In many companies, whether small, medium or large, Windows Server Update Services (WSUS) is a must. WSUS is necessary if you plan to cache and control the distribution of Windows and Office updates in your local network. But WSUS has its issues out-of-the-box. Let’s take a look at WSUS Automated Maintenance by Adam Marshall!
Introduction
Microsoft itself has an article with official guidelines about what you could and should tune in WSUS, because the default settings won’t keep this service alive for a long time. The official guidelines can be found here and suggest, for example, the following:
Windows Server Update Services Best Practices
- Consider using a configuration of 2-4 (WSUS) servers sharing the same SQL server database
- Disable IIS AppPool recycling and configure memory limits
- Configuring WSUS products and categories
- Disable Itanium updates and other unnecessary updates
- Decline Superseded Updates and run maintenance
In the past I’ve written my own article about How I build and maintain WSUS Server, which covers some of these points. Trond E Haavarstein has an article How To Clean Up WSUS, which is the TOP post on his blog. All in all, the situation is not optimal and rather complicated.
Thankfully there is a fully automated solution available, which covers most of those best practices. Adam Marshall (MVP) has created a software solution which was once known as Adamj Clean-WSUS. Last year this software solution was professionalized by the addition of an installer and professional support. Now it is known by the product name: WSUS Automated Maintenance (WAM).
Requirements
The setup assumes that you have already installed WSUS. PowerShell 4.0+ is needed, which is the default from Windows Server 2012 R2 onwards. You will also need to install SQL Server Management Studio (SSMS) to leverage the full potential. You can find the full Requirements here.
Launch WAM.exe and go through the setup steps. You have two paths to choose from: Red or Blue, inherited from The Matrix (1999). Blue will configure WAM with sane defaults, Red lets you choose nearly every aspect in the GUI during the setup. I personally prefer the Red path, as I’m able to decline stuff like Language Packs, ARM64 and WinXP during the setup.
Installation – Blue
The Blue path will automatically configure pretty reasonable defaults for you, and will work in most cases out-of-the-box.
Halfway through, you can provide your E-Mail SMTP server settings, to receive a nice daily summary. On the last screen you can finish the setup and launch the First Run:
You will see some beautiful PowerShell magic, which will apply several WSUS best practices like custom SQL database indexes and declining of superseded updates:
This will take some time, depending on the size of your WSUS database and cache folder. Multiple hours for the First Run aren’t unusual. After the script has finished successfully, you will receive a report by E-Mail.
The script will also install itself as a daily task in the Windows Task Scheduler, to perform regular maintenance on your WSUS SQL database and cache folder.
The setup places different shortcuts in your start menu, to make usage and configuration as easy as possible.
Installation – Red
The Red path will ask you several questions during the setup, which will in the end preconfigure your Configuration.ps1 file.
During the setup you are able to configure the following. Whenever you are unsure, you can just stick with the proposed defaults, which correspond to the Blue defaults.
- Your SMTP server settings
- Set the Mail Report style, TXT or HTML
- Enable the SQL Database Maintenance
- Enable the WSUS Cleanup Wizard automation
- Remove WSUS Drivers and Declined Updates
- Customize the SQL & WSUS Server Connection settings
- And most important, the Decline Updates Settings:
On the last screen you can finish the setup and launch the First Run:
You will see some beautiful PowerShell magic, which will apply several WSUS best practices like custom SQL database indexes and declining of superseded updates:
This will take some time, depending on the size of your WSUS database and cache folder. Multiple hours for the First Run aren’t unusual. After the script has finished successfully, you will receive a report by E-Mail.
The script will also install itself as a daily task in the Windows Task Scheduler, to perform regular maintenance on your WSUS SQL database and cache folder.
The setup places different shortcuts in your start menu, to make usage and configuration as easy as possible. For example the shortcut WAM Configuration leads you to the Configuration.ps1, which you generated through the GUI during the setup. Here you could take a second look at the settings and adjust them to your needs. In my test I found the possibilities provided by the setup sufficient.
```powershell
################################
#  Mail Report Setup Variables #
################################
[string]$AJTekMailReportEmailFromAddress = 'WSUS@example.com'
[string]$AJTekMailReportEmailToAddress = 'WSUS@example.com'
[string]$AJTekMailReportSMTPServer = 'mx.example.com'

################################
#    Decline Multiple Types    #
#     of Updates Variables     #
################################
$AJTekDeclineMultipleTypesOfUpdatesList = @{
    'Superseded'           = $True  #remove superseded updates.
    'Expired'              = $True  #remove updates that have been pulled by Microsoft.
    'Preview'              = $True  #remove preview updates.
    'Itanium'              = $True  #remove updates for Itanium computers.
    'LanguagePacks'        = $True  #remove language packs.
    'IE7'                  = $True  #remove updates for old versions of IE (IE7).
    'IE8'                  = $True  #remove updates for old versions of IE (IE8).
    'IE9'                  = $True  #remove updates for old versions of IE (IE9).
    'IE10'                 = $True  #remove updates for old versions of IE (IE10).
    'Beta'                 = $True  #Beta products and beta updates.
    'Embedded'             = $True  #Embedded version of Windows.
    'ARM64'                = $True  #ARM64-based version of Windows.
    'NonEnglishUpdates'    = $False #some non-English updates are not filtered by WSUS language filtering.
    'ComputerUpdates32bit' = $False #remove updates for 32-bit computers.
    'SharepointUpdates'    = $False #remove updates for SharePoint.
    'WinXP'                = $True  #remove Windows XP updates.
}
```
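Before switching decline categories like the ones above to $True, it helps to see how many updates on your server each category would touch and how many of those are currently approved. The following read-only preview is an added example, not part of WAM or of the original article; it uses the WSUS administration API through the UpdateServices module, and the title patterns are assumptions made for this example, not WAM's own matching rules.

```powershell
# Added example: read-only preview, nothing is declined or changed.
# Run on the WSUS server in an elevated PowerShell session.
Import-Module UpdateServices

# Assumption: the local WSUS server with its default connection settings
$wsus = Get-WsusServer

# Every update that has not been declined yet (can take a while on large databases)
$updates = @($wsus.GetUpdates() | Where-Object { -not $_.IsDeclined })

# Hypothetical matching rules, keyed like the decline list in Configuration.ps1.
# The title patterns are assumptions for illustration only.
$rules = [ordered]@{
    'Superseded' = { $_.IsSuperseded }
    'Itanium'    = { $_.Title -match 'Itanium|ia64' }
    'ARM64'      = { $_.Title -match 'ARM64' }
    'Preview'    = { $_.Title -match 'Preview' }
    'Beta'       = { $_.IsBeta -or $_.Title -match 'Beta' }
}

$report = foreach ($name in $rules.Keys) {
    $hits = @($updates | Where-Object -FilterScript $rules[$name])
    [pscustomobject]@{
        Rule     = $name
        Matches  = $hits.Count
        # Matched updates that are still approved for at least one computer group
        Approved = @($hits | Where-Object { $_.IsApproved }).Count
    }
}

$report | Format-Table -AutoSize
```

A high Approved count for a rule means that enabling it would pull updates you are currently deploying, so review those titles first.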
Conclusion
WSUS Automated Maintenance is a very smart way to easily apply several best practices recommended by Microsoft. Additionally, maintenance is applied regularly without further work for IT administration. WSUS will be faster and more stable, guaranteeing reliable Windows updates for all your clients and servers, resulting in more security.
Disclaimer
Adam provided me with a Test version of WSUS Automated Maintenance. I promised him a critical review in my own words. He hasn’t influenced what is written here.
Could you shareeeeeeeeeeeeeeee, please
I’m sorry, I’m not allowed to share the setup file. Please buy a legal copy.