For example, if you specify that there should be four synchronizations per day, starting at 3:00 A.M., synchronizations will occur at 3:00 A.M., 9:00 A.M., 3:00 P.M., and 9:00 P.M. After selecting the appropriate synchronization options for your deployment, click Next to continue. The following procedures assume that your network runs Active Directory. IIS configuration validation and optimization. Great article, I refer back to this when setting up new SUPs even though I’ve done it a few times and have a fair idea what I’m doing, just to refresh my memory. Then click Next. This is primarily for Server 2012 WSUS, and is a manual execution only. On the Web Server (IIS) Role information page, read the information, then click Next to proceed. In the Command prompt window, type the following command: certificateName is the DNS name of the WSUS server. If you select the option Download updates only in these languages, and this server has a downstream WSUS server connected to it, this option will force the downstream server to also use only the selected languages. Removal of device drivers from the WSUS repository (greatly improves speed and reliability, and reduces the storage space needed). WSUS upstream and downstream servers will synchronize on the port configured by the WSUS administrator. Click the Web Site tab. You must import the certificate to all computers that will communicate with the WSUS server. By default, WSUS will use port 8530 for HTTP and 8531 for HTTPS. When the queue is full, new requests receive a 503 “Service Unavailable” response. Expiration. If your company restricts access, you need to obtain authorization to allow Internet access from WSUS to the following list of URLs: For a scenario in which WSUS is failing to obtain updates due to firewall configurations, see article 885819 in the Microsoft Knowledge Base. To obtain updates from Microsoft Update, the WSUS server uses port 443 for the HTTPS protocol.
Type the port number that the server uses for SSL connections into the Port number text box. For more information and for instructions about how to install certificates and set up this environment, see the following topics: Implementing and Administering Certificate Templates, Active Directory Certificate Services Upgrade and Migration Guide. Applies To: Windows Server 2019, Windows Server (Semi-Annual Channel), Windows Server 2016, Windows Server 2012 R2, Windows Server 2012. Click Next if you want to read more about additional settings, or you can click Finish to conclude this wizard and finish the initial WSUS setup. Microsoft best practice WSUS database optimization and re-indexing. Accomplishing this turned into a manual task that was very hard to either do by hand or automate successfully. That post covers the end-to-end patching process and troubleshooting tips. On the Before You Begin page, review the information, and then click Next. If the proxy server requires that you use a specific user account, select the Use user credentials to connect to the proxy server check box. after discovering that it expired), WSUS offered no functionality to enable this. Two proxy servers, each of which supports a single protocol. Link this WSUS GPO to an Active Directory container that is appropriate for your environment. I have seen some things saying IIS settings need adjustment, but not seeing much if these settings also need to be changed in server 2019 also. In the Options pane, click Update Source and Update Server, and then click the Proxy Server tab. I have a remote WSUS + SCCM SUP server installed on 2012 R2. To set up two proxy servers, each of which will handle one protocol for WSUS, use the following procedure: Log on to the computer that is to be the WSUS server by using an account that is a member of the local Administrators group.
The certificate should be imported into the local computer Trusted Root CA store or into the Windows Server Update Service Trusted Root CA store. In the GPMC, expand Computer Configuration, expand Policies, expand Administrative Templates, expand Windows Components, and then click Windows Update. My server had more RAM available so the solution was to raise the amount of memory available to IIS. Click Options, and then click Update Source and Proxy Server. When the self-signed certificate expires or nears expiration, WSUS will log events in the event log. WSUS has the ability to publish custom update packages to update Microsoft and non-Microsoft products. Select Enable client-side targeting, select Enabled, and then type the name of the WSUS computer group to which you want to add this computer in the Target group name for this computer box. Just a note, in your screenshots you’ve changed “Service Unavailable” Response Type to TcpLevel, but you haven’t actually mentioned doing it in the text anywhere. On the Choose Classifications page, select the update classifications that you want to obtain. Note the information in the Windows Server Update Services page. Is that showing 400MB?

* Make the following "Advanced Settings" for the WSUS Application Pool in IIS:
  - Queue Length: 25000 from 10000
  - Limit Interval (minutes): 15 from 5
  - "Service Unavailable" Response: TcpLevel from HttpLevel
* Edit the web.config ( C:\Program Files\Update Services\WebServices\ClientWebService\web.config ) for WSUS (stop IIS first):

If the proxy server supports basic authentication, select the Allow basic authentication (password is sent in cleartext) check box. Expand Web Sites, right-click the website for the WSUS server, and then click Properties. C:\WSUS, or D:\WSUS) Restart the server.
Video Tutorial to Learn SCCM ConfigMgr CB Software Update Patching Process.

- Launch Server Manager – Launch IIS Manager
- Right-click ‘WsusPool’ and select ‘Advanced Settings’
- Change the value of ‘Queue Length’ under the General section from the default 1,000 to 30,000
- Right-click ‘WsusPool’ and select ‘Advanced Settings’
- Change the value of ‘Private Memory Limit’ under the
- Click OK to save and restart the IIS service

WSUS SUP causes high CPU and clients fail updates scan; What are the best practices for Software Updates/Patching in SCCM; Windows Server 2012 R2 WSUS Issue: Clients cause the WSUS App Pool to become unresponsive with HTTP 503. If you face trouble in setting up these prerequisites for installing the Shavlik Patch plugin, it would be best to work directly with Microsoft support. If you have set up Active Directory in your network, you can configure one or multiple computers simultaneously by including them in a Group Policy Object (GPO), and then configuring that GPO with WSUS settings. The following is a summary of recommended changes, and a related screenshot. Deploy Internet Protocol security (IPsec) to help secure network traffic. DESCRIPTION: Comprehensive Windows Server Update Services (WSUS) configuration and optimization script. On the client computer, open a Command prompt window with elevated privileges. Under IIS Manager App – Expand Server name – Sites – WSUS … This post will help you get some details about a couple of best practices related to IIS for SCCM SUP WSUS setup. The certificate on a client computer must be imported into the Local Computer Trusted Root CA store or Automatic Update Service Trusted Root CA store.
To enable anonymous read access, follow the steps for the applicable version of IIS: Enable Anonymous Authentication (IIS 7), as documented in the IIS 7 Operations Guide. Use computer groups to control the rollout. A client computer identifies itself as a member of a particular computer group when it sends information to the WSUS server. By default, Group Policy updates in the background every 90 minutes, with a random offset of 0-30 minutes. Otherwise, you should be careful about these settings. Scroll down to the Recycling section. Click Enabled, and then select one of the following options under the Configure automatic updating setting: Notify for download and notify for install. In IIS Manager on the WSUS server, go to Sites > WSUS Administration. You can create the Group Policy and apply it at domain level. On the Choose Upstream Server page, there are two options: Synchronize the updates with Microsoft Update, Synchronize from another Windows Server Update Services server. The Windows Server Update Services Wizard opens. WSUS doesn't push updates. Think your Private Memory Limit is missing a zero. To enable custom update signing, you must install a package signing certificate on your WSUS server. Then click Next. Expand the WSUS Administration site so you see the list of web services and virtual directories for WSUS. To remove a proxy server from the WSUS configuration, clear the check box for Use a proxy server when synchronizing. so weird. He is a Solution Architect on enterprise client management with more than 17 years of experience (calculation done in the year 2018) in IT. Recently, I deployed Windows Server Update Services on a new Windows Server 2019 – Server Core install, and experienced this issue during the first synchronization. Move the remote database server and the WSUS server to a private network. This’ll improve WSUS availability. Click OK to close the Enable client-side targeting policy and return to the Windows Update details pane.
Certificate Updates/Revocation. Now that you have performed the basic WSUS configuration, read the next sections for more details about changing the settings by using the WSUS Management Console. If you want to update Group Policy sooner, you can open a Command prompt window on the client computer and type gpupdate /force. On the WSUS server, open Internet Information Services (IIS) Manager. If you want to enable basic authentication for the user who is connecting to the proxy server, select the Allow basic authentication (password is sent in cleartext) check box. Scroll down to the Recycling section. Because you cannot require SSL on the server, the only way to make sure that client computers use a secure channel is by using a URL that specifies HTTPS. The following checklist summarizes the steps involved in performing the initial configuration for your WSUS server. To achieve this, you must change the following settings in the WSUS Application Pool. Computer groups permit you to test and target updates to specific computers. A second approach may be to set Enable 32-Bit Applications to False in the Application Pool's Advanced Settings. Type the required user name, domain, and password into the corresponding text boxes. On the Update Source page, select Synchronize from another Windows Server Update Services server. You should expect a 10 percent loss of performance because of the cost of encrypting all the metadata that is sent over the network. If the Complete WSUS Installation dialog box appears, click Run. In an environment without Active Directory, use the Local Group Policy Editor to configure Automatic Updates, and then point the client computers to the WSUS server. Configure the cluster network by using the Network Configuration Wizard. He writes about technologies such as SCCM, SCOM, Windows 10, Azure AD, Microsoft Intune, RMS, Hyper-V, etc.
An IIS worker process was using over 2GB of RAM when the problem would occur. Allow local admin to choose setting. Click Enabled, and then, in the Set the intranet update service for detecting updates and Set the intranet statistics server text boxes, type the same URL of the WSUS server. Before you start the configuration process, be sure that you know the answers to the following questions: Is the server's firewall configured to allow clients to access the server? Create computer groups in the WSUS Administration Console to manage updates in your organization. Click Computers, and then select the computers that you want to assign to this new group. You can find the detailed information in this post. Use the following options to modify the existing proxy server configuration: Select the check box for Use a proxy server when synchronizing. All the servers referred to in this post are running the Server 2012 R2 OS. WSUS uses SSL to authenticate client computers and downstream WSUS servers to the WSUS server. In this case, one proxy server is configured to use HTTP, and the other proxy server is configured to use HTTPS. Creation of daily and weekly optimization scheduled tasks. The firewall on the WSUS server must be configured to allow inbound traffic on these ports. Ensure that the IIS virtual directories (vDirs/web services) are set as shown below: After you have confirmed the security and had to make a change to it in IIS, remember to do an IISRESET. Microsoft reduces the risk of sending update files over an unencrypted channel by signing each update. Local administrators cannot disable Automatic Updates. The support engineer was helpful, and she helped to set up the best-practice IIS settings required for a remote WSUS/SUP. By default, when each client computer first contacts the WSUS server, the server adds that client computer to both of these groups. To do so, launch Internet Information Services.
You can check out the post “Video Tutorial to Learn SCCM ConfigMgr CB Software Update Patching Process“. Use the following procedures to configure Automatic Updates for client computers: Step 4: Configure Group Policy Settings for Automatic Updates. When you type the intranet address of your WSUS server, make sure to specify which port is going to be used. The default limit is set to 1843200KB or 1.8GB. Auto download and schedule the install. Because waiting for detection to start can be a time-consuming process, you can use the following procedure to initiate detection immediately. WSUS needs a database to store the WSUS configuration and update metadata. WSUS is a local Windows Updates repository. I was working with Microsoft support for an SCCM SUP related issue on one SCCM CB 1706 environment. WSUS also uses SSL to encrypt update metadata. This option notifies a logged-on administrative user before you download and install the updates. I’ve just checked your screenshot and that is correct, though. On the Specify Proxy Server page, select the Use a proxy server when synchronizing check box, and then type the proxy server name and port number (port 80 by default) in the corresponding boxes. For client computers that are configured with a domain-based Group Policy Object, it can take about 20 minutes for Group Policy to apply the new policy settings to the client computer. Private Memory Limit is set in KB. Navigate to the %ProgramFiles%\Update Services\Tools\ folder. WSUS Administrators; IIS settings. Firewall: If you identified that WSUS is behind a corporate firewall, there are some additional steps that must be done at the edge device to properly allow WSUS traffic. I was able to get our setup to just use a wildcard certificate, and port 443 only.
Open IIS; expand the server name; click on Application Pools; click on WsusPool. The following virtual directories (vroots) are created in IIS (in the Default Web Site by default) for client-to-server synchronization, server-to-server synchronization, reporting, and client self-update. Depending on the type of certificate that is used, you might have to set up a service to enable the client computers to trust the certificate that is bound to the WSUS server. In the Proxy port number text box, type the port number of the proxy server. Select the appropriate product options for your deployment, and then click Next. A client computer identifies itself as a member of a particular computer group when it sends information to the WSUS server. Review the features checked below. Although the connection between Microsoft Update and WSUS requires ports 80 and 443 to be open, you can configure multiple WSUS servers to synchronize with a custom port. After you set up a client computer, it will take several minutes before the computer appears on the Computers page in the WSUS Administration Console. This option automatically begins downloading updates and then installs the updates on the day and time that you specify. In IIS, for the wsus website, I added an additional https binding, port 443, and set the hostname to, and bound the * certificate to it.

Modify IIS WSUS Application Pool Settings:
- Launch Server Manager – Launch IIS Manager
- IIS Console – Click on Application Pools
- Right-click ‘WsusPool’ and select ‘Advanced Settings’
- Change the value of ‘Queue Length’ under the General section to 30,000
- Change ‘Service Unavailable’ Response Type from the default HttpLevel to TcpLevel

Best Practice – IIS WSUS App Pool – Private Memory Limit Settings for Remote SUP/WSUS Server. WSUS integrated update and computer cleanup. Consider the following examples: If you use the industry standard port of 443 for HTTPS traffic, WSUS uses the industry standard port 80 for clear HTTP traffic.
After installing the WSUS server role on your server, you need to properly configure it. On the WSUS server, open Internet Information Services (IIS) Manager. For more information about how to use SSL certificates in IIS, see Require Secure Sockets Layer (IIS 7). A value of 0 means there is no limit. In Start Search, type Command prompt. Use computer groups to control the rollout. During the WSUS Configuration Wizard (discussed in the next section) do not specify a proxy server. Anoop is a Microsoft MVP and Veeam Vanguard! Configure WSUS by using the WSUS Configuration Wizard. For example, type http://servername in both boxes (where servername is the name of the WSUS server). In the details pane, double-click Configure Automatic Updates. After selecting the proper options for your deployment, click Next to proceed. Retain the default selection, or clear the check box, and then click Next. Note the information in the Windows Server Update Services page. The HTTP port setting is displayed in TCP port, and the HTTPS port setting is displayed in SSL port. In the Group Policy Management Console (GPMC), browse to the GPO on which you want to configure WSUS, and then click Edit. The steps below show how to configure IIS on the WSUS server to use SSL. To open a command prompt as an administrator, go to Start. So when troubleshooting updating issues, you need to check both the Software Update Point and WSUS, and lo and behold, the WSUS console kept on crashing. I know this is a thing that should be done, as I’ve read it elsewhere, perhaps you could add it to the text as well for those that are unsure. When you have all the site system roles on a single server, you should be very careful with the Private Memory Limit setting of the WSUS application pool. This setting should be set according to the hardware configuration of your SCCM site system server.
If you’re not using Hyper-V, you will see only one server, i.e., … Before realizing what the issue was, I attempted to re-install WSUS and IIS from scratch numerous times … The private key must be installed on the WSUS server, and the public key must be explicitly installed in the trusted certificate store on all client PCs and servers which are to receive custom-signed updates. By default, these ports are configured as follows: On WSUS 3.2 and earlier, port 80 for HTTP and 443 for HTTPS; on WSUS 6.2 and later (at least Windows Server 2012), port 8530 for HTTP and 8531 for HTTPS are used. If you choose Synchronize manually, you must start the synchronization process from the WSUS Administration Console. WSUS Configuration Manager will not be able to configure WSUS Server "CMServerName.domain.local" as the WSUS Server remoting API's of version 3.0 SP2 or greater are not installed on this site server. WSUS can automatically sign these custom update packages for you with an Authenticode certificate. No, this post is not related to the issue which caused high CPU usage for WSUS servers. Click OK to close the Configure Automatic Updates policy and return to the Windows Update details pane. Or you can create and apply the GPO to a specific OU (containing your computers). If you do not select this option, you need to use the WSUS Management Console to perform the initial synchronization. Expand Web Sites, right-click the website for the WSUS server, and then click Properties. Queue Length – Maximum number of requests that HTTP.sys will queue for the application pool. Enter a local or remote path to store updates.
In the Windows Update details pane, double-click Specify intranet Microsoft update service location. Now our next step is to change the bindings and assign a different port number to the HTTP connection for WSUS, so that the clients are unable to scan against it, thereby freeing up memory for us. By default, this option is selected. He is a blogger, speaker and local user group community leader. Secure WSUS with the Secure Sockets Layer Protocol, Enabling Anonymous Authentication (IIS 6.0).