FCS and WSUS maintenance…..

Microsoft antimalware definition updates accumulate over time and can affect more than just database resources and disk resources on the Windows Server Update Service server.

When a client connects to the Windows Server Update Service (WSUS) server, the client retrieves a list of all the approved updates that are offered and then must parse the list to determine which updates need to be installed. Both Forefront Client Security and Forefront Endpoint Protection help minimize this by only requesting antimalware definition updates, but a WSUS server that has been in operation for a long time could still possibly return thousands of updates that must be parsed. This large number of updates being returned can manifest itself as high CPU and memory usage by the svchost.exe process inside which Automatic Updates runs http://support.microsoft.com/kb/938947.

When Microsoft releases new antimalware definitions, we mark it as superseding any previous released updates, and expire the oldest current update. The goal is to always have four versions of the updates available through WSUS to be offered to the client. Even though those older updates have been expired, unless they are declined, they will still be offered to the client for evaluation. Luckily there are several things we can do to avoid getting in this scenario.

Along with the ability to automatically approve the definition updates, WSUS has the ability to automatically decline updates as they are expired. To maintain the best performance of your WSUS server, this advanced option should be enabled, and if you choose to not automatically decline expired updates, you need to make sure to periodically decline them.

To automatically approve revisions to updates and decline expired updates:

  1. In the WSUS administration console, click Options, and then click Automatic Approvals.
  2. On the Advanced tab, make sure that both Automatically approve new revisions of approved updates and Automatically decline updates when a new revision causes them to expire check boxes are selected.
  3. Click OK.

(from http://technet.microsoft.com/en-us/library/dd939929(WS.10).aspx)


The Forefront team also released the Client Security Best Practice Analyzer. This tool performs a series of diagnostic tests that can be used to troubleshoot issues or improve performance of your Client Security servers. You can find out more about the BPA here http://technet.microsoft.com/en-us/library/bb877697.aspx and recent updates and changes to it here: http://support.microsoft.com/kb/976986. One of the checks the BPA performs is for the number of expired definitions on the Forefront Client Security distribution server.

Number of expired definitions:

FCS definition updates will accumulate over time on a WSUS server, consuming disk and database resources.  This check queries for expired FCS definition that are no longer being used and issues a best practice warning if more than a month’s worth are found.

Here is what it looks like in the BPA tool:


The TechNet documentation also contains a list of best practices to use when managing your Client Security Deployment. You can find these best practices here http://technet.microsoft.com/en-us/library/bb418840.aspx . One of the recommendations is to remove old updates from the WSUS server on a monthly basis. There are 2 ways to manually do this: you can use the wsusutil.exe from the command line, or you can use the Server Clean-Up Wizard that is integrated into the management UI beginning with WSUS 3.0:


If you run multiple WSUS servers in an upstream downstream relationship you need to run the cleanup on all downstream servers before running it on the upstream Servers. If you fail to do this you will corrupt the data base of the downstream server and have to rebuild your downstream servers to fix the corruption.

If you have to manage multiple WSUS servers or you want to automate the cleanup process, there are a couple of PowerShell examples over in the Scripting Forum:

Chris Norman
Senior Escalation Engineer