WSUS - Decline all updates upon a fresh install?


We were tight on space on the drive where WSUS has been installed for the past several years, so I went for an uninstall and re-install.

Now, having completed the re-installation and run the initial synchronisation, WSUS reports 5905 security updates, 1490 critical updates awaiting approval.

As these updates have already been approved and pushed out in the previous installation, I am inclined to decline all these updates, in order to save space.

We then start fresh and approve all updates from this point on.

I wanted experts to confirm if my logic is sound here, or if there is any possible problem with this approach.

Many thanks.
Cliff Galiher Commented:
I'd just leave them unapproved. That way if/when you replace or add machines down the road, the detection logic is still there and you'll see if updates are missing as well as get better supersedence info. Declining updates won't save space any more than leaving them unapproved would. It's a database entry either way.
Qlemo "Batchelor", Developer and EE Topic Advisor Commented:
Agree to above. That way you still keep record about machines and the applied patches, without using more space.
Should you ever need prior patches, you will see in WSUS. "Declined" stops collecting and removes any installation info.
mewtd Author Commented:
Hi again,

In order to correctly manage this, am I right in thinking that all updates as of yesterday (when the previous version of WSUS was uninstalled) were already pushed out to servers and clients, and therefore you are suggesting I leave them there in the list (enormous list of 7632 updates). If that's the case, I'm thinking about how to effectively manage subsequent updates, (and keep WSUS DB down to a minimum).

I have added the field "Arrival date" to the display, I am thinking I should sort by that from now check on a weekly basis and only ever approve updates that have an arrival date later than 11/3/2015?

Please correct me if this is not advisable.

Many thanks.
Cliff Galiher Commented:
Why not just sort by "needed" and approve updates that are greater than 0, old *or* new?
Qlemo "Batchelor", Developer and EE Topic Advisor Commented:
Sorting for "needed" is useful if you have waited for more than two days after an update has been sync'd with MS, because by then all machines should have checked against WSUS.
On patch day I sort for arrival to see the new ones. But waiting and going for "needed" is more effective.
mewtd Author Commented:
I am trying to think ahead too. If I decline them, then if at any stage someone else is administering this server, they likely will leave them as declined, whereas if I leave them as unapproved, they might think 'wow, look at all these updates that were never approved, I should approve them all'.

My main concern is storage, I want to absolutely minimise the size of WSUS (it had been 100 GB+), but I am also trying to give consideration to how best to deal with all the old updates which have already been pushed out, especially if someone new has to manage it at some stage.
Qlemo "Batchelor", Developer and EE Topic Advisor Commented:
If someone would say "look, there is soooo many updates to approve, let's just do it", it would be a very inexperienced admin ;-). That is no reason to decline the updates now.

In regard of keeping the file storage minimized, did you run the Cleanup Wizard of WSUS regularly? And decline superseded updates manually after some time?
mewtd Author Commented:
OK, I will close this off shortly, can you just please advise on how to identify "superseded updates" within WSUS?
Qlemo "Batchelor", Developer and EE Topic Advisor Commented:
There is a symbol for that in the detail lists:
mewtd Author Commented:
Thank you all.
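
The views discussed in this thread (unapproved updates sorted by "needed", arrival date, and the superseded flag) can also be produced from the WSUS administration API. The script below is an added example, not part of the original thread; it assumes it runs in an elevated PowerShell session on the WSUS server itself, and its definition of "needed" (not installed plus downloaded) is this example's approximation of the console column.

```powershell
# Added example: read-only report; it approves and declines nothing.
[void][Reflection.Assembly]::LoadWithPartialName('Microsoft.UpdateServices.Administration')
$wsus = [Microsoft.UpdateServices.Administration.AdminProxy]::GetUpdateServer()

# Limit the query to updates that have no approval yet.
$scope = New-Object Microsoft.UpdateServices.Administration.UpdateScope
$scope.ApprovedStates = [Microsoft.UpdateServices.Administration.ApprovedStates]::NotApproved

# An empty ComputerTargetScope covers every computer reporting to this server.
$allComputers = New-Object Microsoft.UpdateServices.Administration.ComputerTargetScope

$report = foreach ($update in $wsus.GetUpdates($scope)) {
    if ($update.IsDeclined) { continue }   # declined updates are out of scope here

    # One summary call per update: slow on a catalogue of several thousand entries.
    $summary = $update.GetSummary($allComputers)

    # Assumption: "needed" = not installed + downloaded but not yet installed.
    $needed = $summary.NotInstalledCount + $summary.DownloadedCount

    New-Object PSObject -Property @{
        Title        = $update.Title
        ArrivalDate  = $update.ArrivalDate
        Needed       = $needed
        Failed       = $summary.FailedCount
        IsSuperseded = $update.IsSuperseded
    }
}

# Updates at least one machine still lacks, old or new, most-needed first.
$report | Where-Object { $_.Needed -gt 0 } |
    Sort-Object Needed -Descending |
    Select-Object Needed, Failed, IsSuperseded, ArrivalDate, Title |
    Format-Table -AutoSize

# Superseded updates that no machine needs: review these before declining
# them and running the Cleanup Wizard.
$report | Where-Object { $_.IsSuperseded -and $_.Needed -eq 0 -and $_.Failed -eq 0 } |
    Sort-Object ArrivalDate |
    Select-Object ArrivalDate, Title
```

Run it only after clients have had time to report in, since the counts reflect each machine's last detection cycle.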