[Help wanted] Managing updates in WSUS

  • Question

  • Hi all,

    I am somewhat new to WSUS and could do with some experience from someone who has more experience than myself in WSUS.

    Today I came across 2 points that I would like to ask about:

    1. The WSUS server reported a Windows Server 2008 Enterprise SP2 server as still needing 432 updates. But the server itself, which reported in to WSUS only this morning, says there is only 1 update for it to install. The result did not change after I told it to get other Microsoft updates.
      The updates appeared to be some for Windows Server, some for IE and some for .NET Framework.
      I do not see any hidden updates on the server either.
      Also confirmed on the WSUS server that it has finished downloading updates.
      The updates have all been approved for install to the computer group that this server is part of.
    2. Previously we approved a bunch of updates for Itanium, but we do not have any such servers. In order to save some space, what is the best course of action? Decline the updates and then run server cleanup?

    Thank you in advance for any assistance.

    Wednesday, July 26, 2017 3:36 PM

Answers

  • My script will help you take back control of WSUS. It automates the maintenance routines you should be doing. My guess is those 400+ updates are superseded and need to be declined, or they are a bunch of language packs (which are their own beasts and will never install automatically as it's a manual process for Lang packs).

    Have a peek at my Adamj Clean-WSUS script. It is the last WSUS Script you will ever need.

    http://community.spiceworks.com/scripts/show/2998-adamj-clean-wsus

    What it does:

    1. Remove all Drivers from the WSUS Database.
    2. Shrink your WSUSContent folder's size by declining superseded updates.
    3. Remove declined updates from the WSUS Database.
    4. Clean out all the synchronization logs that have built up over time (configurable, with the default keeping the last 14 days of logs).
    5. Compress Update Revisions.
    6. Remove Obsolete Updates.
    7. Computer Object Cleanup (configurable, with the default of deleting computer objects that have not synced within 30 days).
    8. Application Pool Memory Configuration to display the current private memory limit and easily increase it by any configurable amount.
    9. Run the Recommended SQL database Maintenance script on the actual SQL database.
    10. Run the Server Cleanup Wizard.

    It will email the report out to you or save it to a file, or both.

    Although the script is lengthy, it has been made to be super easy to set up and use. There are some prerequisites and instructions at the top of the script. After installing the prerequisites and configuring the variables for your environment, simply run:

    .\Clean-WSUS.ps1 -FirstRun

    and then

    .\Clean-WSUS.ps1 -InstallTask

    If you wish to view or increase the Application Pool Memory Configuration, you must run it with the required switch. See Get-Help .\Clean-WSUS.ps1 -Examples

    If you're having trouble, there's also a -HelpMe option that will create a log so you can send it to me for support.


    Adam Marshall, MCSE: Security
    http://www.adamj.org

    Saturday, July 29, 2017 3:15 AM

All replies

  • Hi Sir,

    >>But the server itself that reported in to WSUS only this morning saying there is only 1 update for it

    I'd suggest you check for updates from Microsoft Update, not WSUS, to see if there is only 1 update listed.

    If you get more updates from Windows Update, I'd suggest you remove that server in WSUS, then reset the "SUS ID" and register it into WSUS again.

    Any further information, please feel free to let us know.

    >>Previously we have approved a bunch of updates for Itanium but we do not have any such servers, in order to save some space what is the best course of action? decline the updates and then run server clean up?

    Yes, you are right.

    After "server clean up", the declined updates will be removed from the WSUS content folder.

    Best Regards,

    Elton



    Friday, July 28, 2017 9:01 AM
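
The decline-then-clean-up sequence confirmed above, as an added example that is not part of the thread or of any script mentioned in it. It assumes it is saved as a script and run elevated on the WSUS server with the WSUS administration console installed, and that Itanium updates can be recognised by the title pattern shown; run it with -WhatIf first to review what would be declined.

```powershell
# Added example, not from the thread. Save as a .ps1 and run with -WhatIf first.
[CmdletBinding(SupportsShouldProcess = $true)]
param(
    # Assumption: Itanium updates are identified by these words in the title.
    [string]$TitlePattern = 'Itanium|ia64'
)

# Load the WSUS administration API and connect to the local WSUS server.
[void][Reflection.Assembly]::LoadWithPartialName('Microsoft.UpdateServices.Administration')
$wsus = [Microsoft.UpdateServices.Administration.AdminProxy]::GetUpdateServer()

# Updates for the unused architecture that have not been declined yet.
$targets = @($wsus.GetUpdates() |
    Where-Object { -not $_.IsDeclined -and $_.Title -match $TitlePattern })

"{0} update(s) matching '{1}' are not yet declined" -f $targets.Count, $TitlePattern

foreach ($update in $targets) {
    if ($PSCmdlet.ShouldProcess($update.Title, 'Decline')) {
        $update.Decline()
    }
}

# Declining alone frees no disk space; the cleanup pass deletes content files
# that no non-declined update needs any more.
if ($PSCmdlet.ShouldProcess('WSUS content folder', 'Remove unneeded content files')) {
    $scope = New-Object Microsoft.UpdateServices.Administration.CleanupScope
    $scope.CleanupUnneededContentFiles = $true
    $result = $wsus.GetCleanupManager().PerformCleanup($scope)
    "Freed {0:N0} MB" -f ($result.DiskSpaceFreed / 1MB)
}
```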
  • Hi Elton,

    Thank you very much, will give that a go and report back. If, when checking with Microsoft directly, it finds more, what does that mean? What will removing it from WSUS and resetting the SUS ID do?

    Friday, July 28, 2017 10:28 AM
  • Hi Adam,

    I will give that script a look. Certainly sounds useful.

    By the way, can you help me understand something? If you have Update A and Update B, and Update B supersedes Update A, could there not be a situation where an older server OS perhaps can only install Update A and not Update B? So when you decline Update A, then the older server is not fully patched?

    Regards Ronnie 

    Saturday, July 29, 2017 10:52 AM
  • If A is superseded by B (Meaning A is REPLACED by B), A should be declined, B should be installed as it contains everything A has, and more.

    Eg. MS finds an error in code of A that causes problems. They supersede A with B which fixes the code in A. B is not a totally new update as it relates to A with a bugfix.

    So, your scenario of a server would install update B if it could install update A.


    Adam Marshall, MCSE: Security
    http://www.adamj.org

    Saturday, July 29, 2017 11:57 AM
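
A report-only check for the supersedence question discussed above, as an added example that is not part of the thread or of the Clean-WSUS script. It lists superseded updates that are still active but have no approved replacement on this server, so they can be reviewed before anything is declined; it assumes PowerShell 3.0 or later, run elevated on the WSUS server with the administration console installed.

```powershell
# Added example, not from the thread. Read-only: nothing is declined or changed.
[void][Reflection.Assembly]::LoadWithPartialName('Microsoft.UpdateServices.Administration')
$wsus = [Microsoft.UpdateServices.Administration.AdminProxy]::GetUpdateServer()

# Relationship selector: "which updates replace this one?"
$supersededBy = [Microsoft.UpdateServices.Administration.UpdateRelationship]::UpdatesThatSupersedeThisUpdate

$report = foreach ($old in $wsus.GetUpdates()) {
    # Only look at update A when it is superseded and still active.
    if (-not $old.IsSuperseded -or $old.IsDeclined) { continue }

    # Every update B that replaces A, and the subset that is approved here.
    $replacements = @($old.GetRelatedUpdates($supersededBy))
    $approved     = @($replacements | Where-Object { $_.IsApproved -and -not $_.IsDeclined })

    [pscustomobject]@{
        Title                = $old.Title
        Replacements         = $replacements.Count
        ApprovedReplacements = $approved.Count
    }
}

# Superseded updates whose replacement is not approved on this server:
# declining these now would leave clients with neither A nor B offered.
$report |
    Where-Object { $_.ApprovedReplacements -eq 0 } |
    Sort-Object Title |
    Format-Table -AutoSize
```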
  • Hi Adam, 

    I have decided to run your script and install it as a task on all my WSUS servers throughout EMEA. Awesome script.

    I do want to ask you one thing though. Do you know if it is possible to just have access to Management Studio on your master WSUS server, so that technically it would be possible to run your script from there and connect to remote WSUS servers? Installing Management Studio on all WSUS boxes is a bit of a bummer :)

    Monday, July 31, 2017 8:55 PM
  • Right from my script:

    IF YOU DON'T WANT TO INSTALL SQL SERVER MANAGEMENT STUDIO:
        Microsoft Command Line Utilities for SQL Server (Minimum requirement instead of SQL Server Management Studio)
            SQL 2008/2008R2 - https://www.microsoft.com/en-ca/download/details.aspx?id=16978
            SQL 2012/2014 - Version 11 - https://www.microsoft.com/en-us/download/details.aspx?id=36433
            SQL 2016 - Version 13 - https://www.microsoft.com/en-us/download/details.aspx?id=53591
    


    Adam Marshall, MCSE: Security
    http://www.adamj.org

    • Proposed as answer by AJTek.caMVP Wednesday, August 2, 2017 1:22 AM
    Monday, July 31, 2017 9:36 PM
  • Oh, and you must run it on downstream servers directly due to the nature of how it connects to databases, and the fact that the default WID does not allow for remote connections by default.

    Adam Marshall, MCSE: Security
    http://www.adamj.org

    Monday, July 31, 2017 9:40 PM
  • I could have sworn I looked through the script and did see the part about command line utilities, but thought it was only for 2008.

    OK about the remote running :) When you run it in install task mode, will it take care of the rest?

    Monday, July 31, 2017 9:44 PM
  • Yep. -InstallTask will install the task to use -ScheduledRun - the automated maintenance routine that detects what to do when automatically for you.


    Defaults are set up in the configuration of the script - 8AM, Monthly on day 1, and Quarterly on months "1,4,7,10"


    Adam Marshall, MCSE: Security
    http://www.adamj.org

    Monday, July 31, 2017 9:48 PM
  • Awesome... off topic a bit, but do you know of any good reset Windows Update client tricks for client OS's?
    Monday, July 31, 2017 9:51 PM
  • Hi Adam,

    Running the MS command line utilities for SQL server for Server 2012 R2 gave me this error after running the setup:

    Setup is missing an installation prerequisite:
     -Microsoft ODBC Driver 11 for SQL Server, To continue, Install Microsoft ODBC
    Driver 11 for SQL Server and
    then run the setup operation again

    Just FYI really.

    The ODBC Driver 11 can be downloaded from https://www.microsoft.com/en-gb/download/details.aspx?id=36434 and now everything works :)

    • Proposed as answer by AJTek.caMVP Wednesday, August 2, 2017 1:22 AM
    Monday, July 31, 2017 10:01 PM
  • Thanks for the info. I've added that to the new version of my script.

    Adam Marshall, MCSE: Security
    http://www.adamj.org

    Wednesday, August 2, 2017 1:22 AM