Selecting Your Test Systems
Which systems you test on depends on what you have at your disposal. If you have a true test environment, that is where you’d want to test the updates. If you don’t have one, like most small to medium-sized businesses, you will be “testing in production”; it’s not the best way, but it is much better than auto-approving all updates and finding out the next morning that no one can work and that all systems are down.
For the workstation test group, try to get at least one system from every business process (department). Try to have a good mix of applications and hardware, and if you are running multiple operating systems, include a mix of them to create a well-rounded test group. These users do not need to know that they are part of the test group, but being transparent and open is a good thing, so it is best to tell them; that way they can let you know if they have any issues.
Also, if you can, pick the NON-technical users more often than the technical ones. Why? Non-technical users are the best ones to test with because they break lots of things lots of times by not knowing what to do and playing around. Of course, have a couple of the more technical users for the advanced testing, but don’t exclude the non-technical ones. Add these computers as members of the “ACL_GPO.WSUS – Workstations & Test_Apply” group.
For servers, too, a separate test environment is best, but if you’re going to be “testing in production”, pick a few servers that are not critical to business processes (for example a CA/Subordinate CA, a print server, a KMS server, etc.) and select them for the test groups. Add these server computer objects as members of the “ACL_GPO.WSUS – Servers & Test_Apply” group.
Now all of your domain-joined computers will check these new locations for Windows Update (courtesy of the GPO at the domain root), and the appropriate policies for checking frequency, install methods, and other settings will apply at the lower levels, combining to produce a great GPO inheritance setup.
The Approvals Process
Click on the view “All Updates Except Drivers” and make sure the selected Approval is set to Unapproved with a status of Failed or Needed. This list will show you what updates you need to take care of. Select the ones you wish to approve for testing, and right click on the selection and choose Approve. On “Test – Servers” and “Test – Workstations”, select the down arrows and choose “Approved for Install”. Leave everything else as “Keep existing approvals” and click OK.
This will now download the physical update files to the WSUS Server and present them to the clients the next time they check for updates. You can monitor the download process by clicking the server name; the right column of the display has a section called “Download Status”.
Only the machines in the test groups will see the updates you’ve approved. Do your testing, whether that means actually opening applications or just installing, rebooting and waiting to hear of any issues. You may choose to wait a few days, or a week. I would seriously consider shortening your testing to a week or less, preferably less, especially on those really critical security updates.
After testing is completed, go into the “Test – Workstations” update view, select the Approval of “Approved” and the status of “Any”, and click Refresh. You will now see all updates approved for your “Test – Workstations” group. Select the updates that have passed your testing stages, right click them and click Approve.
Here is where my recommendation comes into play. I recommend that you approve these tested updates to the “All Computers” group at the top of the tree and also select “Apply to Children” or press CTRL-C. Why? You may have some ‘Servers’ that are running Windows 10, and/or other client-based systems that you’re using as servers. Also, if you decide to create more computer groups later for whatever reason, the updates will apply to those groups automatically by way of the inheritance tree. The same goes for Servers: approve to the “All Computers” group and select “Apply to Children” or press CTRL-C.
Only updates that are relevant to each individual system and ONLY those that are deemed ‘needed’ updates will be installed. You don’t have to worry about a Windows 10 update applying to a Server 2012 system because WSUS takes care of knowing what is needed and what is not.
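The same two-stage approval can be scripted with the UpdateServices PowerShell module on the WSUS server. This is an added example, not part of the original article: the soak period, the zero-failures gate and the UTC handling are assumptions, and the group names are the ones used above.

```powershell
# Added example: two-phase WSUS approval using the UpdateServices module.
# Run on the WSUS server; try it with -WhatIf first.
[CmdletBinding(SupportsShouldProcess)]
param(
    # Group names must match the WSUS console exactly (these are the article's).
    [string[]]$TestGroups = @('Test – Servers', 'Test – Workstations'),
    [string]$ProductionGroup = 'All Computers',
    [int]$SoakDays = 5,      # assumption: the article only says "a week or less"
    [switch]$Promote         # omit = approve for test groups, set = promote
)

$wsus = Get-WsusServer
$groups = @($wsus.GetComputerTargetGroups())
$test = @($groups | Where-Object { $TestGroups -contains $_.Name })
$prod = $groups | Where-Object { $_.Name -eq $ProductionGroup }
if ($test.Count -ne $TestGroups.Count -or -not $prod) { throw 'Target group not found; check the names.' }

# True when the update has an Install approval for $Group created on or before $Before.
function Test-Approved($Update, $Group, [datetime]$Before) {
    [bool]($Update.GetUpdateApprovals($Group) |
        Where-Object { $_.Action -eq 'Install' -and $_.CreationDate -le $Before })
}

if (-not $Promote) {
    # Phase 1: the "Unapproved / Failed or Needed" view, minus drivers, to test groups only.
    $pending = @(Get-WsusUpdate -UpdateServer $wsus -Approval Unapproved -Status FailedOrNeeded |
        Where-Object { $_.Classification -ne 'Drivers' })
    foreach ($name in $TestGroups) {
        $pending | Approve-WsusUpdate -Action Install -TargetGroupName $name
    }
}
else {
    # Phase 2: promote updates that every test group has had for $SoakDays days.
    $now = (Get-Date).ToUniversalTime()   # assumption: WSUS reports approval times in UTC
    $cutoff = $now.AddDays(-$SoakDays)
    $ready = @(Get-WsusUpdate -UpdateServer $wsus -Approval Approved -Status Any |
        Where-Object {
            $u = $_.Update
            # Assumed gate: no install failures reported anywhere (not from the article).
            $_.ComputersWithErrors -eq 0 -and
            -not (Test-Approved $u $prod $now) -and
            -not ($test | Where-Object { -not (Test-Approved $u $_ $cutoff) })
        })
    # Child groups without their own approval inherit this one from the parent.
    $ready | Approve-WsusUpdate -Action Install -TargetGroupName $ProductionGroup
}
```

Run it without `-Promote` to stage updates for the test groups, then with `-Promote -WhatIf` to review what would go to “All Computers” before committing; whether an update has actually passed testing remains your decision.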