Confusion about declining an update

  • Question

  • I am not clear on what happens when I decline an update. Put another way: I always decline updates that have a Needed Count of 0, which seems to make sense. However, using Office 2016 as an example: what happens if we do end up with that software (we run 2013 right now) in the future on our machines... we will be missing all of the updates I have declined. I've not been able to find an article that addresses this question, but that is probably because I am not asking the question correctly in Google or Bing.

    Also, the .NET security and critical updates do not install new versions of .NET... correct? They only apply the update to the version(s) you have. A security update for .NET 4.5 is not going to install 4.6. Just need a sanity check on this.

    Jason

    Thursday, October 19, 2017 10:49 PM

Answers

  • The question becomes why decline an update?

    • A superseded update has an update that replaces the superseded update entirely and therefore makes the superseded update irrelevant
    • An update that does cause trouble with a program/service on a machine in your network and you NEVER want to install this on ANY SYSTEM. If you want to make sure it doesn't get installed, you Decline it. If you're not sure, you keep it NOT APPROVED and it will not install on any system until you approve it (if it's only temporary, or you don't want to install it on 1 type of system - eg servers, you just keep it not approved, or approve it to specific groups).
    • An update that you do not EVER want to install on a system (perhaps you never want to install Silverlight on any system, anywhere)

    Are you declining to 'clear up' a view for updates? That's the WRONG way to Administrate WSUS.

    Let me give you an example that is out of date now, but will make sense.

    Windows XP SP3 has ~130-160 updates on a brand new install. Say you have an XP SP3 system that is 100% up to date. All of those 130-160 updates are not needed and will have a Needed Count of 0 because they're already installed on the system. Say now that XP system dies. You get a replacement system and install a fresh copy of XP SP3 on the box. All of those 130-160 updates are now 'NEEDED' and will show up as such. Then you can Approve them, they will download, install, and then they will no longer be Needed.

    And yes, the .NET Security updates say they are for all versions but will only patch what is installed out of all of those versions. If you have multiple versions installed, the 1 update will patch each version.

    Also, something more...

    Have a peek at my Adamj Clean-WSUS script. It is the last WSUS Script you will ever need!

    http://community.spiceworks.com/scripts/show/2998-adamj-clean-wsus

    What it does:

    1. Add WSUS Index Optimization to the database, making many database operations in WSUS approximately 1000-1500 times faster.
    2. Remove all Drivers from the WSUS Database (Default; Optional).
    3. Shrink your WSUSContent folder's size by declining multiple types of updates including by default any superseded updates, preview updates, expired updates, Itanium updates, and beta updates. Optional extras: Language Packs, IE7, IE8, IE9, IE10, Embedded, NonEnglishUpdates, ComputerUpdates32bit, WinXP.
    4. Remove declined updates from the WSUS Database.
    5. Clean out all the synchronization logs that have built up over time (configurable, with the default keeping the last 14 days of logs).
    6. Compress Update Revisions.
    7. Remove Obsolete Updates.
    8. Computer Object Cleanup (configurable, with the default of deleting computer objects that have not synced within 30 days).
    9. Application Pool Memory Configuration to display the current private memory limit and easily set it to any configurable amount including 0 for unlimited. This is a manual execution only.
    10. Checks to see if you have a dirty database, and if you do, fixes it. This is primarily for Server 2012 WSUS, and is a manual execution only.
    11. Run the Recommended SQL database Maintenance script on the actual SQL database.
    12. Run the Server Cleanup Wizard.

    It will email the report out to you or save it to a file, or both.

    Although the script is lengthy, it has been made to be super easy to set up and use, so don't overthink it. There are some prerequisites and instructions at the top of the script. After installing the prerequisites and configuring the variables for your environment (email settings only if you are accepting all the defaults), simply run:

    .\Clean-WSUS.ps1 -FirstRun

    If you wish to view or increase the Application Pool Memory Configuration, or run the Dirty Database Check, you must run it with the required switch. See Get-Help .\Clean-WSUS.ps1 -Examples

    If you're having trouble, there's also a -HelpMe option that will create a log so you can send it to me for support.


    Adam Marshall, MCSE: Security
    http://www.adamj.org


    • Edited by AJTek.caMVP Friday, October 20, 2017 2:20 AM Added more info.
    • Marked as answer by Jack Leidu Monday, October 23, 2017 3:08 PM
    Friday, October 20, 2017 2:18 AM
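The distinction drawn in the answer above (decline only what is genuinely irrelevant, leave everything else Not Approved, and never use a Needed Count of 0 as the criterion) can be expressed against the WSUS administration API. The script below is an added illustration for this thread; it is not the Clean-WSUS script from the post and not Microsoft's code. It assumes it runs on the WSUS server itself with the administration console (and therefore the Microsoft.UpdateServices.Administration assembly) installed, and that the default HTTP port 8530 is in use; the report path and the "successor must itself be approved" rule are my own choices.

```powershell
# Added example for this thread, not the Clean-WSUS script: decline only updates that are
# superseded AND already replaced by an approved, non-declined successor. Everything else
# stays Not Approved. Run with -WhatIf first to get the report without changing anything.
# Assumes: run locally on the WSUS server, default port 8530 (change via -PortNumber).
[CmdletBinding(SupportsShouldProcess = $true)]
param(
    [int]$PortNumber = 8530,                                   # assumption: default WSUS HTTP port
    [switch]$UseSsl,
    [string]$ReportPath = "$env:TEMP\wsus-decline-report.csv"  # assumption: any writable path
)

[void][Reflection.Assembly]::LoadWithPartialName('Microsoft.UpdateServices.Administration')
$wsus = [Microsoft.UpdateServices.Administration.AdminProxy]::GetUpdateServer(
    'localhost', $UseSsl.IsPresent, $PortNumber)

# Scope: updates that are not approved for any group. Declined updates are excluded by the
# IsDeclined check below; approved updates are never touched by this script.
$scope = New-Object Microsoft.UpdateServices.Administration.UpdateScope
$scope.ApprovedStates = [Microsoft.UpdateServices.Administration.ApprovedStates]::NotApproved

# Note what is deliberately NOT a filter here: the Needed Count. A count of 0 only means no
# currently reporting machine needs the update today; a rebuilt machine would need it tomorrow.
$candidates = $wsus.GetUpdates($scope) | Where-Object { $_.IsSuperseded -and -not $_.IsDeclined }

$report = foreach ($u in $candidates) {
    # A superseded update is only safe to drop if at least one update that supersedes it is
    # actually being deployed (approved, not declined). Otherwise a fresh install would be
    # left without any version of the fix, so we keep the update as Not Approved.
    $approvedSuccessors = $u.GetRelatedUpdates(
        [Microsoft.UpdateServices.Administration.UpdateRelationship]::UpdatesThatSupersedeThisUpdate
    ) | Where-Object { $_.IsApproved -and -not $_.IsDeclined }

    $action = if ($approvedSuccessors) { 'Decline' } else { 'Keep-NotApproved' }

    if ($action -eq 'Decline' -and
        $PSCmdlet.ShouldProcess($u.Title, 'Decline superseded update with approved successor')) {
        $u.Decline()
    }

    [pscustomobject]@{
        UpdateId   = $u.Id.UpdateId
        KB         = ($u.KnowledgebaseArticles -join ';')
        Title      = $u.Title
        Action     = $action
        ReplacedBy = (($approvedSuccessors | ForEach-Object { $_.Title }) -join ' | ')
    }
}

# Keep an audit trail of every decision, then summarise.
$report | Export-Csv -Path $ReportPath -NoTypeInformation
$report | Group-Object Action | Select-Object Name, Count
```

Run it once as `.\Decline-SupersededSafely.ps1 -WhatIf` (any file name works) and read the CSV: every row marked `Keep-NotApproved` is a superseded update whose replacement has not been approved yet, which is exactly the case where declining would leave a rebuilt machine, like the XP example above, with no applicable fix at all. Only after the replacements are approved does a second run decline the old revisions.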

All replies

  • Hi Sir,

    >>What happens if we do end up with that software (we run 2013 right now) in the future on our machines

    Based on my test, if you remove that product, then the related updates will also be removed.

    The decline behavior targets the WSUS server; it is similar to blocking the source file from being downloaded by the Windows Update client.

    >>Also, the .NET security and critical updates do not install new versions of .NET.....correct?

    Yes, the "upgrade" version belongs to the classification "Feature Pack":

    https://www.catalog.update.microsoft.com/Search.aspx?q=KB3186497

    In addition, regarding the WSUS upgrade, please check the following article (you can also temporarily block the installation):

    Enterprises that have a specific need to block offering .NET Framework 4.7 on computers that directly connect to Microsoft Update servers can do so by deploying the blocker registry key described in the following Microsoft Knowledge Base article:
    KB4024204: How to temporarily block the installation of the .NET Framework 4.7 and its corresponding language packs

    https://blogs.technet.microsoft.com/wsus/2017/06/12/microsoft-net-framework-4-7-coming-to-wsus/

    Hope it is useful to you.

    Best Regards,

    Elton


    Please remember to mark the replies as answers if they help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.

    Friday, October 20, 2017 5:53 AM
  • Adam,

    Thank you for the detail, your time is much appreciated! Regarding this question - "Are you declining to 'clear up' a view for updates?" I must confess that the answer is yes. I will no longer do this.

    Jason

    Monday, October 23, 2017 3:10 PM