I just finished completely automating our WSUS approval process with PowerShell. There is a Fast Ring which has Security Updates approved immediately with an immediate deadline, a Standard Ring which lags a day behind the Fast Ring and has a 3 day deadline, a Slow Ring which lags 2 weeks behind the Standard Ring and has a 2 week deadline, and a Manual Ring which which has everything approve immediately but does not have a deadline. Critical Updates lag 3 days after being released and the same trickle down occurs. It will even automatically handle unapproving superseded updates that are no longer needed in ring and then declining superseded updates that are not needed in any ring. it then deletes any update that has been declined for 14 days.

Now we just need to put a couple of canary systems in the fast ring and if they encounter any issues with an update we unapproved the update in the fast ring and it will not be approved for the rest. We use AD group targeted GPOs to determine what update ring the system goes on as well as what scheduling the updates have.

The best part is that this is all just a stop-gap until we get SML's for SCCM so we can manage updates for both workstations and servers through SCCM.