Clean up Windows Server Update Services


There are many ways to achieve a well-functioning Windows Server Update Services (WSUS) system. Unfortunately, not all of them lead to the final destination, many are rather stages on the way. One of these stages I would like to introduce to you here, solved with some PowerShell.

73549586e86744dea0deaa25705d3bcc Clean up Windows Server Update Services 3

First some theory, when a computer requests the WSUS server, it gets not only a list of updates released for it, but also a list of updates that have not been rejected and for which the computer has not yet given any feedback. So also the updates that are not approved, so that the computer can give feedback to the WSUS: I need this update too. So the WSUS knows which updates are in addition needed.

Why is that bad? Bad is the wrong word, but it can cause problems. Each WSUS client can only process a certain number of updates. If he gets more, he makes a partial report back and tries again later for the rest. Depending on which products, classifications and languages are configured on the WSUS, this can easily run into the hundreds of thousands. New computers take unnecessarily longer to receive updates, especially if they only try once a day. This can also lead to performance problems on the WSUS server. Therefore Microsoft has already made some changes to some adjustments to some parameters of the WSUS Server based on Windows Server 2016. Please also read the article “Problems with the Windows Server Update Service – 0x8024400D“.

But what can you do? Cleaning up is the answer. Since it always takes a little time to do this manually and I am usually lazy, I have written a script. But first let’s see what can be cleaned up.

Updates that may not be needed


Before you use this script, make sure you are sure that you will not need the updates in the future. The only option to undo this is to approve all updates, whether they are needed or not. Alternatively, set up the WSUS again and start over.

Also important, approved updates are also treated accordingly, i.e. rejected!

This script therefore falls into the category of “Fabian’s Shotgun Scripts“, as the term was invented by his colleagues, for everything that you should think about 3 times before and check if the backups are working.

Itanium Updates

A long time ago Intel introduced the Itanium platform. There are still updates for Windows Server 2008 and 2008 R2. If you don’t need them, this can save 0-6 updates per month.

Microsoft Office

Unfortunately I can usually only select the Office version in the categories, not the architecture. There you can also do some optimization. So if you only use the 32-bit version of Office, you can delete the x64 update. But remember the warning! It’s better if you only use x64 and can delete the x86 updates.

Preview Updates

Do you like to test the preview versions of Microsoft? In my test lab maybe, but at customers environment? No, thanks.

Language packs

If you do not use language packages or the feature “LanguageFeatureOnDemand”, you can save several dozens of updates.

Drivers in general

If you have purchased drivers in the past and now want to change that again, you will find a solution here, too.


Drivers in particular

What I have implemented for customers are the rejection of special vendor drivers. Some vendors go to great efforts to provide driver updates via WSUS. This is very admirable, but can also be annoying if you don’t use products of the manufacturer. Examples are Microsoft with their Surface devices or the company Dell.

OfficeWebApp and SharePoint

There are also updates for OfficeWebApps and SharePoint that are distributed through the Office channels. Again, you should consider very carefully whether you want to use this option.

Superseeded or obsolete updates

Even though the WSUS Cleanup Wizard supposedly cleans them up, this does not always seem to work. With this, it will.

Additional functions

The script can also send an email with the rejected updates afterwards. This is especially useful if you want to run the script through the task scheduling. If you start it manually, the list will always be displayed, but be careful: On the first run it can be larger than the window buffer of the PowerShell window. So it is best to enlarge it before.

Also there is a function “WhatIf” here nothing is changed but only a what if list is generated. Optimal if you want to check the result before.


Following the script

After the script a WSUS database optimization is recommended, especially after the first run. Also the WSUS Cleanup Wizard should be run. This will remove unnecessary files from the hard disk and create some space again.

Where do you get the script now? Like most of my scripts in the Microsoft TechNet Gallery.

This article first appeared on in German.

This article is a translation of the article “Windows Server Update Services bereinigen” (Published – 2018-03-08). Links may refer to other articles, these may also be available in English language.