When Expiring Updates based on Supersedence Rules also Decline them in WSUS
When SCCM expires updates based on the configured Supersedence Rules it only does so in SCCM, not WSUS. Additionally, SCCM does not approve updates in WSUS.
Because of these two facts the WSUS Cleanup Wizard will never decline superseded updates. They are neither expired (as they are in SCCM) nor are their superseding updates approved (a requirement for the WSUS Cleanup Wizard). This causes a bloated Update Catalog that can cause very real client issues. There are scripts available to handle this situation but this is the last mile issue in regards to WSUS maintenance. If the product declined the updates in WSUS when it expires them in SCCM then there would be no additional steps that admins needed to take.
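The gap described above, as an added example that is not part of the original post or any reply: a PowerShell script that declines updates WSUS already flags as superseded, run on a machine with the WSUS administration console installed. The server name, port and 90-day exclusion window are assumptions, and the window only approximates a ConfigMgr supersedence rule by using the update's creation date.

```powershell
# Added example: decline superseded updates directly in WSUS.
# Assumptions (not from the page): server name, port, 90-day exclusion window.
[CmdletBinding(SupportsShouldProcess = $true)]
param(
    [string]$WsusServer    = 'wsus.example.internal',  # placeholder host name
    [int]   $Port          = 8530,
    [bool]  $UseSsl        = $false,
    [int]   $ExclusionDays = 90                        # keep recently published updates
)

# The WSUS administration API ships with the WSUS console / RSAT tools.
[void][Reflection.Assembly]::LoadWithPartialName('Microsoft.UpdateServices.Administration')
$wsus = [Microsoft.UpdateServices.Administration.AdminProxy]::GetUpdateServer(
    $WsusServer, $UseSsl, $Port)

$cutoff = (Get-Date).AddDays(-$ExclusionDays)

# Superseded, not yet declined, and older than the exclusion window.
# Approval state is deliberately ignored: ConfigMgr never approves updates in WSUS.
$candidates = @($wsus.GetUpdates() | Where-Object {
    $_.IsSuperseded -and -not $_.IsDeclined -and $_.CreationDate -lt $cutoff
})

$declined = 0
foreach ($update in $candidates) {
    # ShouldProcess makes -WhatIf and -Confirm work for every decline.
    if ($PSCmdlet.ShouldProcess($update.Title, 'Decline in WSUS')) {
        try {
            $update.Decline()
            $declined++
        }
        catch {
            Write-Warning "Failed to decline '$($update.Title)': $_"
        }
    }
}

'{0} superseded updates matched; {1} declined.' -f $candidates.Count, $declined
```

Run it with `-WhatIf` first to see which updates would be declined without changing anything on the WSUS server.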
This is fixed in #SCCM 1806.
This was added in 1806 prod but to mark this completed may be misleading. Only for CAS and Primary servers. Ironically from my understanding there is nothing there to handle this on Secondary Servers (SUPs). Seems like it should be easy and intuitive to go after this "low hanging fruit" item when they incorporated it into the 1806 product. With Microsoft's blessing of 130+ secondary servers, this could be a daunting task to manage outside Current Branch.
Michiel Wouters commented
Found this user voice after reading numerous posts about WSUS and SUP maintenance. @bdam is probably right. The team should really look into the synchronization and cleanup process. For now I'll continue to use the tasks as described in The complete guide to Microsoft WSUS and Configuration Manager SUP maintenance.
@Bjj The doc update was the doc team's revision of my submission. However, they revised it to say the exact opposite of what I sent. I do not believe ConfigMgr will _ever_ decline an update in WSUS and experience bears this out.
They have finally updated docs.
“When Configuration Manager sets a superseded software update to Expired, it does not set the update to Declined in WSUS. However, when the WSUS cleanup task runs, the updates set to Expired in Configuration Manager are set to a status of Declined on the WSUS server and the Windows Update Agent on computers will no longer scan for these updates. This means that clients will continue to scan for an expired update until the cleanup task runs. For information about the WSUS cleanup task, see Software updates maintenance.”
@Peter, I tried correcting the docs twice but the docs team insisted that what they have written is correct*. I tweeted David James and he said he'd look into it.
Peter S commented
I agree. The WSUS vs SCCM nightmare could be finally resolved. The lack of documentation on this feature simply blows me away.