How to get Defender updates to auto update

The ingredients to get Windows Defender updates to auto update are to first upgrade your WSUS 2.0 to WSUS 3.0.  You will then have the ability to set a rule to auto approve ONE category while leaving your R2 console settings exactly as is.

I have mine set to offer them up to me in the R2 console but not auto approve … Now with WSUS 3.0, however, while I can say HA! to SQL 2005 SP2 and still not approve it (I don’t rush on service packs… I hate them.. I’ve always hated them… I only install them when I’m good and ready and I’m not ready), I can set up a rule in WSUS 3.0 to auto approve Defender updates.

See those below?  I didn’t approve those.  They were done automagically with my rule while leaving those other patches for ME to decide when to patch.  (We may call it Patch Tuesday, but I don’t deploy patches until the weekend unless I have some unique reason otherwise)

Okay so the first step is to go into the automatic approvals section and DON’T TOUCH THAT FIRST UPDATE RULE.  Consider that like it’s the movie Poltergeist or something and “don’t go into the light” and don’t touch it.  It’s one of the rules needed for R2’s magic so just leave it alone.  Set up a new rule, calling it Def Update or something.

Choose the category you want to get auto approval (obviously definition updates).


And then choose the computers that will be impacted by this rule – all of ’em.


Now there’s a bit of a good news/bad news here.  IMF updates for Exchange 2003 are deemed to be update rollups as they ‘bounce’ Exchange but don’t bounce the box (Bounce is my slang for rebooting services or the server).  Update rollups also included those DST updates earlier in the year that DID reboot the box.  So if you make a rule that auto approves update rollups be aware that you may end up with a situation where the box gets auto rebooted. 

I don’t like that as I like to reboot the box when I want to.  So consider that and weigh the pros and cons of your custom rules sets accordingly.

But bottom line.. with WSUS 3.0 Defender updates can be set to auto approve.
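
The same rule can also be created from PowerShell through the WSUS 3.0 administration API. This is an added example, not part of the original post: it assumes an English-language WSUS 3.0 server (classification titles "Definition Updates" and "Update Rollups"), is run on the server as a WSUS administrator, and uses the rule name "Def Update" suggested above. It never modifies existing rules, and it finishes by listing every rule and flagging any enabled one that could auto-approve update rollups.

```powershell
# Added example: run locally on the WSUS 3.0 server as a WSUS administrator.
[void][Reflection.Assembly]::LoadWithPartialName('Microsoft.UpdateServices.Administration')
$wsus = [Microsoft.UpdateServices.Administration.AdminProxy]::GetUpdateServer()

$ruleName = 'Def Update'   # rule name suggested in the post

# Select only the "Definition Updates" classification (English title assumed).
$defs = New-Object Microsoft.UpdateServices.Administration.UpdateClassificationCollection
$wsus.GetUpdateClassifications() |
    Where-Object { $_.Title -eq 'Definition Updates' } |
    ForEach-Object { [void]$defs.Add($_) }
if ($defs.Count -ne 1) {
    throw "Expected exactly one 'Definition Updates' classification, found $($defs.Count)"
}

# Target the built-in All Computers group.
$groups = New-Object Microsoft.UpdateServices.Administration.ComputerTargetGroupCollection
[void]$groups.Add($wsus.GetComputerTargetGroup(
    [Microsoft.UpdateServices.Administration.ComputerTargetGroupId]::AllComputers))

# Create the rule only if it does not exist yet; existing rules are left alone.
$existing = $wsus.GetInstallApprovalRules() | Where-Object { $_.Name -eq $ruleName }
if (-not $existing) {
    $rule = $wsus.CreateInstallApprovalRule($ruleName)
    $rule.SetUpdateClassifications($defs)
    $rule.SetComputerTargetGroups($groups)
    $rule.Enabled = $true
    $rule.Save()
}

# Audit: list every rule and flag enabled ones that can approve update rollups.
# A rule with no classification filter is flagged too, on the assumption that
# it is not limited to any particular classification.
foreach ($r in $wsus.GetInstallApprovalRules()) {
    $titles = @($r.GetUpdateClassifications() | ForEach-Object { $_.Title })
    if ($r.Enabled -and ($titles.Count -eq 0 -or $titles -contains 'Update Rollups')) {
        Write-Warning "Rule '$($r.Name)' can auto-approve Update Rollups (possible service restart or reboot)."
    }
    '{0,-30} enabled={1} classifications={2}' -f $r.Name, $r.Enabled, ($titles -join ', ')
}
```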
