Automated WSUS Maintenance Utility v1.8

In a previous post I wrote about some configuration tweaks to improve the performance of your WSUS server. I also included a short PowerShell script to automate the WSUS maintenance process. I’ve improved the script somewhat since then, adding more configuration options, this post will serve as a change log and documentation page.

This utility is available to download from the Microsoft TechNet GalleryPowerShell Gallery and GitHub.

If you’d like to get in touch with me please use the comments, Twitter (you can tweet me and my DMs are open) or my contact form.

Please consider donating to support my work:

Thank you!



Features and Requirements

  • The script will run the WSUS server cleanup process, which will delete obsolete updates, as well as declining expired and superseded updates.
  • The script can optionally create a log file and e-mail the log file to an address of your choice.
  • The script can be run locally on a WSUS server, or on a remote sever.
  • The script requires that the WSUS management tools be installed.
  • The script has been tested on Windows 10 and Windows Server 2016.


Generating A Password File

The password used for SMTP server authentication must be in an encrypted text file. To generate the password file, run the following command in PowerShell, on the computer that is going to run the script and logged in with the user that will be running the script. When you run the command you will be prompted for a username and password. Enter the username and password you want to use to authenticate to your SMTP server.

Please note: This is only required if you need to authenticate to the SMTP server when send the log via e-mail.

$creds = Get-Credential
$creds.Password | ConvertFrom-SecureString | Set-Content c:\scripts\ps-script-pwd.txt

After running the commands, you will have a text file containing the encrypted password. When configuring the -Pwd switch enter the path and file name of this file.



The table below shows all the command line options available with descriptions and example configurations.

Command Line Switch Mandatory Description Example
-Server Yes The WSUS server that should be cleaned. wsus01
-Port Yes The port that the WSUS service is running on. 8530
-L No Location to store the optional log file. The name of the log file is generated automatically. C:\foo
-Subject No The subject line that the email should have. Encapsulate with single or double quotes. ‘Server: Notification’
-SendTo No The email address to send the log file to.
-From No* The email address that the log file should be sent from.

*This switch isn’t mandatory but is required if you wish to email the log file.
-Smtp No* SMTP server address to use for the email functionality.

*This switch isn’t mandatory but is required if you wish to email the log file.



-User No* The username of the account to use for SMTP authentication.

*This switch isn’t mandatory but may be required depending on the configuration of the SMTP server.
-Pwd No* The location of the file containing the encrypted password of the account to use for SMTP authentication.

*This switch isn’t mandatory but may be required depending on your SMTP server.

-UseSsl No* Add this option if you wish to use SSL with the configured SMTP server.

Tip: If you wish to send email to or you will need this.

*This switch isn’t mandatory but may be required depending on the configuration of the SMTP server.



Change Log

2019-09-04 v1.8

  • Added custom subject line for e-mail.

2019-04-23 v1.7

  • The script will now not run the cleanup process twice.
  • The script will now report if the service isn’t running before starting.

2017-10-16 v1.6

  • Changed SMTP authentication to require an encrypted password file.
  • Added instructions on how to generate an encrypted password file.

2017-10-07 v1.5

  • Added necessary information to add the script to the PowerShell Gallery.

2017-09-25 v1.4

  • Cleaned up formatting, minor changes to code for efficiency.

2017-08-11 v1.3

  • Improved, cleaner logging. The log file is no longer produced from PowerShell’s Transcript function.

2017-07-22 v1.2

  • Improved commenting on the code for documentation purposes.
  • Added authentication and SSL options for e-mail notification.

2017-05-22 v1.1

  • Added configuration via command line switches.


14 thoughts on “Automated WSUS Maintenance Utility v1.8

Add yours

    1. Hi Cory,
      I’ve not tested it on a SCCM installation with WSUS, but I see no reason why it shouldn’t work. As as I understand it WSUS is essentially the same, even when it is installed with SCCM.


  1. Hi Mike,
    I’m trying to run your script for the first time and I’m not sure if it’s doing anything or not. I’m running via PS ISE, it just says running script press CTRL BREAK to stop, but I set it up with a log and I’m not seeing a log being generated. Is this normal, I mean does the log not get generated until the end?


    1. Hi there,

      The script is designed to be run from Task Scheduler (or command line). If you configure the log output, the log will be created as the script is run. It can take a long time to run depending on if the WSUS server has been cleaned up recently. The script is designed to keep WSUS tidy and responsive by running it regularly.



  2. I get the following error. Could it be b/c it hasn’t been run, and no maintenance has been done since it’s inception 6 months ago?

    Invoke-WsusServerCleanup : Execution Timeout Expired. The timeout period elapsed prior to completion of the operation
    or the server is not responding.
    The statement has been terminated.
    At C:\_scripts\Wsus-Maintenance.ps1:133 char:34
    + … susServer | Invoke-WsusServerCleanup -CleanupObsoleteComputers -Clean …
    + ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo : InvalidData: (Microsoft.Updat…rCleanupCommand:InvokeWsusServerCleanupCommand) [Invoke-
    WsusServerCleanup], SqlException
    + FullyQualifiedErrorId : UnexpectedError,Microsoft.UpdateServices.Commands.InvokeWsusServerCleanupCommand


    1. Hi Brian, Yes I would say that that’s why it’s not running correctly. Although the script does an pretty good job at keeping WSUS clean and running well, I’ve found that running it on an older server that has never, or has not had any maintenance done recently cause the script to fail. If you run the clean up wizard first then the script should run successfully afterwards. You may have to run the cleanup wizard multiple times – just keep running it until it gives a successful completion report.



  3. Hi there,

    running the script on a Windows Server 2012 R2 as a task, I get an incomplete logfile:
    (Running it manually in Powershell Console or PowerShell ISE does work with complete output logfile…

    4/26/2018 9:46:46 AM Log started

    4/26/2018 9:46:46 AM WSUS maintenance routine starting…

    4/26/2018 9:46:47 AM Log finished

    Running the script with the same parameters and settings as a task on a Windows Server 2016 gives me a detailed output:

    26.04.2018 09:49:13 Log started

    26.04.2018 09:49:13 WSUS maintenance routine starting…

    Gelöschte veraltete Updates:0
    Abgelehnte abgelaufene Updates: 0
    Gelöschte veraltete Updates:0
    Komprimierte Updates:32
    Freigegebener Speicherplatz:0

    26.04.2018 09:49:48 Log finished
    Does anybody has the same problem?



    1. Hi Roland,

      This may or may not help but I’ve had the first result (the less detailed one) on Windows Server 2016 when the cleanup wizard hasn’t been able to complete. I solved it by:

      1) Rebooting the server
      2) Running the clean up wizard manually via Settings in the WSUS MMC

      After I did these things, the script ran normally.

      Not sure if it will help with Windows Server 2012 R2, but hopefully it will help.



  4. Hi there !

    Little suggestion to make this script more friendly with other langages.

    We use french server over here, and the out file and the email were getting a lot of crazy caracters.

    So I modified those lines :

    $WsusMaintCmd | Out-File -Append $Log -Encoding UTF8
    $MailBody = Get-Content -Path $Log -Encoding UTF8 | Out-String

    and then added -Encoding UTF8 to each line starting with Send-Mail-Message

    Thank for your great work !


Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

This site uses Akismet to reduce spam. Learn how your comment data is processed.

Create a website or blog at

Up ↑

%d bloggers like this: