WSUS – Declining all Superceded Updates – NOW!

Just a quick snippet today. I wrote this because I was didn’t want to have to wait for 30 days before unusused superceded updates in my WSUS server were automatically declined – especially those daily “Definition Update for Windows Defender”.


If you’re happy waiting for these unused superceded updates to be declined after 30 days then you can just use the following cmdlet:

Invoke-WsusServerCleanup -DeclineSupersededUpdates

However, if you don’t want to wait you can fire off this little PowerShell script. It is just a single line of PowerShell code that will automatically decline all updates with a status of anything except for declined and has at least one superceding update:

Get-WSUSUpdate -Classification All -Status Any -Approval AnyExceptDeclined `
    | Where-Object { $_.Update.GetRelatedUpdates(([Microsoft.UpdateServices.Administration.UpdateRelationship]::UpdatesThatSupersedeThisUpdate)).Count -gt 0 } `
    | Deny-WsusUpdate

The command will take a few minutes to run (depending on how many updates your WSUS Server has) – on my WSUS server it took about 5 minutes. Once the process has completed you could then trigger the cmdlet to perform a WSUS Server cleanup (to get rid of any obsolete content files):

Invoke-WsusServerCleanup -CleanupObsoleteUpdates -CleanupUnneededContentFiles

That is about it for today!


2 thoughts on “WSUS – Declining all Superceded Updates – NOW!

  1. Jeff says:

    Thanks for this post. It is what I was looking for, though I was a little more conservative and change it to “.count -gt 1” to decline updates that have been superseded by 2 or more updates.

    One thing, though. For me, on a windows server 2012R2 WSUS server the powershell script as written above, wasn’t working. It ran without error, but never found and declined all of the updates that it should have. Here is what seems to work better for me:

    Get-WSUSUpdate -Classification All -Status Any -Approval AnyExceptDeclined `
    | Where-Object { ($_.Update.GetRelatedUpdates(‘UpdatesThatSupersedeThisUpdate’)).Count -gt 1 } `
    | Deny-WsusUpdate


    • That is some great info! I think you’re right – my original script isn’t quite right. Looking at the script I’m currently running on my WSUS Server it is different to what I posted. I must have adjusted it at some point without changing the post! Thanks for pointing that out.



Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Google+ photo

You are commenting using your Google+ account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )


Connecting to %s