WSUS – Declining all Superceded Updates – NOW!

Just a quick snippet today. I wrote this because I was didn’t want to have to wait for 30 days before unusused superceded updates in my WSUS server were automatically declined – especially those daily “Definition Update for Windows Defender”.

ss_wsus_definitionupdates

If you’re happy waiting for these unused superceded updates to be declined after 30 days then you can just use the following cmdlet:

Invoke-WsusServerCleanup -DeclineSupersededUpdates

However, if you don’t want to wait you can fire off this little PowerShell script. It is just a single line of PowerShell code that will automatically decline all updates with a status of anything except for declined and has at least one superceding update:

Get-WSUSUpdate -Classification All -Status Any -Approval AnyExceptDeclined `
    | Where-Object { $_.Update.GetRelatedUpdates(([Microsoft.UpdateServices.Administration.UpdateRelationship]::UpdatesThatSupersedeThisUpdate)).Count -gt 0 } `
    | Deny-WsusUpdate

The command will take a few minutes to run (depending on how many updates your WSUS Server has) – on my WSUS server it took about 5 minutes. Once the process has completed you could then trigger the cmdlet to perform a WSUS Server cleanup (to get rid of any obsolete content files):

Invoke-WsusServerCleanup -CleanupObsoleteUpdates -CleanupUnneededContentFiles

That is about it for today!

Advertisements