I was wondering, which takes precedence, automatic approvals that would approve a botched update, or an administrator explicitly denying that same update? In retrospect I vaguely remember when declining an update it warning me that its prior approvals would be removed. Ordinarily I am not this micromanagement or OCD'ish, I just want to make sure that this is what actually happens because of the scope of potential problems.
Finally, does this approval get rescinded from a computer that the night prior has connected to WSUS and seen it as approved, but has the setting to not download or install without user intervention? Like will the declined command, remove that update from the list on the local computer the following night (or whatever default time interval) when it next contacts the WSUS server?