Simon says – unleash WSUS performance

Some time ago I was configuring WSUS server on Windows Server 2016, I needed to do it as performance of WSUS on 2012 was like caption of this image:


I’m putting all the changes I made for future reference (this basically also is the purpose of this blog, as my memory is also like the caption of the above image).

Continue reading “Simon says – unleash WSUS performance”

PowerShell script to auto approve WSUS updates for pilot and standard groups.

Recently there has been a need for me to create script that will cover auto approval work for WSUS.

So the idea was tu approve certain patches to pilot group, and after 2 weeks apply these on standard target group and do another pilot group approval for latest time span.

Important! WSUS target groups need to have “Standard” and “Pilot” in their names.

Lines of code that are worth mentioning:

## 64th LINE
## Specify time span between pilot and standard approvals, below is 14 days
$Next_Approval_Date_Raw = (Get-Date).AddDays(14)
## 106 - 108 LINE
## Specify the report file name and path
$CSVFileName = $range+"UpdateTimes.csv"
$CSVPath = 'c:\'
$CSVFile = "$CSVPath$CSVFileName"

So after specifying what period we like we just need to specify the file name and path and we are ready to go!

If we would like to show it on diagram it would look like:


Of course we may add many things to it’s functionality and this is just the very early version of the script. Worth adding might be – and probably will be added in future – a list of updates that were approved to particular target group – it s already there in “verbose” mode, adding possibility to choose the target groups by name other than “Server” or “Workstation”.

Script can be found on TechNet and GitHub.

[SOLVED] WSUS doesn’t approves updates, although it has proper “approval rule”.

Recently I had a strange symptom, for example, when newly created Windows 7 client was searching updates on the Microsoft Update website it saw about 150 of updates, at the same time seeing 1 from local WSUS server.

Sometimes I use to say that something is simple as shovel… or fu*king. WSUS should be one of those things, but apparently it is not. I was already one battle with it – TECHNET THREAD.

Hence I know that WSUS can be let say, a pain in the ass, in parlance.

That state with updates was a little bit strange, all the more, I have “auto approval” rule on my WSUS for almost all updates – i’m just not approving the Service Packs.

The investigation lead me to our root WSUS server. As I looked at the “Update Report” of one conflict update the state was “Not Approved”. I was astonished. Why for God’s sake! Doesn’t the rule says you shall install it you stupid motherfu*ker!

I tried to restart services, the whole server, there was no warnings, no error in event logs.

Then, as I was for hundred time waching the “Automatic Approval” dialog box, I picked one rule, and I thought “hmmm.. why not” and clicked the “Run now” button.

After that operation the updates started to be available for clients! Apparently the “run now” operation unblocked the pipe 🙂 But what was the reason for that, have no idea :/

WSUS and Digital Signatures on file C:\Windows\SoftwareDistribution\SelfUpdate\ are not trusted: Error 0x800b0001

I have recently met a problem that I have been receiving 0 updates on my machines that were connected to one of WSUS servers. After analysis it appeared that despite of successfull synchronization there are some problems with it. As far as I know the best solution for this is reinstalling the WSUS server.

After doing this I statring to receive an error:

Digital Signatures on file C:\Windows\SoftwareDistribution\SelfUpdate\ are not trusted: Error 0x800b0001

As I read in the mighty powerfull internet (, I have to install one update (2720211) to  repair this issue.

I have downloaded this update, I opened the WSUS server on full screen, and I have noticed that in right low corner I have nitification baloon with exactly that update… I have installed it, restart the server, run on the client: wuauclt /detectnow and everything was ok