If the WSUS Server Cleanup Wizard has never been run and the WSUS has been in production for a while, the cleanup may time out. Remove the WSUS Content folder wherever you had it previously installed (eg. The WSUS Server Cleanup Wizard runs from the WSUS console. On the Triggers tab, set your schedule for once a month or on any schedule you want. Let’s see full path of solving this problem. Copy and paste the WSUS reindex script, and then select OK: Schedule this task to run about 30 minutes after you expect your cleanup to finish running. My cleanup is running at 1:00 AM every first Sunday. For more information about software update maintenance in Configuration Manager, see Software updates maintenance. WSUS Group Policy for Windows servers. As an example, I will be importing update KB4554364 into WSUS. Note: The test URL below uses my-wsus-box as the server name and 8530 as the configured port for the WSUS web site … You can review WsyncMgr.log for more information, and manually run the SQL script that is specified in HELP! You can uncomment them if you are using standalone WSUS or an older version of Configuration Manager. Check the SUP sync schedule and temporarily set it to manual during this process. It should be done on all autonomous WSUS servers in the Configuration Manager/WSUS hierarchy. Since a sync can't be done during the actual cleanup, it's suggested to schedule/complete all tasks overnight. Before declining updates, ensure that the superseding updates are deployed, and that superseded ones are no longer needed. For system administrators to automate their operations, they need coverage through command-line automation. The number 90 in the line that includes DECLARE @thresholdDays INT = 90 should correspond with the Supersedence Rules from step 1 of this procedure, and the correct number of days that aligns with the number of months that is configured in Supersedence Rules. Open SQL Server Management Studio and connect to your WSUS instance. 
Always run the script with the -SkipDecline parameter first, to get a summary of how many superseded updates will be declined. This article addresses some common questions about WSUS maintenance for Configuration Manager environments. If you have never run WSUS cleanup, you need to do the first two cleanups manually. Under the Actions tab, add a new action and specify the program/script you want to run. Usually if it fails, the account running the task doesn't have appropriate permissions or the WID service isn't started. First of all, there is a new product category available in WSUS that you will need to check so the related updates can be downloaded. And I swear I've read every single one of them and tried every single suggestion. If you use this option, you don't need to use the script described later in this section (either by manually running it or by setting up a task to run it on a schedule). If you are using Configuration Manager current branch version 1906 or later versions, we recommend that you enable the WSUS Maintenance options in the software update point configuration at the top-level site to automate the cleanup procedures after each synchronization. If you have downstream WSUS servers, you will need to perform maintenance on them first, and then do the upstream servers. The answer is that you should perform monthly maintenance. However, you should still automatically back up and reindex the WSUS database on a schedule. Configuration Manager includes a separate cleanup, which allows it to expire superseded updates based on specified criteria. If you are utilizing the maintenance features that have been added in Configuration Manager, version 1906, you don't need to consider these items since Configuration Manager handles the cleanup after each synchronization. WSUS maintenance can be performed simultaneously on multiple servers in the same tier.
If you are using Configuration Manager current branch version 1906 or a later version, we recommend that you use Configuration Manager to create the indexes. Manually Import Updates into WSUS. If errors occur when you attempt to use the PowerShell script to decline superseded updates, an alternative SQL script can be run against SUSDB. Your second manual cleanup should be run 30 days from your first since it takes 30 days for some updates and update revisions to age out. When performing a cleanup and removing items from WSUS servers, you should start at the bottom of the hierarchy. Windows Server Update Services (WSUS) is a widely used tool that helps businesses automate their Windows patching process. To determine where SUSDB is running, check the value of the SQLServerName registry entry on the WSUS server located at the HKEY_LOCAL_MACHINE\Software\Microsoft\Update Services\Server\Setup subkey. If you are using Configuration Manager current branch version 1906 or a later version, enabling the Decline expired updates in WSUS according to supersedence rules option handles declining of Expired updates and Superseded updates based on the supersedence rules that are specified in Configuration Manager. WSUS is still fully supported and many companies rely on it. You can use WSUS to fully manage the distribution of updates that are released through Microsoft Update to computers on your network. Again, you must ensure that you don't sync your WSUS during the entire cleanup and reindex time. WSUS enables administrators to manage the distribution of updates and hotfixes released for Microsoft products to computers in a corporate environment. In a WSUS implementation, at least one WSUS server on your network must be able to connect to Microsoft Update to get available update information.
If updates are not configured to be immediately expired in Configuration Manager, the PowerShell script must be run with an exclusion period that matches the Configuration Manager setting for number of days to expire superseded updates. WSUS content was one of the shares affected on the network. If you do, it's possible your downstream servers will just end up resyncing all of the updates you just attempted to clean out. The answer is that you probably could, but I wouldn't. Use SQL Server Management Studio to connect to SUSDB. 2. I usually set this script to run before the other cleanup steps, but only after I have run it manually and ensured it completed successfully. So you can't judge how long this maintenance will normally take. C:\WSUS, or D:\WSUS) Restart the server. Open Task Scheduler and select Create a Task. Make a note of this setting. When you save the task, you may be prompted for credentials of the Run As user. However, I'll walk you through the process in the following steps. As an administrator, you can determine - based on network security and configuration - how many other WSUS servers connect directly to Microsoft Update. To check progress, monitor the Messages tab in the Results pane. Now you should be able to re-install the WSUS role, and if necessary, the Windows Internal Database (WID) role too. Once the SUP is set up, we close the WSUS console and pretend it doesn't exist. 3. Set any other conditions or settings you would like to tweak as well. If you are using Configuration Manager version 1906 or a later version, automate the cleanup procedures by enabling the WSUS Maintenance options in the software update point configuration of the top-level site. Here's an easy way to determine which version of SQL Server Management Studio Express to install: For Windows Server 2012 or later versions: Go to C:\Windows\WID\Log and find the error log that contains the version number. If timeouts continue to occur, see the SQL Server alternative in HELP!
This will free up space on your disk and clean up the WSUS server to some extent. It's just steps that proceed to finish the installation of WSUS. To download the script, right-click the link, and then select Save target as.... Download the script, remove the .txt file extension, and save the file with a .PS1 extension. That said, in cases where WID is used you can use the Task Scheduler with SQLCMD mentioned earlier. So I've been wrestling with our WSUS server for a few days now and I can't manage to get it going. If you haven't backed up the SUSDB database, do so before proceeding further. The current version of this tool does not support the following deployment technologies and techniques: Windows Update Catalog. 1- Select Tools and then select WSUS Server Configuration wizard. Here is a list of available command lines for … To schedule the reindex of the SUSDB, you will need a full version of SQL Server. It brings up a common question: Since I'm not syncing, why shouldn't I run all of the cleanups and reindexes at the same time? This guide also assumes you have a working instance of WSUS installed and configured, using default ports. If Tier2 overlaps Tier3 by a few minutes, it will not cause a problem because my sync isn't scheduled to run. Unfortunately, it can be problematic for Configuration Manager clients, and the overall performance of the WSUS/SUP server. Then check on their completion via the logging the following morning, before the next scheduled sync. My WSUS has been running for years without ever having maintenance done and the cleanup wizard keeps timing out once, which would allow subsequent attempts from Configuration Manager to run successfully. I am a bit aggressive on the timing of the decline scripts. Windows Server Update Services (WSUS) enables the administrators to deploy the latest Microsoft product updates. While creating the maintenance plan, consider adding a backup of the SUSDB into the plan as well. 
As long as you have "Windows 10" checked under products and classifications in WSUS, it should have already been on your WSUS server and you shouldn't have needed to import it. When that completes, run the following script in SQL Server Management Studio or SQL Server Management Studio Express. Before you start the maintenance process, read all of the information and instructions in this article. It takes about 30 minutes to run and I am going to give it another 30 minutes before starting my reindex. Add WSUS Index Optimization to the database to increase the speed of many database operations in WSUS by approximately 1000-1500 times. For each SUSDB, it's a one-time process. Generally, it is not a problem. Run the following script against SUSDB, to create two custom indexes: If custom indexes have been previously created, running the script again results in an error similar to the following one: Msg 1913, Level 16, State 1, Line 4 The Adobe Flash Player removal update is not published in Windows Server Update Service (WSUS); they are planning to release the update in early 2021. Microsoft releases individual updates that are not part of the WSUS catalog, especially for software that is out of support, similar to the Adobe Flash Player removal updates. Launch the WSUS console, expand your server and click Updates. Include the SP level when searching the Microsoft Download Center for SQL Server Management Studio Express. After superseded updates have been declined, for best performance, SUSDB should be reindexed again. WSUS helps maintain order: Instead of having all the Windows clients go to the internet and download the updates, you have one or more WSUS servers that centralize the job and give you control on which updates to release to the clients.
Look up the version number in How to determine the version, edition and update level of SQL Server and its components. Maintenance is easy and doesn't take long for WSUS servers that have been well maintained from the start. If something failed, maintenance can be rescheduled for the next night, once the underlying issue is identified and resolved. The core scenarios where WSUS adds value to your business are: Upgrade from any version of Windows Server that supports WSUS 3.2 to Windows Server 2012 R2 requires that you first uninstall WSUS 3.2. These tasks may run faster or slower depending on the environment, and timing of the schedule should reflect that. It allows you to see which computers require updates, generate reports based on this information and roll out updates from a single point saving bandwidth of your WAN line. For more information, see the following articles: The following SQL query can be run against the SUSDB database, to quickly determine the number of superseded updates. This article includes information about the contents of the update and how to obtain the update. A WSUS server provides features that you can use to manage and distribute updates through a management console. WSUS maintenance tasks can be automated, assuming that a few requirements are met first. If Configuration Manager is used along with WSUS, check Software Update Point Component Properties > Supersedence Rules to see how quickly superseded updates expire, such as immediately or after X months. These options handle all cleanup operations that are performed by the WSUS Server Cleanup Wizard. Select subplan1 and then ensure your Toolbox is in context: Drag and drop the task Execute T-SQL Statement Task: Right-click it and select Edit. For more information about WSUS cleanup and maintenance in Configuration Manager, see the docs.
If you decide you need one of these declined updates in Configuration Manager, you can get it back in WSUS by right-clicking the update, and selecting Approve. In Windows Server 2012, upgrading from any version of Windows Server with WSUS 3.2 installed is blocked during the installation process if WSUS 3.2 is detected. To reindex the WSUS database (SUSDB), use the Reindex the WSUS Database T-SQL script. It would effectively handle all cleanup operations described in this article, except backup and reindexing of WSUS database. Whatever the reason, here are the steps for recreating the SUSDB and the WSUS Content folder for a Windows Server 2012 based WSUS computer: 1. Answer. Before you run the script, follow the steps in The spDeleteUpdate stored procedure runs slowly to improve the performance of the execution of spDeleteUpdate. When using WSUS along with downstream servers, WSUS servers are added from the top down, but should be removed from the bottom up. I finally decided to take matters into my own hands. Make sure that you have a backup of the SUSDB database. And I can schedule it to rerun to completion the next night. However, when using the script to decline superseded updates, the run should be done from the top down. This update is applicable for computers running Windows 10 1903 and Windows 10 1909 OS. For related information, see Reindex the WSUS database. If you go this route, it's important that you don't sync your WSUS servers/SUPs during this maintenance period! You can also use these steps to configure the Decline-SupersededUpdatesWithExclusionPeriod.ps1 script to run every three months. This process is optional but recommended, it greatly improves performance during subsequent cleanup operations. Most of us just set up WSUS servers because it's a prerequisite for a software update point (SUP). The Windows PowerShell cmdlets for WSUS operations add flexibility and agility for the system administrator. 
It's not uncommon for conscientious Configuration Manager administrators to be unaware that WSUS maintenance should be run at all. Summary. WSUS connection timeout errors 4. If you want to learn how to install WSUS, continue to read this part. Enabling the Remove obsolete updates from the WSUS database option in Configuration Manager current branch version 1906 handles the cleanup of Unused updates and update revisions (Obsolete updates). Open WSUS administrator console, go to Options > Products and Classifications. 3. When you use this option, you can see how many updates were declined by reviewing the WsyncMgr.log file after the synchronization process finishes. For standalone WSUS servers or older versions of Configuration Manager, you can continue to use the following steps. It will be much easier or faster in subsequent months. You can use the WSUS Cleanup script. For Windows Server 2008 R2 or previous versions: After installing SQL Server Management Studio Express, launch it, and enter the server name to connect to: For WID, if errors similar to the following occur when attempting to connect to SUSDB using SQL Server Management Studio (SSMS), try launching SSMS using the Run as administrator option. Here's an example: "C:\Program Files\Microsoft SQL Server\110\Tools\Binn\SQLCMD.exe" -S \\.\pipe\Microsoft##WID\tsql\query -i C:\WSUS\SUSDBMaint.sql -o c:\WSUS\reindexout.txt. By exposing core WSUS operations through Windows PowerShell, system administrators can increase productivity, reduce the learning curve for new tools, and reduce errors due to failed expectations resulting from a lack of consistency across similar operations. In this case, the only known corrective measure is to format the hard drive and reinstall Windows Server. I built a lab environment consisting of a domain controller, a WSUS server and a client machine. In that case, you will be prompted to first uninstall Windows Server Update Services prior to upgrading your server. 
Don't change anything for the Role Services of the Web Server and click Next. Update management is the process of controlling the deployment and maintenance of interim software releases into production environments. Alternatively, a utility called sqlcmd can be used to run the reindex script. You can use the Server Cleanup Wizard to get rid of unnecessary updates based on rules. For more information, see Reindex the WSUS Database. Windows Server Update Services Wizard. The second cleanup is a much better indicator of what is normal for your machines. It is not unusual to get the occasional moody WSUS managed-device that will not report and/or update using a correctly configured WSUS server. WSUS Server Cleanup Wizard provides options to clean up the following items: In a Configuration Manager environment, Computers not contacting the server and Unneeded update files options are not relevant because Configuration Manager manages software update content and devices, unless either the Create all WSUS reporting events or Create only WSUS status reporting events options are selected under Software Update Sync Settings. To determine whether a WSUS server is a replica, check the Update Source settings. If the update is no longer in WSUS, it can be imported from the Microsoft Update Catalog, if it hasn't been expired or removed from the catalog. It means I would schedule this task to run every first Sunday at 2:00 AM. Microsoft has released an update for Windows Server Update Services (WSUS) 3.0 Service Pack 2 (SP2). It's recommended to enable these options in the software update point configuration on the top-level site to allow Configuration Manager to clean up the WSUS database. Windows Server Update Services is a role present in Windows Server since 2008, but it has been in place since 2001 under the name Software Update Services. If it times out, run it again until it completes, and then run each of the other options one at a time. Reinstall WSUS with a fresh database.
After it reports the number of items it has removed, the cleanup finishes. If SUSDB was installed on full SQL Server, launch SQL Server Management Studio and enter the name of the server (and instance if needed) when prompted. In the Program/script box, type the following command. You can ignore this warning. The file specified after the -i parameter is the path to the SQL script you saved in step 1. It is required for clients to validate the updates are published from a trusted source. Let’s start with the description of the server policy – ServerWSUSPolicy. On the General tab, set the name of the task, the user that you want to run the PowerShell script as (most people use a service account). Distributed by Microsoft, WSUS was designed to alleviate the pain and difficulty of patching manually. In earlier versions of the Windows Server operating system, there were no Windows PowerShell cmdlets, and update management automation was challenging. For standalone WSUS servers, or if you are using an older version of Configuration Manager, it is recommended that you run the WSUS Cleanup wizard periodically. The steps to install Windows Server Update Services Role on Windows Server 2019 are as follows: Step 1: Log on to the Windows 2019 server on which you plan to install the WSUS server role using an account that is a member of the Local Administrators group. Windows Update Services (WSUS) is a fantastic tool for managing Windows security updates. Ensure that SUPs don't sync during the maintenance process, as it may cause a loss of some work already done. It is located under Options, as shown here: For more information, see Use the Server Cleanup Wizard. WSUS is a Windows Server role and when you install it, you can efficiently manage and deploy the updates. When doing so, ensure that one tier is done before moving onto the next one.
A WSUS server can also be the update source for other WSUS servers within the organization. The Weekend Scripter blog post mentioned in the previous section contains basic directions and troubleshooting for this step. For more information, see Create a Full Database Backup. You're actually adding a type of approval in this case. Questions are often along the lines of How should I properly run this maintenance in a Configuration Manager environment, or How often should I run this maintenance. I run at 12:00 AM on the first Sunday every three months. Not syncing keeps the declines from accidentally flowing into my Tier3 replica WSUS servers from Tier2. How to Install WSUS. Windows Server Update Services is a built-in server role that includes the following enhancements: Can be added and removed by using the Server Manager. WSUS should now be completely gone from your system. WSUS is a repository for updates and associated files. If the value includes the string ##SSEE or ##WID in it, SUSDB is running in WID, as shown: If SUSDB was installed on WID, SQL Server Management Studio Express must be installed locally to run the reindex script. This script performs cleanup options that Configuration Manager current branch version 1906 doesn't do. Hopefully they are faster since my lab environment tends to be a bit slower than a normal production environment. If Configuration Manager is set to Immediately expire superseded updates (see below), the PowerShell script can be used to decline all superseded updates. Group Policy-based user logon script. Lastly make a full pass with all options checked. The main goal is to facilitate WSUS administration by allowing system administrators to automate their day-to-day operations.