WSUS blocks forced patches?

Topic

New Reply

How effective is WSUS from blocking “forced” WinX patches on a domain?

I am very new to patch management and my boss hates WSUS. I contacted 4 patch management vendors and only one claims their solution in combination with WSUS was successful at delaying patches being forced onto client PCs. They were cautious to state “at this time” as MS may pivot at any time, which might not be in our favor.

Perhaps I asked the wrong questions to the vendors.

If WSUS can delay forced updates for 30 days, perhaps MS can stabilize them and we can install them post beta test on the public. My fear is that even with a “correctly configured” WSUS instance, MS can choose to ignore our defenses and force feed patch defects breaking our systems.

Does WSUS provide adequate protection? Does a WSUS best practices guide exist? Are you happy with your current patch management add-on vendor? Is stand along WSUS enough?

Thanks for assisting with our learning curve.

Reply | Quote

Replies

Check your WSUS Automatic Approval settings. There may be a rule in there to automatically approve certain updates such as out-of-band updates

Reply | Quote

Rules of WSUS:

Ensure that you have the policy in place to prevent dual scan. “Do not allow update deferral policies to cause scans against Windows updates”

Do not use “no auto restart with logged on users” as that will make systems think things are active and not reboot when you want them to.

Last but not least – don’t approve updates until you are ready to.

Here’s a video I did that may help — https://www.youtube.com/watch?v=RrwmuSM7sxo&feature=youtu.be

 

Susan Bradley Patch Lady

1 user thanked author for this post.

PKCano

Reply | Quote

Thank you Susan for this post. It seems WSUS is able to block updates, but configuration is critical.

 

https://www.askwoody.com/2018/patch-lady-no-its-not-wsuss-fault/

Reply | Quote