none
Computers Needing this update

    Question

  • Hello Everyone - Happy New Year.

    I wondered if anyone could offer some advice regarding a query I have with WSUS and especially around "Computer needing this update".

    On our Upstream server I am seeing a total of 6178 updates of various guises. For example Critical, Security, WSUS, Cumulative etc, etc. I have noticed quite a significant number of these updates show in the Status bar that "Computers Needing this update" is 0 and it is greyed out.

    Given that "Computers needing this update" is showing as 0 is it ok to delete these updates from the WSUS DB?

    Any information would be greatly appreciated.

    Regards.

    Peter.

    Wednesday, January 03, 2018 8:56 AM

All replies

  • You really only should remove Updates from WSUS when they are superseded or truely no longer needed (example: XP Updates because you no longer have any XP Computers, and you remove the product line of Windows XP).

    If you remove updates that your systems have installed and now show a status of not being needed, if you decline and remove them from the WSUS database and you install a new Windows client that does not have one of these updates that have been removed, the client will NEVER get this update as it was removed from WSUS completely.

    I take it that you're trying to 'clean up' updates so that it's more 'organized' by declining and removing them from the database rather than leaving them there. This is the WRONG way to manage WSUS.

    Your best bet is to use my maintenance system to automate what maintenance should happen on a WSUS Server and keep it in tip-top shape. My script does decline superseded updates and does remove Declined updates from the WSUS Database automatically on a schedule (Read the description within the first 575 lines of the script to understand what, when, and why they are being done).

    Please have a look at the WSUS Automated Maintenance (WAM) system. It is an automated maintenance system for WSUS, the last system you'll ever need to maintain WSUS!

    https://community.spiceworks.com/scripts/show/2998-wsus-automated-maintenance-formerly-adamj-clean-wsus

    What it does:

    1. Add WSUS Index Optimization to the database to increase the speed of many database operations in WSUS by approximately 1000-1500 times faster.
    2. Remove all Drivers from the WSUS Database (Default; Optional).
    3. Shrink your WSUSContent folder's size by declining multiple types of updates including by default any superseded updates, preview updates, expired updates, Itanium updates, and beta updates. Optional extras: Language Packs, IE7, IE8, IE9, IE10, Embedded, NonEnglishUpdates, ComputerUpdates32bit, WinXP.
    4. Remove declined updates from the WSUS Database.
    5. Clean out all the synchronization logs that have built up over time (configurable, with the default keeping the last 14 days of logs).
    6. Compress Update Revisions.
    7. Remove Obsolete Updates.
    8. Computer Object Cleanup (configurable, with the default of deleting computer objects that have not synced within 30 days).
    9. Application Pool Memory Configuration to display the current private memory limit and easily set it to any configurable amount including 0 for unlimited. This is a manual execution only.
    10. Checks to see if you have a dirty database, and if you do, fixes it. This is primarily for Server 2012 WSUS, and is a manual execution only.
    11. Run the Recommended SQL database Maintenance script on the actual SQL database.
    12. Run the Server Cleanup Wizard.

    It will email the report out to you or save it to a file, or both.

    Although the script is lengthy, it has been made to be super easy to setup and use so don't over think it. There are some prerequisites and instructions at the top of the script. After installing the prerequisites and configuring the variables for your environment (email settings only if you are accepting all the defaults), simply run:

    .\Clean-WSUS.ps1 -FirstRun

    If you wish to view or increase the Application Pool Memory Configuration, or run the Dirty Database Check, you must run it with the required switch. See Get-Help .\Clean-WSUS.ps1 -Examples

    If you're having trouble, there's also a -HelpMe option that will create a log so you can send it to me for support.


    Adam Marshall, MCSE: Security
    http://www.adamj.org
    Microsoft MVP - Windows and Devices for IT

    Thursday, January 04, 2018 12:32 AM
  • Hi,

    >>Given that "Computers needing this update" is showing as 0 is it ok to delete these updates from the WSUS DB?

    Generally , it would be OK to delete these updates .

    But , I'd suggest you to delete the "superseded" updates (I mean other updates might be needed when you put a new computer into the existing environment ).

    To find the superseded updates please try the following script:

    $Computer = $env:COMPUTERNAME
    [String]$updateServer1 = $Computer
    [Boolean]$useSecureConnection = $False
    [Int32]$portNumber = 8530
     
    # Load .NET assembly
     
    [void][reflection.assembly]::LoadWithPartialName("Microsoft.UpdateServices.Administration")
     
    $count = 0
     
    # Connect to WSUS Server
     
    $updateServer = [Microsoft.UpdateServices.Administration.AdminProxy]::getUpdateServer($updateServer1,$useSecureConnection,$portNumber)
     
    write-host "<<<Connected sucessfully >>>" -foregroundcolor "yellow"
     
    $updatescope = New-Object Microsoft.UpdateServices.Administration.UpdateScope
     
    $u=$updateServer.GetUpdates($updatescope )
    
    foreach ($u1 in $u ) {
     
    if ($u1.IsSuperseded -eq 'True')
    {$u1.KnowledgebaseArticles}
    
    }


    For details please check the following article which mentioned decline superseded updates:

    https://xenappblog.com/2016/how-to-clean-up-wsus/

     

    In addition , to delete update I'd suggest you use scripts which running in WSUS server side (this script is used to delete declined updates) :

    $wsus = [Microsoft.UpdateServices.Administration.AdminProxy]::getUpdateServer()
    [reflection.assembly]::LoadWithPartialName("Microsoft.UpdateServices.Administration") | Out-Null
    $wsus.getupdates() | Where {$_.isdeclined -match 'true'} | ForEach-Object { $wsus.DeleteUpdate($_.Id.UpdateID); Write-Host $_.Title removed }
     

    Hope it is useful to you .

    Best Regards,

    Elton


    Please remember to mark the replies as answers if they help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.

    Thursday, January 04, 2018 2:36 AM
    Moderator
  • Hi,

    Thank you Adam and Elton for your replies. I will take on board both the recommendations.

    Regards.

    Peter.

    Friday, January 05, 2018 7:38 AM