WSUS - Deployment strategy help


     We have a single 2K3, native, AD domain. We, now, have about 1100 PCs across the state at 70 facilities. The OU structure is simple; That is most of the workstations are in a single OU. The rest are child OUs off the main [ with various GPOs assigned to them] is a crude visual:

- Workstations
              - OU1
              - OU2
              - OU3
              - OU4
              - OU5
              - OU6
              - OU7
              - WSUS Filtered OUT.
              - WSUS Test OU <--- Will be used as a test OU for special applications in OUs 1-7.
              - WSUS Staging OU <--- being used to bring systems up-to-date ... but will be deleted once we are in production.

 Ultimately the PCs are used for CD/DVD RW access or some sort of special application where a TC is simply not suited. We have already identified the the applications that cannot accept updates and created an OU that will service filtering out the WSUS GPO. In addition, we have also developed a strategy to deploy the updates following application testing with the PCs in the aforementioned OUs. I will comment on that shortly.

At this time we are, relatively, up to a current update base with the PCs. All are up to XP SP 3 and most are in a WSUS staging OU receiving updates weekly. [Our current staging and planned WSUS GPO will be for Critical and Security updates ONLY. SPs will be deployed only after extensive evaluations]

Okay. Those things said, what I am looking for is guidence/confirmation/any information towards the following stratigic requirements:

1) We must have a written test plan in place to test the applications in the OUs that have been created/configured to accomodate said applications.
     * For the most part I can hammer this out. Insight would be appreciated though.

2) We must have a 2 week Lag between the Auto-Apporvals for the WSUS Test environment/OUs and the Production Environment/OUs.
     * This is where I am having some difficulty. That is, this is going to end up being a manual approval for the latter while approval for the former will remain Automatic, ,.... Correct?

3) An additional OU must be created so the WSUS Production Policy can be filtered out.
     * Like it or not...I work for an organization where any updates following XP SP 2 will simply cripple the application hosted on the system.

Any help is appreciated.

If you need further information I am happy to give it. Just let me know.

Thank you,

Who is Participating?
Rant32Connect With a Mentor Commented:
I would like to add that most of the WSUS administration tasks can be automated in .NET, with the library Microsoft.UpdateServices.Administration.dll

The DLL is documented in

I'm not a very skilled C# programmer, but I imagine that it's fairly trivial to retrieve the updates approved for your Test OU and approving them for the Production OU.

The IUpdate.GetUpdateApprovals method has an overloaded version that allows to select Update Approvals in a specific time range:

Can't directly help with any code, but may this will give you some ideas.
I agree to your ideas
You must create the same OU structure in WSUS console and release the patches OU wise
NaerwenAuthor Commented:
     I figured as much as you can see. I guess my main concern is that there is no way to automate the approvals for a two week delay. That is, I will have to mannually approve the updates for the Production network once we've tested the PCs and their associated applications in our test environment, correct?
Get your problem seen by more experts

Be seen. Boost your question’s priority for more expert views and faster solutions

Just thought of this:

Do you have the ability to assign computers using GPO (client side targeting)?

The combination of GPO and WMI filters is very powerful. You could detect a piece of installed software using WMI (registry query) and effectuate a different GPO (different computer group) based on the installed software.

Your deployment seems large enough to warrant an investigation into this.
Rick JohnsonConnect With a Mentor Systems AdministratorCommented:
You can approve the patches to the group you want (matching the OU structure) and then right click on the patch and set a deadline for 2 weeks, 1 week, whatever. You would then make sure that Group Policy was set up NOT to automatically patch machines, letting the deadline pass and thereby forcing it to happen.

It's a bit manual but it does work.
NaerwenAuthor Commented:
- Rant32, still looking into those links.
- niwqk, Curious. Setting the deadline simply means "install before this date", correct?
Rick JohnsonSystems AdministratorCommented:
That is correct...however, if you have it set up within Group Policy to simply download the patches but not automatically install them, this could work. Of course, it would take some training to NOT install the patches when the machine comes up with the notification.  :-)
NaerwenAuthor Commented:
Both experts gave good advise. Though I should not that rant32's C#/.NET solution will be our likely course of action... as Deadlining an update does not offer the level of control needed for our environment.
Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

All Courses

From novice to tech pro — start learning today.