|
1 | | -## ⚙️ WSUS Management Tools |
| 1 | +# ⚙️ WSUS Management Tools |
2 | 2 |
|
3 | | -### 📝 Overview |
| 3 | +## 📝 Overview |
| 4 | +The **WSUS Management Tools** repository provides a curated set of **PowerShell scripts** to automate, maintain, and optimize **Windows Server Update Services (WSUS)** and its **SUSDB (Windows Internal Database)**. |
| 5 | +These tools are designed for **Active Directory** and **standalone** environments, with a lightweight **GUI** for administrators. |
4 | 6 |
|
5 | | -The **WSUS Management Tools** repository provides a curated set of **PowerShell scripts** for automating, maintaining, and optimizing Windows Server Update Services (WSUS) and its underlying **SUSDB (Windows Internal Database)**. These tools are tailored for Active Directory environments and support both standalone and enterprise deployments. |
6 | | - |
7 | | -### ✅ Key Features |
| 7 | +--- |
8 | 8 |
|
9 | | -- **Graphical Interface**: User-friendly GUI for WSUS administrators to execute routine tasks without using the command line |
10 | | -- **Index Optimization**: Automatically generates SQL reindex scripts for fragmented WSUS database indexes |
11 | | -- **Assembly Detection**: Verifies whether WSUS Admin assemblies are correctly loaded from the Global Assembly Cache (GAC) |
12 | | -- **Centralized Logging**: Structured `.log` and `.csv` outputs for documentation and audit purposes |
13 | | -- **Modular Design**: Scripts are standalone and can be used independently or scheduled for automation |
| 9 | +## ✅ Key Features |
| 10 | +- **Graphical Interface**: Run maintenance tasks via GUI (no command line required) |
| 11 | +- **FQDN-Aware**: Automatically detects and uses the server **FQDN** if none is provided in the GUI/JSON |
| 12 | +- **Index Optimization**: Reports fragmentation and generates **smart reindex scripts** for SUSDB |
| 13 | +- **Assembly Detection**: Validates and loads WSUS Admin assemblies from the GAC or known paths |
| 14 | +- **Centralized Logging**: `.log` and `.csv` outputs with structured, timestamped entries |
| 15 | +- **Modular Design**: Scripts can run standalone or be scheduled with Task Scheduler/GPO |
14 | 16 |
|
15 | 17 | --- |
16 | 18 |
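Review bot: The new **Assembly Detection** bullet says the DLL is loaded "from the GAC or known paths", but the README never lists those paths, and prerequisite 7 still mentions only the GAC. Because the assembly is loaded into an elevated session, list the exact directories the script searches and state that they must be writable by administrators only.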
|
17 | 19 | ## 🛠️ Prerequisites |
18 | 20 |
|
19 | | -1. **⚙️ PowerShell** |
20 | | - - Requires PowerShell version 5.1 or later |
21 | | - - To verify: |
22 | | - ```powershell |
23 | | - $PSVersionTable.PSVersion |
24 | | - ``` |
| 21 | +1. **PowerShell** |
| 22 | + - Requires **Windows PowerShell 5.1+** |
| 23 | + ```powershell |
| 24 | + $PSVersionTable.PSVersion |
| 25 | + ``` |
25 | 26 |
|
26 | | -2. **🔑 Administrator Privileges** |
27 | | - Scripts must be run with elevated privileges to access WSUS APIs and SUSDB functions |
| 27 | +2. **Administrator Privileges** |
| 28 | + - Must be run **elevated** to access WSUS APIs and SUSDB |
28 | 29 |
|
29 | | -3. **📦 Required Modules** |
30 | | - - `UpdateServices` – installed with the WSUS Administration Console |
31 | | - - `ActiveDirectory` – optional, used for WSUS server discovery in the forest |
| 30 | +3. **Required Modules** |
| 31 | + - `UpdateServices` (included with the WSUS Administration Console / Tools) |
| 32 | + - `ActiveDirectory` *(optional, for WSUS server discovery)* |
32 | 33 |
|
33 | | -4. **🗃 SQLCMD Tools** |
34 | | - - Required for executing SQL queries against the SUSDB using named pipes |
35 | | - - Ensure `sqlcmd.exe` is in the system PATH or manually defined |
| 34 | +4. **SQLCMD Tools** |
| 35 | + - Required to execute SQL scripts on SUSDB (via named pipe: `np:\\.\pipe\MICROSOFT##WID\tsql\query`) |
| 36 | + - Ensure **`sqlcmd.exe`** is installed and on your `PATH` |
36 | 37 |
|
37 | | -5. **🔧 Execution Policy** |
| 38 | +5. **Execution Policy** |
38 | 39 | ```powershell |
39 | 40 | Set-ExecutionPolicy -Scope Process -ExecutionPolicy RemoteSigned |
40 | 41 | ``` |
41 | 42 |
|
42 | | -6. **📂 SQL Script Files** |
43 | | - - **C:\Scripts\wsus-reindex.sql** (generated by **Generate-WSUSReindexScript.ps1**) |
44 | | - - **C:\Scripts\wsus-verify-fragmentation.sql** |
| 43 | +6. **SQL Script Files** (copy into `C:\Logs-TEMP\WSUS-GUI\Scripts`) |
| 44 | + - `wsus-verify-fragmentation.sql` |
| 45 | + - `wsus-reindex-smart.sql` |
45 | 46 |
|
46 | | - **Important**: When using the SUSDB Maintenance Tasks for *Check Index Fragmentation* and *Rebuild Indexes* in **Maintenance-WSUS-Admin-Tool.ps1**, copy these files to `C:\Logs-TEMP\WSUS-GUI\Scripts`. |
47 | | - |
48 | | -7. **🧩 WSUS Admin Assembly** |
49 | | - Ensure `Microsoft.UpdateServices.Administration.dll` is registered in the GAC |
50 | | - Use **Check-WSUS-AdminAssembly.ps1** to validate the assembly presence and load status |
| 47 | +7. **WSUS Admin Assembly** |
| 48 | + - Ensure `Microsoft.UpdateServices.Administration.dll` is available in the **GAC** |
| 49 | + - Validate with **Check-WSUS-AdminAssembly.ps1** |
51 | 50 |
|
52 | 51 | --- |
53 | 52 |
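Review bot: Item 6 has the operator copy `wsus-verify-fragmentation.sql` and `wsus-reindex-smart.sql` into `C:\Logs-TEMP\WSUS-GUI\Scripts`, and item 4 says these scripts are executed against SUSDB with `sqlcmd.exe` from an elevated session, so whoever can write to that folder decides what SQL runs. Add a line requiring that the folder be writable by administrators only (a folder created under the `C:\` root usually inherits create/write rights for ordinary users), or keep the `.sql` files next to the `.ps1` scripts instead of in a log tree.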
|
54 | | -## 📜 Script Descriptions (Alphabetical Order) |
| 53 | +## 📜 Script Descriptions |
55 | 54 |
|
56 | | -| **Script Name** | **Function** | |
57 | | -|-------------------------------------|------------------------------------------------------------------------------| |
58 | | -| **Check-WSUS-AdminAssembly.ps1** | Checks if `Microsoft.UpdateServices.Administration.dll` is loaded from GAC; prompts to install WSUS Console if missing | |
59 | | -| **Generate-WSUSReindexScript.ps1** | Generates `wsus-reindex.sql` based on fragmentation and page thresholds using SQLCMD | |
60 | | -| **Maintenance-WSUS-Admin-Tool.ps1** | Performs WSUS cleanup, checkdb, shrink, reindex, and exports declined updates to CSV | |
| 55 | +| Script | Function | |
| 56 | +|--------|----------| |
| 57 | +| **Check-WSUS-AdminAssembly.ps1** | Detects/loads `Microsoft.UpdateServices.Administration.dll`; guides installation if missing | |
| 58 | +| **Maintenance-WSUS-Admin-Tool.ps1** | GUI: decline updates (expired, superseded, unapproved), cleanup obsolete files/computers, SUSDB tasks (CHECKDB, shrink, reindex, backup) | |
| 59 | +| **RebuildWSUS-Classifications.ps1** | Resets WSUS **Classifications** when MMC fails to show all categories (local execution recommended) | |
61 | 60 |
|
62 | 61 | --- |
63 | 62 |
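Review bot: The table drops the `Generate-WSUSReindexScript.ps1` row, yet `wsus-reindex-smart.sql` is still a required file and the README no longer says where it comes from. State whether the file now ships in the repository or is still generated, so an operator does not obtain it from somewhere else. The new `RebuildWSUS-Classifications.ps1` row says it "Resets" classifications; one sentence on what state is changed and whether a SUSDB backup should be taken first would help.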
|
64 | | -## 🚀 Usage Instructions |
| 63 | +## 🚀 Usage |
| 64 | + |
| 65 | +### GUI Tool |
| 66 | +1. Right-click **Maintenance-WSUS-Admin-Tool.ps1** → **Run with PowerShell (Admin)** |
| 67 | +2. Configure WSUS server (defaults to **local FQDN** and port `8530` if missing) |
| 68 | +3. Select maintenance tasks (check boxes) |
| 69 | +4. Run and monitor execution in the status window and log |
65 | 70 |
|
66 | | -1. **Run the Script**: Right-click the desired `.ps1` file and select _Run with PowerShell_ as Administrator |
67 | | -2. **Select Maintenance Options**: Use GUI checkboxes or configure parameters in the script |
68 | | -3. **Check Logs**: Logs are saved in `$env:ProgramData\WSUS-GUI\Logs` or custom path |
| 71 | +### Classifications Reset |
| 72 | +Run directly **on the WSUS server** if MMC classifications are incomplete: |
| 73 | +```powershell |
| 74 | +.\RebuildWSUS-Classifications.ps1 -ServerName "wsusn01-tjap.sede.tjap" -Port 8530 -UseSSL:$false |
| 75 | +``` |
| 76 | +After running, reopen **WSUS MMC → Options → Products and Classifications → Classifications**. |
69 | 77 |
|
70 | 78 | --- |
71 | 79 |
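Review bot: The Classifications Reset example passes `-ServerName "wsusn01-tjap.sede.tjap"`, which looks like a real internal hostname; replace it with a placeholder such as `wsus01.example.local`. The same example and GUI step 2 only show port `8530` with `-UseSSL:$false`; add the SSL variant (WSUS uses `8531` for HTTPS by default) so the documented path is not plain HTTP only. In GUI step 1, the Explorer entry is "Run with PowerShell" and it does not elevate, so "(Admin)" should be replaced with an instruction to start the script from an elevated PowerShell window.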
|
72 | 80 | ## 📁 Complementary Files |
| 81 | +- `wsus-verify-fragmentation.sql` → SUSDB fragmentation report |
| 82 | +- `wsus-reindex-smart.sql` → Smart reindex logic (skip low pages, reorganize vs rebuild) |
| 83 | +- `settings.json` → GUI persistence file |
| 84 | +- `Logs\` → Example: `WSUS-Maintenance-20250915-095431.log` |
73 | 85 |
|
74 | | -- **wsus-reindex-smart.sql**: Example SQL script created by **Generate-WSUSReindexScript.ps1** |
75 | | -- **wsus-verify-fragmentation.sql**: SQL query for analyzing index fragmentation in SUSDB |
| 86 | +--- |
| 87 | + |
| 88 | +## 💡 Tips |
| 89 | +- **Logs & Configs** |
| 90 | + - Logs: `C:\Logs-TEMP\WSUS-GUI\Logs\` |
| 91 | + - CSV: `C:\Logs-TEMP\WSUS-GUI\CSV\` |
| 92 | + - Backups: `C:\Logs-TEMP\WSUS-GUI\Backups\` |
| 93 | + - Settings: `C:\Logs-TEMP\WSUS-GUI\settings.json` |
| 94 | + |
| 95 | +- **Console Visibility** |
| 96 | + - GUI hides the console window by default |
| 97 | + - Comment out the *Hide Console* block in scripts while debugging |
| 98 | + |
| 99 | +- **Timeout Handling** |
| 100 | + - Some WSUS builds lack `DatabaseCommandTimeout`; this is logged as `[DEBUG]` |
| 101 | + - **CompressUpdates** may time out — run standalone during off-hours if needed |
76 | 102 |
|
77 | 103 | --- |
78 | 104 |
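Review bot: The Tips list places `Backups\` and `settings.json` under `C:\Logs-TEMP\WSUS-GUI\`, while the removed usage step pointed at `$env:ProgramData\WSUS-GUI\Logs`, and the README does not say whether these paths are configurable or what happens to existing installs. SUSDB backups carry the server's full update and computer data, so document who may read the `Backups\` folder and how long backups are kept. For the `DatabaseCommandTimeout` tip, logging the missing property only as `[DEBUG]` hides from the operator that the timeout was not applied; consider stating that it is logged at warning level, or explain how to see `[DEBUG]` entries.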
|
79 | | -## 💡 Optimization Tips |
| 105 | +## 🧰 Troubleshooting |
| 106 | + |
| 107 | +- **`sqlcmd.exe` not found** → Install SQL Server Command Line Utilities and add to PATH |
| 108 | +- **`Get-WsusServer failed`** → Ensure WSUS Admin Console is installed and run PowerShell as Admin |
| 109 | +- **MMC missing classifications** → Run `RebuildWSUS-Classifications.ps1` locally on the WSUS server |
| 110 | +- **WinRM errors in remote mode** → Enable remoting with: |
| 111 | + ```powershell |
| 112 | + Enable-PSRemoting -Force |
| 113 | + ``` |
| 114 | + |
| 115 | +--- |
80 | 116 |
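Review bot: The WinRM entry recommends `Enable-PSRemoting -Force` without saying on which machine to run it or what it changes. The cmdlet starts the WinRM service, creates a listener and adds firewall exceptions, and `-Force` suppresses the confirmation prompts, so the README should name the target (the WSUS server), note that the firewall rule should be scoped to the management hosts, and describe the "remote mode" that this entry refers to, which is not documented anywhere else in the file.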
|
81 | | -- **Leverage GPO Scheduling**: Automate maintenance using Task Scheduler or GPO-based scripts |
82 | | -- **Centralize Logging**: Update `$logDir` in scripts to store logs on a network share |
83 | | -- **Adapt Paths Per Environment**: Customize variables like `$sqlcmd`, `$namedPipe`, and folder paths |
84 | | -- **Use Staging First**: Test WSUS maintenance tasks in a lab before production |
85 | | -- |
| 117 | +## 🔒 Scheduling & Security |
| 118 | +- Use **Task Scheduler** or **GPO** for recurring maintenance (overnight) |
| 119 | +- Centralize logs by redirecting `$LogDir` to a UNC path |
| 120 | +- Always run as a **WSUS Administrator** account (least privilege recommended) |
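Review bot: The last bullet, "Always run as a **WSUS Administrator** account (least privilege recommended)", does not line up with prerequisite 2, which requires an elevated session for the WSUS APIs and SUSDB. Spell out which account a scheduled task should use (for example a dedicated service account that is a local administrator on the WSUS server only) and what rights it needs on the UNC share named in the `$LogDir` bullet, which should be write access for that account and nothing broader. The removed "Use Staging First" tip has no replacement; consider keeping it, since the tool now also declines updates and shrinks the database.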