Best practice for outdated KBs


  • Hi guys, I'm moving from a third-party updater back to WSUS. I set a test group for auto approvals, and then I'll manually approve the 'rest of em' group a few days later. I figure the spot to check updates to approve would be 'All Updates' / Approval = Unapproved / Status = Any or Needed.

    My question is: I have some listed from 2008-2011 that state this update is superseded by another. Should I just highlight them all and choose Decline so they are no longer in my view?

    Additional question that may seem silly. If I have laptops that are off-network for a very long time but are set to automatically install, do those laptops just check MS for updates daily, then download and install, since WSUS isn't in the picture for large swaths of time? I shouldn't have to take them off WSUS and configure them manually to auto-install updates.

    • Edited by RyGy14, Friday, 18 May 2018 15:02
    Friday, 18 May 2018 12:42

All replies

  • Superseded updates are fine to decline, and declining them is recommended.

    WAM your server and you'll have much less to deal with, and it will be way faster too!

    There's a new version of WAM coming on June 1st.

    Please have a look at the WSUS Automated Maintenance (WAM) system. It is an automated maintenance system for WSUS, the last system you'll ever need to maintain WSUS!

    What it does:

    1. Add WSUS Index Optimization to the database to increase the speed of many database operations in WSUS by approximately 1000-1500 times.
    2. Remove all Drivers from the WSUS Database (Default; Optional).
    3. Shrink your WSUSContent folder's size by declining multiple types of updates including by default any superseded updates, preview updates, expired updates, Itanium updates, and beta updates. Optional extras: Language Packs, IE7, IE8, IE9, IE10, Embedded, NonEnglishUpdates, ComputerUpdates32bit, WinXP.
    4. Remove declined updates from the WSUS Database.
    5. Clean out all the synchronization logs that have built up over time (configurable, with the default keeping the last 14 days of logs).
    6. Compress Update Revisions.
    7. Remove Obsolete Updates.
    8. Computer Object Cleanup (configurable, with the default of deleting computer objects that have not synced within 30 days).
    9. Application Pool Memory Configuration to display the current private memory limit and easily set it to any configurable amount including 0 for unlimited. This is a manual execution only.
    10. Checks to see if you have a dirty database, and if you do, fixes it. This is primarily for Server 2012 WSUS, and is a manual execution only.
    11. Run the Recommended SQL database Maintenance script on the actual SQL database.
    12. Run the Server Cleanup Wizard.

    It will email the report out to you or save it to a file, or both.

    Although the script is lengthy, it has been made to be super easy to set up and use, so don't overthink it. There are some prerequisites and instructions at the top of the script. After installing the prerequisites and configuring the variables for your environment (email settings only, if you are accepting all the defaults), simply run:

    .\Clean-WSUS.ps1 -FirstRun

    If you wish to view or increase the Application Pool Memory Configuration, or run the Dirty Database Check, you must run it with the required switch. See Get-Help .\Clean-WSUS.ps1 -Examples.

    If you're having trouble, there's also a -HelpMe option that will create a log so you can send it to me for support.

    Adam Marshall, MCSE: Security
    Microsoft MVP - Windows and Devices for IT

    Friday, 18 May 2018 15:41
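As an added example (not part of the reply above, and not WAM's code), the following PowerShell does the "decline superseded" step by hand with the UpdateServices module that ships with the WSUS role, with the check a practitioner wants before a bulk decline: it only declines superseded updates that are unapproved and that no client still reports as needed, and for anything still needed it lists the superseding updates so the replacement can be approved first. The server (local), the -WhatIf dry run and the output formatting are assumptions; run it in an elevated PowerShell on the WSUS server.

```powershell
# Added example, not from the thread or from WAM. Run on the WSUS server in an
# elevated PowerShell; the UpdateServices module is installed with the WSUS role.
Import-Module UpdateServices

# Local server. For a remote one: Get-WsusServer -Name wsus.example.com -PortNumber 8531 -UseSsl
$wsus = Get-WsusServer

# The same view the poster describes: All Updates / Approval = Unapproved / Status = Any,
# narrowed to updates WSUS marks as superseded and that are not already declined.
$superseded = Get-WsusUpdate -UpdateServer $wsus -Approval Unapproved -Status Any |
    Where-Object { $_.Update.IsSuperseded -and -not $_.Update.IsDeclined }

# Safe to decline: no computer in any group still reports the update as needed.
$safe   = $superseded | Where-Object { $_.ComputersNeedingThisUpdate -eq 0 }

# Not yet safe: some client still needs it, which usually means the superseding
# update has not been approved for that client's group. Declining these leaves a gap.
$needed = $superseded | Where-Object { $_.ComputersNeedingThisUpdate -gt 0 }

"Superseded and unapproved: {0}  safe to decline: {1}  still needed by clients: {2}" -f `
    @($superseded).Count, @($safe).Count, @($needed).Count

foreach ($item in $needed) {
    $replacements = $item.Update.GetRelatedUpdates(
        [Microsoft.UpdateServices.Administration.UpdateRelationship]::UpdatesThatSupersedeThisUpdate)
    "{0} ({1}) still needed by {2} computer(s); superseded by:" -f `
        $item.Update.Title, $item.UpdateId, $item.ComputersNeedingThisUpdate
    $replacements | ForEach-Object {
        "    {0}  approved={1} declined={2}" -f $_.Title, $_.IsApproved, $_.IsDeclined
    }
}

# Dry run first; drop -WhatIf once the list looks right. Declined updates stay in the
# database until the Server Cleanup Wizard (or Invoke-WsusServerCleanup) removes them.
$safe | Deny-WsusUpdate -WhatIf
```

Declining only removes the update from the approval view; the content and database rows go away in the cleanup step afterwards (Invoke-WsusServerCleanup -CleanupObsoleteUpdates -CleanupUnneededContentFiles, or the GUI wizard). Invoke-WsusServerCleanup also has its own -DeclineSupersededUpdates switch, which applies the built-in, more conservative rule; the script above is for when you want to see the list and the "still needed" exceptions before anything is declined.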
  • As for your additional question: if the GPOs are set up with the WSUS URL, they won't check Microsoft's servers at all. They will only check WSUS, and they will check the next time the system turns on; if it can't reach the WSUS server, it will check again at the next interval.

    Adam Marshall, MCSE: Security
    Microsoft MVP - Windows and Devices for IT

    Friday, 18 May 2018 15:43
  • I also have an eight-post blog series coming out June 1st on how to set up, manage, and maintain WSUS.

    Adam Marshall, MCSE: Security
    Microsoft MVP - Windows and Devices for IT

    Friday, 18 May 2018 15:43
  • So what you're saying is, if I have a laptop that is out of our network for 5 months or so, it's not being updated at all? Salespeople or anyone in a traveling position, perhaps I should remove them from WSUS?

    Just a quick search: what about the Group Policy setting "Do not connect to any Windows Update Internet locations"? The description states "even when Windows Update is configured to receive updates from an intranet update service, it will periodically retrieve information from the public Windows Update service".

    Enabling it will disable the functionality to connect to public update services.

    • Edited by RyGy14, Tuesday, 22 May 2018 15:43
    Tuesday, 22 May 2018 15:33
  • Yes, as the location the updates come from is WSUS. If the system can't reach WSUS, it doesn't do anything else but wait until the next time it needs to try.

    VPNs are usually used with external people to allow access to internal resources from the outside. In these cases, when connected to the VPN, the computer would be able to connect to WSUS and get the updates.

    If you want both worlds, set up a WSUS server in downstream replica mode in your DMZ and assign outside systems to that.

    Adam Marshall, MCSE: Security
    Microsoft MVP - Windows and Devices for IT

    Tuesday, 22 May 2018 15:50
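As an added example (not part of the thread), this PowerShell checks, from the client side, what the replies above describe: whether a laptop is locked to the WSUS URL by policy, whether the "Do not connect to any Windows Update Internet locations" setting the poster found is in effect, whether the configured WSUS server is reachable from where the laptop currently sits, and how long it has been since the last successful detection. The registry paths are the documented Windows Update policy and result locations; the report layout and the staleness arithmetic are mine.

```powershell
# Added example, not from the thread. Run on a client (for example a traveling laptop)
# as an administrator to see where Windows Update is pointed and when it last succeeded.
$wuPolicy = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
$auPolicy = "$wuPolicy\AU"
$results  = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\Results'

# Returns the value or $null when the key/value is not set (i.e. the policy is not applied).
function Get-RegValue ($Path, $Name) {
    try { (Get-ItemProperty -Path $Path -Name $Name -ErrorAction Stop).$Name } catch { $null }
}

$report = [ordered]@{
    WUServer       = Get-RegValue $wuPolicy 'WUServer'          # intranet update service URL
    WUStatusServer = Get-RegValue $wuPolicy 'WUStatusServer'    # where the client reports status
    # 1 = use WUServer instead of Windows Update ("Specify intranet Microsoft update service location")
    UseWUServer    = Get-RegValue $auPolicy 'UseWUServer'
    # 1 = the GPO the poster found: "Do not connect to any Windows Update Internet locations"
    NoInternetWU   = Get-RegValue $wuPolicy 'DoNotConnectToWindowsUpdateInternetLocations'
    AUOptions      = Get-RegValue $auPolicy 'AUOptions'         # 4 = auto download and schedule the install
    LastDetect     = Get-RegValue "$results\Detect"   'LastSuccessTime'   # strings, UTC, yyyy-MM-dd HH:mm:ss
    LastDownload   = Get-RegValue "$results\Download" 'LastSuccessTime'
    LastInstall    = Get-RegValue "$results\Install"  'LastSuccessTime'
}
[pscustomobject]$report | Format-List

# Is the configured WSUS server reachable from this network right now?
if ($report.UseWUServer -eq 1 -and $report.WUServer) {
    $uri = [uri]$report.WUServer
    $reachable = Test-NetConnection -ComputerName $uri.Host -Port $uri.Port `
        -InformationLevel Quiet -WarningAction SilentlyContinue
    "WSUS {0}:{1} reachable: {2}" -f $uri.Host, $uri.Port, $reachable
    if (-not $reachable) {
        "Client is locked to WSUS by policy and cannot reach it; it will not fall back to Microsoft Update."
    }
}

# Days since the last successful detection. A laptop that never sees WSUS
# (no VPN, no DMZ replica) just keeps growing this number.
if ($report.LastDetect) {
    $last = [datetime]::ParseExact($report.LastDetect, 'yyyy-MM-dd HH:mm:ss',
        [cultureinfo]::InvariantCulture)
    $age  = (Get-Date).ToUniversalTime() - $last
    "Days since last successful detection: {0:N0}" -f $age.TotalDays
}
```

Run against a laptop that has been on the road, the interesting line is the detection age: if UseWUServer is 1 and WSUS is unreachable, that number only comes down when the machine is on the LAN, on the VPN, or pointed at a replica it can reach, which is the choice the last reply lays out.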