Approving monthly roll-ups to client computers

  • Question

  • I have two questions regarding WSUS installed on Windows Server 2012.

    1- For the Microsoft monthly rollup, while approving the newest rollup, may I disapprove the older versions? For example, a computer joined to WSUS will get all the rollups; to avoid traffic, why not disapprove the preceding rollups, as the new rollup contains the fixes from the previous ones?

    2- Computers (mostly Windows 10) are not showing up in WSUS but are present in Active Directory; other OS versions show up just after joining the domain.

    Wednesday, October 11, 2017 9:36 PM

All replies

  • Hello,

    As far as I know, we do not need to decline older version roll-ups; when a computer joins WSUS, it should install the newest one.

    If computers are not showing up in WSUS after joining the domain, I suggest you log on to those computers and check the registry key in the path below:


    Make sure the WUServer key has the correct value set, pointing to your WSUS server.

    If the above key has no value or an incorrect value, please check the Group Policy settings configured for Windows Update on those computers.



    Please remember to mark the replies as answers if they help. If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.

    • Proposed as answer by Yan Li_ Tuesday, October 24, 2017 7:46 AM
    Thursday, October 12, 2017 2:03 AM
  • First question - yes, any superseded updates you can decline, in fact my script does it all for you so you don't have to worry about it. (see the bottom of this post)

    As for the 2nd question, there are 2 things to look at. 1 is if the GPO is being applied (do a gpresult /h gpo.html from a cmd prompt on the client) and 2, are these computers cloned? If so, they may have been improperly prepared and have connected to WSUS before the sysprep. Run the following in an administrative command prompt on each affected client.

    net stop bits
    net stop wuauserv
    reg delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate" /v AccountDomainSid /f
    reg delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate" /v PingID /f
    reg delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate" /v SusClientId /f
    reg delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate" /v SusClientIDValidation /f
    rd /s /q "C:\WINDOWS\SoftwareDistribution"
    net start bits
    net start wuauserv
    wuauclt /resetauthorization /detectnow

    As mentioned above for #1,

    Have a peek at my Adamj Clean-WSUS script. It is the last WSUS Script you will ever need!


    What it does:

    1. Add WSUS Index Optimization to the database to increase the speed of many database operations in WSUS by approximately 1000-1500 times.
    2. Remove all Drivers from the WSUS Database (Default; Optional).
    3. Shrink your WSUSContent folder's size by declining multiple types of updates including by default any superseded updates, preview updates, expired updates, Itanium updates, and beta updates. Optional extras: Language Packs, IE7, IE8, IE9, IE10, Embedded, NonEnglishUpdates, ComputerUpdates32bit, WinXP.
    4. Remove declined updates from the WSUS Database.
    5. Clean out all the synchronization logs that have built up over time (configurable, with the default keeping the last 14 days of logs).
    6. Compress Update Revisions.
    7. Remove Obsolete Updates.
    8. Computer Object Cleanup (configurable, with the default of deleting computer objects that have not synced within 30 days).
    9. Application Pool Memory Configuration to display the current private memory limit and easily set it to any configurable amount including 0 for unlimited. This is a manual execution only.
    10. Checks to see if you have a dirty database, and if you do, fixes it. This is primarily for Server 2012 WSUS, and is a manual execution only.
    11. Run the Recommended SQL database Maintenance script on the actual SQL database.
    12. Run the Server Cleanup Wizard.

    It will email the report out to you or save it to a file, or both.

    Although the script is lengthy, it has been made to be super easy to set up and use, so don't overthink it. There are some prerequisites and instructions at the top of the script. After installing the prerequisites and configuring the variables for your environment (email settings only if you are accepting all the defaults), simply run:

    .\Clean-WSUS.ps1 -FirstRun

    If you wish to view or increase the Application Pool Memory Configuration, or run the Dirty Database Check, you must run it with the required switch. See Get-Help .\Clean-WSUS.ps1 -Examples

    If you're having trouble, there's also a -HelpMe option that will create a log so you can send it to me for support.

    Adam Marshall, MCSE: Security

    Saturday, October 14, 2017 4:18 AM
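
Added example, not part of the original thread or of the Clean-WSUS script: machines cloned from an image that had already contacted WSUS keep the same SusClientId, so WSUS records them as a single computer. This PowerShell sketch reads that value from the registry key the reset commands above operate on and reports IDs shared by more than one client. The computer names and the function name Get-SusClientIdReport are constructed placeholders, and it assumes PowerShell remoting (WinRM) and administrative rights on the targets.

```powershell
# Constructed placeholder names; replace with the clients missing from the WSUS console.
$Computers = 'PC-EXAMPLE-01', 'PC-EXAMPLE-02', 'PC-EXAMPLE-03'

# Same key that the "reg delete" commands in the reply above clean up.
$KeyPath = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate'

function Get-SusClientIdReport {
    param([string[]]$ComputerName, [string]$Path)

    foreach ($name in $ComputerName) {
        try {
            # Read the WSUS client identity on the remote machine.
            Invoke-Command -ComputerName $name -ErrorAction Stop -ArgumentList $Path -ScriptBlock {
                param($RegPath)
                $wu = Get-ItemProperty -Path $RegPath -ErrorAction Stop
                [pscustomobject]@{
                    Computer    = $env:COMPUTERNAME
                    SusClientId = $wu.SusClientId   # $null if the value does not exist yet
                    Error       = $null
                }
            } | Select-Object Computer, SusClientId, Error
        }
        catch {
            # Unreachable host or unreadable key: keep the row so nothing is silently skipped.
            [pscustomobject]@{ Computer = $name; SusClientId = $null; Error = $_.Exception.Message }
        }
    }
}

$report = @(Get-SusClientIdReport -ComputerName $Computers -Path $KeyPath)

# Clients that could not be read or have not generated an ID yet.
$report | Where-Object { -not $_.SusClientId } | ForEach-Object {
    'No SusClientId for {0}: {1}' -f $_.Computer, $_.Error
}

# IDs reported by more than one machine: these are the cloned clients to reset.
$report | Where-Object { $_.SusClientId } |
    Group-Object -Property SusClientId |
    Where-Object { $_.Count -gt 1 } |
    ForEach-Object {
        'SusClientId {0} is shared by: {1}' -f $_.Name, ($_.Group.Computer -join ', ')
    }
```

Any machine listed under a shared SusClientId is a candidate for the reset commands in the reply above.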