The Woes of WSUS

[Melbosa]

So not sure you guys know what WSUS is (but probably do)... its Windows Server Update Services (WSUS) used to basically run your own Windows Update for your domain.  Well its a bloated piece of Microsoft festering poo if not properly configured and managed, and can very quickly eat of drive space for local catalogs of Windows Updates.  And if you let those catalogs run wild, you probably will get a very unresponsive and crashy WSUS system.

As such I've been trying to fix one of my client's sites WSUS system.  Most of my clients have a big enough pipe to the internet and small enough numbers of machines to let them just update from the internet, but one of my clients doesn't have the best internet around, which makes WSUS so appealing.  But alas they have a 1TB drive dedicated to the catalogs and it was full to the hilt.  The SQL DB is on another drive but the speed of the queries were causing the service to drop in and out all the time.  Now though I have finally found everything I needed to fix it from top to bottom and thought I would share those steps:

• Decline any OS/Software Updates you no longer need - this is a must when administrating the WSUS system.  i.e. If you don't have a need for Windows XP updates, Decline them all from being synced
• Download WSUS_CleanUp_CL.exe from CodePlex to schedule task cleanups because Microsoft doesn't include this damn automated functionality out-of-the-box!
• If NT AUTHORITY\NETWORK SERVICE is not a Sysadmin on your WSUS SQL instance, make it one so that the cleanup tasks can automate properly
• Schedule your tasks of WSUS_CleanUp_CL.exe by section as per these lines in this order:

Code Select Expand

WSUS_Cleanup_CL %computername% f 8530 superseded
WSUS_Cleanup_CL %computername% f 8530 computers
WSUS_Cleanup_CL %computername% f 8530 obsolete
WSUS_Cleanup_CL %computername% f 8530 expired
WSUS_Cleanup_CL %computername% f 8530 compress
WSUS_Cleanup_CL %computername% f 8530 files
WSUS_Cleanup_CL %computername% f 8530 DB
This will ensure your cleanup tasks execute in the proper order, and also that an application event is written to the log for each step

• And if you find that your WSUS_Cleanup_CL %computername% f 8530 obsolete times out, log into your WSUS DB Instance and run the following code to remove the obsolete item:

Code Select Expand

USE SUSDB
GO
exec spGetObsoleteUpdatesToCleanup
Take the top result and execute (where XXXXXX is the top result):

Code Select Expand

exec spDeleteUpdate @localUpdateID=XXXXXX
This lets SQL get rid of the timing out obsolete item, but may take many minutes to complete.  Then you can execute WSUS_Cleanup_CL %computername% f 8530 obsolete again.






FYI, to log into the SQL WSUS Instance, use Windows Authentication to:

Code Select Expand

\\.\pipe\MSSQL$MICROSOFT##SSEE\sql\query


Sources how I came up with the above solution:
https://community.spiceworks.com/topic/959769-sbs-2011-very-slow-performance-because-of-susdb-mdf
https://social.technet.microsoft.com/Forums/office/en-US/7b12f8b2-d0e6-4f63-a98a-019356183c29/getting-past-wsus-cleanup-wizard-time-out-removing-unnecessary-updates?forum=winserverwsus
https://mbrownnyc.wordpress.com/technology-solutions/securing-your-network/part-3-patch-management/part-3-a-install-and-configuring-windows-server-update-services-wsus/

Download WSUS_CleanUp_CL.exe: http://wsus.codeplex.com/releases/view/17612



I am finally seeing that 1TB shrink as the clean-ups are working.  Like a whole week it took me to get to this point, so hopefully this helps someone someday.


Windows 2012 R2/2016 Method
Save the blow as a "Whatever_You_Want_To_Call_It.ps1"

Code Select Expand

$logDate = Get-Date -Format "MM-dd-yyyy_hh-mm-ss"
$logFile="C:\Scripts\Logs\WSUS-Cleanup" + $logDate + ".log" #Or Path of your choosing

$ErrorActionPreference="SilentlyContinue"
Stop-Transcript | out-null
$ErrorActionPreference = "Continue"
Start-Transcript -path $logFile
$Error.Clear()

Write-Output "$((get-date).ToLongTimeString()) $server - WSUS Cleanup starting..."

Write-Output ""
Write-Output "Cleanup Obsolete Computers"
Get-WsusServer | Invoke-WsusServerCleanup -CleanupObsoleteComputers -Verbose

Write-Output ""
Write-Output "Cleanup Obsolete Updates"
Get-WsusServer | Invoke-WsusServerCleanup -CleanupObsoleteUpdates -Verbose

Write-Output ""
Write-Output "Cleanup Unneeded Content Files"
Get-WsusServer | Invoke-WsusServerCleanup -CleanupUnneededContentFiles -Verbose

Write-Output ""
Write-Output "Compress Updates"
Get-WsusServer | Invoke-WsusServerCleanup -CompressUpdates -Verbose

Write-Output ""
Write-Output "Decline Expired Updates"
Get-WsusServer | Invoke-WsusServerCleanup -DeclineExpiredUpdates -Verbose

Write-Output ""
Write-Output "Decline Superseded Updates"
Get-WsusServer | Invoke-WsusServerCleanup -DeclineSupersededUpdates -Verbose
Write-Output "$((get-date).ToLongTimeString()) $server - WSUS Cleanup complete."

Stop-Transcript
$emailbody = Get-Content $logFile | Out-String
$emailsubject = "WSUS Cleanup Report on $Env:ComputerName " + $logDate
if ($error -ne $null){ $emailsubject = "WSUS Cleanup Report ERROR on $Env:ComputerName " + $logDate}

Send-MailMessage `
    -From "$env:COMPUTERNAME@domain.local" `
    -To "theFROM@email.com" `
    -Subject "$emailsubject" `
    -Body "$emailbody" `
    -SmtpServer "Your_Local_SMTP_Server@domain.local" `

Modify some key parts above and then make yourself a scheduled task...

Key to scheduled task for powershell is very easy, just have your target like so and the wizard figures it out for you:

Code Select Expand

powershell -file "Path_to_your_PS1"

Now I know I could have gone all out with proper structure of the Powershell and even modulized it, but meh this was the quick and simple way to do so.

[Thorin]

I have heard of the WSUS.  I have feared the WSUS.  But luckily I'm not a sysadmin so leave this to others to sweat through

Thanks for sharing, though.

[Lazybones]

We use WSUS across all of our sites, and have it tiered from the central site that updates the remote sites.

Can't say we have had much trouble with it, at my current or past employer, but then again someone with admin skills touches it once a months to release updates manually so they can also do clean up.

I assume this is a side effect of running full auto.

WSUS also remains a sub-component of SCCM which gives you more control.

[Melbosa]

Lol yep side affect of full automation when you can afford or need sccm in small\medium business.  Of course at NAIT we use SCCM + WSUS.

[Tom]

Interesting.

[Lazybones]

Lol yep side affect of full automation when you can afford or need sccm in small\medium business.  Of course at NAIT we use SCCM + WSUS.

SCCM however does many other things and needs almost two admins to keep running it self.

Microsoft is turning SCCM into InTune a SaaS solution but it isn't as powerful yet.

Also Windows 10 and office 2016 have very aggressive update systems. Office 2016 basically updates it self.

Office 365 in many ways should be a great option for small business.

[Melbosa]

Lol yep side affect of full automation when you can afford or need sccm in small\medium business.  Of course at NAIT we use SCCM + WSUS.

SCCM however does many other things and needs almost two admins to keep running it self.

Microsoft is turning SCCM into InTune a SaaS solution but it isn't as powerful yet.

Also Windows 10 and office 2016 have very aggressive update systems. Office 2016 basically updates it self.

Office 365 in many ways should be a great option for small business.

Yes, Yes, Yes

[Darren Dirt]

...its a bloated piece of festering poo

..."A John WSUS film"...


(recently I finally got around to watching both Broken Arrow *and* Face/Off on Netflix... and wtf how did I think those were somehow awesome timeless action flicks, omg so many cheesy pointless editing choices and so-bad-it's-still-bad moments of dialog and acting that they make most "Asylum" productions look like classic works of art...)

Sorry off topic, but "WSUS" made me think of "Woo" and I couldn't resist.

anyway, back o/t...

[Melbosa]

So I had to do this on a Windows 2012 R2 WSUS Server today and turns out the WSUS CleanUp Tool doesn't work.  What does work is some new powershell commands so long as you have the latest updates that include some Windows 2016 updates to 2012 R2.  Adding the script to the OP.