软件更新维护Software updates maintenance

适用范围: Configuration Manager (Current Branch)Applies to: Configuration Manager (current branch)

可从 Configuration Manager 控制台和软件更新点组件属性中计划和运行 WSUS 清理任务。You can schedule and run WSUS cleanup tasks from the Configuration Manager console from the Software Update Point Component properties. 首次选择运行 WSUS 清理任务时,它将在下一次软件更新同步后运行。When you first select to run the WSUS cleanup task, it will run after the next software updates synchronization.

计划和运行 WSUS 清理作业To schedule and run the WSUS cleanup job

通过运行以下步骤来计划 WSUS 清理作业:Schedule the WSUS cleanup job by running the following steps:

  1. 在 Configuration Manager 控制台中,导航到“管理” > “概述” > “站点配置” > “站点” 。In the Configuration Manager console, navigate to Administration > Overview > Site Configuration > Sites.

  2. 选择 Configuration Manager 层次结构顶部的站点。Select the site at the top of your Configuration Manager hierarchy.

  3. 单击“设置” 组中的 “配置站点组件”,然后单击“软件更新点” 以打开软件更新点组件属性。Click Configure Site Components in the Settings group, and then click Software Update Point to open Software Update Point Component Properties.

  4. 评审“取代行为” 。Review the Supersedence behavior. 如果需要,修改行为。Modify the behavior if needed.

    取代行为屏幕截图

  5. 单击“取代规则”选项卡,选择“运行 WSUS 清理向导” 。Click the Supersedence Rules tab, select Run WSUS cleanup wizard. 在版本 1806 中,该选项重命名为“同步后运行 WSUS 清理” 。In version 1806, the option is renamed to Run WSUS cleanup after synchronization.

  6. 单击“确定”(如果运行版本 1806,请单击“关闭”) 。Click OK (Click Close if you're running version 1806).

版本 1802 及更早版本中的 WSUS 清理行为WSUS cleanup behavior in version 1802 and earlier

在 Configuration Manager 版本 1806 之前,WSUS 清理选项运行以下项:Before Configuration Manager version 1806, the WSUS cleanup option runs the following item:

  • 仅限顶层站点的 WSUS 服务器上的 WSUS 清理向导中的“过期更新”选项 。The Expired updates option from the WSUS cleanup wizard on the top-level site's WSUS server only.

    WSUS 已过期更新清理屏幕截图

  • Configuration Manager 数据库中的软件更新配置项每七天进行一次清理,并从控制台中删除不需要的更新。A cleanup for software update configuration items in the Configuration Manager database occurs every seven days and removes unneeded updates from the console.

    • 如果当前已部署,则此清理不会从 Configuration Manager 控制台中删除过期的更新。This cleanup won't remove expired updates from the Configuration Manager console if they're currently deployed.

顶层 WSUS 数据库和环境中的所有其他 WSUS 数据库仍需其他维护。Additional maintenance is still needed on the top-level WSUS database and all other WSUS databases in the environment. 有关详细信息和说明,请参阅 Microsoft WSUS 和 Configuration Manager SUP 维护博客文章的完整指南。For more information and instructions, see The complete guide to Microsoft WSUS and Configuration Manager SUP maintenance blog post.

从版本 1806 开始的 WSUS 清理行为WSUS cleanup behavior starting in version 1806

自版本 1806 起,WSUS 清理选项在每次同步后出现,并执行以下清理项:Starting version 1806, the WSUS cleanup option occurs after every sync and does the following cleanup items:

  • CAS 和主站点上的 WSUS 服务器的“已过期更新”选项 。The Expired updates option for WSUS servers on CAS and primary sites.
    • 用于辅助站点的 WSUS 服务器不会针对过期更新运行 WSUS 清理。WSUS servers for secondary sites don't run the WSUS cleanup for expired updates.
  • Configuration Manager 从其数据库构建已取代的更新列表。Configuration Manager builds a list of superseded updates from its database. 该列表基于“软件更新点”组件属性中的取代行为。The list is based on the supersedence behavior in the Software Update Point component properties.
    • 符合取代行为标准的更新配置项在 Configuration Manager 控制台中已过期。The update configuration items meeting the supersedence behavior criteria are expired in the Configuration Manager console.
    • 在 WSUS 中,对于 CAS 和主站点拒绝更新,但对于辅助站点不拒绝更新。The updates are declined in WSUS for CAS and primary sites but not for secondary sites.
  • Configuration Manager 数据库中的软件更新配置项每七天进行一次清理,并从控制台中删除不需要的更新。A cleanup for software update configuration items in the Configuration Manager database occurs every seven days and removes unneeded updates from the console.
    • 如果当前已部署,则此清理不会从 Configuration Manager 控制台中删除过期的更新。This cleanup won't remove expired updates from the Configuration Manager console if they're currently deployed.

备注

“取代更新过期前需等待的月数”基于取代更新的创建日期。The "Months to wait before a superseded update is expired" is based on the creation date of the superseding update. 例如,如果将此设置设为 2 个月,则在 WSUS 中已被取代的更新将被拒绝,而在 Configuration Manager 中,如果取代更新存在 2 个月,更新将过期。For example, if you use 2 months for this setting, then updates that have been superseded will be declined in WSUS and expired in Configuration Manager when the superceding update is 2 months old.

需要在辅助站点 WSUS 数据库上手动运行所有 WSUS 维护。All WSUS maintenance needs to be run manually on secondary site WSUS databases. CAS 和主站点上未运行以下“WSUS 服务器清理向导”选项 :The following WSUS Server Cleanup Wizard options aren't run on the CAS and primary sites:

从版本 1810 开始的 WSUS 清理行为WSUS cleanup behavior starting in version 1810

从版本 1810 开始,可以在软件更新点组件属性中指定独立于非功能更新的功能更新的取代规则。Starting version 1810, you can specify supersedence rules for feature updates separately from non-feature updates in the Software Update Point component properties. WSUS 清理选项在每次同步后出现,并执行以下清理项:The WSUS cleanup option occurs after every sync and does the following cleanup items:

  • CAS、主站点和辅助站点上 WSUS 服务器的“已过期更新”选项 。The Expired updates option for WSUS servers on CAS, primary, and secondary sites.
  • Configuration Manager 从其数据库构建已取代的更新列表。Configuration Manager builds a list of superseded updates from its database. 该列表基于“软件更新点”组件属性中的取代行为。The list is based on the supersedence behavior in the Software Update Point component properties.
    • 符合取代行为标准的更新配置项在 Configuration Manager 控制台中已过期。The update configuration items meeting the supersedence behavior criteria are expired in the Configuration Manager console.
    • 在 WSUS 中拒绝为 CAS、主站点和辅助站点更新。The updates are declined in WSUS for CAS, primary, and secondary sites.
  • Configuration Manager 数据库中的软件更新配置项每七天进行一次清理,并从控制台中删除不需要的更新。A cleanup for software update configuration items in the Configuration Manager database occurs every seven days and removes unneeded updates from the console.
    • 如果当前已部署,则此清理不会从 Configuration Manager 控制台中删除过期的更新。This cleanup won't remove expired updates from the Configuration Manager console if they're currently deployed.

备注

“取代更新过期前需等待的月数”基于取代更新的创建日期。The "Months to wait before a superseded update is expired" is based on the creation date of the superseding update. 例如,如果将此设置设为 2 个月,则在 WSUS 中已被取代的更新将被拒绝,而在 Configuration Manager 中,如果取代更新存在 2 个月,更新将过期。For example, if you use 2 months for this setting, then updates that have been superseded will be declined in WSUS and expired in Configuration Manager when the superceding update is 2 months old.

CAS、主站点和辅助站点上不运行以下“WSUS 服务器清理向导”选项 :The following WSUS Server Cleanup Wizard options aren't run on the CAS, primary, and secondary sites:

从版本 1906 开始的 WSUS 清理WSUS cleanup starting in version 1906

你具有 Configuration Manager 为维护软件更新点正常运行而执行的其他 WSUS 维护任务。You have additional WSUS maintenance tasks that Configuration Manager can run to maintain healthy software update points. 除了可以拒绝 WSUS 中的已到期更新,Configuration Manager 还能向 WSUS 数据库添加非聚集索引,以及从 WSUS 数据库中删除过时的更新。In addition to declining expired updates in WSUS, Configuration Manager can add non-clustered indexes to the WSUS databases and remove obsolete updates from the WSUS databases. 每次同步后都会进行 WSUS 维护。The WSUS maintenance occurs after every synchronization.

根据取代规则在 WSUS 中拒绝过期的更新Decline expired updates in WSUS according to supersedence rules

在 WSUS 中拒绝更新可以从发送到客户端的目录中删除这些更新,从而提升性能。Declining updates in WSUS improves performance by removing those updates from the catalogs sent to clients. 拒绝配置管理器标记为“已取代”的更新可进一步最小化目录并提升性能。Declining updates that Configuration Manager marks as superseded further minimizes the catalogs and improves performance.

  1. 在 Configuration Manager 控制台中,导航到“管理” > “概述” > “站点配置” > “站点” 。In the Configuration Manager console, navigate to Administration > Overview > Site Configuration > Sites.
  2. 选择 Configuration Manager 层次结构顶部的站点。Select the site at the top of your Configuration Manager hierarchy.
  3. 单击“设置”组中的“配置站点组件” ,再单击“软件更新点” ,以打开“软件更新点组件属性”。Click Configure Site Components in the Settings group, and then click Software Update Point to open Software Update Point Component Properties.
  4. 在“WSUS 维护” 选项卡中,选中“根据取代规则在 WSUS 中拒绝过期的更新” 。In the WSUS Maintenance tab, select Decline expired updates in WSUS according to supersedence rules.

将非聚集索引添加到 WSUS 数据库以提高 WSUS 清理性能Add non-clustered indexes to the WSUS database to improve WSUS cleanup performance

添加非聚集索引可提升 Configuration Manager 启动的 WSUS 清理性能。The addition of non-clustered indexes improves the WSUS cleanup performance that Configuration Manager does.

  1. 在 Configuration Manager 控制台中,导航到“管理” > “概述” > “站点配置” > “站点” 。In the Configuration Manager console, navigate to Administration > Overview > Site Configuration > Sites.
  2. 选择 Configuration Manager 层次结构顶部的站点。Select the site at the top of your Configuration Manager hierarchy.
  3. 单击“设置”组中的“配置站点组件” ,再单击“软件更新点” ,以打开“软件更新点组件属性”。Click Configure Site Components in the Settings group, and then click Software Update Point to open Software Update Point Component Properties.
  4. 在“WSUS 维护” 选项卡中,选择“向 WSUS 数据库添加非聚集索引” 。In the WSUS Maintenance tab, select Add non-clustered indexes to the WSUS database.
  5. 在 Configuration Manager 使用的各个 SUSDB 上,它向下面的表添加索引:On each SUSDB used by Configuration Manager, indexes are added to the following tables:
    • tbLocalizedPropertyForRevisiontbLocalizedPropertyForRevision
    • tbRevisionSupersedesUpdatetbRevisionSupersedesUpdate

用于创建索引的 SQL Server 权限SQL Server permissions for creating indexes

如果 WSUS 数据库位于远程 SQL Server 中,则可能需要在 SQL Server 中添加用于创建索引的权限。When the WSUS database is on a remote SQL Server, you might need to add permissions in SQL Server to create indexes. 用于连接到 WSUS 数据库和创建索引的帐户可能会有所不同。The account used to connect to the WSUS database and create the indexes can vary. 如果指定软件更新点属性中的 WSUS 服务器连接帐户,请确保该连接帐户具有 SQL Server 权限。If you specify a WSUS Server Connection Account in the software update point properties, then ensure the connection account has the SQL Server permissions. 如果未指定 WSUS 服务器连接帐户,则站点服务器的计算机帐户需要 SQL Server 权限。If you don't specify a WSUS Server Connection Account, then the site server's computer account needs the SQL Server permissions.

  • 必须对表或视图拥有 ALTER 权限,才能创建索引。Creating an index requires ALTER permission on the table or view. 帐户必须是 sysadmin 固定服务器角色的成员,或是 db_ddladmindb_owner 固定数据库角色的成员。The account must be a member of the sysadmin fixed server role or the db_ddladmin and db_owner fixed database roles. 若要详细了解如何创建索引和权限,请参阅 CREATE INDEX (Transact-SQL)For more information about creating and index and permissions, see CREATE INDEX (Transact-SQL).
  • 必须向帐户授予 CONNECT SQL 服务器权限。The CONNECT SQL server permission must be granted to the account. 有关详细信息,请参阅 GRANT 服务器权限 (Transact-SQL)For more information, see GRANT Server Permissions (Transact-SQL).

备注

如果 WSUS 数据库位于使用非默认端口的远程 SQL Server 上,可能无法添加索引。If the WSUS database is on a remote SQL Server using a non-default port, then indexes might not be added. 在这种情况下,可以使用 SQL Server Configuration Manager 创建服务器别名You can create a server alias using SQL Server Configuration Manager for this scenario. 在别名已添加且 Configuration Manager 可以连接到 WSUS 数据库后,索引便会添加。Once the alias is added and Configuration Manager can make a connection to the WSUS database, indexes will be added.

从 WSUS 数据库中删除过时的更新Remove obsolete updates from the WSUS database

过时更新是 WSUS 数据库中未使用的更新和更新修订。Obsolete updates are unused updates and update revisions in the WSUS database. 一般而言,如果更新不再存在于 Microsoft 更新目录中,则该更新将视为已过时,其他更新就不再需要将其作为先决条件或依赖项。Generally speaking, an update is considered obsolete once it's no longer in the Microsoft Update Catalog and it isn't needed by other updates as a prerequisite or dependency.

  1. 在 Configuration Manager 控制台中,导航到“管理” > “概述” > “站点配置” > “站点” 。In the Configuration Manager console, navigate to Administration > Overview > Site Configuration > Sites.
  2. 选择 Configuration Manager 层次结构顶部的站点。Select the site at the top of your Configuration Manager hierarchy.
  3. 单击“设置”组中的“配置站点组件” ,再单击“软件更新点” ,以打开“软件更新点组件属性”。Click Configure Site Components in the Settings group, and then click Software Update Point to open Software Update Point Component Properties.
  4. 在“WSUS 维护”选项卡上,选择“从 WSUS 数据库中删除过时更新” 。In the WSUS Maintenance tab, select Remove obsolete updates from the WSUS database.
    • 允许在停止前,运行过时更新删除最长 30 分钟。The obsolete update removal will be allowed to run for a maximum of 30 minutes before being stopped. 它将在下一次同步发生后再次启动。It will start up again after the next synchronization occurs.

用于删除过时更新的 SQL Server 权限SQL Server permissions for removing obsolete updates

当 WSUS 数据库位于远程 SQL Server 上时,站点服务器的计算机帐户需要拥有以下 SQL Server 权限:When the WSUS database is on a remote SQL Server, the site server's computer account needs the following SQL Server permissions:

WSUS 清理向导WSUS cleanup wizard

从版本 1906 起,CAS、主站点和辅助站点上不运行以下“WSUS 服务器清理向导”选项 :Starting in version 1906, the following WSUS Server Cleanup Wizard options aren't run on the CAS, primary, and secondary sites:

版本 1906 的已知问题Known issues for version 1906

请考虑以下情形:Consider the following scenario:

  • 你使用的是 Configuration Manager 版本 1906You are using Configuration Manager version 1906
  • 因此具有使用 Windows 内部数据库的远程软件更新点You have remote software update points using a Windows Internal Database
  • 在“软件更新点组件属性”的“WSUS 维护”选项卡下,可以选择以下任一项 :In the Software Update Point Component Properties, you have any of the following selected options under the WSUS Maintenance tab:
    • 将非聚集索引添加到 WSUS 数据库Add non-clustered indexes to the WSUS database
    • 从 WSUS 数据库中删除过时的更新Remove obsolete updates from the WSUS database

在这种情况下,Configuration Manager 无法使用 Windows 内部数据库对远程软件更新点执行上述 WSUS 维护任务。In this scenario, Configuration Manager is unable to perform the above WSUS Maintenance tasks for the remote Software Updates Points using a Windows Internal Database. 导致此问题是因为 Windows 内部数据库不允许远程连接。This issue occurs because Windows Internal Database doesn't allow remote connections. 站点服务器上的 WSyncMgr.log 中将显示以下错误:You'll see the following errors in the WSyncMgr.log on the site server:

Indexing Failed. Could not connect to SUSDB.
SqlException thrown while connect to SUSDB in Server: <SUP.CONTOSO.COM>. Error Message: A network-related or instance-specific error occurred while establishing a connection to SQL Server. The server was not found or was not accessible. Verify that the instance name is correct and that SQL Server is configured to allow remote connections. (provider: Named Pipes Provider, error: 40 - Could not open a connection to SQL Server)
...
Could not Delete Obselete Updates because ConfigManager could not connect to SUSDB: A network-related or instance-specific error occurred while establishing a connection to SQL Server. The server was not found or was not accessible. Verify that the instance name is correct and that SQL Server is configured to allow remote connections. (provider: Named Pipes Provider, error: 40 - Could not open a connection to SQL Server) UpdateServer: <SUP.CONTOSO.COM>

若要解决此问题,可以使用 Windows 内部数据库为远程软件更新点自动执行 WSUS 维护。To work around the issue, you can automate the WSUS maintenance for the remote software update points using a Windows Internal Database. 有关详细信息和详细步骤,请参阅 Microsoft WSUS 和 Configuration Manager SUP 维护的完整指南For more information and detailed steps, see The complete guide to Microsoft WSUS and Configuration Manager SUP maintenance.

更新清理日志条目Updates cleanup log entries

可通过查看以下条目的 wsyncmgr.log 来验证此清理:You can verify this cleanup by reviewing the wsyncmgr.log for the following entries:

  • 看到此日志项目时,WSUS 中已取代更新的拒绝已完成:Cleanup processed <number> total updates and declined <number>The decline of superseded updates in WSUS is complete when you see this log entry: Cleanup processed <number> total updates and declined <number>
  • 看到此项目时,WSUS 清理开始:Calling WSUS Cleanup.The WSUS cleanup is starting when you see this entry: Calling WSUS Cleanup.
  • 看到此项目时,已完成对已过期更新的 WSUS 清理:Successfully completed WSUS Cleanup.The WSUS cleanup for expired updates is complete when you see this entry: Successfully completed WSUS Cleanup.
  • 看到此项目时,Configuration Manager 过期更新配置项清理开始:Deleting old expired updates...The Configuration Manager expired updates configuration items cleanup is starting when you see this entry: Deleting old expired updates...
  • 看到此项目时,Configuration Manager 过期更新配置项清理已完成:Deleted <number> expired updates totalThe Configuration Manager expired updates configuration items cleanup is complete when you see this entry: Deleted <number> expired updates total