The SCCM SUP and the WSUS Cleanup Wizard

  • Question

  • Hi, I'm hoping you can help with a question I have re the WSUS Cleanup Wizard...

    I have a test SCCM 2012 (1606) Primary Site which contains a Software Update Point (SUP). This synchronizes successfully from Microsoft into an underlying WSUS SUSDB database, the contents of which are then synchronised into the SCCM Site Database. This all seems to work OK - but one day I was looking in the SCCM admin console for a particular SQL patch (MS15-058), and couldn't find it.

    This patch is not superseded or expired, and SQL (all versions) is selected in the list of products configured for the SUP to service, so I couldn't understand why the MS15-058 patch wasn't in the SCCM database. I believe however that it may be related to the option within the SCCM console to "Run WSUS cleanup wizard" in the "Supersedence Rules" tab, which is selected...

    I think the effect of this is that SCCM periodically triggers the "WSUS Cleanup wizard" to run against the SUSDB database - effectively as if it had been triggered manually with all of the options within the "Select items to clean" tab selected. One of these options is "Unused updates and update revisions"...

    Anyway, I used the WSUS admin console to search for the MS15-058 patch, and found it without any problems. What I did notice however was that all of the KBs within the MS15-058 patch had a status of "Declined". There were however some other SQL updates which were not Declined, and when I checked the SCCM console to see which SQL updates the SCCM database knew about, this very closely matched the list of non-Declined patches in WSUS...

    When I compare the overall number of all patches in WSUS (c. 24,000) with the total number in SCCM there is a huge discrepancy - there are some 16,000 in WSUS with the Declined status. From this position, performing a SUP Full Sync on the SCCM server doesn't bring any of the missing patches into SCCM.

    I then went into the WSUS Console, selected the missing MS15-058 patches and set them to "Not Approved", and then triggered a SUP full sync again - the result being that the MS15-058 patches were again available in SCCM.

    The conclusion I draw from this is that with MS15-058 never having been deployed to anything from within SCCM, it is effectively an "Unused Update", and the automatic running of the WSUS Cleanup Wizard then sets it to "Declined" within the WSUS database. The knock-on effect of this is that the SUP synchronisation process then removes it from the SCCM database.

    The questions I ask then are:

    a) whether I have understood the process correctly, or whether there is something wrong with our environment which is making it purge updates from the SCCM database,

    b) whether we are right to automatically run the WSUS Cleanup Wizard from SCCM, given that it seems to have the effect of purging updates from the SCCM database which we may want to deploy at a later date. I'm thinking that there may be other options we could use instead - for instance manually (possibly by script) running the WSUS cleanup wizard for those selections other than "Unused updates and update revisions", and regularly re-indexing the WSUS database.

    Thanks in advance,

    Regards, Alex Line
    Thursday, September 15, 2016 11:27 AM
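An added example (not part of Alex's post, and not a Microsoft or ConfigMgr script) of the "manually, possibly by script" route he floats: a PowerShell script against the WSUS administration API that first reproduces his declined-versus-total comparison and lists declined updates that are neither expired nor superseded (the ones a cleanup has no reason to decline), then runs the cleanup with every wizard option except "Unused updates and update revisions". The server name and port are placeholders; it assumes the WSUS console assembly is installed on the host running it and the caller is a WSUS administrator.

```powershell
# Added example, not from the thread: audit declined updates in WSUS, then run the
# cleanup with every wizard option except "Unused updates and update revisions".
[Reflection.Assembly]::LoadWithPartialName('Microsoft.UpdateServices.Administration') | Out-Null

$server = 'WSUS01.example.local'   # placeholder: your SUP/WSUS host
$port   = 8530                     # placeholder: 8531 if the SUP is configured for SSL
$useSsl = $false
$wsus = [Microsoft.UpdateServices.Administration.AdminProxy]::GetUpdateServer($server, $useSsl, $port)

# 1. Reproduce the "24,000 in WSUS vs 16,000 declined" comparison from the post.
$allScope      = New-Object Microsoft.UpdateServices.Administration.UpdateScope
$declinedScope = New-Object Microsoft.UpdateServices.Administration.UpdateScope
$declinedScope.ApprovedStates = [Microsoft.UpdateServices.Administration.ApprovedStates]::Declined
$total    = $wsus.GetUpdateCount($allScope)
$declined = $wsus.GetUpdateCount($declinedScope)
"Total updates: $total; declined: $declined; left for the SUP sync to pick up: $($total - $declined)"

# Declined updates that are neither expired nor superseded. A cleanup run that only
# declines expired/superseded updates would not touch these, so anything listed here
# was declined by some other action (for example by hand in the WSUS console).
$wsus.GetUpdates($declinedScope) |
    Where-Object { -not $_.IsSuperseded -and $_.PublicationState -ne 'Expired' } |
    Select-Object Title, @{ n = 'KB'; e = { $_.KnowledgebaseArticles -join ',' } }, CreationDate |
    Sort-Object CreationDate |
    Format-Table -AutoSize

# 2. Run the cleanup with the same options as the wizard, but leave the suspected
#    "Unused updates and update revisions" option (CleanupObsoleteUpdates) off.
$scope = New-Object Microsoft.UpdateServices.Administration.CleanupScope
$scope.CleanupObsoleteUpdates      = $false   # the option under suspicion, deliberately off
$scope.DeclineSupersededUpdates    = $true
$scope.DeclineExpiredUpdates       = $true
$scope.CleanupObsoleteComputers    = $true
$scope.CleanupUnneededContentFiles = $true
$scope.CompressUpdates             = $true
$result = $wsus.GetCleanupManager().PerformCleanup($scope)
$result | Format-List   # counts of updates declined/deleted/compressed and disk space freed
```

Run the audit section first on its own; the cleanup section changes server state and should be run only once you are happy with what the first section reports.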
All replies

  • First off, do you have CM12 or CMCB (1606)? You have posted to the CM12 forums.

    The clean-up process will not decline SU that are not being used. It is most likely that someone went into the WSUS console and declined that SU there and therefore CM can't see the SU.

    The clean-up process will only remove SU that are expired and therefore you shouldn't be deploying anyway; this will have no effect on your process.

    Garth Jones

    Blog: http://www.enhansoft.com/blog Old Blog: http://smsug.ca/blogs/garth_jones/default.aspx

    Twitter: @GarthMJ Book: System Center Configuration Manager Reporting Unleashed

    Thursday, September 15, 2016 11:47 AM

  • Thanks for the reply Garth, and apologies, we do have CMCB (1606) - I didn't realise there was a different forum for that.

    Regarding the clean-up process I don't know if someone went into WSUS and declined anything, although I would have thought not - there are thousands of patches that have been declined, and only a couple of (trusted) people who have access to the console. But I can't rule it out as it is a development environment.

    The important thing is that you have confirmed that this should not have happened and the clean-up process shouldn't be declining unused patches.

    We are about to build a completely new test environment, so once we have this we'll check more carefully what happens with the clean-ups and react accordingly. Appreciate your help,

    Alex Line

    Thursday, September 15, 2016 3:21 PM