Can I Decline very old WSUS updates?

  • Question

  • Hi,

    I have WSUS 3.2. I have run the Server Cleanup Wizard successfully with all options checked. When I click on All Updates and filter on "Any Except Decline" I am very surprised to still see updates for 2014, 2015, 2016....

    QUESTION: Since I have individually updated each and every client machine on my network (over the internet, not WSUS), can I safely go ahead and decline all updates for these years?

    Monday, December 4, 2017 12:40 PM

All replies

  • Hi,

    Refer to this blog post on how to decline superseded updates.

    From the Blog:

    Now there are 4 options:

    • No icon: update doesn’t supersede another one nor is it superseded by an update
    • Blue square on these updates you do not want to clean…!!
    • Blue square in the middle: this update has been superseded by another update, and superseded another update as well, this is an example of an update you may want to clean (decline)
    • Blue square in the right below corner: this update has been superseded by another update, this is an example of an update you may want to clean (decline)



    Regards

    Daniel

    Note: Posts are provided “AS IS” without warranty of any kind, either expressed or implied, including but not limited to the implied warranties of merchantability and/or fitness for a particular purpose.

    Monday, December 4, 2017 1:33 PM
  • Hi Daniel - thanks for your reply. I thought of this initially but... it didn't make sense to me:-

    Q1) why would I want to keep ANY update older than before the Friday where I manually updated each of my clients? Why can't I just get rid of them all?

    Q2) If I decline EVERY SINGLE UPDATE in WSUS (even the approved ones), would it make any difference at all as all my client machines, I know, are up to date as I manually updated them on Friday???


    • Edited by Michelle99 Monday, December 4, 2017 1:40 PM
    Monday, December 4, 2017 1:40 PM
  • Hi,

    Q1: maybe you add new devices at some point (such as Windows 7/8.1) to your network which might need updates from way back in 2015. Or you need to reinstall the OS at some point for whatever reason. In this scenario you would need to approve them again which is time-consuming.

    Q2: Well, no, it wouldn't affect your machines (WSUS will not uninstall the update when declining it. It will stop pushing the update out.), however it would be counterproductive for the same reason as described above.



    Regards

    Daniel


    Monday, December 4, 2017 2:09 PM
  • Great, thank you Daniel. For all new machines (or re-installations) -- which is about 1 machine every 2 years - we always run Windows Update anyhow before connecting it to the network, but I see what you are saying.

    Last question - I have a whole lot of declined updates for products I will never use again. I'd like to get rid of them totally, so that they don't even appear in my DECLINED list. Is it possible to do this?

    Monday, December 4, 2017 2:18 PM
  • I'm afraid that there is no official way to completely remove no longer needed products.

    Unchecking "Windows XP" in Products, for example, will prevent new XP updates from being synchronized; already synced updates will still show up in the views, however.

    To work around this you might want to create a new update view where you exclude the products you no longer need or alternatively only select the products you are interested in.

    The only other official way that comes to my mind is to reinstall WSUS.


    Regards

    Daniel


    • Proposed as answer by Elton_Ji Wednesday, January 10, 2018 3:45 PM
    Monday, December 4, 2017 2:50 PM
  • Hi,

    In addition, if you want to remove declined old updates thoroughly, please try the following PowerShell commands:

    # Load the WSUS administration assembly before referencing its types
    [reflection.assembly]::LoadWithPartialName("Microsoft.UpdateServices.Administration") | Out-Null
    $wsus = [Microsoft.UpdateServices.Administration.AdminProxy]::GetUpdateServer()
    # Delete every declined update from the WSUS database and report each title
    $wsus.GetUpdates() | Where-Object { $_.IsDeclined } | ForEach-Object { $wsus.DeleteUpdate($_.Id.UpdateId); Write-Host $_.Title removed }
     

    Best Regards,

    Elton


    Please remember to mark the replies as answers if they help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.

    • Proposed as answer by Elton_Ji Wednesday, January 10, 2018 3:45 PM
    Tuesday, December 5, 2017 4:51 AM
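
A more cautious form of the bulk delete above, as an added example that is not part of Elton's post or of any script referenced in this thread: it limits deletion to declined updates for named products older than a cutoff, and supports -WhatIf so the list can be reviewed before anything is removed. The function name and its parameters are hypothetical, and it assumes it is run on the WSUS server itself.

```powershell
# Added example; Remove-DeclinedWsusUpdate and its parameters are hypothetical names.
function Remove-DeclinedWsusUpdate {
    [CmdletBinding(SupportsShouldProcess = $true, ConfirmImpact = 'High')]
    param(
        # Only declined updates belonging to one of these product titles are considered
        [Parameter(Mandatory = $true)][string[]]$Product,
        # Only updates released before this date are considered
        [datetime]$Before = (Get-Date).AddYears(-2)
    )

    # Load the administration assembly first, then connect to the local WSUS server
    [reflection.assembly]::LoadWithPartialName("Microsoft.UpdateServices.Administration") | Out-Null
    $wsus = [Microsoft.UpdateServices.Administration.AdminProxy]::GetUpdateServer()

    # Declined AND old AND tagged with at least one of the requested products
    $candidates = $wsus.GetUpdates() | Where-Object {
        $u = $_
        $u.IsDeclined -and
        $u.CreationDate -lt $Before -and
        @($u.ProductTitles | Where-Object { $Product -contains $_ }).Count -gt 0
    }

    foreach ($u in $candidates) {
        $deleted = $false
        # With -WhatIf this only prints the action; otherwise it prompts per update
        if ($PSCmdlet.ShouldProcess($u.Title, 'Delete from WSUS database')) {
            $wsus.DeleteUpdate($u.Id.UpdateId)
            $deleted = $true
        }
        # One record per candidate so the run can be reviewed or exported
        New-Object PSObject -Property @{
            Title    = $u.Title
            Released = $u.CreationDate
            Products = ($u.ProductTitles -join ', ')
            Deleted  = $deleted
        }
    }
}

# Preview only: lists what would be deleted and changes nothing
Remove-DeclinedWsusUpdate -Product 'Windows XP' -WhatIf | Format-Table -AutoSize
```

Piping the preview to Export-Csv before the real run leaves a record of exactly which updates were removed.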
  • Alternatively, use my script (as mentioned in the Spiceworks Forum). You really don't have to think about it after that. The script auto-declines all superseded updates every month, and every quarter it runs the equivalent of what Elton mentions above to remove the declined updates from the WSUS Database.

    Also, as mentioned in the Spiceworks forum, if you uncheck the product, sync with MS, and then run the server cleanup wizard (SCW) (or wait for the next day when my script does it), it will remove the expired products.


    Adam Marshall, MCSE: Security
    http://www.adamj.org
    Microsoft MVP - Windows and Devices for IT

    • Proposed as answer by Elton_Ji Wednesday, January 10, 2018 3:44 PM
    Wednesday, December 6, 2017 3:18 AM