As you probably know, it is now not possible to pick and choose specific updates to approve or decline in WSUS for older Windows operating systems. For servers, generally speaking there are now only two types: a roll up for the month's security updates, and a comprehensive rollup that includes all security and "quality" updates.
For servers, I am only interested in evaluating and approving security updates, and I will decline all "quality" updates. However, quality and security updates seem to be lumped together under the same class and MSRC classification categories. The only way to distinguish between the two appears to be the the update title itself (i.e. whether or not the update title includes "quality" or not).
Because the names of the quality and security updates are very similar, and there is no easy way that I can see to completely separate them each other in the WSUS view, I am afraid that eventually either I or somebody else will get careless and approve a quality update by mistake. The best way to alleviate the problem is to simply automatically decline all quality updates.
Does anybody know how to do this? An alternative solution could be to find a view in WSUS that makes it easier to discern between quality and security updates, or not having server quality updates show up in WSUS in the first place.
The WSUS server is Windows 2008 R2 and WSUS version is 3.2.7600.226.
This powershell script can be used to automatically block all new quality updates in WSUS. It must be run directly on the WSUS server. As far as how the script works, first the script searches for non-approved installable updates with the word "quality" in the title. If any such updates are found they are listed, and user is given the option to proceed and block the updates, or not, via an input prompt.
If you want to decline quality updates automatically, run a slightly modified version of the above script as a windows task.
NOTE: I write the above script with some help from Boe Prox's great WSUS powershell scripting tutorial.