WSUS is downloading hundreds of old declined updates

Without any changes to configuration or settings, the WSUS server started downloading hundreds of old updates, from 2009 until now (2020), after a regular scheduled sync with Microsoft. It downloaded over 100 GB and I don't know what the reason for this behavior is. How can I handle it?


Solution 1:

This seems to be a common problem among users. Using trial and error to find a way to get rid of the unwanted updates worked for me. Declining and deleting all old updates won't solve the problem, and they return after the next sync. The steps below solved the problem:

  1. Disconnect the internet if there is high bandwidth usage and downloading from WSUS.

  2. Stop server synchronization in the WSUS console.

    There could be updates still waiting for download.

  3. Run the PowerShell script below to cancel them all. After that, the download status will clear and the number of updates needing files will become 0.

    # Cancel every download WSUS has queued
    (Get-WsusServer).CancelAllDownloads()
    # Stop WSUS and BITS, clear the temp folders, then start both services again
    Stop-Service -Name WsusService,BITS -Force
    Remove-Item -Path $env:LOCALAPPDATA\Temp\* -Recurse -ErrorAction SilentlyContinue
    Remove-Item -Path $env:SystemRoot\Temp\* -Recurse -ErrorAction SilentlyContinue
    Start-Service -Name WsusService,BITS

  4. Disable "Automatic Approval" in the WSUS Options page and make sure to check the option to download updates only when they are approved.

  5. Decline all the unwanted old updates downloaded recently. You could do this by sorting updates by Arrival Date, then selecting and declining all the old updates which arrived recently.

  6. Use the PowerShell script below to delete all declined updates. You could narrow down your selection by modifying the script (e.g. by Arrival Date) if you have declined updates that you don't want deleted:

    # Load the WSUS administration API and connect to the local server
    [reflection.assembly]::LoadWithPartialName("Microsoft.UpdateServices.Administration") | Out-Null
    $wsus = [Microsoft.UpdateServices.Administration.AdminProxy]::GetUpdateServer()
    # Fetch all updates and keep only the declined ones
    $declined = $wsus.GetUpdates() | Where {$_.IsDeclined -eq $true}
    # Delete each declined update and report its title
    $declined | ForEach-Object {$wsus.DeleteUpdate($_.Id.UpdateId.ToString()); Write-Host $_.Title removed }

  7. Run server cleanup. Make sure you check all items related to updates.

  8. Start synchronization. Wait until syncing finishes. At this level synchronization will take long, a few gigs will download and the whole list of old updates will return (good luck to you if it wouldn't), but their files won't download because of our action at level 4.

  9. Repeat level 5, but this time for "Unapproved" updates.

  10. Repeat level 6. I recommend running this script in "PowerShell ISE" for a number of updates (e.g. 30 updates, not all of them at once), then stopping it and running level 11 to make sure you are on the right track.

  11. Repeat level 7 and 8. At this level the server shouldn't go for old downloads again.

  12. Return the automatic approval and download settings changed at level 4 to their previous status if you like.

Solution 2:

In my installation the script given in step 6 by user @harsini to remove declined updates always ran into timeouts because it's first getting ALL updates from the WSUS server and only afterwards narrowing them down to the declined ones on the PS side.
Replace

    $declined = $wsus.GetUpdates() | Where {$_.IsDeclined -eq $true}

with

    $declined = $wsus.GetUpdates([Microsoft.UpdateServices.Administration.ApprovedStates]::Declined, [DateTime]::MinValue, [DateTime]::MaxValue, $null, $null)

to get only declined updates directly from the WSUS server.
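
The following is an added example, not part of either answer: it combines Solution 2's server-side filter with the narrowing by Arrival Date and the batches of about 30 that Solution 1 suggests. The parameter names `-ArrivedAfter`, `-BatchSize` and `-Delete`, their defaults, and the list-only default behaviour are assumptions of this example.

```powershell
# Added example, not from the original answers. Parameter names and defaults are assumptions.
param(
    [datetime]$ArrivedAfter = (Get-Date).AddDays(-7),  # only consider updates that arrived since then
    [int]$BatchSize = 30,                              # number of updates handled per run
    [switch]$Delete                                    # without -Delete the script only lists candidates
)

[void][reflection.assembly]::LoadWithPartialName("Microsoft.UpdateServices.Administration")
$wsus = [Microsoft.UpdateServices.Administration.AdminProxy]::GetUpdateServer()

# Ask the server for declined updates only (Solution 2) instead of fetching everything.
$state = [Microsoft.UpdateServices.Administration.ApprovedStates]::Declined
$declined = $wsus.GetUpdates($state, [DateTime]::MinValue, [DateTime]::MaxValue, $null, $null)

# Keep only recently arrived updates, oldest first, and cap the batch size.
# Assumption: ArrivalDate is reported in UTC, so the cutoff is converted before comparing.
$cutoff = $ArrivedAfter.ToUniversalTime()
$batch = @($declined |
    Where-Object { $_.ArrivalDate -ge $cutoff } |
    Sort-Object ArrivalDate |
    Select-Object -First $BatchSize)

$failed = 0
foreach ($update in $batch) {
    if (-not $Delete) {
        # Dry run: show what would be removed so the selection can be reviewed first.
        Write-Host "Would delete: $($update.ArrivalDate.ToString('u'))  $($update.Title)"
        continue
    }
    try {
        $wsus.DeleteUpdate($update.Id.UpdateId)
        Write-Host "Removed: $($update.Title)"
    } catch {
        # One failed deletion should not abort the rest of the batch.
        $failed++
        Write-Warning "Failed: $($update.Title): $($_.Exception.Message)"
    }
}
Write-Host "$($batch.Count) update(s) in this batch, $failed failure(s)."
```

Run it once without `-Delete` to review the selection, then again with `-Delete`; each further run picks up the next batch until none remain.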