I know there’s a risk in telling you to delay deploying updates for 1 month. Some think that means switching to manual approval – and that is an oxymoron because manual approval rarely happens. No; I would rather see large enterprises use a model that automatically deploys updates after delaying them for 1 month, just as you can do with System Center 2012 (R2) Configuration Manager (SCCM).

I’m going to refer you to the excellent guides by SCCM MVP, Niall C. Brady. SCCM uses WSUS to download the Windows Catalog. When I configure SCCM I configure WSUS to automatically sync and to automatically supersede updates. That means if Microsoft releases a replacement update, the old version is automatically replaced. That’s important so keep that in mind when reading the rest of the solution.

I will configure automatic deployment rules (ADRs) for each product. The ADR will be set up as follows:

  • Software Available Time: Set this to something like 21 days. That means that SCCM will hold back any applicable update for 3 weeks. That gives Microsoft lots of time to fix an update and the replacement will supersede the dodgy update.
  • Installation Deadline: With this set to 7 days, we have 4 weeks before updates are pushed out … and that’s assuming that we haven’t applied maintenance windows to any collections (servers, VMs, call centre PCs, etc) that might further delay the deployment.
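As an added example (not the article’s own code), here is the same two-step ADR built with the ConfigurationManager PowerShell module that ships with the ConfigMgr console; the site code, collection names and deployment package name are placeholders you replace with your own, and the parameter names should be checked against the module version you have installed.

```powershell
# Added example, not from the original article. Creates one ADR per product with
# the 21-day Software Available Time and 7-day Installation Deadline described above.
# Assumes the ConfigurationManager module from the ConfigMgr console is installed.
Import-Module "$($env:SMS_ADMIN_UI_PATH)\..\ConfigurationManager.psd1"
Set-Location 'PS1:'   # placeholder site code drive, replace with your own

# Placeholder product/collection pairs; the collections must already exist.
$products = @(
    @{ Name = 'Windows Server 2012 R2'; Collection = 'Servers - Windows Server 2012 R2' },
    @{ Name = 'Windows 8.1';            Collection = 'Workstations - Windows 8.1' }
)

foreach ($p in $products) {
    $adr = @{
        Name                            = "ADR - $($p.Name) - 21 day hold"
        CollectionName                  = $p.Collection
        DeploymentPackageName           = 'Updates - Delayed Deployment'   # placeholder, must exist
        AddToExistingSoftwareUpdateGroup = $true
        # Re-evaluate after every software update point sync so a replacement
        # update supersedes the original before the hold expires.
        RunType                         = 'RunTheRuleAfterAnySoftwareUpdatePointSynchronization'
        Product                         = $p.Name
        UpdateClassification            = 'Critical Updates', 'Security Updates'
        DateReleasedOrRevised           = 'Last1Month'
        Superseded                      = $false   # never deploy an update Microsoft has replaced
        AvailableImmediately            = $false
        AvailableTime                   = 21        # hold the update back for 3 weeks
        AvailableTimeUnit               = 'Days'
        DeadlineImmediately             = $false
        DeadlineTime                    = 7         # then a further week before it is enforced
        DeadlineTimeUnit                = 'Days'
        EnabledAfterCreate              = $false    # review the rule in the console, then enable it
    }
    New-CMSoftwareUpdateAutoDeploymentRule @adr
}
```

Maintenance windows on the target collections still apply on top of the deadline, so the real install date can be later than the four weeks the rule itself imposes.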


With the above configuration, the dodgy August updates would not have been deployed to PCs or servers on your network. Instead, a tested and fixed update would be released to supersede them, and SCCM would sit on that replacement and automatically approve it at a later date.

BTW, I do a similar thing with Endpoint Protection updates by delaying approval for 4 hours with immediate deployment.

I don’t know of a method for accomplishing this in Windows Intune – I’d like to see it. The same goes for WSUS, but a commenter suggested using cmdlets from this site for WSUS to write a script; I’d rather see a clean solution from Microsoft similar to what we have in ConfigMgr but less granular.

5 comments so far

  1. For WSUS, I’m simply using GPOs. I have WMI Filters for i.e. First Friday, Second Tuesday, etc. I then create two GPOs on top of each other (in same OU). 1st one is applying WSUS settings to only download, second to download and install, using the desired WMI filter… Click the OU and make sure download is listed UNDER the download & install one. This way, you just have created “Schedulable GPOs”, also handy for other use-cases. Create similar GPOs in desired OUs to have different policies throughout your domain. I even use a 3rd GPO on top of the above two which only downloads, but then have security not set to authenticated users, but certain Computers only. That way you can again override the above default, just for certain systems in the domain. Combined with client side targeting and proper groupings in WSUS provides a very solid and flexible alternative…

  2. Simple, but good approach. I’ll think about adapting my ADRs to reflect this. Thanks a lot!

  3. This tip is the bomb. Thanks!

  4. It’s a nice idea .. but you leave yourself exposed to potential threats for the month that the machines remain unpatched?!

    • As I said, the bigger threat of outages comes from the dodgy patches.
