WSUS Automatic Approval policy

Hi Guys,
I'm setting up a brand new domain and I have installed the Windows Server Update Services.
I would like to have your opinion about the automatic approval policy.

I'm thinking on automatic approval for:
Definition Updates (We are using Windows Defender, and it has a daily update)
Security Updates

Now, I see another group named "Critical Updates" that might be worth auto approving, but I'm not sure about that one.

The goal here is to have the user computers up and running at all times, and while some harm might come to the computers related to not having an specific update, I'm also worried by the cases where a Microsoft Update has had adverse side effects on Windows computers that could also be problematic, in fact even more problematic.

So, I would like to know what is your advice, should I add "Critical Updates"  to the automatic approval list?
Who is Participating?

[Product update] Infrastructure Analysis Tool is now available with Business Accounts.Learn More

I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.

Make sure you have two groups for auto-install workstations.
A test group where the autoapprove will handle the critical/security/defender updates. and the main group.
The test group should have one type of a system/os combination if not a homogeneous env.

Once the approved updates are applied and no issues arise, you would need to manually approve the updates for the other group.

A manual auto-approve identical to the automatic... Though the difficulty is with timing running the manual approval...

Defender updates could be auto-approved for both/all as they are daily....../frequent releases.......

Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
Kash2nd Line EngineerCommented:
Not use them too much but follow guidelines >>>
Seth SimmonsSr. Systems AdministratorCommented:
i have only auto approved definition updates
don't do that for critical updates as something could be bad (infrequent, but happens) that could cause issues.  better to test updates first

as an example, i installed updates on my lab WSUS server and after rebooting found the web reporting service was not working and clients weren't updating.  i found an update to the windows update client which i removed and the reporting web service was working again so better to test first before approving for production

@Kash - that article applies to windows 2003; this is the one relevant

Best Practices with Windows Server Update Services
cargexAuthor Commented:
Testing environment for updates before applying to production sounds about right.
Thank you very much.
It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today
Windows Server 2012

From novice to tech pro — start learning today.