Gibo

asked on

What is “SUPERSEDENCE” option in WSUS UPDATES?

What is “SUPERSEDENCE” option in WSUS UPDATES? What updates do they refer to when choosing that view or option in WSUS?
ASKER CERTIFIED SOLUTION
Hello There

Gibo

ASKER

noted with thanks...

how come when I configured the GPO to automatically download & notify install the approved WSUS updates, the “Check Updates” option is visible after the update installations then when clicked another batch of updates starts to download?

Is it getting those updates from the internet or the WSUS? & why is the check updates option visible even if the GPO was configured to push the Windows Updates to the targeted clients?
...even if the GPO was configured to push the Windows Updates to the targeted clients?
wsus doesn't push anything anywhere; it only makes updates available for clients when it is their time to check in 
If you really want to push updates, you have to use deadlines.
then when clicked another batch of updates starts to download?
sometimes it is because of dependencies
a monthly update might not install and will not show if, say, a previous servicing stack update isn't installed first (just one example) 
Gibo

ASKER

very informative, good to know, many thanks
Gibo

ASKER

should I also always filter the updates through table views to include SUPERSEDENCE & NEEDED COUNT when approving to get rid of old updates?

please advise, thanks
Gibo

ASKER

does including the above filters reduce the number of WSUS downloads?
should I also always filter the updates through table views to include SUPERSEDENCE & NEEDED COUNT when approving to get rid of old updates?
you could...the cleanup wizard can remove superseded updates

does including the above filters reduce the number of WSUS downloads?
it can.  it won't download anything until it has an approval for at least 1 group
before, once a sync was done, I would immediately search for anything with the word 'itanium' and decline those since I didn't have any of that architecture. now (with 2008 gone), I decline anything with ARM64 since I don't have that either. then I filter through what is left for anything relevant for my environment

you can also take a pass at my article and see if it helps 
I regularly (i.e. once a week) decline all superseded updates and then do a wsus cleanup.
I also check for updates needing approval (they are the ones needing acceptance of terms of service, like the 2004 upgrade, in which I declined the languages I don't support and the upgrades I don't support) and then approve the rest. This helps keep the wsusdata folder a reasonable size

until an update is downloaded to the wsus server it won't be offered to the client.
An additional way to filter updates is to create custom views for certain groups of computers.  For example, if you have Windows 8 and Windows 10 workstations, you could create a custom view for each one so that you only see the updates that are needed for that group.  At minimum, I usually do a custom group for workstations and one for servers.  It minimizes the number of updates you have to sift through for the different groups needing different updates.

This graphic shows how to start creating a custom group:

[Image: New WSUS Update View 1.jpg]
should I also always filter the updates through table views to include SUPERSEDENCE & NEEDED COUNT when approving to get rid of old updates? 
I think this is good practice. This filter is quite important because it will tell you which updates are not needed. Then you can delete them. It can significantly reduce the WSUS folder.


does including the above filters reduce the number of WSUS downloads?
If you want to reduce downloads, go to Options -> Products and Classifications. On the Products tab, select only those products you really use and untick all you don't need. On the Classifications tab, you might want to untick everything related to drivers.
Gibo

ASKER

I did configure your above recommendations but haven’t tried the SUPERSEDENCE & NEEDED COUNT options & the cleanup wizard which you said will definitely reduce the download time of the needed specific updates to install from WSUS, very helpful, thank you

I’ve also used GPO filtering to target a batch of clients in an OU to minimize bandwidth & network traffic
you start a question narrowly defined and then expand as you go.
A GPO merely tells the client system how to check for updates and what to do when updates are available.
MS might release updates either as versions, meaning a newer version to a prior update, or an update that replaces, displaces the need for a previously issued update.
Gibo

ASKER

What is the difference between “DECLINE” & “NOT APPROVED” in WSUS approval options?
Not approved, the client sees that it is available to it. Declined, means the update is not made available.

The reason Itanium updates  can not be opted out of, declining them reduces the totals reported updates pending approval...counter.
Gibo

ASKER

noted, I should probably not approve during the updates & decline them afterwards or using the cleanup wizard
Not Approved = the update is visible in WSUS, often downloaded but not allowed for installation (for certain groups or all computers)
Declined update = update is declined by the administrator = removed from WSUS except for metadata info about this update
The steps are:
  • Review the list of updates and approve the ones that are needed by your servers and workstations.
  • Check WSUS on a scheduled basis to see if there are updates that have been approved but not installed on some servers or workstations. Follow up on why they aren't installed and remediate that.
  • Next month, before approving new updates, review the status of last month's updates. If you really want to keep your WSUS database clean, run a reindex process on it.  Then decline updates that are no longer needed (have been installed on all workstations and servers that need them). Then run the server cleanup wizard to purge them.
  • Go back to the first step and repeat every month.
The timing somewhat depends on how many workstations/servers you manage.  If you have a small number, you may not really need to do the cleanup every month. If you have hundreds of them, you may want to clean up more often to minimize the growth of your WSUS database.
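The decline-then-cleanup routine discussed in this thread, as an added PowerShell example that is not part of any original post. It assumes it runs elevated on the WSUS server with the UpdateServices module present; the `$UnusedArch` parameter and the way the needed count is summed from the per-update summary are assumptions of this sketch.

```powershell
# Added example: list, then decline, updates that are superseded AND no longer
# needed by any computer, plus updates for architectures you do not run.
[CmdletBinding(SupportsShouldProcess)]
param(
    # Hypothetical parameter: title fragments for architectures absent from the estate
    [string[]]$UnusedArch = @('ARM64', 'Itanium')
)

Import-Module UpdateServices
$wsus  = Get-WsusServer    # connects to the local WSUS server
$scope = New-Object Microsoft.UpdateServices.Administration.ComputerTargetScope  # all computers

# One summary call per update: slow on a large catalogue, so run it off-hours.
$candidates = foreach ($u in $wsus.GetUpdates()) {
    if ($u.IsDeclined) { continue }
    $s = $u.GetSummary($scope)
    # Assumption: "needed" = computers that still have install work outstanding
    $needed = $s.NotInstalledCount + $s.DownloadedCount +
              $s.InstalledPendingRebootCount + $s.FailedCount
    $archHit = $UnusedArch | Where-Object { $u.Title -like "*$_*" }
    $reason = if ($archHit) { "unused architecture ($($archHit -join ','))" } elseif ($u.IsSuperseded -and $needed -eq 0) { 'superseded, needed count 0' } else { $null }
    if ($reason) {
        [pscustomobject]@{ Title = $u.Title; Needed = $needed; Reason = $reason; Update = $u }
    }
}

# Review list first; superseded updates still needed by a client are left alone.
$candidates | Sort-Object Reason, Title | Format-Table Title, Needed, Reason -AutoSize

foreach ($c in $candidates) {
    if ($PSCmdlet.ShouldProcess($c.Title, "Decline ($($c.Reason))")) {
        $c.Update.Decline()
    }
}

# Purge content for declined/expired updates so the content folder shrinks.
if ($PSCmdlet.ShouldProcess('WSUS server', 'Run server cleanup')) {
    Invoke-WsusServerCleanup -UpdateServer $wsus -DeclineExpiredUpdates `
        -CleanupObsoleteUpdates -CleanupUnneededContentFiles
}
```

Save it as a `.ps1` file and run it with `-WhatIf` first: that prints the candidate table and the actions it would take without declining anything.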
While I too periodically speak using circular reference, I am not clear what you mean.

The point of an internal wsus server is to retrieve once and make available ....

Spares the bandwidth consumption for each system going out to retrieve their data.
You should decline Itanium if you do not have a system. Updates previously approved should not be declined unless/until that product line is no longer available in your environment
Deals with if you have to build a new system it will get updates previously approved without a need for you to underline/approve updates it may need.
Gibo

ASKER

thanks, we have hundreds so the cleanup is definitely needed & I need to install the reports updates to make it work to better review them
Gibo

ASKER

I may need to “not approve” some updates that were previously approved since when I filtered the “SUPERSEDENCE”, I noticed a significant number of the updates are not needed
The cleanup wizard is how you decline updates that have been superseded by newer updates.
Gibo

ASKER

yes that will save me more time when installing only the needed WSUS UPDATES
Not sure I understand.
The process is wsus checks in with MS update servers to see what updates are available based on the classifications, products you selected.
The client systems connect to the wsus and check what updates are available to each, and for the ones that are approved it follows the settings: download and notify, download and install or notify....

Depending on how you set up wsus groups and GPO of clients to target ... You can set up a test wsus group of workstations, commonly one of each type in the environment, and use them as the testing group in which you auto-approve critical and security updates.
If all things go without a hitch, you can approve the updates for the rest.

Usually, an approved update will auto-approve a newer version of the same update.