I’m writing to communicate a STRONG OPINION I have regarding a COMMON ERROR I see often with companies using Windows Server Update Services (WSUS). This is based on the version of WSUS provided with Server 2012 R2, but similar principles should apply to WSUS on other Windows Server releases.
With a fresh install of WSUS, a Default Approval Rule will be present that will AUTO-APPROVE ONLY CRITICAL and SECURITY updates for ALL COMPUTERS in the organization. I recommend leaving this approval rule enabled (checked), so that the MOST IMPORTANT UPDATES are auto-approved and installed on the company computers that report to your WSUS server. With this conservative and automatic approval setting, you are trying to ensure that all computers receive crucial bug-fix or security-vulnerability patches. Occasionally an update approved at this level may cause a system problem – if this risk is a concern, you may want to place WSUS clients in different target groups that receive updates on different schedules, so that some systems stay operational while you withdraw approval for the troublesome update, determine what went wrong, and fix the affected clients.
The trouble I see is that the WSUS management console reports “NEEDED” updates, which really just means – an update published by Microsoft that applies to software installed on one of your clients. These updates are not actually NEEDED unless you decide to install them. Since the default rule will only approve CRITICAL and SECURITY updates, there will be a large list of Needed updates reported in your WSUS server console. When an admin logs into WSUS, they naturally want to Resolve the problem and Approve the Needed updates. This is WRONG, DO NOT APPROVE these “Needed” updates. All updates that are not classified as Critical or Security have a MUCH HIGHER RISK of breaking your client systems, as they are not providing a critical bug fix or security vulnerability patch. I recommend that WSUS administrators leave these less urgent update classifications unapproved unless a specific update is released that addresses a known issue with software in use on your Update Services client PCs.
I can’t stress enough that this more conservative WSUS update approval process will HELP YOU AVOID APPLYING A “BAD UPDATE” to your clients. In WSUS the term “Needed” might be better interpreted as – current release update that applies to software installed on your WSUS Client system(s) (updates of any classification).
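The following PowerShell script is an added example and not part of the original post. It uses the UpdateServices module that ships with WSUS on Server 2012 R2 to show, first, what each install approval rule actually auto-approves and for which target groups, and second, how much of the console's “Needed, unapproved” list is Critical or Security (the classifications the default rule covers) versus everything else (the “needed in name only” updates the post says to leave alone). The optional staged approval at the end, the “Pilot” target group name, and the report-only default are assumptions for illustration, not settings from the post; run it on the WSUS server in an elevated session.

```powershell
# Added example (not from the original post): audit WSUS approval rules and
# "Needed" updates by classification, then optionally approve only Critical and
# Security updates to a pilot target group for a staged rollout.
# Assumptions: UpdateServices module present (WSUS on Server 2012 R2), run on the
# WSUS server itself, and a computer target group named "Pilot" exists.
[CmdletBinding(SupportsShouldProcess = $true)]
param(
    [string]$PilotGroup = 'Pilot',   # hypothetical target group for the first wave
    [switch]$ApprovePilot            # without this switch the script only reports
)

# Local server on the default port; use Get-WsusServer -Name/-PortNumber for a remote one.
$wsus = Get-WsusServer

# Classification titles the default approval rule covers and the post treats as safe to auto-approve.
$trusted = @('Critical Updates', 'Security Updates')

# 1. What does each install approval rule auto-approve, and for whom?
foreach ($rule in $wsus.GetInstallApprovalRules()) {
    $classes = ($rule.GetUpdateClassifications() | ForEach-Object Title) -join ', '
    $groups  = ($rule.GetComputerTargetGroups()  | ForEach-Object Name)  -join ', '
    '{0,-35} enabled={1,-5} classifications=[{2}] groups=[{3}]' -f `
        $rule.Name, $rule.Enabled, $classes, $groups
}

# 2. Break the console's "Needed" + "Unapproved" view down by classification.
$needed  = Get-WsusUpdate -UpdateServer $wsus -Classification All -Approval Unapproved -Status Needed
$byClass = $needed |
    Group-Object { $_.Update.UpdateClassificationTitle } |
    Sort-Object Count -Descending
foreach ($g in $byClass) {
    $tag = if ($trusted -contains $g.Name) { 'SHOULD BE AUTO-APPROVED' } else { 'LEAVE UNAPPROVED' }
    '{0,5}  {1,-30} {2}' -f $g.Count, $g.Name, $tag
}

# 3. Optional staged rollout: approve only the trusted classifications, and only to the pilot group.
#    -WhatIf shows what would be approved without changing anything.
if ($ApprovePilot) {
    $needed |
        Where-Object { $trusted -contains $_.Update.UpdateClassificationTitle } |
        ForEach-Object {
            if ($PSCmdlet.ShouldProcess($_.Update.Title, "Approve for install on '$PilotGroup'")) {
                Approve-WsusUpdate -Update $_ -Action Install -TargetGroupName $PilotGroup
            }
        }
}
```

Run it without switches to get the two reports; a non-zero count against anything other than Critical Updates or Security Updates is exactly the list the post warns you not to approve wholesale. With `-ApprovePilot -WhatIf` you see which Critical and Security updates would go to the pilot group, which is the staged-group approach described above for limiting the blast radius of a bad update.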
I’m sure there are many opinions about this topic, as it is a matter of administrative preference or policy for each WSUS network. This blog post is just a quick note of WARNING – if you apply all “WSUS Needed” updates, you are increasing the risk of applying some “bad updates” to your client systems.