KB ID 0001679
Problem
I don’t like WSUS. The product is OK (ish); the problem is that every time it’s deployed, the person it was deployed for typically never looks after it or manages it properly, and months or years later it becomes a massive ‘bag of spanners’, which is never the client’s fault, it’s always the fault of the poor guy who built it, or of the support company.
If you run WSUS, log into the thing at least once a week, sort out reporting problems, and approve updates accordingly. If I look at your WSUS and see ‘This machine has not reported in for 12 months’, then I’m going to care about it exactly as much as you do!
Solution
So let’s say you’re a conscientious tech and you’ve taken over WSUS from someone else who let it get into a state. There comes a point when it’s simpler to wipe it out and start again. It may be simpler still to create a new server/VM and reinstall from scratch; if that’s the case, do that instead of this! (Remember that any GPOs pointing clients at WSUS will need updating, unless the new server has the same FQDN as the old one.)
Here I’m removing WSUS and re-installing it on the same server. I already have multiple GPOs set up pointing my clients at the WSUS server, so I don’t need to do that part.
Warning: If you use client-side targeting, i.e. your GPOs tell client machines which computer group they belong to in WSUS, take a screenshot of all the group names before you start so you can recreate them (with exactly the same names) after the rebuild. If you have computer groups but don’t reference them from your GPOs, you don’t need to do this.
WSUS Removal Procedure
Mine’s a small, typical deployment using WID (Windows Internal Database). To prove this, navigate to C:\Windows\WID\Data and look for SUSDB.mdf. If yours is using SQL Server you will need to drop the SUSDB database on the SQL instance separately, (assuming that SQL instance is only doing WSUS, of course!)
Remove WID and WSUS from an administrative PowerShell window (note the -Restart switch: the server will reboot as soon as the features have been removed);
[box]
Uninstall-WindowsFeature -Name UpdateServices,Windows-Internal-Database -Restart
[/box]
After the reboot, open a new administrative PowerShell window and KEEP IT OPEN for the rest of the procedure!
Now locate the folder containing all your updates, usually called WSUS (unless it was named something bizarre!), and delete it.
Now delete the C:\Windows\WID directory.
Now to remove the IIS AppPool for WSUS:
[box]
Import-Module WebAdministration
IIS:
cd AppPools
del WsusPool
[/box]
Whilst still in the IIS: drive, jump up a directory, go to Sites, and delete the WSUS Administration website;
[box]
cd ..
cd .\Sites\
del ".\WSUS Administration\"
[/box]
Reinstall the WSUS components;
[box]
Install-WindowsFeature -Name UpdateServices, UpdateServices-WidDB, UpdateServices-Services, UpdateServices-RSAT, UpdateServices-API, UpdateServices-UI
[/box]
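The removal and reinstall steps above, collected into one script as an added example (this is not the original article’s code). It assumes a WID-backed WSUS, that the new content store will be D:\WSUS, and that you run it once before the reboot (-Phase PreReboot) and once after (-Phase PostReboot). It also adds two checks worth having: it refuses to run if SUSDB is on a SQL Server instance rather than WID, and it records the old content folder from the registry before the role is removed, so you don’t have to guess where the old updates lived. The final wsusutil postinstall step is the command-line equivalent of the folder prompt you get when the console is launched for the first time.

```powershell
# Added example, not from the original article. Assumptions: WID-backed WSUS,
# new content store at D:\WSUS, run PreReboot phase, let the server reboot,
# then run PostReboot phase from a fresh elevated PowerShell window.
#Requires -RunAsAdministrator
param(
    [ValidateSet('PreReboot', 'PostReboot')]
    [string]$Phase = 'PreReboot',
    [string]$NewContentDir = 'D:\WSUS'
)

$setupKey  = 'HKLM:\SOFTWARE\Microsoft\Update Services\Server\Setup'
$stateFile = Join-Path $env:ProgramData 'wsus-rebuild-old-contentdir.txt'

if ($Phase -eq 'PreReboot') {
    # Throws if the key is missing, i.e. WSUS is not (or no longer) installed.
    $setup = Get-ItemProperty -Path $setupKey -ErrorAction Stop

    # Safety check: only a WID database is removed by uninstalling the feature.
    # A SQL Server backed SUSDB must be dropped on that instance first.
    if ($setup.SqlServerName -ne 'MICROSOFT##WID') {
        throw "SUSDB is hosted on '$($setup.SqlServerName)', not WID. Drop it in SQL Server first, then re-run."
    }

    # Remember where the old update content lives; the registry key disappears with the role.
    $setup.ContentDir | Out-File -FilePath $stateFile -Encoding ASCII
    Write-Host "Old content directory: $($setup.ContentDir) (saved to $stateFile)"

    # Removes WSUS and WID and reboots the server straight away.
    Uninstall-WindowsFeature -Name UpdateServices, Windows-Internal-Database -Restart
    return
}

# ---- PostReboot phase ----
$oldContentDir = Get-Content -Path $stateFile -ErrorAction SilentlyContinue

# Delete the old update content and the orphaned WID database files.
foreach ($dir in @($oldContentDir, 'C:\Windows\WID')) {
    if ($dir -and (Test-Path -Path $dir)) {
        Write-Host "Removing $dir"
        Remove-Item -Path $dir -Recurse -Force
    }
}

# Remove the IIS leftovers: the WSUS Administration site and the WsusPool app pool.
Import-Module WebAdministration
if (Get-Website -Name 'WSUS Administration' -ErrorAction SilentlyContinue) {
    Remove-Website -Name 'WSUS Administration'
}
if (Test-Path -Path 'IIS:\AppPools\WsusPool') {
    Remove-WebAppPool -Name 'WsusPool'
}

# Reinstall WSUS with the WID database and the management tools.
Install-WindowsFeature -Name UpdateServices, UpdateServices-WidDB, UpdateServices-Services,
    UpdateServices-RSAT, UpdateServices-API, UpdateServices-UI

# Create the new content store (ideally not on C:) and run the post-install task,
# which creates SUSDB in WID and points WSUS at the new folder.
New-Item -ItemType Directory -Path $NewContentDir -Force | Out-Null
$wsusutil = Join-Path $env:ProgramFiles 'Update Services\Tools\wsusutil.exe'
& $wsusutil postinstall CONTENT_DIR=$NewContentDir

Remove-Item -Path $stateFile -ErrorAction SilentlyContinue
Write-Host "Done. Open the WSUS console and run through the configuration wizard."
```

Usage: `.\Rebuild-Wsus.ps1 -Phase PreReboot`, wait for the server to come back, then `.\Rebuild-Wsus.ps1 -Phase PostReboot -NewContentDir D:\WSUS`. Once postinstall has finished, the console opens straight into the configuration wizard described below, so the folder prompt is skipped.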
Recreate your WSUS content directory first (make sure there’s plenty of space for the updates! In production I would not put this on the C: drive), then launch the WSUS console and complete the configuration.
Select your new folder.
Next > Untick (if not required) > Next.
Next (Unless you have an upstream WSUS server) > Next (Unless you have a proxy server).
Start connecting > Wait for a while until it will let you continue.
Select the languages you require > Next > select the products you want to update > Next.
Select the ‘type’ of updates you require (I typically never select Service Packs, Update Rollups or Drivers, but that’s my preference) > Next > Select ‘Synchronize automatically’ and set it for early in the morning > Next.
Let it begin synchronisation > Next > Finish.
You can view synchronisation progress from the main WSUS window.
At this point you can set up any computer/server ‘test’ groups you require and start approving updates for those groups, or create automatic approval rules if that’s your preferred option.
Computers Not Reporting Into WSUS or Erroring
For the most part, manually visiting the ‘problem client’, running through the update procedure and rebooting a few times will fix the problem, (assuming that the GPO telling it to get its updates from WSUS is correct!)
But sometimes clients flatly refuse to check in at all. For those, run the following PowerShell commands on the client (the search criteria selects updates that are not yet installed, which forces a fresh detection; then the client is told to report its status to WSUS);
[box]
# Search criteria for the Windows Update Agent: software updates not yet installed
$criteria = "IsInstalled=0 and Type='Software'"
$updateSession = New-Object -ComObject "Microsoft.Update.Session"
$updates = $updateSession.CreateUpdateSearcher().Search($criteria).Updates
# Send the results of that detection to the WSUS server now
wuauclt /reportnow
[/box]
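Before forcing a detection it is worth checking why the client is not reporting. The script below is an added example (not the original article’s code) to run in an elevated PowerShell window on the problem client. It first confirms that the WSUS policy from the GPO actually landed in the registry, then shows the client’s SusClientId, and finally resets that identity and forces a fresh detection and report. The identity reset is the standard fix for machines built from the same image or cloned VM: they share a SusClientId, so WSUS treats them as one computer and only the last one to report ever shows up in the console. The registry paths and value names are the standard Windows Update Agent ones; the 60-second wait is an assumption to give detection time to finish before reporting.

```powershell
# Added example, not from the original article. Run elevated on the client.
#Requires -RunAsAdministrator
$policyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
$stateKey  = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate'

# 1. Has the GPO actually applied? Without WUServer the client goes to Microsoft Update instead.
$policy = Get-ItemProperty -Path $policyKey -ErrorAction SilentlyContinue
if (-not $policy -or -not $policy.WUServer) {
    throw "No WUServer policy found on this machine. Check the GPO scope and run gpupdate /force first."
}
Write-Host "WUServer       : $($policy.WUServer)"
Write-Host "WUStatusServer : $($policy.WUStatusServer)"
# TargetGroup only exists if client-side targeting is used; it must match a group name in WSUS.
Write-Host "TargetGroup    : $($policy.TargetGroup)"

# 2. The identity WSUS uses to tell clients apart. Duplicates (cloned images) hide machines in the console.
$state = Get-ItemProperty -Path $stateKey -ErrorAction SilentlyContinue
Write-Host "SusClientId    : $($state.SusClientId)"

# 3. Reset the client identity and force a fresh detection and report.
Stop-Service -Name wuauserv -Force
foreach ($name in 'SusClientId', 'SusClientIdValidation', 'AccountDomainSid', 'PingID') {
    Remove-ItemProperty -Path $stateKey -Name $name -ErrorAction SilentlyContinue
}
Start-Service -Name wuauserv

# /resetauthorization clears the cached cookie, /detectnow starts detection against WUServer.
wuauclt.exe /resetauthorization /detectnow
# Assumption: a minute is enough for detection to finish on a typical client before reporting.
Start-Sleep -Seconds 60
wuauclt.exe /reportnow

# 4. Show the new identity; the machine should appear in the WSUS console within a few minutes.
$state = Get-ItemProperty -Path $stateKey -ErrorAction SilentlyContinue
Write-Host "New SusClientId: $($state.SusClientId)"
```

If the machine still does not appear, confirm from the client that it can actually reach the URL shown as WUServer (port 8530 by default, 8531 for HTTPS), since a wrong port or a firewall rule is the other usual culprit.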