Does it make sense to decline "superseded", "not needed" updates?

  • Question

  • We have multiple WSUS servers. On one of the servers I wrote a script to try to decline superseded updates which are not needed by any client (needed count = 0) and also do not supersede any other update. Now if I try to update a new client using that server as the update server, it only shows 2 new updates, but if I change the update server to the other WSUS servers it shows about 20 new updates. Is my method of declining the superseded updates correct?

    And one more question: Must all the updates which supersede one update be approved, or is one of them enough?



    • Edited by harsini Sunday, July 15, 2018 3:42 AM
    Sunday, July 15, 2018 3:14 AM

All replies

  • Hi

    You can use below link

    http://www.tecknowledgebase.com/43/how-to-identify-and-decline-superseded-updates-in-wsus/

    Sunday, July 15, 2018 12:59 PM
  • Dear user, I know how to use Google for finding my answers. My question is something else.
    Monday, July 16, 2018 2:17 AM
  • Hi,

    Taherism provides a good method to decline the superseded updates. 

    Besides, I am not sure what your script looks like. Could you please check whether these two new updates on one WSUS server supersede the 20 new updates on another? If yes, I assume that these 20 updates are all needed by the computer, but 18 are superseded by the other two. The script may decline all updates except the latest.

    I suppose you could approve these 20 updates and see which gets sent to the client.

    Hope it helps.

    Best regards,
    Johnson

    =====================
    Please remember to mark the replies as answers if they help. If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.
    Monday, July 16, 2018 2:45 AM
  • Not Needed/No Status updates = NO! Don't decline these as they may be needed in the future by systems.

    Superseded = 100% DEFINITELY YES! Superseded updates are updates that have been fully integrated into a new update (the Superseding update) with either bug fixes or additional patches. There is usually no reason to install any superseded updates (there are always exceptions, but the general rule is not to install superseded updates).

    Approving the top superseding update is a good practice before the declining of any superseded updates but is not required.

    Building your script - don't forget there's more than just declining updates (although that's a part) with maintaining WSUS. Don't forget about the SQL reindexing, Server Cleanup Wizard (SCW), and other items that should be run.

    https://www.ajtek.ca/wsus/how-to-setup-manage-and-maintain-wsus-part-8-wsus-server-maintenance/


    Adam Marshall, MCSE: Security
    https://www.ajtek.ca
    Microsoft MVP - Windows and Devices for IT

    Monday, July 16, 2018 3:45 AM
  • Hi,

    Taherism provides a good method to decline the superseded updates. 

    Besides, I am not sure what your script looks like. Could you please check whether these two new updates on one WSUS server supersede the 20 new updates on another? If yes, I assume that these 20 updates are all needed by the computer, but 18 are superseded by the other two. The script may decline all updates except the latest.

    I suppose you could approve these 20 updates and see which gets sent to the client.

    Hope it helps.

    Best regards,
    Johnson

    =====================
    Please remember to mark the replies as answers if they help. If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.
    Hi. No, the servers don't have any difference in terms of approved updates. Indeed, the servers are both replica servers. I've changed one of them to autonomous mode in order to test declining before applying it on the upstream server.

    Tuesday, July 17, 2018 2:43 AM
  • Not Needed/No Status updates = NO! Don't decline these as they may be needed in the future by systems.

    Superseded = 100% DEFINITELY YES! Superseded updates are updates that have been fully integrated into a new update (the Superseding update) with either bug fixes or additional patches. There is usually no reason to install any superseded updates (there are always exceptions, but the general rule is not to install superseded updates).

    Approving the top superseding update is a good practice before the declining of any superseded updates but is not required.

    Building your script - don't forget there's more than just declining updates (although that's a part) with maintaining WSUS. Don't forget about the SQL reindexing, Server Cleanup Wizard (SCW), and other items that should be run.

    https://www.ajtek.ca/wsus/how-to-setup-manage-and-maintain-wsus-part-8-wsus-server-maintenance/


    Adam Marshall, MCSE: Security
    https://www.ajtek.ca
    Microsoft MVP - Windows and Devices for IT

    Actually, I declined updates which meet all three of these conditions:

    1 - superseded

    2 - does not supersede any other update

    3 - not needed

    But the aforementioned problem occurs after declining these updates.

    I also used "The complete guide to Microsoft WSUS and Configuration Manager SUP maintenance" before in another environment, but it had a similar effect and the WSUS servers were completely ruined, as only 1 or 2 new updates were shown when a new client tried to update.

    • Edited by harsini Tuesday, July 17, 2018 6:32 AM
    Tuesday, July 17, 2018 2:54 AM
  • #2, #3 may equate to your issue. I recommend to blanket decline all superseded updates regardless of #2 or #3. If an update is superseded, there's a reason why and it's wholly included in the superseding update with either fixes or additional patches.

    As for your experience while using Microsoft's guide, have a read through on part 8 of my blog series that I mentioned above.


    Adam Marshall, MCSE: Security
    https://www.ajtek.ca
    Microsoft MVP - Windows and Devices for IT

    Wednesday, July 18, 2018 2:21 AM
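
Added example (not part of the original thread and not any poster's script): a report-only PowerShell script that puts the narrow rule from the question (superseded, supersedes nothing, needed count 0) next to the blanket rule recommended in the reply above, and flags superseded updates that have no approved replacement. It assumes an elevated session on the WSUS server with the UpdateServices module; the output property names and the definition of "needed" (NotInstalled + Downloaded) are this example's own choices.

```powershell
# Added example: report only, nothing is declined.
# Assumes an elevated session on the WSUS server with the UpdateServices module.
$wsus     = Get-WsusServer
$scope    = New-Object Microsoft.UpdateServices.Administration.ComputerTargetScope
$newerRel = [Microsoft.UpdateServices.Administration.UpdateRelationship]::UpdatesThatSupersedeThisUpdate

$report = foreach ($u in $wsus.GetUpdates()) {
    # Blanket-rule candidates: every superseded update that is not yet declined.
    if (-not $u.IsSuperseded -or $u.IsDeclined) { continue }

    # "Needed" in this example = clients reporting NotInstalled or Downloaded.
    $s      = $u.GetSummary($scope)
    $needed = $s.NotInstalledCount + $s.DownloadedCount

    # Superseding updates that are still live (not declined), and those approved.
    $newer    = @($u.GetRelatedUpdates($newerRel) | Where-Object { -not $_.IsDeclined })
    $approved = @($newer | Where-Object { $_.IsApproved })

    [pscustomobject]@{
        Title             = $u.Title
        UpdateId          = $u.Id.UpdateId
        NeededCount       = $needed
        SupersedesOthers  = $u.HasSupersededUpdates
        # Rule from the question: supersedes nothing AND needed count 0.
        MatchesNarrowRule = (-not $u.HasSupersededUpdates) -and ($needed -eq 0)
        LiveNewer         = $newer.Count
        ApprovedNewer     = $approved.Count
    }
}

# Updates the blanket rule would decline but the narrow rule leaves in place.
$onlyBlanket = @($report | Where-Object { -not $_.MatchesNarrowRule })

# Superseded updates whose replacements are all unapproved or declined:
# declining these leaves clients with nothing approved to install instead.
$noApprovedNewer = @($report | Where-Object { $_.ApprovedNewer -eq 0 })

"Superseded, not declined:           {0}" -f @($report).Count
"Left behind by the narrow rule:     {0}" -f $onlyBlanket.Count
"No approved superseding update:     {0}" -f $noApprovedNewer.Count

$noApprovedNewer |
    Sort-Object NeededCount -Descending |
    Format-Table Title, NeededCount, LiveNewer, ApprovedNewer -AutoSize
```

Running it on both the test server and an untouched replica before and after a decline pass shows which superseded updates remain offered on each.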
  • But based on this TechNet discussion, these items must be true in order to decline a superseded update correctly:

    1. Approve the newer update.
    2. Verify that all systems have installed the newer update.
    3. Verify that all systems now report the superseded update as Not Applicable.
    4. THEN it is safe to decline the superseded update.


    • Edited by harsini Wednesday, July 18, 2018 5:45 AM
    Wednesday, July 18, 2018 3:06 AM
  • Yes, I'm aware of what Lawrence has said. I disagree with it, and unfortunately he passed away suddenly back in 2015 so we can't have a discussion on this together.

    If package A is replaced with package B which WHOLLY contains package A but also includes Fix A

    A=A
    B=A+Fix A

    B Supersedes A

    Why WOULDN'T you want to decline A right away?

    His method verifies that ALL systems have Package B installed already BEFORE declining package A. My question is WHY?

    Lawrence's way is like saying (going back to the days of school)... I'll hand you the first draft of my assignment for marking... oh, wait... Here's my final assignment in its fixed form now ready for your marking. Make sure you mark my final assignment before you throw out my first draft.

    It doesn't make sense.


    Adam Marshall, MCSE: Security
    https://www.ajtek.ca
    Microsoft MVP - Windows and Devices for IT

    Friday, July 20, 2018 3:35 AM
  • I can't speak for Lawrence, but if there's a potential problem with B, you would have to revert to A anyway (until B is replaced with C).

    Rolf Lidvall, Swedish Radio (Ltd)


    Friday, July 20, 2018 8:39 AM
  • Maybe the reason explained in this forum would be the reason why we should not decline all superseded updates.

    Don't you think my problem is due to declining updates not based on the right logic, so that new clients get only 2 updates after declining while they get 20 updates from the others?

    I will try to force the client to get updates from Microsoft directly today to see how many updates it gets.

    Saturday, July 21, 2018 2:46 AM
  • If you live in the past, you never see the future.

    What you talk about is for systems that are over 15 years old. Don't you think things have changed in the last 15 years?


    Adam Marshall, MCSE: Security
    https://www.ajtek.ca
    Microsoft MVP - Windows and Devices for IT

    Saturday, July 21, 2018 3:02 AM
  • I can't speak for Lawrence, but if there's a potential problem with B, you would have to revert to A anyway (until B is replaced with C).

    Rolf Lidvall, Swedish Radio (Ltd)


    Actually, if there was a problem with B, you'd remove A & B because they were FAULTY. You'd revert to 0 which was before A.

    Think of Windows 10 Cumulative Updates. July 10th is a great example. It was replaced with July 17th... you don't go back to installing the July 10th update, you go back to JUNE's update.


    Adam Marshall, MCSE: Security
    https://www.ajtek.ca
    Microsoft MVP - Windows and Devices for IT

    Saturday, July 21, 2018 3:05 AM
  • Oh, and one can argue that June was replaced by July... Just because it's declined, doesn't mean that it's GONE. It's just declined (.... most of the time). If it was removed from the database, then you can just re-import it using the Windows Catalog.

    At the same time, All systems would have updated FROM June's update (ideally), so an approval for removal of July's update would revert the systems to June.

    Confused yet? I'm getting to that point. It's quite circular, but you have to remember to always look forward.


    Adam Marshall, MCSE: Security
    https://www.ajtek.ca
    Microsoft MVP - Windows and Devices for IT

    Saturday, July 21, 2018 3:09 AM
  • I noticed something else. A newly installed Windows Server 2012 R2 client gets updates that are superseded instead of the superseding updates, which are also approved in WSUS. Do you know why this happens?

    Edit: I think it's because the superseded update isn't expired. Should I do anything else after declining and before removing?

    • Edited by harsini Saturday, July 21, 2018 7:14 AM
    Saturday, July 21, 2018 4:27 AM