WSUS is a local Windows Update repository: a server on your network that obtains updates from Microsoft Update (or from an upstream WSUS server) and serves them to client computers, so that you specify how and when automatic updates are applied instead of each client fetching them from the Internet. That post covers the end-to-end patching process and troubleshooting tips. Note the information in the Windows Server Update Services page. If you're not using Hyper-V, you will see only one server, i.e., …

Comprehensive Windows Server Update Services (WSUS) configuration and optimization script. IIS configuration validation and optimization.

Ports: WSUS upstream and downstream servers synchronize on the port configured by the WSUS administrator. The listening interfaces and ports are configured in the IIS site(s) for WSUS and in any Group Policy settings used to configure client PCs; in IIS the HTTP port setting is displayed as "TCP port" and the HTTPS port setting as "SSL port". Verify that the ports the clients and downstream servers are configured to use are the same as those bound on the WSUS IIS website. Use IIS bandwidth throttling to limit the bandwidth available to one or more web sites or services.

Client configuration: if you have set up Active Directory in your network, you can configure one or many computers at once by placing them in the scope of a Group Policy Object (GPO) and configuring that GPO with the WSUS settings.

Modify the IIS WSUS application pool settings: launch Server Manager, then IIS Manager; in the IIS console click Application Pools; right-click 'WsusPool' and select 'Advanced Settings'; change 'Queue Length' (General section) to 30,000; change 'Service Unavailable' Response Type from the default HttpLevel to TcpLevel; under Recycling, change 'Private Memory Limit (KB)' (IIS Manager → Server → Application Pools → WsusPool → Actions: Advanced Settings → Recycling → Private Memory Limit (KB)).

To remove a proxy server from the WSUS configuration, clear the Use a proxy server when synchronizing check box. To open a command prompt, in Start Search type Command prompt.
Related posts: Video Tutorial to Learn SCCM ConfigMgr CB Software Update Patching Process; SCCM 1706 KB4042345 Server Side Fix for Peer Cache; Fix Report Server cannot Open a Connection Error ConfigMgr | SCCM; ConfigMgr Delete Aged Cloud Management Gateway Traffic Data Task | SCCM; WSUS SUP causes high CPU and clients fail updates scan; What are the best practices for Software Updates/Patching in SCCM; Windows Server 2012 R2 WSUS Issue: Clients cause the WSUS App Pool to become unresponsive with HTTP 503. You can check out the post "Video Tutorial to Learn SCCM ConfigMgr CB Software Update Patching Process".

I was working with Microsoft support for an SCCM SUP related issue on one SCCM CB 1706 environment. The WsusPool changes recommended there: launch Server Manager, then IIS Manager; right-click 'WsusPool' and select 'Advanced Settings'; change 'Queue Length' under the General section from the default 1,000 to 30,000; scroll down to the Recycling section and change 'Private Memory Limit (KB)'; click OK to save and restart the IIS service.

Installing the role: Step 10: On the Web Server Role (IIS) page, click Next. Step 11: Leave all selections at their defaults on the Role Services page and click Next. Step 12: Click Next on this screen. Step 13: On the Role Services page, make sure WID Database and WSUS Services are selected (they should be selected by default). By default, WSUS uses port 8530 for HTTP and 8531 for HTTPS.

Removal of device drivers from the WSUS repository greatly improves speed and reliability and reduces the storage space needed. For client computers that are configured by using the Local Group Policy Editor, the policy is applied immediately, and the client checks in with the WSUS server after about 20 minutes.

In IIS, for the WSUS website, I added an additional HTTPS binding on port 443, set the host name to wsus.domain.com, and bound the *.domain.com certificate to it. If you wanted to update or revoke a certificate (i.e. after discovering that it expired), WSUS offered no functionality to enable this. So weird.
Applies To: Windows Server 2019, Windows Server (Semi-Annual Channel), Windows Server 2016, Windows Server 2012 R2, Windows Server 2012.

Role installation: select the role services to install for Windows Server Update Services (WSUS): WSUS Services, and SQL Server Connectivity if the database will live on a SQL Server instance rather than in WID; click Next to continue. Selecting a product category selects all the products in that category.

Update source: on the Update Source page, select Synchronize from another Windows Server Update Services server. Select the Use SSL when synchronizing update information check box, and then click OK.

Firewall: if there is a corporate firewall between WSUS and the Internet, you might have to configure the firewall to ensure that WSUS can obtain updates. If you identified that WSUS is behind a corporate firewall, some additional steps must be done at the edge device to properly allow WSUS traffic.

Client configuration: "Notify for download and notify for install" notifies a logged-on administrative user before updates are downloaded and installed. In an environment without Active Directory, use the Local Group Policy Editor to configure Automatic Updates, and then point the client computers to the WSUS server.

To enable custom update signing, you must install a package signing certificate on your WSUS server. For NLB deployments, configure the cluster network by using the Network Configuration Wizard.

Script features: checks whether the database is dirty and, if it is, fixes it. A second approach may be to set Enable 32-Bit Applications to False in the application pool's Advanced Settings.

Uninstall: remove the WSUS Content folder wherever you had it previously installed (e.g. C:\WSUS or D:\WSUS).

This post will help you get some details about Best Practices Related to IIS for SCCM SUP WSUS Setup. I also have a video tutorial, published several months back, about the SCCM Software Update process. He writes about technologies like SCCM, SCOM, Windows 10, Azure AD, Microsoft Intune, RMS, Hyper-V etc.
Select your server from the server pool. Retain the default selection, or clear the check box, and then click Next. Select product categories, such as Windows, or specific products, such as Windows Server 2012. On the Choose Languages page, you have the option to select the languages for which WSUS will receive updates: all languages or a subset of languages.

WSUS needs a database. For a local database it uses the Windows Internal Database (WID), an embedded SQL Server engine with no GUI or management interface of its own. When you have the answers to the planning questions, you can start configuring the WSUS network settings: Updates: specify the way this server will obtain updates (from Microsoft Update or from another WSUS server).

Group Policy: we recommend that you create a new GPO that contains only WSUS settings. Click Enabled, and then select one of the options under Configure automatic updating, for example Notify for download and notify for install. Allow local admin to choose setting lets local administrators use Automatic Updates in Control Panel to select a configuration option.

IIS security: by default, anonymous read access is enabled for the default and all new IIS websites. Because you cannot require SSL on the entire WSUS website (the update content must stay reachable over plain HTTP), the only way to make sure that client computers use a secure channel is to point them at a URL that specifies HTTPS. For more information about IPsec, see Creating and Using IPsec Policies. To determine the WSUS port settings in IIS 6.0, open IIS Manager on the WSUS server and inspect the WSUS website's bindings.

Application pool: we need to open the IIS console and locate the Application Pools branch. Microsoft already released a fix for the issue explained in KB 4039396. Script feature: WSUS integrated update and computer cleanup.

Anoop is a Microsoft MVP and Veeam Vanguard! If you face trouble setting up these prerequisites for installing the Shavlik Patch plugin, it would be best to work directly with Microsoft support.

How can I force it to manually report to the WSUS … I've just checked your screenshot and that is correct, though.
Microsoft best practice WSUS database optimization and re-indexing.

Proxy: you must complete this step if you identified that WSUS needs a proxy server to have Internet access. Upstream server: on the Connect to Upstream Server page, click Start Connecting. If you want to participate in the program, keep the check box selected. WID is the Windows Internal Database.

Client-side targeting: select Enable client-side targeting, select Enabled, and then type the name of the WSUS computer group to which you want to add this computer in the Target group name for this computer box. By default, Group Policy refreshes in the background every 90 minutes, with a random offset of 0-30 minutes.

Anonymous access: to enable anonymous read access, follow the steps for the applicable version of IIS: Enable Anonymous Authentication (IIS 7), as documented in the IIS 7 Operations Guide. Some applications, notably Windows SharePoint Services, may remove anonymous access.

Certificates: depending on the type of certificate that is used, you might have to set up a service to enable the client computers to trust the certificate that is bound to the WSUS server. This includes all client computers, downstream servers, and computers that run the WSUS Administration Console.

Bindings workaround: now our next step is to change the bindings and assign a different port number to the HTTP connection for WSUS, so that the clients are unable to scan against it, thereby freeing up memory for us (a temporary measure: no client can scan until the binding is restored). Manually run Windows Update on the server in question and select the option to check online for updates from Microsoft Update, which bypasses WSUS, then …

Recently, I deployed Windows Server Update Services on a new Windows Server 2019 Server Core install, and experienced this issue during the first synchronization.
Computer groups permit you to test and target updates to specific computers. By default, when each client computer first contacts the WSUS server, the server adds that computer to both built-in groups (All Computers and Unassigned Computers). If this is a replica server, select the This is a replica of the upstream server check box.

Group Policy: in an environment that uses Active Directory Domain Services, you can use an existing domain-based Group Policy Object (GPO) or create a new GPO. In the Windows Update details pane, double-click Specify intranet Microsoft update service location. Auto download and schedule the install.

Proxy: if you have a proxy server on the network, you can configure WSUS to use it. In the Options pane, click Update Source and Proxy Server, and then click the Proxy Server tab.

Database: WSUS needs a database to store the WSUS configuration and update metadata.

Certificates: the certificate should be imported into the local computer Trusted Root CA store or into the Windows Server Update Service Trusted Root CA store. The steps below show how to configure IIS on the WSUS server to use SSL. Enabling Anonymous Authentication (IIS 6.0), as documented in the IIS 6.0 Operations Guide.

wsusutil: to open a command prompt as an administrator, go to Start. In the Command Prompt window, go to the C:\Program Files\Update Services\Tools folder (%ProgramFiles%\Update Services\Tools).

Application pool: how to open the IIS WSUS application pool's Advanced Settings? In this section, locate the parameter named Private Memory Limit (KB). This setting should be chosen according to the hardware configuration of your SCCM site system server. All the servers referred to in this post are running Windows Server 2012 R2.

SCCM log message: WSUS Configuration Manager will not be able to configure WSUS Server "CMServerName.domain.local" as the WSUS Server remoting API's of version 3.0 SP2 or greater are not installed on this site server. (The software update point requires the WSUS administration console to be installed on the site server.)
Installation: if the Complete WSUS Installation dialog box appears, click Run. Read the instructions on the Join the Microsoft Update Improvement Program page and evaluate whether you want to participate. The Choose Products page lets you specify the products for which you want updates. Then click Next to proceed.

Sync schedule: for example, if you specify four synchronizations per day starting at 3:00 A.M., synchronizations occur at 3:00 A.M., 9:00 A.M., 3:00 P.M., and 9:00 P.M. After selecting the appropriate synchronization options for your deployment, click Next to continue.

Proxy: you can set up one proxy server that handles both protocols for WSUS during the WSUS server software installation.

Certificates: the certificate on a client computer must be imported into the Local Computer Trusted Root CA store or the Automatic Update Service Trusted Root CA store. Certificate updates/revocation. You can use any port for SSL. The firewall on the WSUS server must be configured to allow inbound traffic on these ports.

Detection: if you begin detection manually, you do not have to wait 20 minutes for the client computer to contact WSUS.

SCCM: KB4039396 addressed the issue with WSUS update metadata processing that can cause some clients to time out with a 0x8024401c error. In that case (all site system roles on one server), my recommendation is NOT to set 0 (unlimited) as the private memory limit.

Great article, I refer back to this when setting up new SUPs even though I've done it a few times and have a fair idea what I'm doing, just to refresh my memory. I was able to get our setup to just use a wildcard certificate, and port 443 only.
Certificates: if the certificate is imported only into the Local User's Trusted Root CA store, Automatic Updates will fail server authentication. If you use any port other than 443 for SSL, you must include that port in the URL also.

Proxy for HTTPS: click Options, and then click Update Source and Proxy Server. In this case, one proxy server is configured to use HTTP, and the other proxy server is configured to use HTTPS. Open a command prompt as an administrator; if the User Account Control dialog box appears, enter the appropriate credentials (if requested), confirm that the action it displays is what you want, and then click Continue. Type the following command: wsusutil ConfigureSSLproxy <proxy_server> <proxy_port> -enable, where proxy_server is the name of the proxy server that supports HTTPS and proxy_port is that proxy server's port number.

Computer groups: click Computers, and then select the computers that you want to assign to this new group. If the status is set to Enabled, this computer identifies itself as a member of a particular computer group when it sends information to the WSUS server, which uses that membership to determine which updates are deployed to the computer. Use computer groups to control the rollout.

Group Policy: in a simple environment, you might link a single WSUS GPO to the domain. Auto download and notify for install. Click OK to close the Configure Automatic Updates policy and return to the Windows Update details pane.

IIS: in the right pane, expand the server name. If the IIS website or application pool is not working properly, client devices may have scan errors or report an unknown scan status.

Sync: set the time for the First synchronization, and then specify the number of Synchronizations per day that you want this server to perform. Click Next. Step 14: This page will allow you to set the destination directory for the …

I'll see if I can locate any related event logs, but not real sure what I would be looking for, if it would be WSUS side or IIS side. IIS crashing so thinking IIS …
W2016 Standard, WSUS 10.0.14393.2007, IIS 10. Edited the already present MIME type in IIS (.ESD) at the top of the app pool tree and in the WSUS pool. So, I was planning to have 30,000 clients under that SUP.

Install: install the WSUS server role. Enter a local or remote path to store updates. In the Complete WSUS Installation dialog box, click Close when the installation finishes successfully.

Sync schedule: the Set Sync Schedule page enables you to select whether to perform synchronization manually or automatically. If you choose Synchronize automatically, the WSUS server synchronizes at set intervals. By default, this option is selected.

Proxy: if you want to connect to the proxy server by using specific user credentials, select the Use user credentials to connect to the proxy server check box, and then type the user name, domain, and password of the user in the corresponding boxes. Two proxy servers, each of which supports a single protocol. The default port number is 80.

Ports: if you use any port other than 443 for HTTPS traffic, WSUS sends clear HTTP traffic over the port that numerically comes before the HTTPS port (so HTTPS on 8531 means HTTP on 8530).

Firewall: although most corporate firewalls allow this type of traffic, some companies restrict Internet access from servers because of their security policies.

Group Policy: the following procedures assume that your network runs Active Directory. In the GPMC, expand Computer Configuration, expand Policies, expand Administrative Templates, expand Windows Components, and then click Windows Update. Link this WSUS GPO to an Active Directory container that is appropriate for your environment.

Database: move the remote database server and the WSUS server to a private network. On the WSUS server, open Internet Information Services (IIS) Manager. You can find the detailed information in this post.
Queue Length: the maximum number of requests that HTTP.sys will queue for the application pool. When the queue is full, new requests receive a 503 "Service Unavailable" response. Find the WSUS pool and choose Advanced Settings. Best Practices Related to IIS for SCCM SUP WSUS Setup. Otherwise, you should still be careful with the private memory limit setting.

Proxy and upstream: use the following options to modify the existing proxy server configuration: select the check box for Use a proxy server when synchronizing. If you choose to synchronize from another WSUS server, specify the server name and the port on which this server will communicate with the upstream server. After selecting the proper options for your deployment, click Next to proceed. Then click Next to proceed.

Firewall: if your company restricts access, you need to obtain authorization to allow Internet access from WSUS to the following list of URLs: For a scenario in which WSUS is failing to obtain updates due to firewall configurations, see article 885819 in the Microsoft Knowledge Base.

SSL: you should expect about a 10 percent loss of performance because of the cost of encrypting all the metadata that is sent over the network. There are several considerations associated with custom update signing.

After installation: after installing the WSUS server role on your server, you need to properly configure it. After you click Finish, the WSUS Management Console appears. Click Start, click All Programs, click Administrative Tools, and then click Windows Server Update Services. Computer groups are an IMPORTANT part of WSUS deployments. Because waiting for detection to start can be time-consuming, you can use the following procedure to initiate detection immediately.

Script feature: creation of daily and weekly optimization scheduled tasks.
References: Secure WSUS with the Secure Sockets Layer Protocol; Enabling Anonymous Authentication (IIS 6.0).

SSL and ports: WSUS encrypts update metadata only. Consider the following examples: if you use the industry standard port 443 for HTTPS traffic, WSUS uses the industry standard port 80 for clear HTTP traffic. Although the connection between Microsoft Update and WSUS requires ports 80 and 443 to be open, you can configure multiple WSUS servers to synchronize with a custom port. You must re-initialize ClientServicingProxy if the server name, SSL configuration, or port number has changed.

IIS: WSUS Setup automatically configures IIS to distribute the latest version of Automatic Updates to each client computer that contacts the WSUS server. In IIS Manager on the WSUS server, go to Sites > WSUS Administration. In addition to NTFS permissions occasionally being set incorrectly for WSUS, from time to time we find IIS permissions incorrect or out of sync. Windows Server Update Services Wizard: Select Role Services to Install WSUS.

Application pool: to achieve this you must change the following settings in the WSUS application pool. This'll improve WSUS availability.

Computer groups and policy: in the Set Computer Group Membership dialog box, select the test group that you created, and then click OK. You can create as many custom computer groups as you need to manage updates in your organization. Or you can create and apply the GPO to a specific OU (containing your computers). The Configure Automatic Updates policy opens. On the Choose Classifications page, select the update classifications that you want to obtain.

NLB: the IIS and WSUS services must be stopped to prevent the database from being accessed while the Network Load Balancing (NLB) clusters are upgraded.
Default ports: on WSUS 3.2 and earlier, port 80 for HTTP and 443 for HTTPS; on WSUS 6.2 and later (Windows Server 2012 and later), port 8530 for HTTP and 8531 for HTTPS. The default ports are the same as those specified in the preceding section, Connection between WSUS servers, and the firewall on the WSUS server must also be configured to allow inbound traffic on these ports. The servers will use port 443 for synchronization. However, the port that you set up for SSL also determines the port that WSUS uses to send clear HTTP traffic. (Make sure that this server and the upstream server support SSL.)

Virtual directories: the following virtual directories (vroots) are created in IIS for client-to-server synchronization, server-to-server synchronization, reporting, and client self-update; on WSUS 3.2 they live in the Default Web Site, on WSUS 6.2 and later in the WSUS Administration site on port 8530 unless the Default Web Site was chosen at install time.

SSL: configure the Secure Sockets Layer (SSL) protocol to help protect WSUS. The steps that are required to set up a certification authority, bind the certificate to the WSUS website, and establish a trust between the client computers and the certificate are beyond the scope of this guide. In addition to encrypting the metadata, WSUS computes a hash and sends it together with the metadata for each update, so the client can verify the update file it later downloads over plain HTTP. WSUS ultimately relies on Microsoft IIS on the backend, even when integrated with Configuration Manager.

Proxy: during the WSUS Configuration Wizard (discussed in the next section) do not specify a proxy server. In the Proxy port number text box, type the port number of the proxy server. If the proxy server requires that you use a specific user account, select the Use user credentials to connect to the proxy server check box.

Computer groups: in the Add Computer Group dialog box, in Name, specify the name of the new group, and then click Add.

Install: review the features checked below. On the Web Server (IIS) Role information page, read the information, then click Next to proceed. Uninstall: WSUS should now be completely gone from your system.

It worked for me.
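The Options-pane settings covered above (update source, replica mode, proxy, sync schedule, client-side targeting and a test computer group) can all be set through the WSUS administration API instead of the console. The following is an added example written for this page, not code from the original post or from Microsoft; the host names, proxy, port numbers and group name are assumptions to replace with your own.

```powershell
# Added example, not from the original page. Uses the UpdateServices module
# that ships with the WSUS role; run elevated on the WSUS server.
# All host names, ports and the group name below are assumptions.
Import-Module UpdateServices

$wsus   = Get-WsusServer                     # connects to the local server
$config = $wsus.GetConfiguration()

# --- Update source -------------------------------------------------------
# Either Microsoft Update ...
$config.SyncFromMicrosoftUpdate = $true
# ... or an upstream WSUS server over SSL (the upstream must already listen
# on that port with SSL configured). Set IsReplicaServer for a replica.
# $config.SyncFromMicrosoftUpdate      = $false
# $config.UpstreamWsusServerName       = 'wsus-upstream.corp.example'
# $config.UpstreamWsusServerPortNumber = 8531
# $config.UpstreamWsusServerUseSsl     = $true
# $config.IsReplicaServer              = $false

# --- Proxy: one proxy for both HTTP and HTTPS (leave UseProxy $false if none)
$config.UseProxy             = $true
$config.ProxyName            = 'proxy.corp.example'   # assumption
$config.ProxyServerPort      = 8080                   # assumption
$config.AnonymousProxyAccess = $true   # or ProxyUserName/ProxyUserDomain + SetProxyPassword()
# A separate HTTPS proxy uses UseSeparateProxyForSsl, SslProxyName, SslProxyServerPort.

# --- Client-side targeting: clients name their own group via Group Policy
$config.TargetingMode = [Microsoft.UpdateServices.Administration.TargetingMode]::Client
$config.Save()

# --- A test group for the pilot rollout ----------------------------------
$groupName = 'Pilot'                                   # assumption
$group = $wsus.GetComputerTargetGroups() | Where-Object { $_.Name -eq $groupName }
if (-not $group) { $group = $wsus.CreateComputerTargetGroup($groupName) }

# --- Sync schedule: 4 per day from 03:00 -> 03:00, 09:00, 15:00, 21:00 ---
$sub = $wsus.GetSubscription()
$sub.SynchronizeAutomatically          = $true
$sub.SynchronizeAutomaticallyTimeOfDay = New-TimeSpan -Hours 3   # the API stores this in UTC
$sub.NumberOfSynchronizationsPerDay    = 4
$sub.Save()

# --- Same effect as "Begin initial synchronization": start and wait -------
$sub.StartSynchronization()
do {
    Start-Sleep -Seconds 30
    $status = $sub.GetSynchronizationStatus()
} while ($status -ne [Microsoft.UpdateServices.Administration.SynchronizationStatus]::NotProcessing)
$sub.GetLastSynchronizationInfo() | Select-Object StartTime, EndTime, Result, ErrorText
```

The last block is the check a practitioner wants after a proxy or upstream change: a failed proxy credential or a blocked firewall shows up as Result = Failed with the error text, instead of being discovered days later when clients report no new updates.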
Detection: open a command prompt (Cmd.exe) as an administrator. Type wuauclt.exe /detectnow, and then press ENTER. (On Windows 10 and later this switch is no longer honored; trigger a scan from Settings or with UsoClient StartScan instead.)

Group Policy: these procedures also assume that you are familiar with Group Policy and use it to manage the network. In the Group Policy Management Console (GPMC), browse to the GPO on which you want to configure WSUS, and then click Edit. In the details pane, double-click Configure Automatic Updates. Auto download and notify for install: this option automatically begins downloading updates and then notifies a logged-on administrative user before installing them.

Planning question: can this computer connect to the upstream server (such as the server that is designated to download updates from Microsoft Update)?

SSL: WSUS uses SSL for metadata only, not for update files; the client checks each downloaded file against the hash received with the metadata, and if the update has been changed, it is not installed. This is the same way that Microsoft Update distributes updates. In this case (two proxy servers), set one channel to use HTTP and the other channel to use HTTPS.

IIS: under IIS Manager App – Expand Server name – Sites – WSUS … To do so, launch Internet Information Services. When you have all the site system roles on a single server, you should be very careful with the private memory limit setting of the WSUS application pool. The support engineer was helpful, and she helped set up the best-practice IIS settings required for a remote WSUS/SUP. This is primarily for Server 2012 WSUS, and is a manual execution only.

Restart the server. On the Before You Begin page, review the information, and then click Next.
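The client side of the procedure above (Specify intranet Microsoft update service location, Enable client-side targeting, Configure Automatic Updates, then a policy refresh and a detection run) comes down to a handful of policy registry values. The following is an added example written for this page, not code from the original post, for a client that is not domain-joined and is configured locally; the server URL and group name are assumptions, and the HTTPS URL assumes SSL has already been configured on the server.

```powershell
# Added example, not from the original page. Run elevated on a client that
# is NOT domain-joined (on a domain member the domain GPO overwrites these).
# Server URL and group name are assumptions.
$wsusUrl = 'https://wsus.corp.example:8531'   # HTTPS so metadata is protected; include the port
$group   = 'Pilot'                            # must exist on the WSUS server

$wu = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
$au = Join-Path $wu 'AU'
New-Item -Path $wu -Force | Out-Null
New-Item -Path $au -Force | Out-Null

# "Specify intranet Microsoft update service location"
Set-ItemProperty -Path $wu -Name WUServer       -Value $wusUrl -Type String
Set-ItemProperty -Path $wu -Name WUStatusServer -Value $wusUrl -Type String
Set-ItemProperty -Path $au -Name UseWUServer    -Value 1       -Type DWord

# "Enable client-side targeting"
Set-ItemProperty -Path $wu -Name TargetGroupEnabled -Value 1      -Type DWord
Set-ItemProperty -Path $wu -Name TargetGroup        -Value $group -Type String

# "Configure Automatic Updates"; AUOptions: 2 = notify for download and notify
# for install, 3 = auto download and notify for install, 4 = auto download
# and schedule the install, 5 = allow local admin to choose setting
Set-ItemProperty -Path $au -Name NoAutoUpdate -Value 0 -Type DWord
Set-ItemProperty -Path $au -Name AUOptions    -Value 3 -Type DWord

# Apply now instead of waiting for the 90 (+0-30) minute background refresh,
# then start detection. wuauclt /detectnow is the documented command for
# older clients; Windows 10 and later ignore it and UsoClient StartScan is used.
gpupdate /force | Out-Null
$osMajor = [int](Get-CimInstance Win32_OperatingSystem).Version.Split('.')[0]
if ($osMajor -ge 10) {
    & "$env:SystemRoot\System32\UsoClient.exe" StartScan
} else {
    & "$env:SystemRoot\System32\wuauclt.exe" /detectnow
}

# Check what the client will actually use. A URL that is not https:// here
# means metadata and group membership travel in the clear.
Get-ItemProperty -Path $wu | Select-Object WUServer, WUStatusServer, TargetGroup
Get-ItemProperty -Path $au | Select-Object UseWUServer, AUOptions
```

The same values are what a domain GPO writes; reading them back on a misbehaving client is the quickest way to confirm which server, port and group it is really using before digging into WSUS or IIS logs.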
The following is a summary of recommended changes, and a related screenshot. These settings are found in IIS Manager > Application Pools > choose WsusPool and then click the Advanced Settings link in the right-side pane of IIS Manager. What is Queue Length?

SSL: WSUS uses SSL to let client computers and downstream WSUS servers authenticate the WSUS server, and to encrypt the metadata. The client computers must trust the certificate that you bind to the WSUS server. If the certificate is only imported into the Local User Trusted Root CA store, the downstream WSUS server will not be able to authenticate the upstream server.

Targeting: a client computer identifies itself as a member of a particular computer group when it sends information to the WSUS server. This setting indicates to the WSUS server which group the client computer will use.

Group Policy: in a more complex environment, you might link multiple WSUS GPOs to several organizational units (OUs), which lets you apply different WSUS policy settings to different types of computers. Allow local admin to choose setting.

Configuration: before you start the configuration process, be sure that you know the answers to the following questions: Is the server's firewall configured to allow clients to access the server? By default, WSUS is configured to use Microsoft Update as the location from which to obtain updates. To add the proxy server that uses the HTTP protocol to the WSUS configuration: in the left pane, expand the server name, and then click Options. On the Finished page, you have the option to start the synchronization now by selecting the Begin initial synchronization check box. Now that you have performed the basic WSUS configuration, read the next sections for more details about changing the settings by using the WSUS Management Console.
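The WsusPool changes summarized above (Queue Length, Private Memory Limit, "Service Unavailable" Response Type and, optionally, Enable 32-Bit Applications) can be scripted and checked rather than clicked through. The following is an added example written for this page, not code from the original post; the 4 GB private memory limit is an assumption to size to your server, and the page's own warning applies: do not use 0 (no limit) on a server that also hosts other site system roles.

```powershell
# Added example, not from the original page. Run elevated on the WSUS server.
# The private memory limit value is an assumption; size it to the hardware.
Import-Module WebAdministration
$pool = 'IIS:\AppPools\WsusPool'

function Get-WsusPoolSettings {
    # Snapshot of the four settings this page changes, for before/after review
    $p = Get-Item $pool
    [pscustomobject]@{
        QueueLength        = $p.queueLength                            # default 1000
        PrivateMemoryKB    = $p.recycling.periodicRestart.privateMemory # default 1843200 (1.8 GB)
        ServiceUnavailable = $p.failure.loadBalancerCapabilities       # HttpLevel (default) or TcpLevel
        Enable32Bit        = $p.enable32BitAppOnWin64
    }
}

'Before:'; Get-WsusPoolSettings | Format-List

Set-ItemProperty $pool -Name queueLength -Value 30000
Set-ItemProperty $pool -Name recycling.periodicRestart.privateMemory -Value 4194304   # 4 GB in KB; never 0 on a shared site server
Set-ItemProperty $pool -Name failure.loadBalancerCapabilities -Value TcpLevel         # reset the connection instead of a 503 page
Set-ItemProperty $pool -Name enable32BitAppOnWin64 -Value $false

Restart-WebAppPool -Name WsusPool      # equivalent of the recycle/IIS restart in the steps
'After:'; Get-WsusPoolSettings | Format-List
Get-WebAppPoolState -Name WsusPool

# Were requests already being dropped before the change? When the queue
# limit is hit, HTTP.sys records the rejected requests in the HTTPERR log
# with the reason QueueFull; those are the 503s clients saw during scans.
$httpErr   = "$env:SystemRoot\System32\LogFiles\HTTPERR\httperr*.log"
$queueFull = Select-String -Path $httpErr -Pattern 'QueueFull' -ErrorAction SilentlyContinue
"QueueFull entries in HTTPERR logs: $(@($queueFull).Count)"
```

A rising QueueFull count after the change means the pool is still recycling too often (memory limit too low for the client count) or the server is simply undersized; the queue length only buys time, it does not add capacity.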
Wizard: this procedure assumes that you are using the WSUS Configuration Wizard, which appears the first time you launch the WSUS Management Console. The Windows Server Update Services Wizard opens. Type the port number that the server uses for SSL connections into the Port number text box.

SSL: WSUS requires two ports for SSL: one port that uses HTTPS to send encrypted metadata, and one port that uses HTTP to send the update files. You should require SSL for the following virtual roots only: You should not require SSL for the following virtual roots: The certificate of the certification authority (CA) must be imported into the local computer Trusted Root CA store, or the Windows Server Update Service Trusted Root CA store, on downstream WSUS servers. If the corporate network uses proxy servers, the proxy servers must support HTTP and SSL and use basic authentication or Windows authentication. If you use WSUS with a remote SQL Server database, the connection between the WSUS server and the database server is not secured by SSL.

Clients: WSUS doesn't push updates; clients pull on their detection schedule. If you want to update Group Policy sooner, you can open a command prompt window on the client computer and type gpupdate /force. At the top of the Start menu, right-click Command Prompt, and then click Run as administrator.

Application pool: how to configure the IIS WSUS application pool? Troubleshooting Step 5: IIS Application Pool Running and Optimized. The default Private Memory Limit is 1843200 KB, about 1.8 GB.

IIS virtual directories: ensure that the IIS virtual directories (vDirs/web services) are set as shown below. After you have confirmed the security settings and had to make a change in IIS, remember to run IISRESET.
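The SSL procedure spread across this page (bind a certificate to the SSL port, require SSL only on the metadata and authentication virtual roots while Content, Inventory, ReportingWebService and SelfUpdate stay on plain HTTP, tell WSUS its SSL name with wsusutil configuressl, open both ports on the firewall, and point clients at an https:// URL) is shown below as one added example written for this page, not code from the original post or from Microsoft. The five virtual roots that require SSL are the ones named in Microsoft's WSUS SSL documentation. It assumes the WSUS 6.2+ default ports, a server certificate already installed in the machine store (placeholder thumbprint) and the FQDN that certificate was issued for.

```powershell
# Added example, not from the original page. Run elevated on the WSUS server.
# Assumptions: default ports 8530/8531, certificate already in LocalMachine\My
# (thumbprint below is a placeholder), FQDN matches the certificate.
Import-Module WebAdministration
$site    = 'WSUS Administration'
$fqdn    = 'wsus.corp.example'
$thumb   = '0000000000000000000000000000000000000000'
$sslPort = 8531

# Documented rule: clear HTTP uses 80 when SSL is on 443, otherwise the port
# numerically before the SSL port. Both ports stay in use.
function Get-WsusHttpPort([int]$SslPort) { if ($SslPort -eq 443) { 80 } else { $SslPort - 1 } }
$httpPort = Get-WsusHttpPort $sslPort

# 1. Bind the certificate to the SSL port. WSUS setup creates the https
#    binding but leaves it without a certificate.
if (-not (Get-WebBinding -Name $site -Protocol https -Port $sslPort)) {
    New-WebBinding -Name $site -Protocol https -Port $sslPort
}
$sslBinding = "IIS:\SslBindings\0.0.0.0!$sslPort"
if (Test-Path $sslBinding) { Remove-Item $sslBinding }
Get-Item "Cert:\LocalMachine\My\$thumb" | New-Item $sslBinding | Out-Null

# 2. Require SSL only where metadata and authentication flow. Content,
#    Inventory, ReportingWebService and SelfUpdate stay on plain HTTP; the
#    update files are verified by the hash that arrives with the metadata.
$requireSsl = 'ApiRemoting30', 'ClientWebService', 'DssAuthWebService',
              'ServerSyncWebService', 'SimpleAuthWebService'
foreach ($vroot in $requireSsl) {
    Set-WebConfigurationProperty -PSPath "IIS:\Sites\$site\$vroot" `
        -Filter 'system.webServer/security/access' -Name sslFlags -Value 'Ssl'
}

# 3. Tell WSUS its SSL name. Rerun whenever the name, SSL setting or port changes.
& "$env:ProgramFiles\Update Services\Tools\wsusutil.exe" configuressl $fqdn

# 4. Firewall: inbound on both ports, because both are used.
foreach ($port in $httpPort, $sslPort) {
    if (-not (Get-NetFirewallRule -DisplayName "WSUS TCP $port" -ErrorAction SilentlyContinue)) {
        New-NetFirewallRule -DisplayName "WSUS TCP $port" -Direction Inbound `
            -Protocol TCP -LocalPort $port -Action Allow | Out-Null
    }
}

# 5. Checks: bindings, machine-level trust of the certificate chain, and a
#    real TLS request to a vroot that now requires SSL (expect HTTP 200).
Get-WebBinding -Name $site | Select-Object protocol, bindingInformation
$cert = Get-Item "Cert:\LocalMachine\My\$thumb"
"Certificate chain trusted on this machine: $($cert.Verify())"
(Test-NetConnection -ComputerName $fqdn -Port $sslPort).TcpTestSucceeded
(Invoke-WebRequest -Uri "https://${fqdn}:${sslPort}/ClientWebService/client.asmx" -UseBasicParsing).StatusCode

# Clients must be given the HTTPS URL, port included, e.g. https://$fqdn:$sslPort
"Client URL to publish via Group Policy: https://${fqdn}:${sslPort}"
```

The Verify() check matters because the page's trust warnings are about the machine store: a certificate that only the admin's user profile trusts passes in a browser and still fails for Automatic Updates and for downstream servers, which run as services.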