You are here:   Research
  |  Login

Welcome to my blog, quickest way to find articles is usually to search for them.

Search in All Title Contents

Fixing WSUS - When the Best Defense is a Good Offense

Apr 12 2018

This week started pretty harsh, a ton of customers reaching out to our team having WSUS issues. Everything from the “traditional” CPU and Memory spikes, to severe network traffic over port 8530 to the WSUS/SUP server. Basically Clients downloading massive amount of info, some customers reporting up to 700 MB per endpoint.

Note #1: One ongoing issue right now seem to be that the Windows version next updates contains a ton of metadata, causing a massive headache for WSUS admins. See below for scripts to help cleanup the mess, and to perform needed maintenance tasks. Also, if you are missing some info here, let me know. I’m @jarwidmark on Twitter.

Note #2: Whatever solution you pick for the maintenance of your WSUS/SUP server, ensure that you do not sync your WSUS/SUP during the maintenance process!

WSUS Housekeeping

Until Microsoft replaces WSUS with something better, you have to do some housekeeping for WSUS to behave. Your mileage is going to vary, but you simply have to keep the WSUS database in shape, as well as declining unused updates. Here are a few resources that can help.

WSUS Automated Maintenance (Formerly Adamj Clean-WSUS

Cleanup and DB script from Adam Marshall (@Adamj_1)


WSUS Administration, WSUSPool, web.config, settings enforcement via Configuration Items

Great article by Sherry Kissinger

Fully Automate Software Update Maintenance in Configuration Manager

As the title implies, a script that automates software updates, including cleanup, optimization and more. Written by Bryan Dam (@bdam555).

Update April 17, 2018: Bryan recently updated the script to support standalone WSUS, below you find a sample syntax for that:

.\Invoke-DGASoftwareUpdateMaintenance.ps1 -UpdateListOutputFile .\UpdateListOutputFile.csv -StandaloneWSUS WSUS01 -RunCleanUpWizard -DeclineSuperseded -DeclineByTitle @('*Itanium*','*ia64*','*Beta*') -DeclineByPlugins -Force


SQL Cleanup scripts

Some shiny SQL scripts from paul salwey @psalwey

Especially checkout the WSUSSQLMaintenance_4_DeclineUpdates_XML_Lengthover5000.sql one. I had not seen that before.

Tip on usage:

  1. Reindex
  2. Obsolete script
  3. Superseded script
  4. XML script
  5. Reindex again
  6. Reboot server


The complete guide to Microsoft WSUS and Configuration Manager SUP maintenance

Info from Microsoft. The title is a bit misleading, since it’s not actually a complete guide. But there is still lots of good info.

Clients cannot report Scan Results back to WSUS

During the day, Matthew Krause (@MatthewT_Krause) also provided info on an issue he was having: Quite many clients, 75 percent out of 6500,were not reporting back the scan results to WSUS. Basically the server got overloaded with IIS 500 errors as the clients kept trying to report scan results, fail, and then try again. In the WindowsUpdate.log on the client they found that clients would get the error message stating invalid parameter but the sub message was Message:parameters.InstalledNonLeafUpdateIDs (see below).

WindowsUpdate.log on a client failing to report back scan results.


So if you are running into the non-leaf error message, one solution that proved to be working was changing the maxInstalledPrerequisites value in the WSUS Web.config file, and then do an IIS Reset. Doing this change made 90% of clients report scan results back within one day for this environment.

Change WSUS Web.config from:

<add key="maxInstalledPrerequisites" value="400"/>


<add key="maxInstalledPrerequisites" value="800"/>


Optimizing WSUS with Configuration Manager, via Adaptiva

Good WSUS overview article with a few technical tricks in it. Written by Matt Tinney (@mnt2556) from Windows Management Experts. 

Happy Deployment / Johan

Happy deployment, and thanks for reading!

What our lawyers makes us say:

This information is provided "AS IS" with no warranties, confers no rights and is not supported by the authors or Deployment Artist.

Copyright © 2017 by Deployment Artist (the company behind deployment research). All rights reserved. No part of the information on this web site may be reproduced or posted in any form or by any means without the prior written permission of the publisher.

Shorthand: Don't pass off our work as yours, it's not nice.

Blog Archive