Thursday, October 21, 2021

WSUS Part 3: Tuning your WSUS server with PowerShell

WSUS Server cleanup

Because the WSUS server uses a lot of storage, it can be useful to clean it regularly. This works well if you start cleaning regularly right after a clean install. If you wait too long and the WSUS server becomes bigger and bigger, it will take a long time to clean the server. In PowerShell you can use this cmdlet:

Invoke-WsusServerCleanUp 

Parameters:

-CleanupObsoleteComputers

Specifies that the cmdlet deletes obsolete computers from the database.

-CleanupObsoleteUpdates

Specifies that the cmdlet deletes obsolete updates from the database.

-CleanupUnneededContentFiles

Specifies that the cmdlet deletes unneeded update files.

-CompressUpdates

Specifies that the cmdlet deletes obsolete revisions to updates from the database.

-DeclineExpiredUpdates

Specifies that the cmdlet declines expired updates.

-DeclineSupersededUpdates

Specifies that the cmdlet declines superseded updates.

-UpdateServer

Specifies the object that contains the WSUS server. This value is obtained by calling the Get-WsusServer cmdlet and passing the resulting IUpdateServer object into this cmdlet.

Example I use for my script:

Invoke-WsusServerCleanUp -CleanUpObsoleteUpdates -CleanupUnneededContentFiles -CompressUpdates


Wednesday, October 13, 2021

WSUS Part 2: Create a task for Patch Tuesday with PowerShell

I found out that it is not possible to choose a monthly schedule on the second Tuesday of the month with "New-ScheduledTaskTrigger". It is only possible to use a monthly or weekly schedule. Because of this, I used SCHTASKS to create a task for my WSUS PowerShell scripts:

SCHTASKS /Create /RU "NT AUTHORITY\SYSTEM" /ST 18:00 /SC MONTHLY /MO SECOND /D TUE /TN "<TASKNAME>" /TR "PowerShell.exe -ExecutionPolicy Bypass -File C:\Scripts\<ScriptName>.ps1"
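
The task above runs as SYSTEM and loads a script from C:\Scripts, so any account that can modify that file or its folder can run code as SYSTEM. The following added example (not part of the original post) reports such write access; the function name Test-TaskScriptAcl and the script path are assumptions.

```powershell
# Added example, not from the original post. Lists principals other than SYSTEM,
# Administrators and TrustedInstaller that hold write-type rights on a script
# (and its folder) that a SYSTEM scheduled task executes.
function Test-TaskScriptAcl {
    param([Parameter(Mandatory)][string]$ScriptPath)

    # Well-known SIDs: SYSTEM, BUILTIN\Administrators, NT SERVICE\TrustedInstaller
    $trustedSids = 'S-1-5-18', 'S-1-5-32-544',
        'S-1-5-80-956008885-3418522649-1831038044-1853292631-2271478464'
    # Rights that allow changing, replacing or re-permissioning the target
    $writeMask = [int][System.Security.AccessControl.FileSystemRights]'Write, Delete, DeleteSubdirectoriesAndFiles, ChangePermissions, TakeOwnership'
    # GENERIC_WRITE (0x40000000) and GENERIC_ALL (0x10000000) appear on inheritable ACEs
    $genericMask = 0x50000000

    # Write access to the parent folder is enough to swap the script, so check both
    foreach ($target in @($ScriptPath, (Split-Path -Path $ScriptPath -Parent))) {
        $acl = Get-Acl -LiteralPath $target
        $rules = $acl.GetAccessRules($true, $true, [System.Security.Principal.SecurityIdentifier])
        foreach ($rule in $rules) {
            if ($rule.AccessControlType -ne 'Allow') { continue }
            if (-not ([int]$rule.FileSystemRights -band ($writeMask -bor $genericMask))) { continue }
            $sid = $rule.IdentityReference.Value
            if ($trustedSids -contains $sid) { continue }
            # Resolve the SID to a name when possible; keep the SID otherwise
            try { $account = $rule.IdentityReference.Translate([System.Security.Principal.NTAccount]).Value }
            catch { $account = $sid }
            [pscustomobject]@{
                Path      = $target
                Account   = $account
                Rights    = $rule.FileSystemRights
                Inherited = $rule.IsInherited
            }
        }
    }
}

# Assumed path; replace it with the script named in the task's /TR value.
$taskScript = 'C:\Scripts\WSUS-Sync.ps1'
if (Test-Path -LiteralPath $taskScript) {
    $findings = @(Test-TaskScriptAcl -ScriptPath $taskScript)
    if ($findings.Count -eq 0) { 'Only SYSTEM, Administrators and TrustedInstaller can modify the script.' }
    else { $findings | Format-Table -AutoSize }
}
```

Any row in the output is an account that should lose its write access to the script or folder before the task is registered.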

For more information about "New-ScheduledTaskTrigger":


Wednesday, October 6, 2021

WSUS Part 1: Synchronize updates and Approve/Deny updates with PowerShell

You can use PowerShell for WSUS management. This example works on a Windows Server with PowerShell 5.1 and the PowerShell WSUS module installed from Server Manager. You can start the synchronization and approve the updates with the example below:

$wsus = Get-WSUSserver
$Subscription = $wsus.GetSubscription()
# Start the WSUS synchronization.
$Subscription.StartSynchronization()
# Wait until the synchronization is finished.
Start-Sleep -Seconds 5
While ($Subscription.GetSynchronizationProgress().Phase -ne "NotProcessing") {
    Write-Host "Synchronization is busy: $($Subscription.GetSynchronizationProgress())"
    Start-Sleep -Seconds 5
}
# Approve every update that has not been declined for the "All Computers" group.
Get-WSUSUpdate -Approval AnyExceptDeclined | Approve-WSUSUpdate -Action Install -TargetGroupName "All Computers"

You can use this example if you would like to deny older updates:

# Get all updates older than 4 months:
$Updates = Get-WsusUpdate -Approval AnyExceptDeclined | Where-Object { !($_.Update.CreationDate -ge (Get-Date).AddMonths(-4)) }
# Deny the updates:
$Updates | Deny-WsusUpdate
All updates older than 4 months are denied.

Sometimes it is necessary to accept a license agreement for an update. You can use this code to accept all license agreements:

$wsus = Get-WsusServer
# Get a list of updates with a license agreement.
$AcceptLicenses = $wsus.GetUpdates() | Where-Object { $_.HasLicenseAgreement }
# Accept the license agreement for the updates.
ForEach ($Item in $AcceptLicenses) {
    $Item.AcceptLicenseAgreement()
}