WSUS - Declining all Superseded Updates - NOW!

Just a quick snippet today. I wrote this because I didn’t want to have to wait for 30 days before unused superseded updates in my WSUS server were automatically declined - especially those daily “Definition Update for Windows Defender”.


If you’re happy waiting for these unused superseded updates to be declined after 30 days then you can just use the following cmdlet:

[sourcecode language="powershell"]
Invoke-WsusServerCleanup -DeclineSupersededUpdates
[/sourcecode]

However, if you don’t want to wait you can fire off this little PowerShell script. It is a single PowerShell pipeline that declines every update whose approval is anything other than declined and that has at least one superseding update:

[sourcecode language="powershell"]
# Select every update that is not already declined and is superseded by at least one other update, then decline it.
Get-WsusUpdate -Classification All -Status Any -Approval AnyExceptDeclined |
    Where-Object { $_.Update.GetRelatedUpdates(([Microsoft.UpdateServices.Administration.UpdateRelationship]::UpdatesThatSupersedeThisUpdate)).Count -gt 0 } |
    Deny-WsusUpdate
[/sourcecode]

The command will take a few minutes to run (depending on how many updates your WSUS Server has) - on my WSUS server it took about 5 minutes. Once the process has completed you could then trigger the cmdlet to perform a WSUS Server cleanup (to get rid of any obsolete content files):

[sourcecode language="powershell"]
Invoke-WsusServerCleanup -CleanupObsoleteUpdates -CleanupUnneededContentFiles
[/sourcecode]
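
Declining is applied to every match at once, so it is worth recording what the decline pipeline selects before running it. The following is an added example, not part of the original script: it reuses the same filter, writes the matches and their superseding updates to a CSV, and finishes with a `-WhatIf` dry run. `$ReportPath` is an assumed location, and the script assumes it runs on the WSUS server with the UpdateServices module available.

```powershell
# Added example (not from the original post): review superseded updates before declining them.
# Assumption: $ReportPath is a hypothetical report location; change it to suit your server.
$ReportPath   = Join-Path $env:TEMP 'wsus-superseded-review.csv'
$Relationship = [Microsoft.UpdateServices.Administration.UpdateRelationship]::UpdatesThatSupersedeThisUpdate

# Same selection as the decline pipeline, held in a variable so WSUS is only queried once.
$Superseded = @(
    Get-WsusUpdate -Classification All -Status Any -Approval AnyExceptDeclined |
        Where-Object { $_.Update.GetRelatedUpdates($Relationship).Count -gt 0 }
)

# Build one report row per update, including the titles of the updates that replace it.
$Report = foreach ($Item in $Superseded) {
    $Replacements = $Item.Update.GetRelatedUpdates($Relationship)
    [pscustomobject]@{
        UpdateId       = $Item.Update.Id.UpdateId
        Title          = $Item.Update.Title
        Classification = $Item.Update.UpdateClassificationTitle
        CreationDate   = $Item.Update.CreationDate
        IsApproved     = $Item.Update.IsApproved
        SupersededBy   = ($Replacements | ForEach-Object { $_.Title }) -join '; '
    }
}

if ($Report) {
    $Report | Export-Csv -Path $ReportPath -NoTypeInformation

    # Summary by classification, to spot anything unexpected (for example approved drivers).
    $Report | Group-Object Classification |
        Sort-Object Count -Descending |
        Format-Table Name, Count -AutoSize

    # Updates that are still approved deserve a second look before they are declined.
    $StillApproved = @($Report | Where-Object { $_.IsApproved })
    '{0} superseded updates found, {1} of them currently approved. Report: {2}' -f `
        $Superseded.Count, $StillApproved.Count, $ReportPath

    # Dry run: shows what Deny-WsusUpdate would do without changing anything.
    $Superseded | Deny-WsusUpdate -WhatIf
}
else {
    'No superseded updates are awaiting decline.'
}
```

Once the report looks right, removing `-WhatIf` from the last pipeline declines the same set that was reviewed.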

That is about it for today!