Hi all,
We are thinking about enabling auto-approval for Windows updates in WSUS for staff computers. Up to now, we’ve typically approved updates for a small pilot group first, then rolled them out more widely. That said, we haven’t run into any issues with updates over the past few months.
I’m just wondering what others are doing – do you auto-approve updates for staff devices and handle servers manually, or do you still test everything first?
Would be great to hear what’s working for you.
5 Spice ups
Rod-IT
I moved to Action1 since WSUS deprecation was announced. It’s free for 200 endpoints, no charge, and it’s a lot better at handling automations, including 3rd party apps, and supports update rings, so you can do your tests before deploying to live.
As for WSUS, you can set the GPO to auto deploy and reboot as required.
3 Spice ups
Like @Rod-IT, I use Action1 as well. That being said, we’re in a small environment that I’m always physically present at so I just send it with automatic updates hourly so there is no delay, and I’m always around if things go bad. I can think of only one time “things went bad” with an update and it was 2 years ago on a Server update (an update destroyed the .vhdx files for Hyper-V guests; a good reason to always have verified backups!). Never had a problem with desktop OS really but they’re just glorified web browsers in our workflows.
2 Spice ups
Another Action1 happy person here.
2 Spice ups
Defender updates I auto approve using WSUS configuration for all target groups. Beyond that, I’m not a fan of the auto approval rules built in to WSUS. To get more granular control, I wrote some PowerShell scripts to handle approvals on a daily basis. The scripts also handle declining expired and superseded updates. I have one script for clients and another for servers that get run by the Windows task scheduler. The scripts leverage the PSWindowsUpdate PowerShell module.
2 Spice ups
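A sketch of the kind of scheduled approval script described in the post above, added here as an example; it is not the poster's script and uses the UpdateServices module and WSUS administration API rather than PSWindowsUpdate. The group names `Staff-Pilot` and `Staff-All`, the 7-day deferral and the classification list are assumptions.

```powershell
#Requires -Modules UpdateServices
# Added example: ringed approval plus cleanup, run on the WSUS server.
param(
    [string]$PilotGroup = 'Staff-Pilot',  # hypothetical WSUS computer group
    [string]$BroadGroup = 'Staff-All',    # hypothetical WSUS computer group
    [int]$DeferDays = 7,                  # assumed soak time before broad rollout
    [switch]$Apply                        # without -Apply the script only reports
)

$wsus   = Get-WsusServer                  # connects to the local WSUS instance
$groups = $wsus.GetComputerTargetGroups()
$pilot  = $groups | Where-Object Name -eq $PilotGroup
$broad  = $groups | Where-Object Name -eq $BroadGroup
if (-not $pilot -or -not $broad) { throw 'Target group not found on this server.' }

$install = [Microsoft.UpdateServices.Administration.UpdateApprovalAction]::Install
$wanted  = 'Security Updates', 'Critical Updates'
$cutoff  = (Get-Date).ToUniversalTime().AddDays(-$DeferDays)  # ArrivalDate is UTC

foreach ($u in $wsus.GetUpdates()) {
    if ($u.IsDeclined) { continue }

    # Cleanup: decline updates that are expired or replaced by a newer one.
    if ($u.IsSuperseded -or $u.PublicationState -eq 'Expired') {
        Write-Output "DECLINE        $($u.Title)"
        if ($Apply) { $u.Decline() }
        continue
    }
    if ($u.UpdateClassificationTitle -notin $wanted) { continue }

    # Approval fails while a license agreement is pending; leave those to a human.
    if ($u.RequiresLicenseAgreementAcceptance) {
        Write-Output "SKIP (EULA)    $($u.Title)"
        continue
    }
    # Ring 1: the pilot group gets the update as soon as it has synchronized.
    if ($u.GetUpdateApprovals($pilot).Count -eq 0) {
        Write-Output "APPROVE pilot  $($u.Title)"
        if ($Apply) { [void]$u.Approve($install, $pilot) }
    }
    # Ring 2: everyone else, only after the update has aged past the deferral.
    if ($u.ArrivalDate -le $cutoff -and $u.GetUpdateApprovals($broad).Count -eq 0) {
        Write-Output "APPROVE broad  $($u.Title)"
        if ($Apply) { [void]$u.Approve($install, $broad) }
    }
}
```

Run it once without `-Apply` and review the report before scheduling it; a separate copy with server group names keeps client and server approvals apart.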
I auto approve definitions, but manually approve everything else.
2 Spice ups
If you have the licensing for it, I would recommend you move to Microsoft’s 365 updating feature in Intune. (Update for Business)
Create some rings (test, prod, execs, whathaveyou) then let it rip.
1 Spice up
Rod-IT
@spiceuser-hq9
Do you still need assistance with this?
1 Spice up
We are testing NinjaOne through one of our vendors to test the updates first and then do the push after they approve.
2 Spice ups