Two WSUS servers - declined the same updates...

  • Question

  • I have two WSUS servers. For the purposes of this question, let us define them as:
    Server A - with access to the internet, without any clients connected, only as a source, being backup for server B
    Server B - in a closed network, without internet access, with connected clients.
    Both WSUS servers are based on W2k16. Once a month on server A, I download patches and, using Windows Server Backup, I back up WSUSContent and use wsusutil.exe to export xml.gz and log. Then everything is imported on server B and approved for installation on clients.
    And now, I would like to clean the base and Content on server A - decline updates unneeded by any computers because there are a lot of them ...

    But for it to make sense (not transfer the removed updates every month), I should decline and delete these updates also on the source server A. There is only a problem because on server A I don't have the unneeded parameter (zero computers connected, this is only a source-backup server). Is there any way (e.g. PowerShell) to export the list of declined updates on server A, then import it on server B and do the same? In short, what method should I use to remove the same patches on Server A as those removed on server B?

    Thursday, August 29, 2019 4:02 PM

All replies

  • Hi,

    I saw the following description of the Migration Command-line Tool in an article:

    • Although you can use incremental backups to move update files onto the import server, you cannot move update metadata piecemeal. WSUSutil.exe exports all the metadata in the WSUS database during the export operation. [Quoted from: "Set Up a Disconnected Network (Import and Export Updates)"]

    So it seems that WSUSUtil.exe can't reach your goal. But I have not found any other suitable method at present, so I am sorry.
    Please be patient and wait for suggestions from other experts.



    Friday, August 30, 2019 5:30 AM
  • You should really be looking at this in a different way. Maintenance has to be done on BOTH systems, not just 1 system. Also, declining updates that are not needed by your clients is not the way to manage WSUS. All that does is cause the potential for new systems to miss updates. You should only be declining a select few types of updates, like Superseded, Beta, Expired, etc. On your disconnected system you should only be approving those updates that are NEEDED by your systems.

    See Part 8 of my blog series regarding maintenance - https://www.ajtek.ca/wsus/how-to-setup-manage-and-maintain-wsus-part-8-wsus-server-maintenance/

    See part 6 of my blog series regarding the approvals processes. I invite you to read the full series and other guides on my site.

    Adam Marshall, MCSE: Security
    Microsoft MVP - Windows and Devices for IT

    Saturday, September 7, 2019 4:08 AM
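
The list of declined updates asked about in the question can be carried between two WSUS servers through the WSUS administration API. This is an added example, not part of any reply in this thread. The function names and the CSV path are hypothetical, and it assumes the UpdateServices PowerShell module on both servers and an elevated session run locally on each.

```powershell
# Added example: replay one WSUS server's declined updates on another server.
# Function names and file paths are hypothetical.

function Export-DeclinedUpdateId {
    param([Parameter(Mandatory)][string]$Path)
    $wsus = Get-WsusServer                      # local WSUS server
    $wsus.GetUpdates() |
        Where-Object { $_.IsDeclined } |
        Select-Object @{ n = 'UpdateId'; e = { $_.Id.UpdateId } }, Title |
        Export-Csv -Path $Path -NoTypeInformation -Encoding UTF8
}

function Import-DeclinedUpdateId {
    [CmdletBinding(SupportsShouldProcess)]
    param([Parameter(Mandatory)][string]$Path)
    $wsus = Get-WsusServer
    $declined = 0; $already = 0; $notFound = 0
    foreach ($row in Import-Csv -Path $Path) {
        # Look the update up by GUID (latest revision known to this server)
        $rev = New-Object Microsoft.UpdateServices.Administration.UpdateRevisionId `
                   -ArgumentList ([guid]$row.UpdateId)
        try {
            $update = $wsus.GetUpdate($rev)
        } catch {
            # Metadata for this update is not in this server's database
            $notFound++
            continue
        }
        if ($update.IsDeclined) { $already++; continue }
        if ($PSCmdlet.ShouldProcess($update.Title, 'Decline')) {
            $update.Decline()
            $declined++
        }
    }
    [pscustomobject]@{ Declined = $declined; AlreadyDeclined = $already; NotFound = $notFound }
}

# On the server where the declines were made:
#   Export-DeclinedUpdateId -Path C:\Temp\declined-updates.csv
# On the other server, preview first, then apply:
#   Import-DeclinedUpdateId -Path C:\Temp\declined-updates.csv -WhatIf
#   Import-DeclinedUpdateId -Path C:\Temp\declined-updates.csv
```

The `NotFound` count shows how far the two databases have drifted apart; the script only changes approval state and leaves content cleanup to each server's own maintenance run.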