Monday, June 26, 2017

WSUS 2012 R2 Maintenance Automation

One of my most popular posts is WSUS automated maintenance, however it is centered on Server 2008 / 2008 R2. A friend asked me how I was doing it on Server 2012 R2 WSUS version 6.3 so I thought I would share that with the rest of the world. Server 2012 aka 6.2 should be no different.

I wont cover the reasons as they are explored in my above post as well as other places on the Internet, such as Jasons link below. This post is simply what I do to keep a 2012 R2 WSUS happy and fast. As before I perform 3 basic steps:

  • Decline Itanium Updates
  • Cleanup Wizard
  • Re-Index Database

Decline Itanium Updates


The first bullet is handled by a Powershell script Jason Sandys wrote. You just pass all the options to the script.

 powershell.exe "C:\Scripts\WSUSServerCleanup\Decline-OtherUpdates.ps1 -UpdateServer YourWSUSServer -Port 8530 -DeclineBeta -DeclineItanium"  

Cleanup Wizard


Second is a cleanup wizard script. I have moved to this one by Trevor Jones as my previous one didn't support 2012 R2 WSUS all that well. Jasons Script can do much of this, however Trevor's generates a nice HTML based email that you can send to yourself to see what it did.

You configure settings within the PS1 file for servers, contact email and SMTP smarthost and whatnot. I have single WSUS servers that I manage in this example howver several WSUS instances email me so I added the servername to the subject line.


  $WSUSServers = @(  
   "YOURWSUSSERVER"  
   )  
 # Mail settings  
 $smtpserver = "smtp.yourdomain.com"  
 $MailSubject = "YOURWSUSERVER WSUS Cleanup Report"  
 $MailRecipients = "[email protected]"  
 $FromAddress = "[email protected]"  

Then just run it:

 powershell.exe "c:\Scripts\WSUSServerCleanup\WSUSServerCleanupReport.PS1"




Re-Index Database


Same as before I use the Scripting Guys Cleanup Script. You can find the WsusDBMaintenance script here, however doing a Re-Index is a little more complex and needs to be ran on each WSUS server from the parent on down. If you use Windows Internal Database (default for WSUS) then this applies.

Firstly, you have to install some prereqs as the sqlcmd called in the re-index script needs to be present. Microsoft provides it separately so you do not have to install a full edition of MS SQL to get it. Install MS SQL Server Native Client and then install the sqlcmd tool to your server. Below are links for version 13.1 that works on 2012 R2. Install with defaults. Note the versions must match.



then run this. Note the -S switch changed for 2012R2 WSUS from 2008 R2.

 sqlcmd -E -S np:\\.\pipe\MICROSOFT##WID\tsql\query -i "C:\Scripts\WSUSServerCleanupReport\WsusDBMaintenance.sql"  

For 2008 R2 I would get an email of the output of sqlcmd. I stopped as I looked at it once and never again. My previous post has details around this if you want to do it.


Schedule



As far as schedule, I now just run a single batch file on the WSUS server with all three steps as compared to running separately. I run it as a scheduled task the first Tue of the month so things are clean when Update Tuesday rolls around. 



Closing


Just as I wish Microsoft would split out Itanium from X86/AMD64, I also wish that WSUS would list Windows 10 versions separately instead of all together. As of right now if you choose Windows 10 updates you get 1511, 1607, and 1703 versions. Say for an environment that no longer has 1511 in it, why are we keeping updates for it? I have been thinking of using Jasons script to also decline all the Windows 10 version 1511 cumulatives in this example as he has a switch for '-DeclineOther' that takes a string so should do this.

Next up is Server 2016.

-Kevin