• WSUS blocks forced patches?

    #181780

    How effective is WSUS at blocking “forced” WinX patches on a domain?

    I am very new to patch management and my boss hates WSUS. I contacted 4 patch management vendors and only one claims their solution in combination with WSUS was successful at delaying patches being forced onto client PCs. They were cautious to state “at this time” as MS may pivot at any time, which might not be in our favor.

    Perhaps I asked the wrong questions to the vendors.

    If WSUS can delay forced updates for 30 days, perhaps MS can stabilize them and we can install them post beta test on the public. My fear is that even with a “correctly configured” WSUS instance, MS can choose to ignore our defenses and force feed patch defects breaking our systems.

    Does WSUS provide adequate protection? Does a WSUS best practices guide exist? Are you happy with your current patch management add-on vendor? Is standalone WSUS enough?

    Thanks for assisting with our learning curve.

    • #181857

      Check your WSUS Automatic Approval settings. There may be a rule in there to automatically approve certain updates such as out-of-band updates.

    • #181873

      Rules of WSUS:

      Ensure that you have the policy in place to prevent dual scan. “Do not allow update deferral policies to cause scans against Windows updates”

      Do not use “no auto restart with logged on users” as that will make systems think things are active and not reboot when you want them to.

      Last but not least – don’t approve updates until you are ready to.

      Here’s a video I did that may help — https://www.youtube.com/watch?v=RrwmuSM7sxo&feature=youtu.be

       

      Susan Bradley Patch Lady/Prudent patcher

      1 user thanked author for this post.
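The checks from the two replies above, as an added example that is not part of the original posts: a PowerShell audit of a domain client for the dual-scan, WSUS-source and logged-on-user restart policies, plus a listing of automatic approval rules when run on the WSUS server. It assumes the standard Group Policy registry values under `HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate`; `Get-PolicyValue` is a helper defined here.

```powershell
# Added example: audit the Windows Update policy values discussed in this thread.
$wu = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
$au = "$wu\AU"

function Get-PolicyValue {
    param([string]$Path, [string]$Name)
    # Returns $null when the key or value is absent (policy not configured).
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -ne $item) { $item.$Name }
}

# Each check: where the value lives, and a test that is $true when the
# setting matches the advice given in the replies above.
$checks = @(
    @{ Path = $wu; Name = 'WUServer'                      # client points at a WSUS server
       Test = { param($v) -not [string]::IsNullOrEmpty($v) } }
    @{ Path = $au; Name = 'UseWUServer'                   # client actually uses that server
       Test = { param($v) $v -eq 1 } }
    @{ Path = $wu; Name = 'DisableDualScan'               # "Do not allow update deferral policies..."
       Test = { param($v) $v -eq 1 } }
    @{ Path = $au; Name = 'NoAutoRebootWithLoggedOnUsers' # should NOT be enabled
       Test = { param($v) $v -ne 1 } }
)

$results = foreach ($c in $checks) {
    $actual = Get-PolicyValue -Path $c.Path -Name $c.Name
    [pscustomobject]@{
        Setting = $c.Name
        Actual  = if ($null -eq $actual) { '(not set)' } else { $actual }
        OK      = & $c.Test $actual
    }
}
$results | Format-Table -AutoSize

# On the WSUS server itself (UpdateServices module present), list the
# automatic approval rules so an enabled rule is not approving updates for you.
if (Get-Command Get-WsusServer -ErrorAction SilentlyContinue) {
    (Get-WsusServer).GetInstallApprovalRules() |
        Select-Object Name, Enabled |
        Format-Table -AutoSize
}
```

Any row with `OK` set to `False`, or any approval rule shown as `Enabled`, is a setting to review against the advice in the replies.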
    • #183298

      Thank you Susan for this post. It seems WSUS is able to block updates, but configuration is critical.

       

      https://www.askwoody.com/2018/patch-lady-no-its-not-wsuss-fault/
