Keeping WSUS Happy using PowerShell

Some time ago I found a great WSUS cleanup script. I have used it in my demo lab and at customer sites. WSUS needs a little help:

  • Someone needs to deny all patches that are superseded, this does not happen automatically.
  • Someone needs to cleanup old content, computers, patches and such, this does not happen automatically.
  • Someone needs to care for the database, this does not happen automatically.


The script will do the following

Connect to a database

You might need to change this in the script.

#For Windows Internal Database, use $WSUSDB = '\\.\pipe\MICROSOFT##WID\tsql\query'
#For SQL Express, use $WSUSDB = '\\.\pipe\MSSQL$SQLEXPRESS\sql\query'

Get the Superseded Updates

Here is the Posh that fixes that:

$SuperSeededUpdates = Get-WsusUpdate -Approval AnyExceptDeclined -Classification All -Status Any | Where-Object -Property UpdatesSupersedingThisUpdate -NE -Value 'None' -Verbose
$SuperSeededUpdates | Deny-WsusUpdate -Verbose

Cleanup WSUS

We run each step separately; however, you can change that and run everything in one line…

Cleanup the DB

The last part runs sqlcmd using a .SQL file from the MSFT Gallery, and yes, you can download and install the PowerShell tools for SQL and use those instead. Most of your customers don't have those tools installed, so sqlcmd.exe it is.
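The four steps above, put together as an added example (this is not the cleanup script the post refers to). It assumes it runs elevated on the WSUS server itself, that sqlcmd.exe is on the PATH, and that $MaintenanceSql, a placeholder path, points at the maintenance .SQL file you downloaded; -WhatIf is passed through to the WSUS cmdlets so the run can be previewed.

```powershell
#Requires -RunAsAdministrator
[CmdletBinding(SupportsShouldProcess)]
param(
    # Pipe name from the post (Windows Internal Database); use the SQL Express pipe if that hosts SUSDB.
    [string]$WSUSDB = '\\.\pipe\MICROSOFT##WID\tsql\query',
    # Placeholder (assumption): where you saved the maintenance .SQL file.
    [string]$MaintenanceSql = 'C:\Path\To\WsusDBMaintenance.sql'
)
$ErrorActionPreference = 'Stop'
Import-Module UpdateServices

# 1. Deny superseded updates, using the same filter as the post.
$superseded = @(Get-WsusUpdate -Approval AnyExceptDeclined -Classification All -Status Any |
    Where-Object -Property UpdatesSupersedingThisUpdate -NE -Value 'None')
Write-Verbose "Superseded updates found: $($superseded.Count)"
if ($superseded.Count -gt 0) {
    # Keep a record of what was declined so it can be re-approved if needed.
    $superseded | ForEach-Object { Write-Verbose "Declining: $($_.Update.Title)" }
    $superseded | Deny-WsusUpdate
}

# 2. Run each cleanup step separately so a failure in one step is reported
#    and the remaining steps still run.
$steps = 'DeclineExpiredUpdates', 'CleanupObsoleteComputers',
         'CleanupObsoleteUpdates', 'CompressUpdates', 'CleanupUnneededContentFiles'
foreach ($step in $steps) {
    $splat = @{ $step = $true }   # splat the switch for this step only
    try {
        Invoke-WsusServerCleanup @splat
    }
    catch {
        Write-Warning "$step failed: $($_.Exception.Message)"
    }
}

# 3. Database maintenance through sqlcmd.exe.
if (-not (Test-Path -LiteralPath $MaintenanceSql)) {
    throw "Maintenance SQL file not found: $MaintenanceSql"
}
if ($PSCmdlet.ShouldProcess($WSUSDB, "Run $MaintenanceSql")) {
    # -E: Windows authentication, -I: quoted identifiers on, -b: non-zero exit code on SQL error
    & sqlcmd.exe -E -I -b -S $WSUSDB -i $MaintenanceSql
    if ($LASTEXITCODE -ne 0) { throw "sqlcmd exited with code $LASTEXITCODE" }
}
```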


The Windows Server Update Services console gives Unexpected Error after KB3159706


Manual steps required to complete the installation of this update

  1. Open an elevated Command Prompt window, and then run the following command (case sensitive, assume “C” as the system volume):
    "C:\Program Files\Update Services\Tools\wsusutil.exe" postinstall /servicing
  2. Select HTTP Activation under .NET Framework 4.5 Features in the Server Manager Add Roles and Features wizard.


  3. Restart the WSUS service.

If SSL is enabled on the WSUS server

  1. Assign ownership of the Web.Config file to the administrators group (run at an elevated command prompt):
    takeown /f web.config /a
    icacls "C:\Program Files\Update Services\WebServices\ClientWebService\Web.config" /grant administrators:f
  2. Locate the Web.Config file in the following path:
    C:\Program Files\Update Services\WebServices\ClientWebService\Web.Config
  3. Make the following changes in the file.

    Note This code sample represents a single text block. The line spacing is used only to emphasize the text changes, which are shown in bold.

    <!-- These 4 endpoint bindings are required for supporting both http and https -->
    <endpoint address=""
              contract="Microsoft.UpdateServices.Internal.IClientWebService" />
    <endpoint address="secured"
              contract="Microsoft.UpdateServices.Internal.IClientWebService" />
    <endpoint address=""
              contract="Microsoft.UpdateServices.Internal.IClientWebService" />
    <endpoint address="secured"
              contract="Microsoft.UpdateServices.Internal.IClientWebService" />
  4. Add the multipleSiteBindingsEnabled="true" attribute to the bottom of the Web.Config file, as shown:
    <serviceHostingEnvironment aspNetCompatibilityEnabled="true" multipleSiteBindingsEnabled="true" />

MDT Packages & WSUS: a very nice feature.

A long time ago I wrote an article, mdt-automatisch-updates-via-wsus-laten-installeren-tijdens-het-deployen-van-het-os (Dutch), about using WSUS with MDT.

After you deploy a Windows 7 SP1 machine, updating takes a lot of time.

You can slipstream Windows security updates when you deploy a machine… Windows 7 / Windows 8 / Windows 2008 R2 / Windows 2012.

How do you do this? It's quite simple: import the WSUS content into Packages.






The error is normal because not everything is imported.


Every time you do this, delete the Update & Hotfix packages. If you don't, you will end up in an error state when you deploy a machine.

Have MDT automatically install Windows updates via WSUS while deploying the OS.

1. Go to your distribution share:

2. Open the Control folder

3. Open CustomSettings.ini
4. Add the following at the bottom

5. Download the following 2 files:
x86 versions (WindowsUpdateAgent30-x86.exe) at
x64 version (WindowsUpdateAgent30-x64.exe) at

6. Copy WindowsUpdateAgent30-x64.exe into the x:\Distribution\Tools\x64\ folder and
WindowsUpdateAgent30-x86.exe into the x:\Distribution\Tools\x86\ folder.

7. Open each task sequence you have created.
Clear the two check boxes at:


You do this by clicking the task and then clicking the Options tab.
Clear the check box at Disable this step.


8. Now you can test whether it works. I tested with Windows 2003 R2 x64 and it works like a charm. 😀