Software updates maintenance

Applies to: System Center Configuration Manager (Current Branch)

You can schedule and run WSUS cleanup tasks from the Configuration Manager console from the Software Update Point Component properties. When you first select to run the WSUS cleanup task, it will run after the next software updates synchronization.

To schedule and run the WSUS cleanup job

Schedule the WSUS cleanup job by running the following steps:

  1. In the Configuration Manager console, navigate to Administration > Overview > Site Configuration > Sites.

  2. Select the site at the top of your Configuration Manager hierarchy.

  3. Click Configure Site Components in the Settings group, and then click Software Update Point to open Software Update Point Component Properties.

  4. Review the Supersedence behavior. Modify the behavior if needed.

    supersedence behavior screenshot

  5. Click the Supersedence Rules tab, select Run WSUS cleanup wizard. In version 1806, the option is renamed to Run WSUS cleanup after synchronization.

  6. Click OK (Click Close if you're running version 1806).

WSUS cleanup behavior in version 1802 and earlier

Before Configuration Manager version 1806, the WSUS cleanup option runs the following item:

  • The Expired updates option from the WSUS cleanup wizard on the top-level site's WSUS server only.

    WSUS expired update cleanup screenshot

  • A cleanup for software update configuration items in the Configuration Manager database occurs every seven days and removes unneeded updates from the console.

    • This cleanup won't remove expired updates from the Configuration Manager console if they're currently deployed.

Additional maintenance is still needed on the top-level WSUS database and all other WSUS databases in the environment. For more information and instructions, see The complete guide to Microsoft WSUS and Configuration Manager SUP maintenance blog post.

WSUS cleanup behavior starting in version 1806

Starting version 1806, the WSUS cleanup option occurs after every sync and does the following cleanup items:

  • The Expired updates option for WSUS servers on CAS and primary sites.
    • WSUS servers for secondary sites don't run the WSUS cleanup for expired updates.
  • Configuration Manager builds a list of superseded updates from its database. The list is based on the supersedence behavior in the Software Update Point component properties.
    • The update configuration items meeting the supersedence behavior criteria are expired in the Configuration Manager console.
    • The updates are declined in WSUS for CAS and primary sites but not for secondary sites.
  • A cleanup for software update configuration items in the Configuration Manager database occurs every seven days and removes unneeded updates from the console.
    • This cleanup won't remove expired updates from the Configuration Manager console if they're currently deployed.

Note

The "Months to wait before a superseded update is expired" is based on the creation date of the superseding update. For example, if you use 2 months for this setting, then updates that have been superseded will be declined in WSUS and expired in Configuration Manager when the superceding update is 2 months old.

All WSUS maintenance needs to be run manually on secondary site WSUS databases. The following WSUS Server Cleanup Wizard options aren't run on the CAS and primary sites:

WSUS cleanup behavior starting in version 1810

Starting version 1810, you can specify supersedence rules for feature updates separately from non-feature updates in the Software Update Point component properties. The WSUS cleanup option occurs after every sync and does the following cleanup items:

  • The Expired updates option for WSUS servers on CAS, primary, and secondary sites.
  • Configuration Manager builds a list of superseded updates from its database. The list is based on the supersedence behavior in the Software Update Point component properties.
    • The update configuration items meeting the supersedence behavior criteria are expired in the Configuration Manager console.
    • The updates are declined in WSUS for CAS, primary, and secondary sites.
  • A cleanup for software update configuration items in the Configuration Manager database occurs every seven days and removes unneeded updates from the console.
    • This cleanup won't remove expired updates from the Configuration Manager console if they're currently deployed.

Note

The "Months to wait before a superseded update is expired" is based on the creation date of the superseding update. For example, if you use 2 months for this setting, then updates that have been superseded will be declined in WSUS and expired in Configuration Manager when the superceding update is 2 months old.

The following WSUS Server Cleanup Wizard options aren't run on the CAS, primary, and secondary sites:

WSUS cleanup starting in version 1906

You have additional WSUS maintenance tasks that Configuration Manager can run to maintain healthy software update points. In addition to declining expired updates in WSUS, Configuration Manager can add non-clustered indexes to the WSUS databases and remove obsolete updates from the WSUS databases. The WSUS maintenance occurs after every synchronization.

Add non-clustered indexes to the WSUS database to improve WSUS cleanup performance

The addition of non-clustered indexes improves the WSUS cleanup performance that Configuration Manager does.

  1. In the Configuration Manager console, navigate to Administration > Overview > Site Configuration > Sites.
  2. Select the site at the top of your Configuration Manager hierarchy.
  3. Click Configure Site Components in the Settings group, and then click Software Update Point to open Software Update Point Component Properties.
  4. In the WSUS Maintenance tab, select Add non-clustered indexes to the WSUS database.
  5. On each SUSDB used by Configuration Manager, indexes are added to the following tables:
    • tbLocalizedPropertyForRevision
    • tbRevisionSupersedesUpdate

SQL permissions for creating indexes

When the WSUS database is on a remote SQL server, the site server's computer account needs the following SQL permissions:

  • Creating an index requires ALTER permission on the table or view. The site server's computer account must be a member of the sysadmin fixed server role or the db_ddladmin and db_owner fixed database roles. For more information about creating and index and permissions, see CREATE INDEX (Transact-SQL).
  • The CONNECT SQL server permission must be granted to the site server's computer account. For more information, see GRANT Server Permissions (Transact-SQL).

Note

If the WSUS database is on a remote SQL server using a non-default port, then indexes might not be added. You can create a server alias using SQL Server Configuration Manager for this scenario. Once the alias is added and Configuration Manager can make a connection to the WSUS database, indexes will be added.

Remove obsolete updates from the WSUS database

Obsolete updates are unused updates and update revisions in the WSUS database. Generally speaking, an update is considered obsolete once it's no longer in the Microsoft Update Catalog and it isn't needed by other updates as a prerequisite or dependency.

  1. In the Configuration Manager console, navigate to Administration > Overview > Site Configuration > Sites.
  2. Select the site at the top of your Configuration Manager hierarchy.
  3. Click Configure Site Components in the Settings group, and then click Software Update Point to open Software Update Point Component Properties.
  4. In the WSUS Maintenance tab, select Remove obsolete updates from the WSUS database.
    • The obsolete update removal will be allowed to run for a maximum of 30 minutes before being stopped. It will start up again after the next synchronization occurs.

SQL permissions for removing obsolete updates

When the WSUS database is on a remote SQL server, the site server's computer account needs the following SQL permissions:

Known issues for version 1906

Consider the following scenario:

  • You are using Configuration Manager version 1906
  • You have remote software update points using a Windows Internal Database
  • In the Software Update Point Component Properties, you have any of the following selected options under the WSUS Maintenance tab:
    • Add non-clustered indexes to the WSUS database
    • Remove obsolete updates from the WSUS database

In this scenario, Configuration Manager is unable to perform the above WSUS Maintenance tasks for the remote Software Updates Points using a Windows Internal Database. This issue occurs because Windows Internal Database doesn't allow remote connections. You'll see the following errors in the WSyncMgr.log on the site server:

Indexing Failed. Could not connect to SUSDB.
SqlException thrown while connect to SUSDB in Server: <SUP.CONTOSO.COM>. Error Message: A network-related or instance-specific error occurred while establishing a connection to SQL Server. The server was not found or was not accessible. Verify that the instance name is correct and that SQL Server is configured to allow remote connections. (provider: Named Pipes Provider, error: 40 - Could not open a connection to SQL Server)
...
Could not Delete Obselete Updates because ConfigManager could not connect to SUSDB: A network-related or instance-specific error occurred while establishing a connection to SQL Server. The server was not found or was not accessible. Verify that the instance name is correct and that SQL Server is configured to allow remote connections. (provider: Named Pipes Provider, error: 40 - Could not open a connection to SQL Server) UpdateServer: <SUP.CONTOSO.COM>

To work around the issue, you can automate the WSUS maintenance for the remote software update points using a Windows Internal Database. For more information and detailed steps, see The complete guide to Microsoft WSUS and Configuration Manager SUP maintenance.

Updates cleanup log entries

You can verify this cleanup by reviewing the wsyncmgr.log for the following entries:

  • The decline of superseded updates in WSUS is complete when you see this log entry: Cleanup processed <number> total updates and declined <number>
  • The WSUS cleanup is starting when you see this entry: Calling WSUS Cleanup.
  • The WSUS cleanup for expired updates is complete when you see this entry: Successfully completed WSUS Cleanup.
  • The Configuration Manager expired updates configuration items cleanup is starting when you see this entry: Deleting old expired updates...
  • The Configuration Manager expired updates configuration items cleanup is complete when you see this entry: Deleted <number> expired updates total