How should I manage the superseded updates in WSUS?

After the synchronization, I noticed a great number of updates that got
downloaded are already superseded by other updates. How do I deal with
them? Does WSUS give me an option to completely remove those, and make
my list cleaner?

If not, then what's the best policy regarding to approval? Should I use
"Approve for Detection", or "Decline Updates"?

Just don't approve them for installation.

By default WSUS only downloads content that is approved for installation.

If you want to "permanently remove them from the list because you believe
you will /never/ need them, you can mark them as "Declined". "Declined"
updates are not displayed in the default listings (though you can select an
option to show you Declined listings if you need to at some future time).


"achen" <> wrote in message
news: oups.com...
> After the synchronization, I noticed a great number of updates that got
> downloaded are already superseded by other updates. How do I deal with
> them? Does WSUS give me an option to completely remove those, and make
> my list cleaner?
>
> If not, then what's the best policy regarding to approval? Should I use
> "Approve for Detection", or "Decline Updates"?
>

Thanks for replying, could you please tell me how should I deal with an
update which is superseding an older update, when itself is superseded
again by a newer update?

For example if we had security_update_BB superseding
security_update_AA, the approval status were "Install" for BB and
"Delicne" for AA.

When a newer update security_update_CC comes out which superseding BB,
upon approval of CC, does it automatically remove BB from the approval
list? If not, is it a right thing to do to manually decline both AA
and BB, just because there is no reason of installing them anymore,
after CC is available for install?

I hope I have made my question clear.

Generally speaking, you don't need to do anything with "superceded" updates.
The WUA will ignore superceded updates if they're approved for installation.

However, there are issues with the WUA and the detection logic affecting
Cumulative Updates for IE and OE, and the WUA does not ignore these. So,
Cumulative Updates for IE and OE should be explicitly marked "Not Approved"
or "Detect Only" when they are superceded.

Addressing your specific example, when security update C comes out, the WUA
will see that it is available for install and install it. If a system does
not have security update B or A installed, it will simply ignore them. The
WUA does all of the work, so there's no "automatic declination" of
superceded updates -- that's the responsibility of the WSUS Administrator --
but, as noted, except for Cumulative Updates, there's no need to take any
action on superceded updates at all.

If you're absolutely positive that you will /never/ need the superceded
updates, it would be appropriate to mark them as "Not Approved". I would not
suggest marking anything as "Declined", since doing so will immediately hide
it from the list of updates on your WSUS server, and "out of sight/out of
mind" can be a potential trouble area.


"achen" <> wrote in message
news: ups.com...
> Thanks for replying, could you please tell me how should I deal with an
> update which is superseding an older update, when itself is superseded
> again by a newer update?
>
> For example if we had security_update_BB superseding
> security_update_AA, the approval status were "Install" for BB and
> "Delicne" for AA.
>
> When a newer update security_update_CC comes out which superseding BB,
> upon approval of CC, does it automatically remove BB from the approval
> list? If not, is it a right thing to do to manually decline both AA
> and BB, just because there is no reason of installing them anymore,
> after CC is available for install?
>
> I hope I have made my question clear.
>

Thank you Lawrence, your reply is really helpful.

One last question that I wanted to ask, the main purpose of my inquiry
about declining out-dated updates is to save space on the WSUS server.
I think it doesn't make sense to use 10GB of space if only 8GB of it is
needed.

So the question is - Upon disapporving an update that is previously
approved, or changing the status from "Install" to "Detect Only", will
WSUS delete the files associated with this particular update from its
storage space?

"achen" <> wrote in message
news: ups.com...
> Thank you Lawrence, your reply is really helpful.
>
> One last question that I wanted to ask, the main purpose of my inquiry
> about declining out-dated updates is to save space on the WSUS server.
> I think it doesn't make sense to use 10GB of space if only 8GB of it is
> needed.

<g>.. Welcome to the club!

> So the question is - Upon disapporving an update that is previously
> approved, or changing the status from "Install" to "Detect Only", will
> WSUS delete the files associated with this particular update from its
> storage space?

No, not automatically.

However, if you mark the update as DECLINED (and I would only recommend
doing so for update you know factually that you will -never- need), you can
then purge the content using the WSUS Server Diagnostic Tool. It has an
option /Tool:PurgeUnneededFiles that will remove the content associated with
declined updates.