The performance of the software updates process in general, and the Callisto software updates dashboard specifically, depends on the performance of the SQL databases for WSUS and for the Software Update Point tables in the Configuration Manager database. Today, with the arrival of more classes of updates for Windows 10 and the Windows 10 servicing model, the WSUS DB can become unmanageably large, but there are some simple steps we can take to ensure this is kept under control.
Step 1: Validating the Products and Classifications Selected within Configuration Manager
It is highly likely that SCCM is instructing the WSUS engine to synchronise more metadata than is necessary – you may have selected to synchronise metadata about update classifications or products that you don’t use in your environment. We start by examining the configuration of the Software Update Point Site Component;
In the screenshot below, these are typical selections made for Software Update Classifications, except for the “Include Microsoft Surface drivers and firmware updates” option – which should only be selected if you have those devices and actually desire to roll out firmware/drivers using Software Updates (most likely not!)
- If you are using your own Antimalware product and are not using System Center Endpoint Protection or Windows Defender (Windows 10) and you do not care so much about Microsoft Office performing its own link/junk email filtering (because you handle this some other way) – then the Definition Updates category can be de-selected.
- It is highly unlikely that you care about deploying Feature Packs or Tools – these are not security updates which provide protection. So, you can probably untick these Classifications.
- If you are deploying Windows 10, which you most likely will be, then you should have the Upgrades classification enabled – but do be sure you have completed the prerequisites exactly as warned before enabling this Classification.
We then move onto:
In the screenshot below, we see some typical selections made that our customers enable – but maybe don’t need.
For each product selected, we need to ascertain if we have any devices in our environment which use that product and has reported status of any update related to that product. To do this, browse the main “Software Updates” node and apply some search criteria for the product you are validating. You can open a second Configuration Manager console to help you with this task. In the screenshot below, we are validating our selection of the Skype for Business Server 2015 product.
The results above show that we have no systems with this product updates installed or required – so we can safely assume that, at least for the moment, we can go ahead and untick that product selection from our Software Updates Products configuration.
Repeat this validation process for any Product you have enabled which you are not 100% certain if you use in your environment.
When you have completed this task, Configuration Manager will configure the local WSUS synchronisation settings to match (after a few minutes) and when the next synchronisation occurs, less metadata will be synchronised. We now need to address the existing unwanted metadata in the WSUS database.
Cleaning up WSUS
Configuration Manager synchronises its own database of updates with the WSUS SUSDB – if the SUSDB is full of unwanted metadata, then this will affect the performance of the Configuration Manager Software Updates mechanism. Configuration Manager does NOT synchronise declined or expired updates from the SUSDB – so we need to go ahead and use the WSUS console to perform some cleanup.
The WSUS console DOES have a “Server Cleanup Wizard” – however, in our experience this takes forever to complete, if at all, and leaves you uncertain of what is occurring… or how long it needs. So, we recommend not using this for the moment, instead we will find and decline updates manually that we know we do not care about by either creating new Update Views or simply searching for specific information. In the examples below, we can create new Update Views for Definition Updates Classification or any Skype for Business Product.
In the screenshot below, we have found our unwanted “Skype for Business” Updates, we choose to display updates with Approval: “Any Except Declined” and Status of “Any”, select them all and choose to “Decline” them…
Confirm that we want to decline these updates…
You’ll get a useful progress bar to show you how long the decline process is taking…
When complete, the update status in the WSUS console will show as Declined.
We can also Search for updates that we want to decline;
When you have carefully declined updates for Classifications or Products that are not needed in your environment, at the next Configuration Manager synchronisation with the SUSDB it will start its own process of removing the metadata for these updates from its own Database.
Windows 10 Upgrades
One of the most recent causes of large WSUS SUSDB metadata and issues concerning clients failing to scan (timeout errors etc.) is that Microsoft extended the WSUS catalogue to include Feature Upgrades Classification for Windows 10. These updates add a significant overhead to the Software Updates mechanism. If you are (and you should be!) deploying Windows 10 in your environment, then you may want to synchronise this update Classification – but be aware you have correctly implemented the requirements if you are running WSUS on Windows Server 2012/R2 BEFORE you enable this Classification!
In the screenshot below, we have created a new Update View for the Upgrades Classification, and you can see the horror that awaits;
We have all manner of Upgrades for Windows 10 versions, in many languages in the WSUS database that we simply do not require – and so we do not want all this extra metadata in the Configuration Manager Database.
You should identify and remove Upgrades as follows;
- Select and decline ALL updates for Editions of Windows 10 that are not in deployment in your organisation – i.e.: Windows 10 Professional or Education.
- Select and decline ALL updates for Versions of Windows 10 that are not in deployment in your organisation – i.e.: Windows 10 Version 1511 or 1607.
- Select and decline ALL updates in Language Pack Regions which you are not supporting in your environment – i.e.: German (de-de), Korean (kr-kr) etc.
You may need to perform these steps several times a year to keep the WSUS database clean of Upgrades which meet the conditions above, as new upgrades for Windows 10 are released.
When you have completed all the above tasks and validated all of the update Classifications and Products that you are synchronising, this should result in a notable improvement of the SCCM Software Update synchronisation and console node and the Callisto Software Updates page should load in a few seconds: