Could some of these be for updates that we have declined previously and therefore are no longer visible in WSUS however may still needed by our machines?
It's certainly possible. If the Updates classification is being synchronized, but the WSUS Administrator is unilaterally declining them because a decision was made to never deploy them via WSUS, they would appear as available from WU, but not from WSUS. But also, they could be synchronized to WSUS, and simply Not Approved. A Not Approved update would also never appear in the Windows Update applet. The updates that appear in the listing presented in the image are updates that are available for installation -- this implies that such updates have been Approved on the WSUS server for a target group containing the client. It could also be that the WSUS server just isn't synchronizing this classification at all. I've seen many WSUS Admins only select Security Updates and Critical Updates when configuring a WSUS server.
How should we handle these?
That probably depends to some extent on your organizational IT and Patch Management policies.
- If the updates are not available via WSUS, but should be, then one approach is to remediate the configuration of the WSUS server.
- If the updates are not available via WSUS "by design" -- somebody decided NOT to deploy these type of updates via WSUS -- then it may simply be a question of whether any of these updates are actually desirable to be installed on your server(s), and if so, whether there's nothing in organizational policy precluding you from installing these from Windows Update. Of course, doing so completely defeats the whole idea of having centralized reporting, since the existence of these updates as installed.will never get reported to the WSUS server, and having server admins pick-and-choose updates from WU can really mess up a centralized deployment strategy for update classifications that are managed via WSUS.
- If the updates are prohibited from being installed because they're not made available via WSUS, then you have a bigger issue to deal with -- particularly if you identify an update that is actually needed by your server(s).
FWIW, in my observations about 75% of these updates in the Updates classification are bugfixes to features that are not normally implemented on server operating systems. You'll want to evaluate these type of updates on a per-update basis before actually installing them. For example, I know that one of them is likely a USB Video update -- which is totally useless and meaningless on a virtual machine.