Deep Dive Maintaining the WSUS Catalog by Declining Updates for Better Update Scanning

  • Published on 2 Jul 2024
  • * Important Update *
    - Do NOT remove the "all" in the language script (Decline-Windows10Languages.ps1) as I did in the video at 25:14. If you run the script with the standalone WSUS option, removing the "all" language may cause some language-independent updates to be declined.
    - It's recommended to first run the script with the -Whatif switch to determine the impact of running the script.
    Overview
    In this video guide, we walk through maintaining the WSUS catalog to reduce catalog size and client scanning issues. We cover optimizing the IIS AppPool settings for WSUS, indexing the SUSDB, setting up a scheduled task that runs a script to automatically decline any superseded updates, changing the wsyncmgr purge of expired updates from 7 days to 0, and comparing the initial catalog download size on a client.
    For additional resources mentioned in the video, please see the accompanying blog post at setupconfigmgr.com/maintainin...
    Introduction - (0:00)
    Review SUP Products that are Enabled - (1:57)
    Review WSUS Catalog for Un-Maintained WSUS Catalog - (2:51)
    Review All Software Updates in SCCM Console - (4:55)
    Perform Update Scan on Client to Un-Maintained WSUS Catalog - (5:43)
    Review Catalog Download Size on Client (13.5MB) - (9:27)
    Optimize WSUS IIS AppPool Settings - (12:10)
    Indexing SUSDB - (13:17)
    Creating the two WSUS SUSDB Indexes to Improve Speed when Declining Updates - (14:41)
    Adding Scheduled Task for Declining Updates to Run Bryan Dam’s Script - (15:46)
    Changing wsyncmgr Expired Purge Time From 7 days to 0 Days - (29:25)
    Perform Update Scan on Client to Maintained WSUS Catalog (2MB) - (31:36)
    #SCCM #ConfigMgr #Patching
  • Science & Technology

Comments • 59

  • @PatchMyPC 6 years ago +4

    Note: It was pretty late when I did this video. If you set the speed to 1.25x, it may sound more normal :) - Justin Chalfant

    • @PatchMyPC 4 years ago

      Haha, yeah I was slower in the first videos, probably better for later videos.

    • @abdelazizaqel 2 years ago

      @PatchMyPC Adding Scheduled Task for Declining Updates to Run Bryan Dam’s Script - (15:46) from this point not working with me

    • @abdelazizaqel 2 years ago

      is this correct
      @PatchMyPC
      -NoLogo -NoProfile -NonInteractive -ExecutionPolicy ByPass -command D:\scprit\ScriptsInvoke-DGASoftwareUpdateMaintenance.ps1 -DeclineSuperseded -UpdateListOutputFile D:\scprit\ScriptsDeclinedUpdates.csv -DeclineByTitle @('*Itanium*','*ia64*','*Beta*') -DeclineByPlugins -CleanSUGs -RemoveEmptySUGs -RunCleanUpWizard -ReSyncUpdates -MaxUpdateRunTime @{'*Security Monthly Quality Rollup For Windows*'=60;Security and Quality Rollup for .NET*=30}" -Force

  • @RaidenXXII 5 years ago +1

    Thank you for making these great videos and going into detailed explanations of settings and functions. Your videos are great to reference back on details I overlooked.

    • @PatchMyPC 4 years ago

      Thanks for watching.

  • @nawazkazi2008 6 years ago

    Hey Justin, This is awesome, Every day you have some video on SCCM, Much Appreciated mate. Thanks.

    • @PatchMyPC 6 years ago +1

      nawaz kazi thanks!

  • @waynehatia7925 4 years ago

    I love your program man, really appreciate all your work!

    • @PatchMyPC 4 years ago

      Glad to hear it!

  • @Christikransch98 4 years ago +1

    Very awesome video! :)

    • @PatchMyPC 4 years ago

      Thanks for watching

  • @221989qwerty 6 years ago +1

    Great video Justin. Is it ok to remove "all" in languages script in an SCCM environment if we're using only en-us language?

    • @PatchMyPC 6 years ago +1

      221989qwerty No, I would leave it. There are some updates that are language independent like CUs for Win10.

  • @pratham0613 3 years ago

    Your videos are very informative, thanks for sharing.
    I just have one question: when clients scan (Full) for software updates, do they scan only against all patch deployments assigned to that client or against all updates present in SUP or WSUS?

    • @PatchMyPC 3 years ago +1

      All updates

  • @kingskawn 6 years ago +3

    I always heard that you cannot work with updates on the wsus server itself by accepting and declining updates. That's on the SUP through the SCCM console. Is that true?

    • @PatchMyPC 6 years ago +2

      Approval of updates should always be in SCCM if you plan to use SCCM for deploying updates. It's fine to decline updates you don't want clients to scan against directly in WSUS or using a script like mentioned in the video. The declined updates will sync over to SCCM and show as expired and be removed after a week from the SCCM update view.

  • @tomaskulikauskas2226 5 years ago +2

    Hello Justin,
    I have installed Windows Server 2016 v1607. I have synchronized Windows Updates on SCCM.
    SCCM shows that the server needs only one update, "2018-05 Update for Windows Server 2016 for x64-based Systems (KB4132216)", but I know from other live servers that there should be one more update, "2018-10 Cumulative Update for Windows Server 2016 for x64-based Systems (KB4462928)".
    If I build a package and install updates with only that one update KB4132216, how will the server get the other update KB4462928? Or should I first install this KB4132216 update and then scan again?
    You show in the video that you build all update packages in one go and then deploy them. What is best practice: to build update packages, first scan all devices and then run Windows Updates?
    Could you please explain in more detail how not to miss necessary updates.
    Regards,
    Tomas

    • @PatchMyPC 5 years ago

      Have you happened to see setupconfigmgr.com/how-to-deploy-software-updates-using-microsoft-sccm yet? I think this may help?

  • @RaidenXXII 5 years ago +1

    When do you schedule SUP sync, before or after the "Patch Tuesday" ADR run?
    Currently I have the sync set to 6pm and "Patch Tuesday" ADR schedule to run 2nd Tuesday 2 days offset, due to time zone difference. Couldn't find where to set to UTC.

    • @PatchMyPC 5 years ago +1

      It depends. If you run it too soon and you use required criteria, keep in mind you may not have enough scan data yet from your clients.

    • @RaidenXXII 5 years ago

      @PatchMyPC OK, thanks for that. I just noticed 20% of my production workstations didn't complete the May 2019 CU during the 6-hour maintenance window. I'm reviewing the client settings and SUP sync schedule so it doesn't happen for further monthly patching.
      Currently SUP is set to sync at 3am daily. Will this cause an issue during the production patching maintenance window set from 9pm to 6am on the 4th Thursday?

  • @allferryrocha2698 4 years ago +1

    Thanks for your great videos. 1 question, do you know why workstations with SC Endpoint Protection/Defender only get their definition update every 5 days? Can’t figure how to change it

    • @PatchMyPC 4 years ago

      I'm not sure I understand the question.

    • @allferryrocha2698 4 years ago

      Patch My PC sorry for the mess.
      We’ve got some workstations with Defender that are being managed by our SCCM. I noticed that Defender on these workstations is only getting its definition updates every 5 days.
      So if SCCM syncs with WSUS and gets updates today, the workstations won’t get the updates the same day, but the next days (5) normally. PS: we’re using ADR.
      Is there a way I could shorten the time it takes machines to get definition updates, please?

    • @PatchMyPC 4 years ago

      @allferryrocha2698 You may want to check your deployment deadline in your ADR. You should be able to make your definition update deploy right away with a required deadline right away.

    • @allferryrocha2698 4 years ago

      Patch My PC installation deadline is already set to as soon as possible.

    • @PatchMyPC 4 years ago

      Not sure then, maybe maintenance windows.

  • @paulblanchard8271 4 years ago

    Thanks for the great guides! I have a question I'm hoping you can help with.
    I ran the VB script you provided to change the wsyncmgr expired purge time from 7 days to 0 days (after putting in my server's FQDN and site code). Next, I declined an update in WSUS, saw that it was expired in ConfigMgr, and scheduled a full SUP sync. The expired update is still showing in ConfigMgr and wsyncmgr doesn't show any sign of this update being deleted.
    Have you seen this problem before?
    Can I ask where this script comes from? I can't find much documentation on it and am wondering if it's supported with ConfigMgr 1910.
    Hoping you can help as it's a bit annoying waiting 7 days for expired updates to purge from the ConfigMgr console

    • @PatchMyPC 4 years ago

      Is the update in a software update group?

    • @paulblanchard8271 4 years ago

      @PatchMyPC No, the update wasn't in a SUG, but the issue solved itself! The updates in question automatically purged several hours later. There is a random "Deleted 1322 expired updates" in my wsyncmgr.log. So, seems like that VB script works but it might just take a few hours for the updates to purge. Still better than waiting 7 days!! Thanks for replying

  • @SHAKTI4601 5 years ago +1

    I have run the maintenance script and it's expiring the updates in the SCCM console. If I am not wrong, they will be removed from the list after 7 days automatically, or does a sync need to be run after 7 days? Currently my sync is only running on the second Tuesday and the maintenance script is scheduled to run on the same day at night... The maintenance script is also calling for a resync... but I am still seeing the expired updates in the console... just wanted to understand that I am not doing anything wrong...

    • @PatchMyPC 5 years ago

      Yeah, removed after 7 days *as long as they aren't in a SUG being deployed*. I believe I posted a script to change the SCCM cleanup from 7 to 0 days if you want to be more aggressive.

  • @LarsSchretlen 5 years ago +1

    How to filter out the updates for ARM64 based systems (like KB4456655)
    is it just adding a name to one of the scripts or do you need to edit the scripts ?

    • @PatchMyPC 5 years ago

      I believe it's searching in the title to decline them.

    • @LarsSchretlen 5 years ago +1

      Patch My PC it's not. I did run all the scripts (version, language, etc.) but they do not filter them out. I did react on his website but no response yet.

    • @PatchMyPC 5 years ago

      I would ping Bryan on Twitter. He's super responsive twitter.com/bdam555

  • @pa1089 3 years ago

    Hello Justin. How are you? Just want to check does the script work for both SCCM as well as standalone WSUS environments? Just a bit confused on this. Thank you

  • @dorondododo8478 4 years ago

    Hello - where can I find the link for the PowerShell script you mention in this video and the other ones?

    • @PatchMyPC 4 years ago

      damgoodadmin.com/2018/10/17/latest-software-maintenance-script-making-wsus-suck-slightly-less/

  • @bardfox9878 5 years ago +1

    Stuck on running the script Invoke-DGASoftwareUpdateMaintenance. I have created the scheduled task and it's running but does nothing; no log file is created in the folder from where I run the script. Help plz

    • @bardfox9878 5 years ago +1

      as soon as I posted the above comment I got it working

    • @PatchMyPC 5 years ago

      @bardfox9878 ok great!

  • @jpine77 3 years ago

    I have 2 SUP/WSUS's. Should the downstream WSUS source be configured as autonomous or as a replica?

    • @PatchMyPC 3 years ago

      SCCM should set the setting already for you in WSUS.

  • @veloprofzxt8261 1 year ago

    what to do if SCCM does not show all WSUS driver?

  • @Atreus21 3 years ago

    What happens if you choose to synchronize for all products under the Software Update Point? Why shouldn't one do that? I mean it's not likely you have any installations of Microsoft Works hanging around, but there are lots of products for which patches are available that you don't know exist in the enterprise, and ought to be patched.

    • @PatchMyPC 3 years ago

      Your catalog would be pretty big, and it may cause performance impact.

  • @azeemmohiuddin2008 3 years ago

    "Sync failed: the subscription cannot be run at this time. "
    Wsus sync fails with this error. Can you please help on this. It's on a downstream replica server.

    • @PatchMyPC 3 years ago

      Did this clear up?

  • @dorondododo8478 4 years ago

    Hi - pls send me the SCCM 1806 trial link?
    I could find 1801 from Microsoft.
    The second question: how can I upgrade the 1606 version to 1806 somehow?
    I'd like to thank you for these videos, you are the best instructor on SCCM. Best regards

    • @PatchMyPC 4 years ago

      You should be able to find the trial download link via google pretty easily.

  • @jpine77 3 years ago +1

    I am getting error, Failed to connect to provider server with code -2147217394, Aborting! with the Adjust-WSync_UpdateCleanupAge.vbs script. Any thoughts as to why?

    • @PatchMyPC 3 years ago

      Did you figure this one out?

    • @jpine77 3 years ago

      @PatchMyPC Yes, thanks!