If you utilize automated update deployment tools, such as Windows Server Update Services (WSUS) or System Center Configuration Manager, you likely use automatic rules to streamline the approval and deployment of Windows updates.
No. I don't. Triaging WSUS updates is much more complex. The only updates I have set to auto-approve are malware definition updates. I use a PowerShell script to:
- Decline updates released for ARM64, Itanium and IA-32, because we only have x64 systems. Declining updates for IA-32 is truly difficult because they are either not marked or marked incorrectly. Sometimes they have "32-bit" or "x86" in their names.
- Decline tens of gigabytes worth of Windows 10 updates too. We do not want updates for Windows 10 version 1507 (OEM), 1511 (November Update), 1607 (Anniversary Update), 1703 (Creators Update), 1709 (Fall Creators Update), or 1809 (fall destroyer update). Just Windows 10 version 1803.
- Decline cluster updates, farm updates, "security-only" updates, "security-only quality" (🙄) updates, and preview updates.
In addition:
- Any "package" released for .NET Framework needs manual case-by-case approval too.
- From time to time, I go down to a random computer and run a LOB tool that I've written myself. It connects to Microsoft Update service and checks for updates but does not download them. (It uses Microsoft's own WSUS API. No tricks.) Occasionally, I find that there are updates that somehow failed to appear on WSUS.
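The title-based triage described in the comment above could look like the following sketch, which is an added example and not the commenter's script. `Get-DeclineReason`, the title patterns and the sample titles (with placeholder KB numbers) are assumptions; cluster and farm updates are left out because the comment does not say how they are identified.

```powershell
# Added example. Classifies an update title; returns a decline reason or $null (keep / review by hand).
function Get-DeclineReason {
    param([Parameter(Mandatory)][string]$Title)

    # .NET Framework packages get manual case-by-case approval, so never auto-decline them.
    if ($Title -match '\.NET Framework') { return $null }

    if ($Title -match 'ARM64')        { return 'ARM64' }
    if ($Title -match 'Itanium|IA64') { return 'Itanium' }

    # IA-32 is inconsistently marked: decline only when a 32-bit marker is present
    # and no 64-bit marker appears in the same title. Ambiguous titles fall through.
    if ($Title -match '\b(x86|32-bit)\b' -and $Title -notmatch '\b(x64|64-bit)\b') {
        return 'IA-32'
    }

    # Windows 10: keep version 1803 only. Titles that carry no version number are not matched.
    if ($Title -match 'Windows 10 Version (\d{4})' -and $Matches[1] -ne '1803') {
        return "Windows 10 version $($Matches[1])"
    }

    if ($Title -match 'Security[- ]Only') { return 'Security-only' }
    if ($Title -match '\bPreview\b')      { return 'Preview' }
    return $null
}

# Constructed sample titles so the classifier can be checked without a WSUS server.
$sample = @(
    'Cumulative Update for Windows 10 Version 1803 for x64-based Systems (KB0000001)',
    'Cumulative Update for Windows 10 Version 1709 for x64-based Systems (KB0000002)',
    'Cumulative Update for Windows 10 Version 1803 for x86-based Systems (KB0000003)',
    'Cumulative Update for Windows 10 Version 1803 for ARM64-based Systems (KB0000004)',
    'Security Only Quality Update for Windows Server 2012 R2 for x64-based Systems (KB0000005)',
    'Preview of Monthly Quality Rollup for Windows Server 2012 R2 for x64-based Systems (KB0000006)',
    'Security and Quality Rollup for .NET Framework 4.8 for x64 (KB0000007)'
)
$sample | ForEach-Object {
    [pscustomobject]@{ Reason = Get-DeclineReason $_; Title = $_ }
} | Format-Table -AutoSize

# On a WSUS server (UpdateServices module present): dry run with -WhatIf.
if (Get-Command Get-WsusUpdate -ErrorAction SilentlyContinue) {
    Get-WsusUpdate -Approval AnyExceptDeclined -Status Any |
        Where-Object { Get-DeclineReason $_.Update.Title } |
        Deny-WsusUpdate -WhatIf
}
```

Review the `-WhatIf` output before removing the switch, since a declined update is no longer offered to any client of that WSUS server.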