WSUS - Possible to approve for installation multiple updates simultaneously but only the ones *needed* by computers?

Well, the subject pretty much says it all.

One WSUS server set to approve everything for "Detection".  Leave it for a couple of days after installation for it to synchronise and machines to report in, and it has now informed me that a lot of machines need patching - out of ~500 updates available, ~100 of them are needed by computers.

Ok, so rather than download 500 updates (which will eat up the space on our server), I would like to approve for download and installation ONLY the 100ish updates needed.  Problem is, I can't see how to do this en masse.  

- I can see how to show the updates needed by computers, but can only select and approve them one at a time.
- I can see a screen of updates where I can approve multiple updates at the same time, but can't see which ones are needed by computers?

So - How can I do what I want to achieve?  

Thanks for the help - hope the above makes sense.  Would like a fast answer if possible, but I realise this may be a tricky one to resolve so I am offering the maximum of 500 points ;)

Erik Bjers, Principal Systems Administrator, commented:
You can hold the shift key and use the down arrow to move down the list, this will select multiple updates, you can also hold the ctrl key and select the updates you want to approve.

I believe you can also filter by whether the updates are needed or not and then approve/decline based on this filter.  Sorry don't have my WSUS server handy, but if you don't have the answer you want by Monday I will post more details.

Hi wasc this is not a simple question,
To answer one question at a time, only you know what is installed on the clients' machines, so I guess you would have to decide what is important;
updates cover everything from new drivers to security to validation etc.
Maybe you could assign all these clients to the same workgroup Name..  temporarily power user or some such, some kind of operator, then you log on to the server and add the updates to this group.

Here is a list of all the known updates patches for all operating systems so you could start by manually downloading the necessary ones.
OS Updates: Patches & then some...

Erik Bjers, Principal Systems Administrator, commented:
You can find out what updates need to be installed by looking at the reports.

Easiest solution:

1) Approve every update you want installed on your network regardless if they are needed by client or not
2) Go to Options -> Synchronize options -> Advanced button at the end of the page
3) Select 'Do not store updates locally...' at the top of the window

This way the updates will not be downloaded to your server, you can still control what updates are applied to your network, but your clients will download their updates directly from MS.

wasc (Author) commented:
ebjers - regarding your comment on being able to hold down shift etc. - afraid that doesn't work.

On the view where it lists all the available updates, what you described worked, however on the view where you see "needed updates" the method doesn't work.

Erik Bjers, Principal Systems Administrator, commented:
I found that out myself when I tried it this morning.  I know when I first set up my WSUS server I just sat there and approved updates till I was done...

The other method I mentioned should work for you

When you open the web interface (http://YOURWSUSSERVER/wsusadmin/) and click the Updates icon you CAN select multiple updates with the shift/ctrl keys and change approval for those selected. Just like ebjers first posted. If this doesn't work WSUS may have been set up incorrectly.

What kind of Bandwidth do you have available? Are your users 24/7?

Erik Bjers, Principal Systems Administrator, commented:
I think the problem is he only wants to approve the updates that are needed to avoid downloading all the other updates (to save space).  The updates screen doesn't tell you if the update is needed or not.  The place where you can't hold shift/ctrl to select more than one is in the reports screen that will tell you what updates are needed.  Hence the idea of approving all updates and then allowing them to install from Microsoft's server.

You would have to make note of those needed from each screen then pick them out from the main screen. Sorry about my failure to RTFQ, my bad. :)

If you create a separate update group and select auto-install for that group WSUS will only download those that are needed for the computers in that group. Provided all 500 are not ones that all the machines can use.

Hi Wasc,

When you approve an update for detection, the update is not installed. Instead, WSUS checks whether the update is compliant with or needed by computers in the groups you specify for the Detect only approval option in the Approve Updates dialog box. The detection occurs at the scheduled time that the client computer communicates with the WSUS server. You can see the result of the detection either in the Status of Updates report or on the Updates page, by clicking the Status tab for a specific update. In either case, the information you need will appear in the Needed column, which represents the number of computers that have been detected as needing a particular update. If the client computer does not need the update, the number in Needed is zero.

To automatically approve multiple updates for installation (not "detection only"):

1.  On the WSUS console toolbar, click Options, and then click Automatic Approval Options.
2.  In Updates, under Approve for Installation, select the Automatically approve updates for installation by using the following rule check box (if it is not already selected).
3.  If you want to specify update classifications to automatically approve during synchronization, do the following:
    • Next to Classifications, click Add/Remove Classifications.
    • In the Add/Remove Classifications dialog box, select the update classifications that you want to automatically approve, and then click OK.
4.  If you want to specify the computer groups for which to automatically approve updates during synchronization:
    • Next to Computer groups, click Add/Remove Computer Groups.
    • In the Add/Remove Computer Groups dialog box, select the computer groups for which you want to automatically approve updates, and then click OK.
5.  Under Tasks, click Save settings, and then click OK.

For more information read this article it has everything about WSUS,
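
Added example (not part of any post in this thread): on WSUS versions that ship the UpdateServices PowerShell module (Windows Server 2012 and later), the selection asked for in the question, unapproved updates that at least one computer reports as needed, can be listed for review and then approved in one pass. The server name, port and target group below are placeholders, and the script assumes it runs where the WSUS administration tools are installed.

```powershell
# Added example, not from the thread. Parameter names and defaults are assumptions.
param(
    [string]$ServerName  = 'YOURWSUSSERVER',  # placeholder host name, as used in the thread
    [int]   $Port        = 8530,              # assumed port; older installs often listen on 80
    [string]$TargetGroup = 'All Computers',   # assumed computer group to approve for
    [switch]$Approve                          # without this switch the script only reports
)

Import-Module UpdateServices
$wsus = Get-WsusServer -Name $ServerName -PortNumber $Port

# Unapproved updates that at least one reporting computer needs.
# Superseded updates are skipped so that only the current patch is approved
# and downloaded to the server.
$needed = Get-WsusUpdate -UpdateServer $wsus -Approval Unapproved -Status Needed |
    Where-Object { -not $_.Update.IsSuperseded }

# Review list: most widely needed first.
$needed |
    Sort-Object ComputersNeedingThisUpdate -Descending |
    Select-Object @{ Name = 'Title'; Expression = { $_.Update.Title } },
                  Classification,
                  ComputersNeedingThisUpdate |
    Format-Table -AutoSize

"{0} needed, unapproved, non-superseded updates found." -f @($needed).Count

if ($Approve) {
    # Approve for installation only the updates listed above.
    $needed | Approve-WsusUpdate -Action Install -TargetGroupName $TargetGroup
}
```

Run it once without `-Approve` to review the list, then again with `-Approve` after checking the titles against your change process.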
