Eight Way WSUS MaintenanceAfter initial setup, find way to perform WSUS maintenance. The following seven items are the ways I've tried to perform WSUS maintenance. I started with more than 38K updates in WSUS.
1-Optimize-WsusServer
get script:
https://github.com/awarre/Optimize-WsusServer/blob/master/Optimize-WsusServer.ps1
Install-Module SqlServer -allowclobber
Optimize-WsusServer.ps1 -FirstRun
Optimize-WsusServer.ps1 -DeepClean
2-Wsus-Maintenance
Install-Script -Name Wsus-Maintenance
Wsus-Maintenance (to see the readme)
Wsus-Maintenance -Run
3-DeploymentBunny
get script:
https://deploymentbunny.com/2016/02/03/working-in-the-datacenter-keeping-wsus-happy-using-powershell/
https://github.com/DeploymentBunny/Files/tree/master/Tools/Invoke-WSUSMaint
4-Bryan Dam
get script:
Invoke-DGASoftwareUpdateMaintenance
.\Invoke-DGASoftwareUpdateMaintenance.ps1 -DeclineSuperseded -UpdateListOutputFile c:\installs\Invoke-DGASoftwareUpdateMaintenance\ScriptsDeclinedUpdates.csv -DeclineByTitle @('*Itanium*','*ia64*','*Beta*') -DeclineByPlugins -RunCleanUpWizard -firstrun -StandAloneWSUS localhost -whatif
.\Invoke-DGASoftwareUpdateMaintenance.ps1 -firstrun -StandAloneWSUS localhost -UseCustomIndexes -whatif
Probably the best once you customize and activate the plugins.
5-Powershell oneliner
get script:
Get-WSUSUpdate -Classification All -Status Any -Approval AnyExceptDeclined `
| Where-Object { $_.Update.GetRelatedUpdates(([Microsoft.UpdateServices.Administration.UpdateRelationship]::UpdatesThatSupersedeThisUpdate)).Count -gt 0 } `
| Deny-WsusUpdate
Nothing returns since the Invoke-DGASoftwareUpdateMaintenance takes care of everything.
6-Microsoft script
get script:
https://learn.microsoft.com/en-us/troubleshoot/mem/configmgr/update-management/decline-superseded-updates
DeclineSupersededUpdates.ps1 -skipdecline -UpdateServer localhost -Port 8530
I mean, sure... why not. Nothing returns since the Invoke-DGASoftwareUpdateMaintenance takes care of everything.
7-Powershell step commands, individually (as a group they time out):
Invoke-WsusServerCleanup -CleanupUnneededContentFiles -CompressUpdates
Invoke-WsusServerCleanup -DeclineSupersededUpdates
Invoke-WsusServerCleanup -DeclineExpiredUpdates
Invoke-WsusServerCleanup -CleanupObsoleteComputers
Invoke-WsusServerCleanup -CleanupObsoleteUpdates -CompressUpdates
8-CleanUP-WSUS
get-script v3.2:
.\CleanUP-WSUS.ps1 -firstrun
#kept here
NOTES
This was my acutal procedure:
.\CleanUP-WSUS.ps1 -firstrun
.\CleanUP-WSUS.ps1 -scheduledrun
.\CleanUP-WSUS.ps1 -daily
.\CleanUP-WSUS.ps1 -monthly
.\CleanUP-WSUS.ps1 -quarterly
.\Invoke-DGASoftwareUpdateMaintenance.ps1 -configfile .\config_wsus_standalone.ini
.\Invoke-DGASoftwareUpdateMaintenance.ps1 -configfile .\config_wsus_standalone.ini #uncomment whatifpreference
.\Decline-SupersededUpdates.ps1 -SkipDecline -UpdateServer localhost -port 8530
.\Decline-SupersededUpdates.ps1 -UpdateServer localhost -port 8530 #remove -SkipDecline
.\Optimize-WsusServer.ps1 -firstrun
Get-WSUSUpdate -Status Any -Approval unapproved |?{$_.products -match "2003" -or $_.products -match "2007" -or $_.products -match "2010" -or $_.products -match "2013"} |Deny-WsusUpdate -verbose
Get-WSUSUpdate -Status Any -Approval unapproved |?{$_.products -match "Windows 10 and later Dynamic Update" -or $_.products -match "Windows 10 and later Dynamic Update, Windows Safe OS Dynamic Update" -or $_.products -match "Windows 10 and later GDR-DU" -or $_.products -match "Windows 10 GDR-DU FOD" -or $_.products -match "Windows 10 Feature On Demand" -or $_.products -match "Windows 10 LTSB, Windows 10" -or $_.products -match "Windows GDR-Dynamic Update"} |Deny-WsusUpdate -verbose
Get-WSUSUpdate -Classification critical -Status Any -Approval unapproved |Approve-WsusUpdate -Action Install -TargetGroupName "All Computers" –Verbose
Get-WSUSUpdate -Classification security -Status Any -Approval unapproved |Approve-WsusUpdate -Action Install -TargetGroupName "All Computers" –Verbose
get-module
get-module -listavailable
get-installedmodule
get-command -module pswindowsupdate
Get-WSUSUpdate -Classification Critical -Status Any -Approval unapproved |get-member
Get-WSUSUpdate -Classification Critical -Status Any -Approval unapproved |select product -unique