3 Useful WSUS Maintenance Options in Configuration Manager
In this post, we will explore the WSUS maintenance options available in Configuration Manager. There are 3 new WSUS maintenance options that automate the cleanup procedures after each SUP synchronization.
With every new version of the Configuration Manager current branch, Microsoft has added some tweaks and improvements to WSUS. I am referring to the WSUS cleanup tasks from the Configuration Manager console from the Software Update Point Component properties.
A lot of organizations today use Configuration Manager and WSUS to deploy software updates to endpoints. If you want to deploy Windows Updates, WSUS and Configuration Manager are the best way to do it. Not just that, Configuration Manager can also deploy third-party updates which is an added advantage.
One of the major concern of SCCM admins is the growing disk space mostly due to the software updates. When the SCCM software updates take up lot of space on hard disk, admins have no option but to keep increasing the size of hard disk. Microsoft has resolved this by introducing the WSUS clean up options in SCCM that will clean up the expired and obsolete updates from the WSUS database.
Keeping the software update points in the setup in good shape is one of the hardest parts of deploying updates. With so many operating systems, third-party applications, and a large number of updates, you want WSUS to be healthy and clean. This includes the big task of removing obsolete updates from the WSUS databases, declining expired updates, etc. You can use the options for WSUS maintenance, which are explained in the next section.
Table of Contents
What are WSUS Maintenance Options in Configuration Manager?
Starting with Configuration Manager 1906 and above, you will find 3 new WSUS maintenance tasks. Enabling these options will perform the cleanup procedures after each SUP synchronization. In Configuration Manager, you can turn on the WSUS Maintenance options for the software update point configuration.
These maintenance tasks would effectively handle all cleanup operations except backup and re-indexing of the WSUS database. The WSUS maintenance tasks in SCCM help you to maintain healthy software update points.
On the Software Update Point properties, the WSUS Maintenance tab now contains 3 new WSUS maintenance options.
- Decline expired updates in WSUS according to supersedence rules.
- Add non-clustered indexes to the WSUS database to improve WSUS cleanup performance.
- Remove obsolete updates from the WSUS database.
If you haven’t enabled them yet, you can do so however let’s understand what each of these WSUS maintenance options in Configuration Manager do. Note that the WSUS maintenance occurs after every SUP synchronization.
Decline Expired Updates in WSUS according to supersedence rules
Declining expired updates in WSUS improves performance by removing those updates from the catalogs sent to clients. This option existed on standalone WSUS as well. The WSUS server cleanup wizard had an option to remove expired updates.
Declining expired updates that Configuration Manager marks as superseded further minimizes the catalogs and improves performance.
On the Software Update point properties, you can decline expired updates using the below steps.
- In the Configuration Manager console, navigate to Administration > Overview > Site Configuration > Sites.
- Select the site at the top of your Configuration Manager hierarchy.
- Click Configure Site Components in the Settings group. Then click Software Update Point to open Software Update Point Component Properties.
- In the WSUS Maintenance tab, select Decline expired updates in WSUS according to supersedence rules. Click Apply and OK.
Add Non-clustered indexes to the WSUS database
This WSUS maintenance option improves WSUS cleanup performance. Configuration Manager can add non-clustered indexes to the WSUS databases which actually improves the WSUS performance.
Cluster index is a type of index that sorts the data rows in the table on their key values whereas the Non-clustered index stores the data at one location and indices at another location.
Perform the below steps to enable Add Non-clustered indexes to the WSUS database.
- In the Configuration Manager console, navigate to Administration > Overview > Site Configuration > Sites.
- Select the site at the top of your Configuration Manager hierarchy. Click Software Update Point to open Software Update Point Component Properties.
- In the WSUS Maintenance tab, select Add Non-clustered indexes to the WSUS database. Click Apply and OK.
On each SUSDB used by Configuration Manager, indexes are added to the following tables.
- tbLocalizedPropertyForRevision
- tbRevisionSupersedesUpdate
Remove Obsolete updates from the WSUS database
Among all the WSUS maintenance options in Configuration Manager, removal of obsolete updates is my favorite. Obsolete updates are unused updates and update revisions in the WSUS database. If an update is no longer in Microsoft Update Catalog and isn’t required, the update is considered obsolete. You don’t want your WSUS database to include obsolete updates.
Perform the below steps to remove obsolete updates from the WSUS database.
- In the Configuration Manager console, navigate to Administration > Overview > Site Configuration > Sites.
- Select the site at the top of your Configuration Manager hierarchy. Click Software Update Point to open Software Update Point Component Properties.
- Click the WSUS Maintenance tab. From the list of WSUS maintenance options, select Remove Obsolete updates from the WSUS database. Click Apply and OK.
Note: The obsolete update removal will be allowed to run for a maximum of 30 minutes before being stopped. It will start up again after the next synchronization occurs
Synchronize Software Updates
As we mentioned previously, Configuration Manager’s WSUS maintenance options run after every SUP synchronization. So if you have enabled any of these WSUS maintenance options, either run the SUP synchronization manually or wait for SUP to run based on the schedule.
With WSUS maintenance options enabled, when you run the software update synchronization, we see the following lines in wsyncmgr.log. In the log file we see the database clean being performed, obsolete updates declined and indexing the SUSDB.
Done Indexing SUSDB. Custom indexes were created if they didn't exist previously.
sync: SMS performing cleanup SMS_WSUS_SYNC_MANAGER
Cleanup processed 2113 total updates and declined 21
Done Declining updates in WSUS Server
Starting Deletion of ObseleteUpdates
Obselete Update with Update ID: CCC2CED6-08B3-4A46-B083-5B8BABE48489 was deleted.
Obselete Update with Update ID: E4AEFB6D-2F6D-4558-B0E3-FB2D0D0311D8 was deleted.
I hope by now you have got an idea about the WSUS maintenance options in Configuration Manager and how useful they are. Go ahead and enable them and keep your software update points healthy.
One another thing i was thinking about, in classification you must tick windows 10 1903 or later to get for example 22H2 updates. But if you know for sure that there is only 22H2 computers i dont want to download alla patches for 20H2, 1909 and so on, how can i do that?
If yo do “Remove Obsolete updates from the WSUS database”, does it only remove them from the wsus database or does it also delete the files from the wsuscontent?
if it doesnt, how can i reduce the diskspace and delete files, i mean i must know what files i can remove. Every entry that “Remove Obsolete updates from the WSUS database” do when remove from db, this must be an corresponding file in wsuscontent.
if you have an old wsus installation and from the beginning you had for example server 2012 and server 2016 ticked in classification and now you dont need that anymore så you remove that tickbox in classification, i assume that all files in wsuscontent that has with these two operating system will not be deleted.
Also whatabout defender, i assume that there is many-many defender files in wsuscontent that you dont need anymore, how to remove all these?