Is this post related to WSUS SUP causes high CPU? Now our next step is to change the bindings and assign a different port number to the HTTP connection for WSUS, so that the clients are unable to scan against it, thereby freeing up memory for us. Open IIS; expand the server name; click Application Pools; click WsusPool. Modify IIS WSUS Application Pool settings: launch Server Manager, then launch IIS Manager; in the IIS console, click Application Pools; right-click 'WsusPool' and select 'Advanced Settings'; change the value of 'Queue Length' under the General section to 30,000; change the 'Service Unavailable' Response Type from the default HttpLevel to TcpLevel. If the corporate network uses proxy servers, the proxy servers must support HTTP and SSL protocols and use basic authentication or Windows authentication. The following virtual directories (vroots) are created in IIS (in the Default Web Site by default) for client to server synchronization, server to server synchronization, reporting, and client self-update. Private memory limit is set in KB. I know this is a thing that should be done, as I’ve read it elsewhere; perhaps you could add it to the text as well for those who are unsure. Find the WSUS pool and choose the Advanced settings. Read the instructions on the Join the Microsoft Update Improvement Program page and evaluate whether you want to participate. Type the name of the upstream server into the Server name text box. Scroll down to the Recycling section. Review the features checked below. We need to open the IIS console and locate the Application Pools branch. Great article, I refer back to this when setting up new SUPs even though I’ve done it a few times and have a fair idea what I’m doing, just to refresh my memory. 
* Make the following "Advanced Settings" for the WSUS Application Pool in IIS:
  - Queue Length: 25000 (from 10000)
  - Limit Interval (minutes): 15 (from 5)
  - "Service Unavailable" Response: TcpLevel (from HttpLevel)
* Edit the web.config (C:\Program Files\Update Services\WebServices\ClientWebService\web.config) for WSUS (stop IIS first):

In Start Search, type Command prompt. Although the connection between Microsoft Update and WSUS requires ports 80 and 443 to be open, you can configure multiple WSUS servers to synchronize with a custom port. The listening interfaces and ports are configured in the IIS site(s) for WSUS and in any Group Policy settings used to configure client PCs. Because WSUS initiates all the network traffic, it is not necessary to configure Windows Firewall on the WSUS server. To determine the WSUS port settings in IIS 6.0: Type wuauclt.exe /detectnow, and then press ENTER. Install the WSUS server role. Type the required user name, domain, and password into the corresponding text boxes. One of the best practices you can apply in WSUS to avoid performance problems and timeouts is to properly configure the WSUS application pool in IIS. The following is a summary of recommended changes, and a related screenshot. Local administrators cannot disable Automatic Updates. This option notifies a logged-on administrative user before you download and install the updates. Click Next. Step 14: This page will allow you to set the destination directory for the … On the Connect to Upstream Server page, click Start Connecting. If you want to connect to the proxy server by using specific user credentials, select the Use user credentials to connect to the proxy server check box, and then type the user name, domain, and password of the user in the corresponding boxes. 
If your company restricts access, you need to obtain authorization to allow Internet access from WSUS to the following list of URLs: For a scenario in which WSUS is failing to obtain updates due to firewall configurations, see article 885819 in the Microsoft Knowledge Base. Click Enabled, and then select one of the following options under the Configure automatic updating setting: Notify for download and notify for install. On the Choose Upstream Server page, there are two options: synchronize the updates with Microsoft Update, or synchronize from another Windows Server Update Services server. The correct config is likely not both, but the WSUS pool only. When you have the answers to these questions, you can start configuring the following WSUS network settings: Updates: specify the way this server will obtain updates (from Microsoft Update or from another WSUS server). You must import the certificate to all computers that will communicate with the WSUS server. Expand Web Sites, right-click the website for the WSUS server, and then click Properties. Because you cannot require SSL on the server, the only way to make sure that client computers can use a secure channel is by using a URL that specifies HTTPS. Firewall: if you identified that WSUS is behind a corporate firewall, there are some additional steps that must be done at the edge device to properly allow WSUS traffic. For example, if you are using HTTP, you should type http://servername:8530. Can this computer connect to the upstream server (such as the server that is designated to download updates from Microsoft Update)? 
Click Computers, and then select the computers that you want to assign to this new group. In addition to NTFS permissions occasionally being incorrectly set for WSUS, from time to time we find IIS permissions being incorrect or out of sync. On the client computer, open a Command prompt window with elevated privileges. If you do not select this option, you need to use the WSUS Management Console to perform the initial synchronization. If there is a corporate firewall between WSUS and the Internet, you might have to configure that firewall to ensure WSUS can obtain updates. Note the information in the Windows Server Update Services page. Now that you have performed the basic WSUS configuration, read the next sections for more details about changing the settings by using the WSUS Management Console. To add the proxy server that uses the HTTP protocol to the WSUS configuration, use the following procedure: In the left pane, expand the server name, and then click Options. Then click Next. By default, Group Policy updates in the background every 90 minutes, with a random offset of 0-30 minutes. If you have only the WSUS/SUP role on a dedicated server, like me, then you can set the private memory limit to 0. (Make sure that this server and the upstream server support SSL.) If this has occurred, you must re-enable the anonymous read access before you can successfully install and operate WSUS. Best Practice – IIS WSUS App Pool – Private memory limit Settings for Remote SUP/WSUS Server. Click Next. 2.5. Configure WSUS by using the WSUS Configuration Wizard. 
In an environment without Active Directory, use the Local Group Policy Editor to configure Automatic Updates, and then point the client computers to the WSUS server. Clients and downstream servers that are configured to use Transport Layer Security (TLS) or HTTPS must also be configured to use a fully qualified domain name (FQDN) for their upstream WSUS server. You must re-initialize ClientServicingProxy if the server name, SSL configuration, or port number has changed. A SUP that is remote from the site server can support up to 150,000 clients when the remote computer meets the WSUS requirements to support this number of clients. In the Set Computer Group Membership dialog box, select the test group that you created, and then click OK. WSUS Setup automatically configures IIS to distribute the latest version of Automatic Updates to each client computer that contacts the WSUS server. The client computers must trust the certificate that you bind to the WSUS server. If your server requires a proxy server to connect to the Internet, check Use a proxy server when synchronizing. Then enter the details of the proxy server and click Next. This setting indicates to the WSUS server which group the client computer will use. Comprehensive Windows Server Update Services (WSUS) configuration and optimization script. To achieve this you must change the following settings in the WSUS Application Pool. Under IIS Manager App – Expand Server name – Sites – WSUS … after discovering that it expired), WSUS offered no functionality to enable this. For more information about how to use SSL certificates in IIS, see Require Secure Sockets Layer (IIS 7). Proxy: if you identified that WSUS needs to use a proxy server to have Internet access, you need to configure proxy settings on the WSUS server. 
In the Options pane, click Update Source and Proxy Server, and then click the Proxy Server tab. Select your server from the server pool. On the Before You Begin page, review the information, and then click Next. The WSUS database can be local or a remote SQL 2008/2012 server. The Configure Automatic Updates policy opens. In that case, my recommendation is NOT to set 0 as the private memory limit setting. Enabling Anonymous Authentication (IIS 6.0), as documented in the IIS 6.0 Operations Guide. Before realizing what the issue was, I attempted to re-install WSUS and IIS from scratch numerous times … In the Proxy port number text box, type the port number of the proxy server. On the Update Source page, select Synchronize from another Windows Server Update Services server. Microsoft best practice WSUS database optimization and re-indexing. Computer groups permit you to test and target updates to specific computers. Link this WSUS GPO to an Active Directory container that is appropriate for your environment. Use Internet Information Services (IIS) throttling to limit throttling to one or more web services. On the Finished page, you have the option to start the synchronization now by selecting the Begin initial synchronization check box. – The remote SUP site system role can be installed with WID connectivity. Log on to the WSUS server by using an account that is a member of the WSUS Administrators group or the local Administrators group. Configure the cluster network by using the Network Configuration Wizard. In the Add Computer Group dialog box, in Name, specify the name of the new group, and then click Add. 
If you face trouble setting up these prerequisites for installing the Shavlik Patch plugin, it would be best to work directly with Microsoft support. The maximum amount of private memory a worker process can consume before causing the application pool to recycle. WSUS upstream and downstream servers will synchronize on the port configured by the WSUS administrator. Then click Next to proceed. Keep Internet Information Services (IIS) Manager open for the next steps. If the Complete WSUS Installation dialog box appears, click Run. WSUS integrated update and computer cleanup. The IIS and WSUS services must be stopped to prevent the database from being accessed while the Network Load Balancing (NLB) clusters are upgraded. Select product categories, such as Windows, or specific products, such as Windows Server 2012. By default, anonymous read access is enabled for the default and all new IIS websites. After installing the WSUS server role on your server, you need to properly configure it. After you set up a client computer, it will take several minutes before the computer appears on the Computers page in the WSUS Administration Console. I have seen some things saying IIS settings need adjustment, but I am not seeing much on whether these settings also need to be changed in Server 2019. W2016 Standard, WSUS 10.0.14393.2007, IIS 10. Edited the already present MIME type in IIS (.ESD) at the top of the app pool tree and the WSUS pool. WSUS Administrators; IIS settings. Two proxy servers, each of which supports a single protocol. The firewall on the WSUS server must be configured to allow inbound traffic on these ports. Select Enable client-side targeting, select Enabled, and then type the name of the WSUS computer group to which you want to add this computer in the Target group name for this computer box. 
If the status is set to Enabled, this computer will identify itself as a member of a particular computer group when it sends information to the WSUS server, which uses it to determine which updates are deployed to this computer. Configure Secure Sockets Layer (SSL) protocol to help protect Windows Server Update Services (WSUS). IIS configuration validation and optimization. If you want to update Group Policy sooner, you can open a Command prompt window on the client computer and type gpupdate /force. If the database connection must be secured, consider the following recommendations: Move the WSUS database to the WSUS server. The following procedures assume that your network runs Active Directory. If the update has been changed, it is not installed. Selecting a product category selects all the products in that category. Specify how and when automatic updates are applied to client computers. Choose all the classifications or a subset of them, and then click Next. Do you have the name of the proxy server and the user credentials for the proxy server, if you need them? If a computer attempts to retrieve update files on the HTTPS port, the transfer will fail. Auto download and notify for install. Click the Web Site tab. When you have all the site system roles on a single server, you should be very careful with the private memory limit setting of the WSUS application pool. The private key must be installed on the WSUS server, and the public key must be explicitly installed in the trusted certificate store on all client PCs and servers which are to receive custom-signed updates. However, the port that you set up for SSL also determines the port that WSUS uses to send clear HTTP traffic. I’ve just checked your screenshot and that is correct, though. If you use WSUS with a remote SQL Server database, the connection between the WSUS server and the database server is not secured by SSL. 
Click OK to close the Enable client-side targeting policy and return to the Windows Update details pane. If you want to participate in the program. You can create the Group Policy and apply it at the domain level. In the Command prompt window, type the following command: certificateName is the DNS name of the WSUS server. A value of 0 means there is no limit. For client computers that are configured with a domain-based Group Policy Object, it can take about 20 minutes for Group Policy to apply the new policy settings to the client computer. These procedures also assume that you are familiar with Group Policy and you use it to manage the network. Some applications, notably Windows SharePoint Services, may remove anonymous access. Configure computer groups in this topic. By default, WSUS will use port 8530 for HTTP and 8531 for HTTPS. The support engineer was helpful, and she helped to set up the best practices for IIS settings required for remote WSUS/SUP. Or you can create and apply the GPO to a specific OU (containing your computers). Log on to the computer by using a user account that is a member of the local Administrators group or the WSUS Administrators group. Allow local admin to choose setting. In the Windows Update details pane, double-click Specify intranet Microsoft update service location. Deploy Internet Protocol security (IPsec) to help secure network traffic. You should require SSL for the following virtual roots only: You should not require SSL for the following virtual roots: The certificate of the certification authority (CA) must be imported into the local computer Trusted Root CA store, or the Windows Server Update Service Trusted Root CA store on downstream WSUS servers. 
Set the time for the First synchronization, and then specify the number of Synchronizations per day that you want this server to perform. Click Next if you want to read more about additional settings, or you can click Finish to conclude this wizard and finish the initial WSUS setup. WSUS doesn't push updates. A second approach may be to set Enable 32-Bit Applications to False in the Application Pools Advanced Settings. This is the same way that Microsoft Update distributes updates. If the proxy server supports basic authentication, select the Allow basic authentication (password is sent in cleartext) check box. By default, WSUS is configured to use Microsoft Update as the location from which to obtain updates. Because waiting for detection to start can be a time-consuming process, you can use the following procedure to initiate detection immediately. If you use the Local Publishing feature from a remote WSUS console, after you apply the update to your WSUS server, the remote WSUS consoles must also be updated so that the API versions match. Verify that the IIS ports configured in the site are the same as those configured on the WSUS IIS website. If the certificate is imported to the Local User's Trusted Root CA store only, Automatic Updates will fail server authentication. Certificate Updates/Revocation. In the Complete WSUS Installation dialog box, click Close when the installation successfully finishes. Applies To: Windows Server 2019, Windows Server (Semi-Annual Channel), Windows Server 2016, Windows Server 2012 R2, Windows Server 2012. If you choose Synchronize manually, you must start the synchronization process from the WSUS Administration Console. Recently, I deployed Windows Server Update Services on a new Windows Server 2019 – Server Core install, and experienced this issue during the first synchronization. 
Checks to see if you have a dirty database, and if you do, fixes it. To remove a proxy server from the WSUS configuration, clear the check box for Use a proxy server when synchronizing. WID is Windows Internal Database. On the WSUS server, open Internet Information Services (IIS) Manager. After you click Finish, the WSUS Management Console appears. Move the remote database server and the WSUS server to a private network. Click Options, and then click Update Source and Proxy Server. In a simple environment, you might link a single WSUS GPO to the domain. Ensure that the IIS virtual directories (vDirs/web services) are set as shown below. After you have confirmed the security settings and had to make a change to them in IIS, remember to do an IISRESET. You can find the detailed information in this post. Creation of daily and weekly optimization scheduled tasks. There are two default computer groups: All Computers and Unassigned Computers. If you have a proxy server on the network, you can configure WSUS to use the proxy server. In the details pane, double-click Configure Automatic Updates. Expand the WSUS Administration site so you see the list of web services and virtual directories for WSUS. At the top of the Start menu, right-click Command prompt, and then click Run as administrator. Select the Use SSL when synchronizing update information check box, and then click OK. When you configure SSL on client computers, you should consider the following issues: You must include a URL for a secure port on the WSUS server. Auto download and schedule the install. The default port number is 80. WSUS needs a database to store WSUS configuration and update metadata. By default, when each client computer first contacts the WSUS server, the server adds that client computer to both of these groups. This will improve WSUS availability. So, I was planning to have 30,000 clients under that SUP. 
As a best practice, create at least one computer group to test updates before you deploy them to other computers in your organization. Application pool memory configuration: displays the current private memory limit and lets you easily set it to any configurable amount, including 0 for unlimited. Step 10: On the Web Server Role (IIS) page, click Next. Step 11: Leave all selections as default on the Role Services page and click Next. Step 12: Click Next on this screen. Step 13: On the Role Services page, make sure WID Database and WSUS Services are selected (they should be selected by default). If the IIS website or application pool is not working properly, client devices may have scan errors, or report an unknown scan status. Troubleshooting Step 5: IIS Application Pool Running and Optimized. You should expect a 10 percent loss of performance because of the cost of encrypting all the metadata that is sent over the network. These requirements can be met by using one of the following configurations: A single proxy server that supports two protocol channels. There are several considerations associated with custom update signing. How to configure the IIS WSUS application pool? Removal of device drivers from WSUS repository (greatly improves speed, reliability, and reduces storage space needed). Configure the WSUS web services to require SSL. For more information about IPsec, see Creating and Using IPsec Policies. Go to Start, type CMD, right-click Command prompt, and then click Run as administrator. Microsoft reduces the risk of sending update files over an unencrypted channel by signing each update. Select the role services to install for Windows Server Update Services (WSUS): WSUS Services; SQL Server Connectivity. Click Next to continue. NOTE! Click OK to close the Configure Automatic Updates policy and return to the Windows Update details pane. 
The default ports are the same as those specified in the preceding section Connection between WSUS servers, and the firewall on the WSUS server must also be configured to allow inbound traffic on these ports. If you select the option Download updates only in these languages, and this server has a downstream WSUS server connected to it, this option will force the downstream server to also use only the selected languages. This is primarily for Server 2012 WSUS, and is a manual execution only. I was working with Microsoft support for an SCCM SUP-related issue on one SCCM CB 1706 environment. – Maximum number of requests that HTTP.sys will queue for the application pool. Windows Server Update Services Wizard: Select Role Services to Install WSUS. If you choose to get updates only for specific languages, select Download updates only in these languages, and then select the languages for which you want updates; otherwise, leave the default selection. Click Start, click All Programs, click Administrative Tools, and then click Windows Server Update Services. If the User Account Control dialog box appears, enter the appropriate credentials (if requested), confirm that the action it displays is what you want, and then click Continue. If you choose Synchronize automatically, the WSUS server will synchronize at set intervals. A client computer identifies itself as a member of a particular computer group when it sends information to the WSUS server. When an update is downloaded, WSUS checks the digital signature and hash. When the self-signed certificate expires or nears expiration, WSUS will log events in the event log. You must create the group on the WSUS server, and add domain-member computers to that group. To configure this WSUS server to download updates directly from Microsoft, accept the default option below, Synchronize from Microsoft Update. Then click Next. 
The Group Policy settings will be used to obtain automatic updates from Windows Server Update Services (WSUS). Enter a local or remote path to store updates. On the Web Server (IIS) Role information page, read the information, and then click Next to proceed. This option automatically begins downloading updates and then notifies a logged-on administrative user before installing the updates. It worked for me. This option lets local administrators use Automatic Updates in Control Panel to select a configuration option. During the WSUS Configuration Wizard (discussed in the next section), do not specify a proxy server. The best way to configure Automatic Updates depends on the network environment. If the proxy server requires that you use a specific user account, select the Use user credentials to connect to the proxy server check box. For example, type http://servername in both boxes (where servername is the name of the WSUS server). The Windows Server Update Services Wizard opens. KB4039396 addressed the issue with WSUS update metadata processing that can cause some clients to time out with a 0x8024401c error. The default limit is set to 1843200 KB (1.8 GB). After selecting the appropriate language options for your deployment, click Next to continue. Expiration. You can create as many custom computer groups as you need to manage updates in your organization. Type the port number that the server uses for SSL connections into the Port number text box. 
This post will help you get some details about a couple of best practices related to IIS for SCCM SUP/WSUS setup. On the Choose Classifications page, select the update classifications that you want to obtain. Just a note: in your screenshots you’ve changed the “Service Unavailable” Response Type to TcpLevel, but you haven’t actually mentioned doing it in the text anywhere.