Different settings for security updates and definition updates on WU client

  • Question

  • Hi!

    Distributing definition updates through WSUS may seem like a good idea, but what if I want to manually approve installation of my security updates on, for example, my servers (auto download but manually approve installation) but (and I hope everyone agrees with me) I want my definition updates distributed and installed asap.

    Same thing with clients... I think most people have GPO settings saying download automatically and schedule installation. Again, I want different WU agent settings for my security updates and my definition updates.

    What's best practice?

    SQL Slammer spread globally in 10 - 15 min (or something like that)

    Any ideas?

    /Johan

    Thursday, February 22, 2007 3:15 PM

Answers

  • Ah, ok.  I think you are looking for the policy setting:

    Allow Automatic Updates immediate installation

    Specifies whether Automatic Updates should automatically install certain updates that neither interrupt Windows services nor restart Windows.

    If the status is set to Enabled, Automatic Updates will immediately install these updates once they are downloaded and ready to install.

    If the status is set to Disabled, such updates will not be installed immediately.

    Note: If the "Configure Automatic Updates" policy is disabled, this policy has no effect.

    FCS Definitions are marked to support immediate installation, therefore if you make this setting the definitions will install as soon as they are downloaded.

    Does that help?

    Craig

    Friday, February 23, 2007 9:46 PM
  • Thanx Craig!

    That was exactly what I was looking for.

    I assume that every security patch that is marked to support immediate installation will be installed as well. However, they go through the manual approval at the WSUS first, so that should be OK since there is no reboot or disrupted services.

    The reason I wanted to manually install the update (once it was downloaded from the WSUS) was to control the installation during a narrow service window.

    /Johan

    Tuesday, February 27, 2007 8:32 PM
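
The policy named in the answer above, and the "Configure Automatic Updates" setting it depends on, are stored in the registry on each client, so the resulting behaviour can be checked per machine. The PowerShell below is an added example, not part of the original thread; the registry value names (AutoInstallMinorUpdates, NoAutoUpdate, AUOptions and the schedule values) do not appear in the thread, and the sample policies are constructed.

```powershell
# Added example, not from the thread. Value names are those the Windows Update
# Agent group policies write under this key.
$AUKey   = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU'
$AUNames = 'NoAutoUpdate', 'AUOptions', 'AutoInstallMinorUpdates',
           'ScheduledInstallDay', 'ScheduledInstallTime'

function Get-AUPolicy {
    # Read the live policy values; values that are not set stay absent.
    $policy = @{}
    $props = Get-ItemProperty -Path $AUKey -ErrorAction SilentlyContinue
    foreach ($name in $AUNames) {
        if ($props -and $null -ne $props.$name) { $policy[$name] = [int]$props.$name }
    }
    return $policy
}

function Test-AUSplitPolicy {
    param([hashtable]$Policy)
    # NoAutoUpdate = 1 means "Configure Automatic Updates" is disabled, in
    # which case the immediate-installation policy has no effect.
    $auDisabled = $Policy['NoAutoUpdate'] -eq 1
    $immediate  = ($Policy['AutoInstallMinorUpdates'] -eq 1) -and -not $auDisabled
    # AUOptions decides what happens to every other approved update.
    $other = switch ($Policy['AUOptions']) {
        2 { 'notify before download' }
        3 { 'download automatically, wait for a manual install' }
        # ScheduledInstallDay 0 = every day, 1-7 = Sunday-Saturday; time is the hour.
        4 { "download automatically, install on schedule (day $($Policy['ScheduledInstallDay']), hour $($Policy['ScheduledInstallTime']))" }
        5 { 'local administrator chooses' }
        default { 'not configured by policy' }
    }
    if ($auDisabled) { $other = 'Automatic Updates disabled' }
    [pscustomobject]@{
        ImmediateInstall = $immediate   # per the thread, FCS definitions are flagged for this
        OtherUpdates     = $other
    }
}

# Constructed sample policies: the server and client cases from the question,
# plus a case where the immediate-install setting is present but ineffective.
$samples = [ordered]@{
    'server'    = @{ AUOptions = 3; AutoInstallMinorUpdates = 1 }
    'client'    = @{ AUOptions = 4; ScheduledInstallDay = 0; ScheduledInstallTime = 3; AutoInstallMinorUpdates = 1 }
    'no-effect' = @{ NoAutoUpdate = 1; AutoInstallMinorUpdates = 1 }
}
foreach ($name in $samples.Keys) {
    Test-AUSplitPolicy -Policy $samples[$name] | Select-Object @{n='Profile';e={$name}}, *
}
# On a managed machine: Test-AUSplitPolicy -Policy (Get-AUPolicy)
```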

All replies

  • Thanks for your posting.

    WSUS supports this.  You are free to manually approve security updates while auto-approving Definition Updates.  This can be done in the WSUS administration pages by choosing Options > Automatic Approval Options > Approve for Installation – “Add/Remove Classifications”

    Also, you can create different WSUS target groups and adjust the approved updates for each of those accordingly.  So if you wanted a set of updates to be installed by the client machines but not servers or if you wanted client machines to be auto-approved but not server machines, you can do this as well.

    For more information see the WSUS Deployment guide at:
    http://technet2.microsoft.com/WindowsServer/f/?en/Library/ace052df-74e7-4d6a-b5d4-f7911bb06b401033.mspx

    Thanks,

    Craig

    Thursday, February 22, 2007 6:05 PM
  • Craig,

    Thank you for a prompt answer, however I think you misunderstood my problem/question, or I was not very clear.

    The problem is not on the WSUS side, it's the client settings. My servers are set to auto download updates from the WSUS but I want to manually "kick off" the installation locally on the server to control the installation/reboot time.
    This client-side setting will affect the behavior of the definition installation as well (I have to manually "kick off" the install of the definition update).

    ...The same problem exists on my XP clients. I want the definition update to be installed asap (to maintain the highest level of protection) but the security patches to be downloaded and scheduled for install at night (I cannot disturb my users with reboots during office hours).

    Thanks,

    /Johan

     

    Thursday, February 22, 2007 7:55 PM