• The Windows Update slow issue – there is a definitive answer… less a definitive solution

    I’m just now catching up on last week’s email, and found this from CH100:

    I understand that from previous posts your experience with WSUS is limited, so I thought to provide a little bit more detail about some of my posts in relation to the Windows Update being slow, at least at the beginning of the process on a clean image of Windows 7 with SP1. I didn’t test yet, but I believe this is the same for Windows 2008 R2.

    In WSUS there are options to synchronize the updates for various Microsoft products (not third-party products from Adobe or Oracle).

    After the updates are synchronized from the MU site, they have to be approved to be provided to the client computers. The computers do scan as instructed and if nothing is approved, they see no updates available. The closest equivalent is that on the Microsoft site, everything is approved, old and new, until they expire updates (‘pull’ them in internet slang).

    There is a column which is not enabled by default in WSUS which shows the supersedence of the updates and this is also made available in a different format in the bottom field for each update – which updates the current update supersedes or is superseded by.

    Although it looks complicated and it is, someone with a certain degree of experience in navigating through various options can figure out what to do.

    I found the posts from Lawrence Garvin from SolarWinds, which are everywhere but mostly on Microsoft’s various forums, to be authoritative when it comes to WSUS and a good start for those trying to learn the product.

    SCCM uses a built-in version of WSUS, but I don’t have experience with that product.

    Now back to the subject. The expired updates (the so-called ‘pulled’ updates) are automatically declined when they are expired and WSUS is synchronized with Windows Update.

    In addition there is a cleanup process which has to be run manually (or scripted via PowerShell) to decline expired revisions of the same update.

    Also the administrator can decline whatever is considered not desired. And this is what is of interest here.

    By declining everything superseded and leaving only top level supersedence updates and those without any relationship with other updates, the Windows Update mechanism works flawlessly, as claimed by Susan Bradley, for whom this is old news, and I found another Microsoft forum giving the same answer to the problem.

    I don’t have an answer for updating online though – WSUS Offline may be an answer, but in the same way that you are reluctant to recommend third-party products unsupported by Microsoft, I am too.

    So I think after 70+ posts in the thread which you started and which seems to have a huge following, I think we have the root cause – not discovered by me, only rediscovered after being found by others and tested.

    It is as expected that Microsoft does not maintain their WU site for peak performance.

    Until they do something about it, if they will do it, the only possible action for those trying to use the supported WU method is to wait and wait and wait and leave the computer on over many nights until things adjust by themselves.

    For the sake of completeness, I would mention here a few more things.

    Declining all superseded updates is not the full answer, as some may still be useful if the superseding update is not installed or in some cases is made confusing by Microsoft.

    Example: KB3102429 initial release (now expired) superseded KB2919469 but not its replacement. In such a case for full compliance, the superseded update needs to be installed too and as such approved.

    Other situations are when people do not install all the latest updates for various reasons, in which case they should install the older ones, superseded.

    Or, as Microsoft now releases Optional updates superseding Important updates, as is the case with Windows Update Client updates, the same as above applies if Optional updates are not installed.

    As I said in a post, now I made a decision to install all updates and it would only be an exception not to install any.

    Another issue is how to see the superseded updates in WU online. By hiding all updates and doing a scan, you will see the next level of updates which were not visible before being superseded and this is what that svchost.exe process which never ends does – it calculates various combinations in memory until it decides what to do. Hiding the second level, or only some of them, you will see another level of updates invisible before.

    Shouldn’t this all be explained in detail in the official Microsoft documentation, even if only for System Administrators? To the best of my knowledge this is not officially available and my claims are all based on information on the internet, testing, reverse engineering the behaviour of WU and based on the very limited official documentation available.
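
The WSUS-side approach described in the email, declining superseded updates while keeping any whose replacement is not actually on offer, can be scripted as below. This is an added example, not part of CH100's email or the original post; it assumes the UpdateServices PowerShell module on the WSUS server, treats "approved and not declined" as the test for a usable replacement, and only reports unless `-Decline` is passed.

```powershell
# Added example (not from the original post). Run on the WSUS server, or a host
# with the WSUS administration tools, as a WSUS administrator.
# Default is report-only; pass -Decline to actually decline updates.
param([switch]$Decline)

Import-Module UpdateServices
$wsus = Get-WsusServer    # no arguments: connect to the local WSUS instance
$rel  = [Microsoft.UpdateServices.Administration.UpdateRelationship]::UpdatesThatSupersedeThisUpdate

$report = foreach ($u in $wsus.GetUpdates()) {
    # Only superseded updates that are still live are candidates.
    if ($u.IsDeclined -or -not $u.IsSuperseded) { continue }

    # Replacements that clients can actually receive (assumption: approved
    # for at least one computer group and not declined).
    $live = @($u.GetRelatedUpdates($rel) |
              Where-Object { $_.IsApproved -and -not $_.IsDeclined })

    # Keep the older update when no replacement is on offer, so clients are
    # not left without either version.
    $action = if ($live.Count -gt 0) { 'Decline' } else { 'Keep' }
    if ($Decline -and $action -eq 'Decline') { $u.Decline() }

    [pscustomobject]@{
        Action       = $action
        KB           = @($u.KnowledgebaseArticles) -join ','
        Title        = $u.Title
        SupersededBy = @($live | ForEach-Object { @($_.KnowledgebaseArticles) -join ',' }) -join ';'
    }
}

# Review the 'Keep' rows by hand before any cleanup run.
$report | Sort-Object Action, KB | Format-Table -AutoSize
```

The script checks approval state on the server only; it does not verify that clients have installed the superseding update, so the cases the email lists (a replacement that is approved but deliberately not installed, or an Optional update superseding an Important one) still need manual review.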