I have been running a local WSUS for years. My experience so far, in line with what others said here:
- use a separate MS SQL instance and follow this Microsoft guide to improve WSUS DB's performance (just ignore the Configuration Manager part and do the SQL part)
- give it a plenty of disk space (I have 2 TB)
- schedule a weekly reboot of the WSUS machine — this tremendously helped improve stability and availability for me
- be selective regarding the software and versions it shall download — keep it at the bare minimum for your actual infrastructure, and when a new software or version is introduced in your infra, update WSUS settings
- have a custom cleanup script to get rid of the trash it keeps downloading
The cleanup script is important so that you don't waste space. Consider this:
1) WSUS has no CPU platform parameter (!) so it downloads updates for
all platforms including completely obsolete stuff like Itanium. Hence i have this in my script:
Code:
# Decline all ARM64 Updates
Write-Host "Declining ARM64 updates"
SearchAndDecline(‘ARM64-based Systems’)
SearchAndDecline(‘ARM64’)
# Decline all Itanium / IA64 updates (although there shouldn't be any these days)
Write-Host "Declining IA64 updates"
SearchAndDecline(‘Itanium’)
SearchAndDecline(‘IA64’)
…and yes, Microsoft uses
different names for the same thing, sometimes.
2) Unused versions and editions of operating systems can be recognized only by their names:
Code:
# Decline updates for old releases of Windows 10 (add more as time progresses)
Write-Host "Declining outdated Windows 10 updates"
SearchAndDecline(‘Windows 10 Version 1507’)
SearchAndDecline(‘Windows 10 Version 1511’)
SearchAndDecline(‘Windows 10 Version 1607’)
SearchAndDecline(‘Windows 10 Version 1703’)
3) Localized names: If you use anything else than English, to a great surprise, again that has no parameter in WSUS and the
names of products are sometimes localized. Consider this ("consumer editions" translated in Czech):
Code:
# Decline unnecessary Windows 10 updates
Write-Host "Declining unnecessary Windows 10 updates"
SearchAndDecline("Windows 10 (uživatelské edice)")
SearchAndDecline("Windows 10 (consumer editions)")
4) Manually decline obsolete and superseded updates.
5) Manually clean up (remove) updates that were obsoleted or are unneeded
I have all this scheduled to run daily. My PowerShell script is attached. Credit goes to someone somewhere on the Internet for a head start on this.
P.S. Be
very patient. The WSUS GUI is just
incredibly slow.