WSUS Setup SpeedRun

I give credit when credit is due. This has been covered very well in the following video:

https://www.youtube.com/watch?v=6RFkP2wppOI

=================================================================================
1-Optimize-WsusServer will automatically set some configuration in IIS. This is why it is run first.

.\Optimize-WsusServer.ps1 -firstrun
-Get-Command -Module UpdateServices
-Get-WSUSServer
-Get-WSUSComputer

-select Products
All Developer Tools, Runtimes and Redistributables
Office
Dictionary Updates
Microsoft 365 Apps/Office2019
New Dictionary Updates
Office 2016
Powershell x64
Microsoft SQL Version YYYY (version depends on your environment)
Microsoft SQL Version Management Studio
Windows Defender Antivirus
Microsoft Server Operating System 21H2
Microsoft Server Operating System 22H2
OOBE ZDP
Server 2022 Hotpatch
Windows 10, version 1903 and later
Windows 10
Windows 11
Windows Dictionary Updates
Windows Server 2012 R2
Windows Server 2012
Windows Server 2016
Windows Server 2019
Windows Server Manager
Windows Server version 1903 and later

Synchronize - manually sync and set sync schedule for automatic sync.

2-DeploymentBunny will automatically change the WSUS WID database. This is why it is run after the sync. https://github.com/DeploymentBunny/Files/tree/master/Tools/Invoke-WSUSMaint
-download all 3 files.
-run: .\Invoke-WSUSMaint

3-Invoke-DGASoftwareUpdateMaintenance will automatically perform maintenance on the updates and remove the most common items found in the plugins.
.\Invoke-DGASoftwareUpdateMaintenance.ps1 -configfile .\config_wsus_standalone.ini
.\Invoke-DGASoftwareUpdateMaintenance.ps1 -configfile .\config_wsus_standalone.ini #uncomment whatifpreference
Plugins:
Decline-Edge
Decline-Office365Editions
Decline-Windows10Languages
Decline-Windows10Versions
Decline-Windows11Languages
Decline-WindowsARM64
Decline-WindowsItanium

4-CleanUP-WSUS has its own set of items:
.\CleanUP-WSUS.ps1 -firstrun
.\CleanUP-WSUS.ps1 -scheduledrun
.\CleanUP-WSUS.ps1 -daily
.\CleanUP-WSUS.ps1 -monthly
.\CleanUP-WSUS.ps1 -quarterly

5-Decline-SupersededUpdates is a script published by Microsoft. It probably won't do anything at this point, but let's run it for good measure.
.\Decline-SupersededUpdates.ps1 -SkipDecline -UpdateServer localhost -port 8530
.\Decline-SupersededUpdates.ps1 -UpdateServer localhost -port 8530 #remove -SkipDecline

6-Install-Script -Name Wsus-Maintenance
Wsus-Maintenance (to see the readme)
Wsus-Maintenance -Run

Get-WSUSUpdate -Status Any -Approval unapproved |?{$_.products -match "2003" -or $_.products -match "2007" -or $_.products -match "2010" -or $_.products -match "2013"} |Deny-WsusUpdate -verbose #accidentally downloaded Office 2003, 2007, 2010, 2013
Get-WSUSUpdate -Status Any -Approval unapproved |?{$_.products -match "Windows 10 and later Dynamic Update" -or $_.products -match "Windows 10 and later Dynamic Update, Windows Safe OS Dynamic Update" -or $_.products -match "Windows 10 and later GDR-DU" -or $_.products -match "Windows 10 GDR-DU FOD" -or $_.products -match "Windows 10 Feature On Demand" -or $_.products -match "Windows 10 LTSB, Windows 10" -or $_.products -match "Windows GDR-Dynamic Update"} |Deny-WsusUpdate -verbose
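
The two decline filters above, as an added example (not from the original post) that previews the matches grouped by product before anything is declined. A bare year such as 2013 is a substring match and also hits non-Office product names, so the per-product count is worth reading first. The function names are hypothetical; the patterns are the ones used above.

```powershell
# Added example: preview, then decline, unapproved updates by product name.
# Get-DeclineCandidate and Invoke-DeclineByProduct are hypothetical names.
Import-Module UpdateServices

$declinePatterns = @(
    '2003', '2007', '2010', '2013',          # old Office releases
    'Windows 10 and later Dynamic Update',
    'Windows 10 and later GDR-DU',
    'Windows 10 GDR-DU FOD',
    'Windows 10 Feature On Demand',
    'Windows 10 LTSB, Windows 10',
    'Windows GDR-Dynamic Update'
)

function Get-DeclineCandidate {
    param([Parameter(Mandatory)][string[]]$Pattern)
    # One escaped alternation instead of a chain of -or / -match tests.
    $regex = ($Pattern | ForEach-Object { [regex]::Escape($_) }) -join '|'
    Get-WsusUpdate -Status Any -Approval Unapproved |
        Where-Object { $_.Products -match $regex }
}

function Invoke-DeclineByProduct {
    [CmdletBinding(SupportsShouldProcess)]
    param([Parameter(Mandatory)][string[]]$Pattern)

    $candidates = @(Get-DeclineCandidate -Pattern $Pattern)

    # Count per product so an over-broad pattern stands out.
    $candidates |
        Group-Object { $_.Products -join ', ' } |
        Sort-Object Count -Descending |
        Format-Table Count, Name -AutoSize | Out-Host

    foreach ($u in $candidates) {
        # With -WhatIf this only prints the title; nothing is declined.
        if ($PSCmdlet.ShouldProcess($u.Update.Title, 'Decline')) {
            $u | Deny-WsusUpdate
        }
    }
}

# Dry run first; drop -WhatIf once the product list looks right.
Invoke-DeclineByProduct -Pattern $declinePatterns -WhatIf
```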

Get-WsusUpdate -Approval Unapproved -Status Needed
Get-WsusUpdate -Approval Unapproved -Status Needed |Approve-WsusUpdate -Action Install -TargetGroupName "All Computers" -Verbose
Get-WSUSUpdate -Classification critical -Status Any -Approval unapproved |Approve-WsusUpdate -Action Install -TargetGroupName "All Computers" -Verbose
Get-WSUSUpdate -Classification security -Status Any -Approval unapproved |Approve-WsusUpdate -Action Install -TargetGroupName "All Computers" -Verbose

7-UpdateServices (builtin when installing WSUS)
-Get-WsusServer | Invoke-WsusServerCleanup -CleanupObsoleteComputers -CleanupObsoleteUpdates -CleanupUnneededContentFiles -CompressUpdates -DeclineExpiredUpdates -DeclineSupersededUpdates
-created wsus-cleanup.ps1
-set as Scheduled-Task

Sometimes this needs to be run one at a time:
Invoke-WsusServerCleanup -CleanupUnneededContentFiles -CompressUpdates
Invoke-WsusServerCleanup -DeclineSupersededUpdates
Invoke-WsusServerCleanup -DeclineExpiredUpdates
Invoke-WsusServerCleanup -CleanupObsoleteComputers
Invoke-WsusServerCleanup -CleanupObsoleteUpdates -CompressUpdates
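
One way to write the wsus-cleanup.ps1 and scheduled task mentioned in step 7, as an added example that is not the author's script: it runs the five one-at-a-time calls listed above, logs each result, and can register itself as a task. The log path, task name, weekly schedule and SYSTEM account are assumptions.

```powershell
# wsus-cleanup.ps1 - added example, not the author's script.
# Assumed: log path, task name, weekly schedule, running as SYSTEM.
#Requires -RunAsAdministrator
param(
    [string]$LogPath = 'C:\Scripts\wsus-cleanup.log',
    [switch]$RegisterTask
)
Import-Module UpdateServices

# The switches from the single-line command, split into the five separate
# calls listed above so one timeout does not stop the remaining steps.
$steps = @(
    @{ CleanupUnneededContentFiles = $true; CompressUpdates = $true },
    @{ DeclineSupersededUpdates = $true },
    @{ DeclineExpiredUpdates = $true },
    @{ CleanupObsoleteComputers = $true },
    @{ CleanupObsoleteUpdates = $true; CompressUpdates = $true }
)

function Invoke-CleanupStep {
    param([hashtable[]]$Step, [string]$Log)
    $wsus = Get-WsusServer
    $failed = 0
    foreach ($s in $Step) {
        $name = ($s.Keys | Sort-Object) -join '+'
        try {
            $out = $wsus | Invoke-WsusServerCleanup @s -ErrorAction Stop
            Add-Content $Log ('{0:s} OK   {1}: {2}' -f (Get-Date), $name, ($out -join '; '))
        } catch {
            $failed++
            Add-Content $Log ('{0:s} FAIL {1}: {2}' -f (Get-Date), $name, $_.Exception.Message)
        }
    }
    $failed
}

if ($RegisterTask) {
    # Register this same file to run weekly as SYSTEM.
    $action = New-ScheduledTaskAction -Execute 'powershell.exe' `
        -Argument "-NoProfile -File `"$PSCommandPath`" -LogPath `"$LogPath`""
    $trigger = New-ScheduledTaskTrigger -Weekly -DaysOfWeek Sunday -At 3am
    $principal = New-ScheduledTaskPrincipal -UserId 'SYSTEM' -LogonType ServiceAccount -RunLevel Highest
    Register-ScheduledTask -TaskName 'WSUS Cleanup' -Action $action -Trigger $trigger -Principal $principal
} else {
    # Exit code is the number of failed steps (0 = all succeeded).
    exit (Invoke-CleanupStep -Step $steps -Log $LogPath)
}
```

Because the task runs as SYSTEM, keep the script in a folder that only administrators can write to.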

8-Powershell OneLiner:
Get-WSUSUpdate -Classification All -Status Any -Approval AnyExceptDeclined `
    | Where-Object { $_.Update.GetRelatedUpdates(([Microsoft.UpdateServices.Administration.UpdateRelationship]::UpdatesThatSupersedeThisUpdate)).Count -gt 0 } `
    | Deny-WsusUpdate

-reg query "HKLM\SOFTWARE\Microsoft\Update Services\Server\Setup"

-options set to auto-approve > ran rule.
-created gpos for workstations/servers: https://community.spiceworks.com/how_to/1390-wsus-gpo-settings-for-the-real-world?page=3

See the WSUS Complete Setup which has a bit more explanation and troubleshooting items for both the WSUS Server and the WSUS Clients.
