
Right now we have 2 groups of computers set up in our WSUS server (2012 R2). One is an early release group for testing and the other is the production group with all of the other workstations.

We have automatic updates configured for the first group, but not the second, which means we currently have to manually approve updates to the production group. I'd like to be able to automate the deployment of updates to group 2, but unfortunately that would mean we would be unable to vet the updates before release. However, if we were able to set up automatic updates for the production group in a way that would allow us to stop the update from being installed for the first week or two of release, that would give us time to properly vet the updates before releasing them into the production group.

Basically, I'm wondering if there is any way to set up a delay schedule in WSUS where an update will be applied to the Early release group the day of availability, and then 2 weeks later it will be automatically approved for the production group, but not before then.

If there is no way to set this up in WSUS natively, do you know of any programs that would help us do this?

McITGuy

1 Answer


To have updates apply to a test group followed by everyone else, which is basically what you're trying to do, I set an install time in Group Policy for the test group of computers (the next weekend, for example) and then deadline the updates for one week after the test date. There's also a Group Policy option (that admittedly I haven't used) that removes access to Windows Update features.

In Group Policy: under Computer Configuration -> Policies -> Administrative Templates -> Windows Components -> Windows Update (which you've probably already found, since you're using WSUS in the first place).

In the WSUS console, under Options -> Automatic Approvals.

If you wanted to apply them to the test group the same day, you could automatically deadline new updates for 14 days later.

The "Remove access to use all Windows Update features" option is also under Computer Configuration -> Policies -> Administrative Templates -> Windows Components -> Windows Update.

I don't imagine that would block someone from entering wuauclt /detectnow on the command line, though. The documentation on this policy says:

By enabling the Group Policy setting under Computer Configuration\Administrative Templates\Windows Components\Windows update\Remove access to use all Windows update features, administrators can disable the "Check for updates" option for users. Any background update scans, downloads and installations will continue to work as configured.

You'd probably need to test it to see if the command line would cause a pop-up notification. If it does, there is (or used to be) a registry key that suppresses those notifications that should be scriptable to a value of 0.

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoAutoTrayNotify

Katherine Villyard
  • Wouldn't this still allow the production group to install updates as soon as they are available during our nightly update schedule? What we really want is to stop the production group from installing updates under any circumstances for the first 2 weeks of release, and then after two weeks have the automatic approval kick in. The set-up you showed is how we currently have our test group set up, minus the delay of 12 days on the deadline. I was under the impression that the deadline is not the minimum length of time to wait before installing updates, but the maximum time to wait before updating – McITGuy Nov 02 '18 at 20:38
  • I skimmed right past that piece. Hang on, updating answer... – Katherine Villyard Nov 02 '18 at 20:41
  • And yes, the deadline is "If they haven't installed it yet, force them," or, as you said, the maximum time to wait. – Katherine Villyard Nov 02 '18 at 21:10
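Since WSUS has no built-in "approve for group 2 only after N days" rule, the delay has to live outside the console. The script below is an added example, not code from the question or answer: it promotes an update to production only if it has carried an Install approval for the early-release group for at least 14 days, so pulling that test approval (or declining the update) during the soak period keeps it out of production. The group names, the 14-day window and running it on the WSUS server itself (as a scheduled task) are assumptions.

```powershell
# Added example: promote updates from the early-release group to production only after
# they have been approved for the early-release group for $SoakDays days.
# Assumed: group names "Early Release" and "Production", 14-day soak, run on the WSUS host.
param(
    [string]$TestGroupName = 'Early Release',
    [string]$ProdGroupName = 'Production',
    [int]$SoakDays = 14,
    [switch]$WhatIf
)

Import-Module UpdateServices
$wsus = Get-WsusServer   # IUpdateServer for the local WSUS instance

$groups    = $wsus.GetComputerTargetGroups()
$testGroup = $groups | Where-Object { $_.Name -eq $TestGroupName }
$prodGroup = $groups | Where-Object { $_.Name -eq $ProdGroupName }
if (-not $testGroup -or -not $prodGroup) { throw "Target group not found; check the group names." }

$install = [Microsoft.UpdateServices.Administration.UpdateApprovalAction]::Install
$cutoff  = (Get-Date).AddDays(-$SoakDays)

foreach ($update in $wsus.GetUpdates()) {
    # Declined or superseded updates never promote, regardless of age.
    if ($update.IsDeclined -or $update.IsSuperseded) { continue }

    # The gate: an Install approval for the test group whose go-live time is at least
    # $SoakDays in the past. Removing that approval after a bad test blocks promotion.
    $testApproval = $update.GetUpdateApprovals($testGroup) |
        Where-Object { $_.Action -eq $install } | Select-Object -First 1
    if (-not $testApproval -or $testApproval.GoLiveTime -gt $cutoff) { continue }

    # Skip anything production already has an Install approval for.
    $alreadyProd = $update.GetUpdateApprovals($prodGroup) | Where-Object { $_.Action -eq $install }
    if ($alreadyProd) { continue }

    if ($WhatIf) {
        Write-Host "Would approve '$($update.Title)' for '$ProdGroupName' (test go-live $($testApproval.GoLiveTime))"
        continue
    }
    if ($update.RequiresLicenseAgreementAcceptance) { $update.AcceptLicenseAgreement() }
    $null = $update.Approve($install, $prodGroup)
    Write-Host "Approved '$($update.Title)' for '$ProdGroupName'"
}
```

Run it first with -WhatIf to review what would be promoted; the Automatic Approvals rule in the console should then target only the early-release group, since this script is what feeds production.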