WSUS 2016 - server clean up RRS feed

  • Question

  • Hello,

    Under products and classifications we had accidentally added 'updates' now all workstations  show they need updates.  I've unticked this and run the clean up tool, but they still remain.  Before we had this enabled all workstations showed there were up-to-date and had a zero next to them.

    This is how they look now, this workstation needs 116 updates which it doesn't:

    We now have it set like this:

    However workstations still show the updates.

    Do we have to wait a few days now for workstations to checkin?  or can we run 'wuauclt /reportnow' on each of them?


    Friday, June 23, 2017 2:31 PM

All replies

  • Have a peek at my Adamj Clean-WSUS script. It is the last WSUS Script you will ever need.


    What it does:

    1. Remove all Drivers from the WSUS Database.
    2. Shrink your WSUSContent folder's size by declining superseded updates.
    3. Remove declined updates from the WSUS Database.
    4. Clean out all the synchronization logs that have built up over time (configurable, with the default keeping the last 14 days of logs).
    5. Compress Update Revisions.
    6. Remove Obsolete Updates.
    7. Computer Object Cleanup (configurable, with the default of deleting computer objects that have not synced within 30 days).
    8. Application Pool Memory Configuration to display the current private memory limit and easily increase it by any configurable amount.
    9. Run the Recommended SQL database Maintenance script on the actual SQL database.
    10. Run the Server Cleanup Wizard.

    It will email the report out to you or save it to a file, or both.

    Although the script is lengthy, it has been made to be super easy to setup and use. There are some prerequisites and instructions at the top of the script. After installing the prerequisites and configuring the variables for your environment, simply run:

    .\Clean-WSUS.ps1 -FirstRun

    and then

    .\Clean-WSUS.ps1 -InstallTask

    If you wish to view or increase the Application Pool Memory Configuration, you must run it with the required switch. See Get-Help .\Clean-WSUS.ps1 -Examples

    If you're having trouble, there's also a -HelpMe option that will create a log so you can send it to me for support.

    Adam Marshall, MCSE: Security

    Saturday, June 24, 2017 2:53 AM
  • I also suggest you select all checkboxes in classification except for Drivers.

    Adam Marshall, MCSE: Security

    Saturday, June 24, 2017 2:55 AM
  • Hi TB303,

    1. It's recommended to select all classifications expect "Drivers"(As Adamj has already mentioned above);

    2. After you check "updates" in classifications, clients report as needing these updates, then, we'd approve these updates for clients to install, instead of removing these updates;

    3. Server Cleanup Wizard could only remove the update binary files in Content folder, it will not remove the WSUS metadata in SUSDB;

    I would suggest doing the following things:

    1. Check all classifications expect drivers, then sync from MU or upstream WSUS server;

    2. Wait for clients to report the latest status into WSUS server;

    3. Approve needed updates for clients to install;

    4. After clients installing the updates, we may run Server Cleanup Wizard.

    Best Regards,


    Please remember to mark the replies as answers if they help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.

    Monday, June 26, 2017 2:49 AM
  • Hello Adam,

    I downloaded the txt file and renamed it to a PS1 and then used the -FirstRun, but I get this:

    Windows 2016

    Monday, June 26, 2017 2:29 PM
  • Hi TB303,

    Just to check if you tried the suggestions in my last reply.

    Best Regards,


    Please remember to mark the replies as answers if they help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.

    Thursday, June 29, 2017 7:10 AM
  • You didn't read and follow the prerequisites. You're not using ANSI - that's encoded in something else. I can tell because of the special characters by the word TXT.

    Adam Marshall, MCSE: Security

    Thursday, June 29, 2017 12:27 PM
  • Hello,

    I've saved the file and opened in Notpadd++ and converted to ANSI and saved as a PS1 and opened powershell as an Admin and ran the script with a -Firstrun switch and I'm not sure if it ran as there was no output after.

    How can I check it ran please?

    Friday, July 7, 2017 2:36 PM
  • When you run -FirstRun, it should give output on the screen that it's running. Try downloading it from a different machine and copying it to the WSUS server.

    Adam Marshall, MCSE: Security

    Friday, July 7, 2017 3:04 PM
  • Got more output this time, look ok (SMTP doesn't matter I guess):

    Monday, July 10, 2017 2:06 PM
  • I always see your post everywhere then click that URL but is NOT FREE you have to PAY$$$, is this a pure spam?

    JUN Pogi

    Saturday, October 13, 2018 5:58 AM
  • No it was free when I posted the links. You are looking at last year's posts. The software is now not free (as of June 1st 2018) as I have turned it into a business and I don't advertise it directly anymore unless I have paid for the right to advertise.

    Adam Marshall, MCSE: Security
    Microsoft MVP - Windows and Devices for IT

    Saturday, October 13, 2018 12:08 PM