How do you manage products and classifications

  • General discussion

  • Hi all,

    I just wanted to start a discussion on how other system administrators manage products and classifications on their WSUS server(s).

    The environment I work in is made up of a master WSUS server located in our data centre in Europe. From there I then have downstream WSUS servers in each country and also offices. My WSUS environment looks after clients as well as servers.

    In terms of products and classifications we are selective about the OS versions we run and some of the products such as Office or SQL or CRM etc. We only have 3 classifications enabled.

    I can't help thinking about just turning on everything and letting clients ask for the updates when they are applicable. A bit like when you are not in a corporate environment. Computers are getting pushed updates for everything if applicable and when MS releases updates.

    So yeah, I can't help wondering if we system admins are actually making the patching process much harder for ourselves?



    Thursday, July 20, 2017 7:40 PM

All replies

  • before you ask yourself the question "what products+classifications should I have?", there's another question....

    "do we need to manage updating at all?"

    you might wish to manage updating, for several different reasons;

    - tightly control the change/release process, to avoid disrupting complex/sensitive systems
    - ensure updates/patches are deployed widely, and/or report upon updates/patches for compliance
    - control the traffic within your network/LAN/WAN and at your DMZ/edge/firewall/proxy

    if you don't need to worry about any of those points, then, maybe you don't need to be managing updating at all?

    Don [doesn't work for MSFT, and they're probably glad about that ;]

    Thursday, July 20, 2017 9:57 PM
  • Hi Don,

    Sorry for the late reply. We do need some control so I cannot get around a WSUS server, but I do lack the experience of properly managing one.

    Only today I really realised that we are approving updates for Itanium computers and yet we do not have any.

    Wednesday, July 26, 2017 3:22 PM
  • Keep an eye out for my version 3.0 of my cleanup script (just entering the Beta testing phase - if you want to beta test it, let me know). It has a cleanup option for Itanium updates.

    Have a peek at my Adamj Clean-WSUS script. It is the last WSUS Script you will ever need.


    What it does:

    1. Remove all Drivers from the WSUS Database.
    2. Shrink your WSUSContent folder's size by declining superseded updates.
    3. Remove declined updates from the WSUS Database.
    4. Clean out all the synchronization logs that have built up over time (configurable, with the default keeping the last 14 days of logs).
    5. Compress Update Revisions.
    6. Remove Obsolete Updates.
    7. Computer Object Cleanup (configurable, with the default of deleting computer objects that have not synced within 30 days).
    8. Application Pool Memory Configuration to display the current private memory limit and easily increase it by any configurable amount.
    9. Run the Recommended SQL database Maintenance script on the actual SQL database.
    10. Run the Server Cleanup Wizard.

    It will email the report out to you or save it to a file, or both.

    Although the script is lengthy, it has been made to be super easy to set up and use. There are some prerequisites and instructions at the top of the script. After installing the prerequisites and configuring the variables for your environment, simply run:

    .\Clean-WSUS.ps1 -FirstRun

    and then

    .\Clean-WSUS.ps1 -InstallTask

    If you wish to view or increase the Application Pool Memory Configuration, you must run it with the required switch. See Get-Help .\Clean-WSUS.ps1 -Examples

    If you're having trouble, there's also a -HelpMe option that will create a log so you can send it to me for support.

    Adam Marshall, MCSE: Security

    Sunday, July 30, 2017 8:13 PM
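
For the question raised in this thread (what is the server actually subscribed to, and are Itanium updates being approved with no Itanium machines present), a short audit using the built-in UpdateServices module is shown below. This is an added example, not part of any post above and not code from the Clean-WSUS script; it assumes it is run elevated on the WSUS server and that Itanium updates can be recognised by the title pattern shown.

```powershell
# Added example: audit the WSUS subscription and locate Itanium updates.
# Assumption: run in an elevated session on the WSUS server itself.
Import-Module UpdateServices

$wsus = Get-WsusServer            # local server; use -Name/-PortNumber for a remote one
$sub  = $wsus.GetSubscription()

# What the server is currently synchronising.
'Enabled products:'
$sub.GetUpdateCategories() | Sort-Object Title |
    ForEach-Object { "  $($_.Title)" }

'Enabled classifications:'
$sub.GetUpdateClassifications() | Sort-Object Title |
    ForEach-Object { "  $($_.Title)" }

# Assumption: Itanium updates are identifiable by their title.
$pattern = 'Itanium|ia64'

# Everything that has not been declined yet, regardless of client status.
$itanium = Get-WsusUpdate -UpdateServer $wsus -Approval AnyExceptDeclined `
                          -Classification All -Status Any |
    Where-Object { $_.Update.Title -match $pattern }

"Updates not yet declined that match '$pattern': $(@($itanium).Count)"
$itanium | ForEach-Object { $_.Update.Title } | Sort-Object

# Dry run only. Remove -WhatIf after reviewing the list above.
$itanium | Deny-WsusUpdate -WhatIf
```

Comparing the product and classification lists against the operating systems and applications actually deployed shows whether the subscription is broader than it needs to be.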