How to remove windows servers from WSUS

  • Question

  • I inherited a WSUS system that pushes updates to workstations and servers.  I don't want the updates to go to the servers though.  I have removed them from the classifications list but the updates for servers are still there.  Do I have to decline all of the server updates?  Is there a way to completely get rid of the server/server updates?
    Monday, July 17, 2017 12:26 PM

All replies

  • Hi Robin, If you've removed them from Products and Classifications, that should stop future server updates from being downloaded. If servers are still getting updates, it sounds like there are updates that were previously approved, either manually or automatically. Is there an automatic approval rule in WSUS that says, for example, automatically approve security updates for clients and servers? If so, you could change this so that updates are not automatically approved for servers. Then manually run the rule to apply it. If you don't want to patch servers, you could then decline them. Hope this helps.
    • Proposed as answer by Yan Li_ Wednesday, July 19, 2017 5:45 AM
    Monday, July 17, 2017 10:19 PM
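
    The checks suggested in the reply above, as an added example that is not part of the original post. It assumes the UpdateServices PowerShell module on the WSUS server (Windows Server 2012 or later) and an assumed title pattern of 'Windows Server' for picking out server products; adjust the pattern to the products in your catalog.

```powershell
# Added example; run in an elevated PowerShell session on the WSUS server.
Import-Module UpdateServices
$wsus = Get-WsusServer   # connects to the local WSUS server

# 1. Automatic approval rules: which computer groups and products each rule covers.
#    An empty Groups or Products value means the rule does not filter on it.
$wsus.GetInstallApprovalRules() | ForEach-Object {
    [pscustomobject]@{
        Rule     = $_.Name
        Enabled  = $_.Enabled
        Groups   = ($_.GetComputerTargetGroups() | ForEach-Object { $_.Name }) -join '; '
        Products = ($_.GetCategories() | ForEach-Object { $_.Title }) -join '; '
    }
} | Format-List

# 2. Updates that are still approved and whose product list names a server product.
#    'Windows Server' is an assumed pattern, not something taken from the thread.
$serverUpdates = Get-WsusUpdate -Classification All -Approval Approved -Status Any |
    Where-Object { $_.Products -match 'Windows Server' }

$serverUpdates |
    Select-Object @{ n = 'Title'; e = { $_.Update.Title } }, Classification, Products |
    Format-Table -AutoSize

# 3. Preview the decline. Remove -WhatIf only after reviewing the list from step 2.
$serverUpdates | Deny-WsusUpdate -WhatIf
```

    Declining in step 3 only stops WSUS from offering the updates; it does not uninstall anything already installed on a server.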
  • Hello,

    If those updates are approved, then your servers may get those updates. If those updates have already been installed on those servers, declining would not remove them from the servers; you may choose to approve updates for removal.

    In my opinion, if those updates do not influence your servers, you do not need to remove them. You may leave them unapproved, and then when running the Server Cleanup Wizard, those updates that have not been approved for 30 days can be removed.

    According to the title of this post, if you want to remove windows servers from WSUS, you can just delete them from the console. 

    Regards,

    Yan Li



    Wednesday, July 19, 2017 5:58 AM
  • That is the frustrating part.  I have deleted these servers several times and they keep coming back.  They show as having updates needed, but none of the updates are approved.
    Friday, August 25, 2017 5:47 PM
  • GPOs are responsible for pointing Windows clients (workstations and servers) to a website for the local Windows Update client to check for updates. If your servers are NOT being updated from WSUS, create a new GPO and point the Windows Update Location back to Microsoft (simply switching to not configured is not enough). Delete the servers from WSUS, and once the GPO applies to the servers, they will not come back into WSUS.

    Just to clarify, WSUS doesn't PUSH. WSUS is a repository of updates - it's just a website (with some application code behind it) to present updates to clients that are set up to check that location for updates.

    I would recommend that you keep the servers on WSUS and update them appropriately. If you're looking for that '100%' up to date report - you may never get it. Even if you don't approve an update, it may apply to a server as a needed update, and therefore will never show 100% if you don't approve it for install.

    You need to change how you think.

    Also, if you're talking about removing Declined updates from the WSUS database, my script has a switch for that (does not run on -FirstRun, but does run on -QuarterlyRun, manually, or on the schedule on the Quarters).

    Have a peek at my Adamj Clean-WSUS script. It is the last WSUS Script you will ever need!

    http://community.spiceworks.com/scripts/show/2998-adamj-clean-wsus

    What it does:

    1. Add WSUS Index Optimization to the database to make many database operations in WSUS approximately 1000-1500 times faster.
    2. Remove all Drivers from the WSUS Database (Default; Optional).
    3. Shrink your WSUSContent folder's size by declining multiple types of updates including by default any superseded updates, preview updates, expired updates, Itanium updates, and beta updates. Optional extras: Language Packs, IE7, IE8, IE9, IE10, Embedded, NonEnglishUpdates, ComputerUpdates32bit, WinXP.
    4. Remove declined updates from the WSUS Database.
    5. Clean out all the synchronization logs that have built up over time (configurable, with the default keeping the last 14 days of logs).
    6. Compress Update Revisions.
    7. Remove Obsolete Updates.
    8. Computer Object Cleanup (configurable, with the default of deleting computer objects that have not synced within 30 days).
    9. Application Pool Memory Configuration to display the current private memory limit and easily set it to any configurable amount including 0 for unlimited. This is a manual execution only.
    10. Checks to see if you have a dirty database, and if you do, fixes it. This is primarily for Server 2012 WSUS, and is a manual execution only.
    11. Run the Recommended SQL database Maintenance script on the actual SQL database.
    12. Run the Server Cleanup Wizard.

    It will email the report out to you or save it to a file, or both.

    Although the script is lengthy, it has been made to be super easy to set up and use, so don't overthink it. There are some prerequisites and instructions at the top of the script. After installing the prerequisites and configuring the variables for your environment (email settings only if you are accepting all the defaults), simply run:

    .\Clean-WSUS.ps1 -FirstRun

    If you wish to view or increase the Application Pool Memory Configuration, or run the Dirty Database Check, you must run it with the required switch. See Get-Help .\Clean-WSUS.ps1 -Examples

    If you're having trouble, there's also a -HelpMe option that will create a log so you can send it to me for support.


    Adam Marshall, MCSE: Security
    http://www.adamj.org

    Saturday, September 2, 2017 2:48 AM
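
    A way to confirm on a server which update location Group Policy has actually applied, as an added example that is not part of the original post. It reads the standard Windows Update policy registry values (WUServer, WUStatusServer, UseWUServer, TargetGroup); the function name and the server names in the last comment are hypothetical.

```powershell
# Added example. Reads the Windows Update policy values that Group Policy writes
# to the registry and reports which update source the client will check.
function Get-WindowsUpdateSource {
    [CmdletBinding()]
    param(
        # Remote servers to query over PowerShell remoting; omit for the local machine.
        [string[]]$ComputerName
    )

    $probe = {
        $wuKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
        $wu = Get-ItemProperty -Path $wuKey -ErrorAction SilentlyContinue
        $au = Get-ItemProperty -Path "$wuKey\AU" -ErrorAction SilentlyContinue

        # The client only honours WUServer when UseWUServer is set to 1.
        $usesWsus = ($au.UseWUServer -eq 1) -and
                    -not [string]::IsNullOrWhiteSpace($wu.WUServer)

        [pscustomobject]@{
            Computer       = $env:COMPUTERNAME
            UseWUServer    = $au.UseWUServer
            WUServer       = $wu.WUServer
            WUStatusServer = $wu.WUStatusServer
            TargetGroup    = $wu.TargetGroup
            UpdateSource   = if ($usesWsus) { 'WSUS' } else { 'Microsoft (default)' }
        }
    }

    if ($ComputerName) {
        Invoke-Command -ComputerName $ComputerName -ScriptBlock $probe |
            Select-Object Computer, UseWUServer, WUServer, WUStatusServer,
                          TargetGroup, UpdateSource
    } else {
        & $probe
    }
}

# Local check on the server itself.
Get-WindowsUpdateSource | Format-List

# Hypothetical server names; replace with your own.
# Get-WindowsUpdateSource -ComputerName 'SRV-APP01', 'SRV-FILE01' | Format-Table -AutoSize
```

    A server that still reports UpdateSource as WSUS will register with the WSUS console again the next time it checks for updates, which matches the reappearing computer objects described earlier in the thread.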