* Updates *
- Do NOT remove the “all” in the language script (Decline-Windows10Languages.ps1) as I did in the video at 25:14. This change is not required or recommended.
- It’s recommended to first run the script with the -Whatif switch or option in the config.ini to see what will be declined.
- Update: in the latest script, you can use a config.ini file rather than a bunch of PowerShell parameters. Here’s the config.ini I’m now using instead of parameters.
- Here’s what the updated script folder structure looks like
Overview
In this video guide, we walk through maintaining the WSUS catalog to reduce the catalog size and client scanning issues. We cover optimizing the IIS AppPool settings for WSUS, indexing the SUSDB, setting up a scheduled task that runs a script to automatically decline superseded updates, changing the wsyncmgr purge of expired updates from 7 days to 0 days, and comparing the initial catalog download size on a client.
There are a lot of good WSUS maintenance scripts out there now. In my video, I used Bryan Dam’s script. See the resources below for more information that complements what I cover.
Creating a Scheduled Task to Automate the Declining of Updates
- Scheduled Task Options for Bryan Dam’s WSUS Scripts
- Program: powershell.exe
- Argument: -NoLogo -NoProfile -NonInteractive -ExecutionPolicy ByPass -command <PATH>\Invoke-DGASoftwareUpdateMaintenance.ps1
- Download config.ini that I am now using in the updated release of the script
Topics in Video
- Review SUP Products that are Enabled – https://youtu.be/wqBaTp855sk?t=117
- Review WSUS Catalog for Un-Maintained WSUS Catalog – https://youtu.be/wqBaTp855sk?t=171
- Review All Software Updates in SCCM Console – https://youtu.be/wqBaTp855sk?t=295
- Perform Update Scan on Client to Un-Maintained WSUS Catalog – https://youtu.be/wqBaTp855sk?t=343
- Review Catalog Download Size on Client (13.5MB) – https://youtu.be/wqBaTp855sk?t=567
- Optimize WSUS IIS AppPool Settings – https://youtu.be/wqBaTp855sk?t=730
- Indexing SUSDB – https://youtu.be/wqBaTp855sk?t=797
- Creating the two WSUS SUSDB Indexes to Improve Speed when Declining Updates – https://youtu.be/wqBaTp855sk?t=881
- Adding Scheduled Task for Declining Updates to Run Bryan Dam’s Script – https://youtu.be/wqBaTp855sk?t=946
- Changing wsyncmgr Expired Purge Time From 7 days to 0 Days – https://youtu.be/wqBaTp855sk?t=1765
- Perform Update Scan on Client to Maintained WSUS Catalog (2MB) – https://youtu.be/wqBaTp855sk?t=1896
Resources for This Guide:
- The complete guide to Microsoft WSUS and Configuration Manager SUP maintenance – https://blogs.technet.microsoft.com/configurationmgr/2016/01/26/the-complete-guide-to-microsoft-wsus-and-configuration-manager-sup-maintenance/
- Bryan Dam’s Script | Software Update Maintenance Script Updated: All the WSUSness – https://damgoodadmin.com/2018/04/17/software-update-maintenance-script-updated-all-the-wsusness/
- Johan Arwidmark | Fixing WSUS – When the Best Defense is a Good Offense | This post links out to many additional posts about WSUS optimization – https://deploymentresearch.com/Research/Post/665/Fixing-WSUS-When-the-Best-Defense-is-a-Good-Offense
- Enhancing WSUS database cleanup performance SQL script – https://stevethompsonmvp.wordpress.com/2018/05/01/enhancing-wsus-database-cleanup-performance-sql-script/
- WSUS Reindex SUSDB Script – https://gallery.technet.microsoft.com/scriptcenter/6f8cde49-5c52-4abd-9820-f1d270ddea61
- Script to Change wsyncmgr Purge of Expired Updates From 7 Days to 0 Days – https://setupconfigmgr.com/wp-content/uploads/2018/06/Adjust-WSync_UpdateCleanupAge.zip
Arguments for Scheduled Task:
Note: you will need to change the script path
-NoLogo -NoProfile -NonInteractive -ExecutionPolicy ByPass -command J:\Scripts\Invoke-DGASoftwareUpdateMaintenance.ps1 -DeclineSuperseded -UpdateListOutputFile J:\Scripts\DeclinedUpdates.csv -DeclineByTitle @('*Itanium*','*ia64*','*Beta*') -DeclineByPlugins -CleanSUGs -RemoveEmptySUGs -RunCleanUpWizard -Force
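The steps above as one PowerShell session: an added example, not code from this post or from Bryan Dam's project. It lists who can modify the script file, does the recommended -WhatIf dry run, and then registers the task with the program and arguments shown. The task name, weekly schedule and run-as account are assumptions, and the J:\Scripts paths must be changed to your own.

```powershell
# Added example. Task name, schedule and run-as account are assumptions (placeholders).
$ScriptPath = 'J:\Scripts\Invoke-DGASoftwareUpdateMaintenance.ps1'  # change to your path
$CsvPath    = 'J:\Scripts\DeclinedUpdates.csv'
$TaskName   = 'WSUS Decline Superseded Updates'   # hypothetical task name
$RunAs      = 'EXAMPLE\svc-wsusmaint'             # placeholder service account

if (-not (Test-Path -LiteralPath $ScriptPath)) { throw "Script not found: $ScriptPath" }

# The task starts this file with -ExecutionPolicy ByPass under the run-as account,
# so review every identity that is allowed to change the file before scheduling it.
(Get-Acl -LiteralPath $ScriptPath).Access |
    Where-Object { $_.AccessControlType -eq 'Allow' -and
                   $_.FileSystemRights -match 'Write|Modify|FullControl' } |
    Format-Table IdentityReference, FileSystemRights -AutoSize | Out-Host

# Switches taken from the post's scheduled-task argument line (paths without spaces).
$Switches = "-DeclineSuperseded -UpdateListOutputFile $CsvPath " +
            "-DeclineByTitle @('*Itanium*','*ia64*','*Beta*') -DeclineByPlugins " +
            "-CleanSUGs -RemoveEmptySUGs -RunCleanUpWizard -Force"

# Dry run first, as the post recommends: same switches plus -WhatIf.
powershell.exe -NoLogo -NoProfile -ExecutionPolicy ByPass -command "$ScriptPath $Switches -WhatIf"

if ((Read-Host 'Register the scheduled task? (y/n)') -ne 'y') { return }

$Action  = New-ScheduledTaskAction -Execute 'powershell.exe' -Argument (
    "-NoLogo -NoProfile -NonInteractive -ExecutionPolicy ByPass -command $ScriptPath $Switches")
$Trigger = New-ScheduledTaskTrigger -Weekly -DaysOfWeek Sunday -At '2:00AM'  # assumed schedule
$Cred    = Get-Credential -UserName $RunAs -Message 'Password for the task account'

Register-ScheduledTask -TaskName $TaskName -Action $Action -Trigger $Trigger `
    -User $RunAs -Password $Cred.GetNetworkCredential().Password -RunLevel Highest
```

Review the CSV written by -UpdateListOutputFile after the first scheduled run to confirm the declined set matches the dry run.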
Quick question: if I have a CAS-Primary environment, do I have to run it on the CAS and then on the primaries?
Hey,
This blog has some good details about running maintenance on WSUS in a hierarchy: https://blogs.technet.microsoft.com/configurationmgr/2016/01/26/the-complete-guide-to-microsoft-wsus-and-configuration-manager-sup-maintenance/. “Remember that when doing WSUS maintenance when you have downstream servers, you add to the WSUS servers from the top down, but remove from the bottom up. So if you are syncing/adding updates, they flow into the top (upstream WSUS server) then replicate down to the downstream servers. When you do a cleanup, you are removing things from the WSUS servers, so you should remove from the bottom of the hierarchy and allow the changes to flow up to the top.”
So Justin, in a CAS>Primary>Secondary hierarchy, do we run the maintenance / scripts on every secondary first? Then the primaries? Then the CAS? Or does just running it on the secondaries do the trick?
Thanks
Yes to this 🙂 (do we run the maintenance / scripts on every secondary first? Then the primaries? Then the CAS?)
My organization tried to implement updates through SCCM several years ago, but gave up on the attempt. Put up a standalone WSUS server with the file server. Going forward with Windows 10, I took on the task of shoring that up. The primary site server’s WSUS was so long un-maintained I figured I should just spin up a new server to be an update point. It’s now working, however I can’t seem to run the DGASoftwareUpdateMaintenance script to clean it up.
“Currently, this script must be ran on a primary site server. When the CM 1706 reaches critical mass this requirement might be removed. Invoke-DGASoftwareUpdateMaintenance 8/15/2018 2:34:59 PM 7112 (0x1BC8)”
Should I just make do with what I’ve got until that requirement is (possibly) removed? Or how else should I go about running a maintenance script against the current SUP?
I think there may be an option to run in standalone WSUS mode when WSUS isn’t on the site server. I will ping BDAM to see if he can reply with details.
Yep, it depends on what you’re trying to run it against. If you’re trying to run it against the standalone WSUS server your predecessor created then you’d use the StandAloneWSUS options which _should_ avoid that check. If you’re running it against an actual SUP then you will want to run the script from your primary site server. Note, your new SUP should not use the pre-existing stand-alone WSUS instance and needs a totally new one.
Thanks Bryan!
Can you give some guidance on how to implement this in a primary –> secondary site configuration? I have a single primary site with 3 secondary sites. The primary SUP syncs with MU, and the secondary SUPS are downstream WSUS syncing with primary SUP.
You should be able to just run the decline superseded updates script from the site server; those changes will flow down through the sync. I believe for the WSUS Cleanup Task (if enabled) it’s recommended to run that from the bottom up.
Hi Justin,
Quick question about the Re-index the WSUS 3.0 Database script you ran on SQL. You mentioned that you could set this up as a maintenance plan. Wondering what you recommend for how often to run that?
I think once a week would probably be fine.
Hi Justin,
I am only able to keep English language updates. I have the array set up like this: $SupportedUpdateLanguages=@("en","de","zh","jp","all"). Then I run the script using the whatif parameter to see what is being declined. What am I doing wrong?
Just pinged Bryan to see if he can chime in on this question.
Honestly, no real idea since I don’t have any non-English updates left. Keep in mind two things though.
First: That array is only used for Stand-Alone WSUS environment. If you have ConfigMgr it will grab the languages from there.
Second: This only applies to Windows 10 updates.
The logic there is really quite simple so it shouldn’t be overly hard to troubleshoot. The script is filtering on Win 10 updates then looping through each supported language to see if it’s on the list.
Hello,
I’m trying to use Adjust-WSync_UpdateCleanupAge.vbs with SCCM 1810 (5.00.874.1033) and receiving the error:
‘Failed to open desired object with error code -2147217379 (Unexpected error). Aborting!’
Did you replace the sitecode and server in the script?
Yes, I did.
Hi Justin and thank you for this. If you decline anything how can you reverse it? Say I want to decline a specific language then later on it is required.
Thanks
Right-click approve then leave the computer group(s) not selected.
I think I may know the answer. I assume you remove the product in question from the decline script; I just want to be sure. Thanks
I posted this comment on the YouTube video but am also posting it here in case it isn’t seen 🙂
Thanks for the great guides! I have a question I’m hoping you can help with.
I ran the VB script you provided to change the wsyncmgr expired purge time from 7 days to 0 days (after putting in my server’s FQDN and site code). Next, I declined an update in WSUS, saw that it was expired in ConfigMgr, and scheduled a full SUP sync. The expired update is still showing in ConfigMgr and wsyncmgr doesn’t show any sign of this update being deleted.
Have you seen this problem before?
Can I ask where this script comes from? I can’t find much documentation on it and am wondering if it’s supported with ConfigMgr 1910.
Hoping you can help as it’s a bit annoying waiting 7 days for expired updates to purge from the ConfigMgr console.
Regarding my VB script issue – it resolved itself. The updates purged but took several hours. Still better than waiting 7 days though!
I have noticed it can take a few syncs now to purge. I think there was a code-change maybe that affected the wsyncmgr thread, because I know it used to always be almost immediate.
I am seeing this error now; it looks like it started a few months ago in my lab: The site code *** could not be found. Invoke-DGASoftwareUpdateMaintenance 4/15/2020 2:39:18 PM 4156 (0x103C)
I got it working, crazy, my runas account lost its rights.
Apparently most tasks have been implemented in SCCM from version 1906 and newer, except re-indexing the WSUS database according to this article, or am I mistaken?
https://support.microsoft.com/en-us/help/4490644/complete-guide-to-microsoft-wsus-and-configuration-manager-sup-maint
Which topics in this video do you recommend still to be done?
The built-in maintenance will probably work fine now https://docs.microsoft.com/en-us/mem/configmgr/sum/deploy-use/software-updates-maintenance
Hello Justin,
I’d like to know how I can use the config.ini file
Thanks a lot
I’m planning on making an updated video for WSUS maintenance soon. TBH, I would just use the built-in feature at this point: https://docs.microsoft.com/en-us/troubleshoot/mem/configmgr/wsus-maintenance-guide
Hi Justin ,
Implemented this in my test environment.
I have a lot fewer upgrades in my Windows 10 servicing plan. I went from 2438 to 82 🙂
The problem now is as follows: 76 of them are Windows 11 upgrades (business edition) and Windows 11 (consumer editions) in various languages. How do I get rid of them with the scripts you described?
To make things clear, we do support Windows 11 but only Enterprise.
And another issue: my expired updates are not removed. I ran the script Adjust-WSync_UpdateCleanupAge and filled in my server name and site code. I ran the script with server name and site code. I changed the sync schedule of my SUP to start syncing in 5 minutes (which happened). I checked that there are no expired updates in a SUG (there are not). I ran the script Invoke-DGASoftwareUpdateMaintenance with the -force option (because it had already run this day). I used your config.ini file.
What am I missing and why are the expired updates still showing up?
A lot of questions, and I apologise for any inconvenience.
The expired updates are now removed. I guess I just had to wait one day 🙂