Update still appears available after setting it to "disapprove" after being approved in WSUS 3.0 SP1

Posted on 2009-12-22
Medium Priority
Last Modified: 2012-05-08
I had to remove the approval for a recently approved Update. I have ran the AU client force utility and also gpupdate / force ( with restart) but the Update shield still appears with the disapproved update ready for install.
We use a GPO to control wsus settings.  

What else can I do to eliminate the update from appearing for install?

Question by:Russ Wrightson
  • 4
  • 4

Expert Comment

ID: 26111190
Did you set the update as "not approved" ?
I suppose the au utility does the "wuauclt /resetauthorization /detectnow" command on the client to refresh update information?

Is the client connected to the correct WSUS server?

http://technet.microsoft.com/en-us/wsus/bb466192.aspx Has a Client Diagnostics Tool, to display the wsus settings on the client
LVL 47

Expert Comment

by:Donald Stewart
ID: 26113033
DId you disapprove for a Target Group or for all?

Author Comment

by:Russ Wrightson
ID: 26115028
thank you.
I changed the status to "disapproved' on the update itself for all the target groups.
The Parent WSUS still makes the update available but when I work on a PC that is attached to a Secondary WSUS server, the update notification does not return
Concerto Cloud for Software Providers & ISVs

Can Concerto Cloud Services help you focus on evolving your application offerings, while delivering the best cloud experience to your customers? From DevOps to revenue models and customer support, the answer is yes!

Learn how Concerto can help you.

LVL 47

Expert Comment

by:Donald Stewart
ID: 26115509
So all is well?

Author Comment

by:Russ Wrightson
ID: 26119026
Negative - the PC's that are attached to the Parent SUS Server @ our Corp office still recieve the update notification after removing the undesired  update.

I can choose custom from the update window and tell the OS to ingore the update but I would like to figure out why the Secondary Servers perform correctly but not Parent.
LVL 47

Expert Comment

by:Donald Stewart
ID: 26120072

Author Comment

by:Russ Wrightson
ID: 26148604
we are using WSUS 3.0 SP1 and I have used the Server Cleanup Wizard. what I have also noticed is that if a PC was not turned on until AFTER the update was switched to disapproved, then the disapproved update is not in the available updates on the Client PC. It's only still being pushed to a Client who originally got the approved push. Wondering if I should setup a Secondary WSUS Server here @ our Corp headquaters and assign the Corp PC's to it instead of them being controlled by the Parent WSUS Server.
LVL 47

Accepted Solution

Donald Stewart earned 1500 total points
ID: 26148638
There's more than just using the "server cleanup wizard"
From above link

Purge / Delete corrupted or Un-needed patches on WSUS Server
If you want to purge the downloaded patches on WSUS Server to cleanup / delete unneeded content, then you have to use the following tools; WSUSDebug PurgeUnneededFiles  
WSUSUTIL.exe Deleteunneededrevisions  
WSUSUTIL.exe Reset
WSUSUTIL.exe Removeinactiveapprovals (optional)
WSUS Debug Tool: Run PurgeUnneededFiles command to Purge unneeded content. This command deletes all files not needed on the WSUS server.
WsusDebugTool.exe /Tool:PurgeUnneededFiles
***(NOTE: You have to decline the updates first.)
WSUSUTIL.exe deleteunneededrevisions: Purges the metadata for unnecessary update revisions from the database. This is useful for managing WSUS with an MSDE database.
***(NOTE: this command should only be run after stopping the Windows Server Update Services website in Internet Information Services MMC.)
WSUSUTIL.exe Reset: Now that you have purged the content, use 'WSUSUTIL.exe reset' which checks that every metadata row in the database has corresponding content stored in the file system.  If content is a missing or corrupted, WSUS downloads the content again.
WSUSUTIL.exe reset
***(NOTE: WSUSUTIL.exe is installed C:\Program Files\Update Services\Tools)


Author Closing Comment

by:Russ Wrightson
ID: 31669239
thought the solution does clean up the un needed Patch, it does not address the situation of how we can succesfully remove the trigger from Parent attached PS'c from from recieving the notification of a declined update.
I will be setting up an additional Secondary Server for our Corporate office and move all PC's to that WSUS group.

Featured Post

Important Lessons on Recovering from Petya

In their most recent webinar, Skyport Systems explores ways to isolate and protect critical databases to keep the core of your company safe from harm.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Issue: One Windows 2008 R2 64bit server on the network unable to connect to a buffalo Device (Linkstation) with firmware version 1.56. There are a total of four servers on the network this being one of them. Troubleshooting Steps: Connect via h…
Know what services you can and cannot, should and should not combine on your server.
Windows 8 comes with a dramatically different user interface known as Metro. Notably missing from the new interface is a Start button and Start Menu. Many users do not like it, much preferring the interface of earlier versions — Windows 7, Windows X…
With the advent of Windows 10, Microsoft is pushing a Get Windows 10 icon into the notification area (system tray) of qualifying computers. There are many reasons for wanting to remove this icon. This two-part Experts Exchange video Micro Tutorial s…
Suggested Courses

850 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question