locked
WSUS Syncronizing Declined Updates - sometimes RRS feed

  • Question

  • I have a master WSUS 3.0 SP2 (3.2.7600.256) Server set to "Store update files locally on this server" and a check next to "Download update files to this server only when updates are approved". The server currently has 51 Unapproved Updates, 6181 Approved Updates, 3032 Declined Updates, 11027 Computer, and 6 Computer Group. The server also has 10 downstream servers all with the same settings and same numbers of updates. The servers are all tied to SCCM 2012 R2 and working perfectly in that regard. The main WSUS server uses a remote SQL cluster for its DB, while the downstream servers use Windows Internal DB. All f the servers in question are running Windows 2008 R2 Server.

    On the downstream servers I have nightly maintenance scripts that Kick off SCW, re-index local DB, and Delete Declined updates. On the master WSUS server the scripts only run the SCW and the DB is setup to preform a nightly re-index at the SQL level, but I do not delete declined updates from the master WSUS server.

    The problem I seem to be having is that about once every 2 weeks the downstream servers synchronize ALL of the declined updates again and the scripts will then be needed to clean them back up. I am wondering what is happening that could possibly be forcing the servers to re-download updates that are declined even though I have them configured to ignore this category entirely?


    Portland Public Schools / Systems Administrator II


    • Edited by Adam Seitz Thursday, September 25, 2014 5:26 PM
    Thursday, September 25, 2014 5:19 PM

All replies


  • Hi Adam,

    Are the downstream servers in replica mode? A WSUS server running in replica mode inherits the update approvals and computer groups created on its parent WSUS administration server.

    Besides, could you post the SoftwareDistribution.log and Change.log here? It may give some hints.

    Best Regards.



    Steven Lee

    TechNet Community Support

    Friday, September 26, 2014 10:04 AM
  • The server currently has 51 Unapproved Updates, 6181 Approved Updates

    The servers are all tied to SCCM 2012 R2

    Why? Why? Why?

    Why are updates associated with a Configuration Manager Software Update Point **APPROVED**??

    Never mind the fact that there are over six thousand of them!!!!

    The problem I seem to be having is that about once every 2 weeks the downstream servers synchronize ALL of the declined updates again and the scripts will then be needed to clean them back up.

    Actually, the real fact is that you're not actually declining anything with your nightly SCW run, because they're all APPROVED!

    Fundamentally there are two defects here:

    • Configuration Manager does not use approvals. There is **NO** legitimate reason to approve updates on a Software Update Point.
    • The Server Cleanup Wizard does not touch Approved Updates. Period. Never.


    Lawrence Garvin, M.S., MCSA, MCITP:EA, MCDBA
    SolarWinds Head Geek
    Microsoft MVP - Software Packaging, Deployment & Servicing (2005-2014)
    My MVP Profile: http://mvp.microsoft.com/en-us/mvp/Lawrence%20R%20Garvin-32101
    http://www.solarwinds.com/gotmicrosoft
    The views expressed on this post are mine and do not necessarily reflect the views of SolarWinds.

    Sunday, October 5, 2014 6:25 AM

  • Hi Adam,

    Are the downstream servers in replica mode? A WSUS server running in replica mode inherits the update approvals and computer groups created on its parent WSUS administration server.

    Besides, could you post the SoftwareDistribution.log and Change.log here? It may give some hints.

    Best Regards.



    Steven Lee

    TechNet Community Support

    I was caught up in fighting some issues last week and had no time to work on this. I am waiting at this point for the issue to replicate and will grab the logs if it happens again. Yes, they are in replica mode.

    Portland Public Schools / Systems Administrator II


    • Edited by Adam Seitz Monday, October 6, 2014 4:57 PM
    Monday, October 6, 2014 3:30 PM
  • The server currently has 51 Unapproved Updates, 6181 Approved Updates

    The servers are all tied to SCCM 2012 R2

    Why? Why? Why?

    Why are updates associated with a Configuration Manager Software Update Point **APPROVED**??

    Never mind the fact that there are over six thousand of them!!!!

    The problem I seem to be having is that about once every 2 weeks the downstream servers synchronize ALL of the declined updates again and the scripts will then be needed to clean them back up.

    Actually, the real fact is that you're not actually declining anything with your nightly SCW run, because they're all APPROVED!

    Fundamentally there are two defects here:

    • Configuration Manager does not use approvals. There is **NO** legitimate reason to approve updates on a Software Update Point.
    • The Server Cleanup Wizard does not touch Approved Updates. Period. Never.


    Lawrence Garvin, M.S., MCSA, MCITP:EA, MCDBA
    SolarWinds Head Geek
    Microsoft MVP - Software Packaging, Deployment & Servicing (2005-2014)
    My MVP Profile: http://mvp.microsoft.com/en-us/mvp/Lawrence%20R%20Garvin-32101
    http://www.solarwinds.com/gotmicrosoft
    The views expressed on this post are mine and do not necessarily reflect the views of SolarWinds.

    Did I offend you at some point? If so I apologize sincerely. 

    I have spent the last week learning about WSUS workflow and I have learned a lot that I didn't know before. Maybe if you replied back with some of this to other people instead of yelling at them it would be more helpful.

    1. In All Updates view add "supersedence " to the view and apply to all views.

    2. There are 4 supersedences

     * No supersedence - valid update, do not decline.

     * Blue Box in top of icon - Supersedes an old update, do not decline.

     * Blue Box in middle - Update is part of a supersedence chain - decline.

     * Blue box at bottom right - Update is superseded - decline.

    3. Go through your declined updates and verify that you have no valid updates contained in there, if so approve them and set them to "Not Approved", so clients can begin to check in and evaluate whether that update is needed or not. You can see the effect of "not Approved" by looking at your "Unapproved" updates and seeing your previously declined updates in this category.

    4. With those cleaned up, clean up your approvals. Click on the server name itself in the admin console and you will see a summary view of all your updates. Locate and click on "Updates needed by computers".

    5. This takes you to the "All Updates" with the filter "Any except declined" and Status "Needed". Approve all of these patches, these have been determined to be needed for installation (obviously don't approve patches you do not want in production).

    6. Now you need to clean up your approvals and move the unneeded updates to "unapproved". Do this by setting the All Updates Approval filter to: "Approved" and the status filter to: "Any". Add the "Needed Count" if it is not already there and add that all views as well. Sort your updates by Needed Count. You will look at each update and determine if is needed by any computers, if the needed count is 0 then unapprove that update (do not decline it).

    That should help you sort things out, my numbers are now at:

    * 5239 Unapproved Updates

    * 1015 Approved Updates

    * 3011 Declined Updates

    * 11280 Computers

    * 6 Computer groups

    7. Run the Server Cleanup wizard often, I run mine nightly on all my servers by scheduled task.

    Lawrence you said: 

    Fundamentally there are two defects here:

    • Configuration Manager does not use approvals. There is **NO** legitimate reason to approve updates on a Software Update Point.
    • The Server Cleanup Wizard does not touch Approved Updates. Period. Never.

    I never said that my SCCM server is doing approvals, it is not, it just handles the products and classifications my WSUS server auto-approves items - I  can give you more information on that if you need.

    The reason I have about 6000 updates I am dealing with is because we have an environment consisting of: Windows XP (32 Bit), Windows 7 (32 & 64), Windows 8.1 (32 and 64), Windows 2003 Server, Windows 2008 R2 Server, Windows 2012 Server, Windows 2012 R2 Server, Office 2010 (32 Bit), Office 2013 (32/64), Lync Clint 2010,  SCCM, SCOM, SCSM, SCVMM, WSUS, Report Viewer 2005-2010, Visual Studio 2010-2013, Forefront Client Security, Forefront Endpoint Protection 2010, Forefront Protection Category, Security Essentials, Dictionary updates for office 2010-2013, Capicom, Silverlight, SQL Server 2012, SQL Server 2014, SQL Server 2005, SQL Server 2008, SQL Server 2008 R2, SQL Server 2012 Product Updates for Setup, and SQL Server Feature Pack.

    We have a large and active development team and a ton of SQL in our enterprise. We are actively cleaning up up and combining older servers into newer 2012 R2 servers. We are migrating our VS2010 and VS2012 TFS to a consolodated VS2013 TFS build environment.

    Thanks!


    Portland Public Schools / Systems Administrator II






    • Edited by Adam Seitz Monday, October 6, 2014 5:35 PM
    Monday, October 6, 2014 4:03 PM
  • I have spent the last week learning about WSUS workflow and I have learned a lot that I didn't know before. Maybe if you replied back with some of this to other people instead of yelling at them it would be more helpful.

    Nobody is yelling. But this basic fundamental about how Configuration Manager works is only seven years old, so I'm not sure where to go with that.

    If you want to tell me that you *inherited* this environment from somebody else, then I'll be happy to cut you some slack. Otherwise, my questions are dead serious: WHY would you approve updates on a Configuration Manager Software Update Point -AND- your Server Cleanup Wizard task is falling flat on its face because of those approvals.

    I never said that my SCCM server is doing approvals, it is not, my WSUS server auto-approves items

    WHY? Turn off the Automatic Approval rule and REMOVE all remaining 1,015 approvals.


    Lawrence Garvin, M.S., MCSA, MCITP:EA, MCDBA
    SolarWinds Head Geek
    Microsoft MVP - Software Packaging, Deployment & Servicing (2005-2014)
    My MVP Profile: http://mvp.microsoft.com/en-us/mvp/Lawrence%20R%20Garvin-32101
    http://www.solarwinds.com/gotmicrosoft
    The views expressed on this post are mine and do not necessarily reflect the views of SolarWinds.

    Tuesday, October 7, 2014 1:23 AM
  • I have spent the last week learning about WSUS workflow and I have learned a lot that I didn't know before. Maybe if you replied back with some of this to other people instead of yelling at them it would be more helpful.

    Nobody is yelling. But this basic fundamental about how Configuration Manager works is only seven years old, so I'm not sure where to go with that.

    If you want to tell me that you *inherited* this environment from somebody else, then I'll be happy to cut you some slack. Otherwise, my questions are dead serious: WHY would you approve updates on a Configuration Manager Software Update Point -AND- your Server Cleanup Wizard task is falling flat on its face because of those approvals.

    I never said that my SCCM server is doing approvals, it is not, my WSUS server auto-approves items

    WHY? Turn off the Automatic Approval rule and REMOVE all remaining 1,015 approvals.


    Lawrence Garvin, M.S., MCSA, MCITP:EA, MCDBA
    SolarWinds Head Geek
    Microsoft MVP - Software Packaging, Deployment & Servicing (2005-2014)
    My MVP Profile: http://mvp.microsoft.com/en-us/mvp/Lawrence%20R%20Garvin-32101
    http://www.solarwinds.com/gotmicrosoft
    The views expressed on this post are mine and do not necessarily reflect the views of SolarWinds.

    Your comment of " WHY would you approve updates on a Configuration Manager Software Update Point -AND- your Server Cleanup Wizard task is falling flat on its face because of those approvals." is wrong, my server is stable. The only issue we have is that sometimes it re-syncronizes declined updates, but this has actually not even happened for about 3 weeks, so it seems to in the past at this point anyway. But even when it happened the sync was successful it just took an hour to get past the last 1%.


    I have been the SCCM admin here since 2008, the only thing I inherited was WSUS about a year ago. There is nothing that logs any errors in our SCCM configuration, every log and system is monitored with SCOM and (believe it or not) the management packs are properly configured.

    We are stable, we have 1 bug that comes up sometimes, that is not "Flat on its face".

    When I designed and then migrated our old SCCM 2007 system to 2012 R2 I cut out a bunch of poor design decisions. I read the documentation thoroughly, the process took about half a year because I did a ton of testing and monitoring. I never ever read anything that told me that I can not run in the configuration that I am in now.

    Would you please show me some links to the documentation of the mis-configuration of the WSUS/SCCM configuration so that I might take it under advisement on our next re-architecture of the product(s)?


    Portland Public Schools / Systems Administrator II





    • Edited by Adam Seitz Tuesday, October 7, 2014 5:52 PM
    Tuesday, October 7, 2014 4:37 PM
  • Your comment of " WHY would you approve updates on a Configuration Manager Software Update Point -AND- your Server Cleanup Wizard task is falling flat on its face because of those approvals." is wrong, my server is stable.

    Okay. Obviously I cannot help you.

    My suggestion is that you take this conversation over to the Configuration Manager forums and let them explain to you how to properly implement a WSUS server as a Software Update Point.


    Lawrence Garvin, M.S., MCSA, MCITP:EA, MCDBA
    SolarWinds Head Geek
    Microsoft MVP - Software Packaging, Deployment & Servicing (2005-2014)
    My MVP Profile: http://mvp.microsoft.com/en-us/mvp/Lawrence%20R%20Garvin-32101
    http://www.solarwinds.com/gotmicrosoft
    The views expressed on this post are mine and do not necessarily reflect the views of SolarWinds.

    Wednesday, October 8, 2014 2:05 AM