WSUS - Cleanup

Scenario:

Installed WSUS a long time ago and never maintained it.

Came back to it recently and approved all updates for all computers (1000's of updates in the database.) - including superseded updates. Not all of these updates install (I suspect only the most recent version of an update installs?).

This means the client status is incorrect - clients report numerous "needed" updates when in fact they are actually up-to-date.

I wish to tidy this up.

Going through all the updates one by one and deleting superseded ones isn't an option - too time consuming.

My options are:

1. Delete the current WSUS database and re-sync - will this ensure no superseded updates are downloaded on the initial sync? i.e. only the most recent versions. Allowing me to start from the scratch and stay on top of it this time.

2. Run the WSUS server cleanup tools - in my case I don't think they will achieve my end goal i.e. to have an up to date database, with no superseded updates and clients reporting accurately.

3. Filter "All Updates" on the superseded column, delete ALL updates that are superseded and only retain the most recent versions of updates.

In cases 1 and 3 my hope is that when clients report against the WSUS after this they will rectify their status and report accurately.

Opinions please...

July 7th, 2013 6:18pm

Not all of these updates install (I suspect only the most recent version of an update installs?).

Correct.

This means the client status is incorrect - clients report numerous "needed" updates when in fact they are actually up-to-date.

Nope. The client status is accurate as reported. If there are updates reported as "Needed" that means either that update, or one that supersedes it is NOT installed yet.

Going through all the updates one by one and deleting superseded ones isn't an option

And yet, DECLINING the superseded updates is exactly what is required. The fact that it is "too time consuming" is merely a perception of the process required as a result of the manifestation of the procrastination from not doing it when it should have been done. :-)

In this article on PatchZone I talk about a SIMPLE process for addressing this situation.

3. Filter "All Updates" on the superseded column, delete ALL updates that are superseded and only retain the most recent versions of updates.

This is essentially the process, except that you misuse the term "delete" (which is not possible from the console) for the operation "decline" which is the appropriate and correct operation in this ins

July 7th, 2013 10:03pm

Ok...I read the article and have taken your notes on board.

I still have a query though. You said:

Nope. The client status is accurate as reported. If there are updates reported as "Needed" that means either that update, or one that supersedes it is NOT installed yet.

So, does this mean that if I delete the superseded updates the clients reporting will eventually be precise? You say that this means an update OR a superseded update is not installed yet...

If I approve 3 versions of the same update together i.e. Update 1a and 1b and 1c for all computers (1a is superseded by 1b, 1b is superseded by 1c):

1. Will only 1c be installed?

2. Will the client report as 1 update installed, 2 updates needed?

3. Will declining the superseded updates (1a and 1b) rectify the problem?

4. If the answer to 3 is yes, then why does it matter what percentage of machines have superseded updates installed when doing the filter...i.e. should I not just simply decline ALL superseded updates at this stage, and then only the most recent updates will be installed. (i.e. an update isn't dependent on a superseded being installed already).

July 8th, 2013 5:18am

I still have a query though. You said:

Nope. The client status is accurate as reported. If there are updates reported as "Needed" that means either that update, or one that supersedes it is NOT installed yet.

So, does this mean that if I delete the superseded updates the clients reporting will eventually be precise?

Not necessarily. DECLINING the superseded updates merely removes the reporting of them as Needed (which is why the article explicitly states you should only decline superseded updates that are reported as 100% Installed/NotApplicable). A superseded update reported as Needed means that the newer update is not yet installed -- possibly because it is not yet approved, or maybe not yet downloaded to the WSUS server. Whatever the reason, it's missing from the client and that's the condition that requires remediation.

You say that this means an update OR a superseded update is not installed yet...

If I approve 3 versions of the same update together i.e. Update 1a and 1b and 1c for all computers (1a is superseded by 1b, 1b is superseded by 1c):

1. Will only 1c be installed?

Yes. The WUAgent ignores superseded updates for purposes of download/install, but it still reports state on those updates, initially "Needed" (because they are not installed), or possibly "Installed" for any that are (and "Not Applicable" for the superseded updates once the newer update has been installed).

Once the latest update (1c in your example) is installed, then 1a and 1b will be reported as "NotApplicable". If 1b were to be installed, 1a would be reported as Not Applicable, 1b as Installed, and 1c as Needed.

3. Will declining the superseded updates (1a and 1b) rectify the problem?

No. The problem is not that the superseded updates are still reported as "Needed" ... that's critically important evidence of the actual problem. The actual problem is that some other newer update is NOT installed, maybe not even approved (or maybe not yet downloaded to the WSUS server after being approved).

why does it matter what percentage of machines have superseded updates installed when doing the filter

Because the fact that there IS a superseded update reported as "Needed" is a critical indicator that some other update (the one that supersedes the superseded update) is NOT installed, and that problem needs to be remediated. Once all of the current updates are installed, then the superseded updates will be reported as "Not Applicable", and the 100% Installed/Not Applicable state is a Healthy Indicator ... and is what triggers the knowledge that declining the superseded updates is now an appropriate action to take.

July 8th, 2013 6:15pm
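
The rule from the reply above (decline a superseded update only once every client reports it as Installed or Not Applicable), as an added example that is not from this thread or the PatchZone article. It assumes it is run on the WSUS server itself with the UpdateServices PowerShell module (Windows Server 2012 or later); the `-Decline` switch and the choice to treat Unknown and Pending Reboot as outstanding are this example's own.

```powershell
# Added example. Report-only by default; pass -Decline to actually decline.
param(
    [switch]$Decline   # hypothetical switch name, specific to this example
)

# Connect to the local WSUS server and build a scope covering all computers.
$wsus  = Get-WsusServer
$scope = New-Object Microsoft.UpdateServices.Administration.ComputerTargetScope

# Superseded updates that have not been declined yet.
$candidates = $wsus.GetUpdates() |
    Where-Object { $_.IsSuperseded -and -not $_.IsDeclined }

$report = foreach ($u in $candidates) {
    $s = $u.GetSummary($scope)

    # Any state other than Installed / NotApplicable means at least one client
    # is still missing this update or the newer one that replaces it.
    # Unknown and PendingReboot are counted as outstanding (conservative choice).
    $outstanding = $s.NotInstalledCount + $s.DownloadedCount + $s.FailedCount +
                   $s.InstalledPendingRebootCount + $s.UnknownCount

    [pscustomobject]@{
        Title         = $u.Title
        Installed     = $s.InstalledCount
        NotApplicable = $s.NotApplicableCount
        Outstanding   = $outstanding
        SafeToDecline = ($outstanding -eq 0)
        Update        = $u
    }
}

# Superseded updates still needed somewhere: evidence that a newer update is
# not approved, not downloaded, or not installed. Fix that first.
$report | Where-Object { -not $_.SafeToDecline } |
    Sort-Object Outstanding -Descending |
    Format-Table Title, Installed, NotApplicable, Outstanding -AutoSize

# Superseded updates at 100% Installed/NotApplicable: safe to decline.
$safe = @($report | Where-Object { $_.SafeToDecline })
Write-Host ("{0} superseded update(s) are safe to decline." -f $safe.Count)

if ($Decline) {
    foreach ($r in $safe) {
        $r.Update.Decline()
        Write-Host ("Declined: {0}" -f $r.Title)
    }
}
```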

Thanks for this.

I have a large task ahead of me. I was considering declining all superseded at the expense of missing out some updates on machines (no superseded updates appear to be 100%) - but I might just have to work through them all.

So, from my first question...I assume this is not a solution:

Delete WSUS (inc. db) and reinstall, re-sync. (only most recent versions will be downloaded on first sync) - approve updates as necessary. (or will clients still report inaccurately)

July 9th, 2013 4:40am
