WSUS Auto Approval Bandwidth Saving

SKiTLz

I've never really utilized WSUS in my environments much as I always found it to be an administration nightmare.
We are getting to the size where I'd really like to cut down our bandwidth usage though, and I'm looking to implement it. I'm familiar with how it works and how to set it up, but a little foggy on the approval side of things and the best way to do it.

Ideally, I just want to mirror Windows Update's decisions. I'm really not looking to dedicate 10 hours a week to hand selecting updates just to save bandwidth. Is there a combination of classifications I can set to auto approval that will mirror the Windows Update selections?
Also, it's my understanding that I don't need to break out the rules per OS, correct? If I set auto approval globally and the hotfix is for XP, the client is still smart enough not to try to install that patch, correct?

Appreciate any insight on how you guys do it. Overall I find it quite an administration headache for anyone in the 50 seat range. Not small but not quite big enough to warrant sitting there approving updates 1 by 1.
 
I've never really utilized WSUS in my environments much as I always found it to be an administration nightmare.
We are getting to the size where I'd really like to cut down our bandwidth usage though, and I'm looking to implement it. I'm familiar with how it works and how to set it up, but a little foggy on the approval side of things and the best way to do it.

Ideally, I just want to mirror Windows Update's decisions. I'm really not looking to dedicate 10 hours a week to hand selecting updates just to save bandwidth. Is there a combination of classifications I can set to auto approval that will mirror the Windows Update selections?
Also, it's my understanding that I don't need to break out the rules per OS, correct? If I set auto approval globally and the hotfix is for XP, the client is still smart enough not to try to install that patch, correct?

Appreciate any insight on how you guys do it. Overall I find it quite an administration headache for anyone in the 50 seat range. Not small but not quite big enough to warrant sitting there approving updates 1 by 1.

What about a cache server? So if one computer does a pile of updates, then the next time the next computer does it, it pulls them from a cache server on the network.
 
Although it's not generally a best practice to auto approve everything, you can. You can also do it by classification if you want. You can also pick which products you want to manage updates for, so you can save some storage space and the bandwidth of downloading updates you will never need.

I do have a couple small customers that I have set to auto approve everything, because a little downtime in the rare case that an update breaks something is cheaper than having us test and approve everything on a regular basis. That decision is up to them, though.
 
Although it's not generally a best practice to auto approve everything, you can. You can also do it by classification if you want. You can also pick which products you want to manage updates for, so you can save some storage space and the bandwidth of downloading updates you will never need.

I do have a couple small customers that I have set to auto approve everything, because a little downtime in the rare case that an update breaks something is cheaper than having us test and approve everything on a regular basis. That decision is up to them, though.

If you set auto approve on everything, is that mirroring what you would get through Windows Update? Or are there more/different classifications on the patches through WSUS vs Windows Update?

That is what I've never got a definitive answer on. Given that 99% of our users select/install all updates that Windows Update says to, auto approving all updates for workstations wouldn't be that big of a deal if they are one and the same.
 
What about a cache server? So if one computer does a pile of updates, then the next time the next computer does it, it pulls them from a cache server on the network.

I thought about it. Read a lot of horror stories with guys trying to cache WU with a squid server or equivalent. Seems to work but with a number of quirks that I'd rather not deal with.
 
Approving an update makes it mandatory; WSUS doesn't have any sort of "optional" or "recommended" categories, it's either "install this" or just not available. You probably want to at least auto accept critical and security updates as well as definition updates if you use any MS AV/AM on anything (Forefront, MSE, etc). Maybe updates and update rollups; you probably want to manually approve the rest, esp. service packs.
 
This is how I typically set up a WSUS implementation. Screenshot is from my home lab.

[Screenshot: the WSUS Products and Classifications selection from the poster's home lab]

Also, if you have clients running legacy apps or critical applications that may break from updating you could leverage client side targeting and place those clients in a different computer group that doesn't auto approve via GPO.
 
If you're going to autoapprove updates you might as well approve the update rollups, they're just the updates in a big package, fewer updates to install and all.
 
If you set auto approve on everything, is that mirroring what you would get through Windows Update? Or are there more/different classifications on the patches through WSUS vs Windows Update?

That is what I've never got a definitive answer on. Given that 99% of our users select/install all updates that Windows Update says to, auto approving all updates for workstations wouldn't be that big of a deal if they are one and the same.

Yes, they are the same updates. There are more things you can do to customize what you get though. I would guess that critical, definition and security updates are equal to the default setting for windows update. The Updates and update rollups would be like the optional updates you can also install but are not selected by default. You can set it up to download updates for any version of windows, Office, Visual Studio, MSSE, etc. l3thal6's screenshot shows the categories you can break it down into. If you don't want it to automatically pull all of the driver updates for an OS, you would want to uncheck the box like he has. If you don't want to automatically have it download powershell, I believe you would want to uncheck tools. In the updates category there should be the updates for IE so if you set auto approve just know that when IE10 comes out your boxes are going to automatically download and install it.

I would agree with l3thal6's settings plus the update rollups like dragon said. If you were manually approving updates you can just approve the rollups as they supersede all of the updates that are below them. Just keep in mind that you only want to approve the operating systems that you have most of your clients on. You do not want to approve updates for Server 2008 R2 if you only have 1 server because it will download ALL updates for it and take up multiple gigabytes of space. XP is probably the worst one if you don't have a lot of XP PCs. There might be a way to set it up for post-SP3, but by default it's going to download everything from XP without any service packs all the way up to current. I don't know the number off hand but it's probably 10GB+.

You can always switch a box back and forth from a WSUS server by changing one registry key. It will then look back at the MS servers for updates. This is handy for drivers because you don't need to download every known driver just to install one printer that doesn't provide their own. (HP inkjets on W7 for example)

You also asked about having hotfixes for XP. Yes, the clients use the exact same update lists that you would have from Windows Update. A PC running Windows 7 will not even list updates for Windows XP since they do not pertain to it. Same with updates for IE. If you have IE8 installed it won't attempt to patch on all of the updates for IE6 as those are not needed. You can take a machine at any point and set it to your WSUS server and it will scan the PC and figure out what updates it needs to be current. So you can install Windows 7, deploy the network install of SP1, then let it finish approving updates for anything post-SP1.

My biggest gripe with WSUS is getting updates to install in a timely manner. You can set deadlines and it will install updates faster, but then the PCs will force reboots with no option to delay them if it's past the deadline. Otherwise it can be kind of pokey to install updates. There is a batch file called AUForceUpdate you can use, but I swear it doesn't speed anything up. If anyone reading this knows how to basically force Windows Update to install updates, reboot the PC ASAP, then start installing updates as soon as the PC is booted back up, I would love to know how. I really wish they would implement a way to force updates from the server like you can do with several of the enterprise AV solutions.
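The post above mentions switching a box between the WSUS server and Microsoft's servers with one registry key but does not name it. The script below is an added example, not the poster's own; it toggles the UseWUServer policy value (the value that tells the Automatic Updates client whether to honour WUServer) and assumes the WSUS GPO has already written WUServer under the WindowsUpdate policy key. A later Group Policy refresh rewrites the value, so the switch lasts only until then.

```powershell
# Added example: point a client at WSUS or at Microsoft Update by flipping
# HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU\UseWUServer.
# Run as an administrator on the client; UseWUServer = 1 means "use WUServer".
param(
    [Parameter(Mandatory)][ValidateSet('WSUS', 'Microsoft')]
    [string]$Source
)

$auKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU'
$wuKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'

# Record the current state first so the change can be reverted by hand.
$before = Get-ItemProperty -Path $auKey -Name UseWUServer -ErrorAction SilentlyContinue
$server = (Get-ItemProperty -Path $wuKey -Name WUServer -ErrorAction SilentlyContinue).WUServer
"Current UseWUServer = {0} (WUServer = {1})" -f $before.UseWUServer, $server

$value = if ($Source -eq 'WSUS') { 1 } else { 0 }
Set-ItemProperty -Path $auKey -Name UseWUServer -Value $value -Type DWord

# The Windows Update service reads policy at start-up, so restart it and then
# ask for a detection cycle against the newly selected source.
Restart-Service -Name wuauserv
wuauclt.exe /detectnow

$target = if ($value -eq 1) { $server } else { 'Microsoft Update' }
"UseWUServer now {0}; next scan goes to {1}" -f $value, $target
```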
 
You REALLY don't want to enable auto-approve right away, otherwise it ends up downloading like, hundreds of GB of updates when you probably need like 15-20 tops.

First you want to make sure you're only getting the most current updates and not downloading superseded crap that won't ever be used. If you go to "All Updates" and choose Any Except Declined/Any, right click on the column headers and select "Supersedence"; it adds a column where you can sort by what updates supersede what, if at all. There are 4 icons that represent different states:

Approve these:
-Blue rectangle on top of tree - most current update that supersedes others
-No icon - no supersedence, standalone update

Decline these:
-Blue rectangle between two grey ones, one higher, one lower - supersedes other updates but is superseded itself
-Blue rectangle at the bottom of a tree - entirely superseded by one or more other updates

(I can add SS if needed just don't wanna right now)

If you're doing server updates you also want to search for and decline any Itanium updates. For WinXP you're probably going to want to decline any XP-64 and XP x64 updates as well, and any x64 or x86 updates for Vista/7 if you know your shop is all 32 or all 64.

Once you've declined everything you don't want, go back and refresh the "Any Except Declined/Any" list and approve everything, then set up your auto-approve rules. Note you WILL approve and download updates you'd rather not, such as the server and XP Itanium updates; there's no way to say "only auto approve XP x86 and server x64 updates", it's all or nothing for each update product. You'll still save a ton of bandwidth, you'll just use more than necessary with auto-approve (which is why you don't want to AA things like service packs since they tend to be large; other updates are pretty small). You just have to log on to WSUS say once a quarter and search for and decline all the Itanium and superseded updates, then run the cleanup. You'll still have wasted the download, but there's no reason to waste disk space.
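The decline-then-cleanup routine described above (and the quarterly cleanup mentioned later in the thread) can be scripted against the WSUS administration API that installs with the WSUS console. This is an added example, not code from anyone in the thread: it assumes it runs on the WSUS server itself, and the Itanium title pattern is my assumption, so check the dry-run list against your own catalogue before letting it decline anything.

```powershell
# Added example: decline superseded and Itanium updates, then run the same
# clean-up the Server Cleanup Wizard performs. -DryRun only lists candidates.
param([switch]$DryRun)

[void][Reflection.Assembly]::LoadWithPartialName("Microsoft.UpdateServices.Administration")
$wsus = [Microsoft.UpdateServices.Administration.AdminProxy]::GetUpdateServer()

$toDecline = $wsus.GetUpdates() | Where-Object {
    if ($_.IsDeclined) { return $false }
    # IsSuperseded is true for both "decline these" icons in the console:
    # superseded-but-also-superseding, and fully superseded.
    if ($_.IsSuperseded) { return $true }
    # Itanium detection by title is an assumption; adjust for your catalogue.
    $_.Title -match 'Itanium|IA64|IA-64'
}

"{0} update(s) selected for decline" -f @($toDecline).Count
foreach ($u in $toDecline) {
    $why = if ($u.IsSuperseded) { 'superseded' } else { 'itanium' }
    "  [{0}] {1}" -f $why, $u.Title
    if (-not $DryRun) { $u.Decline() }
}

if ($DryRun) { return }

# Server Cleanup: drop obsolete revisions and the content files the declines
# above just orphaned, so disk space is reclaimed after the wasted download.
$scope = New-Object Microsoft.UpdateServices.Administration.CleanupScope
$scope.DeclineSupersededUpdates     = $true
$scope.DeclineExpiredUpdates        = $true
$scope.CleanupObsoleteUpdates       = $true
$scope.CompressUpdates              = $true
$scope.CleanupUnneededContentFiles  = $true
$result = $wsus.GetCleanupManager().PerformCleanup($scope)
"Cleanup freed {0:N0} bytes" -f $result.DiskSpaceFreed
```

Run it with -DryRun first and read the list; superseded updates stay installable through the superseding update, but a decline is a server-wide decision for every client group.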
 
It doesn't take 10 hours a week to manage updates on a WSUS system. The biggest hassle is the first-time setup: choosing your categories and classifications, the first sync, and approving or declining the list. It will take a number of hours the first time, but after that you'll find it only takes 15 minutes or less on the 2 days each month that MS releases updates. The Windows Defender or AV updates, which are updated daily, only take a minute each day. Well worth the time and effort overall.
 
Not really relevant to the OP, but something I found useful that's related to WSUS and bandwidth savings; Remember that BITS can be used to throttle WSUS traffic. This was useful to me in throttling update bandwidth between sites where I don't have a large pipe and I didn't want updates to saturate it during business hours.

Just going to leave that here in case it helps someone searching in the future.

( oh, and once set up, I barely touch my WSUS server. It just kind of plugs along. Once a month I'll test the updates, then approve them. Maybe 2 hours, most of which is spent watching bars paint on my test client ).
 
If you're worried about updates breaking something then just only auto approve security definitions (these come out like 3 times a day you do NOT want to be manually approving them), then every second tuesday of the month if you haven't read any headlines about windows updates horribly breaking computers somewhere just go to Unapproved/Failed or Needed (or Unapproved/Any if you just want to be thorough) and mass approve everything there (unless you hear of a particularly nasty patch with 0-day exploits).
 
I have autoapprove on almost 30+ servers. Haven't encountered anything bad yet.

For the biggest clients I setup proxy servers.
 
Great info guys. I'll take some of your recommendations and re-set it up.

My biggest thing has always been that initial sync. Those thousands of superseded updates right off the bat. I also looked at the list and thought "screw this". Sounds like it can be configured to run pretty maintenance free though, so I'll give it a fair shot.
 
I have WSUS set up for the company I work for. We have 3 separate sites that I manage, and once WSUS got the bugs fixed it is pretty maintenance free.

Definitely don't have "drivers" download.. Windows updated drivers have a very bad tendency to trash systems.

Every few months I go through and do a WSUS cleanup... decline superseded updates and then do a cleanup with the Wizard.

If you go through the setup wizard, you will only want to select what products you are using.

On my setup, WSUS uses a total of 34GB. A few things I have updates for are not even used at the site I am at.. and will probably go away completely eventually.

The guy who said something about hundreds of GB must have never actually set up a WSUS server correctly.. either that or he is using absolutely every single MS OS and every other MS product as well.
 
Yeah, the first time I did it I played the "LET'S SEE WHAT HAPPENS IF WE CHECK AND APPROVE EVERYTHING!" game. >_> What happens is, if you have a download cap, expect a nasty-gram from your ISP that month. "Take two" is a bit more reasonable: 15.5GB.
 