Decommission WSUS 3 on Small Business Server

I am slowly but surely moving all of the services from Windows SBS 2008 onto our brand new Windows 2016 Server. This article covers the steps I took to decommission WSUS 3 after switching to WSUS 4.

Firstly, I checked that none of my clients were still connecting to WSUS 3. Once I established this, I manually deleted all of the client machines from the Console.

180309 WSUS Cleanup 050.jpg

Next, I set “Any” updates I had previously “Approved” to “Not Approved”.

180309 WSUS Cleanup 001.jpg

Finally, configure the WSUS server to NOT store updates locally.

WSUS 015.jpg

At this point, you can run the WSUS Server Cleanup Wizard and you should see a large amount of hard disk space reclaimed. In my case, this was almost 35GB.

WSUS 020.jpg



Windows 10 Update 1709 woes

I tried many different methods of attack, but on every occasion, Windows 10 Update 1709 continued to fail.

The Error Message was a follows:

0x8007001F – 0x3000D

The installation failed in the FIRST_BOOT phase with an error during MIGRATE_DATE operation

Windows Update Installer 020.jpg

Now, I need to point out that my Workstation is connected to a Domain, and that we use Roaming User Profiles. So, if you don’t have this scenario, the solution won’t work for you unfortunately.

Bearing in mind the Error Message, my assumption was that it had something to do with the User Profiles.

In order to get the Workstation to update, I did the following:

[1] Remove ALL of the Roaming Profiles from the Local Workstation using “Control Panel => Advanced System Settings => User Profiles”

Only the Administrator Account (and the Default Profile) should remain.

Untitled 003

[2] Disconnect the Workstation from the Domain (make sure you know the Local Machine Administrator Password)

[3] Using “Regedit”, navigate to “HKLM\Software\Microsoft\Windows NT\CurrentVersion\ProfileList\” and remove any remaining Domain Accounts from the list. Don’t remove the Administrator Account (or any other local system accounts).

Untitled 001.jpg

[4] Optionally, clear out any “dead” account folders from within “C:\users”.

If you try the update again, you should find that it works.

When everything is complete, you can re-join the machine to the Domain.

WSUS: Recovering Disk Space

Over time, my WSUS (Windows Server Update Services) Server began to consume alarming amounts of disk space, mainly due to neglect on my part. So, it was time for a bit of a tidy up.

Declining Superseded Updates

The most important thing to realise is that (even though there were over 30,000 items listed within the database) the only updates that are consuming disk space are the ones that have been approved. WSUS does not download updates that have a status of “Unapproved” or “Declined”.

So, lets have a look inside the console.

Go to “All Updates” and filter the results to “Approval: Approved” and “Status: Any”

WSUS Superseded Updates 010b

From the screen capture (above) it can be seen that I have almost 5000 approved updates filling up my server drive. The download folder was in excess of 50GB.

All of these updates would have been required at some point, otherwise I would not have approved them. However, a significant proportion of these will have been “Superseded”. In other words, Microsoft has issued an update that replaces a previous one, and therefore only the newer one is required.

The first step will be to identify and “Superseded” updates and “Decline” them.

The easiest way to identify “superseded” updates is to show the “Supersedence” column within the WSUS Console.

WSUS Superseded Updates 010c

The supersedence icon next to each update will enable us to identify updates that are no longer required:

WSUS Superseded Updates 023 These updates (and any updates without an icon) have not been superseded. These updates are “current” and we need to keep them.
WSUS Superseded Updates 023B These updates have been superseded, and (in most cases) are surplus to requirements.

As stated above, we are only interested in superseded items. Anything that has not been superseded may be needed.

So, let’s go ahead and select a few superseded updates and “Decline” them.

You should only select updates that have been superseded, and where the “Needed” count is zero and the “Installed / Not Applicable” value is 100%.

WSUS Superseded Updates 020b

Just select a dozen or so items to begin with. Then, click on “Decline” (and “Yes” to confirm).

WSUS Server Cleanup Wizard

After “Declining” the updates, Run the WSUS Server Cleanup Wizard. You should see some “Unused” updates have been removed and some disk space has been recovered.

WSUS Superseded Updates 063b

When you are satisfied with the results, go ahead and decline a larger batch of updates. Remember to make sure that they are:

  • Superseded
  • Needed Count = 0
  • Installed / Not Applicable = 100%

A Warning about “WSUS Updates”

These are updates to the WSUS Service itself. If you have inadvertently declined any of these updates, you will need to re-approve them. Otherwise, the WSUS system will not operate properly.

Within “Updates”, go to the “WSUS Updates” container and approve all updates that are listed as “Not Approved”.

WSUS Superseded Updates 051b

“Un-approving” (rather than “Declining) Updates

It is just as valid to “un-approve” updates as it is to “decline” them. However, I found that when an update is “un-approved”, the WSUS Cleanup Wizard waits for 30 days before deleting the download files from the WSUS folder.