In Part 3 of this series, we’re going to discuss the complications of having too many updates in your WSUS environment, and how they contribute to timeout issues.
There are two situations in which we can find ourselves with too many updates. The first is a planning complication; the second a maintenance complication.
When a WSUS server is in the planning stages, one of the determinations that must be made is proper identification of the Product Categories and the Update Classifications that need to be selected for synchronization. Generally speaking, there are two rules you should follow when making these selections:
Select all Update Classifications except "Drivers"
Do NOT select the "Drivers" classification! (Yes, I repeated myself; it’s that important!) The “Drivers” classification contains over 30,000 device driver update packages, and for most organizations, none of those packages will apply to any installed hardware. If you have a server with the “Drivers” classification selected, you might consider rebuilding that server without it.
Select only the Product Categories for products that you actually have installed and need to deploy updates for
Do not select Product Categories you might have someday; do not select Product Categories that can no longer be patched. To determine if a product can no longer be patched, go to the Microsoft Support Lifecycle page, and look up a product. If the Extended Support date has passed, then there are no new updates for that product. Point the product to Microsoft Update, make sure all of the available patches are installed, and leave the Product Category unselected. You’re done patching that product … forever.
Unselect the Product Categories for products that no longer exist in your organization, or have reached the end of the Extended Support period
Presumably, based on the guidance in the previous article, these updates have already been declined. The second part of that step is to update the synchronization rules. This won’t physically remove the updates from the database, but the change will hide them from the console and, more importantly, from many of the queries that look at all updates, including the declined updates. This will reduce the number of updates that need to be processed by client detections, downstream server synchronizations, and the Server Cleanup Wizard.
Regularly run the Server Cleanup Wizard
The Server Cleanup Wizard provides a number of services that can help reduce the total number of updates in the WSUS collection:
- It deletes old revisions of updates.
- It declines superseded updates that do not have active approvals.
The two most significant factors in the content of the WSUS database that affect performance are the total number of synchronized updates and the number of those updates that have approvals.
How many updates should you have?
It’s difficult to put a specific number on this value, because it depends on the required selections for Product Category, Update Classification, and Update Languages. However, as a comparison point, on my English-only WSUS servers, synchronizing all Windows operating systems, most of the “BackOffice” server applications, two versions of Office, and Definition Updates for Defender and MSE, I have fewer than 6,000 updates on my server today.
How many approved updates should you have?
On any given day over the past several years, I have rarely seen the number of approved updates on any one of my WSUS servers exceed 10% of the total number of updates synchronized. Your mileage may vary, but if it’s more than 15%, you probably want to go back and look at Part 2 again.
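A read-only check of the points above (the "Drivers" classification, the selected Product Categories, and the approved share of updates), as an added example that is not from the original article. It assumes the UpdateServices PowerShell module and is run on the WSUS server itself; the 15% threshold is the one given above.

```powershell
# Added example: read-only WSUS audit, makes no changes to the server.
# Assumption: run locally on the WSUS server with the UpdateServices module.
Import-Module UpdateServices

$wsus         = Get-WsusServer             # connect to the local WSUS server
$subscription = $wsus.GetSubscription()    # synchronization selections
$status       = $wsus.GetStatus()          # update counts reported by the server

# Rule 1: the "Drivers" classification should not be selected for sync.
$classifications = @($subscription.GetUpdateClassifications() |
    ForEach-Object { $_.Title })
$driversSelected = $classifications -contains 'Drivers'

# Rule 2: list the selected Product Categories so each one can be compared
# with what is actually installed and with the Support Lifecycle page.
$products = @($subscription.GetUpdateCategories() |
    Sort-Object Title |
    ForEach-Object { $_.Title })

# Approved updates as a share of all updates on the server.
$total       = $status.UpdateCount
$approved    = $status.ApprovedUpdateCount
$approvedPct = if ($total -gt 0) {
    [math]::Round(100 * $approved / $total, 1)
} else {
    0
}

[pscustomobject]@{
    TotalUpdates      = $total
    DeclinedUpdates   = $status.DeclinedUpdateCount
    ApprovedUpdates   = $approved
    ApprovedPercent   = $approvedPct
    ApprovedOver15Pct = $approvedPct -gt 15
    DriversSelected   = $driversSelected
    SelectedProducts  = $products.Count
} | Format-List

# Print the selected products for manual review.
$products
```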
Just to entice you, you can physically delete other updates from the WSUS database. It can be done via API calls with code you write, or by native features of SolarWinds Patch Manager.