Windows WSUS – Configuring Automatic Updates Delays

Tags: automatic-updates, windows, windows-update, wsus

Right now we have 2 groups of Computers set up in our WSUS server (2012R2).
One is an early release group for testing and the other is the production group with all of the other workstations.

We have automatic updates configured for the first group but not the second, which means we currently have to manually approve updates to the production group. I'd like to be able to automate the deployment of updates to group 2, but unfortunately that would mean we would be unable to vet the updates before release. However, if we were able to set up automatic updates for the production group in a way that would allow us to stop the update from being installed for the first week or two of release, that would give us time to properly vet the updates before releasing them into the production group.

Basically, I'm wondering if there is any way to set up a delay schedule in WSUS where an update will be applied to the Early release group the day of availability, and then 2 weeks later it will be automatically approved for the production group, but not before then.

If there is no way to set this up in WSUS natively, do you know of any programs that would help us do this?

Best Answer

To have updates apply to a test group followed by everyone else, which is basically what you're trying to do, I set an install time in Group Policy for the test group of computers (the next weekend, for example) and then deadline the updates for one week after the test date. There's also a Group Policy option (that admittedly I haven't used) that removes access to Windows Update features.

In Group Policy: under Computer Configuration -> Policies -> Administrative Templates -> Windows Components -> Windows Update (which you've probably already found, since you're using WSUS in the first place).

In the WSUS console, under Options -> Automatic Approvals.

If you wanted to apply them to the test group the same day, you could automatically deadline new updates for 14 days later.

The "Remove access to use all Windows Update features" option is also under Computer Configuration -> Policies -> Administrative Templates -> Windows Components -> Windows Update.

I don't imagine that would block someone from entering wuauclt /detectnow on the command line, though. The documentation on this policy says:

By enabling the Group Policy setting under Computer Configuration\Administrative Templates\Windows Components\Windows update\Remove access to use all Windows update features, administrators can disable the "Check for updates" option for users. Any background update scans, downloads and installations will continue to work as configured.

You'd probably need to test it to see if the command line would cause a pop-up notification. If it does, there is (or used to be) a registry key that suppresses those notifications that should be scriptable to a value of 0.

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoAutoTrayNotify
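The answer above gets the two-week gap by deadlining new approvals 14 days out. The staged approval the question actually asks for (approve to the test group on day one, approve to production only two weeks later) can be scripted against the WSUS administration API that ships with the 2012 R2 console. The script below is an added example, not code from the question or the answer: it promotes every update that has carried an Install approval for the test group for at least 14 days, and that reports no failed installs in that group, to the production group with a forced-install deadline. The server name, port and group names are assumptions; change them to match your server.

```powershell
# Added example: staged WSUS approval (test group first, production $DelayDays later).
# Server, port and group names are assumptions; adjust to your environment.
[CmdletBinding(SupportsShouldProcess = $true)]
param(
    [string]$WsusServer   = 'wsus01.example.local',   # assumed host name
    [int]   $WsusPort     = 8530,                     # 8531 when the console uses SSL
    [bool]  $UseSsl       = $false,
    [string]$TestGroup    = 'Early Release',          # assumed group names
    [string]$ProdGroup    = 'Production',
    [int]   $DelayDays    = 14,                       # vetting window from the question
    [int]   $DeadlineDays = 7                         # forced-install deadline after promotion
)

# The administration assembly is installed with the WSUS role / console.
Add-Type -AssemblyName 'Microsoft.UpdateServices.Administration'
$wsus = [Microsoft.UpdateServices.Administration.AdminProxy]::GetUpdateServer($WsusServer, $UseSsl, $WsusPort)

$groups = $wsus.GetComputerTargetGroups()
$test = $groups | Where-Object Name -eq $TestGroup
$prod = $groups | Where-Object Name -eq $ProdGroup
if (-not $test -or -not $prod) { throw "Could not find both target groups '$TestGroup' and '$ProdGroup'." }

$cutoff  = (Get-Date).AddDays(-$DelayDays)
$install = [Microsoft.UpdateServices.Administration.UpdateApprovalAction]::Install

# Only updates that already carry an approval are candidates; anything unapproved
# or declined never reaches production through this script.
$scope = New-Object Microsoft.UpdateServices.Administration.UpdateScope
$scope.ApprovedStates = [Microsoft.UpdateServices.Administration.ApprovedStates]::LatestRevisionApproved

foreach ($update in $wsus.GetUpdates($scope)) {
    $approvals = $update.GetUpdateApprovals()

    # Stage 1 must have happened: an Install approval for the test group that is
    # old enough to have given you the vetting window.
    $testApproval = $approvals | Where-Object {
        $_.ComputerTargetGroupId -eq $test.Id -and
        $_.Action -eq $install -and
        $_.CreationDate -le $cutoff
    }
    if (-not $testApproval) { continue }

    # Already has an approval of its own for the production group? Skip it.
    if ($approvals | Where-Object { $_.ComputerTargetGroupId -eq $prod.Id }) { continue }

    # Gate on what the test group actually reported back to WSUS: a failed install
    # anywhere in the test group holds the update, which is the point of the test group.
    $summary = $update.GetSummaryForComputerTargetGroup($test)
    if ($summary.FailedCount -gt 0) {
        Write-Warning ("Holding '{0}': {1} failed install(s) in '{2}'." -f $update.Title, $summary.FailedCount, $TestGroup)
        continue
    }

    if ($PSCmdlet.ShouldProcess($update.Title, "Approve for '$ProdGroup' with a $DeadlineDays-day deadline")) {
        # Some updates cannot be approved until the EULA is accepted server-side.
        if ($update.RequiresLicenseAgreementAcceptance) { $update.AcceptLicenseAgreement() }
        $deadline = (Get-Date).AddDays($DeadlineDays)
        $null = $update.Approve($install, $prod, $deadline)
        Write-Output ("Approved '{0}' for '{1}', deadline {2:yyyy-MM-dd}" -f $update.Title, $ProdGroup, $deadline)
    }
}
```

Run it first with `-WhatIf` to see what it would promote, then schedule it daily under an account that is a member of the local WSUS Administrators group on the server. The failed-install check only works if the test machines actually report back before the window expires, so keep the detection interval on the test group short and watch for updates that sit at "Unknown" status for the whole two weeks.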