WSUS - Cleanup

    Question

  • Scenario:

    Installed WSUS a long time ago and never maintained it.

    Came back to it recently and approved all updates for all computers (1000s of updates in the database.) - including superseded updates. Not all of these updates install (I suspect only the most recent version of an update installs?).

    This means the client status is incorrect - clients report numerous "needed" updates when in fact they are actually up-to-date.

    I wish to tidy this up.

    Going through all the updates one by one and deleting superseded ones isn't an option - too time consuming.

    My options are:

    1. Delete the current WSUS database and re-sync - will this ensure no superseded updates are downloaded on the initial sync? i.e. only the most recent versions. Allowing me to start from the scratch and stay on top of it this time.

    2. Run the WSUS server cleanup tools - in my case I don't think they will achieve my end goal i.e. to have an up to date database, with no superseded updates and clients reporting accurately.

    3. Filter "All Updates" on the superseded column, delete ALL updates that are superseded and only retain the most recent versions of updates.

    In cases 1 and 3 my hope is that when clients report against the WSUS after this they will rectify their status and report accurately.

    Opinions please...

    Sunday, July 07, 2013 10:13 PM

All replies

  • > Not all of these updates install (I suspect only the most recent version of an update installs?).

    Correct.

    > This means the client status is incorrect - clients report numerous "needed" updates when in fact they are actually up-to-date.

    Nope. The client status is accurate as reported. If there are updates reported as "Needed" that means either that update, or one that supersedes it is NOT installed yet.

    > Going through all the updates one by one and deleting superseded ones isn't an option

    And yet, DECLINING the superseded updates is exactly what is required. The fact that it is "too time consuming" is merely a perception of the process required as a result of the manifestation of the procrastination from not doing it when it should have been done. :-)

    In this article on PatchZone I talk about a SIMPLE process for addressing this situation.

    > 3. Filter "All Updates" on the superseded column, delete ALL updates that are superseded and only retain the most recent versions of updates.

    This is essentially the process, except that you misuse the term "delete" (which is not possible from the console) for the operation "decline" which is the appropriate and correct operation in this instance.


    Lawrence Garvin, M.S., MCITP:EA, MCDBA, MCSA
    SolarWinds Head Geek
    Microsoft MVP - Software Packaging, Deployment & Servicing (2005-2013)
    My MVP Profile: http://mvp.support.microsoft.com/profile/Lawrence.Garvin
    http://www.solarwinds.com/gotmicrosoft
    The views expressed on this post are mine and do not necessarily reflect the views of SolarWinds.


    Monday, July 08, 2013 1:59 AM
  • Ok...I read the article and have taken your notes on board.

    I still have a query though. You said:

    > Nope. The client status is accurate as reported. If there are updates reported as "Needed" that means either that update, or one that supersedes it is NOT installed yet.

    So, does this mean that if I delete the superseded updates the clients reporting will eventually be precise? You say that this means an update OR a superseded update is not installed yet...

    If I approve 3 versions of the same update together i.e. Update 1a and 1b and 1c for all computers (1a is superseded by 1b, 1b is superseded by 1c):

    1. Will only 1c be installed?

    2. Will the client report as 1 update installed, 2 updates needed?

    3. Will declining the superseded updates (1a and 1b) rectify the problem?

    4. If the answer to 3 is yes, then why does it matter what percentage of machines have superseded updates installed when doing the filter...i.e. should I not just simply decline ALL superseded updates at this stage, and then only the most recent updates will be installed. (i.e. an update isn't dependent on a superseded being installed already).

    Monday, July 08, 2013 9:13 AM
  • > I still have a query though. You said:

    > > Nope. The client status is accurate as reported. If there are updates reported as "Needed" that means either that update, or one that supersedes it is NOT installed yet.

    > So, does this mean that if I delete the superseded updates the clients reporting will eventually be precise?

    Not necessarily. DECLINING the superseded updates merely removes the reporting of them as Needed (which is why the article explicitly states you should only decline superseded updates that are reported as 100% Installed/NotApplicable). A superseded update reported as Needed means that the newer update is not yet installed -- possibly because it is not yet approved, or maybe not yet downloaded to the WSUS server. Whatever the reason, it's missing from the client and that's the condition that requires remediation.

    > You say that this means an update OR a superseded update is not installed yet...

    > If I approve 3 versions of the same update together i.e. Update 1a and 1b and 1c for all computers (1a is superseded by 1b, 1b is superseded by 1c):

    > 1. Will only 1c be installed?

    Yes. The WUAgent ignores superseded updates for purposes of download/install, but it still reports state on those updates, initially "Needed" (because they are not installed), or possibly "Installed" for any that are (and "Not Applicable" for the superseded updates once the newer update has been installed).

    Once the latest update (1c in your example) is installed, then 1a and 1b will be reported as "NotApplicable". If 1b were to be installed, 1a would be reported as Not Applicable, 1b as Installed, and 1c as Needed.

    > 3. Will declining the superseded updates (1a and 1b) rectify the problem?

    No. The problem is not that the superseded updates are still reported as "Needed" ... that's critically important evidence of the actual problem. The actual problem is that some other newer update is NOT installed, maybe not even approved (or maybe not yet downloaded to the WSUS server after being approved).

    > why does it matter what percentage of machines have superseded updates installed when doing the filter

    Because the fact that there IS a superseded update reported as "Needed" is a critical indicator that some other update (the one that supersedes the superseded update) is NOT installed, and that problem needs to be remediated. Once all of the current updates are installed, then the superseded updates will be reported as "Not Applicable", and the 100% Installed/Not Applicable state is a Healthy Indicator ... and is what triggers the knowledge that declining the superseded updates is now an appropriate action to take.


    Lawrence Garvin, M.S., MCITP:EA, MCDBA, MCSA

    • Marked as answer by UgTI Tuesday, July 09, 2013 8:31 AM
    Monday, July 08, 2013 10:10 PM
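
The rule in the answer above (decline a superseded update only once it reports 100% Installed/NotApplicable, and treat any other state as a pointer to a newer update that is missing) can be checked from PowerShell on the WSUS server. This is an added example, not code from the thread or from the PatchZone article; the `-Decline` switch and the output column names are this example's own, and it assumes the WSUS administration assembly is installed locally.

```powershell
# Added example: audits superseded updates; changes nothing unless -Decline is given.
param([switch]$Decline)   # -Decline is this example's own switch name (assumption)

[void][Reflection.Assembly]::LoadWithPartialName('Microsoft.UpdateServices.Administration')
$wsus  = [Microsoft.UpdateServices.Administration.AdminProxy]::GetUpdateServer()
$scope = New-Object Microsoft.UpdateServices.Administration.ComputerTargetScope   # all computers
$newer = [Microsoft.UpdateServices.Administration.UpdateRelationship]::UpdatesThatSupersedeThisUpdate

$report = foreach ($u in $wsus.GetUpdates()) {
    if (-not $u.IsSuperseded -or $u.IsDeclined) { continue }

    $s = $u.GetSummary($scope)
    # Conservative reading of "100% Installed/NotApplicable": any client in another
    # state (needed, failed, pending reboot, or never reported) blocks the decline.
    $outstanding = $s.NotInstalledCount + $s.DownloadedCount +
                   $s.InstalledPendingRebootCount + $s.FailedCount + $s.UnknownCount

    if ($outstanding -eq 0) {
        $action = 'SafeToDecline'
        $fix    = ''
        if ($Decline) { $u.Decline(); $action = 'Declined' }
    } else {
        # Still reported as Needed somewhere: list the newer updates that should be
        # approved, downloaded and installed before this one is declined.
        $action = 'Investigate'
        $fix = ($u.GetRelatedUpdates($newer) | ForEach-Object {
            '{0} [approved={1}; declined={2}; state={3}]' -f $_.Title, $_.IsApproved, $_.IsDeclined, $_.State
        }) -join ' | '
    }

    New-Object PSObject -Property @{
        Title = $u.Title; Action = $action; ClientsOutstanding = $outstanding; SupersededBy = $fix
    }
}

$report | Sort-Object Action, Title |
    Format-Table Action, ClientsOutstanding, Title, SupersededBy -AutoSize -Wrap
```

Rows marked `Investigate` are the ones the answer calls evidence of the actual problem: the `SupersededBy` column shows whether the newer update is unapproved, declined, or not yet in a ready state on the server.
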
  • Thanks for this.

    I have a large task ahead of me. I was considering declining all superseded at the expense of missing out some updates on machines (no superseded updates appear to be 100%) - but I might just have to work through them all.

    So, from my first question...I assume this is not a solution:

    Delete WSUS (inc. db) and reinstall, re-sync. (only most recent versions will be downloaded on first sync) - approve updates as necessary. (or will clients still report inaccurately)

    Tuesday, July 09, 2013 8:36 AM
  • > Delete WSUS (inc. db) and reinstall, re-sync. (only most recent versions will be downloaded on first sync) - approve updates as necessary. (or will clients still report inaccurately)

    Well, yes, that's a solution as well, but you've incorrectly assumed that only the most recent versions will be downloaded on first sync -- ALL current updates for the products & classifications you've selected will be synchronized.

    Approve updates as necessary -- I guess the question is which do you think will be easier:

    • Finding and re-approving the updates that should be approved.
    • Finding and declining the updates that should not be approved.

    Plus the extra effort in uninstalling and reinstalling the WSUS server. Frankly, as long as the WSUS server is working, your better solution is almost always going to be to simply remediate the improperly applied approvals, rather than rebuild from scratch.

    Either way, you'll still have to *decline* a bunch of updates to prevent clients from evaluating and reporting status for those updates -- regardless of whether they're Installed, NotInstalled, or NotApplicable.

    Or, put another way, rebuilding the server requires you to do both of the above tasks; remediating it only requires one. :-)


    Lawrence Garvin, M.S., MCITP:EA, MCDBA, MCSA

    Tuesday, July 09, 2013 8:52 PM