WSUS automatic approval

  • Question

  • I have set up an auto update rule in WSUS that for all critical and security updates, they are approved to all computers and the deadline is set for "7 days after the approval at 3:00am".  What does this deadline mean?  My intent was for the WSUS to download the update and sit on having it deployed and installed to the workstation community at large until 7 days after it gets received from MU.  Someone mentioned to me that a workstation can immediately install and apply the update but it places a constriction that it must be done within 7 days.

    Note: I have set up other client-side targeting for test workstations that have immediate approval of critical & security updates. The idea was that this subset of machines would immediately get the patches and we would be allowed 7 days to determine if any issues arise.

    Thursday, December 18, 2014 8:12 PM

Answers

  • What does this deadline mean?

    [Recalling the dozens of stories of WSUS admins who have set deadlines without understanding their implications, only to be bitten in the backside as a result.] :-)

    My intent was for the WSUS to download the update and sit on having it deployed and installed to the workstation community at large until 7 days after it gets received from MU.

    And this is exactly what everybody else thought too, and exactly NOT what deadlines do.

    Someone mentioned to me that a workstation can immediately install and apply the update but it places a constriction that it must be done within 7 days.

    That is pretty much the crux of a deadline.

    So let's talk in more detail about what deadlines mean in WSUS. In short, they mean exactly the same thing in WSUS that they mean in the English language, which is that something must be done ON or BEFORE the "Deadline".

    How this translates in WSUS is this:

    • If the client is configured with a *scheduled* installation event, the update will be installed at the first scheduled installation event.
    • If the scheduled installation event is missed and the client is configured to install updates at power-up (which is on by default), the updates will be installed at power-up.
    • If the client is NOT configured with a scheduled installation event, the updates MAY be installed by a user launching the installation from the WUApp, or they MAY be installed at shutdown if that option is not disabled.
    • If the installation does not happen by the configured deadline, the WUAgent will install the updates AT the scheduled deadline.
    • If the machine is powered off at the scheduled deadline, the update will be installed immediately upon power-on (even if power-on updating has been disabled).
    • Finally, if the target system does not download the update prior to the scheduled deadline, the update (now with an expired deadline) will be installed immediately upon discovery.

    Most importantly: A deadline-initiated installation includes a mandatory reboot that a logged-on user CANNOT override.


    Lawrence Garvin, M.S., MCSA, MCITP:EA, MCDBA
    SolarWinds Head Geek
    Microsoft MVP - Software Packaging, Deployment & Servicing (2005-2014)
    My MVP Profile: http://mvp.microsoft.com/en-us/mvp/Lawrence%20R%20Garvin-32101
    http://www.solarwinds.com/gotmicrosoft
    The views expressed on this post are mine and do not necessarily reflect the views of SolarWinds.

    • Marked as answer by Steven_Lee0510 Wednesday, January 7, 2015 8:34 AM
    Thursday, December 18, 2014 11:25 PM
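
The deadline behaviour listed in the answer above, modelled as an added example (not part of the original thread and not the answerer's or Microsoft's code). The `Client` fields, the daily schedule, the sample dates and the treatment of every install at or past the deadline as deadline-initiated are assumptions made for illustration.

```python
from dataclasses import dataclass
from datetime import datetime, time, timedelta
from typing import Optional

@dataclass
class Client:
    downloaded_at: datetime                   # when the client has the approved update
    scheduled_install: Optional[time] = None  # daily scheduled install time (assumed daily)
    install_at_power_up: bool = True          # "on by default" per the answer
    powered_off: tuple = ()                   # (start, end) windows when the machine is off

def rule_deadline(approved_at, days=7, at=time(3, 0)):
    """Deadline for a rule like '7 days after the approval at 3:00am'."""
    return datetime.combine(approved_at.date() + timedelta(days=days), at)

def power_on(c, t):
    """Return when the machine comes back on if it is off at t, else None."""
    for start, end in c.powered_off:
        if start <= t < end:
            return end
    return None

def install_time(c, deadline):
    """Return (when, trigger, forced_reboot) for one client and one update.
    Assumption: any install at or past the deadline is deadline-initiated."""
    if c.downloaded_at >= deadline:
        return c.downloaded_at, "expired deadline, installed on discovery", True
    if c.scheduled_install is not None:
        slot = datetime.combine(c.downloaded_at.date(), c.scheduled_install)
        if slot < c.downloaded_at:
            slot += timedelta(days=1)
        while slot < deadline:
            back_on = power_on(c, slot)
            if back_on is None:
                return slot, "scheduled installation", False
            if c.install_at_power_up and back_on < deadline:
                return back_on, "missed schedule, installed at power-up", False
            slot += timedelta(days=1)
    # User-launched and at-shutdown installs are optional ("MAY"), so the model
    # ignores them and reports the latest point the agent allows.
    back_on = power_on(c, deadline)
    if back_on is None:
        return deadline, "deadline reached", True
    return back_on, "powered off at deadline, installed at power-on", True

# Constructed sample: approval on 2014-12-09 20:00, clients download at 22:00.
APPROVED = datetime(2014, 12, 9, 20, 0)
DEADLINE = rule_deadline(APPROVED)            # 2014-12-16 03:00
GOT_IT = datetime(2014, 12, 9, 22, 0)
```

With these sample values, a client that has a 03:00 scheduled installation installs on 2014-12-10, the morning after approval, while a client with no schedule is forced to install and reboot at 03:00 on 2014-12-16.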