Does this sound ok as a way of making administration of WSUS less onerous:
1. Unless it’s for software we don’t use (e.g. Office 2013, since we are Office 2007 users): We shall always approve superseding updates.
2. We shall always disapprove superseded updates.
3. Two weeks after Microsoft publishes updates, we will approve all updates (unless for products we don’t use).
4. Even if ALL PCs on our network are up-to-date for superseding updates, we will keep that update around until it gets superseded in case we spin up a new PC which has not received the updates yet.
We do realize that if we disapprove the superseded updates and have not yet approved the superseding update, there could be two weeks where the PCs might be vulnerable. However, in practice, if a user complies and applies updates and reboots as we release updates, chances are, this should not be a big problem.
Any glaring problems with this strategy?
If there’s a better approach to make WSUS less terrible to administer, I’d love to hear any suggestions.
Sorry for sounding like such a wuss but I hate applying these updates!
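
The four rules above written as a script against the WSUS administration API, added here as an example and not part of the original post. It differs from rule 2 in one respect: a superseded update is declined only once an update that supersedes it is approved, which closes the two-week window the post mentions. The parameter defaults (product title, target group name, 14-day hold) are assumptions to adjust.

```powershell
# Added example, not from the original post. Run on the WSUS server.
# Parameter defaults are placeholders; adjust to your environment.
[CmdletBinding(SupportsShouldProcess)]
param(
    [string[]]$UnusedProducts = @('Office 2013'),
    [string]$TargetGroupName  = 'All Computers',
    [int]$HoldDays            = 14
)

[void][Reflection.Assembly]::LoadWithPartialName('Microsoft.UpdateServices.Administration')
$wsus    = [Microsoft.UpdateServices.Administration.AdminProxy]::GetUpdateServer()
$group   = $wsus.GetComputerTargetGroups() | Where-Object { $_.Name -eq $TargetGroupName }
if (-not $group) { throw "Target group '$TargetGroupName' not found" }
$install = [Microsoft.UpdateServices.Administration.UpdateApprovalAction]::Install
$newer   = [Microsoft.UpdateServices.Administration.UpdateRelationship]::UpdatesThatSupersedeThisUpdate
$cutoff  = (Get-Date).ToUniversalTime().AddDays(-$HoldDays)

foreach ($u in $wsus.GetUpdates()) {
    if ($u.IsDeclined) { continue }
    # Rule 1 exception: leave updates for products we do not run untouched.
    if ($u.ProductTitles | Where-Object { $UnusedProducts -contains $_ }) { continue }

    if (-not $u.IsSuperseded) {
        # Rules 1, 3, 4: approve current updates once they are $HoldDays old;
        # they stay approved until something supersedes them.
        if (-not $u.IsApproved -and $u.CreationDate -le $cutoff -and
            $PSCmdlet.ShouldProcess($u.Title, 'Approve for install')) {
            try   { [void]$u.Approve($install, $group) }
            catch { Write-Warning "Approve failed for '$($u.Title)': $_" }
        }
        continue
    }

    # Rule 2, gated: decline only when an approved replacement exists.
    # A replacement approved earlier in this same run is picked up next run.
    $live = $u.GetRelatedUpdates($newer) |
            Where-Object { $_.IsApproved -and -not $_.IsDeclined }
    if ($live) {
        if ($PSCmdlet.ShouldProcess($u.Title, 'Decline (superseded)')) { $u.Decline() }
    } else {
        Write-Verbose "Holding '$($u.Title)': no approved replacement yet"
    }
}
```

Running it with `-WhatIf -Verbose` first lists what would be approved, declined or held without changing the server.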