Thursday, July 24, 2014

Approve updates

Applies To: Windows Server 2003 with SP2, Windows Server 2008 R2, Windows Server 2008 R2 with SP1, Windows Server Update Services, Windows Small Business Server 2011 Standard
After updates have been synchronized to your WSUS server, they will be scanned automatically for relevance to the server's client computers. However, you must approve the updates before they are deployed to the computers on your network. When you approve an update, you are essentially telling WSUS what to do with it (your choices for a new update are Install or Decline). You can approve updates for the All Computers group or for subgroups. If you do not approve an update, its approval status remains Not approved, and your WSUS server allows you or a user to evaluate whether a client computer needs the update.
If your WSUS server is running in replica mode, you will not be able to approve updates on your WSUS server. For more information about replica mode, see Configure and Manage Replica Servers.

Approving updates

You can approve the installation of updates for all the computers in your WSUS network or for computer groups.
We recommend that you approve updates to the WSUS server component before you approve other updates to client systems. You will see this warning message in the Approve Updates dialog box: "There are WSUS updates that have not been approved. You should approve the WSUS updates before approving this update." In this case, you should click the WSUS Updates node and make sure that all of the updates in that view have been approved before you return to the general updates.
After approving an update, you can do one (or more) of the following:
  • Apply this approval to child groups, if any.
  • Set a deadline for automatic installation. When you select this option, you set specific times and dates to install updates, which overrides any settings on the client computers. In addition, you can specify a past date for the deadline if you want to approve an update immediately (to be installed the next time client computers contact the WSUS server).
  • Remove an installed update if that update supports removal.
Important
You cannot set a deadline for automatic installation for an update if user input is required (for example, specifying a setting that is relevant to the update). To determine whether an update will require user input, look at the May request user input field in the update properties for an update displayed on the Updates page. Also check for a message in the Approve Updates box that says, "The selected update requires user input and does not support an installation deadline."

To approve updates

  1. In the WSUS administrative console, click Updates.
  2. In the list of updates, select the update that you want to approve and right-click.
  3. In the Approve Updates dialog box, select the computer group for which you want to approve the update, and click the arrow next to it.
  4. Select Approved for Install, and then click Approve.
  5. The Approval Progress window will display the progress toward completing the approval. When the process is complete, the Close button will be available. Click Close.
  6. If you want to select a deadline, right-click the update, select the appropriate computer group, click the arrow next to it, and then click Deadline.
    • You can select one of the standard deadlines (one week, two weeks, one month), or you can click Custom to specify a date and time.
    • If you want an update to be installed as soon as the client computers contact the server, click Custom, and set a date and time to the current date and time or to a past date.

To approve multiple updates

  1. In the WSUS administrative console, click Updates. Click the updates that you want to approve. (To select multiple contiguous updates, press SHIFT while clicking updates. To select multiple noncontiguous updates, press and hold down CTRL while clicking updates.)
  2. Right-click the selection, and click Approve. The Approve Updates dialog box opens with the Approval status set to Keep existing approvals and the OK button disabled.
    Note
    You can change the approval status for individual groups, but doing so will not affect child group approvals.

  3. Select the group for which you want to change the approval, click the arrow on its left, and then click Approved for Install.
  4. The approval for the selected group changes to Install. If there are any child groups, their approval remains Keep existing approval. To change the approval for the child groups, click the group, click the arrow on its left, and then click Apply to Children.
  5. To set a specific child group to inherit all its approval from the parent, click the child group, click the arrow on its left, and then click Same as Parent. If you set a child group to inherit approvals, but you are not changing the parent approvals, the child group will inherit the existing approvals of the parent.
  6. If you want the approval behavior to change for all child groups, approve All Computers, and then choose Apply to Children.
  7. Click OK after you set all the approvals. The Approval Progress window will display the progress toward completing the approvals. When the process is complete, the Close button will be available. Click Close.

Declining updates

If you select this option, the update is removed from the default list of available updates and the WSUS server will not offer the update to client computers for evaluation or installation. You can reach this option by selecting an update or group of updates and right-clicking them (or you can reach this option from the Actions pane). Declined updates will appear in the updates list only if you select Declined in the Approval list when you specify the filter for the update in the View list.

To decline updates

  1. In the WSUS administrative console, click Updates.
  2. In the list of updates, select one or more updates that you want to decline.
  3. Select Decline.
  4. Click Yes on the confirmation message.

Change an approved update to not approved

If an update has been approved and you decide not to install it at this time, and instead want to save it for a future time, you can change the update to a status of Not Approved. This means that the update will remain in the default list of available updates and will report client compliance, but it will not be installed on client computers.

To change an approved update to not approved

  1. In the WSUS administrative console, click Updates.
  2. In the list of updates, select one or more approved updates that you want to change to not approved, and then click Not Approved.
  3. Click Yes on the confirmation message.

Approving updates for removal

You can approve an update for removal. This option is available only if the update is already installed and supports removal. You can specify a deadline for the update to be uninstalled, or specify a past date for the deadline if you want to remove the update immediately (the next time client computers contact the WSUS server).
Note
Not all updates support removal. You can see whether an update supports removal by selecting an individual update and looking at the Details pane. Under Additional Details, you will see the Removable category. If the update cannot be removed through WSUS, in many cases it can be removed with Add or Remove Programs from Control Panel.

To approve updates for removal

  1. In the WSUS administrative console, click Updates.
  2. In the list of updates, select one or more updates that you want to approve for removal, and right-click them.
  3. In the Approve Updates dialog box, select the computer group from which you want to remove the update, and click the arrow next to it.
  4. Select Approved for Removal, and then click the Remove button.
  5. After the remove approval has completed, you can select a deadline. Right-click the update, select the appropriate computer group, and click the arrow next to it, and then click Deadline.
    • You can select one of the standard deadlines (one week, two weeks, one month), or you can click Custom to select a specific date and time.
  6. Click Custom, and set a past date if you want an update to be removed as soon as the client computers contact the server.

Approving updates automatically

You can configure your WSUS server to automatically approve certain updates. You can also specify automatic approval of revisions to existing updates as they become available. This option is selected by default. A revision is a version of an update that has had changes made to it (for example, it might have expired, or its applicability rules might have changed). If you do not choose to approve the revised version of an update automatically, WSUS will use the older version, and you must manually approve the update revision.
You can create rules that your WSUS server will automatically apply during synchronization. You specify what updates you want to automatically approve for installation, by update classification, by product, and by computer group. This applies only to new updates, not to revised updates. You can also specify an update approval deadline, which sets a number of days and a specific time before a deadline that is set to install the approved update. These settings are available in the Options pane, under Automatic Approvals.

To automatically approve updates

  1. In the WSUS administration console, click Options, and then click Automatic Approvals.
  2. In Update Rules, click New Rule.
  3. In the Add Rule dialog box, under Step 1: Select properties, select whether to use When an update is in a specific classification or When an update is in a specific product (or both) as criteria. Optionally, select Set a deadline for the approval.
  4. In Step 2: Edit the properties, click the underlined properties to select the Classifications, Products, and Computer groups for which you want automatic approvals, as applicable. Optionally, choose Day and Time for an update approval deadline.
  5. In Step 3: Specify a name box, type a unique name for the rule.
  6. Click OK.
Note
Automatic approval rules will not apply to updates that require Microsoft Software License Terms that have not been accepted on the server. If you find that applying an automatic approval rule does not cause all the relevant updates to be approved, you should approve these updates manually.

Automatically approving revisions to updates and declining expired updates

The Automatic Approvals section of the Options pane contains a default option to automatically approve revisions to approved updates. You can also set your WSUS server to automatically decline expired updates. If you choose to not approve the revised version of an update automatically, your WSUS server will use the older revision, and you must manually approve the update revision.
Note
A revision is a version of an update that has changed (for example, it might have expired or have updated applicability rules).

To automatically approve revisions to updates and decline expired updates

  1. In the WSUS administration console, click Options, and then click Automatic Approvals.
  2. On the Advanced tab, make sure that both Automatically approve new revisions of approved updates and Automatically decline updates when a new revision causes them to expire check boxes are selected.
  3. Click OK.
Important
Keeping the default values for these options allows you to maintain good performance on your WSUS network. If you do not want expired updates to be declined automatically, you should make sure to decline them manually on a periodic basis.

Approving superseding or superseded updates

Typically, an update that supersedes other updates does one or more of the following:
  • Enhances, improves, or adds to the fix that was provided by one or more previously released updates.
  • Improves the efficiency of the update file package, which is installed on client computers if the update is approved for installation. For example, the superseded update might contain files that are no longer relevant to the fix or to the operating systems now supported by the new update, so those files are not included in the superseding update's file package.
  • Updates newer versions of operating systems. It is also important to note that the superseding update might not support earlier versions of operating systems.
In the detail pane of an update (displayed below the list of updates), an informational icon and a message indicate that it supersedes or is superseded by another update. In addition, you can determine which updates supersede or are superseded by the update by looking at the Updates superseding this update and Updates superseded by this update entries in the Additional Details section of the Properties pane.
WSUS does not automatically decline superseded updates, and we recommend that you do not assume that superseded updates should be declined in favor of the new, superseding update. Before declining a superseded update, make sure that it is no longer needed by any of your client computers.
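The check described above (confirm that no client still needs a superseded update before declining it) can be scripted against the WSUS administration API. The following is an added example, not part of the original article or of Microsoft's tooling; it assumes it runs on the WSUS server or on a computer with the WSUS administration console installed, and the verdict wording and the "is a superseding update approved" check are choices made for this example.

```powershell
# Added example, read-only: it reports and changes no approvals.
# Run on the WSUS server or a computer with the WSUS administration console.
[void][Reflection.Assembly]::LoadWithPartialName('Microsoft.UpdateServices.Administration')
$wsus = [Microsoft.UpdateServices.Administration.AdminProxy]::GetUpdateServer()

# A default ComputerTargetScope is used so the summary is not limited to one group.
$allComputers = New-Object Microsoft.UpdateServices.Administration.ComputerTargetScope
$supersedes = [Microsoft.UpdateServices.Administration.UpdateRelationship]::UpdatesThatSupersedeThisUpdate

$report = foreach ($update in $wsus.GetUpdates()) {
    # Only superseded updates that have not already been declined are of interest.
    if (-not $update.IsSuperseded -or $update.IsDeclined) { continue }

    $summary = $update.GetSummary($allComputers)
    # Computers that still need this update, counted conservatively.
    $needed = $summary.NotInstalledCount + $summary.DownloadedCount + $summary.FailedCount
    # Computers that have not reported status: their need is unknown, not zero.
    $unknown = $summary.UnknownCount

    # Extra check (an assumption of this example): is any superseding update approved?
    $replacementApproved = @($update.GetRelatedUpdates($supersedes) |
        Where-Object { $_.IsApproved }).Count -gt 0

    if ($needed -gt 0)                 { $verdict = 'Keep: still needed by clients' }
    elseif ($unknown -gt 0)            { $verdict = 'Review: some clients have not reported' }
    elseif (-not $replacementApproved) { $verdict = 'Review: no superseding update is approved' }
    else                               { $verdict = 'Candidate to decline' }

    New-Object PSObject -Property @{
        Title   = $update.Title
        KB      = (@($update.KnowledgebaseArticles) -join ',')
        Needed  = $needed
        Unknown = $unknown
        Verdict = $verdict
    }
}

$report | Sort-Object Verdict, Title |
    Format-Table Verdict, Needed, Unknown, KB, Title -AutoSize
```

Only rows marked "Candidate to decline" have no reporting client that needs the update; declining remains a manual step in the console as described under Declining updates.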

Best practices for approving a superseding update

Because a superseding update typically enhances a fix that is provided by a previously released update, we recommend that you use the following process to see how many client computers will be compliant with the new update and work backward from there.

To approve a superseded update

  1. Check the status of the update on client computers. Note which computers show a status of Not applicable for the update, and then compare the properties of those computers with the properties of the update.
  2. Use the information that is available in the update properties to help you determine which previously released versions are available. You can look under Updates superseded by this update in the update's properties, and check the Description and KB article number entries if appropriate.
  3. Look at the properties of the superseded versions of the updates.
  4. When you find a superseded update that seems appropriate for the remaining client computers, approve the update for installation.
