locked
WSUS 3.2 on SBS 2011 RRS feed

  • Question

  • I am running WSUS version 3.2.7600.251 on a machine with SBS 2011 Standard (SP1) installed, and I have been having problems with it for ages.  Mostly it has been to do with the WSUS console hanging and asking me if I want to reset the server node.  This doesn't seem to help, by the way, and the only way I can get a working console back is by resetting the server.  I'm sure it would also work to reset sone service or other, but I am not experienced enough to know which one.  Perhaps SQL?  I'd love to know what is causing this, but I will put that as a secondary priority for now.

    My primary issue is that since I turned on a daily notification from WSUS regarding the status of updates and which machines needed what I noticed an inconsistency between that e-mail and the daily report generated by SBS.  My SBS report says that only one machine needs an update (a laptop which isn't connected to the network very often), yet the e-mail from WSUS says that all machines are missing at least one update.

    When I go to the WSUS console (if it doesn't crash) it tells me that there are no computers which are missing an update (other than the laptop) so it is agreeing with the SBS report.  When I go onto a client machine and run windows update it also says there are no updates available (it searches the WSUS database).  However, when I force the client machine to check directly with Microsoft, up pops the missing updates.  They install fine and everybody is happy ... except me.

    I have checked that WSUS is synchronising regularly and without error, I have moved from storing the updates locally to retrieving them from the web (we only have 11 machines, so it's not much of an overhead for small updates), and I have just this morning moved back again to local storage.  I have checked the GPO entries to make sure that everything is correct and the correct update source is selected (the local server) and that WSUS is communicating with Microsoft for its source.  We have no upstream/downstream servers (it is a SBS installation, after all) and so I am completely stumped.  I have even removed WSUS from SBS as a role within the Server Manager window and told the client computers to just revert to contacting Microsoft Update themselves, but that just threw up regular errors on the SBS report moaning that WSUS was missing.  Reinstalling it I used all the default settings.

    Does anybody have any idea why I cannot get WSUS to work properly for me?  As a sideline, why do I only get access to the console once?

    Thanks in advance for help and advice :-)

    Tuesday, June 6, 2017 9:04 AM

Answers

  • Before giving up, please run my script. It usually fixes these issues and brings life back to WSUS. Before you say .Net 4 is not compatible with SBS, see the notes at the bottom of the post.


    Have a peek at my Adamj Clean-WSUS script. It is the last WSUS Script you will ever need.

    http://community.spiceworks.com/scripts/show/2998-adamj-clean-wsus

    What it does:

    1. Remove all Drivers from the WSUS Database.
    2. Shrink your WSUSContent folder's size by declining superseded updates.
    3. Remove declined updates from the WSUS Database.
    4. Clean out all the synchronization logs that have built up over time (configurable, with the default keeping the last 14 days of logs).
    5. Compress Update Revisions.
    6. Remove Obsolete Updates.
    7. Computer Object Cleanup (configurable, with the default of deleting computer objects that have not synced within 30 days).
    8. Application Pool Memory Configuration to display the current private memory limit and easily increase it by any configurable amount.
    9. Run the Recommended SQL database Maintenance script on the actual SQL database.
    10. Run the Server Cleanup Wizard.

    It will email the report out to you or save it to a file, or both.

    Although the script is lengthy, it has been made to be super easy to setup and use. There are some prerequisites and instructions at the top of the script. After installing the prerequisites and configuring the variables for your environment, simply run:

    .\Clean-WSUS.ps1 -FirstRun

    and then

    .\Clean-WSUS.ps1 -InstallTask

    If you wish to view or increase the Application Pool Memory Configuration, you must run it with the required switch. See Get-Help .\Clean-WSUS.ps1 -Examples

    If you're having trouble, there's also a -HelpMe option that will create a log so you can send it to me for support.


    For SBS notes - Taken from my version 3.0 which is what I'm working on right now.


        - For SBS 2008: This script WILL work on SBS 2008 - you just have to install the pre-requisites below.
                        .NET 4 is backwards compatible and I have a lot of users who have installed it on SBS 2008 and use the script.
            - Install Windows Powershell from Server Manager - Features
            - Install .NET 3.5 SP1 from - https://www.microsoft.com/en-ca/download/details.aspx?id=25150
            - Install SQL Server Management Studio from https://www.microsoft.com/en-ca/download/details.aspx?id=30438
              You want to choose SQLManagementStudio_x64_ENU.exe
            - Install .NET 4.0 - https://www.microsoft.com/en-us/download/details.aspx?id=17718
            - Install Powershell 2.0 & WinRM 2.0 from https://www.microsoft.com/en-ca/download/details.aspx?id=20430
            - Install Windows Management Framework 3.0 from https://www.microsoft.com/en-us/download/confirmation.aspx?id=34595

        - For SBS 2011: This script WILL work on SBS 2011 - you just have to install the pre-requisites below.
                        .NET 4 is backwards compatible and I have a lot of users who have installed it on SBS 2011 and use the script.
            - Install .NET 4.5.2 from https://www.microsoft.com/en-ca/download/details.aspx?id=42642
            - Install Windows Management Framework 4.0 and reboot from https://www.microsoft.com/en-ca/download/details.aspx?id=40855
            - Install SQL Server Management Studio from https://www.microsoft.com/en-ca/download/details.aspx?id=30438
              You want to choose SQLManagementStudio_x64_ENU.exe

    Please see my comments (OverDrive) and the run through here:

    https://community.spiceworks.com/topic/1999958-need-help-getting-rid-of-wsuscontent-files

    Everything that says .NET 3+ on SBS is not supported revolves around old information.


    Adam Marshall, MCSE: Security
    http://www.adamj.org

    • Marked as answer by Angus Kitchin Sunday, July 16, 2017 6:24 PM
    Thursday, June 22, 2017 4:52 AM

All replies

  • I am running WSUS version 3.2.7600.251 on a machine with SBS 2011 Standard (SP1) installed, and I have been having problems with it for ages.  Mostly it has been to do with the WSUS console hanging and asking me if I want to reset the server node.  This doesn't seem to help, by the way, and the only way I can get a working console back is by resetting the server.  I'm sure it would also work to reset sone service or other, but I am not experienced enough to know which one.  Perhaps SQL?  I'd love to know what is causing this, but I will put that as a secondary priority for now.

    My primary issue is that since I turned on a daily notification from WSUS regarding the status of updates and which machines needed what I noticed an inconsistency between that e-mail and the daily report generated by SBS.  My SBS report says that only one machine needs an update (a laptop which isn't connected to the network very often), yet the e-mail from WSUS says that all machines are missing at least one update.

    When I go to the WSUS console (if it doesn't crash) it tells me that there are no computers which are missing an update (other than the laptop) so it is agreeing with the SBS report.  When I go onto a client machine and run windows update it also says there are no updates available (it searches the WSUS database).  However, when I force the client machine to check directly with Microsoft, up pops the missing updates.  They install fine and everybody is happy ... except me.

    I have checked that WSUS is synchronising regularly and without error, I have moved from storing the updates locally to retrieving them from the web (we only have 11 machines, so it's not much of an overhead for small updates), and I have just this morning moved back again to local storage.  I have checked the GPO entries to make sure that everything is correct and the correct update source is selected (the local server) and that WSUS is communicating with Microsoft for its source.  We have no upstream/downstream servers (it is a SBS installation, after all) and so I am completely stumped.  I have even removed WSUS from SBS as a role within the Server Manager window and told the client computers to just revert to contacting Microsoft Update themselves, but that just threw up regular errors on the SBS report moaning that WSUS was missing.  Reinstalling it I used all the default settings.

    Does anybody have any idea why I cannot get WSUS to work properly for me?  As a sideline, why do I only get access to the console once?

    Thanks in advance for help and advice :-)

    • Merged by Alvwan Wednesday, June 7, 2017 12:48 AM dup thread
    Tuesday, June 6, 2017 9:10 AM
  • Hi Angus Kitchin,

    Please re-index the database of the WSUS server, check if it could work after then.

    Reindex the WSUS Database

    https://technet.microsoft.com/en-us/library/dd939795(v=ws.10).aspx

    Best Regards,

    Anne


    Please remember to mark the replies as answers if they help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.

    Wednesday, June 7, 2017 7:41 AM
  • Forgot to mention that I had already done that procedure.  Didn't seem to work.  Interestingly, looking at the Installed Components report in SQL and the SUSDB database appears to be missing.  As an added complication we are running SQL 2008 *and* SQL 2014 on this server, and I am no SQL expert.  I have, however, heard that if you mess too much with SQL then you can destabilise SharePoint.  I am not keen to create yet more problems.

    I think my best bet would be to receive guidance for removing WSUS fully from a SBS machine (WSUS itself, its database, it's data and basically everything it uses) and reinstall it from scratch.  Is that possible?

    Wednesday, June 7, 2017 7:56 AM
  • Hi Angus Kitchin,

    Yes, I would also recommend to reinstall the WSUS from the scratch.

    Best Regards,

    Anne


    Please remember to mark the replies as answers if they help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.

    Thursday, June 22, 2017 1:45 AM
  • Before giving up, please run my script. It usually fixes these issues and brings life back to WSUS. Before you say .Net 4 is not compatible with SBS, see the notes at the bottom of the post.


    Have a peek at my Adamj Clean-WSUS script. It is the last WSUS Script you will ever need.

    http://community.spiceworks.com/scripts/show/2998-adamj-clean-wsus

    What it does:

    1. Remove all Drivers from the WSUS Database.
    2. Shrink your WSUSContent folder's size by declining superseded updates.
    3. Remove declined updates from the WSUS Database.
    4. Clean out all the synchronization logs that have built up over time (configurable, with the default keeping the last 14 days of logs).
    5. Compress Update Revisions.
    6. Remove Obsolete Updates.
    7. Computer Object Cleanup (configurable, with the default of deleting computer objects that have not synced within 30 days).
    8. Application Pool Memory Configuration to display the current private memory limit and easily increase it by any configurable amount.
    9. Run the Recommended SQL database Maintenance script on the actual SQL database.
    10. Run the Server Cleanup Wizard.

    It will email the report out to you or save it to a file, or both.

    Although the script is lengthy, it has been made to be super easy to setup and use. There are some prerequisites and instructions at the top of the script. After installing the prerequisites and configuring the variables for your environment, simply run:

    .\Clean-WSUS.ps1 -FirstRun

    and then

    .\Clean-WSUS.ps1 -InstallTask

    If you wish to view or increase the Application Pool Memory Configuration, you must run it with the required switch. See Get-Help .\Clean-WSUS.ps1 -Examples

    If you're having trouble, there's also a -HelpMe option that will create a log so you can send it to me for support.


    For SBS notes - Taken from my version 3.0 which is what I'm working on right now.


        - For SBS 2008: This script WILL work on SBS 2008 - you just have to install the pre-requisites below.
                        .NET 4 is backwards compatible and I have a lot of users who have installed it on SBS 2008 and use the script.
            - Install Windows Powershell from Server Manager - Features
            - Install .NET 3.5 SP1 from - https://www.microsoft.com/en-ca/download/details.aspx?id=25150
            - Install SQL Server Management Studio from https://www.microsoft.com/en-ca/download/details.aspx?id=30438
              You want to choose SQLManagementStudio_x64_ENU.exe
            - Install .NET 4.0 - https://www.microsoft.com/en-us/download/details.aspx?id=17718
            - Install Powershell 2.0 & WinRM 2.0 from https://www.microsoft.com/en-ca/download/details.aspx?id=20430
            - Install Windows Management Framework 3.0 from https://www.microsoft.com/en-us/download/confirmation.aspx?id=34595

        - For SBS 2011: This script WILL work on SBS 2011 - you just have to install the pre-requisites below.
                        .NET 4 is backwards compatible and I have a lot of users who have installed it on SBS 2011 and use the script.
            - Install .NET 4.5.2 from https://www.microsoft.com/en-ca/download/details.aspx?id=42642
            - Install Windows Management Framework 4.0 and reboot from https://www.microsoft.com/en-ca/download/details.aspx?id=40855
            - Install SQL Server Management Studio from https://www.microsoft.com/en-ca/download/details.aspx?id=30438
              You want to choose SQLManagementStudio_x64_ENU.exe

    Please see my comments (OverDrive) and the run through here:

    https://community.spiceworks.com/topic/1999958-need-help-getting-rid-of-wsuscontent-files

    Everything that says .NET 3+ on SBS is not supported revolves around old information.


    Adam Marshall, MCSE: Security
    http://www.adamj.org

    • Marked as answer by Angus Kitchin Sunday, July 16, 2017 6:24 PM
    Thursday, June 22, 2017 4:52 AM
  • Hi Adam,

    First please let me compliment you on providing one of the most well annotated scripts I have ever seen.  It explains everything.  At least, that it so say it tells me everything.  I wouldn't say I understand a lot of it, but you've done the hard work so I don't have to.  So, thank you.

    Next, I am currently running the script after installing the pre-requisites (Management Framework 5 in my case, and a refresh of the .Net 4.5.2).  It has been running for an hour and a half so far and still seems to just show "Executing RemoveWSUSDrivers" on the Powershell console.  I've run the script from the desktop and notice a SQL query called 'AdamjRemoveWSUSDrivers.sql' has been created.  Looking through this I notice that there are several 'PRINT' statements, which implies to me that as the query runs it gives a sort of running commentary of where it has got to.  I see no running commentary.  Is this normal or has something fallen over?

    Angus

    Sunday, July 9, 2017 11:22 AM
  • Hi Angus,

    The Print statements do not print items on the screen, but rather into a variable for the output file and email log reports.

    If it hasn't completed the RemoveWSUSDrivers section yet, go ahead and cancel the script (ctrl-c or close the powershell window) and restart it. I've seen that SQL script take between 5-10 min, but usually within 3 minutes that's done, so over an hour is problematic. Don't worry, it will restart where it left off, but you'll lose the log of what it's already done.


    Adam Marshall, MCSE: Security
    http://www.adamj.org

    Sunday, July 9, 2017 11:09 PM
  • Hi Adam,

    I pressed <Ctrl><C> and saw your warning.  As you know it brings up the list of running processes, but it had said that the background job 'Job1' was complete.  Any ideas why it wasn't continuing?  I'm starting the process again now.

    Angus

    Monday, July 10, 2017 7:08 AM
  • Only a couple of things come to mind. The Ctrl-C cut the SQL process and the SQL script terminated, returning to the Cleanup script's processing, or there was a powershell screen 'pause' - like when you highlight text to copy, but never press enter or copy it. It halts the foreground processing until that pause is released.

    How is it running now?


    Adam Marshall, MCSE: Security
    http://www.adamj.org

    Monday, July 10, 2017 12:42 PM
  • It failed saying that it couldn't access the SQL query because something else was already accessing it. Possibly the old instance of PowerShell? Anyway, I'm rebooting the server now to clear all file locks, will delete the WSUS Content folder, will run the 'WSUSUtil reset', tell the server to not actually store local copies of the update on the server and then run your script again. I'm having to do all this through remote desktop as I am on another site. Hence the delays in responding to your messages.
    Monday, July 10, 2017 6:01 PM
  • It failed saying that it couldn't access the SQL query because something else was already accessing it. Possibly the old instance of PowerShell? Anyway, I'm rebooting the server now to clear all file locks, will delete the WSUS Content folder, will run the 'WSUSUtil reset', tell the server to not actually store local copies of the update on the server and then run your script again. I'm having to do all this through remote desktop as I am on another site. Hence the delays in responding to your messages.
    I would hold off on deleting the content folder and instead try running my script again.

    Adam Marshall, MCSE: Security
    http://www.adamj.org

    Monday, July 10, 2017 6:06 PM
  • Shame.  Bit late for that.  Anyway, I've been running the script for 20 minutes now and it is still saying 'Executing RemoveWSUSDrivers'. This is after several hours this morning and a few hours this afternoon.  I am happy to try and completely blitz WSUS, remove the database and start from scratch.  If I tell WSUS to not store content locally it doesn't really seem like such a big deal.  Once everything is looking right and clients are updating then I can then switch over to storing locally.

    Is there a way of telling what is causing problems with your script?  If not, how can I completely remove and reset WSUS?  I've heard it can be a bit tricky on SBS, given that SharePoint, etc. are all built in.

    Monday, July 10, 2017 7:13 PM
  • Does it make any odds that we have SQL Server 2008 and 2014 installed at the same time?  As far as I know WSUS is on 2008 and other software to do with remote deployment and management of antivirus software is using 2014.

    Given that one of my original problems is that the WSUS management console hangs (or at least cannot access the database or whatever it does) when I'm looking through the updates, could this indicate where the problem lies?

    Monday, July 10, 2017 7:19 PM
  • Nope,

    In an Admin Powershell, run the following commands

    Get-ItemProperty -Path "HKLM:\Software\Microsoft\Update Services\Server\Setup" -Name "SqlServerName" | Select-Object -ExpandProperty "SqlServerName"
    Get-ItemProperty -Path "HKLM:\Software\Microsoft\Update Services\Server\Setup" -Name "SqlAuthenticationMode" | Select-Object -ExpandProperty "SqlAuthenticationMode"
    Get-ItemProperty -Path "HKLM:\Software\Microsoft\Update Services\Server\Setup" -Name "SqlDatabaseName" | Select-Object -ExpandProperty "SqlDatabaseName"
    Get-ItemProperty -Path "HKLM:\Software\Microsoft\Update Services\Server\Setup" -Name "SqlUserName" | Select-Object -ExpandProperty "SqlUserName"
    Get-ItemProperty -Path "HKLM:\Software\Microsoft\Update Services\Server\Setup" -Name "UsingSSL" | Select-Object -ExpandProperty "UsingSSL"
    Get-ItemProperty -Path "HKLM:\Software\Microsoft\Update Services\Server\Setup" -Name "PortNumber" | Select-Object -ExpandProperty "PortNumber"
    Get-ItemProperty -Path "HKLM:\Software\Microsoft\Update Services\Server\Setup" -Name "ServerCertificateName" | Select-Object -ExpandProperty "ServerCertificateName"

    Paste the results


    Adam Marshall, MCSE: Security
    http://www.adamj.org

    Monday, July 10, 2017 7:26 PM
  • PS C:\> Get-ItemProperty -Path "HKLM:\Software\Microsoft\Update Services\Server\Setup" -Name "SqlServerName" | Select-Object -ExpandProperty "SqlServerName"
    FES\MICROSOFT##SSEE
    PS C:\> Get-ItemProperty -Path "HKLM:\Software\Microsoft\Update Services\Server\Setup" -Name "SqlAuthenticationMode" | Select-Object -ExpandProperty "SqlAuthenticationMode"
    WindowsAuthentication
    PS C:\> Get-ItemProperty -Path "HKLM:\Software\Microsoft\Update Services\Server\Setup" -Name "SqlDatabaseName" | Select-Object -ExpandProperty "SqlDatabaseName"
    SUSDB
    PS C:\> Get-ItemProperty -Path "HKLM:\Software\Microsoft\Update Services\Server\Setup" -Name "SqlUserName" | Select-Object -ExpandProperty "SqlUserName"

    PS C:\> Get-ItemProperty -Path "HKLM:\Software\Microsoft\Update Services\Server\Setup" -Name "UsingSSL" | Select-Object -ExpandProperty "UsingSSL"
    Get-ItemProperty : Property UsingSSL does not exist at path HKEY_LOCAL_MACHINE\Software\Microsoft\Update
    Services\Server\Setup.
    At line:1 char:1
    + Get-ItemProperty -Path "HKLM:\Software\Microsoft\Update Services\Serv ...
    + ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
        + CategoryInfo          : InvalidArgument: (UsingSSL:String) [Get-ItemProperty], PSArgumentException
        + FullyQualifiedErrorId : System.Management.Automation.PSArgumentException,Microsoft.PowerShell.Commands.GetItemPr
       opertyCommand
    PS C:\> Get-ItemProperty -Path "HKLM:\Software\Microsoft\Update Services\Server\Setup" -Name "PortNumber" | Select-Object -ExpandProperty "PortNumber"
    8530
    PS C:\> Get-ItemProperty -Path "HKLM:\Software\Microsoft\Update Services\Server\Setup" -Name "ServerCertificateName" | Select-Object -ExpandProperty "ServerCertificateName"
    Get-ItemProperty : Property ServerCertificateName does not exist at path HKEY_LOCAL_MACHINE\Software\Microsoft\UpdateServices\Server\Setup.
    At line:1 char:1
    + Get-ItemProperty -Path "HKLM:\Software\Microsoft\Update Services\Serv ...
    + ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
        + CategoryInfo          : InvalidArgument: (ServerCertificateName:String) [Get-ItemProperty], PSArgumentException
        + FullyQualifiedErrorId : System.Management.Automation.PSArgumentException,Microsoft.PowerShell.Commands.GetItemPropertyCommand
    Monday, July 10, 2017 7:36 PM
  • I have a couple of tricks up my sleeve to help fix WSUS that are included with my script's version 3, but I don't want to add them publicly yet. Contact me through my form on my website and include the link to this thread, and I'll email you the enhancements that will make WSUS MUCH faster.... 1000-1500 times faster.

    It also would be great if you could export HKLM:\Software\Microsoft\Update Services\Server\Setup to a txt file and add that in the message so that I could see what is going on, and gather intel for my script's next version.

    When you're running my script, after ~5 min from 'Executing RemoveWSUSDrivers', press enter a few times and click inside the powershell window and press enter a few more times. Does that make a difference?

    If not, comment line 2313 and make it #RemoveWSUSDrivers -SQL

    Re-run my script - let's see how far you get past it.


    Adam Marshall, MCSE: Security
    http://www.adamj.org

    Tuesday, July 11, 2017 1:43 AM
  • Surely I need to comment out line 2314 as well. 2313 just displays the text on the console screen but 2314 actually executes the command.

    I have exported the registry entries, made sure that the PowerShell window wasn't paused and will now contact you via your website, as requested.

    As an aside, I already run the script found at https://community.spiceworks.com/scripts/show/336-wsus-automatic-cleanup-script (modified to suit my needs) on a monthly basis.

    Talk to you soon,

    Angus

    Tuesday, July 11, 2017 6:29 AM
  • Thanks to Adam Marshall for his help and assistance restoring my WSUS back into working order.  Very helpful chap.  Thank you.
    Sunday, July 16, 2017 6:25 PM
  • You're welcome. All I ask is that you pay it forward :)

    Adam Marshall, MCSE: Security
    http://www.adamj.org

    Sunday, July 16, 2017 10:44 PM
  • What does 'pay it forward' mean?  Are you chasing me for money?  I said I would be making a donation, as repeatedly requested by the e-mails and reports which your script generates.  I am just making sure that the 'login lock-up' problem has gone away and I can store the updates locally again.  I will pay you soon.
    Monday, July 17, 2017 5:52 AM
  • Hi Angus, you mis-understood what I meant.

    https://payitforwardday.com/about/how-does-it-work/

    Donations are appreciated for my work, but not required.


    Adam Marshall, MCSE: Security
    http://www.adamj.org

    Monday, July 17, 2017 12:55 PM
  • Ah. A reference which lost translation as it crossed the Atlantic.  I am not familiar with the film, the phrase or the concept of formalising doing a good turn for somebody.  Thank you for clarifying.
    Monday, July 17, 2017 4:34 PM