WSUS 2016: I declined an update (KB4346087) and can't get it back into WSUS

Jeremiah Nelson 1 Reputation point
2020-11-30T22:23:01.493+00:00

I declined an update (KB4346087) and can't get it reinstated in WSUS. I can search for it and find it, then when I try and approve it, it shows up as "Unknown" as status, and doesn't actually install on the approved servers.

I've tried reimporting it, changing its approval to approved and not approved, but still can't find it in WSUS.

Windows Server
Windows Server
A family of Microsoft server operating systems that support enterprise-level management, data storage, applications, and communications.
12,084 questions
0 comments

8 answers

Sort by: Most helpful
Most helpful Newest Oldest
  1. Adam J. Marshall 8,621 Reputation points MVP
    2020-11-30T22:32:19.147+00:00

    KB4346087 has been superseded by a ton of updates. It's from 2019-02
    https://www.catalog.update.microsoft.com/Search.aspx?q=KB4346087

    Install any of the superseding updates instead. Preferably the latest update from 2020-11
    https://www.catalog.update.microsoft.com/Search.aspx?q=KB4589210

    0 comments
  2. Dave Patrick 426K Reputation points MVP
    2020-11-30T22:32:38.423+00:00

    May be moot if a later cumulative update has been install (replaced by Package details tab)
    https://www.catalog.update.microsoft.com/ScopedViewInline.aspx?updateid=cd8096e0-e632-4f72-aae1-4577d102034c

    --please don't forget to Accept as answer if the reply is helpful--

    0 comments
  3. Rita Hu -MSFT 9,626 Reputation points
    2020-12-01T01:41:14.847+00:00

    Hi JeremiahNelson-9826,

    Thanks for your posting on Q&A.

    Which Windows clients you want to deploy the KB4346087 to? I found that the KB4346087 has been replaced by the other updates. Perhaps we could install the latest update instead of installing the KB4346087.

    Here is a related picture for your reference:
    43749-4.png

    Thanks for your time.

    Regards,
    Rita

    If the response is helpful, please click "Accept Answer" and upvote it.
    Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.

    0 comments
  4. Jeremiah Nelson 1 Reputation point
    2020-12-01T13:23:33.827+00:00

    Thanks for the replies. I understand that 4346087 has been superseded. My issue is that my scanner is showing still vulnerable to the "Windows Speculative Execution Configuration Check" Nessus Plugin ID: 132101.

    I have the registry key needed to fix the vuln. And the only way to clear the vuln in the scanner is when I install(manually) the 4346087 patch. Even on those that have the most up to date cumulative patch.

    0 comments
  5. Dave Patrick 426K Reputation points MVP
    2020-12-01T14:15:23.353+00:00

    You'll need to take it up with the scanner developer. It isn't required (or possible) to install an older cumulative update. The only method to install it would be to peel back (uninstall) any later updates as first step. (note: SSUs cannot be uninstalled) Its likely the scanner definition is out of sync / out of date

    --please don't forget to Accept as answer if the reply is helpful--

    0 comments