Schedule the updates by classification
Microsoft and third-party software manufacturers provide critical and non-critical updates (or patches) to address bugs and vulnerabilities in the software. These updates are categorized into update classifications that separate the updates into categories based on their update type (such as security updates and service packs). You can install these updates using the Update Management Wizard.
The wizard installs the updates identified by the Windows Update Agent (WUA) as needed or critical updates. You can install Approved updates only or all updates suggested by the wizard. If you choose all needed updates regardless of approval, some WSUS configurations will only download the content of the updates for Approved Updates.
The following table describes the WSUS update classifications you can install on the managed systems. Be sure to read and understand each option before you install it on the system.
WSUS Update Classification |
Description |
---|---|
Critical Updates | Provides fixes that target critical, non-security related bugs. |
Definition Updates | Provides updates to virus and definition files. Definition databases are used to detect objects with specific attributes, such as malicious code, phishing websites, or junk e-mail. |
Drivers | Provides software components that control or regulate another device. |
Feature Packs | Provides new product functionality for the next product release. |
Security Updates | Provides a fix for a product-specific, security-related vulnerability. Security vulnerabilities are rated based on their severity, which is indicated in the Microsoft security bulletins as critical, moderate, or low. |
Service Packs | Provides a cumulative set of security updates, hotfixes, critical updates, updates, and design changes or features for a Microsoft product release. Service packs may also include customer-request design changes or features. |
Tools | Provides utilities or features that help you complete one or more tasks. |
Update Rollups | Provides a cumulative set of security updates, critical updates, hotfixes and updates in one package. Update rollups generally target a specific area in the operating system. |
Updates | Provides fixes that address non-critical, non-security related bugs. |
See the Microsoft Docs website for details about the latest Microsoft security updates.
Exclusive updates (such as such as Microsoft Windows service packs, Microsoft .NET service packs, and updates to the Component-Based Servicing stack) must be installed outside of a batch update. See Patch Manager Update Management Task fails due to an exclusive update for details.
- Log in to the Patch Manager Administrator Console as an administrator.
-
In the navigation pane, expand Enterprise and select Computers and Groups or Managed Computers.
The Computers and Groups node displays all systems and servers managed by the Group Policy (GPO) or Windows Update local policy management. The Managed Computers node displays all inventoried systems in the corporate network.
- Locate and select the node that contains the systems you want to update.
-
In the Actions column, click Update Management Wizard.
-
Select the update management selection type that includes the update classifications you want to include in the rule, and click Next.
All Windows updates must be approved before they can be downloaded to the WSUS server.
For example, if you want to publish only security and critical updates to the managed systems, select one of these management rules:
- Download and install all needed and approved security and critical updates
- Download and install all needed security and critical updates
If you want to publish all needed updates to the managed systems, select one of these management rules:
- Download and install all needed approved updates
- Download and install all needed updates
Update Management Type Included Update Classifications Download and install all needed and approved security and critical updates Critical Updates and Security Updates Download and install all needed approved updates
Application Updates, Critical Updates, Definition Updates, Drivers, Feature Packs, Security Updates, Service Packs, Tools, Update Rollups, and Updates.
Download and install all needed security and critical updates Critical Updates and Security Updates Download and install all needed updates
Application Updates, Critical Updates, Definition Updates, Drivers, Feature Packs, Security Updates, Service Packs, Tools, Update Rollups, and Updates.
Load existing update management rules Includes one or two management selection types in the rule. You can choose:
- All Needed and Approved Security and Critical Updates
- All Needed and Approved Updates
- All Needed Security and Critical Updates
- All needed Updates
Create custom dynamic update management rules Allows you to add one of the following rules:
- Title rule
- Security Bulletin Rule
- KB Article Rule
- Classifications Rule
- Product Rule
-
Review the classifications, make any changes as required, and then click Next.
In this example, the Security Updates and Critical Updates classifications display because they are included with the selected update management type.
You can add or delete a rule, change a rule, or modify this list and save it to a template that you can apply to another computer group, domain, or workgroup.
-
Select the pre- and post-update tasks to execute before and after the updates are installed.
If you select a reboot for either option, you can set a grace period before the targeted computers automatically reboot and install the updates.
The maximum grace period is 1440 seconds (24 hours). Be sure to provide ample time for all users to complete their critical tasks and log off before their computers automatically reboot. -
Complete the Approval and Advanced options, and click Finish.
The following option is selected by default:
If an exclusive update is matched, fail the installation process
.An Exclusive update is an update that must be installed individually, outside of a batch of other updates. Typically this includes updates such as operating system service packs, .NET Framework service packs and redistributables, and updates to the Component-Based Servicing Stack.
SolarWinds recommends selecting Ignore exclusive updates when matched and install updates. After you finish creating your scheduled update, schedule a second update that only installs the exclusive updates.
-
If prompted, select the domain or group that hosts the manage systems. For example,
WORKGROUP
. -
In the center window, select one or more systems to include in the task, and click OK.
- Click Next to continue.
-
Enter a name and description for the task.
- Select Schedule the task to run daily, weekly, or monthly in the Schedule Settings box, and click Edit.
-
Select a start time and date. Select Universal Time to select Greenwich Mean Time.
-
Select how often the task should run in the assigned department or group.
-
Select how often the task should reoccur, and click OK.
SolarWinds recommends setting the Range of recurrence to No end data to ensure the managed systems receive the latest software updates.
The selected settings display in the wizard.
-
Complete the Task Options Wizard, and click Finish.
The Task Wizard displays a schedule summary.
-
In the SolarWinds Patch Manager menu, expand Administration and reporting and select Scheduled Tasks.
- Verify that the task name displays in the Scheduled Task window.
See Update Management task failing due to an Exclusive Update if the Update Management Wizard fails due to an exclusive update.