Thursday, 20 November 2008

WSUS 3.0 Cleaning out redundant computers

Following on from my last post about WSUS 3.0 and PowerShell, another thing which bugged me about the WSUS 3.0 GUI is the Cleanup Wizard. This is a really useful tool for keeping your WSUS deployment running efficiently.

It includes the ability to clean out computers which haven't synched with the WSUS server for over 30 days - unfortunately 30 days is the default value which can't be changed in the GUI. Arrgh! I've wanted to run this tool for a long time, but 30 days is way too short and I wanted to be able to specify my own time frame, e.g. 200 days.

Luckily I met Marc Shepard at TechEd EMEA and during a Q&A session for WSUS I asked why it wasn't possible to change the 30 day value. This developed into a discussion along the lines that the WSUS team didn't wish to promote removing lots of computers from WSUS - I can't remember exactly why now, I think it was along the lines of preventing lots of computers which were actually still alive synching back into WSUS. (Apologies if this is not the correct reason.)

Anyway, even though we had a slight difference of opinion about this (I want to remove old computers so that the monthly patch compliance reports are more accurate), Marc kindly agreed to send me over a PowerShell script which would run the cleanup computer part of the wizard, under the caveat that this was not their recommended method for maintenance.

So here it is. This version will give you a list of computers that have not synched for more than the specified number of days:

# Load the WSUS administration API
[reflection.assembly]::LoadWithPartialName("Microsoft.UpdateServices.Administration") | out-null

# Days since last sync; the [int] cast rejects non-numeric input at the prompt
[int]$days = read-host "Please enter the number of days since Last Sync you wish to query for"
$ts = new-object TimeSpan($days,0,0,0)

# Connect to the WSUS server ($false = do not use SSL)
$updateServer = "WSUSServername"
$wsus = [Microsoft.UpdateServices.Administration.AdminProxy]::getUpdateServer($updateServer,$false)

# Select computers whose last sync is older than the cutoff and list them
$computerScope = new-object Microsoft.UpdateServices.Administration.ComputerTargetScope
$computerScope.ToLastSyncTime = [DateTime]::UtcNow.Subtract($ts)
$wsus.GetComputerTargets($computerScope) | sort fulldomainname | ft fulldomainname,lastsynctime


If you wish to remove them then simply change the last line to:


$wsus.GetComputerTargets($computerScope) | foreach-object {$_.Delete();}
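
A more cautious form of the deletion step, added here as an example (it is not Marc's script and not part of the PowerGUI PowerPack): it records the stale computers to a CSV before removing anything and supports a dry run. The function name and the report path are hypothetical, and it assumes PowerShell 2.0 or later for `-WhatIf` support.

```powershell
# Added example: the function name and default CSV path are assumptions.
function Remove-StaleWsusComputer {
    [CmdletBinding(SupportsShouldProcess = $true, ConfirmImpact = 'High')]
    param(
        [Parameter(Mandatory = $true)][string]$UpdateServer,
        [Parameter(Mandatory = $true)][ValidateRange(1, 3650)][int]$Days,
        [string]$ReportPath = ".\wsus-stale-computers.csv"
    )

    [void][Reflection.Assembly]::LoadWithPartialName("Microsoft.UpdateServices.Administration")
    $wsus = [Microsoft.UpdateServices.Administration.AdminProxy]::GetUpdateServer($UpdateServer, $false)

    # Same scope as the script above: last sync older than the cutoff (UTC).
    $scope = New-Object Microsoft.UpdateServices.Administration.ComputerTargetScope
    $scope.ToLastSyncTime = [DateTime]::UtcNow.AddDays(-$Days)
    $stale = @($wsus.GetComputerTargets($scope))

    # Record what is about to be removed. -WhatIf:$false makes sure the
    # report is written even during a dry run of the function.
    $stale | Sort-Object FullDomainName |
        Select-Object FullDomainName, IPAddress, LastSyncTime, LastReportedStatusTime |
        Export-Csv -Path $ReportPath -NoTypeInformation -WhatIf:$false -Confirm:$false

    foreach ($computer in $stale) {
        # Under -WhatIf this only prints the name; otherwise it prompts first.
        if ($PSCmdlet.ShouldProcess($computer.FullDomainName, "Delete from WSUS")) {
            $computer.Delete()
        }
    }
}

# Dry run: writes the CSV and lists what would be deleted, removes nothing.
Remove-StaleWsusComputer -UpdateServer "WSUSServername" -Days 200 -WhatIf
```

Run without `-WhatIf`, it asks for confirmation per computer; add `-Confirm:$false` once the CSV has been reviewed.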


I have added both of these scripts and the ApproveMultipleUpdates scripts from the last post to the WSUS PowerGUI Powerpack.

Also keep an eye on the WSUS section of the MS Script Center; Marc is hoping to publish some more PowerShell scripts for managing WSUS soon.
