WSUS Approval Groups

Posted on 2011-04-20
Last Modified: 2012-05-11
When configuring Approval Groups inside of WSUS, the former administrator did it by operating system; there was one Approval group for each OS:

Windows Server 2008 R2
Windows Server 2008 x86
Windows Server 2008 x64
Windows XP x86
Windows XP x64

The test groups were the same way, except prefixed by the word test.  This results in a lot of work sorting all of the updates down by the OS they are intended for.  Further, multiple approvals are needed when a single update (.NET Framework) is intended for multiple OS (XP, Server 2003).

What is the best practice?  From my research I believe (and want) to set it up in the following:

User Machines (Desktops Laptops)
Server Test Group
User Machines (Desktop Laptops) Test Group

And then just mass approve everything to the Test groups, if nothing breaks, then approve all to the regular groups.

I am looking to see what is best practice in how to set this up.  Do I do it by OS, and if so why? It seems like a lot more work to set it up by OS.
Question by: itwatchhelp
    LVL 37

    Assisted Solution

    Just remember that an update will only be requested and installed IF it is needed by a machine.
    I have seen admins who set up WSUS exactly as you say.  Does no harm at all and it works just fine.
    But remember you MAY have requirements to break your groups down further. IE7/8/9 needed by everyone? Media player or not? etc
    LVL 76

    Assisted Solution

    Adding to Neilsr, the test groups are important for the breakdown you have, the approval process depends on how you go about it.

    Presumably you go through first approving the needed updates for the test groups. Once sufficient time has passed for the test groups to get the updates and for the operators to use them and report any issues, you go back and look at the non-test group systems to see which updates they need and approve the ones that were previously approved for the test group for this group.
    A breakdown of

    You still would need to go through at least two or two workstations and likely two servers, since the update that applies to 2008 x64 and 2008 R2 will be the same and the 2008 32bit.

    Do you have auto-approve options?  I.e., are you currently taking a risk that an update that is auto-approved may have side effects?

    Do you have WSUS configured to email you when update changes occur/notifications received by the WSUS server?

    Author Comment

    Auto Approve Options:  No, we are currently not using auto approve.

    WSUS Configured to email when update changes occur: No, we are currently not getting notices from the WSUS server.

    You mention having a test and a normal split along architecture lines (x86 and x64).  Why is that?

    Ideally I would like to simplify our whole setup to just:

    Test Servers
    Test Desktops

    Production Servers
    Production Desktops

    And just be able to mass approve to the test groups, let them patch, watch for problems, and if there are any I would then deny that patch for the production push.

    I guess I am also wondering if there is any harm in approving, let's say, an Itanium or an x64 patch for a non-Itanium, x86 server.  I don't think so, since, as Neilsr indicated, the server won't request that.  The previous administrator swore up and down that doing this could cause the x86 server to go and install x64 patches or Itanium patches and thus cause a lot of problems.
    LVL 76

    Expert Comment

    The system will only be offered updates that are relevant to it. I.e., if your Production desktop group consists of both x86 and x64, you would need to look at each type (x86/x64) in this group and approve the updates for this type.  The common updates for Office and the like need only be approved once.

    Similarly, by group the test, you would need to approve updates when looking through the workstations in the group and the updates it needs.

    A deny is not advisable; if a patch presents as a conflict, simply do not approve it.  If you decline, it will never be offered and may cause issues down the line while the vendor of your customer with which this patch conflicted may release an update to correct this issue.
    I usually deny updates for systems that I do not have, i.e., there is no reason to keep an update list of Itanium if you do not have such equipment, etc.

    Author Comment

    I apologize for the late addition

    Do I need to split my approval groups based upon architecture:

    Do I need

    Test Workstations x86
    Test Workstations x64

    and ONLY approve x64 for the x64 group?

    Or can I just have

    Test Workstations

    And drop and approve patches and workstations that are both x86 and x64 in there?
    LVL 76

    Accepted Solution

    You can have either setup: workstations with both in there, or two OUs with each in one. The issue is whether you can consistently add/separate the workstations based on their architecture into the OUs, or whether using a single OU where all the workstations end up while you have to check the status of each in the group to approve the update for the test environment and then repeat the process in the live environment to approve the installation of the updates to the rest of the systems.
    x86 cannot load an x64 update, nor is the reverse possible, so having update1_x86 and update1_x64 will not cause a problem.
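
The test-then-production workflow discussed in this thread, as an added example that is not part of any poster's reply: a PowerShell sketch using the WSUS administration API that promotes updates approved for a test group to the matching production group once a soak period has passed, and holds back (without declining) anything that failed on a test machine. The group names come from the layout proposed in the question; the 14-day soak period and the `$reportOnly` switch are assumptions, and the script assumes it is run on the WSUS server itself.

```powershell
# Added example; group names follow the question's proposed layout.
$promotions = @{
    'Test Servers'  = 'Production Servers'
    'Test Desktops' = 'Production Desktops'
}
$soakDays   = 14        # assumed test period before promotion
$reportOnly = $true     # set to $false to actually create the approvals

[void][Reflection.Assembly]::LoadWithPartialName('Microsoft.UpdateServices.Administration')
$wsus    = [Microsoft.UpdateServices.Administration.AdminProxy]::GetUpdateServer()
$install = [Microsoft.UpdateServices.Administration.UpdateApprovalAction]::Install
$cutoff  = (Get-Date).ToUniversalTime().AddDays(-$soakDays)   # compared in UTC

# Index the computer target groups by name.
$groups = @{}
$wsus.GetComputerTargetGroups() | ForEach-Object { $groups[$_.Name] = $_ }

# Only updates that currently carry an approval are candidates.
$scope = New-Object Microsoft.UpdateServices.Administration.UpdateScope
$scope.ApprovedStates = [Microsoft.UpdateServices.Administration.ApprovedStates]::LatestRevisionApproved
$candidates = $wsus.GetUpdates($scope)

foreach ($testName in $promotions.Keys) {
    $test = $groups[$testName]
    $prod = $groups[$promotions[$testName]]
    if (-not $test -or -not $prod) {
        Write-Warning "Group '$testName' or '$($promotions[$testName])' not found; skipping."
        continue
    }
    foreach ($update in $candidates) {
        # Approved for install on the test group at least $soakDays ago?
        $tested = $update.GetUpdateApprovals($test) |
            Where-Object { $_.Action -eq $install -and $_.CreationDate -le $cutoff }
        # Already approved for install on the production group?
        $live = $update.GetUpdateApprovals($prod) | Where-Object { $_.Action -eq $install }
        if (-not $tested -or $live) { continue }

        # A failure on any test machine holds the update: it stays unapproved, not declined.
        $summary = $update.GetSummaryForComputerTargetGroup($test)
        if ($summary.FailedCount -gt 0) {
            Write-Warning "HOLD  $($update.Title): $($summary.FailedCount) failed install(s) in '$testName'"
            continue
        }
        Write-Output "PROMOTE  $($update.Title)  ->  $($prod.Name)"
        if (-not $reportOnly) { [void]$update.Approve($install, $prod) }
    }
}
```

Because clients only request updates applicable to them, the same approval can be applied to a group that mixes x86 and x64 machines; no per-architecture branch is needed.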
    LVL 27

    Expert Comment

    This question has been classified as abandoned and is closed as part of the Cleanup Program. See the recommendation for more details.
