none
WSUS Approval status replication RRS feed

  • Question

  • Greetings,

    We have an upstream server which is a standalone WSUS server. There is a downstream server which is our SUP server in SCCM. I noticed that the upstream server had one update in the 'Not approved' state but the downstream WSUS server had the same update as approved and deployed in our ADR. I though approval status was replicated? How can I make sure that the downstream server only deploys updates that have been approved by the upstream server?

    Thanks

    David Z


    Tuesday, September 10, 2019 12:29 AM

Answers

  • What's in your software update groups, whether put their manually or using and ADR has nothing to do with what's approved directly in WSUS. ConfigMgr does not approve updates in WSUS nor does it care about or use the approval status of updates in WSUS.

    Note that updates declined in WSUS though will be expired in ConfigMgr.


    Jason | https://home.configmgrftw.com | @jasonsandys

    • Marked as answer by David Zemdegs Tuesday, September 10, 2019 4:38 AM
    Tuesday, September 10, 2019 2:55 AM

All replies

  • What's in your software update groups, whether put their manually or using and ADR has nothing to do with what's approved directly in WSUS. ConfigMgr does not approve updates in WSUS nor does it care about or use the approval status of updates in WSUS.

    Note that updates declined in WSUS though will be expired in ConfigMgr.


    Jason | https://home.configmgrftw.com | @jasonsandys

    • Marked as answer by David Zemdegs Tuesday, September 10, 2019 4:38 AM
    Tuesday, September 10, 2019 2:55 AM
  • Hi David,

    >> I though approval status was replicated? 
    Please kindly check if downstream wsus server is in replica mode or autonomous mode. Only the replica mode WSUS server will share the update status.

    >>but the downstream WSUS server had the same update as approved and deployed in our ADR.

    As Jason mentioned, ConfigMgr does not approve updates in WSUS. Please verify if you have enabled automatic approval rule in WSUS. Also, we can view change.log for more details about WSUS server database that has changed.


    >> How can I make sure that the downstream server only deploys updates that have been approved by the upstream server?

    Based on your scenario, the SUP wsus server synchronizes updates from upstream WSUS server, and then deploy the updates using SCCM. Therefore, we don’t need to approve any updates in the WSUS server. Upstream server is only used as a synchronization source. Again, SCCM will not change the update status in WSUS to approved.

    Hope above information helps.

    Best Regards,
    Tina


    Please remember to mark the replies as answers if they help. If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.

    Tuesday, September 10, 2019 3:33 AM
  • Actually the question is, if my WSUS SUP server has an update with a status of 'Not approved' will SCCM just ignore that if an ADR rule finds it and adds it to the SUG?

    Thanks

    David Z

    Tuesday, September 10, 2019 4:47 AM
  • Yes. Status of 'Not approved' has no impact to SCCM. Actually, the updates in the SUP WSUS server should be in 'Not approved' status, and you can use SCCM to deploy the updates normally.

    Best Regards,
    Tina


    Please remember to mark the replies as answers if they help. If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.

    Tuesday, September 10, 2019 6:36 AM