Version 4.1 by Sebastian Marsching on 2022/05/30 12:28

{{toc/}}

For more information on WSUS, also see [[Windows Server 2012 R2|doc:Windows.Windows_Server_2012_R2.WebHome]].

# Removing superseded updates

With new updates being released regularly, more and more superseded updates accumulate over time. The files for those superseded updates consume a considerable amount of disk space after some time.

Superseded updates that have been approved for installation can be found by selecting approved updates in the "All Updates" view, adding the "Supersedence" column and then sorting by this column.

There are two ways to remove the files for those updates:

The first option is to decline them and then run the "Server Cleanup Wizard" (which can be found in the "Options" area). This method is described [here](http://www.tecknowledgebase.com/43/how-to-identify-and-decline-superseded-updates-in-wsus/). This method has the disadvantage that updates that might be needed in the future may be accidentally declined because the supersedence status is not 100% reliable (an update might only be superseded by another update for certain system configurations). One comment in the linked article suggests declining the updates, then running the cleanup wizard, and finally setting them back to "not approved".

The second option is to mark the updates as "Not Approved". However, this will not delete the associated files, and there is no direct option to delete those files either. The only way is to remove all files in the `WsusContent` folder and then download the files that are still needed again. The WSUS service should be stopped before deleting the files and restarted afterwards. After that, `WsusUtil.exe` (which can be found in `C:\Program Files\Update Services\Tools`) should be run with the `reset` command. This will start the background process that downloads the needed files. This method is described [here](http://blogs.technet.com/b/gborger/archive/2009/02/27/what-to-do-when-your-wsuscontent-folder-grows-too-large.aspx).

Regarding WSUS maintenance, there is another [blog entry](https://blogs.technet.microsoft.com/configurationmgr/2016/01/26/the-complete-guide-to-microsoft-wsus-and-configuration-manager-sup-maintenance/) in the TechNet blog that describes maintenance tasks that should periodically be run on a WSUS server (e.g. re-indexing the database). It also provides some hints regarding what to do if the Server Cleanup Wizard keeps timing out.

In addition to the hints in that article, I found another trick: For me, the Server Cleanup Wizard was timing out when running the "Decline expired updates" action. I could fix this by running the `spDeclineExpiredUpdates` procedure from SQL Studio. I used "WUS Server" for the `adminName` parameter of this procedure. After that, I ran the wizard again and regenerated the indices. After doing this a few times, the wizard would finally complete without timing out. As always, make a backup of the `SUSDB` database before trying any of this.

My idea to run `spDeclineExpiredUpdates` was based on the ideas given in [this thread](https://social.technet.microsoft.com/Forums/windows/en-US/7b12f8b2-d0e6-4f63-a98a-019356183c29/getting-past-wsus-cleanup-wizard-time-out-removing-unnecessary-updates?forum=winserverwsus).
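An added example (not part of the original page): a PowerShell report of the approved updates that WSUS marks as superseded, which is the set the first option above would decline. The `NewerApproved` column and the output file name are choices made for this example, so that the list can be reviewed before anything is declined.

```powershell
# Added example: list approved updates that WSUS flags as superseded, together
# with the updates that supersede them. Nothing is declined or deleted here.
# Run in an elevated session on the WSUS server (UpdateServices module).
$wsus = Get-WsusServer

# Relationship selector from the WSUS administration API.
$supersededBy = [Microsoft.UpdateServices.Administration.UpdateRelationship]::UpdatesThatSupersedeThisUpdate

$report = foreach ($update in $wsus.GetUpdates()) {
    if (-not ($update.IsApproved -and $update.IsSuperseded)) { continue }

    $newer = @($update.GetRelatedUpdates($supersededBy))

    [pscustomobject]@{
        Title         = $update.Title
        KB            = ($update.KnowledgebaseArticles -join ',')
        UpdateId      = $update.Id.UpdateId
        Revision      = $update.Id.RevisionNumber
        SupersededBy  = ($newer.Title -join ' | ')
        # Supersedence may only hold for some system configurations, so this
        # column records whether at least one superseding update is approved.
        NewerApproved = [bool]($newer | Where-Object { $_.IsApproved })
    }
}

# Rows with NewerApproved = False sort first: those need the closest look.
$report |
    Sort-Object NewerApproved, Title |
    Export-Csv -Path .\approved-superseded.csv -NoTypeInformation -Encoding UTF8

"{0} approved updates are marked as superseded" -f @($report).Count
```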

# Optimizing IIS pool settings

* Queue length: 2000 (default 1000, WAM recommends 25000)
* Idle time-out (minutes): 0 (default 20)
* Ping enabled: False (default True)
* Private memory limit (KB): 0 (unlimited, default 4294967)
* Regular Time Interval (minutes): 0 (default 1740)

(see <https://docs.microsoft.com/en-us/troubleshoot/mem/configmgr/windows-server-update-services-best-practices>)
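The settings above applied with the WebAdministration module and read back afterwards, as an added example that is not from the original page. It assumes the WSUS application pool has its default name, `WsusPool`.

```powershell
# Added example: apply the listed pool settings and verify them.
# Assumption: the WSUS application pool is named "WsusPool" (the default).
Import-Module WebAdministration
$pool = 'IIS:\AppPools\WsusPool'

# IIS attribute name -> value from the list above.
$settings = [ordered]@{
    'queueLength'                             = 2000              # Queue length
    'processModel.idleTimeout'                = [TimeSpan]::Zero  # Idle time-out: 0
    'processModel.pingingEnabled'             = $false            # Ping enabled: False
    'recycling.periodicRestart.privateMemory' = 0                 # Private memory limit: 0
    'recycling.periodicRestart.time'          = [TimeSpan]::Zero  # Regular time interval: 0
}

foreach ($name in $settings.Keys) {
    Set-ItemProperty -Path $pool -Name $name -Value $settings[$name]
}

# Read every value back so that a setting that did not apply is visible.
foreach ($name in $settings.Keys) {
    $actual = Get-ItemProperty -Path $pool -Name $name
    # Depending on the attribute, the provider returns the value itself or
    # a configuration attribute object that wraps it in a Value property.
    if ($null -ne $actual -and $actual.PSObject.Properties['Value']) {
        $actual = $actual.Value
    }

    [pscustomobject]@{
        Setting  = $name
        Expected = $settings[$name]
        Actual   = $actual
        Ok       = ($actual -eq $settings[$name])
    }
}
```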

# IIS site settings for TLS

Configure a TLS certificate for port 8531. After that, run

```bat
"%programfiles%\Update Services\Tools\WsusUtil.exe" configuressl <FQDN>
```

Require SSL (SSL Settings => Require SSL) for the following endpoints:

* ApiRemoting30
* ClientWebService
* DssAuthWebService
* ServerSyncWebService
* SimpleAuthWebService

(see <https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/hh852346(v=ws.11)?redirectedfrom=MSDN#35-secure-wsus-with-the-secure-sockets-layer-protocol> and <https://www.ajtek.ca/wsus/how-to-setup-manage-and-maintain-wsus-part-7-ssl-setup-for-wsus-and-why-you-should-care/>)
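An added example (not from the original page) that checks the "Require SSL" flag on the five endpoints listed above and sets it where it is missing. It assumes the IIS site has its default name, `WSUS Administration`.

```powershell
# Added example: audit and enforce "Require SSL" on the WSUS endpoints.
# Assumption: the IIS site is named "WSUS Administration" (the default).
Import-Module WebAdministration

$site      = 'WSUS Administration'
$endpoints = 'ApiRemoting30', 'ClientWebService', 'DssAuthWebService',
             'ServerSyncWebService', 'SimpleAuthWebService'
$filter    = 'system.webServer/security/access'
$psPath    = 'MACHINE/WEBROOT/APPHOST'   # the section is stored in applicationHost.config

function Get-SslFlags([string]$Location) {
    $v = Get-WebConfigurationProperty -PSPath $psPath -Location $Location `
             -Filter $filter -Name 'sslFlags'
    # The cmdlet returns either the flag string or an object wrapping it.
    if ($v -is [string]) { $v } else { [string]$v.Value }
}

foreach ($endpoint in $endpoints) {
    $location = "$site/$endpoint"
    $before   = Get-SslFlags $location

    # sslFlags is a comma-separated flag list; "Ssl" is the Require SSL flag.
    if (($before -split ',\s*') -notcontains 'Ssl') {
        Set-WebConfigurationProperty -PSPath $psPath -Location $location `
            -Filter $filter -Name 'sslFlags' -Value 'Ssl'
    }

    [pscustomobject]@{
        Endpoint = $endpoint
        Before   = $before
        After    = Get-SslFlags $location
    }
}
```

A `Before` value without `Ssl` on a server that was already supposed to be configured means that endpoint accepted plain HTTP until this run.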

# Enabling compression

Enable dynamic compression by running

```bat
cscript "%programfiles%\update services\setup\DynamicCompression.vbs" /enable "%programfiles%\Update Services\WebServices\suscomp.dll"
```

# Importing updates into WSUS

```powershell
$wsus = Get-WsusServer
$wsus.ImportUpdateFromCatalogSite('<Update ID>', '<Full path to update file>')
```

(see <https://www.windowspro.de/wolfgang-sommergut/updates-manuell-wsus-importieren-ie-powershell> (in German))

Strong cryptography for the .NET Framework has to be enabled in order for this to work, but even then I somehow couldn’t make this method work, so I resorted to opening the Microsoft Update Catalog in Internet Explorer and directly importing the updates from there (that method worked for me).

# Resources

* WSUS Best Practices: <https://docs.microsoft.com/en-US/troubleshoot/mem/configmgr/windows-server-update-services-best-practices>
* WSUS Maintenance: <https://docs.microsoft.com/en-US/troubleshoot/mem/configmgr/wsus-maintenance-guide>