PowerShell: Automated WSUS Maintenance (Update 1.3)

In a previous post I wrote about some configuration tweaks to improve the performance of your WSUS server. I also included a short PowerShell script to automate the WSUS maintenance process. I’ve improved the script somewhat since then, adding more configuration options. This post will serve as a change log and documentation page.

My WSUS Maintenance script can be downloaded from the Microsoft TechNet Gallery.

Features and Requirements

  • The script runs the WSUS server cleanup process, which deletes obsolete updates and declines expired and superseded updates.
  • It can optionally create a log file and email the log file to an address of your choice.
  • The script can be run locally on a WSUS server, or on a remote server.
  • The script requires that the WSUS management tools be installed.
  • The script has been tested on Windows 10 and Windows Server 2016.

Configuration

The script is configured via command line switches. Here’s a list of all the switches and example configurations.

  • -server
    Mandatory: Yes
    Description: The WSUS server that should be cleaned.
    Example: wsus01

  • -port
    Mandatory: Yes
    Description: The port that the WSUS service is running on.
    Example: 8530

  • -l
    Mandatory: No
    Description: Location to store the optional log file. The name of the log file is generated automatically.
    Example: E:\scripts

  • -sendto
    Mandatory: No*
    Description: The email address to send the log file to.
    *This switch isn’t mandatory but is required if you wish to email the log file.
    Example: me@contoso.com

  • -from
    Mandatory: No*
    Description: The email address that the log file should be sent from.
    *This switch isn’t mandatory but is required if you wish to email the log file.
    Example: Server-Status@contoso.com

  • -smtp
    Mandatory: No*
    Description: SMTP server address to use for the email functionality.
    *This switch isn’t mandatory but is required if you wish to email the log file.
    Example: mail01.contoso.com OR smtp.live.com OR smtp.office365.com

  • -user
    Mandatory: No*
    Description: The username of the account to use for SMTP authentication.
    *This switch isn’t mandatory but may be required depending on the configuration of the SMTP server.
    Example: example@contoso.com

  • -pwd
    Mandatory: No*
    Description: The password of the account to use for SMTP authentication.
    *This switch isn’t mandatory but may be required depending on your SMTP server.
    Example: P@ssw0rd

  • -usessl
    Mandatory: No*
    Description: Add this option if you wish to use SSL with the configured SMTP server.
    Tip: If you wish to send email to outlook.com or office365.com you will need this.
    *This switch isn’t mandatory but may be required depending on the configuration of the SMTP server.
    Example: N/A

 

Change Log

11/08/2017 1.3

  • Improved, cleaner logging. The log file is no longer produced from PowerShell’s Transcript function.

22/07/2017 1.2

  • Improved commenting on the code for documentation purposes.
  • Added authentication and SSL options for e-mail notification.

22/05/2017 1.1

  • Added configuration via command line switches.

 

PowerShell Code

# -------------------------------------------
# Script: Wsus-Maintenance_v1-3.ps1
# Version: 1.3
# Author: Mike Galvin twitter.com/Digressive
# Date: 11/08/2017
# -------------------------------------------

Param(
    [parameter(Mandatory=$True)]
    [alias("server")]
    $WsusServer,
    [parameter(Mandatory=$True)]
    [alias("port")]
    $WsusPort,
    [alias("l")]
    $LogPath,
    [alias("sendto")]
    $MailTo,
    [alias("from")]
    $MailFrom,
    [alias("smtp")]
    $SmtpServer,
    [alias("user")]
    $SmtpUser,
    [alias("pwd")]
    $SmtpPwd,
    [switch]$UseSsl)

## If logging is configured, start log
If ($LogPath) {
    $LogFile = "wsus-maintenance.log"
    $Log = "$LogPath\$LogFile"
    $LogT = Test-Path -Path $Log
## If the log file already exists, clear it
    If ($LogT) {
        Clear-Content -Path $Log
    }

    Add-Content -Path $Log -Value "****************************************"
    Add-Content -Path $Log -Value "$(Get-Date -format g) Log started"
    Add-Content -Path $Log -Value ""

## Get the WSUS server configured and perform the maintenance operations
    Add-Content -Path $Log -Value "$(Get-Date -format g) WSUS maintenance routine starting..."
    Add-Content -Path $Log -Value ""
## Pipe the requested server into the cleanup; a bare Get-WsusServer would select the local server instead
    Get-WsusServer -Name $WsusServer -PortNumber $WsusPort | Invoke-WsusServerCleanup -CleanupObsoleteComputers -CleanupObsoleteUpdates -CleanupUnneededContentFiles -CompressUpdates -DeclineExpiredUpdates -DeclineSupersededUpdates | Out-File -Append $Log -Encoding ASCII

## If log was configured stop the log
    Add-Content -Path $Log -Value ""
    Add-Content -Path $Log -Value "$(Get-Date -format g) Log finished"
    Add-Content -Path $Log -Value "****************************************"

    ## If email was configured, set the variables for the email subject and body
    If ($SmtpServer) {
        $MailSubject = "WSUS Maintenance"
        $MailBody = Get-Content -Path $Log | Out-String

        ## If an email password was configured, create a variable with the username and password
        If ($SmtpPwd) {
            $SmtpCreds = New-Object System.Management.Automation.PSCredential -ArgumentList $SmtpUser, $($SmtpPwd | ConvertTo-SecureString -AsPlainText -Force)

            ## If ssl was configured, send the email with ssl
            If ($UseSsl) {
                Send-MailMessage -To $MailTo -From $MailFrom -Subject $MailSubject -Body $MailBody -SmtpServer $SmtpServer -UseSsl -Credential $SmtpCreds
            }

            ## If ssl wasn't configured, send the email without ssl
            Else {
                Send-MailMessage -To $MailTo -From $MailFrom -Subject $MailSubject -Body $MailBody -SmtpServer $SmtpServer -Credential $SmtpCreds
            }
        }
    
        ## If an email username and password were not configured, send the email without authentication
        Else {
            Send-MailMessage -To $MailTo -From $MailFrom -Subject $MailSubject -Body $MailBody -SmtpServer $SmtpServer
        }
    }
}

If (!($LogPath)) {
    ## Pipe the requested server into the cleanup so that -server and -port are honoured
    Get-WsusServer -Name $WsusServer -PortNumber $WsusPort | Invoke-WsusServerCleanup -CleanupObsoleteComputers -CleanupObsoleteUpdates -CleanupUnneededContentFiles -CompressUpdates -DeclineExpiredUpdates -DeclineSupersededUpdates
}

## End
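
The -pwd switch puts the SMTP password in plain text on the command line and in any scheduled task that runs the script. The following added example, which is not part of the script above, loads a credential saved once with Export-Clixml instead and splats the mail parameters so that -UseSsl applies whether or not credentials are used. The names Send-MaintenanceLog, -CredentialFile and C:\scripts\smtp-cred.xml are assumptions for illustration, and refusing to authenticate without SSL is a choice made in this example.

```powershell
# Added example, not part of Wsus-Maintenance_v1-3.ps1.
# Send-MaintenanceLog, -CredentialFile and the .xml path are hypothetical names.
#
# One-time setup, run as the account that will run the scheduled task:
#   Get-Credential | Export-Clixml -Path 'C:\scripts\smtp-cred.xml'
# On Windows the password in that file is DPAPI-encrypted for that user and machine.

function Send-MaintenanceLog {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)][string]$LogFile,
        [Parameter(Mandatory)][string]$MailTo,
        [Parameter(Mandatory)][string]$MailFrom,
        [Parameter(Mandatory)][string]$SmtpServer,
        [string]$CredentialFile,
        [switch]$UseSsl
    )

    # Base parameters, matching what the script passes to Send-MailMessage
    $mail = @{
        To         = $MailTo
        From       = $MailFrom
        Subject    = 'WSUS Maintenance'
        Body       = Get-Content -Path $LogFile | Out-String
        SmtpServer = $SmtpServer
    }

    # SSL is applied independently of authentication
    if ($UseSsl) { $mail['UseSsl'] = $true }

    if ($CredentialFile) {
        # Do not send a username and password over an unencrypted SMTP session
        if (-not $UseSsl) {
            throw 'Refusing to send SMTP credentials without -UseSsl.'
        }
        $cred = Import-Clixml -Path $CredentialFile -ErrorAction Stop
        if ($cred -isnot [System.Management.Automation.PSCredential]) {
            throw "File does not contain a PSCredential: $CredentialFile"
        }
        $mail['Credential'] = $cred
    }

    Send-MailMessage @mail
}

# Example call, using the sample values from the switch list above:
# Send-MaintenanceLog -LogFile 'E:\scripts\wsus-maintenance.log' -MailTo 'me@contoso.com' -MailFrom 'Server-Status@contoso.com' -SmtpServer 'smtp.office365.com' -CredentialFile 'C:\scripts\smtp-cred.xml' -UseSsl
```

The credential file can only be decrypted by the user who created it, on the machine where it was created, so it must be generated under the scheduled task's account.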

If you’d like to get in touch with me please leave a comment or tweet me.

-Mike

Follow Mike on Twitter: @Digressive

2 thoughts on “PowerShell: Automated WSUS Maintenance (Update 1.3)”

    • Hi Cory,
      I’ve not tested it on a SCCM installation with WSUS, but I see no reason why it shouldn’t work. As I understand it WSUS is essentially the same, even when it is installed with SCCM.
