Note For more information about software updates in System Center 2012 Configuration Manager, click the following article number to view the article in the Microsoft Knowledge Base:
Expired updatesAs part of the ongoing update revision process, some updates in the Microsoft Update Catalog are expired. This typically occurs when there is a newer version of the update available. However, in rare cases, Microsoft may discover a problem with an update and therefore expire it. During software update synchronization, these expired updates are marked as "Expired" in the Configuration Manager console. This expired status is indicated by a dimmed icon next to the update. These expired updates are automatically cleaned up from the Configuration Manager database on a regular schedule. The WSUS Synchronization Manager component removes expired updates. It does this only if the following conditions are true:
- The update is not referenced in an update assignment.
- The update is older than the value of "Updates Cleanup Age." (By default, this value is seven days.)
WSUS Synchronization Manager at the top-level Configuration Manager site checks every hour for updates that have to be removed, and it removes expired updates if they match the criteria in the previous list. When WSUS Synchronization Manager deletes expired updates, you can see the following entries in the WSyncMgr.log file:
Content cleanupAs expired updates are removed, content for those expired updates may become orphaned. WSUS Synchronization Manager also cleans up this orphaned content. As part of the content cleanup, WSUS Synchronization Manager analyzes the packages that are owned by the current site, finds content that is no longer referenced, and removes that content from the package source directory. By default, content is removed only if it has been orphaned for more than one day.
If any content is removed, the cleanup process also updates the package so that the updated content is sent to the distribution points (DPs). When WSUS Synchronization Manager removes orphaned content, you can see the following entries in the WSyncMgr.log file:
For more information about the cleanup of expired updates and content, see the following article:
WSUS server maintenanceTo maintain optimal performance of the WSUS database, we recommend that you routinely run the WSUS Cleanup Wizard tasks on the WSUS database (SUSDB) and also reindex the WSUS database on each WSUS computer that is hosting a Software Update Point role in the Configuration Manager environment. When you run WSUS Cleanup Wizard actions in a multilevel hierarchy, you should run the cleanup process on the lowest tier of the WSUS chain first and then move up to the next tier to run the Cleanup Wizard tasks. You should continue on up the hierarchy until you reach the top-tier WSUS computer. You can run this WSUS maintenance routine at the same time on multiple servers in the same tier.
Although reindexing can be performed in any order on any WSUS computer’s SUSDB, we recommend that you run the cleanup and reindexing on each WSUS computer by running the reindex process first and then run the Cleanup Wizard tasks. If you tune the performance of the SUSDB first through reindexing, the Cleanup Wizard tasks will finish more quickly.
Reindexing the WSUS database (SUSDB)You can reindex of the WSUS database (SUSDB) by using the script in the following Microsoft TechNet resource:
If the WSUS database is installed on an instance of Microsoft SQL Server, use SQL Server Management Studio to connect to the database server and to run the database maintenance script.
If the WSUS database is installed on Windows Internal Database, you can use either SQL Server Management Studio Express or the sqlcmd utility.
To use SQL Server Management Studio Express, follow these steps:
- Start SQL Server Management Studio Express, and then connect to the database server.
- For Windows Server 2012 or Windows Server 2012 R2, the server name would be as follows: \\.\pipe\MICROSOFT##WID\tsql\query
- For older operating systems, the server name would be as follows: \\.\pipe\MSSQL$MICROSOFT##SSEE\sql\query
- For Windows Server 2012 or Windows Server 2012 R2, the server name would be as follows:
- Click New Query, paste the contents of the database maintenance script into the new query, and then click Execute.
- Open a command prompt by using administrator credentials.
- Run one of the following commands, depending on your operating system:
For Windows Server 2012 or Windows Server 2012 R2:sqlcmd -S \\.\pipe\MICROSOFT##WID\tsql\query -i <scriptLocation>\WsusDBMaintenance.sqlFor older operating systems:sqlcmd -S \\.\pipe\MSSQL$MICROSOFT##SSEE\sql\query -i <scriptLocation>\WsusDBMaintenance.sql
Tip If you aren't sure whether the WSUS database is hosted on SQL Server or Windows Internal Database, check the following registry key on the WSUS server:
If you see only ServerName or Server\Instance, you are using SQL Server. If you see something that has a ##SSEE or ##WID string in it, the WSUS database is installed on Windows Internal Database.
Tip To determine which version of SQL Server Management Studio Express to install, follow these guidelines:
- For Windows Server 2012 or Windows Server 2012 R2, go to the following folder, and then open the latest ErrorLog file in Notepad. C:\Windows\WID\Log
- For Windows Server 2008 R2 or earlier versions, go to the following folder, and then open the latest ErrorLog file in Notepad. C:\Windows\SYSMSI\SSEE\MSSQL.2005\MSSQL\LOG
Use the version number or service pack level to search the Microsoft Download Center for SQL Server Management Studio Express.
Running a WSUS server cleanupThe WSUS Server Cleanup Wizard can be run from WSUS Console > Options. We recommend that you run WSUS maintenance approximately once a month. If cleanup was never run and the WSUS computer was in production for a long time, it's possible that cleanup may time out and fail. If this occurs, run the cleanup with only the Unused updates and updates revisions check box selected. (This is the top check box.) Then, wait for the process to finish before you run the WSUS Server Cleanup Wizard again but with the next check box selected. Be aware that this may require several passes to complete the cleanup process. Finally, run cleanup with all the options selected. For more information about the WSUS Server Cleanup Wizard, see the following article:
Cleaning up superseded updates
When WSUS is integrated with Configuration Manager, superseded updates may not be deleted because of the restrictions of the WSUS cleanup process. Therefore, we recommend that you periodically decline any unnecessary updates on the WSUS server as appropriate. Unnecessary updates include superseded updates, updates for products or classifications that are not present in the client environment, and expired updates. You can manually decline the updates in the WSUS console or use the following script.
Note Always back up the WSUS database (SUSDB) before you make any changes such as those described here.
Also, be aware that after you deline unneeded updates, you should reindex SUSDB and then run the WSUS Server Cleanup Wizard one more time to remove unneeded updates as appropriate. This will remove the updates from any Configuration Manager software update groups of which it is part. Cleaning up WSUS by using a ScriptA sample script will allow scripted declining of superseded updates in your WSUS environment. You can find the sample script here. Updates have to be declined at the top-level WSUS instance and replicated to downstream WSUS instances that are configured for replica mode. You will have to run the script on any WSUS instance that is running in Autonomous mode. To use the script, you must rename it as "Decline-SupersededUpdates.ps1" and then use it as the following instructions indicate. As always, it is important to test this script in a lab environment before you deploy the script in production.
Notes about the scriptThe default WSUS server port is 80. However, if you have WSUS installed to a custom IIS site, WSUS is probably using a different port. You will have to determine which port WSUS is using and then change the -Port parameter in the following examples to that port.
The argument -DeclineLastLevelOnly declines only those updates that do not supersede any other update. If you omit this argument, any update that is superseded will be declined. This leaves only updates that are not superseded in a state other than "declined."
Running the script
- Run the script with the -SkipDecline switch to see how many superseded updates are in WSUS. For example, to do a test run against WSUS Server without SSL, you would use the following command:
Decline-SupersededUpdates.ps1 -UpdateServer SERVERNAME -Port 80 -SkipDecline
- You can decline only the updates that are superseded and not supersede updates (leaf-level updates):
Decline-SupersededUpdates.ps1 -UpdateServer SERVERNAME -Port 80 -DeclineLastLevelOnly
- Or you can use the following command to decline all superseded updates:
Decline-SupersededUpdates.ps1 -UpdateServer SERVERNAME -UseSSL -Port 8080
Cleaning up WSUS from the WSUS consoleIf you have to or want to decline updates manually, you can do this directly from the WSUS console. To do this, follow these steps:
- Open the Windows Update Services Microsoft Management Console (MMC).
- Select the All Updates view. To do this, set the display to show the Approval status of Any except Declined with a status of Any, and then click Refresh.
- Display the Supersedence column. To do this, right-click the column headers, and then select Supersedence.
- Sort by supersedence. To do this, left-click the Supersedence column.
- Select and decline the superseded updates.