Remove and Reinstall Microsoft WSUS

KB ID 0001679

Problem

I don’t like WSUS. The product is OK (ish); the problem is that every time it’s deployed, the person it was deployed for typically never looks after it or manages it properly, and months/years later it becomes a massive ‘bag of spanners’. That is never the client’s fault; it’s always the fault of the poor guy who built it, or the support company.

If you run WSUS, log into the thing at least once a week, sort out reporting problems, and approve updates accordingly. If I look at your WSUS and see ‘This machine has not reported in for 12 months’, then I’m going to care as much as you do!

Solution

So let’s say you’re a conscientious tech and you’ve taken over WSUS from someone else who let it get into a state! There comes a point when it’s simpler to wipe it out and start again. It might be simpler to create a new server/VM and reinstall from scratch; if that’s the case, do that instead of this! (Remember, any GPOs pointing clients to WSUS will need updating, unless the new server has the same FQDN as the old one!)

Here I’m removing WSUS and re-installing it on the same server. I already have multiple GPOs set up pointing my clients to the WSUS server, so I don’t need to do that part.

Warning: If you have ‘Computer Groups’ set up in your GPOs, telling client machines that they should be in different computer groups in your WSUS deployment, then take a screenshot of all the group names before you start, so you can manually add them back in after the rebuild. Note: if you have computer groups but don’t reference them in your GPOs, you don’t need to do this.

Mine’s a small, typical deployment using WID (Windows Internal Database). To prove this, navigate to C:\Windows\WID and look for SUSDB. If yours is using SQL, you will need to remove that independently (assuming SQL is only doing WSUS of course!)
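As an alternative to the screenshot, the group names can be saved to a CSV and recreated after the rebuild. This is an added example, not part of the original article; it uses the UpdateServices module that ships with WSUS, and the function names and the C:\Temp path are placeholders.

```powershell
# Added example (not from the original article). Assumes an elevated session on
# the WSUS server itself, run BEFORE the uninstall. C:\Temp is a placeholder.
Import-Module UpdateServices

function Export-WsusGroupLayout {
    param([string]$Path = 'C:\Temp\wsus-groups.csv')

    $wsus    = Get-WsusServer    # connects to the local WSUS instance
    $builtIn = 'All Computers', 'Unassigned Computers'

    $rows = @(foreach ($group in $wsus.GetComputerTargetGroups()) {
        # The two built-in groups are recreated by setup, so skip them.
        if ($builtIn -contains $group.Name) { continue }
        [pscustomobject]@{
            Group   = $group.Name
            Parent  = $group.GetParentTargetGroup().Name
            Members = @($group.GetComputerTargets() |
                        ForEach-Object { $_.FullDomainName }) -join ';'
        }
    })
    $rows | Export-Csv -Path $Path -NoTypeInformation
    $rows
}

function Import-WsusGroupLayout {
    param([string]$Path = 'C:\Temp\wsus-groups.csv')

    $wsus     = Get-WsusServer
    $existing = @($wsus.GetComputerTargetGroups() | ForEach-Object { $_.Name })

    foreach ($row in Import-Csv -Path $Path) {
        if ($existing -notcontains $row.Group) {
            # Groups are recreated flat under 'All Computers'; the names are
            # what client-side targeting matches. Members rejoin via the GPO.
            [void]$wsus.CreateComputerTargetGroup($row.Group)
            $existing += $row.Group
        }
    }
}
```

Run `Export-WsusGroupLayout` before the uninstall and `Import-WsusGroupLayout` once the reinstalled server has finished its configuration wizard; keep the CSV outside the WSUS and WID folders, which are deleted later.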

Remove WID and WSUS from an administrative PowerShell window;

Uninstall-WindowsFeature -Name UpdateServices,Windows-Internal-Database -Restart

KEEP THIS WINDOW OPEN!

Remove WSUS and WID

Now locate the folder containing all your updates, usually called WSUS (unless it was named something bizarre!) Then delete it.

Delete WSUS Updates

Now delete the C:\Windows\WID directory.

Delete WID Directory

Now to remove the IIS AppPool for WSUS;

Import-Module WebAdministration
IIS:
cd AppPools
del WsusPool

Remove WSUS AppPool

Whilst still in web administration, jump up a directory and go to Sites, then delete the WSUS Administration website;

cd..
cd .\Sites\
del ".\WSUS Administration\"

Remove WSUS Website
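Before reinstalling, it is worth confirming that every piece removed above is really gone, because leftovers (an old SUSDB or a stale app pool) are what a clean rebuild is meant to avoid. The following check is an added example, not part of the original article; the function name is hypothetical and D:\WSUS is a placeholder for your own update folder.

```powershell
# Added example (not from the original article). Run in an elevated PowerShell
# window on the server. D:\WSUS is a placeholder for your update folder.
Import-Module ServerManager
Import-Module WebAdministration

function Test-WsusRemoved {
    param([string]$ContentDir = 'D:\WSUS')

    $checks = [ordered]@{}

    # Both Windows features from the uninstall step must report as not installed.
    foreach ($feature in 'UpdateServices', 'Windows-Internal-Database') {
        $installed = (Get-WindowsFeature -Name $feature).Installed
        $checks["Feature $feature uninstalled"] = -not $installed
    }

    # Folders deleted by hand in the steps above.
    $checks['C:\Windows\WID deleted']   = -not (Test-Path 'C:\Windows\WID')
    $checks["$ContentDir deleted"]      = -not (Test-Path $ContentDir)

    # IIS objects removed through the IIS: drive.
    $checks['WsusPool app pool removed'] =
        -not (Test-Path 'IIS:\AppPools\WsusPool')
    $checks['WSUS Administration site removed'] =
        -not (Test-Path 'IIS:\Sites\WSUS Administration')

    foreach ($name in $checks.Keys) {
        if (-not $checks[$name]) { Write-Warning "Still present: $name" }
        [pscustomobject]@{ Check = $name; Passed = $checks[$name] }
    }
}

# Proceed with the reinstall only when nothing is left over.
$results = Test-WsusRemoved -ContentDir 'D:\WSUS'
if (@($results | Where-Object { -not $_.Passed }).Count -eq 0) {
    'Clean: safe to reinstall WSUS.'
}
```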

Reinstall the WSUS components;

Install-WindowsFeature -Name UpdateServices, UpdateServices-WidDB, UpdateServices-Services, UpdateServices-RSAT, UpdateServices-API, UpdateServices-UI

Install WSUS and WID From PowerShell

Now launch WSUS and complete the configuration. Recreate your WSUS directory (make sure there’s plenty of space for the updates!) In production I would not have this on the C:\ drive!

Install WSUS Set Update Directory

Select your new folder.

Create WSUS Set Update Directory

Next > Untick (if not required) > Next.

Deploy WSUS on Server 2016.

Next (Unless you have an upstream WSUS server) > Next (Unless you have a proxy server).

Setup WSUS on Server 2019.

Start connecting > Wait for a while until it will let you continue.

Setup WSUS on Server Sync

Select the languages you require > Next > select the products you want to update > Next.

Setup WSUS on Server Products

Select the ‘type’ of updates you require (I typically never select Service Packs, Update Rollups, or Drivers, but that’s my preference) > Next > Select automatically and set it for early in the morning > Next.

Setup WSUS on Server Schedule

Let it begin synchronisation > Next > Finish.

Setup WSUS on Server Settings

You can view synchronisation progress from the main WSUS window.

WSUS Server Check Synchronization Progress

At this point you can set up any computer/server ‘test’ groups you require, and start authorising updates for those groups, or setting auto-authorise if that’s your preferred option.

Computers Not Reporting Into WSUS or Erroring

For the most part, manually visiting the ‘problem client’, manually running through the update procedure, and rebooting a few times will fix the problem (assuming that the GPO telling it to get its updates from WSUS is correct!)

But sometimes clients flatly refuse to check in at all. For those, run the following PowerShell commands on them;

# Search criteria for the Windows Update Agent: updates that are not yet installed
$criteria = "IsInstalled=0"
$updateSession = New-Object -ComObject "Microsoft.Update.Session"
$updates = $updateSession.CreateUpdateSearcher().Search($criteria).Updates

wuauclt /reportnow

Force WSUS client to report in correctly
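To find which clients need that treatment without clicking through the console, the server can list every machine that has gone quiet. This is an added example, not part of the original article; the function name and the 30-day default are assumptions, and it must run on the WSUS server with the UpdateServices module.

```powershell
# Added example (not from the original article). Lists clients that have not
# reported status to WSUS recently, or have never reported at all.
Import-Module UpdateServices

function Get-WsusSilentClient {
    param([int]$Days = 30)   # assumed threshold; adjust to your patch cycle

    $wsus   = Get-WsusServer
    $now    = [DateTime]::UtcNow          # WSUS stores these times in UTC
    $cutoff = $now.AddDays(-$Days)

    $wsus.GetComputerTargets() |
        Where-Object { $_.LastReportedStatusTime -lt $cutoff } |
        ForEach-Object {
            # A client that registered but never reported has the minimum date.
            $never = $_.LastReportedStatusTime -eq [DateTime]::MinValue
            [pscustomobject]@{
                Computer     = $_.FullDomainName
                IPAddress    = $_.IPAddress
                State        = if ($never) { 'NeverReported' } else { 'Stale' }
                LastReported = if ($never) { $null } else { $_.LastReportedStatusTime }
                LastSync     = $_.LastSyncTime
                DaysSilent   = if ($never) { $null }
                               else { [int]($now - $_.LastReportedStatusTime).TotalDays }
            }
        } |
        Sort-Object State, @{ Expression = 'DaysSilent'; Descending = $true }
}

# Weekly review: anything silent for more than 30 days.
Get-WsusSilentClient -Days 30 | Format-Table -AutoSize
```

A machine with a recent LastSync but a stale LastReported is contacting the server without returning results, which is the case the client-side commands above are aimed at.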

 

Related Articles, References, Credits, or External Links

Windows Server Update Services – Install and Configure

Windows Client(s) not ‘appearing’ in WSUS

Author: PeteLong
