Windows – How to automatically approve important updates from WSUS

windows wsus

I am working on improving my WSUS and was asked to figure out how to automatically approve updates that are "important." Right now, we automatically approve updates that are Critical Updates, Definition Updates, or Security Updates.

I read that there is a semantic difference between the Microsoft site and WSUS (http://www.winvistatips.com/threads/update-categories-in-wsus-vs-microsoft.748317/).

I am wondering if there is a way to automatically approve updates that the Microsoft website classifies as important. Any assistance would be appreciated.

Best Answer

My advice is to only configure Auto Approval rules for a limited set of Windows Updates, generally anything that is classified as a Security Update, and only for a limited set of your servers and workstations.

You can then manually approve those updates for a wider set of your servers and workstations after a period of testing.

As an aside, be aware that there is a distinction between Classifications vs. Severity. Microsoft has helpfully reused the term 'critical' to refer to both a classification of Windows Update and a Severity Rating, so you have Critical Updates that fix a specific problem that addresses a critical, non-security-related bug (Classification), and you have Security Updates that have a Severity Rating of Critical. You will notice the same applies to Updates with a Severity of 'Important'.

My focus with Windows Update is primarily to ensure that security vulnerabilities are fixed, hence I only really have Auto Approval rules for Updates that are classified as Security Updates, regardless of their severity. If I find a Critical Update that needs to be deployed, that is generally a one-off for our organization. I don't bother with any others.

Also be aware that Service Packs and Feature Rollups contain Security Updates along with a host of other things. You need to think very, very carefully about how you want to handle these Classifications of updates because of how much other stuff they include. Again, my organization's focus is on security vulnerabilities, so we do not approve Service Packs or Update Rollups on any automatic or widespread basis unless we have a specific need to do so.

I would advise that you only auto-approve Security Updates and that you are more selective with Critical Updates, but it is really a matter of what works best in your organization.

WSUS Auto Approval Rules
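
The approach in the answer above (auto-approve only the Security Updates classification, and only for a limited set of machines) can be scripted against the WSUS administration API. This is an added example, not code from the original answer; the group name `Pilot` and the rule name are assumptions, and the group is expected to exist already. The last statement lists the MSRC severity of unapproved security updates to show that severity is a separate attribute from classification.

```powershell
# Added example. Run in an elevated PowerShell session on the WSUS server.
# Assumptions: a computer group named 'Pilot' exists; the rule name is arbitrary.
$pilotGroupName = 'Pilot'
$ruleName       = 'Auto-approve Security Updates (Pilot)'

# Get-WsusServer (UpdateServices module) also loads the WSUS administration assembly.
$wsus = Get-WsusServer

# Classification = the type of update. Select only "Security Updates".
$secClass = $wsus.GetUpdateClassifications() |
    Where-Object { $_.Title -eq 'Security Updates' }
if (-not $secClass) { throw "Classification 'Security Updates' not found on this server." }
$classifications = New-Object Microsoft.UpdateServices.Administration.UpdateClassificationCollection
[void]$classifications.Add($secClass)

# Scope the rule to the pilot group only, not 'All Computers'.
$pilot = $wsus.GetComputerTargetGroups() |
    Where-Object { $_.Name -eq $pilotGroupName }
if (-not $pilot) { throw "Computer group '$pilotGroupName' not found." }
$groups = New-Object Microsoft.UpdateServices.Administration.ComputerTargetGroupCollection
[void]$groups.Add($pilot)

# Reuse the rule if it already exists so the script can be re-run safely.
$rule = $wsus.GetInstallApprovalRules() | Where-Object { $_.Name -eq $ruleName }
if (-not $rule) { $rule = $wsus.CreateInstallApprovalRule($ruleName) }

$rule.SetUpdateClassifications($classifications)
$rule.SetComputerTargetGroups($groups)
$rule.Enabled = $true
$rule.Save()

# Severity is a separate attribute: count unapproved Security Updates by
# MSRC severity (Critical, Important, Moderate, Low, Unspecified).
Get-WsusUpdate -Classification Security -Approval Unapproved -Status Any |
    Group-Object { $_.Update.MsrcSeverity } |
    Select-Object Name, Count
```

After the pilot period, the same updates can be approved for wider groups manually in the console or with `Approve-WsusUpdate -Action Install -TargetGroupName <group>`.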