I have an issue at all sites with WSUS cleanup, specifically with Microsoft antivirus definitions and the "deleting unused update revisions" cleanup. After a period of time (it varies), this cleanup fails. I find myself having to set all updates in the WSUS database to unapproved and set all declined updates to unapproved. Then the cleanup works. Afterward, I have to re-approve all updates. It's rather tedious.
We set only the antivirus and Edge updates to auto-approve; this seems necessary to maintain reasonable workstation and server health. I like the Microsoft antivirus on our servers; it seems to work well. I also like the visibility of the update status. I'd actually prefer if these two portions of WSUS were moved to their own service, maybe.
Question is, am I doing something wrong that is causing this cleanup task to consistently fail? It seems to me that something is fundamentally wrong with this cleanup or the auto-declining of virus definitions is getting in the way.