Immediate Removal of Patches from clients via WUS

  • Question

  • We patch using WSUS, our GPO tells the machines to check for updates every day at 4pm. Today we had to remove all Office 2013 patches from our latest update night from a Windows 7 machine due to an issue. Using WSUS, we created a dedicated group in the WSUS console, put the Windows 7 machine in there, highlighted the patches and scheduled the removal (too many to uninstall manually).

    Now that we are done I am wondering: Is the fastest way to remove the patches, once you've done the above work in WSUS and set the date to one in the past, to go to the client and manually check for updates? Since the client initiates the check-in with WSUS server, because of the GPO, that seems the only way to make it immediate. Otherwise, it will wait until 4pm.

    Jason

    Thursday, November 30, 2017 9:27 PM

Answers

  • You can adjust the Automatic Updates detection frequency through GPO and set it to check every 1 hour. GPO updates by default every 90 min, so initially you would be waiting 90 min or thereabouts; however, future changes would be picked up every hour.

    Adam Marshall, MCSE: Security
    http://www.adamj.org
    Microsoft MVP - Windows and Devices for IT

    • Marked as answer by Jack Leidu Monday, December 4, 2017 3:14 PM
    Sunday, December 3, 2017 4:01 AM

All replies

  • Hi,

    >> I am wondering: Is the fastest way to remove the patches, once you've done the above work in WSUS and set the date to one in the past, to go to the client and manually check for updates? 

    If that update is removable, I'd like to set "Approved for removal" for that update and configure an "expired" date for "deadline"; it would execute "remove" soon.

    "If the client contacts the server after the update deadline has passed, it will try to install the update as soon as possible. WSUS administrators can set update deadlines to a date in the past in order to have clients install the update immediately."

    https://technet.microsoft.com/en-us/library/cc708585(v=ws.10).aspx

    Best Regards,

    Elton




    • Edited by Elton_Ji Friday, December 1, 2017 9:52 AM
    Friday, December 1, 2017 9:22 AM
  • Since it was just one machine in this case it looks like the quickest way is to set the removal date to a past date and then from the affected machine do a check for updates.
    Monday, December 4, 2017 3:14 PM
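
The client-side check discussed in this thread, as an added example that is not from any of the posters: a PowerShell script that reads the Windows Update policy values delivered by GPO (WSUS server, detection frequency) and then asks the Automatic Updates agent to run a detection cycle immediately. It assumes an elevated session on a Windows 7-era client, where the `Microsoft.Update.AutoUpdate` COM object and `wuauclt.exe` are available.

```powershell
# Added example: run elevated on the WSUS client whose removal approval
# (with a deadline in the past) is waiting on the server.

$wuKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
$auKey = Join-Path $wuKey 'AU'

function Get-PolicyValue {
    param([string]$Path, [string]$Name)
    # Returns $null when the key or value is not set by policy.
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -ne $item) { $item.$Name } else { $null }
}

$useWsus   = Get-PolicyValue $auKey 'UseWUServer'
$server    = Get-PolicyValue $wuKey 'WUServer'
$group     = Get-PolicyValue $wuKey 'TargetGroup'
$freqOn    = Get-PolicyValue $auKey 'DetectionFrequencyEnabled'
$freqHours = Get-PolicyValue $auKey 'DetectionFrequency'

if ($useWsus -ne 1 -or -not $server) {
    Write-Warning 'No WSUS server is configured by policy on this client.'
    return
}

# Without the detection-frequency policy the agent uses its 22-hour default.
$interval = if ($freqOn -eq 1 -and $freqHours) { "$freqHours h (GPO)" }
            else { '22 h (agent default)' }
# TargetGroup is only present with client-side targeting; groups assigned
# in the WSUS console (as in the question) do not appear in the registry.
$groupText = if ($group) { $group } else { '(assigned on the server)' }

Write-Host "WSUS server        : $server"
Write-Host "Target group       : $groupText"
Write-Host "Detection interval : $interval"

# Start detection now instead of waiting for the next scheduled check-in.
$au = New-Object -ComObject Microsoft.Update.AutoUpdate
Write-Host "Last successful detection: $($au.Results.LastSearchSuccessDate) (UTC)"
$au.DetectNow()

# Ask the agent to send its status to WSUS so the console reflects the
# result once the removal has been processed.
Start-Process -FilePath "$env:SystemRoot\System32\wuauclt.exe" `
              -ArgumentList '/reportnow' -Wait
Write-Host 'Detection requested; progress is logged in %windir%\WindowsUpdate.log.'
```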