WSUS Smart Approve Documentation

Introduction.
Downloading WSUS Smart Approve.
Configuring WSUS Smart Approve.
1. Configuring the XML file.
2. Configuring a scheduled task.
Working with the source code
Contributing to the documentation
Project history
1. Implemented.
2. Road Map.
Credits

Introduction

WSUS Smart Approve is a tool for Microsoft Windows Server Update Service. Its purpose to approve updates as they are detected as being needed. The reason for this approach is for IT departments that want to deploy all needed updates automatically, but don't want to download every single update off Microsoft as they now pass (as of March 2009) 40GB across 26k updates in the English language alone!

Only a small portion of these will ever be needed, so allowing a machine to report what updates it is lacking and then approving them is a better use of disk space, bandwidth and time. Usually this approach would require someone to periodically check the WSUS administration control panel and approve downloads. This tool removes the need for this by automating this checking process.

This tool has been tested with WSUS 3.0 (all service packs) and Microsoft System Center Essentials 2010.

Downloading WSUS Smart Approve

If you downloaded the WSUS Smart Approve from somewhere other than the Codeplex project please check your download. There are various mirrors on advert driven download sites who are hosting a copy without our involvement, due to the license they're not required to get our permission. Codeplex is the only site where we have control of the contents of the download, we can not guarantee modifications, malicious or otherwise have not been carried out on these mirrors.

WSUS Smart Approve is available from CodePlex.

Configuring WSUS Smart Approve.

WSUS Smart Approve is a console application that is intended to be run on a regular basis, i.e. as a scheduled task. The more frequently it is run, the less time there will be between an update being reported as needed, and it being approved for download.

In order to carry out these tasks you need to have administrator access. The login which you choose to run WSUS Smart Approve under must have administrator access. You can add an account to your domain specifically for this tool, for now I will leave a search engine as your source for instructions on how to do this.

Configuring WSUS.

WSUS needs to be set to detect all the classifications and products you wish to be approved. A pre-exisiting WSUS setup will most likely already be set to do this, you just need to stop it automatically approving everything.

Open the WSUS MMC Console
Navigate to Update Services -> %SERVER NAME% -> Options
Ensure you have chosen the Products and Classifications that you want detected
Choose the Automatic Approvals option
Edit the Default Automatic Approval Rule and any other rule which may exist
Untick any type of update you do not want to be automatically downloaded
Note: If you just want to detect everything and not approve them automatically you want to delete the default rule (as it must have 1 option chosen at all times), this decision is down to you.

Configuring the XML file.

Below is the default settings. These apply updates to all machines that need them, will approve stale updates, and approve any update that needs a license agreement.

Note: WSUS can be set to approve stale updates, the only stale updates it won't approve are those requiring a License Agreement.


	<?xml version="1.0" encoding="utf-8" ?>
	<configuration>
		<configSections>
			<section name="ApplicationSettings" type="SmartApprove.Model.ApplicationSettings, smartapprove, Version=1.0.0.5" />
		</configSections>
		<ApplicationSettings>
			<Server Hostname="localhost" Port="8530" Secure="false" />
			<NoRunSet AcceptLicenseAgreement="true" ApproveStaleUpdates="true" ApproveSupersededUpdates="true" ApproveNeededUpdates="true" />
		</ApplicationSettings>
	</configuration>

For a more complex setup you can base your config upon:


	<?xml version="1.0" encoding="utf-8" ?>
	<configuration>
		<configSections>
			<section name="ApplicationSettings" type="SmartApprove.Model.ApplicationSettings, smartapprove, Version=1.0.0.5" />
		</configSections>
		<ApplicationSettings>
			<Server Hostname="localhost" Port="8530" Secure="false" />
			<NoRunSet AcceptLicenseAgreement="true" ApproveStaleUpdates="true" ApproveSupersededUpdates="true" ApproveNeededUpdates="true" />
			<RunSets>
				<add Name="Normal">
					<TargetGroups>
						<!-- All Computers -->
						<add Guid="a0a08746-4dbe-4a37-9adf-9e7652c0b421">
							<Classifications>
								<!-- Critical Updates -->
								<add Guid="e6cf1350-c01b-414d-a61f-263d14d133b4" AcceptLicenseAgreement="true" ApproveStaleUpdates="true" ApproveSupersededUpdates="false" ApproveNeededUpdates="true">
									<Products>
										<!-- Windows -->
										<add Guid="6964aab4-c5b5-43bd-a17d-ffb4346a8e1d" />
									</Products>
								</add>
							</Classifications>
						</add>
					</TargetGroups>
				</add>
			</RunSets>
		</ApplicationSettings>
	</configuration>

Server

Server lets you specify the connection settings for a server, so you can connect to a remote or local instance of WSUS.

Argument Name	Type	Description
Hostname	string	name of the server to connect to
Port	unsigned int	port to connect to
Secure	boolean	whether to use SSL or not

NoRunSet

This is run when you don't specify a /norunset on the command line. This follows the "apply to all" approach of V1.0.0.0, the difference being that you can specify what is applied.

Argument Name	Type	Description
AcceptLicenseAgreement	Boolean	Whether to accept a license agreement. If you set this to false and an update needs a license accepting first, it won't be approved.
ApproveStaleUpdates	Boolean	Whether to approve new revisions of already approved updates.
ApproveSupersededUpdates	Boolean	Whether to approve an update that replaces a previous update, that has already been approved.
ApproveNeededUpdates	Boolean	Approve updates that are reported as needed.

RunSets

New to V1.0.0.1 is the ability to specify a runset via the command line. This allows you to set up approval settings that can be run at different times (For example if you only want to check for a specific target group, or a certain type of update)

Arguement Name	Type	Description
Name	String	Name of a runset.

TargetGroups

TargetGroups are the TargetGroups defined in WSUS, the config requires a GUID which can be obtained by the ListGuids tool.

Classifications

Classifications match the Classifications defined in WSUS, the config requires a GUID which can be obtained by the ListGuids tool. It also takes the same 4 arguments regarding the approval of updates.

Arguement Name	Type	Description
AcceptLicenseAgreement	Boolean	Whether to accept a license agreement . If you set this to false and an update needs a license accepting first, it won't be approved.
ApproveStaleUpdates	Boolean	Whether to approve new revisions of already approved updates
ApproveSupersededUpdates	Boolean	Whether to approve an update that replaces a previous update, that has already been approved.
ApproveNeededUpdates	Boolean	Approve updates that are reported as needed.

Products (new in V1.0.0.2)

Products match the Product Categories defined in WSUS, the config requires a GUID which can be obtained by the ListGuids tool. If the products section is missing the classification rules will be applied to ALL products.

Working out the command line.

The command line depends on how you have configured the XML config. If you wish to use the no runset approach you use the command:

SmartApprove.exe /norunset

If you wish to use the runset approach the command is

SmartApprove.exe /runset "name"

If the name of the runset contains a space it *must* be surrounded by quotes.

If you wish to see how your configuration will be applied, without actually applying changes you can use the test mode which is as simple as adding /test onto the relevant command like so:

SmartApprove.exe /norunset /test SmartApprove.exe /runset "name" /test

Configuring a scheduled task.

Navigate to Control Panel -> Administrative Tools -> Task Scheduler (On Windows Server 2003 and earlier the path is Control Panel -> Scheduled Tasks).
Choose *Add Scheduled Task*
Browse to the application and select it (SmartApprove.exe)
Add the relevant arguements described above
Initially choose Daily, as we are going to edit this
Stick with the default times (for now)
Choose the login you wish to run this with, it must have administrator access in order to work with WSUS.
Choose *Open advanced properties for this task when i click Finish*
Decide how often you want to have the tool run, say every 3 hours from 0600 (or a custom pattern of just after people get to work, lunchtime and just after they leave ;))

Using multiple schedules

Change the start time to 06:00
Check *Show multiple schedules*
Click the *New* button
Set a schedule of Daily and a time of 09:00
Repeat the addition for 12:00, 15:00, 18:00, 21:00, 00:00 and 03:00

Using a single schedule

Alternatively you can use a single schedule.
Set the initial time of say 06:00.
Click advanced.
Check *Repeat task*.
Choose a repeat interval, for example every 3 hours.
Set a duration of 23:55.

Working with the source code.

Contributing to the documentation.

Contributions to the documentation are more than welcome, and the process is designed to be as simple as possible.

Fork the documentation.

See the github help page for instructions on how to create a fork.

Write desired content.

Use your preffered method for carrying out work.

Send a pull request.

See the github help page for instructions on how to send pull requests

Project History.

For a more detailed history you can view the source code changesets on codeplex.

V1.0.2 (17 March 2013)

Fixed backward compatability issue between WSUS 3.1 and Windows Server 2012 RSAT tools.

V1.0.1 (10 March 2013

Addition of contribution: Copy approvals between targetgroups.
removed update scope filter on previously approved items, as it's stopping new target groups getting needed approvals.

V1.0.0.5 (28 January 2012)

Declined updates are no longer approved if they have a history of being needed.
Changed the way the config file is checked for detecting AllClassifications or ProductClassification inside a runset.

V1.0.0.4 (23 January 2012)

Fix: Listguids crashing with Unauthorised access exception.
Fix: version strings and assembly information was wrong.

V1.0.0.3 (22 January 2012)

Fix: problem where approved update name's still aren't appearing in console.
Fix: Creating Install for Update that doesn't support install.

V1.0.0.2 (22 March 2010)

Fix: Update name no longer displayed in console.
Fix: Stale Updates and Superseded logic now correctly filters by Classification (was applying all classifications regardless of config settings).
New: create installer.
New: Allow approval rules for specific product.
Fix: Listguids and SmartApprove now check the user has the necessary permissions on WSUS.

V1.0.0.1 (12 October 2009)

feature: Added XML Config schema.
feature: Ability to specify the server to connect to in the XML config.
feature: Ability to specify runsets.
feature: Added Command Line option for specifying which runset to perform.
feature: Ability to specify rules for target groups and classifications.
feature: Option to accept license agreements.
feature: Option to automatically approve superseded updates of previously approved updates.
feature: Option to automatically approve stale updates (designed to work alongside or replace the existing WSUS option as it can be used in conjunction with the license agreement option).
feature: Test mode. Shows changes that would take place without actually doing them.
feature: addition of ListGuids tool to aid in setting up the app.config.
ui: now displays header.
ui: now shows help listing when using /?.

V1.0.0.0 (19 May 2009)

Initial Release.

Road Map.

V1.1.0

Ability to specify the minimum age of an update.

Credits.

Main Project

David Vreony: Primary Development.
Petr Herzig: Feedback on more complex approval groups.
jeddytier4: Contribution on copying between target groups.
Yasufumi Shiraishi: Original author of the copying between target groups logic.

Documentation Site