none
Manage WSUS Update Approvals

    Question

  • I'm new to WSUS and just rolled out a single server installation for Windows 7 workstations only.  Using WMI filtering to target them.  I chose ALL update classifications, but only use the default rule to automatically approve "Critical Updates" only.  After running the default rule, I noticed that my local update folder on the WSUS server had grown to over 70 GB.  Is this normal?  If not, where did I go wrong and how do you get old, already installed updates deleted from the WSUS cache?
    Friday, August 22, 2014 5:39 PM

Answers

  • I chose ALL update classifications
    Including Drivers?
    but only use the default rule to automatically approve "Critical Updates" only.
    And not Security Updates?
    After running the default rule, I noticed that my local update folder on the WSUS server had grown to over 70 GB. Is this normal?
    It is if you approve a couple thousand more updates than you actually need. :-)
    If not, where did I go wrong and how do you get old, already installed updates deleted from the WSUS cache?
    Well, ideally, you don't approve them in the first place. But I believe this article: Removing unneeded update approvals will help you out. Then, after those legacy updates are declined, you can run the Server Cleanup Wizard to delete the unneeded files.

    Lawrence Garvin, M.S., MCSA, MCITP:EA, MCDBA
    SolarWinds Head Geek
    Microsoft MVP - Software Packaging, Deployment & Servicing (2005-2014)
    My MVP Profile: http://mvp.microsoft.com/en-us/mvp/Lawrence%20R%20Garvin-32101
    http://www.solarwinds.com/gotmicrosoft
    The views expressed on this post are mine and do not necessarily reflect the views of SolarWinds.

    Friday, August 22, 2014 9:21 PM
    Moderator
  • Do I have to decline the updates rather than just "unapproved"?

    If you only set them to Not Approved, they'll have to stay there for 30 days, AND be reported as not NEEDED by any system for at least 30 days before the Server Cleanup Wizard can decline them.

    And after they're declined, then the files can be removed.

    So yes, it's better to actually DECLINE them in this process rather than just set them to Not Approved.

    If so, what happens if a new system comes on the network which may need that update I've declined because I want to save space?

    It's logically irrelevant. The update is superseded, and by virtue of the fact that its reported 100% NotApplicable, I also know that the newer update is approved. (It's been installed.)

    Any new systems that come on the network will install the newer update.


    Lawrence Garvin, M.S., MCSA, MCITP:EA, MCDBA
    SolarWinds Head Geek
    Microsoft MVP - Software Packaging, Deployment & Servicing (2005-2014)
    My MVP Profile: http://mvp.microsoft.com/en-us/mvp/Lawrence%20R%20Garvin-32101
    http://www.solarwinds.com/gotmicrosoft
    The views expressed on this post are mine and do not necessarily reflect the views of SolarWinds.

    Thursday, August 28, 2014 11:51 PM
    Moderator

All replies

  • I chose ALL update classifications
    Including Drivers?
    but only use the default rule to automatically approve "Critical Updates" only.
    And not Security Updates?
    After running the default rule, I noticed that my local update folder on the WSUS server had grown to over 70 GB. Is this normal?
    It is if you approve a couple thousand more updates than you actually need. :-)
    If not, where did I go wrong and how do you get old, already installed updates deleted from the WSUS cache?
    Well, ideally, you don't approve them in the first place. But I believe this article: Removing unneeded update approvals will help you out. Then, after those legacy updates are declined, you can run the Server Cleanup Wizard to delete the unneeded files.

    Lawrence Garvin, M.S., MCSA, MCITP:EA, MCDBA
    SolarWinds Head Geek
    Microsoft MVP - Software Packaging, Deployment & Servicing (2005-2014)
    My MVP Profile: http://mvp.microsoft.com/en-us/mvp/Lawrence%20R%20Garvin-32101
    http://www.solarwinds.com/gotmicrosoft
    The views expressed on this post are mine and do not necessarily reflect the views of SolarWinds.

    Friday, August 22, 2014 9:21 PM
    Moderator
  • Lawrence,

    Follow question regarding your statement:

    "ideally, you wouldn't approve them in the first place"

    Does that mean that you recommend not using the automatic approval feature that Microsoft included?  Or is there some way to get it to not apply to "old" critical updates and just newly released critical updates?

    Tuesday, August 26, 2014 7:18 PM
  • Lawrence,

    I took your advice here and followed the article for removing unnecessary update files.  After sorting for 100% installed updates I removed the approval and ran the cleanup wizard.  It didn't seem to have the impact I expected though.  I still have a 70GB data volume.  Do I have to decline the updates rather than just "unapproved"?  If so, what happens if a new system comes on the network which may need that update I've declined because I want to save space?

    Tuesday, August 26, 2014 7:48 PM
  • Do I have to decline the updates rather than just "unapproved"?

    If you only set them to Not Approved, they'll have to stay there for 30 days, AND be reported as not NEEDED by any system for at least 30 days before the Server Cleanup Wizard can decline them.

    And after they're declined, then the files can be removed.

    So yes, it's better to actually DECLINE them in this process rather than just set them to Not Approved.

    If so, what happens if a new system comes on the network which may need that update I've declined because I want to save space?

    It's logically irrelevant. The update is superseded, and by virtue of the fact that its reported 100% NotApplicable, I also know that the newer update is approved. (It's been installed.)

    Any new systems that come on the network will install the newer update.


    Lawrence Garvin, M.S., MCSA, MCITP:EA, MCDBA
    SolarWinds Head Geek
    Microsoft MVP - Software Packaging, Deployment & Servicing (2005-2014)
    My MVP Profile: http://mvp.microsoft.com/en-us/mvp/Lawrence%20R%20Garvin-32101
    http://www.solarwinds.com/gotmicrosoft
    The views expressed on this post are mine and do not necessarily reflect the views of SolarWinds.

    Thursday, August 28, 2014 11:51 PM
    Moderator