Bring Deleted/Declined Windows Update Back to SCCM

Maintaining WSUS and SCCM SUP correctly is an essential task in every SCCM environment. There are great guides on declining superseded updates, maintaining SUP, re-indexing SUSDB out there on web.

There could be scenarios where you need to bring back declined/deleted update/s back to SCCM and deploy. Below are the steps that you need to follow in such a scenario.

1. Let’s assume you declined updates and cleaned up SUSDB longtime back so the particular update is not visible even on WSUS console. To check that, open WSUS console and search for the update. If it’s not there, you need to import that from Windows Update Catalog. If the update is visible in WSUS console, go to step 5.

2. Click on “Import updates…” under Actions on WSUS Console. This will open Windows Update Catalog. Search for the KB number you want. Then Add the updates to your basket. Click on View Basket when you add the required updates.

3. In basket, there is an option to Import the update directly to WSUS.

If you don’t see the Import to WSUS option, make sure to change the protocol in the end of the URL to 1.8 when you open Windows Update Catalog through WSUS. Default it will open with 1.20. Then you will get the option to import directly to WSUS. Import the update to WSUS.

After you import the updates to WSUS, search for the update. Now it’s visible in WSUS.

5. Next place the updates in unapproved mode in WSUS.

Close the approval window.

6. Now you have to run a full SUP sync from the SCCM console. Running manual sync will only do a delta sync and the update you just configured in WSUS may not appear. To run a full sync, you have to wait till a scheduled sync happen. Or else you can modify SUP Properties; this will also initiate a full SUP sync.

For that, rather than doing a big change like adding or removing an update classification or product, the easiest method is doing a little modification to the Sync Schedule. Since SUP properties have changed now, you can initiate a manual full sync.

7. If the update which you need to restore is released long time back, it will not come back to SCCM because of the Supersedence Rules configured in SUP Properties. So you might need to modify the "Months before wait…" to a time before the update is expired.

Since the update that I want to restore is release on March 2017, I modified the setting to 18 months.

Run a sync again. You can see the update back in SCCM.

If you check wsyncmgr.log it displays items updated in SMS database and content version is updated.

8. Once you finished deploying the update, change the Supercedence Rules to default value in SUP Properties.