So I should change the way I install software? Until now I have used the non-upgrade packages to install updates to all systems in different groups (old systems which have and new systems which don't have any 3rd party software installed). Using the upgrade packages would mean that I have to preinstall systems with all needed 3rd party software.
In theory I could manually run a management task which installs one or more not approved non-upgrade packages to new systems. But the publishing of the package to WSUS leads to the point where clients without the package "need" them.
- If a client is a member of a WSUS group, it should get all 3rd party updates of the group (or install if not installed)
- If a client is a member of another WSUS group (where a package is not approved), all not approved install packages should not be needed
... Another idea: I misunderstand the WSUS use: All published packages are needed if the package requirements meet the client's configuration (for example: Java x32 for x64 package --> client x64 OS), right? The check whether a software in an older version is already installed (by searching for a reg-key) is also a "package requirement". So all updates which are not installed and not approved are left in status needed. Then there is no way to define "package x has not to be installed on client group y" ... Or "package x is only needed and to be installed in client group y, whether it is installed or not"?