Deep Dive: Maintaining the WSUS Catalog by Declining Updates for Better Update Scanning

Captions
Hi, my name is Justin Chaffin. I'm the engineering lead at Patch My PC; we develop a third-party patch management solution for Microsoft SCCM. Prior to my current role I was also a Premier Field Engineer for Microsoft supporting SCCM. In this video we're going to do a couple of different things. The first thing, which is kind of interesting, is we're going to go through an environment that has a WSUS catalog that has not been properly maintained, meaning we haven't done any maintenance around declining superseded updates, so we're going to have quite a large WSUS catalog, and we're going to go over to a client and compare the scan time and the catalog download time. We're then going to compare that to our WSUS environment after we put in a maintenance plan for declining updates, configuring our IIS settings for memory and CPU limits, and doing some indexing.

So, a little background on this issue. This initially started happening and being known to the community about two and a half years ago: as the catalog started growing, it hit a point where it was so large that on Windows 7 clients that were on the base level of Windows 7 Service Pack 1, the Windows Update agent started having some memory issues around scanning the catalog. Because the catalog was just growing and getting so big, it was having timeouts and CPU performance issues. That caused a lot of problems during build-and-captures, where you wouldn't have a recent version of the update agent and it would just basically fail to scan and not send results back to your site. So there's a blog post that went out; I'm going to reference it within the video and throughout the video, as well as include a link within the description, but basically it's a guy that kind of goes over WSUS maintenance and how we can go in and index the database and do things such as declining updates and having that all set. We'll come back to that.

But what I've got in my environment: I've got a software update point that has been configured and I've got a few different products in here. It's certainly nothing out of the ordinary; if anything, I would say I probably have fewer products selected than many production environments would. So just quickly scrolling through this, we've got Office 2010, 2013, 2016 and 365; we've got Windows 10, Windows 7 and Windows 8.1, as well as Windows Server 2008, 2008 R2, 2012, 2012 R2 and 2016. So there's not really all that much selected.

But what we're going to do is go and look over at our WSUS catalog. Within WSUS we can basically come into the All Updates view within that node, and what I'm viewing is "any except declined" with a status of "any". If we actually look in here, we can see that we have about 12,000 updates that are currently not declined. What that means is, on the client, if an update isn't declined, it's going to scan against it, so we're going to download the metadata and then see whether it's applicable to us. But what we can do, if we just kind of browse out and click on a column, is add the Supersedence field and sort by that. Let me just go up here and sort the other way. What we can see is, if the update doesn't have anything in here, that means it's not superseded. So as we start scrolling down... just keep going down here... once we get to the superseded updates, you can tell that by the icon: if the icon has the computer down in the bottom right, that means it's superseded. So we can look at the scroll bar over here, go down and see what we've got going on. If the icon is in the middle, that means it's also superseded by a newer update. We'll keep going down, and now we've got the active updates showing here that have superseded other updates. So if we kind of go through and select this, look at that scroll bar: if we go up here we can see that probably about 2/3 of the updates within this catalog are actually superseded. What that means is a newer update has replaced it, and generally speaking there's not going to be any reason why you would ever want to scan or deploy these updates, as long as you have that newer one being deployed within your environment.

Now on the Configuration Manager side, this is a new site and I just synchronized my updates, so within the Configuration Manager console we can actually verify that the number is quite a bit smaller than 12,000; it's right about 4,100. It is going to filter out any superseded updates based on your supersedence settings here. Within your software update point you can configure whether you want to immediately expire superseded updates, and then they get purged out of your console within a week, but since this was a clean environment they just did not show up during that initial sync.

OK, I'm just going to go ahead and start the client up. By default it's delayed, so it can take a couple of minutes or so, and then we're just going to review the log file; I did clear the logs while we restarted so we could start fresh when we're viewing these. But what I'm going to do is start a network capture. I'm just using a free trial of this application that I found to be pretty helpful, so we'll get that started in the background here, and then we'll go look at the ScanAgent.log and initiate a scan on our client. Now this is a client that registered not long ago, and it hasn't performed any type of software update scan within our environment. So we'll open up that log, we'll also kind of browse over to the Windows Update log, and we'll let that run and do a few things while we're waiting for that to finish.

The first thing I'm going to do is stop the component for the state manager. This component is what processes updates into the database for compliance that gets sent back from our machines. So I'll open up my Configuration Manager Service Manager, where we can stop different components; we're going to browse down to the components and look at SMS_STATE_SYSTEM. This is going to be the component, and I don't want to go too deep into what we're doing here, but what we're going to do is look at the file that gets sent up. In the next video we're basically going to cover the software update flow all the way from the client components up to the server components. The reason I wanted to do this is to show you the size difference between a state message that gets sent up for your update compliance for an environment that isn't declining updates versus one that is.

We can also verify in the IIS logs for WSUS that our client is hitting the server, and we can kind of look at what's going on on the back end. So this .190 or .200 here, this is our client; we can see that it is doing the scan in the background, it's hitting IIS and doing a few different things here. Now it's OK to see some red. What I did on this Windows 7 machine is update the Windows Update agent to the latest one that was publicly available for download. Other than that it's not fully patched at all; it's just the base-level Service Pack 1 machine with that latest Windows Update agent. So what you will notice is we will get a couple of scan retries during the initial scan, and that's OK. We can just kind of monitor this, but I'll go ahead and pause while we wait for the scan to complete.

All right, so that scan just completed. It looks like it took a little bit over four to five minutes for the scan. Now if we come and look at our network trace, what we're going to look at is the Ethernet, the IPv4, the TCP filter, and then we're going to look at the port. What we can verify here is we can look for port 8531; that's what my WSUS server is running on, and there'd be nothing else communicating on that port except the WSUS scanning. So what we can look at is our download and upload size, and if we look over at the download, we can see that the total data for our catalog that was downloaded from WSUS was about 13 and a half megabytes.

OK, so jumping back over to our client, we can look at the StateMessage.log. This is where any type of compliance changes are going to be stored for update compliance when we send to our management point for processing into our database. Let me just look at the appended one, and we can see that it was sent up to the management point. What we did on that management point when we stopped that component is we basically stopped the component that actually processes the software update compliance sent up from our clients into our database, so that's going to live in our inboxes. This can be another reason why software updates can have a big impact if you're not maintaining them, because you have all your clients sending their states, so if that catalog's huge it's going to be much more data coming into your environment. So within auth\statesys.box we're going to have an incoming folder, but it looks like there's nothing there, so it must have got processed. Let me go and look over here; it looks like that component might have restarted itself, but luckily I do have a previous one that was stored. This file was about 270 KB, and what this contains is all the software update states that have been changed. So for example, these IDs actually translate into a software update ID; if we go and run a search within All Software Updates based on this ID, it's actually going to return an update, and we can see it does look like the compliance did change, so that file definitely did get processed. But the main thing I wanted to note is that file size: it was about 270 KB when the catalog was full-sized. That's going to be the catalog scan that gets sent up to Configuration Manager to process into the database.

So now what we're going to do is go ahead and implement a maintenance plan for how we're going to decline these updates. There are a few things I want to start off with. If you haven't already changed your WSUS IIS application pool settings, this would be a good time to do that. We did cover this during our initial video, but what we're going to do here is go into IIS, go into our application pools, and then for your WSUS website look at the WsusPool and its Advanced Settings. The default value here is going to be 1000 for the queue length; you would want to set that to 2000. I've already done that. The next setting is the memory, which we would want to change to 4 times the default; I've already done that as well, but if you're using a default environment, if it wasn't a multiple of 4, you've probably seen something here like 1843200. So you'd want to make sure you change that and then recycle the IIS service.

The next thing I'm going to do is index my database for WSUS. Now the blog post does mention you could run the WSUS cleanup before doing the indexing if you wanted to, but in my case I'm going to index and then set up my maintenance script that does all the cleanups; it has the WSUS cleanup built into the declining of updates within that script. So within the post, and I'll link out there, there is a script that we can use for maintaining WSUS with regards to the re-indexing of the database, just to make sure that we have good performance as that database becomes fragmented. So within SCCM I'm going to open up my SQL Management Studio on that server that's running WSUS, and then I'm going to run a new query, paste in that command for indexing and execute it. Now we could either run this on a schedule through SQL Management Studio, or we could create a new maintenance plan and have it run that script automatically for us. It looks like it's done, so that did the indexing for me. Now if you're using a WID database (hopefully you're not, but maybe if you have child SUPs you are), within the guide it does go through the process of how you could use sqlcmd to run the maintenance command for indexing on a WID environment.

And while we're in SQL on our WSUS environment, there is a maintenance script that we can run that creates two different indexes that help the process of declining updates go much quicker. There are a few blog posts that I'll link out to that kind of cover what we're actually doing here; this will be one of them, but just note this will make the process of declining updates about 30 times faster if you go ahead and make these indexes. So what we're going to do is make sure we have SUSDB selected; it looks like it does actually call that within the script, I believe, so you could even run this on wherever you're currently at in SQL. I'm going to execute that... looks like I had that highlighted, let me just execute it all again... and we can just verify that it made those two indexes that make the cleanup process much faster.

Now we're at a point where we can go ahead and start putting in our maintenance script for declining updates. There are a few out there. Within the blog post there's a PowerShell script, within the main blog that talks about this when it was initially causing problems with scanning, where you can download a PowerShell script that runs here. But actually the script that I'm going to be using is one from Bryan Dam, so I'll link out to his blog post. This is the best one that I know of. I've implemented multiple ones back when I was a PFE, including the one from the blog post as well as some other ones, but this one I was super impressed with; it gives a lot of custom options for doing things like running the WSUS maintenance tasks after the script declines, and removing expired updates from your software update groups in SCCM. So there are a lot of nice things that we can configure within here that would not be available in some of the other scripts. We'll just note that we have about 12,000 updates currently that are active and not declined.

So what I'm going to do is go ahead and look at my script; I've pre-downloaded it and I'll include a link out to his post. What you're going to get when you extract it is a PowerShell script and then a plugins folder. Within the plugins folder there are actually some pretty cool options here. What I'm going to do is go over to the Windows 10 versions. Within here we're going to see a bunch of different versions that we can call out as unsupported, and what that will do is decline any of those versions of Windows 10, any of the updates matching that. So for example, if I come over here and create a new update view and look at the Upgrades classification, we're going to see a bunch of different updates that will go through and upgrade our machines to different versions of Windows. We can see all these versions: 1511, which isn't supported anymore, 1607, 1703, 1709, and we're also going to have within our updates a bunch of different cumulative updates for all these versions. So if we search for 1607, for example, we're going to have all these different updates for those versions of Windows 10. Now let's say that you've moved on and you're at the latest version of 1803 and you have like five versions before that that you don't really care about; these are also going to come into our catalog and take up a lot of space and scan data on our clients. So within the script we can do some customization and tell it whether we want to decline unsupported versions. In my lab I'm just going to decline everything except the current version of 1803, because that's what I'm running on all my clients. Now obviously in production you might be running 1709 and even 1703, so you wouldn't want to decline updates that you currently have out there for the different builds of Windows 10. So I'll go ahead and save that, and in order for this to be active, we're just going to cut it and move it from the disabled folder into the root of the plugins folder. There are some other things you can do here, like declining the previous versions for Office 365 so you always get the latest version and you don't scan against the older ones. You can also decline different editions of Windows 10, so if you only support Windows 10 Enterprise, for example, you can go and decline the others. Same thing with languages: we can decline different languages within here. But I think this looks good for what I'm going to use initially.

So what I'm going to do is go ahead and come to my Task Scheduler. I'm going to create a maintenance task that's going to run this PowerShell script. I'll create a new basic task, call it WSUS maintenance, and we're going to run it daily. Now in most environments you could probably do this weekly or even monthly, but within our labs we've actually got third-party updates publishing out, and we generally do three to four catalog releases per patch cycle at Patch My PC, and we would expire the previous version, so I'm just going to keep this daily within my environment. But this could certainly be weekly or probably even monthly if you were only doing Microsoft updates. Run it at 3 a.m.; you would probably want to avoid running it at the same time that your software update point is set to synchronize. For the script we're going to run PowerShell.exe, and then within the PowerShell script there's a variety of different options that we can use here... that's not what I want, we want to go back to the root and then the Invoke... so he goes over a lot of the different examples of options we can add, but for this example let me just bring onto the screen what I'm doing. So I'm running the script, I'm declining superseded updates, I'm also declining by title, so I'm declining Itanium, IA-64 and Beta; any update title that contains these will also be declined. We're declining by plugins, so that's going to run the option I set up to decline the previous builds. We're going to clean our software update groups, so any update groups that have expired updates, those will get removed out, and if any update groups are left empty it will go ahead and clean and remove those. We're going to run the WSUS cleanup wizard, we're going to resync our SUP, and we're going to reset the max run time for our cumulative updates within Windows, just so it has longer than the default of 10 minutes so it doesn't fail. I think this has been increased in the latest Configuration Manager build, where it does run longer than 10 minutes, so that should be less of an issue, but I'm going to go ahead and increase that to 60 minutes for the timeout.

So I'm going to copy that argument and paste it into the task, and then do Next. We're going to open the properties, and what we're going to do is change it so that it runs under the SYSTEM context, so it will run whether or not a user is logged in, and that ensures we have full access to WSUS on this machine. I'll go ahead and choose "Run with highest privileges", click OK, and we'll go ahead and start running. If we come back to that script's folder, there's going to be a maintenance log that will show up. The first thing it's going to do is go out and search for all the updates, and then it's going to go through and decline anything based on the options that we enabled. So I'll go ahead and pause here and then we'll come back to this.

All right, so this script has been going about ten or fifteen minutes now. One thing I do want to look at is that this is also going to help us clean up the Windows 10 updates for servicing. If we take a look at how many updates we have currently, it's right about 980 updates; we can see all these different editions and all these different versions for the feature upgrades. So we'll just take a note of that, and we'll come back in once we get everything optimized and see how much that drops from 980.

All right, so the core part of the script is now done. You can see that we had a total of about 12,101 updates; we had 6,293 that were superseded, and then we had some additional ones that we declined based on titles, and the total number of declined updates for this run was 7,805. So that was almost double of what we had total that we declined. We do have a few additional things going on here: since I had the option to enable the software update point sync enabled, we can see that it did initiate a software update point sync. If we come over to our logs in SCCM we can verify that WSyncMgr is now performing a software update point sync, so we'll pause and wait for that to complete.

All right, so the first run is done. Now I did miss a few things that I'm going to come back and configure. If we come and look in WSUS, we can see that we still have the additional languages for the feature updates. So what I'm going to do is come back over, go to my script, and then the plugins disabled folder, and I'm going to copy the languages plugin, paste that over and edit it. What I'm going to do is disable all languages from here and only have English. Close that, and then we're going to come and run this again and see if we get those additional languages completed. It looks like it's still monitoring the update sync though, so we'll just give that a few minutes and then come back in.

All right, so the script is now complete. If we come back in here, we'll go ahead and run it one more time and see if it declines the languages that we had. We can see it's running, and we can see that it's declining all those languages for the feature upgrades that we didn't have enabled; since we only had "en" for English enabled, it's going ahead and removing all of those. OK, so we can see that took an additional 73 updates out. If we come back into WSUS and refresh, we can see for the feature upgrades we've only got four enabled; that's going to be the 1803 that we have supported, and all the previous ones were declined. In my case I'm going to go ahead and decline the en-GB version, since I don't need that within our lab.

Now one thing I did notice with the script is it doesn't decline the Windows 7 and Windows 8 upgrades, since SCCM actually blocks these. For example, if we come and look at the feature upgrades, we can see that we've got all these showing expired now, but we don't have any of those Windows 7 or Windows 8 feature upgrades to Windows 10, because SCCM doesn't support that; that's a standalone WSUS feature. So what I'm going to do here, just to account for these... now this is something Bryan said he is going to update the script to support, declining the Win7 and Win8 feature upgrades through WSUS within the script... so I'm going to go ahead and get those declined. In SCCM, the Win7 or Win8 feature updates would only be available through a task sequence. All right, so I went ahead and declined those additional updates, and if I click refresh, now we've only got two feature upgrades currently showing up. This looks really good.

So going back, we can go to All Updates and do a refresh here, and we can see after the maintenance that we did we're down from about 12,100 updates to 3,583. So that's quite a bit of the catalog that should be minimized when our clients are doing their scan. Let me just check our WSyncMgr log; it looks like the sync was successful here. Now I do have a child software update point that's not online, that's why it's failing to connect there, but I'm not too worried about that. For the feature upgrades, the script automatically ran the sync after we did these languages, but I don't think it ran after we did our feature updates... let's see, Expired equals No... so it actually looks like we're good; I must have declined all those updates before the sync was completely done. So now we only have those two feature updates showing; all the other ones are expired. Same thing with All Software Updates: we are going to have quite a few updates now that will be showing expired that were declined.

By default, SCCM will remove any updates that are expired, if they aren't being deployed in a software update group, within seven days from the expiration date. But what we can do here is I've got a script that we can run that will configure the WSyncMgr component to delete those more frequently than that seven days, so we can get all these things to delete immediately. I'll include this in the video, but basically what we're doing is pointing at the server that's running the software update point; we're going to give it a site code, and we're going to give it the value. The default value is every seven days: if an update's been expired for seven days and it's not being deployed, it's going to purge it from the SCCM site. So I'm going to change that to zero so it's going to purge it right away. Then what I'll do is come over here to the Downloads folder and run the adjust script, and we're going to give it the server name and the site code. We can see that we changed that age from seven to zero, and then if we come back and look at the WSyncMgr log, we'll give that a moment to kick in, but I believe... there we go, "deleting old updates"; changing that component should automatically trigger this. And there we go, we deleted 1,680 updates from the console. So if we do a little refresh here, there really shouldn't be anything expired showing; that looks pretty clean. And for the feature updates it's also going to remove them from there, so there should be only the two updates. This looks really good.

So now what we'll do is go back to our Windows 7 client. I'm going to revert this back to a clean state where it hasn't done any scan yet, so we'll start that guy back up. OK, or reconnect. OK, let's go ahead and get that trace started before our scan starts. Let's see if we can get that component stopped so we can check out the state message that gets sent up; in the components, we're going to stop that state system so that the updates don't get processed. We'll come back to our client and go ahead and get that scan going. It looks like all the components seem to be running now; we'll look at that ScanAgent log and wait for that to complete.

All right, so on the client side we're all done. We can see that we didn't get any of the scan retries with the clean catalog like we did for the other one, so that looked really good. The timing was about three minutes. I did get a peek at the state message file, but it looks like the component did start back up automatically; it was about 250 KB, so it was a bit smaller, but the big savings are definitely going to be on the WSUS side, since SCCM can already kind of clear out some of those superseded and expired updates. Looking back at our trace, if we zoom in on our WSUS scan port, we can see that we went from 13 and a half megabytes to a scan downloading a catalog of only 1.87 MB. So quite a large amount of resources that we're going to be saving there, especially on that initial scan. Back on the SCCM side of things, I did notice that it went through some additional deletion of expired updates; it purged out an additional 7,189 updates from the console that were declined within WSUS.

But I think that covers really what I was looking to accomplish in this video with regards to maintaining your WSUS environment. I will note that there are quite a few additional options as far as different community scripts for declining updates. There are also some more configurations that we can do within IIS, and I'll link out to the Deployment Research site for a blog post that covers a few additional items that you can do if you're having issues declining updates with timeouts in IIS, as well as some additional things that we can configure with regards to some other scripts. But I think the core thing here is, if you can get this implemented, even how I did it initially, if you haven't done any type of maintenance, you can see from that catalog size you can get a savings of about 85 to 90 percent of what the client's going to have to download and scan.

So that's all I've got today. I think in the next video we're probably going to be covering software updates: the flow of updates through all the Configuration Manager client components as well as the Windows Update agent, and then on the server side we'll go into how updates get processed into the database and how the views work within your console. After we go through the flow of the updates, we'll probably do something around some ways that we can manage our software update groups and deployments in a following video.
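The following is an added example, not Bryan Dam's script or anything shown in the video. It shows the three server-side pieces the walkthrough performs, declining superseded and Itanium/IA-64/Beta-titled updates, running the WSUS cleanup, and applying the WsusPool queue-length and memory settings, as one PowerShell script against the WSUS administration API. One check the video does not spell out is included: a superseded update is only declined when at least one of the updates that supersede it is itself still not declined, so a client can never lose the last available fix for a given issue. Assumptions: it runs elevated on the WSUS server itself, WSUS answers on HTTP port 8530 (the video's server uses 8531 over SSL; change `$Port` and `-UseSsl`), the `Microsoft.UpdateServices.Administration` assembly is present (it is on any WSUS server), and the IIS `WebAdministration` module is installed. In a Configuration Manager hierarchy run it against the WSUS behind the top-level software update point; replica downstream servers pick up the declines at their next sync.

```powershell
# Added example: WSUS catalog maintenance in the spirit of the video's walkthrough.
# Not the video's script. Run elevated on the WSUS server. Supports -WhatIf.
[CmdletBinding(SupportsShouldProcess)]
param(
    [string]$Server = 'localhost',          # assumption: WSUS on this box
    [int]$Port = 8530,                      # assumption: HTTP; video's lab used 8531/SSL
    [switch]$UseSsl,
    # Title fragments to decline, as the video does; matched on word boundaries so
    # 'Beta' does not hit e.g. 'alphabetical'.
    [string[]]$TitlePatterns = @('Itanium', 'ia64', 'IA-64', 'Beta')
)

function Get-WsusConnection {
    [void][Reflection.Assembly]::LoadWithPartialName('Microsoft.UpdateServices.Administration')
    [Microsoft.UpdateServices.Administration.AdminProxy]::GetUpdateServer($Server, $UseSsl.IsPresent, $Port)
}

# Decline superseded updates and title matches. A superseded update is declined only
# if some update that supersedes it is still live, so every fix keeps one active head.
function Invoke-WsusDecline {
    [CmdletBinding(SupportsShouldProcess)]
    param($Wsus)
    $titleRegex = '\b(' + (($TitlePatterns | ForEach-Object { [regex]::Escape($_) }) -join '|') + ')\b'
    $rel = [Microsoft.UpdateServices.Administration.UpdateRelationship]::UpdatesThatSupersedeThisUpdate
    $live = @($Wsus.GetUpdates() | Where-Object { -not $_.IsDeclined })

    $toDecline = foreach ($u in $live) {
        if ($u.Title -match $titleRegex) { $u; continue }
        if ($u.IsSuperseded) {
            $heads = $u.GetRelatedUpdates($rel) | Where-Object { -not $_.IsDeclined }
            if ($heads) { $u }      # skip if every superseding update is already declined
        }
    }

    $count = 0
    foreach ($u in $toDecline) {
        if ($PSCmdlet.ShouldProcess($u.Title, 'Decline')) { $u.Decline(); $count++ }
    }
    [pscustomobject]@{ NotDeclinedBefore = $live.Count; Declined = $count }
}

# Equivalent of the WSUS Server Cleanup Wizard. Superseded declines are left off here
# because the function above already did them with the liveness check.
function Invoke-WsusCleanup {
    param($Wsus)
    $scope = New-Object Microsoft.UpdateServices.Administration.CleanupScope
    $scope.DeclineSupersededUpdates    = $false
    $scope.DeclineExpiredUpdates       = $true
    $scope.CleanupObsoleteUpdates      = $true
    $scope.CompressUpdates             = $true
    $scope.CleanupUnneededContentFiles = $true
    $scope.CleanupObsoleteComputers    = $false   # leave computer records alone
    $Wsus.GetCleanupManager().PerformCleanup($scope)
}

# IIS WsusPool limits from the video: queue length 1000 -> 2000, private memory limit
# 4x the WSUS default of 1843200 KB. Done last because recycling the pool briefly
# interrupts the API web service the functions above talk to.
function Set-WsusPoolLimits {
    Import-Module WebAdministration
    $pool = 'IIS:\AppPools\WsusPool'
    Set-ItemProperty $pool -Name queueLength -Value 2000
    Set-ItemProperty $pool -Name recycling.periodicRestart.privateMemory -Value (1843200 * 4)
    Restart-WebAppPool -Name WsusPool
}

$wsus = Get-WsusConnection
Invoke-WsusDecline -Wsus $wsus | Format-List
Invoke-WsusCleanup -Wsus $wsus | Format-List
if ($PSCmdlet.ShouldProcess('WsusPool', 'Set queue length and memory limit')) { Set-WsusPoolLimits }
```

Run it once with `-WhatIf` to see the decline list before committing, and create the two SUSDB indexes the video describes first: the per-update `GetRelatedUpdates` call is the part that benefits from them on a catalog of this size. Title matching is case-insensitive because PowerShell's `-match` is; widen `$TitlePatterns` with care, since anything matching is declined outright regardless of supersedence.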
Info
Channel: Patch My PC
Views: 40,977
Keywords: SCCM SUP, WSUS Cleanup, SCCM SUP Cleanup, WSUS Expired Updates
Id: wqBaTp855sk
Length: 35min 41sec (2141 seconds)
Published: Mon Jun 04 2018