Even if you don't subscribe to many products and don't activate problematic classifications such as drivers or language packs, WSUS can quickly consume hundreds of GB of disk space. One trigger for this is automatic approvals, where activating the default rule is often enough to run out of disk space.
Emptying the content directory
Once the disk is full of updates, it seems like a good idea to delete them and then restart syncing. However, you will be disappointed if you hope that older or already superseded updates will not be downloaded again. All updates that have been previously approved will end up back on the disk. If you have deactivated the option to download only approved updates, you will even get all updates.
In this case, the Server Cleanup Wizard does not achieve much because it only deletes expired and replaced updates, the latter only after 30 days. As a solution, some instructions on the web recommend uninstalling WSUS, removing the SUSDB database and updates, and starting from scratch. Of course, in this case, all settings and historical data will be lost.
If you want to avoid this, then you have to decline all updates that are no longer needed before you empty the wsuscontent directory. The updates would then no longer be downloaded. With hundreds or even thousands of updates, rejecting them manually is too time-consuming.
Declining and deleting updates using a script
The solution offered by Microsoft employee Nick Eales, with his PowerShell Script, is way more elegant. It declines updates for old OS and IE versions, for Windows on Itanium or language files, and then deletes them from the disk.
The filter criteria can be found in a lengthy if statement and are documented by comments. You may not want to apply some conditions, for example, declining all x86 updates if you still have 32-bit versions of Windows installed. In this case, you can simply comment out the corresponding lines.
Conversely, you will usually not need the updates for ARM64, so you can include them in the conditions of the if statement. This also applies to all other updates that are not needed.
Adjusting criteria
In some areas, the script requires a few adjustments. For example, declining x86 updates as described above does not work because the regular expression is case-sensitive, but the LegacyName on Windows 10 contains a capital 'X'. Here, you should replace the match operator with -imatch.
A similar problem occurs with language packs where the search expression is no longer effective. If you want to decline them, but, for example, intend to keep German and English language packs, you should replace
$_.Title -imatch "language\s" -or
with
($_.Title -imatch "language" -and $_.Title -notmatch "(DEU|ENG)") -or
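Because a declined update is no longer offered to clients, it is worth previewing what the adjusted conditions match before running the real script. The following is an added example, not part of Nick Eales' script: it applies the two conditions discussed above to constructed sample objects and reports the result without declining anything. The function name Test-DeclineFilter, the pattern 'x86' and all sample titles and legacy names are assumptions made for illustration.

```powershell
# Constructed sample objects standing in for WSUS updates (all values invented).
$sample = @(
    [pscustomobject]@{ Title = 'Cumulative Update for Windows 10 for x86-based Systems'; LegacyName = 'KB0000001-Win10-RS5-X86-TSL' }
    [pscustomobject]@{ Title = 'Cumulative Update for Windows 10 for x64-based Systems'; LegacyName = 'KB0000001-Win10-RS5-X64-TSL' }
    [pscustomobject]@{ Title = 'French Language Pack - Windows 10';       LegacyName = 'KB0000002-LP-FRA' }
    [pscustomobject]@{ Title = 'Language Pack (DEU) - Windows 10';        LegacyName = 'KB0000002-LP-DEU' }
    [pscustomobject]@{ Title = 'Bengali Language Pack - Windows 10';      LegacyName = 'KB0000002-LP-BEN' }
)

function Test-DeclineFilter {
    # Hypothetical helper: evaluates the conditions only, never calls Decline().
    param([Parameter(ValueFromPipeline = $true)] $Update)
    process {
        $reasons = @()

        # Case-insensitive match, so 'X86' in the LegacyName is caught.
        if ($Update.LegacyName -imatch 'x86') { $reasons += 'x86' }

        # Language packs, except titles containing DEU or ENG.
        # -notmatch is case-insensitive, so 'ENG' also matches inside
        # words such as 'Bengali' and those titles are kept as well.
        if ($Update.Title -imatch 'language' -and $Update.Title -notmatch '(DEU|ENG)') {
            $reasons += 'language pack'
        }

        [pscustomobject]@{
            Title       = $Update.Title
            # What a case-sensitive comparison (-cmatch) would have found.
            CMatchX86   = $Update.LegacyName -cmatch 'x86'
            IMatchX86   = $Update.LegacyName -imatch 'x86'
            WouldDecline = $reasons.Count -gt 0
            Reason      = $reasons -join ', '
        }
    }
}

# Dry run over the sample data. On a WSUS server, the same function can be
# fed real update objects, e.g. (Get-WsusServer).GetUpdates(), instead of $sample.
$sample | Test-DeclineFilter | Format-Table -AutoSize
```

Rows where CMatchX86 and IMatchX86 differ show the case-sensitivity problem, and the Bengali row shows that the DEU|ENG exclusion keeps more titles than the two intended languages.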
Starting the script
Basically, you can execute the PowerShell script remotely by specifying the name of the server and the port number using the parameters WSUSServer and WSUSPort. All too often, however, WSUS servers that contain many updates abort the connection on long-running actions.
During longer running remote operations the WSUS server is likely to terminate the connection. Therefore you should execute the script locally.
Therefore, you have a better chance for successful execution if you start the script directly on the WSUS server. There, you can simply run it without parameters via the command:
.\Decline-Updates.ps1
Hi Wolfgang,
as always, interesting post. One thing tho – how about shrinking the WSUS database? I once made a big mistake and checked WSUS to download also driver updates. As a result, I got 170k!! of updates and the DB grew up to 9GB just within that day (even without downloading them). As a quick solution, I have simply uninstalled WSUS and did the thing again…
Cheers Leos
Hi Leos,
good point. The database is another weakness of WSUS. At the size you mention the system probably slows down to a crawl. My problem has been a disk running out of space. This is why I came up with this solution. But it's worth it to look into the DB issue too.
Regards, Wolfgang
Yep, you're correct. The issue was that the WSUS server had only 8GB of RAM in total, and multiple actions in the WSUS console caused an appcrash, because the DB could not fit in.
I was looking for that specific error message on google and found a one-click script from a guy, but it turned out to be a paid thing. I also found a few articles, but they were all related to SQL DB, not the Windows built-in DB solution (sorry, can't recall the exact name now, and not at the machine to check).
Have a good weekend!
It's really annoying if the WSUS console is disconnecting from the server all the time. I know that too well. And most of the time the reason is a bloated database.
Can someone please help me with this issue?
When I run the script, I get a timeout error as such:
—————————————-
PS C:\temp> .\Decline-Updates -WSUSServer vserver-wsus2
Connecting to WSUS Server vserver-wsus2 and getting list of updates
Exception calling "GetUpdates" with "0" argument(s): "The operation has timed out"
At C:\temp\Decline-Updates.ps1:51 char:9
+ $Updates = $wsus.GetUpdates()
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : NotSpecified: (:) [], MethodInvocationException
+ FullyQualifiedErrorId : WebException
———————————
Is there a way to increase the timeout for a PS script? I have searched a bit but nothing so far.
Thanks for your attention!
Carlos, try to run the script on the WSUS server without any parameter
I also did so with the exact same result. BTW, I’m running Windows Server 2016.
Just an update:
It worked now. Here’s the output:
——————————————————————
PS C:\temp> .\Decline-Updates.ps1
Connecting to WSUS Server Localhost and getting list of updates
10970 Updates before cleanup
5776 Updates to decline
44 Updates to decline (superseded by Windows Server 2008 R2 Service Pack 1 para sistemas basados en x64 (KB976932))
5151 Updates remaining, running WSUS cleanup
Obsolete Updates Deleted:0
Expired Updates Declined: 0
Obsolete Updates Deleted:0
Updates Compressed:0
Obsolete Computers Deleted:0
Diskspace Freed:45453290844
————————————————————
The only thing I did was to cleanup the WSUS internal Database as instructed here:
https://www.urtech.ca/2016/10/solved-how-to-clean-up-and-repair-wsus/
Thanks for your attention and the great script!
Cheers!
Hi Wolfgang,
where can I get the script?
Your link is "dead"
Best regards from Frankfurt
ThoGri
Looks like Microsoft has done a great job messing up another of its websites. I do have an updated link on the German version of this article, you might get the script from there.
Thanks for the hint! You can now also download the script from 4sysops.