I'm a little unsure how WSUS behaves in this scenario. I'll use the latest KB3097877 issue as an example.
We have a main WSUS server and a downstream server at a remote site. When I approve patches on the main one, they get pushed to the downstream and then all clients will install the patches. For KB3097877, Microsoft had an issue and it was causing problems for many users so they pulled it. Under normal circumstances this would be fine because I would just then set that patch to Approve for Removal then deny it. Happy days. However they decided to re-release that same patch (fixed) under the same KB. What does WSUS do now? Do I need to set the patch for removal, wait until I get 100% compliant, then approve it again? Or will this approve the same old, previously downloaded patch and screw up users again? How do I tell the WSUS to delete the old and get the new one from Microsoft Update? Or does it do all this automatically?
Hope to get some clear answers as our users are having issues again!
Thanks