WSUS suffered from multiple deficiencies even before Microsoft's orientation toward cloud services, such as Windows Update for Business (WUfB). Admins have been plagued by many of these shortcomings for years.
Regular maintenance is necessary for trouble-free operation
These issues are not limited to the inflexible and cumbersome management of distribution rings, the lack of a search function, or the rudimentary reporting capabilities. The biggest issue that admins face is probably the lack of mechanisms to automate the inevitable maintenance work. If neglected, a WSUS server will cause problems sooner or later, such as the enormous consumption of storage space and extremely limited performance with constant console disconnections.
Onboard tools and workarounds for maintenance
One of WSUS's onboard tools is the wizard for server cleanup, which is supposed to remove unnecessary updates or inactive clients. However, this wizard must be run manually on a regular basis and is quickly overwhelmed if too many updates have accumulated since the last run. This will cause it to abort its tasks.
For other tasks, such as reindexing the database, an SQL script can be downloaded from GitHub and run regularly via a scheduled task. A backup of the database must then be handled separately.
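The scheduled reindex described above, written out as an added example (this is not code from the article or from AJ Tek). It registers a weekly task that runs the downloaded reindex script against SUSDB with sqlcmd and then takes a full backup in a second step, so the backup the article says must be handled separately is covered by the same task. Assumptions: WSUS uses the Windows Internal Database (WID) of Server 2012 or later, the SQL Server command-line utilities are installed, the script was saved as WsusDBMaintenance.sql under C:\WSUS\Maintenance, and the backup folder D:\Backups\SUSDB has been granted modify rights for the WID service account; all of these paths and names are placeholders for your own.

```powershell
# Added example, not the article's or AJ Tek's code: weekly SUSDB reindex plus full backup as one scheduled task.
# Assumptions (labelled): WSUS on the Windows Internal Database (WID), Server 2012 or later; sqlcmd installed;
# the reindex script already downloaded to $ScriptDir; $BackupDir writable by the WID service account.
$ScriptDir = 'C:\WSUS\Maintenance'                        # assumption: script and log location
$SqlScript = Join-Path $ScriptDir 'WsusDBMaintenance.sql' # assumption: file name of the downloaded reindex script
$BackupDir = 'D:\Backups\SUSDB'                           # assumption: grant NT SERVICE\MSSQL$MICROSOFT##WID modify rights here
$WidPipe   = 'np:\\.\pipe\MICROSOFT##WID\tsql\query'      # named pipe of the WID instance that hosts SUSDB

# Fail early instead of registering a task that can never run.
$SqlCmd = (Get-Command sqlcmd.exe -ErrorAction Stop).Source
if (-not (Test-Path $SqlScript)) { throw "Reindex script not found: $SqlScript" }
New-Item -ItemType Directory -Path $ScriptDir, $BackupDir -Force | Out-Null

# -b makes sqlcmd exit non-zero on a SQL error, so a failed step is visible in the task history.
# WITH INIT overwrites the previous backup file; CHECKSUM lets RESTORE VERIFYONLY detect a damaged file.
$ReindexArgs = "-S $WidPipe -b -i `"$SqlScript`" -o `"$ScriptDir\reindex.log`""
$BackupSql   = "BACKUP DATABASE SUSDB TO DISK = N'$BackupDir\SUSDB.bak' WITH INIT, CHECKSUM"
$BackupArgs  = "-S $WidPipe -b -Q `"$BackupSql`" -o `"$ScriptDir\backup.log`""

# Two actions in one task run in order: reindex first, then back up the freshly maintained database.
$Actions = @(
    New-ScheduledTaskAction -Execute $SqlCmd -Argument $ReindexArgs
    New-ScheduledTaskAction -Execute $SqlCmd -Argument $BackupArgs
)
$Trigger   = New-ScheduledTaskTrigger -Weekly -DaysOfWeek Sunday -At '03:00'
$Principal = New-ScheduledTaskPrincipal -UserId 'NT AUTHORITY\SYSTEM' -LogonType ServiceAccount -RunLevel Highest
$Settings  = New-ScheduledTaskSettingsSet -ExecutionTimeLimit (New-TimeSpan -Hours 4) -StartWhenAvailable

$TaskName = 'WSUS - SUSDB reindex and backup'
Register-ScheduledTask -TaskName $TaskName -Action $Actions -Trigger $Trigger `
    -Principal $Principal -Settings $Settings -Force | Out-Null
"Registered '$TaskName'. Test it once with: Start-ScheduledTask -TaskName '$TaskName'"
```

Running as SYSTEM works because the local SYSTEM account is a sysadmin of the WID instance; the backup file itself is written by the WID service, which is why that service account, not SYSTEM, needs write access to the backup folder. Check the two log files after the first run before trusting the task.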
WAM with predefined maintenance routines
AJ Tek can relieve admins of these and many other duties related to WSUS maintenance using its WSUS Automated Maintenance (WAM). A scheduled task keeps the WSUS server cleaned up and in a functional state, with barely any intervention needed by the admin.
After its execution, whether scheduled or run manually from the command line, the tool generates a report in HTML or text format on the results achieved, if desired. This can then be saved or sent by email.
WAM contains a total of 14 routines for maintenance tasks (the developer calls them streams), which are executed at different intervals. An in-depth description of these routines can be found in the good documentation. In addition, there are other utilities that the admin can use as needed (for example, to configure the application pool memory or IIS settings).
Some streams should be run daily, whereas others may only be run weekly, monthly, or even quarterly. WAM’s default settings are plausible here and should fit most environments. If necessary, the frequency of each stream can be set individually.
WSUS optimization upon first start
At the end of the installation process, the software will offer to run the FirstRun routine. It contains actions that generally only need to be run once. These include setting up the scheduled task for WAM, as well as optimizing the database by adding SQL indexes to SUSDB. According to AJ Tek, this leads to a significant improvement in WSUS performance.
Microsoft only applies this measure to WSUS if the corresponding option is activated in SCCM or Endpoint Manager. For unknown reasons, it does not offer it for standalone WSUS. If you use WAM, you should not configure this setting in SCCM.
In addition, FirstRun will perform tasks that will subsequently run only once a month or quarterly. These include, for example, backing up the database, pruning IIS logs, or deleting drivers.
One of the streams, called ServerCleanupWizard, runs the PowerShell equivalent of the WSUS clean-up wizard mentioned above; it runs by default with FirstRun and then every day after that. This variant of the wizard avoids the frequent timeout that causes the routine to abort when started from the WSUS console. In contrast to plain WSUS, you can also specify the number of days after which inactive clients are to be removed, a function customized by AJ Tek.
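What the ServerCleanupWizard stream does, shown as an added example that is not code from the article or from AJ Tek: the wizard's steps run from PowerShell with the UpdateServices module that ships with the WSUS role (so there is no console session to time out), followed by removal of clients that have not reported for a number of days you choose, which is the customization the article attributes to WAM. Assumptions: the script runs on the WSUS server as a member of the local WSUS Administrators group, and the 45-day default is a placeholder for your own threshold; the console's own step is fixed at 30 days.

```powershell
# Added example, not the article's or AJ Tek's code: WSUS console cleanup run from PowerShell, plus
# removal of inactive clients with a configurable threshold. Run with -WhatIf first.
param(
    [int]$InactiveDays = 45,   # assumption: your own threshold; the console wizard is fixed at 30 days
    [switch]$WhatIf
)
Import-Module UpdateServices -ErrorAction Stop
$wsus = Get-WsusServer

# Each switch of Invoke-WsusServerCleanup is one wizard step. Calling them one at a time means a long step
# (obsolete updates is usually the slow one) cannot take the others down with it, and the failing step is named.
$steps = 'DeclineExpiredUpdates', 'DeclineSupersededUpdates', 'CleanupObsoleteUpdates',
         'CleanupUnneededContentFiles', 'CompressUpdates'
foreach ($step in $steps) {
    if ($WhatIf) { "Would run cleanup step $step"; continue }
    $params = @{ UpdateServer = $wsus; $step = $true }
    try {
        "== $step"
        Invoke-WsusServerCleanup @params
    } catch {
        Write-Warning "$step failed: $($_.Exception.Message)"
    }
}

# Inactive clients with your own cutoff. Both timestamps must be older than the cutoff, so a machine that
# synced recently but has not sent a status report yet is kept.
$cutoff = (Get-Date).ToUniversalTime().AddDays(-$InactiveDays)
$stale  = @($wsus.GetComputerTargets() |
    Where-Object { $_.LastReportedStatusTime -lt $cutoff -and $_.LastSyncTime -lt $cutoff })
foreach ($client in $stale) {
    $info = "$($client.FullDomainName) (last report $($client.LastReportedStatusTime.ToString('u')))"
    if ($WhatIf) { "Would remove $info" } else { $client.Delete(); "Removed $info" }
}
"$($stale.Count) client(s) inactive for more than $InactiveDays days."
```

Save it as a .ps1 and run it first with `-WhatIf` to see which clients would go; a client that reappears later simply registers again with WSUS, so the risk of removing one too early is a gap in reporting, not lost updates.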
Removal of unnecessary updates
Perhaps the most important recurring task of such a tool is getting rid of the vast number of updates that are either not needed, outdated, or have been replaced. The onboard tools are of little use here, especially when you attempt to remove updates for products that you received in the past and then stopped subscribing to.
Typical disk space hogs are updates that belong to selected products but are intended for platforms that hardly anyone uses. This applies, for example, to Itanium, ARM64, or increasingly, also to 32-bit versions of Windows.
In the case of Windows 10, there might also be updates for releases for which support ended or that are no longer used in the company. WSUS itself does not provide the option of removing updates for a specific version of Windows 10. To do so, you would have to use scripts from the internet to regain WSUS disk space.
While you have to compile the strings for filtering certain releases yourself when using such scripts, WAM's GUI allows you to comfortably select which updates are not desired for a subscribed product.
This applies not only to Windows, but also to Edge, where the Dev and Beta channels are added automatically. Office updates can also be removed, depending on the architecture.
Deletion of superseded updates
Removing superseded updates (i.e., those that are completely replaced by newer ones) is a great way of reclaiming storage space. The regular WSUS wizard only clears these after you have approved the most recent update and have not approved the replaced ones.
In addition, 30 days must have passed since the earlier updates were last requested by a client. In contrast, WAM removes these updates as soon as the admin approves the latest version for installation.
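The two clean-up rules from this and the previous section (dropping updates for unwanted platforms and Windows 10 releases, and dropping superseded updates as soon as an approved successor exists) as one added example; this is not code from the article or from AJ Tek. In WSUS terms "removing" means declining the update, after which the cleanup step releases its content files. Assumptions: the title patterns are constructed for this example and must be adjusted to your catalog (the list of Windows 10 releases assumes none of them is still in use), and the script runs on the WSUS server as a WSUS administrator.

```powershell
# Added example, not the article's or AJ Tek's code: decline updates for unwanted platforms or releases, and
# decline superseded updates that already have an approved successor. Run with -WhatIf first.
param([switch]$WhatIf)
Import-Module UpdateServices -ErrorAction Stop
$wsus = Get-WsusServer

# Regular expressions matched against update titles; constructed for this example, adjust to your catalog.
$UnwantedPatterns = @(
    'Itanium',                                                # IA-64 builds
    'ARM64',                                                  # ARM64 builds
    'x86-based Systems',                                      # 32-bit Windows
    'Windows 10 Version (1507|1511|1607|1703|1709|1803)\b'    # assumption: releases no longer in use here
)
$regex = $UnwantedPatterns -join '|'
$supersedeRel = [Microsoft.UpdateServices.Administration.UpdateRelationship]::UpdatesThatSupersedeThisUpdate

# One pass over everything that is not declined yet; the IUpdate object carries the supersedence data.
$declined = 0
foreach ($u in Get-WsusUpdate -Classification All -Approval AnyExceptDeclined -Status Any) {
    $upd    = $u.Update
    $reason = $null
    if ($upd.Title -match $regex) {
        $reason = 'unwanted platform or release'
    } elseif ($upd.IsSuperseded) {
        # Decline only when at least one update that supersedes this one is already approved, so clients
        # that still need the fix are never left without an approved version of it.
        $successors = $upd.GetRelatedUpdates($supersedeRel)
        if ($successors | Where-Object { $_.IsApproved }) { $reason = 'superseded by an approved update' }
    }
    if (-not $reason) { continue }
    if ($WhatIf) { "Would decline [$reason]: $($upd.Title)" }
    else { $upd.Decline(); $declined++; "Declined [$reason]: $($upd.Title)" }
}
"Declined $declined update(s). Run the server cleanup afterwards to release the content files."
```

The approved-successor check is what distinguishes this from the plain DeclineSupersededUpdates step of the cleanup wizard: a superseded update whose replacement you have not approved yet stays available, which matches the behaviour the article describes for WAM without the wizard's 30-day wait.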
Before you can set up WAM on a WSUS server, several prerequisites must be met. These include a Windows server from 2008 R2 onwards, PowerShell 4 or better, the ODBC driver, and the command line utilities for SQL Server. The developer's website breaks down the requirements by OS version and links to the download sources at Microsoft. The SQL Server PowerShell module is installed by the WAM setup itself.
The account under which you run the setup should have administrative rights on the WSUS server; the scheduled task will also run in its context afterwards. AJ Tek recommends the use of a service account.
The setup can also be run unattended, but the interactive method via the GUI is usually preferred. It also works on Server Core. The wizard lets you choose between standard and advanced installation. The former should be suitable for most environments.
In the dialog for configuring mail delivery, the parameters for outlook.com and Gmail are already preset. If you have activated multifactor authentication for these services, an app password will be required instead of the regular one. After you have created it for the respective account, wait some time until it is accepted by the mail service. Otherwise, you will get the following error:
5.7.57 Client not authenticated to send mail
If you want to configure the options after the installation, there’s a shortcut to the WAM Configuration in the Start Menu.
WAM adds all the necessary routines for automating WSUS maintenance, which should have been integrated into the product by Microsoft long ago. However, since WSUS did not receive any new functions in the last updates, all known deficiencies will probably remain in Server 2022.
If the system requirements are met, installing WAM is very easy. Any subsequent customizations can be done comfortably through the Start Menu. Reports by email provide daily information on the maintenance tasks that are carried out.
Considering the time that admins can waste on WSUS maintenance, the $60 per year and server for WAM is money well spent. The annual fee for downstream servers is $30.