How to decline updates for certain computer groups

  • Question

  • Hello

    I have a WSUS server serving many clients/servers.

    Some of the servers and clients served by this WSUS server have installed software from a software vendor that tests new Windows patches for compatibility with their system, and releases lists with approved updates for their system.
    Some of the new Windows updates are found to cause trouble for the software and are not to be installed until further notice.

    The servers and clients that have this software installed are grouped, so I would like to decline the updates with compatibility issues for these specific computer groups while the updates are still available to other computers that are not affected by these updates.

    Can you tell me how I can easily in WSUS decline updates from certain computer groups without declining them for all computers??

    Don't tell me to just not approve these updates for install, that is not an answer. There should be a way to distinguish not yet approved updates (as in just released) from the updates I really don't want to install.

    I would also like to keep track of these updates that I don't want installed so that I can check those specific updates the next time the software vendor updates their list of approved patches to see if they can be installed or still need to be declined.


    The WSUS tool could potentially have been an awesome tool, but because of some strange design choices and features like this missing, the tool is just mediocre at best...



    Monday, August 26, 2019 12:26 PM

All replies

  • Hi MrTrollgubben,

    It seems that WSUS's "New Update View" and "Update Filter" can help you.

    1. First, create a "New Update View" to filter the groups of computers you need.
    2. In the "New Update View", select the appropriate criteria to filter the updates you need to process. Based on your description, I recommend selecting "Any Except Declined" + "Needed" and then you can process them according to your needs.

    All of the above screening criteria can be adjusted according to your needs.
    Hope the above can help you.

    Regards,
    Yic

    Please remember to mark as answers if they help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.

    Tuesday, August 27, 2019 2:36 AM
  • Thank you for your suggestion, I will have a look at the script, but I would rather like for WSUS to have all the functionality that it should have had in the first place so that I can manage the updates from one place instead of having to use several tools to overcome the shortcomings of WSUS. I am not exactly sure how the script will help me but I will have a look.

    Tuesday, August 27, 2019 7:22 AM
  • Hi Yic

    Yes, I have fooled around with new views and filters but this does not really help a lot because some obvious features have been left out from the new view function.

    The only choice in the new view is updates APPROVED for certain groups, for this to help I would need other options like not approved or especially DECLINED for certain groups. In typical Microsoft fashion these choices have not been included for some reasons beyond my understanding.

    The whole point would be to be able to decline certain updates for certain computer groups and then I could have set up a view of declined updates for the computer group to keep track of them, but there is no way to do this..???

    Will approving updates for removal for a certain computer group keep the updates from being installed to the members of this group in the first place? If this would work, I could get around it by creating a computer group called Declined updates or something and add the computers also to this group and create a view showing approved updates for the declined updates group.

    But if a computer is a member of two groups where an update is approved for one group and not approved or approved for removal for the other group, will the update be installed or not??

    I mean, all this just because a few simple and for me completely obvious and basic features are left out of WSUS, why were these simple choices not included? There should be no technical reason to not include these features, it must be a design choice that I do not really understand, or even complete ignorance from the creators..

    Is it only me that is seeing these shortcomings???




    Tuesday, August 27, 2019 8:20 AM
  • Will approving updates for removal for a certain computer group keep the updates from being installed to the members of this group in the first place? If this would work, I could get around it by creating a computer group called Declined updates or something and add the computers also to this group and create a view showing approved updates for the declined updates group.

    But if a computer is a member of two groups where an update is approved for one group and not approved or approved for removal for the other group, will the update be installed or not??

    This seems to be a way.
    I understand that your situation is that the client will be installed by a third-party service provider to pass some test updates, then I guess the installation method may be manual installation. If these updates are removable, they will be removed by WSUS approval after confirming the installation.

    Another problem, one update on the same machine, when one group approves the installation, and the other group approves the removal, my test result is that the update will still be installed.

    Hope the above can help you.

    Regards,
    Yic


    Wednesday, August 28, 2019 3:19 AM
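
Added example, not part of the original thread or any poster's reply: a read-only PowerShell audit for the overlap tested in the reply above, where an install approval through one group still reached a machine that also sits in another group. It assumes the UpdateServices module on the WSUS server; the group name `Vendor-Controlled` and the KB numbers are hypothetical placeholders.

```powershell
# Read-only audit: changes no approvals.
# Assumptions: run on the WSUS server with the UpdateServices module available.
Import-Module UpdateServices

$ProtectedGroupName = 'Vendor-Controlled'      # hypothetical computer group name
$BlockedKBs         = @('0000001', '0000002')  # placeholder KB numbers from the vendor's list

$wsus      = Get-WsusServer
$protected = $wsus.GetComputerTargetGroups() |
    Where-Object { $_.Name -eq $ProtectedGroupName }
if (-not $protected) { throw "Computer group '$ProtectedGroupName' not found." }

# Computers governed by the vendor list, keyed by WSUS target Id.
$protectedIds = @{}
foreach ($c in $protected.GetComputerTargets()) {
    $protectedIds[$c.Id] = $c.FullDomainName
}

$install  = [Microsoft.UpdateServices.Administration.UpdateApprovalAction]::Install
$findings = foreach ($kb in $BlockedKBs) {
    # SearchUpdates is a text search, so confirm the KB article list as well.
    $updates = $wsus.SearchUpdates($kb) |
        Where-Object { $_.KnowledgebaseArticles -contains $kb -and -not $_.IsDeclined }

    foreach ($update in $updates) {
        foreach ($approval in $update.GetUpdateApprovals()) {
            if ($approval.Action -ne $install) { continue }

            # Direct members only; approvals inherited by nested groups
            # are not expanded in this example.
            $group = $wsus.GetComputerTargetGroup($approval.ComputerTargetGroupId)
            foreach ($c in $group.GetComputerTargets()) {
                if ($protectedIds.ContainsKey($c.Id)) {
                    [pscustomobject]@{
                        KB          = $kb
                        Update      = $update.Title
                        Computer    = $c.FullDomainName
                        ApprovedVia = $group.Name
                    }
                }
            }
        }
    }
}

# Each row is a protected computer that a blocked update can still reach.
$findings | Sort-Object KB, Computer | Format-Table -AutoSize
```

An install approval on "All Computers" lists every protected machine, which is the expected result for that configuration. Saving `$findings` with `Export-Csv` gives a record to compare against the vendor's next approved-patch list.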

  • We have servers and clients running critical production equipment, with software delivered by system vendors like ABB, Wonderware, Siemens and so on. These reputable vendors have their own test labs where they test new Windows updates for compatibility issues for their systems and provide their customers with lists of approved Windows updates. Some updates are in their test labs found to cause issues for their systems and of course these updates are marked to not be installed until further notice.

    I would of course like to block these specific updates from being installed on the critical equipment to avoid problems. The updates might not cause any issues for other clients and servers and should be installed on those.

    It really dazzles me that Microsoft fails to see the need for this feature/possibility in WSUS. It should be just as natural to be able to decline an update for specific groups just as well as approving it for specific groups. Do you really fail to see this? Don't you see that we are pulling out a lot of hair trying to find all other sorts of solutions to solve a problem that would not even exist if just the WSUS service that is supposed to make us able to manage updates would have the essential functionality to actually manage the updates??

    I have seen many enough similar questions about this that were never properly answered, so it is not just me having these needs..

    Small things like this, that would not even require any development/research to fix, just a simple design decision from Microsoft, make a lot of potentially awesome Microsoft products just mediocre at best.

    Why, why???


    Wednesday, August 28, 2019 7:28 AM
  • Hi MrTrollgubben,

    I am very sorry that my suggestion did not help you.
    I will continue to analyze the situation you mentioned. And we can wait for other experts in the forum to have better suggestions.


    Regards,
    Yic


    Wednesday, August 28, 2019 8:40 AM
  • Well, thank you for the suggestion

    The basic problem is that WSUS does not have all the functionality that it should have had, in my opinion. It is just like if you get into a car with lots of forward gears but you cannot find the reverse gear, the maker forgot to implement reverse gear or did not see the need of it. You have to find other solutions or use an external device to make the car perform a basic operation you thought and expected all cars to be able to do..

    So, I am hoping at least all these questions will show the need of these features, even though nobody has the balls to admit the lack of these features..



    Wednesday, August 28, 2019 9:01 AM