Defining Automatic Approval Rules

 

Applies To: Windows Server Update Services

Automatic approval rules apply to newly synchronized updates (the rules apply to new updates only, not to a new revision of an update). You can create one scan rule and one install rule. If the scan rule and install rule apply to the same classification and target group, the install rule overrides the scan rule.

Typically, you create an automatic approval rule to scan clients for applicable updates. A scan approval rule asks the client to detect whether the update is applicable (can be installed on the client to update existing software), but does not install the update. You can generate a report from the scan results to determine which clients in the target group can apply the update.

To define an automatic approval rule

  1. Call GetInstallApprovalRules to retrieve the install approval rule.

  2. Set Enabled to true.

  3. Call SetUpdateClassifications to specify the classification of updates for which you want to automatically create the approval. For example, create a scan approval rule to detect applicable critical and security updates.

  4. Call SetComputerTargetGroups to specify the target groups to which you want to apply the rule.

  5. Call Save to save the rule.

The following example shows how to create and enable an automatic approval rule to scan clients in the All Computers group for applicable critical and security updates. The server variable that is used in the example is an instance of IUpdateServer (for an example that retrieves an IUpdateServer instance and sets the preferred culture, see Using the WSUS 3.0 Class Library).

IAutomaticUpdateApprovalRule scanRule = null;  
ComputerTargetGroupCollection targetGroups = null;  
UpdateClassificationCollection classifications = null;  
  
//Retrieve the scan rule.  
scanRule = server.GetScanApprovalRule();  
  
//Specify the target groups to which you want to apply the rule.  
targetGroups = new ComputerTargetGroupCollection();  
targetGroups.Add(server.GetComputerTargetGroup(ComputerTargetGroupId.AllComputers));  
scanRule.SetComputerTargetGroups(targetGroups);  
  
//Specify the classification of updates to which you want to apply the rule.  
classifications = new UpdateClassificationCollection();  
foreach (IUpdateClassification classification in server.GetUpdateClassifications())  
{  
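  //Compare titles without depending on the current thread culture.
  if (String.Equals(classification.Title, "critical updates", StringComparison.OrdinalIgnoreCase) ||
      String.Equals(classification.Title, "security updates", StringComparison.OrdinalIgnoreCase))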
  {  
    classifications.Add(classification);  
  }  
}  
scanRule.SetUpdateClassifications(classifications);  
  
//Enable the rule.  
scanRule.Enabled = true;  
  
//Save the rule.  
scanRule.Save();  
  

You can define an automatic approval rule to automatically install specific classifications of updates, for example, critical updates or security updates, to groups of clients in your organization. However, you typically use the automatic install approval rule to deploy updates to a test group where you test the update to ensure that there are no issues with the updates in your environment. If there are no issues, you can then manually approve the updates for deployment to other clients in your organization.

Note that the automatic install approval rule will not deploy an update if the update requires the acceptance of a license agreement. If this occurs, WSUS logs an NT event to the event log. The event identifier is 422.
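The test-group deployment described above, as an added example that is not part of the original page or the WSUS documentation. It assumes the WSUS 3.0 API, in which GetInstallApprovalRules returns a collection and CreateInstallApprovalRule (not shown on this page) creates a named rule. The group name "Patch Test" and the rule name are hypothetical, and the classification titles are assumed to be in English, as in the example above.

```csharp
using System;
using Microsoft.UpdateServices.Administration;

static class TestGroupInstallRule
{
    // Hypothetical names; substitute the ones used in your environment.
    const string TestGroupName = "Patch Test";
    const string RuleName = "Auto-install to test group";

    public static void Configure(IUpdateServer server)
    {
        // Resolve the test group by name. Fail instead of falling back to
        // All Computers, which would skip the testing stage entirely.
        IComputerTargetGroup testGroup = null;
        foreach (IComputerTargetGroup g in server.GetComputerTargetGroups())
            if (string.Equals(g.Name, TestGroupName, StringComparison.OrdinalIgnoreCase))
                testGroup = g;
        if (testGroup == null)
            throw new InvalidOperationException("Target group not found: " + TestGroupName);

        var groups = new ComputerTargetGroupCollection();
        groups.Add(testGroup);

        // Select only critical and security updates. Stop if neither title
        // matches rather than saving a rule with no classification filter.
        var classifications = new UpdateClassificationCollection();
        foreach (IUpdateClassification c in server.GetUpdateClassifications())
            if (string.Equals(c.Title, "Critical Updates", StringComparison.OrdinalIgnoreCase) ||
                string.Equals(c.Title, "Security Updates", StringComparison.OrdinalIgnoreCase))
                classifications.Add(c);
        if (classifications.Count == 0)
            throw new InvalidOperationException("No matching update classifications.");

        // Reuse the rule if it already exists so repeated runs do not add duplicates.
        IAutomaticUpdateApprovalRule rule = null;
        foreach (IAutomaticUpdateApprovalRule r in server.GetInstallApprovalRules())
            if (r.Name == RuleName) rule = r;
        if (rule == null)
            rule = server.CreateInstallApprovalRule(RuleName);

        rule.SetComputerTargetGroups(groups);
        rule.SetUpdateClassifications(classifications);
        rule.Enabled = true;
        rule.Save();
    }
}
```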

For information on manually approving an update, see Manually Approving Updates for Deployment.