Restore Declined WSUS Updates to SCCM 2012

  • Question

  • I have some updates that were declined in WSUS a few years ago. I need to restore and deploy them through SCCM. I've moved the updates from "Declined" to "Not Approved" in WSUS. When WSUS synchronizes with the SUP in SCCM 2012 R2, the updates are not appearing in the Software Updates Catalog. I've synced WSUS, and SCCM is logging events that the sync between WSUS and the SUP was successful.

    Is there another step I'm missing here?

    Friday, November 6, 2015 2:35 PM


All replies

  • I honestly don't know if there is a supported path back from what you've done. Is there a reason you are declining updates in WSUS? This really shouldn't be done unless you know you will never need the update -- technically, I think doing this was unsupported until recently.

    How did you initiate the update sync and how many times have you initiated it?


    Jason | http://blog.configmgrftw.com | @jasonsandys

    Friday, November 6, 2015 3:20 PM
  • Generally, I don't decline stuff unless I've determined updates have no place in my environment. I decline them in WSUS and they show up as expired in SCCM after a sync. I track what's been declined and a justification.

    I've been asked to restore and deploy some old updates that were previously declined (several years ago). I work for a large company, there've been a lot of people who've worked on the system in the past. I can't explain why they were declined, it was before my department was responsible for the product.

    Generally, our WSUS syncs automatically at 1am. When necessary, I kick off a manual sync. Reporting events from the logs indicated that WSUS and the SUP are synchronizing correctly.

    I've heard some mention, through searching, of executing "wsusutil reset" to clean up WSUS metadata?

    Friday, November 6, 2015 4:10 PM
  • That doesn't answer my question though: "How did you initiate the update sync and how many times have you initiated it?"

    Jason | http://blog.configmgrftw.com | @jasonsandys

    Friday, November 6, 2015 4:19 PM
  • Synchronizing is clearly not changing anything, but specifically:

    I declined the updates on Wednesday night at 10pm. I manually initiated a wsus synchronization, at that time, and then when it was finished (it didn't detect any new updates), I manually initiated a sync from the SCCM console Software Library. Event entries indicated the sync was successful.

    The catalog automatically syncs at 1am every morning. So that process has completed twice since then (it's now Friday). I know there's some sort of deal where a manual sync doesn't do a full sync, but the scheduled ones do.

    Since then, I have also initiated manual syncs twice with no changes being made to these updates. As a test, I declined an update that I didn't need, and it was correctly changed to expired. So I know the sync is working; and the event logs indicate syncs have been successful.



    • Edited by GregJK Friday, November 6, 2015 8:05 PM
    Friday, November 6, 2015 8:04 PM
  • Well, in a roundabout way you've finally answered my question which was direct and specific for a reason (sorry, not trying to be harsh or rude but when someone is helping you and they ask a direct question, give a direct answer as they are most likely asking it for a specific reason).

    In this case, there are two different types of syncs: full and delta. Traditionally, a manual sync will only do a delta sync and scheduled syncs will do a full. That's not necessarily the case in 2012 anymore though: https://msdn.microsoft.com/en-us/library/jj218108.aspx. You should be able to initiate a full sync manually using a script: https://www.sepago.com/blog/2013/07/21/how-to-sync-the-software-update-point-configmgr-via-powershell. This will hopefully get the updates back.


    Jason | http://blog.configmgrftw.com | @jasonsandys

    • Proposed as answer by Joyce L Monday, November 9, 2015 4:23 AM
    • Marked as answer by Joyce L Thursday, November 12, 2015 7:15 AM
    Friday, November 6, 2015 8:19 PM
  • Nobody answered the OP's question. I too have the same dilemma. How does one get an update back into SCCM after it has been inadvertently declined through WSUS?

    Supported or Not, I need an update restored. If I have to go into the database and edit a table, I will.


    Mike Brown

    Saturday, July 23, 2016 3:57 PM
  • Right. As I noted, I don't know if there's a supported path back from declining an update directly in WSUS as declining them in the first place was never a supported operation and I've never tested it.

    The only real path though is to go into WSUS, set the update back to its default state (which is unapproved, I believe), and initiate a Full Sync of the catalog -- to manually initiate a full sync, you need to change your criteria for the update catalog like adding or removing a classification, language, or product. I would expect this to restore the update (assuming it's not expired or superseded) to ConfigMgr.

    Keep in mind that the normal definition of supported is that it's something that they have explicitly designed or accounted for *and* successfully tested. Often things that aren't supported also simply won't work so it's not about them not wanting you to do something, it's because it just doesn't work either so no amount of hacking, fiddling, or configuration will make it work. In this case, I honestly don't know but as noted, do expect the above to work (of course my expectation doesn't mean it will though).


    Jason | http://blog.configmgrftw.com | @jasonsandys

    Saturday, July 23, 2016 7:12 PM
  • Nobody answered the OP's question. I too have the same dilemma. How does one get an update back into SCCM after it has been inadvertently declined through WSUS?

    Supported or Not, I need an update restored. If I have to go into the database and edit a table, I will.


    Mike Brown

    The supported way is to change the update in WSUS to "Not Approved" and then perform a sync as described in this article released by MS, look under the Troubleshooting section:

    The complete guide to Microsoft WSUS and Configuration Manager SUP maintenance

    This will work as long as the update is not expired by MS and your supersedence rule is set prior to the release date of the update (if it is a superseded but not expired update). I have tested this myself.


    Rolf Lidvall, Swedish Radio (Ltd)



    Monday, July 25, 2016 12:30 PM
  • Followed the recommendation and still see this in WSYNCMGR:

    Skipped update 97c59ce4-ad57-4247-9f43-713e74c6a092 - Update for Windows Server 2012 R2 (KB3137691) because it was superseded.

    This update is showing as superseded in WSUS, but there is no reference of any superseding update to replace it.


    Mike Brown

    Monday, July 25, 2016 4:06 PM
  • According to the Windows Update Catalog, this update was superseded by KB3145432 (http://catalog.update.microsoft.com/v7/site/ScopedViewInline.aspx?updateid=533a7851-2b4e-4598-9f62-572def07e3df): http://catalog.update.microsoft.com/v7/site/ScopedViewInline.aspx?updateid=97c59ce4-ad57-4247-9f43-713e74c6a092

    Jason | http://blog.configmgrftw.com | @jasonsandys

    Monday, July 25, 2016 4:51 PM
  • Thanks Jason. I didn't see that.

    Mike Brown

    Monday, July 25, 2016 5:16 PM
  • Is there any way to get a superseded update back in?

    Within WSUS KB2972216 is shown as superseded by KB3188744.

    However, KB3188744 is only for Server 2008 and is NOT for 2008 R2.

    KB2972216 was applicable to 2008 and 2008 R2.

    This applies to a whole bunch of .net 4.5.2 updates for Server 2008 R2.  This means that I cannot get KB2972216 into SCCM even though it is still needed by 2008 R2 clients.

    From SCCM: Skipped update e63b4eca-27a1-4fd0-b311-e468da0cd02e - Security Update for Microsoft .NET Framework 4.5, 4.5.1 and 4.5.2 on Windows 7, Vista, Server 2008, Server 2008 R2 x64 (KB2972216) because it was superseded.

    However, running Windows Update online against MS shows that it is still available and required.



    • Edited by Dooley Do Thursday, November 10, 2016 11:17 AM
    Thursday, November 10, 2016 10:47 AM
  • Once ConfigMgr expires an update, no.

    You should contact Microsoft support on this as there is something wrong with the catalog (obviously).


    Jason | http://blog.configmgrftw.com | @jasonsandys

    Thursday, November 10, 2016 6:05 PM
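
Added example (not from any poster in the thread and not Microsoft's code): a small Python parser for the WSYNCMGR "Skipped update ... because it was superseded" entries quoted above. It collapses repeats across syncs and reports which of the KBs you are trying to restore the sync keeps dropping. The `<![LOG[...]LOG]!>` wrapper attributes, the timestamps, the first sample entry and the function names are assumptions; only the two skip messages come from the thread.

```python
import re

# ConfigMgr log wrapper: <![LOG[message]LOG]!><time="..." date="..." ...>
ENTRY = re.compile(r'<!\[LOG\[(?P<msg>.*?)\]LOG\]!><time="(?P<time>[^"]*)"\s+date="(?P<date>[^"]*)"')
# Message shape quoted in the thread: Skipped update <GUID> - <title> because it was <reason>.
SKIPPED = re.compile(
    r'Skipped update (?P<guid>[0-9a-f]{8}(?:-[0-9a-f]{4}){3}-[0-9a-f]{12})'
    r' - (?P<title>.*) because it was (?P<reason>\w+)', re.I)
KB = re.compile(r'\(KB(\d+)\)')

def parse_skips(text):
    """Collapse repeated skip entries into one record per update GUID."""
    skips = {}
    for line in text.splitlines():
        wrapped = ENTRY.search(line)
        msg = wrapped['msg'] if wrapped else line  # also accept bare pasted lines
        hit = SKIPPED.search(msg)
        if not hit:
            continue
        kb = KB.search(hit['title'])
        rec = skips.setdefault(hit['guid'].lower(), {
            'title': hit['title'], 'kb': 'KB' + kb[1] if kb else None,
            'reason': hit['reason'].lower(), 'count': 0, 'last_seen': None})
        rec['count'] += 1
        if wrapped:
            rec['last_seen'] = f"{wrapped['date']} {wrapped['time']}"
    return skips

def blocked(skips, wanted_kbs):
    """Map each KB the admin wants restored to the reason sync keeps dropping it."""
    by_kb = {r['kb']: r['reason'] for r in skips.values() if r['kb']}
    return {kb: by_kb[kb] for kb in wanted_kbs if kb in by_kb}

# Constructed sample: the skip messages are the two quoted in the thread; the
# first entry, the timestamps and the wrapper attributes are made up.
SAMPLE = '''\
<![LOG[Sync started (constructed entry)]LOG]!><time="01:00:02.114+300" date="07-25-2016" component="SMS_WSUS_SYNC_MANAGER">
<![LOG[Skipped update 97c59ce4-ad57-4247-9f43-713e74c6a092 - Update for Windows Server 2012 R2 (KB3137691) because it was superseded.]LOG]!><time="01:00:04.250+300" date="07-25-2016" component="SMS_WSUS_SYNC_MANAGER">
<![LOG[Skipped update 97c59ce4-ad57-4247-9f43-713e74c6a092 - Update for Windows Server 2012 R2 (KB3137691) because it was superseded.]LOG]!><time="01:00:05.500+300" date="07-26-2016" component="SMS_WSUS_SYNC_MANAGER">
Skipped update e63b4eca-27a1-4fd0-b311-e468da0cd02e - Security Update for Microsoft .NET Framework 4.5, 4.5.1 and 4.5.2 on Windows 7, Vista, Server 2008, Server 2008 R2 x64 (KB2972216) because it was superseded.
'''

if __name__ == '__main__':
    found = parse_skips(SAMPLE)
    for guid, r in found.items():
        print(guid, r['kb'], r['reason'], f"x{r['count']}", r['last_seen'])
    print(blocked(found, ['KB3137691', 'KB2972216', 'KB3145432']))
```

A KB that appears in the `blocked` result will not return to the catalog through a resync alone, which matches the replies above about supersedence.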