If you use an older version of Configuration Manager or standalone WSUS servers, follow these steps to create custom indexes in the SUSDB database. To Install WSUS: Re-add the WSUS Role It is located under Options, as shown here: For more information, see Use the Server Cleanup Wizard. If timeouts continue to occur, see the SQL Server alternative in HELP! My WSUS has been running for years without ever having maintenance done and the cleanup wizard keeps timing out. For related information, see Reindex the WSUS database. If something failed, maintenance can be rescheduled for the next night, once the underlying issue is identified and resolved. In this case, it would be 60 days since SUP component properties are configured to wait two months before expiring superseded updates: The following command lines illustrate the various ways that the PowerShell script can be run (if the script is being run on the WSUS server, LOCALHOST can be used in place of the actual SERVERNAME): Running the script with a -SkipDecline and -ExclusionPeriod 60 to gather information about updates on the WSUS server, and how many updates could be declined: Running the script with -ExclusionPeriod 60, to decline superseded updates older than 60 days: The output and progress indicators are displayed while the script is running. Select Run whether a user is logged on or not, and then add a description if you wish. Stop the WSUS service and IIS Service with the following command: stop-service WSUSService, W3SVC You're actually adding a type of approval in this case. If you google "force wsus client to check in to wsus server", you'll see almost 300,000 results. However, because of changes in this release of Windows Server and Windows Server 2012 R2, when upgrading from any version of Windows Server and WSUS 3.2, the installation is not blocked. If you have one of these options configured, you should consider automating the WSUS Server Cleanup to perform cleanup of these two options. Reinstall WSUS with a fresh database. This guide also assumes you have a working instance of WSUS installed and configured, using default ports. It allows you to see which computers require updates, generate reports based on this information and roll out updates from a single point saving bandwidth of your WAN line. Note: The test URL below uses my-wsus-box as the server name and 8530 as the configured port for the WSUS web site … The next day, you should find you have a file on disk that … WSUS maintenance tasks can be automated, assuming that a few requirements are met first. If you want to learn how to install WSUS, continue to read this part. This script is provided as is. Handy WSUS Commands(Windows Server Update Services Commands, WAUACLT, PowerShell and USOClient), how to Start, Stop and Restart Windows Server Update Services (WSUS) via PowerShell and CMD, indows Server Update Services: Windows 2016 Servers does not show up on WSUS console, and WSUS clients appear and disappear from the WSUS … Let’s start with the description of the server policy – ServerWSUSPolicy. Schedule this task to start about 30 minutes after you expect your cleanup to finish running. WSUS is still fully supported and many companies rely on it. The second cleanup is a much better indicator of what is normal for your machines. It may add more time to the schedule. Here's an example: "C:\Program Files\Microsoft SQL Server\110\Tools\Binn\SQLCMD.exe" -S \\.\pipe\Microsoft##WID\tsql\query -i C:\WSUS\SUSDBMaint.sql -o c:\WSUS\reindexout.txt. My WSUS has been running for years without ever having maintenance done and the cleanup wizard keeps timing out once, which would allow subsequent attempts from Configuration Manager to run successfully. Adds SHA256 hash capability for additional security. Unfortunately, it can be problematic for Configuration Manager clients, and the overall performance of the WSUS/SUP server. If Tier2 overlaps Tier3 by a few minutes, it will not cause a problem because my sync isn't scheduled to run. How to Use WSUSUtil.exe to Move the WSUSContent Folder to a New Location. There are a number of caveats related to this, including length of initial sync, and full client scans against SUSDB, versus differential scans. It should be done on all autonomous WSUS servers in the Configuration Manager/WSUS hierarchy. WSUS Group Policy for Windows servers. WSUS 102.3 is the Tri State area's station playing the best of the 80's to now for Franklin, Newton, Vernon, Augusta, Sparta; and all of Sussex and Pike counties. For more information about SUP maintenance in Configuration Manager, see the following articles: maintenance features that have been added in Configuration Manager, version 1906, How to determine the version, edition and update level of SQL Server and its components, WSUS cleanup behavior starting in version 1810, Running the Decline-SupersededUpdatesWithExclusionPeriod.ps1 script times out when connecting to the WSUS server, or a 401 error occurs while running, HELP! This article addresses some common questions about WSUS maintenance for Configuration Manager environments. The file specified after the -i parameter is the path to the SQL script you saved in step 1. Add WSUS Index Optimization to the database to increase the speed of many database operations in WSUS by approximately 1000-1500 times faster. Remove all Drivers from the WSUS Database (Default; Optional). Make a note of this setting. Decline superseded updates in the WSUS server to help clients scan more efficiently. The main goal is to facilitate WSUS administration by allowing system administrators to automate their day-to-day operations. Open SQL Server Management Studio and connect to your WSUS instance. The Windows PowerShell cmdlets for WSUS operations add flexibility and agility for the system administrator. The Adobe Flash Player removal update is not published in Windows Server Update Service (WSUS), they are planning to release the update in early 2021; Microsoft releases individual updates that are not part of the WSUS catalog especially the software that is out of support similar to Adobe flash player removal updates. Remove the WSUS Content folder wherever you had it previously installed (eg. Use the below procedure to manually import updates in WSUS. Group Policy-based computer startup script. Lastly make a full pass with all options checked. If you are utilizing the maintenance features that have been added in Configuration Manager, version 1906, you don't need to consider these items since Configuration Manager handles the cleanup after each synchronization. My cleanup is running at 1:00 AM every first Sunday. Click Next Once again Next without Add any Feature Click once again Next. Original product version:   Windows Servers, Windows Server Update Services, Configuration Manager Once the SUP is set up, we close the WSUS console and pretend it doesn't exist. Maintenance is easy and doesn't take long for WSUS servers that have been well maintained from the start. You can use WSUS to fully manage the distribution of updates that are released through Microsoft Update to computers on your network. WSUS Offline Update is a simple, lightweight, elegant solution, released free to use under the GNU GPL license. Open PowerShell as admin. Listen to WSUS for Steve Andrews every weekday morning - and your favorite music all day long! But the problem is now when I run the reinstall command: And the Results pane will contain messages related to what indexes were rebuilt. If the value includes the string ##SSEE or ##WID in it, SUSDB is running in WID, as shown: If SUSDB was installed on WID, SQL Server Management Studio Express must be installed locally to run the reindex script. WSUS is a repository for updates and associated files. You can review WsyncMgr.log for more information, and manually run the SQL script that is specified in HELP! Before you run the script, follow the steps in The spDeleteUpdate stored procedure runs slowly to improve the performance of the execution of spDeleteUpdate. On the General tab, set the name of the task, the user that you want to run the PowerShell script as (most people use a service account). If updates are not configured to be immediately expired in Configuration Manager, the PowerShell script must be run with an exclusion period that matches the Configuration Manager setting for number of days to expire superseded updates. For standalone WSUS servers, or if you are using an older version of Configuration Manager, it is recommended that you run the WSUS Cleanup wizard periodically. Include the SP level when searching the Microsoft Download Center for SQL Server Management Studio Express. In Windows Server 2012, upgrading from any version of Windows Server with WSUS 3.2 installed is blocked during the installation process if WSUS 3.2 is detected. Windows Server Update Services Wizard. Set any other conditions or settings you would like to tweak as well. Always run the script with the -SkipDecline parameter first, to get a summary of how many superseded updates will be declined. Hrm, according to my WSUS server, that version of .NET was released to Windows 10 1607 back on 8/20/19 and falls under the Windows 10 product category. Ensure you have a backup of the SUSDB database, then run a reindex. If you are using Configuration Manager current branch version 1906 or a later version, we recommend that you use Configuration Manager to create the indexes. Make sure that you have a backup of the SUSDB database. For more information, see Create a Full Database Backup. To create the indexes, configure the Add non-clustered indexes to the WSUS database option in the software update point configuration for the top-most site. Windows Server Update Services. 1- Select Tools and then select WSUS Server Configuration wizard. It takes about 30 minutes to run and I am going to give it another 30 minutes before starting my reindex. The link below is the one I like to use to test the connection from the WSUS managed device to the WSUS web site.. To reindex the WSUS database (SUSDB), use the Reindex the WSUS Database T-SQL script. When syncing or adding updates, they go to the upstream WSUS server first, then replicate down to the downstream servers. After superseded updates have been declined, for best performance, SUSDB should be reindexed again. If errors occur when you attempt to use the PowerShell script to decline superseded updates, an alternative SQL script can be run against SUDB. For system administrators to automate their operations, they need coverage through command-line automation. For more information about WSUS cleanup and maintenance in Configuration Manager, see the docs. Use SQL Management Studio to connect to the SUSDB database, in the same manner as described in the Reindex the WSUS database section. This process is optional but recommended, it greatly improves performance during subsequent cleanup operations. Most clients failed to install updates with possibly different errors. If you are using Configuration Manager current branch version 1906 or a later version, we recommend that you automatically decline the superseded updates by enabling the Decline expired updates in WSUS according to supersedence rules option in the software update point configuration for the top-most site. If Configuration Manager is set to Immediately expire superseded updates (see below), the PowerShell script can be used to decline all superseded updates. For more information about determining if a WSUS server is a replica, see Decline superseded updates. It takes about 30 minutes to run, and I am going to give it another 30 minutes before starting reindex. If you have downstream WSUS servers, you will need to perform maintenance on them first, and then do the upstream servers. WSUS content was one of the share affected in network. This is important because you need to figure out about how long each step takes as a baseline (I also like to add about 30-minutes wiggle room) so that you can determine the timing for your schedule. The WSUS Server Cleanup Wizard runs from the WSUS console. I am a bit aggressive on the timing of the decline scripts. The file specified after the -o parameter is where you would like the log to be placed. My WSUS has been running for years without ever having maintenance done and the cleanup wizard keeps timing out, The spDeleteUpdate stored procedure runs slowly, Weekend Scripter: Use the Windows Task Scheduler to Run a Windows PowerShell Script, Decline-SupersededUpdatesWithExclusionPeriod.ps1, Software updates maintenance in Configuration Manager, If the OS is Windows Server 2012 or later versions, use, If the OS is older than Windows Server 2012, enter, Unused updates and update revisions (also known as Obsolete updates). To run the script in either SQL Server Management Studio or SQL Server Management Studio Express, select New Query, paste the script in the window, and then select Execute. Original KB number:   4490644. WSUS helps maintain order: Instead of having all the Windows clients go to the internet and download the updates, you have one or more WSUS servers that centralize the job and give you control on which updates to release to the clients. The steps to connect to SUSDB and perform the reindex differ, depending on whether SUSDB is running in SQL Server or Windows Internal Database (WID). Windows Server Update Services (WSUS) enables the administrators to deploy the latest Microsoft product updates. Answer. When doing so, ensure that one tier is done before moving onto the next one. It may take multiple hours or days for the Server Cleanup Wizard or SQL alternative to run through completion. I schedule this overnight before my AM sync, so I have time to check on it before my sync runs. WSUS is a Windows Server server role and when you install it, you can efficiently manage and deploy the updates. WSUS should now be completely gone from your system. The answer is that you probably could, but I wouldn't. Failure to uninstall WSUS 3.2 prior to performing a Windows Server 2012 R2 upgrade will cause the post installation tasks for WSUS in Windows Server 2012 R2 to fail. If the WSUS Server Cleanup Wizard has never been run and the WSUS has been in production for a while, the cleanup may time out. Copy and paste the WSUS reindex script, and then select OK: Schedule this task to run about 30 minutes after you expect your cleanup to finish running. Declining superseded updates is really a type of addition to an update rather than a removal. For Windows Server 2008 R2 or previous versions: After installing SQL Server Management Studio Express, launch it, and enter the server name to connect to: For WID, if errors similar to the following occur when attempting to connect to SUSDB using SQL Server Management Studio (SSMS), try launching SSMS using the Run as administrator option. So I've been wrestling with our WSUS server for a few days now and I can't manage to get it going. When it's finished, a Query executed successfully message will be displayed in the status bar. No unusual to get the occasional moody WSUS managed-device that will not report and/or update using a correctly configured WSUS server. Open WSUS administrator console, go to Options > Products and Classifications. WSUS Server Cleanup Wizard provides options to clean up the following items: In a Configuration Manager environment, Computers not contacting the server and Unneeded update files options are not relevant because Configuration Manager manages software update content and devices, unless either the Create all WSUS reporting events or Create only WSUS status reporting events options are selected under Software Update Sync Settings. Here are the steps to configure SSL on your servers running the Windows Server Update Services. It means I would schedule this task for every first Sunday at 2:00 AM, as shown here: Select the action to Start a program. In a WSUS implementation, at least one WSUS server on your network must be able to connect to Microsoft Update to get available update information. I did give myself extra time between the Tier3 decline and the Tier3 cleanup since I definitely want to make sure the decline script finishes before running my cleanup. You can use the WSUS Cleanup script. If you would like a log, you can modify the last line of the script as follows: You'll get an FYI/warning in Task Scheduler when you save. This script performs cleanup options that Configuration Manager current branch version 1906 doesn't do. This guide was written using Server 2012 R2, however it should be the same steps for Windows Server 2008 R2 as well. WSUS maintenance tasks can be automated, assuming that a few requirements are met first. If you haven't backed up the SUSDB database, do so before proceeding further. Update management is the process of controlling the deployment and maintenance of interim software releases into production environments. The Weekend Scripter blog post mentioned in the previous section contains basic directions and troubleshooting for this step. Since a sync can't be done during the actual cleanup, it's suggested to schedule/complete all tasks overnight. Group Policy-based user logon script. If your organization cannot determine and maintain a known level of trust within its operating systems and application software, it might have a number of security vulnerabilities that, if exploited, could lead to a loss of revenue and intellectual property. And I can schedule it to rerun to completion the next night. This update is applicable for computers running Windows 10 1903 and Windows 10 1909 OS. If SUSDB was installed on full SQL Server, launch SQL Server Management Studio and enter the name of the server (and instance if needed) when prompted. To download the script, right-click the link, and then select Save target as.... Download the script, remove the .txt file extension, and save the file with a .PS1 extension. Microsoft has released an update for Windows Server Update Services (WSUS) 3.0 Service Pack 2 (SP2). To determine whether a WSUS server is a replica, check the Update Source settings. Then check on their completion via the logging the following morning, before the next scheduled sync. The core scenarios where WSUS adds value to your business are: Upgrade from any version of Windows Server that supports WSUS 3.2 to Windows Server 2012 R2 requires that you first uninstall WSUS 3.2. When that completes, run the following script in SQL Server Management Studio or SQL Server Management Studio Express. Windows Server Update Services (WSUS), previously known as Software Update Services (SUS), is a computer program and network service developed by Microsoft Corporation that enables administrators to manage the distribution of updates and hotfixes released for Microsoft products to computers in a corporate environment. To check progress, monitor the Messages tab in the Results pane. Windows Server Update Services (WSUS) is a widely used tool that helps businesses automate their Windows patching process. Minimizing this threat requires you to have properly configured systems, use the latest software, and install the recommended software updates. It brings up a common question: Since I'm not syncing, why shouldn't I run all of the cleanups and reindexes at the same time? As an administrator, you can determine - based on network security and configuration - how many other WSUS servers connect directly to Microsoft Update. It would effectively handle all cleanup operations described in this article, except backup and reindexing of WSUS database. For example, my CAS site has two SUPs: The basic steps necessary for proper WSUS maintenance include: Back up the WSUS database (SUSDB) by using the desired method. Ensure that SUPs don't sync during the maintenance process, as it may cause a loss of some work already done. I finally decided to take matters into my own hands. If the value contains just the server name or server\instance, SUSDB is running on a SQL Server. You'll get a warning, similar to the one you got when creating the cleanup task. It's recommended to enable these options in the software update point configuration on the top-level site to allow Configuration Manager to clean up the WSUS database. In the Program/script box, type the following command. If you do, it's possible your downstream servers will just end up resyncing all of the updates you just attempted to clean out. And I swear I've read every single one of them and tried every single suggestion. For more information, see the following articles: The following SQL query can be run against the SUSDB database, to quickly determine the number of superseded updates. Don't change anything for the Role Services of the Web Server and click Next. Save the Reindex the WSUS database script as a .sql file (for example, SUSDBMaint.sql). Expand Management, right-click Maintenance Plans, and then select New Maintenance Plan. Generally is not a problem. For more information, see Reindex the WSUS Database. This topic provides an overview of this server role and more information about how to deploy and maintain WSUS. In that case, you will need to start it again or use the SQL alternative. Configure Windows Server Update Services. These tasks may run faster or slower depending on the environment, and timing of the schedule should reflect that. It helps you maintain operational efficiency, overcome security vulnerabilities, and maintain the stability of your production environment. WSUS maintenance can be performed simultaneously on multiple servers in the same tier. If you do not see this information returned on your WSUS server, it is safe to assume that the cleanup timed out. If you are using standalone WSUS servers or an older version of configuration Manager, you can manually decline superseded updates by using the WSUS console. As mentioned previously, if you are using Configuration Manager current branch version 1906 or a later version, automate the cleanup procedures by enabling the WSUS Maintenance options in the software update point configuration of the top-level site. The answer is that you should perform monthly maintenance. If you have never run WSUS cleanup, you need to do the first two cleanups manually. Fortunately only those data were lost. Select subplan1 and then ensure your Toolbox is in context: Drag and drop the task Execute T-SQL Statement Task: Right-click it and select Edit. For each SUSDB, it's a one-time process. My cleanup is running at 1:00 AM every first Sunday. After it finishes, follow all of the above instructions for running maintenance. Check the Windows Server Update Services and at the same time click Add Features. In this scenario, you can schedule the WSUS database backup and reindexing jobs to run before the configured sync schedule without worrying about any of the other steps, because Configuration Manager will handle everything else. If you use this option, you don't need to use the script described later in this section (either by manually running it or by setting up as task to run it on a schedule). Not syncing keeps the declines from accidentally flowing into my Tier3 replica WSUS servers from Tier2. Includes Windows PowerShell cmdlets to manage the most important administrative tasks in WSUS. I built a lab environment consisting of a domain controller, a WSUS server and a client machine. If you're using Configuration Manager current branch version 1906 or a later version to perform WSUS Maintenance, Configuration Manager performs the cleanup after synchronization using the top-down approach. A WSUS server provides features that you can use to manage and distribute updates through a management console. This will free up space on your disk and clean up the WSUS server to some extent. Your second manual cleanup should be run 30 days from your first since it takes 30 days for some updates and update revisions to age out. 2. you can use the Server Cleanup Wizard to get rid of unnecessary updates based on rules. Before you start the maintenance process, read all of the information and instructions in this article. Applies To: Windows Server (Semi-Annual Channel), Windows Server 2019, Windows Server 2016, Windows Server 2012 R2, Windows Server 2012. If Configuration Manager is used along with WSUS, check Software Update Point Component Properties > Supersedence Rules to see how quickly superseded updates expire, such as immediately or after X months. It's not uncommon for conscientious Configuration Manager administrators to be unaware that WSUS maintenance should be run at all. After it reports the number of items it has removed, the cleanup finishes. Give your plan a name. It means I would schedule this task to run every first Sunday at 2:00 AM. It refused to repair and I tried all the suggestions I found around when I decided it was best to do a complete re-install. The operation failed because an index or statistics with name 'nclLocalizedPropertyID' already exists on table 'dbo.tbLocalizedPropertyForRevision'. By exposing core WSUS operations through Windows PowerShell, system administrators can increase productivity, reduce the learning curve for new tools, and reduce errors due to failed expectations resulting from a lack of consistency across similar operations. When you save the task, you may be prompted for credentials of the Run As user. If you have never run WSUS Cleanup wizard, running the cleanup with Unused updates and update revisions may require a few passes. But there was question how force WSUS server to download patches once again after deletion? Enabling the Remove obsolete updates from the WSUS database option in Configuration Manager current branch version 1906 handles the cleanup of Unused updates and update revisions (Obsolete updates). To determine where SUSDB is running, check value of the SQLServerName registry entry on the WSUS server located at the HKEY_LOCAL_MACHINE\Software\Microsoft\Update Services\Server\Setup subkey. It is not a true deployment tool. However, when using the script to decline superseded updates, the run should be done from the top down. Run the following script against SUSDB, to create two custom indexes: If custom indexes have been previously created, running the script again results in an error similar to the following one: Msg 1913, Level 16, State 1, Line 4 Usually if it fails, the account running the task doesn't have appropriate permissions or the WID service isn't started. Let’s see full path of solving this problem. You can uncomment them if you are using standalone WSUS or an older version of Configuration Manager. WSUS enables administrators to manage the distribution of updates and hotfixes released for Microsoft products to computers in a corporate environment. You can ignore this warning. This last step is necessary because the spDeleteUpdate stored procedure only removes unused updates and update revisions. Windows Server Update Services is a built-in server role that includes the following enhancements: Can be added and removed by using the Server Manager. C:\WSUS, or D:\WSUS) Restart the server. Change the approval to Not Approved, and then resync the SUP to bring the update back in.