WSUS Options and GPO settings

in WSUS I would like to know if I select approve for Installation for  a group of computers, but in GPO I will select the setting #3  AUtoDownload and notify for install.
Would approve for Installation in WSUS make any sense? in other words when does WSUS Approve for Installation will make sense?

thanks
jskfanAsked:
Who is Participating?

[Product update] Infrastructure Analysis Tool is now available with Business Accounts.Learn More

x
I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.

Toni UranjekConsultant/TrainerCommented:
Hi!

Every update has to be approved first in WSUS, after that client with setting #3 will download update and notify user that update is ready to install. If you don't approve updates, client won't even begin to download them.

HTH

Toni
jskfanAuthor Commented:
In WSUS does it make any difference if it's approved for detection or approved for installation?
Toni UranjekConsultant/TrainerCommented:
Of course, first setting will only detect if updates are installed on client computers. If they are not such update will be marked as needed. When you approve update for install, clients will start downloading updates.
SD-WAN: Making It Work for You

As bandwidth requirements and Internet costs grow, businesses naturally want to manage budgets by reducing reliance on their most expensive connection types. Learn more about how to make SD-WAN work for your business in our on-demand webinar!

jskfanAuthor Commented:
<<<When you approve update for install, clients will start downloading updates.>>>
3 - Auto download and notify for install

<<<When you approve update for install, clients will start downloading updates.>>>

I guess the client wouldn't download the updates if this policy is applied:
2 - Notify for download and notify for install


In my case this policy is applied:
3 - Auto download and notify for install
what happens for the servers which is my concern is if the approve for installation is selected and 3 - Auto download and notify for install, it will still install the updates in the server and if the update needs a reboot it will reboot the server, it did this several times, this is why I changed it to Approve for Detection and left the 3 - Auto download and notify for install.


Toni UranjekConsultant/TrainerCommented:
If you approve updates for install and you have selected option #3, approved updates will be downloaded and you will end up with notification baloon or later with yellow shield icon in notification area of taskbar. You will have to double click this icon to start installation. Actualy I'm using exactly the same setting on computer I'm typing this post right now for exactly the same reason - to avoid automatic restarts. ;)
jskfanAuthor Commented:
I know if a user is logged on to the machine it doesn't automatically restart, but if there is noone logged on it will reboot if the updates require that.

can you please tell me how you set up your WSUS and GPO settings for your servers?
jskfanAuthor Commented:
with GPO #3 settings updates will be downloaded to the client regardless if approve for detection or approve for install is select?
Toni UranjekConsultant/TrainerCommented:
No updates will be downloaded by clients if they are not approved for install.

I use exactly the same option #3 Auto download and notify for install, for servers, for client computers updates are automatically installed also. These are settings which I use with my customers. For my network I always go with "Auto download and notify for install" for W2K/XP/W2K3 computers, currently I patch Vista manually because I did have some problems after I've applied updates to Vista.

This is not a recommendation and it doesn't mean that you should do it the same way, I'm jst telling you how I do it.
jskfanAuthor Commented:
I have checked approve for installation in WSUS options, and selected a group named Test(it has 2 computers WXP)
in The GPO I select #4 download and schedule install.

the 2 computers are showing 18 needed and 19 Needed,  and under the Approval column they show Install.
but it seems like the updates don't get installed. though there is no update that requires reboot.
Toni UranjekConsultant/TrainerCommented:
And when are your updates scheduled to install?
jskfanAuthor Commented:
<<<And when are your updates scheduled to install?>>>

where can I see that?
Toni UranjekConsultant/TrainerCommented:
When you select: Auto download and schedule the install, you must also set the day and time for the recurring scheduled installation. This is configured in your WSUS GPO.

You can also configure: Allow Automatic Update Immediate Installation
This policy specifies whether Automatic Updates should automatically install certain updates that neither interrupt Windows services nor restart Windows.


Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today
OS Security

From novice to tech pro — start learning today.