With the use of the Software Vulnerability Manager over time, the number of packages created in Windows Server Update Services (WSUS) can begin to take up valuable disc space on the server that is facilitating the WSUS role. Simply declining and deleting packages in Software Vulnerability Manager does not remove the packages from the \UpdateServicePackages folder where Software Vulnerability Manager packages reside.

This article describes the steps necessary to review and remove old third-party packages created by Software Vulnerability Manager from your local WSUS server to reclaim disc space.

NOTE: This article is intended to help with removing packages related to Software Vulnerability Manager. If you have any questions specifically about WSUS, contact Microsoft. 

Remove obsolete patch packages

Remove patches via the Software Vulnerability Manager interface

1. In Software Vulnerability Manager, go to Patching > Available.
2. Review the packages and determine which are no longer relevant. For example, every package older than the latest patched version is now vulnerable and should be considered for removal.
3. Select Decline and then delete the old or irrelevant package entries.

Run the Cleanup Wizard for SCUP

If you are using System Center Updates Publisher (SCUP), you may need to run the Cleanup Wizard for SCUP.

1. Open the WSUS administration console from Server Manager and navigate to Options > Server Cleanup Wizard.
2. By default, the wizard will remove unneeded content and computers that have not contacted the server for 30 days or more. Select all options you’d like to remove, then click Next.
3. The wizard will begin the cleanup process and then show a summary of what will be removed. Select Finish to complete the process.

Delete packages with WSUSutil

Run WSUSutil with the parameter listunreferencedpackagefolders and delete the packages that it lists.

1. Open the Command Prompt as an Administrator.
2. Execute the following commands to export the list of declined and deleted packages in WSUS to a text file (for example, deletefolders.txt).

cd "C:\Program Files\Update Services\Tools"

WsusUtil.exe listunreferencedpackagefolders > c:\temp\deletefolders.txt​

3. Open the below file to review the list of declined and deleted packages in WSUS:

 C:\temp\deletefolders.txt

4. Delete the beginning lines of the file that say the following:

The following folders are not referenced by any of the updates in your WSUS server.

5. In front of each remaining line, add the following line: 

rmdir /q /s

For example: rmdir /q /s C:\Sources\WSUS\UpdateServicesPackages\598ecbc7-2208-401b-9f0c-8eb57488aee

6. Save the file with the name deletefolders.cmd.
7. Double-click on the deletefolders.cmd file to run it and delete unreferenced packages from the filesystem.

Delete all third-party packages using PowerShell

As an alternative to the above instructions, the following PowerShell commands can be used to delete all the third-party packages from your WSUS server. These commands should be executed on your WSUS server with Administrator rights.

[Reflection.Assembly]::LoadWithPartialName("Microsoft.UpdateServices.Administration")

$wsus = [Microsoft.UpdateServices.Administration.AdminProxy]::GetUpdateServer();

$wsus.GetUpdates() |

Where { $_.UpdateSource -ne "MicrosoftUpdate" } |

ForEach-Object {

    $wsus.DeleteUpdate($_.Id.UpdateId.ToString())

    Write-Host $_.Title removed

}

Additional steps for certain use cases

In some scenarios, you may need to follow additional steps to remove the remaining obsolete packages. If your WSUS has had an in-place reinstall with new certificates, old packages signed with the old certificates may remain in the content directory.

In this situation, you’ll need to force the deletion of all patches by going to C:\Program Files\Update Services\UpdateServicesPackages\ and deleting them.

If you need help determining which patches to delete, follow the instructions below.

1. Enter one of the GUID folders.
2. Find the CAB file that has the same name as the GUID.
3. Right-click on the file and select Properties.
4. Select the Digital Signatures tab.
5. Double-click on the certificate in the Signature List.
6. Select View Certificate in the new window.
7. Select the Details tab in the new window and find the Serial Key field. The serial key is unique. It will show you if the certificate that code-signed this package is the one you are using in your domain actively. To check this:
   1. In WSUS, open MMC > File > Add or Remove Snap-In > Certificates > Local Computer.
   2. Openand check the certificate's serial key there. This is the certificate you currently use.
8. Delete patches signed with a certificate that is not in the WSUS Certificate store. Don’t delete any patches signed with your current certificate.