WSUS Approval Groups

Posted on 2011-04-20
Medium Priority
Last Modified: 2012-05-11
When configuring Approval Groups inside of WSUS, the former administrator did it by Operating system, there was one Approval group for each OS:

Windows Server 2008 R2
Windows Server 2008 x86
Windows Server 2008 x64
Windows XP x86
Windows XP x64

The test groups were the same way, except prefixed by the word test.  This results in a lot of work sorting all of the updates down by the OS they are intended for.  Further, multiple approvals are needed when a single update (.NET Framework) is intended for multiple OS (XP, Server 2003).

What is the best practice?  From my research I believe (and want) to set it up in the following:

User Machines (Desktops Laptops)
Server Test Group
User Machines (Desktop Laptops) Test Group

And then just mass approve everything to the Test groups, if nothing breaks, then approve all to the regular groups.

I am looking to see what is best practice in how to set this up.  Do I do it by OS, and if so why? It seems like a lot more work to set it up by OS.
Question by:itwatchhelp

Assisted Solution

by:Neil Russell
Neil Russell earned 332 total points
ID: 35434265
Just remember that an update will only be requested and installed IF it is needed by a machine.
I have seen admins who set up WSUS exactly as you say.  It does no harm at all and it works just fine.
But remember you MAY have requirements to break your groups down further. IE7/8/9 needed by everyone? Media player or not? Etc.

Assisted Solution

arnold earned 668 total points
ID: 35434484
Adding to Neilsr, the test groups are important for the breakdown you have, the approval process depends on how you go about it.

Presumably you go through first approving the needed updates for the test groups. Once sufficient time has passed for the test groups to get the updates and for the operators to use them and report any issues, you go back and look at the non-test group system to see which updates it needs and approve the ones that were previously approved for the test group for this group.
A breakdown of

You still would need to go through at least two or two workstations and likely two servers, since the update that applies to 2008 x64 and 2008 R2 will be the same and the 2008 32bit.

Do you have auto-approve options?  I.e., are you currently taking a risk that an update that is auto-approved may have side effects?

Do you have WSUS configured to email you when update changes occur/notifications received by the WSUS server?

Author Comment

ID: 35443956
Auto Approve Options:  No, we are currently not using auto approve.

WSUS Configured to email when update changes occur: No, we are currently not getting notices from the WSUS server.

You mention having a test and a normal split along architecture lines (x86 and x64).  Why is that?

Ideally I would like to simplify our whole setup to just:

Test Servers
Test Desktops

Production Servers
Production Desktops

And just be able to mass approve to the test groups, let them patch, watch for problems, and if there are any I would then deny that patch for the production push.

I guess I am also wondering if there is any harm in approving, let's say, an Itanium or an x64 patch for a non-Itanium, x86 server.  I don't think so, since as Neilsr indicated, the server won't request that.  The previous administrator swore up and down that doing this could cause the x86 server to go and install x64 patches or Itanium patches and thus cause a lot of problems.

Expert Comment

ID: 35444292
The system will only be offered updates that are relevant to it. I.e. if your Production desktop group consists of both x86 and x64 you would need to look at each type (x86/x64) in this group and approve the updates for this type.  The common updates for Office and the like need only be approved once.

Similarly, by group the test, you would need to approve updates when looking through the workstations in the group and the updates it needs.

A deny is not advisable; if a patch presents as a conflict, simply do not approve it.  If you decline it, it will never be offered and may cause issues down the line while the vendor of your customer with which this patch conflicted may release an update to correct this issue.
I usually deny updates for systems that I do not have, i.e. there is no reason to keep an update list of Itanium if you do not have such equipment, etc.

Author Comment

ID: 35708968
I apologize for the late addition

Do I need to split my approval groups based upon architecture:

Do I need

Test Workstations x86
Test Workstations x64

and ONLY approve x64 for the x64 group?

Or can I just have

Test Workstations

And drop and approve patches and workstations that are both x86 and x64 in there?

Accepted Solution

arnold earned 668 total points
ID: 35710408
You can have either setup: workstations with both in there, or two OUs with each in one. The issue is whether you can consistently add/separate the workstations based on their architecture into the OUs, or whether using a single OU where all the workstations end up while you have to check the status of each in the group to approve the update for the test environment and then repeat the process in the live environment to approve the installation of the updates to the rest of the systems.
x86 cannot load an x64 update nor is the reverse possible, so having update1_x86 and update1_x64 will not cause a problem.
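The test-then-production workflow discussed in this thread, as an added example that is not part of any post: a PowerShell script that uses the WSUS administration API to find updates whose install approval on the test group has aged past a soak period and approves them for the production group. The group names, the 7-day soak period and the `-Apply` switch are assumptions made for the example.

```powershell
# Added example: promote WSUS approvals from a test group to a production group
# once they have soaked. Group names and the soak period are assumptions.
param(
    [string]$TestGroupName = 'Test Desktops',
    [string]$ProdGroupName = 'Production Desktops',
    [int]$SoakDays = 7,
    [switch]$Apply          # without -Apply the script only reports what it would do
)

# WSUS administration API; run on the WSUS server or where the WSUS console is installed.
[void][Reflection.Assembly]::LoadWithPartialName('Microsoft.UpdateServices.Administration')
$wsus    = [Microsoft.UpdateServices.Administration.AdminProxy]::GetUpdateServer()
$install = [Microsoft.UpdateServices.Administration.UpdateApprovalAction]::Install

$groups = $wsus.GetComputerTargetGroups()
$test = $groups | Where-Object { $_.Name -eq $TestGroupName }
$prod = $groups | Where-Object { $_.Name -eq $ProdGroupName }
if (-not $test -or -not $prod) {
    throw "Target group not found: check '$TestGroupName' and '$ProdGroupName'."
}

$cutoff = (Get-Date).AddDays(-$SoakDays)

foreach ($update in $wsus.GetUpdates()) {
    if ($update.IsDeclined) { continue }

    # Install approvals on the test group that are older than the soak period.
    $soaked = $update.GetUpdateApprovals($test) |
        Where-Object { $_.Action -eq $install -and $_.CreationDate -le $cutoff }
    if (-not $soaked) { continue }

    # Skip updates that already carry an install approval on production.
    $already = $update.GetUpdateApprovals($prod) |
        Where-Object { $_.Action -eq $install }
    if ($already) { continue }

    if ($Apply) {
        [void]$update.Approve($install, $prod)
        Write-Output "Approved for ${ProdGroupName}: $($update.Title)"
    } else {
        Write-Output "Would approve for ${ProdGroupName}: $($update.Title)"
    }
}
```

An update that caused problems in test needs its test-group approval removed before this runs, otherwise it is promoted with the rest. Because clients only request updates that apply to them, one mixed x86/x64 group per role is enough for this script.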