With all of the problems with Windows Desktop Search rolling out without explicit approval from WSUS, I have closed down all automatic approvals, and now have to manually approve every update in WSUS. At least I thought I had.
It seems that when you go into WSUS -> Options -> Automatic Approvals, there are two things to change. First, you have to change the Update Rules, and then you also have to change the Advanced items. The Advanced items are easiest, because they are simple checkboxes: checked is ON, unchecked is OFF.
For Update Rules, it is more complicated. There is a checkbox beside each Update Rule, but that is only for selecting the rule so you can Run Rule right then. This is the part that tripped me up. The box was checked when I first opened this, so I, falsely, believed that unchecking it turned it off. That does not seem to be the case, because updates came through and were automatically approved.
If you want to disable an Update Rule there are two ways you can do it:
- Delete it. I really can’t explain it simpler than that.
- Fake it out. Create a new Computer Group and assign the rule to run for that group only.
If you want to fake the rule out, you will need to first create a new computer group. To do this, you close the Automatic Approvals window, then expand the Computers group, then right-click the All Computers group and select Add Computer Group.
Name the group and click OK. Go back to Automatic Approvals, select an update rule, and then Edit.
Click on the name for “Approve the update for…” and then select the new group you created. You can now click OK to save the rule.
So, if you are like me, you turned off automatically approving Revisions to Updates, and you might be wondering how you know if a new revision has come out. Well, you just go to WSUS -> Update -> All Updates. Then you choose Approval: Approved, Status: Any. Then you sort by Release Date, and click on the recent ones. Now you scroll through all of them, looking for the following text at the beginning of the description:
Now, if you want more information, right click the update and choose Revision History, and you will get a window like this:
If you are wondering, no, you don’t get to see what was updated, such as the description change or the applicability change, just that it was updated. If you decide to approve the update, then you have to close this window and then use either the Action menu or window, or open the Status Report and click on Net Approved status to change it.
Sadly, I have not found a way to see the list of updates that have been approved, but have a new revision. If it has been approved before, then the approval category is still “approved,” and the status is still “installed.” So, you have to go through each one to find any updated ones, and this is from the list of already approved updates, not the list of unapproved updates.
This is all quite aggravating.
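The checks described above (whether an Update Rule is really off, what the Advanced checkboxes are set to, and which approved updates have a newer revision) can also be read from a script. This is an added example, not part of the original post; it uses the WSUS administration API (`Microsoft.UpdateServices.Administration`), is read-only, and assumes it is run in PowerShell on the WSUS server itself by a WSUS administrator.

```powershell
# Added example: read-only audit of WSUS automatic approval state.
# Assumption: runs on the WSUS server, where the administration assembly is installed.
[void][Reflection.Assembly]::LoadWithPartialName('Microsoft.UpdateServices.Administration')
$wsus = [Microsoft.UpdateServices.Administration.AdminProxy]::GetUpdateServer()

function Get-ApprovalRuleState {
    # One row per Update Rule: its real Enabled flag, the groups it targets,
    # and how many computers those groups contain (0 means the rule is "faked out").
    foreach ($rule in $wsus.GetInstallApprovalRules()) {
        $groups  = @($rule.GetComputerTargetGroups())
        $targets = 0
        foreach ($g in $groups) { $targets += $g.GetComputerTargets().Count }
        New-Object PSObject -Property @{
            Rule      = $rule.Name
            Enabled   = $rule.Enabled
            Groups    = ($groups | ForEach-Object { $_.Name }) -join ', '
            Computers = $targets
        }
    }
}

function Get-AdvancedApprovalState {
    # The server-wide settings behind the Advanced checkboxes.
    $cfg = $wsus.GetConfiguration()
    New-Object PSObject -Property @{
        AutoApproveNewRevisions  = $cfg.AutoRefreshUpdateApprovals
        AutoApproveWsusUpdates   = $cfg.AutoApproveWsusInfrastructureUpdates
    }
}

function Get-StaleApprovedUpdate {
    # Updates whose approval points at an older revision than the latest one.
    $scope = New-Object Microsoft.UpdateServices.Administration.UpdateScope
    $scope.ApprovedStates =
        [Microsoft.UpdateServices.Administration.ApprovedStates]::HasStaleUpdateApprovals
    $wsus.GetUpdates($scope) |
        Sort-Object ArrivalDate -Descending |
        Select-Object Title, ArrivalDate,
            @{ Name = 'LatestRevision'; Expression = { $_.Id.RevisionNumber } }
}

Get-ApprovalRuleState     | Format-Table Rule, Enabled, Groups, Computers -AutoSize
Get-AdvancedApprovalState | Format-List
Get-StaleApprovedUpdate   | Format-Table -AutoSize
```

A rule is only ineffective if it shows `Enabled` as `False` or a `Computers` count of 0; running this after each change in the console confirms which state the server actually stored.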