Depending on the products and classifications you have subscribed to, WSUS can become a storage hog. Manually declining updates to free up space is too time-consuming, and the Server Cleanup Wizard is ineffective. Luckily, a script from the TechNet Gallery can thoroughly erase unneeded updates.
Avatar

Even if you don't subscribe to many products and don't activate problematic classifications such as drivers or language packs, WSUS can quickly consume hundreds of GB of disk space. One trigger for this is automatic approvals, where activating the default rule is often enough to run out of disk space.

Emptying the content directory

Once the disk is full of updates, it seems like a good idea to delete them and then restart syncing. However, you will be disappointed if you hope that older or already superseded updates will not be downloaded again. All updates that have been previously approved will end up back on the disk. If you have deactivated the option to download only approved updates, you will even get all updates.

By default, WSUS only downloads the files for approved updates

By default, WSUS only downloads the files for approved updates

In this case, the Server Cleanup Wizard does not achieve much because it only deletes expired and replaced updates, the latter only after 30 days. As a solution, some instructions on the web recommend uninstalling WSUS, removing the SUSDB database and updates, and starting from scratch. Of course, in this case, all settings and historical data will be lost.

If you want to avoid this, then you have to decline all updates that are no longer needed before you empty the wsuscontent directory. The updates would then no longer be downloaded. With hundreds or even thousands of updates, rejecting them manually is too time-consuming.

Declining and deleting updates using a script

The solution offered by Microsoft employee Nick Eales, with his PowerShell Script, is way more elegant. It declines updates for old OS and IE versions, for Windows on Itanium or language files, and then deletes them from the disk.

The filter criteria can be found in a lengthy if statement and are documented by comments. You may not want to apply some conditions. for example, declining all x86 updates if you still have 32-bit versions of Windows installed. In this case, you can simply comment out the corresponding lines.

Conversely, you will usually not need the updates for ARM64, so you can include them in the conditions of the if statement. This also applies to all other updates that are not needed.

Adjusting criteria

In some areas, the script requires a few adjustments. For example, the above described decline of x86 updates does not work because the regular expression is case-sensitive, but the LegacyName on Windows 10 contains a capital 'X.' Here, you should replace the match operator with imatch.

It is recommended to check the conditions of the _if_ statement and to adapt them if necessary

It is recommended to check the conditions of the _if_ statement and to adapt them if necessary

A similar problem occurs with language packs where the search expression is no longer effective. If you want to decline them, but, for example, intend to keep German and English language packs, you should replace

$\_.Title -imatch "language\\s" -or

with

($\_.Title -imatch "language" -and $\_.Title -notmatch "(DEU|ENG)") -or

Starting the script

Basically, you can execute the PowerShell script remotely by specifying the name of the server and the port number using the parameters WSUSServer and WSUSPort. All too often, however, WSUS servers that contain many updates abort the connection on long-running actions.

Subscribe to 4sysops newsletter!

During longer running remote operations the WSUS server is likely to terminate the connection. Therefore you should execute the script locally.

During longer running remote operations the WSUS server is likely to terminate the connection. Therefore you should execute the script locally.

Therefore, you have a better chance for successful execution if you start the script directly on the WSUS server. There, you can simply run it without parameters via the command:

.\\Decline-Updates.ps1
avataravatar
11 Comments
  1. Avatar
    Leos Marek (Rank 4) 3 years ago

    Hi Wolfgang,

    as always, interresting post. One thing tho – how about shrinking the WSUS database? I once made a big mistake and checked WSUS to download also driver updates. As a result, I got 170k!! of updates and the DB grew up to 9GB just within that day (even without downloading them). As a quick solution, I have simply uninstalled WSUS and did the thing again…

    Cheers Leos

  2. Avatar
    Wolfgang Sommergut 3 years ago

    Hi Leos,

    good point. The database is another weakness of WSUS. At the size you mention the system probably slows down to a crawl. My problem has been a disk running out of space. This is why I came up with this solution. But it's worth it to look into the DB issue too.

    Regards, Wolfgang

    avatar
    • Avatar
      Leos Marek (Rank 4) 3 years ago

      Yep, your correct. The issue was that the WSUS server had only 8GB of RAM in total, and multiple actions in the WSUS console caused a appcrash, due to the DB could not fit in.

      I was looking for that specific error message on google and found a one-click script from a guy, but it turned out to be paid thing. I also found few articles, but they were all related to SQL DB, not the Windows built-in DB solution (sorry cant recall exact name now, and not at the machine to check).

      Have a good weekend!

  3. Avatar
    Wolfgang Sommergut 3 years ago

    It's really annyoing if the WSUS console is diconneting from the server all the time. I know that to well. And most of the time the reason is a bloated database.

  4. Avatar
    Carlos 3 years ago

    Can someone please help me with this issue?

    When I run the script, I get a timeout error as such:

    —————————————-

    PS C:\temp> .\Decline-Updates -WSUSServer vserver-wsus2
    Connecting to WSUS Server vserver-wsus2 and getting list of updates
    Exception calling "GetUpdates" with "0" argument(s): "The operation has timed out"
    At C:\temp\Decline-Updates.ps1:51 char:9
    +         $Updates = $wsus.GetUpdates()
    +         ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
        + CategoryInfo          : NotSpecified: (:) [], MethodInvocationException
        + FullyQualifiedErrorId : WebException
     ———————————

    Is there a way to increase the timeout for a PS script? I have searched a bit but nothing so far.

    Thanks for your attention!

     

    • Avatar
      Wolfgang Sommergut 3 years ago

      Carlos, try to run the script on the WSUS server without any parameter

      • Avatar
        Carlos 3 years ago

        I also did so with the exact same result. BTW, I’m running Windows Server 2016.

        • Avatar
          Carlos 3 years ago

          Just an update:
          It worked now. Here’s the output:

          ——————————————————————
          PS C:\temp> .\Decline-Updates.ps1
          Connecting to WSUS Server Localhost and getting list of updates
          10970 Updates before cleanup
          5776 Updates to decline
          44 Updates to decline (superseded by Windows Server 2008 R2 Service Pack 1 para sistemas basados en x64 (KB976932))
          5151 Updates remaining, running WSUS cleanup
          Obsolete Updates Deleted:0
          Expired Updates Declined: 0
          Obsolete Updates Deleted:0
          Updates Compressed:0
          Obsolete Computers Deleted:0
          Diskspace Freed:45453290844
          ————————————————————

          The only thing I did was to cleanup the WSUS internal Database as instructed here:
          https://www.urtech.ca/2016/10/solved-how-to-clean-up-and-repair-wsus/

          Thanks for your attention and the great script!
          Cheers!

  5. Avatar
    ThoGri 3 years ago

    Hi Wolfgang,

    where can I get the script?

    Your links is "dead"

    Best regard from Frankfurt

    ThoGri

Leave a reply

Your email address will not be published. Required fields are marked *

*

© 4sysops 2006 - 2023

CONTACT US

Please ask IT administration questions in the forums. Any other messages are welcome.

Sending

Log in with your credentials

or    

Forgot your details?

Create Account