How to Set Up, Manage, and Maintain WSUS
WSUS Server Maintenance
It should come as no surprise that the WSUS server itself requires maintenance. It has a SQL database (by default the Windows Internal Database, WID), and it manages the files for its updates on the file system. Updates are released and then sometimes re-released, superseding the previous version. The database also carries the list of computers reporting to it and requesting updates from it, along with a large amount of constantly changing data such as OS version numbers, BIOS version numbers, needed updates, installed updates, etc.
On a periodic schedule (usually twice a year), you should review the products and classifications that are enabled, disabled, and available to select. If a new product has been introduced into your network, select it. If you have removed a previously selected product from your network, clear its checkbox. By clearing the checkbox and performing a sync with Microsoft (either manually or automatically at the next interval), you indicate to the Microsoft servers that the product is no longer to be used, and the sync will expire all of the updates within the product set that you removed. After the updates are expired, the next time the Server Cleanup Wizard (SCW) is run, it will remove the files from the server.
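The review, sync, and cleanup sequence described above can also be scripted. The following PowerShell is an added example, not part of the original guide or of WAM; it assumes it runs elevated on the WSUS server with the UpdateServices module installed, and the titles in $RetiredProducts are hypothetical placeholders for products you have retired.

```powershell
# Added example: run elevated on the WSUS server itself.
Import-Module UpdateServices

# Hypothetical placeholders: titles of products no longer on your network.
$RetiredProducts = @('Windows 8.1', 'Office 2010')

$wsus = Get-WsusServer
$subscription = $wsus.GetSubscription()

# 1. Review what is currently enabled for synchronization.
'Enabled products:'
$subscription.GetUpdateCategories() | Sort-Object Title |
    ForEach-Object { "  $($_.Title)" }
'Enabled classifications:'
$subscription.GetUpdateClassifications() | Sort-Object Title |
    ForEach-Object { "  $($_.Title)" }

# 2. Deselect the retired products (the scripted form of clearing the checkbox).
Get-WsusProduct -UpdateServer $wsus |
    Where-Object { $RetiredProducts -contains $_.Product.Title } |
    Set-WsusProduct -Disable

# 3. Sync with Microsoft and wait (at most two hours) for it to finish.
$subscription = $wsus.GetSubscription()   # re-read after the product change
$subscription.StartSynchronization()
$deadline = (Get-Date).AddHours(2)
do {
    Start-Sleep -Seconds 30
    $status = $subscription.GetSynchronizationStatus()
} while ($status -ne 'NotProcessing' -and (Get-Date) -lt $deadline)
$last = $subscription.GetLastSynchronizationInfo()
"Last sync: $($last.Result), finished $($last.EndTime)"

# 4. Run the Server Cleanup Wizard steps; each call prints a summary line.
#    Declines first, then database cleanup, then content files.
Invoke-WsusServerCleanup -UpdateServer $wsus -DeclineExpiredUpdates -DeclineSupersededUpdates
Invoke-WsusServerCleanup -UpdateServer $wsus -CleanupObsoleteUpdates -CompressUpdates
Invoke-WsusServerCleanup -UpdateServer $wsus -CleanupObsoleteComputers -CleanupUnneededContentFiles
```

Invoke-WsusServerCleanup accepts -WhatIf, which is useful for a first pass before letting it make changes.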
But what about the new WSUS servers? What may come as a surprise to most people is that even if you JUST install a WSUS Server (rebuild or new), it should have the proper maintenance done right away. During the setup process, it does a sync to Microsoft, a download of a bunch of updates into the database (approved or not via auto-approvals), and as a few computers report in, it is already fragmenting the SQL database. Sure, WSUS will work without doing any maintenance at this stage, but it will not work as well, and there are MORE things for an administrator to do. Of those synced updates, most of them do not apply to your systems or they are superseded by other updates. We want to emphasize something here:
Just because you’ve installed a new WSUS server, doesn’t mean that it’s clean or optimized; it just means that it’s NEW!
WSUS does a horrible job of keeping itself clean: it has no automated processes, it does not identify issues internally and then run a fix, and all you are left with from Microsoft is the ‘Server Cleanup Wizard’ (SCW), which is highly limited in scope and is unworkable on its own. It does not run any SQL maintenance on the database, it has very tight restrictions on what it declines, it has a hardcoded 30-day removal of computer objects, and it will not remove updates from the database, only decline them. These are just the start of the issues with the SCW. Up until fairly recently (2016), WSUS did not have an administrator’s guide to maintaining WSUS that was written by Microsoft. This guide, as you can see, is very labour intensive, is difficult to set up depending on your technical level, and overall does not cover anything but the basics.
WSUS Automated Maintenance (WAM) fills the gap. Without it, you are left working out how to find and implement assorted SQL scripts to fix certain things, finding a way to schedule them with Task Scheduler, running the SCW manually or via Task Scheduler, and finding a way to see the output of these commands to identify any possible issues. From helping other people with their WSUS issues, we have seen a number of areas that help shrink your content folder and prevent common issues, and that the Microsoft guide does not even touch on. They have been built out as features of WAM.
WSUS Automated Maintenance uses a tier-based pricing model. The more WSUS servers you use, the more you will pay. WSUS Automated Maintenance is CHEAP AND AFFORDABLE for any business that has a need for WSUS, including those that use Microsoft Endpoint Configuration Manager (MECM/SCCM), which uses WSUS as distribution points. If you have 1 server handling 15 clients or 5000 clients, the price of licensing WAM is the same. If you have a more distributed network with 5 downstream servers and 1 upstream server, handling 200 clients or 20,000 clients, the price of licensing WAM is the same (1 upstream and 5 downstream). Please look at the features of WAM and decide for yourself if the time saving is worth the expense, then please purchase a subscription for WAM for every WSUS server you have in your network and then WAM your server! ®