This script will:

• Automatically approve the updates that SUS downloads, including updates that have been unapproved and re-released updates.
• Send you an email listing the newly approved updates
• Backup your previous autoupdates.txt

You may ask why would you want to put out untried and tested updates?, well I have to assume that Microsoft have tested the critical updates thoroughly, and in my environment we have never as yet had an application have an adverse effect to a critical update and in any case you will always get them eventually in a service pack of OS upgrade. We also do not have the time or staff to worry about testing the updates with all our software, or to manage yet another server! (3 of us support 70 servers) this script allows the sus server to approve and distribute the updates as soon as possible, especially in these times of blaster, my view is that critical updates should be on machines as soon as possible.

It has been tested on SUS server 1.0 SP1 (1.0.3630.2552).

(Right click and select save target as)

Autoapproveupdates.vbs [v0.7]

'v0.7 26/04/05 - Chris de Vidal <Chris at deVidal dot tv> - No W2K SP4, changed exclude logic a bit

'v0.6 10/04/05 - Stuart Hedges - No W2k3sp1

'v0.5 13/11/04 - SG: Added CDonts option and SP2 bypass

'v0.4 23/11/03 - SG: updated to use Jmail (free from http://www.dimac.net/) instead of CDO.

v0.3 18/11/03 - New functionalities (Thibault.LeMeur at supelec dot fr)
- Backups the old ApprovedItems.txt to "ApprovedItems_backup.txt"
- Parses the new approved patches names and send a summary email

v0.2 07/08/03 - SG: updated to add ",2@|" for new updates

v0.1 07/08/03 - Steven Gill (gillsr at iee dot org)

After downloading the vbs file, place it on your SUS server (I usually use c:\)

You have the option of using Jmail or the windows CDOnts mail components, by default it uses JMail since I find this more reliable and you have to install Jmail (free from www.dimac.net) on your sus server.

Set the script options:

Open autoapproveupdates.vbs in notepad and edit the setup section which looks like this:

''Use default C on local machine
strSUSpath = "C:"

You will usually not have to change the SUSPath unless you have installed InetPub on a different Drive (it does not matter where the updates are stored)

''Uncomment the line below and insert your server name if you want to run remotely
''strSUSpath = "\\Installsvr\c$"

It is possible to run the script on a machine other than the SUS server, just set the path here to the drive where the InenetPub directory is and later make sure the scheduled task user has privilages.

'' If true will not approve XP SP2
nosp2 = false

Change this to nosp2 = true to not approve XP SP2 automatically (New for 0.5)

'' If true will not approve Windows Server 2003 Service Pack 1
noWS03SP1 = false

Change this to noWS03SP1 = true to not approve Windows Server 2003 Service Pack 1 automatically (New for 0.6)

'' If false will use CDonts
usejmail = true

Change this to usejmail = false to use CDonts instead of JMail

'' Email configuration
EmailDstName = "admin@company.com"
EmailReplyToName = "sus@company.com"
EmailSrvName = "smtp.company.com"

change the email fields with relevent addresses for your organisation

Set the scheduled task:

Then set up a scheduled task on the server (control panel>scheduled tasks), right click and select add new task (rather than using the wizard) give it a sensible name such as "Approve SUS Updates" then edit the task.

Set the run box to the command line: "cscript c:\autoapproveupdates.vbs"

Leave the "start in" folder blank, but set the run as account to an account that has write access to the SUS files and the password is unlikely to change, you could set up a service account just for this purpose if you wanted or use the local administrator account.

Set the schedule to run say an hour or two depending on your connection speed after your SUS server is set to download updates.

Just to make sure the script should run ok, open a command prompt and then type "cscript c:\autoapproveupdates.vbs", and check for any error messages, if you see any the schedule will probably not work either, just check paths and permissions, these are the most likely causes of errors.

SUS stores it's database of updates in a dictionary object, that is serialised to a unicode text file called "approvedupdates.txt" in "c:\inetpub\wwwroot\autoupdate\dictionaries".

The script reads this file, converts it from unicode to 8 bit, each update has a record that looks like:

com_microsoft.q311889_xp_5081,1@|0@|0@|2003-08-01T15:06:35

The first "1" after the description and comma denotes the status of the update, 0= unapproved, 1 = approved, 2 = new, etc

So a simple search and replace on this field updates SUS's database with new status information, bypassing the manual process.

SUS's Service that does all the hard work will then read and update this file (converting it back to unicode) when it next does an syncronisation with the windows update servers.

You will be glad to know that the auto approval functionality will now be incorporated into the next version of SUS called WSUS.

This is how it appears in WSUS RC, and it is very configurable!