Clean obsolete patches from WSUS DB

Summary

This article describes the steps necessary to remove old third-party packages created by the Software Vulnerability Manager (SVM) from your local WSUS server. While this reference is designed to help you with your SVM installation, you should direct any questions about WSUS itself to the Microsoft forums.

Synopsis

As you use SVM2018 over time, the packages it creates stack up and take up valuable disk space on the server that hosts the WSUS role.

Unfortunately, declining the updates and deleting the packages from SVM does not remove the package files from the \UpdateServicesPackages folder on disk, where SVM packages reside.

Discussion

Method 1 

Clean up any old or irrelevant packages from the SVM web interface under Patching > Available.

  1. Go through the created packages and determine which ones are no longer relevant.
    1.1  Any package whose version is lower than the latest "Patched Version" for that product is superseded: clients on it remain vulnerable, so it has to go.
  2. Decline and then Delete the old or irrelevant package entries listed in the Available menu.

If you use SCUP, it may also be necessary to run the SCUP cleanup wizard. In addition to the steps above, purge the old package metadata from the WSUS database with the WSUS Server Cleanup Wizard:

  1. Open the WSUS console from Server Manager and navigate to the Options area.
  2. Select the Server Cleanup Wizard.
  3. Run the Server Cleanup Wizard.

Run WsusUtil with the listunreferencedpackagefolders parameter and redirect the result to a file:

  1. Open CMD as an Administrator and change to the tools directory: cd "C:\Program Files\Update Services\Tools"
  2. WsusUtil.exe listunreferencedpackagefolders > c:\test\deletefolders.txt
  3. Open C:\test\deletefolders.txt; it lists the folders of the packages you declined and deleted from SVM.
  4. Remove the header line at the beginning of the file that reads:
    4.1  "The following folders are not referenced by any of the updates in your WSUS server."
  5. In front of each remaining entry add the following: rmdir /q /s
    5.1  e.g.: rmdir /q /s C:\Sources\WSUS\UpdateServicesPackages\598ecbc7-2208-401b-9f0c-8eb57488aee
  6. Once every entry has rmdir /q /s in front of it, check that each path is a GUID-named folder under your UpdateServicesPackages directory (rmdir /q /s deletes without asking), then save the file with a .cmd extension.
  7. Run the deletefolders.cmd file from the elevated prompt (or double-click it if your account has delete rights on the WSUS content folder).
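The following PowerShell script is an added example, not part of the original article, that automates steps 2 to 7 above in one go. It assumes WsusUtil.exe is in its default location and that $ContentRoot points at your UpdateServicesPackages folder (both are parameters you can override). Unlike the hand-edited .cmd file, it refuses to delete any path that is not a GUID-named folder under the content root, so a stray line in the WsusUtil output can never become an rmdir on some other directory. Run it with -WhatIf first from an elevated PowerShell prompt on the WSUS server.

```powershell
# Added example (not from the article): automate "WsusUtil listunreferencedpackagefolders"
# plus the rmdir /q /s step, with safety checks on every path before it is removed.
# Assumptions: WsusUtil.exe in its default Tools folder; $ContentRoot is your
# UpdateServicesPackages directory (override both via parameters).
# Run from an elevated PowerShell prompt on the WSUS server; use -WhatIf first.
[CmdletBinding(SupportsShouldProcess = $true)]
param(
    [string]$WsusUtil    = 'C:\Program Files\Update Services\Tools\WsusUtil.exe',
    [string]$ContentRoot = 'C:\Sources\WSUS\UpdateServicesPackages',
    [string]$LogFile     = 'C:\test\deletefolders.txt'
)

$ErrorActionPreference = 'Stop'
if (-not (Test-Path -LiteralPath $WsusUtil)) { throw "WsusUtil.exe not found at $WsusUtil" }

# Step 2: capture the raw output and keep it as a record of what was listed.
$raw = & $WsusUtil listunreferencedpackagefolders
New-Item -ItemType Directory -Path (Split-Path $LogFile) -Force | Out-Null
$raw | Set-Content -Path $LogFile

# Steps 3-5: keep only lines that are absolute paths (this drops the explanatory
# header line), then reject anything outside $ContentRoot or not named like a GUID.
$root   = (Resolve-Path -LiteralPath $ContentRoot).Path.TrimEnd('\')
$guidRx = '^[0-9a-f]{8}-([0-9a-f]{4}-){3}[0-9a-f]{12}$'
$folders = foreach ($line in $raw) {
    $p = "$line".Trim()
    if ($p -notmatch '^[A-Za-z]:\\') { continue }
    $full = [IO.Path]::GetFullPath($p).TrimEnd('\')
    if (-not $full.StartsWith($root + '\', [StringComparison]::OrdinalIgnoreCase)) {
        Write-Warning "Skipping path outside content root: $full"; continue
    }
    if ((Split-Path $full -Leaf) -notmatch $guidRx) {
        Write-Warning "Skipping non-GUID folder name: $full"; continue
    }
    $full
}

# Steps 6-7: the actual deletion, gated by ShouldProcess so -WhatIf only reports.
foreach ($f in $folders) {
    if (-not (Test-Path -LiteralPath $f)) { continue }
    if ($PSCmdlet.ShouldProcess($f, 'Remove unreferenced package folder')) {
        Remove-Item -LiteralPath $f -Recurse -Force
    }
}
"$(@($folders).Count) unreferenced folder(s) listed; raw output saved to $LogFile"
```

Save it as, for example, Remove-UnreferencedWsusFolders.ps1 and run `.\Remove-UnreferencedWsusFolders.ps1 -WhatIf` to review the list; rerun without -WhatIf to delete. The GUID check is what makes this safer than the .cmd approach: WsusUtil only ever reports GUID-named package folders, so any other path in the output is a reason to stop and look.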

Method 2 

A PowerShell script attached to this article deletes all third-party packages from your WSUS server. Log in to the WSUS server and run the script from a PowerShell session started as an administrator. Note that it removes every third-party (locally published) package, not only those created by SVM, so review what else publishes to the server (for example SCUP) before running it.
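The attached script is not reproduced on this page. As an added example of how such a cleanup can be written (this is not the attached script and not Flexera's code), the following uses the WSUS administration API to find every locally published update, decline it and then delete its metadata. It assumes the UpdateServices PowerShell module is present on the WSUS server (it is installed with the WSUS role) and adds a hypothetical -TitleFilter parameter so you can narrow the deletion to one vendor instead of everything published locally.

```powershell
# Added example (not the script attached to the article): decline and delete every
# locally published (third-party) update through the WSUS administration API.
# Assumptions: run in an elevated PowerShell session on the WSUS server itself, with
# the UpdateServices module available. -TitleFilter is a hypothetical narrowing
# parameter (e.g. '*Adobe*'); the default '*' removes ALL locally published updates,
# including any published by SCUP or other tools. Run with -WhatIf first.
[CmdletBinding(SupportsShouldProcess = $true)]
param(
    [string]$TitleFilter = '*'
)

$ErrorActionPreference = 'Stop'
Import-Module UpdateServices
$wsus = Get-WsusServer      # connects to the local WSUS instance

# UpdateSource is MicrosoftUpdate for synchronized content and Other for anything
# published locally, which is how SVM packages appear to WSUS.
$localOnly = [Microsoft.UpdateServices.Administration.UpdateSource]::Other
$local = $wsus.GetUpdates() | Where-Object {
    $_.UpdateSource -eq $localOnly -and $_.Title -like $TitleFilter
}

"Found $(@($local).Count) locally published update(s) matching '$TitleFilter'"
foreach ($u in $local) {
    $label = '{0} [{1}] approved={2} declined={3}' -f `
        $u.Title, $u.Id.UpdateId, $u.IsApproved, $u.IsDeclined
    if ($PSCmdlet.ShouldProcess($label, 'Decline and delete')) {
        if (-not $u.IsDeclined) { $u.Decline() }   # take it out of client scope first
        $wsus.DeleteUpdate($u.Id.UpdateId)         # then remove the update metadata
    }
}
```

Declining before deleting matters: a decline is what stops clients and downstream servers from requesting the update, while the delete only drops the metadata. After the metadata is gone, the package folders on disk are unreferenced, so finish with the WsusUtil listunreferencedpackagefolders procedure from Method 1 to reclaim the space.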

Workaround

The packages you have deleted so far were patches you removed from the SVM2018 interface, patches no longer used by WSUS, and patches tagged with Declined status.
Sometimes this is still not enough.

  • If you installed a new WSUS on top of your old one and configured new certificates for the new installation, you may have 'left behind' updates that are still active.
    • Update packages are code-signed. Patches published earlier were signed with the older certificate, which is no longer in use, and so:
      • They may not be visible in SVM2018.
      • They will not be seen in the WSUS Server Console either.
      • They are physically present under \UpdateServicesPackages and may remain Approved.
      • WSUS may still distribute them to clients (or sync them to downstream servers) as long as a client is applicable for the update and requests it. Clients that still trust the old signing certificate will continue to accept them.
    • Because these patches were signed with a certificate that is no longer used:
      • You can't reuse them, you can't Decline them, and you can't even see them in SVM2018. They have become unusable (and newer versions will replace them anyway).
        • You must force their removal by going to the UpdateServicesPackages folder (for example C:\Program Files\Update Services\UpdateServicesPackages\) and deleting them from disk.
          • If in doubt about which patches (sitting in folders with long GUID names) are to be deleted:
            • Enter one of the GUID folders.
            • Find the .CAB file that has the same name as the GUID.
            • Right-click it and select Properties.
            • Open the 'Digital Signatures' tab.
            • Double-click the signature in the middle window.
            • Select 'View Certificate' in the new window.
            • Select 'Details' in the new (third) window and find the 'Serial number' field. The 'Thumbprint' field further down is the more reliable identifier, since a serial number is only unique per issuer while a thumbprint identifies exactly one certificate.
          • The serial number (or thumbprint) tells you whether the certificate that code-signed this package is the one your domain actively uses:
            • On the WSUS server, open MMC > File > Add or Remove Snap-In > Certificates > Computer account > Local Computer.
            • Open the 'WSUS' store and check the serial number of the certificate there. This is the certificate you currently use.
          • Do not delete any patches signed with your current certificate - delete only patches signed with a certificate that is not in the WSUS certificate store.
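Checking each CAB by hand through the Properties dialog is error-prone on a server with hundreds of package folders. The script below is an added example, not part of the original article, that performs the same comparison automatically: it reads the Authenticode signature of the GUID-named .cab in every package folder and compares the signer's thumbprint against the certificates in the machine's WSUS store, reporting the serial number the manual steps refer to. It assumes $PackageRoot is your UpdateServicesPackages folder (override it) and that the WSUS store contains only the signing certificate(s) you consider current. Folders that are unsigned or have no CAB are reported but never deleted, because a missing signature is not evidence of a stale one.

```powershell
# Added example (not from the article): find package folders whose .cab was signed
# by a certificate that is NOT in Cert:\LocalMachine\WSUS, and optionally delete them.
# Assumptions: $PackageRoot is your UpdateServicesPackages folder (override it);
# the WSUS store holds exactly the signing certificate(s) currently in use.
# Run elevated on the WSUS server; use -WhatIf first and read the table.
[CmdletBinding(SupportsShouldProcess = $true)]
param(
    [string]$PackageRoot = 'C:\Program Files\Update Services\UpdateServicesPackages'
)

$ErrorActionPreference = 'Stop'

# The certificate(s) WSUS currently uses for local publishing, i.e. the 'WSUS' store
# you would open in MMC. Compare thumbprints rather than serial numbers: a serial
# number is only unique per issuer, a thumbprint identifies exactly one certificate.
$current = @(Get-ChildItem Cert:\LocalMachine\WSUS | ForEach-Object { $_.Thumbprint })
if ($current.Count -eq 0) { throw 'No certificate in Cert:\LocalMachine\WSUS; refusing to guess' }

$guidRx = '^[0-9a-f]{8}-([0-9a-f]{4}-){3}[0-9a-f]{12}$'
$report = foreach ($dir in Get-ChildItem -LiteralPath $PackageRoot -Directory) {
    if ($dir.Name -notmatch $guidRx) { continue }
    $cab = Join-Path $dir.FullName "$($dir.Name).cab"     # the CAB named after the GUID
    if (-not (Test-Path -LiteralPath $cab)) {
        [pscustomobject]@{ Folder = $dir.FullName; Status = 'NoCab'; Signer = $null; Serial = $null }
        continue
    }
    $sig = Get-AuthenticodeSignature -LiteralPath $cab
    if ($null -eq $sig.SignerCertificate) {
        [pscustomobject]@{ Folder = $dir.FullName; Status = 'Unsigned'; Signer = $null; Serial = $null }
        continue
    }
    $status = if ($current -contains $sig.SignerCertificate.Thumbprint) { 'CurrentCert' } else { 'StaleCert' }
    [pscustomobject]@{
        Folder = $dir.FullName
        Status = $status
        Signer = $sig.SignerCertificate.Subject
        Serial = $sig.SignerCertificate.SerialNumber   # the field the manual steps compare
    }
}

$report | Format-Table -AutoSize

# Only folders signed by a certificate that is NOT in the WSUS store are candidates;
# 'NoCab' and 'Unsigned' folders are left for a human to inspect.
foreach ($r in $report | Where-Object Status -eq 'StaleCert') {
    if ($PSCmdlet.ShouldProcess($r.Folder, "Delete package signed by stale certificate $($r.Serial)")) {
        Remove-Item -LiteralPath $r.Folder -Recurse -Force
    }
}
```

Run it once with -WhatIf and keep the table: the 'StaleCert' rows are the orphaned packages the manual procedure would have found, and the 'Serial' column lets you cross-check any row against the Digital Signatures dialog before you delete anything.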

Version history: revision 5 of 5, last updated Sep 25, 2019.