- Recommended security settings and new group policies for Microsoft Edge (from 107 on) - Fri, Jan 27 2023
- Save and access the BitLocker recovery key in the Microsoft account - Tue, Jan 24 2023
- Reopen apps after Windows startup - Thu, Jan 19 2023
Even if you don't subscribe to many products and don't activate problematic classifications such as drivers or language packs, WSUS can quickly consume hundreds of GB of disk space. One trigger for this is automatic approvals, where activating the default rule is often enough to run out of disk space.
Emptying the content directory
Once the disk is full of updates, it seems like a good idea to delete them and then restart syncing. However, you will be disappointed if you hope that older or already superseded updates will not be downloaded again. All updates that have been previously approved will end up back on the disk. If you have deactivated the option to download only approved updates, you will even get all updates.
In this case, the Server Cleanup Wizard does not achieve much because it only deletes expired and replaced updates, the latter only after 30 days. As a solution, some instructions on the web recommend uninstalling WSUS, removing the SUSDB database and updates, and starting from scratch. Of course, in this case, all settings and historical data will be lost.
If you want to avoid this, then you have to decline all updates that are no longer needed before you empty the wsuscontent directory. The updates would then no longer be downloaded. With hundreds or even thousands of updates, rejecting them manually is too time-consuming.
Declining and deleting updates using a script
The solution offered by Microsoft employee Nick Eales, with his PowerShell Script, is way more elegant. It declines updates for old OS and IE versions, for Windows on Itanium or language files, and then deletes them from the disk.
The filter criteria can be found in a lengthy if statement and are documented by comments. You may not want to apply some conditions. for example, declining all x86 updates if you still have 32-bit versions of Windows installed. In this case, you can simply comment out the corresponding lines.
Conversely, you will usually not need the updates for ARM64, so you can include them in the conditions of the if statement. This also applies to all other updates that are not needed.
In some areas, the script requires a few adjustments. For example, the above described decline of x86 updates does not work because the regular expression is case-sensitive, but the LegacyName on Windows 10 contains a capital 'X.' Here, you should replace the match operator with imatch.
A similar problem occurs with language packs where the search expression is no longer effective. If you want to decline them, but, for example, intend to keep German and English language packs, you should replace
$\_.Title -imatch "language\\s" -or
($\_.Title -imatch "language" -and $\_.Title -notmatch "(DEU|ENG)") -or
Starting the script
Basically, you can execute the PowerShell script remotely by specifying the name of the server and the port number using the parameters WSUSServer and WSUSPort. All too often, however, WSUS servers that contain many updates abort the connection on long-running actions.
Subscribe to 4sysops newsletter!
Therefore, you have a better chance for successful execution if you start the script directly on the WSUS server. There, you can simply run it without parameters via the command: