2.2. To use SSL, select the Use SSL when synchronizing update information check box. By default, when each client computer first contacts the WSUS server, the server adds that client computer to both of these groups. If you use WSUS with a remote SQL Server database, the connection between the WSUS server and the database server is not secured by SSL. Click Next if you want to read more about additional settings, or you can click Finish to conclude this wizard and finish the initial WSUS setup. He is a Solution Architect on enterprise client management with more than 17 years of experience (calculation done on the year 2018) in IT. You can create as many custom computer groups as you need to manage updates in your organization. WSUS encrypts update metadata only. We recommend that you create a new GPO that contains only WSUS settings. You can set up one proxy server that handles both protocols for WSUS during the WSUS server software installation. When the queue is full, new requests receive a 503 “Service Unavailable” response. Click Enabled, and then select one of the following options under the Configure automatic updating setting: Notify for download and notify for install. Choose all the classifications or a subset of them, and then click Next. My server had more RAM available so the solution was to raise the amount of memory available to IIS. Anoop is Microsoft MVP and Veeam Vanguard ! WSUS doesn't push updates. Click Options, and then click Update Source and Proxy Server. There are two default computer groups: All computers and Unassigned computers. On the Specify Proxy Server page, select the Use a proxy server when synchronizing check box, and then type the proxy server name and port number (port 80 by default) in the corresponding boxes. Learn how your comment data is processed. To do so, launch Internet Information Services. An IIS Worker Process was using over 2GB of RAM when the problem would occur. This site uses Akismet to reduce spam. * Make the following "Advanced Settings" for WSUS Application Pool in IIS: - Queue Length: 25000 from 1000 - Limit Interval (minutes): 15 from 5 - "Service Unavailable" Response: TcpLevel from HttpLevel * (Stop IIS first) Edit the web.config ( C:\Program Files\Update Services\WebServices\ClientWebService\web.config ) for WSUS: Modify IIS WSUS Application Pool Settings Launch Server Manager – Launch IIS Manager; IIS Console – Click on Application Pools; Right-click ‘WsusPool’ and select ‘Advanced Settings’ Change the value of 'Queue Length’ under the General section to 30,000; Change 'Service Unavailable' Response Type from default HTTPlevel to TcpLevel In an environment without active directory, use the Local Group Policy editor to configure Automatic Updates, and then point the client computers to the WSUS server. Before realizing what the issue was, I attempted to re-install WSUS and IIS from scratch numerous times … When an update is downloaded, WSUS checks the digital signature and hash. The certificate on a client computer must be imported into the Local computer Trusted Root CA store or Automatic Update Service Trusted Root CA store. All the servers referring to this post are running with Server 2012 R2 OS. This includes all client computers, downstream servers, and computers that run the WSUS Administration Console. He is Blogger, Speaker and Local User Group Community leader. To achieve this you must change the following settings in the WSUS Application Pool. If the IIS website or application pool are not working properly then client devices may have scan errors, or report an unknown scan status. After selecting the proper options for your deployment, click Next to proceed. When you have the answers for these questions, you can start configuring the following WSUS network settings: Updates Specify the way this server will obtain updates (from Microsoft Update or from another WSUS server). Although the connection between Microsoft Update and WSUS requires ports 80 and 443 to be open, you can configure multiple WSUS servers to synchronize with a custom port. The default ports are the same as those specified in the preceding section Connection between WSUS servers , and the firewall on the WSUS server must also be configured to allow inbound traffic on these ports. Manually run Windows Updates on the server in question and select the option to connect to Windows Updates online, which will bypass WSUS, then … Hence, we set the WSUS app pool (Application Pool) queue length as 30,000 as you can see in the following screen capture. On the Web Server (IIS) Role information page, read the information then click Next to proceed. The Configure Automatic Updates policy opens. If you want to connect to the proxy server by using specific user credentials, select the Use user credentials to connect to the proxy server check box, and then type the user name, domain, and password of the user in the corresponding boxes. This is primarily for Server 2012 WSUS, and is a manual execution only. The Set Sync Schedule page enables you to select whether to perform synchronization manually or automatically. Install the WSUS server role. Type the port number that the server uses for SSL connections into the Port number text box. One of the best practices that can apply in WSUS to avoid problems with the performance and timeouts is to properly configure the WSUS Application Pool in IIS. Right-click the computer names that you selected in the previous step, and then click change Membership. This is a manual execution only. Correct config is likely not both but WSUS pool only. Microsoft best practice WSUS database optimization and re-indexing. DESCRIPTION: Comprehensive Windows Server Update Services (WSUS) configuration and optimization script. After installing the WSUS server role on your server, you need to properly configure it. Auto download and notify for install. A value of 0 means there is no limit. These requirements can be met by using one of the following configurations: A single proxy server that supports two protocol channels. You can find the detailed information in this post. Expand the WSUS Administration site so you see the list of web services and virtual directories for WSUS. The HTTP port setting is displayed in TCP port, and the HTTPS port setting is displayed in SSL port. By default, WSUS is configured to use Microsoft Update as the location from which to obtain updates. The following virtual directories (vroots) are created in IIS (in the Default Web Site by default) for client to server synchronization, server to server synchronization, reporting, and client self-update. At the top of the start menu, right-click Command prompt, and then click Run as administrator. Me funciono. 9. In a more complex environment, you might link multiple WSUS GPOs to several organizational units (OUs), which will enable you to apply different WSUS policy settings to different types of computers. If the update has been changed, it is not installed. Select your server from the server pool. Best Practices Related to IIS for SCCM SUP WSUS Setup. Microsoft best practice WSUS database optimization and re-indexing. Scroll down to the Recycling section. How to Open IIS WSUS Application Pool – Advanced Settings ? By default, these ports are configured as follows: On WSUS 3.2 and earlier, port 80 for HTTP and 443 for HTTPS, On WSUS 6.2 and later (at least Windows Server 2012 ), port 8530 for HTTP and 8531 for HTTPS are used. Modify IIS WSUS Application Pool Settings Launch Server Manager – Launch IIS Manager; IIS Console – Click on Application Pools; Right-click ‘WsusPool’ and select ‘Advanced Settings’ Change the value of 'Queue Length’ under the General section to 30,000; Change 'Service Unavailable' Response Type from default HTTPlevel to TcpLevel Consider the following examples: If you use the industry standard port of 443 for HTTPS traffic, WSUS uses the industry standard port 80 for clear HTTP traffic. 2. Use the following procedures to configure Automatic Updates for client computers: Step 4: Configure Group Policy Settings for Automatic Updates, 2.3. Before you start the configuration process, be sure that you know the answers to the following questions: Is the server's firewall configured to allow clients to access the server? Because WSUS initiates all the network traffic, it is not necessary to configure Windows Firewall on the WSUS server. if you choose to synchronize from another WSUS server, specify the server name and the port on which this server will communicate with the upstream server. You can create the group policy and apply it at domain level. IIS Configuration validation and optimization. This option lets local administrators to use Automatic Updates in Control Panel to select a configuration option. Log on to the computer by using a user account that is a member of the local Administrators group or the WSUS Administrators group. Do you have the name of the proxy server and the user credentials for the proxy server, if you need them? The best way to configure Automatic Updates depends on the network environment. You must re-initialize ClientServicingProxy if the server name, SSL configuration, or port number has changed. After you click Finish, the WSUS Management Console appears. Is this post related to WSUS SUP causes high CPU? Configure WSUS by using the WSUS Configuration Wizard, 2.5. Comprehensive Windows Server Update Services (WSUS) configuration and optimization script.. Recently, I deployed Windows Server Update Services on a new Windows Server 2019 – Server Core install, and experienced this issue during the first synchronization. For example, they can choose a scheduled installation time. Under IIS Manager App – Expand Server name – Sites – WSUS … Scroll down to the Recycling section. So, I was planning to have 30,000 clients under that SUP. How can i force it to manually report to the WSUS … if you choose Synchronize automatically, the WSUS server will synchronize at set intervals. Computer groups permit you to test and target updates to specific computers. Note the information in the Windows Server Update Services page. When the self-signed certificate expires or nears expiration, WSUS will log events in the event log. Recently, I deployed Windows Server Update Services on a new Windows Server 2019 – Server Core install, and experienced this issue during the first synchronization. For client computers that are configured with a domain-based Group Policy Object, it can take about 20 minutes for Group Policy to apply the new policy settings to the client computer. On the Before you Begin page, review the information, and then click Next. A second approach may be to set Enable 32-Bit Applications to False in the Application Pools Advanced Settings. proxy_port is the proxy server port number. Find the WSUS pool and choose the Advanced settings. To set up two proxy servers, each of which will handle one protocol for WSUS, use the following procedure: Log on to the computer that is to be the WSUS server by using an account that is a member of the local Administrators group. In this section, locate the parameter named Private Memory Limit (KB). Think your Private Memory Limit is missing a zero. We need to open the IIS console and locate the Application pools branch. Firewall If you identified that WSUS is behind a corporate firewall, there are some additional steps that must be done at the edge device to properly allow WSUS traffic. In this case, one proxy server is configured to use HTTP, and the other proxy server is configured to use HTTPS. If you choose to get updates only for specific languages, select Download updates only in these languages, and then select the languages for which you want updates; otherwise, leave the default selection. Open a command prompt (Cmd.exe) as an administrator. In this case, set one channel to use HTTP and the other channel to use HTTPS. Log on to the WSUS server by using an account that is a member of the WSUS Administrators group or the local Administrators group. WSUS needs a database to store WSUS Configuration and update metadata. Comprehensive Windows Server Update Services (WSUS) configuration and optimization script.. If the status is set to Enabled, this computer will identify itself as a member of a particular computer group when it sends information to the WSUS server, which uses it to determine which updates are deployed to this computer. This option notifies a logged-on administrative user before you download and install the updates. This option automatically begins downloading updates and then notifies a logged-on administrative user before installing the updates. No, this post is not related to the issue which caused high CPU usage for WSUS servers. To obtain updates from Microsoft Update, the WSUS server uses port 443 for HTTPS protocol. Enter your email address to subscribe to this blog and receive notifications of new posts by email. 2. * Make the following "Advanced Settings" for WSUS Application Pool in IIS: - Queue Length: 25000 from 10000 - Limit Interval (minutes): 15 from 5 - "Service Unavailable" Response: TcpLevel from HttpLevel * Edit the web.config ( C:\Program Files\Update Services\WebServices\ClientWebService\web.config ) for WSUS (Stop the IIS first): In the right pane, expand the server name. On the Choose Classifications page, select the update classifications that you want to obtain. If the certificate is imported to the Local User's Trusted Root CA store only, Automatic Updates will fail server authentication. Set the time for the First synchronization, and then specify the number of Synchronizations per day that you want this server to perform. To determine the WSUS port settings in IIS 6.0 1. The servers will use port 443 for synchronization. Configure the WSUS web services to require SSL. Best Practice – IIS WSUS App Pool – Private memory limit Settings for Remote SUP/WSUS Server. If you continue to use this site we will assume that you are happy with it. If you select the option Download updates only in these languages, and this server has a downstream WSUS server connected to it, this option will force the downstream server to also use only the selected languages. WSUS uses SSL to authenticate client computers and downstream WSUS servers to the WSUS server. The support engineer was helpful, and she helped to setup the best practices for IIS settings required for remote WSUS/SUP. WSUS ultimately relies on Microsoft IIS on the backend, even when integrated with Configuration Manager. All the servers referring to this post are running with Server 2012 R2 OS. Accomplishing this turned into a manual task that was very hard to either do by hand or automate successfully. Then click Next. Enabling Anonymous Authentication (IIS 6.0), as documented in the IIS 6.0 Operations Guide. The support engineer was helpful, and she helped to setup the best practices for IIS settings required for remote WSUS/SUP. What is Queue Length? Shavlik does not provide support for Microsoft products such as Configuration Manager, WSUS, or IIS. Use the WSUS Configuration wizard to perform the base WSUS configuration. Step 10: On the Web Server Role (IIS) page, click Next Step 11: Leave all selections as default on the Role Services page and click Next Step 12: Click Next on this screen Step 13: On the Role Services page, make sure WID Database and WSUS Services are selected (They should be selected by default). The WSUS database can be local or a remote SQL 2008/2012 server. Click the Web Site tab. Microsoft reduces the risk of sending update files over an unencrypted channel by signing each update. WSUS is a local Windows Updates repository. Then click Next to proceed. For more information about how to use SSL certificates in IIS, see Require Secure Sockets Layer (IIS 7). Find the WSUS pool and choose the Advanced settings. If you have set up active directory in your network, you can configure one or multiple computers simultaneously by including them in a Group Policy Object (GPO), and then configuring that GPO with WSUS settings. Expand Web Sites, right-click the website for the WSUS server, and then click Properties. Proxy If you identified that WSUS needs to use a proxy server to have Internet access, you need to configure proxy settings in the WSUS server. If the proxy server supports basic authentication, select the Allow basic authentication (password is sent in cleartext) check box. The following section describes how to configure a corporate firewall that is positioned between WSUS and the Internet. Configure Secure Sockets Layer (SSL) protocol to help protect Windows Server Update Services (WSUS). Note the information in the Windows Server Update Services page. 1. For example, if you use port 8531 for HTTPS, WSUS will use port 8530 for HTTP. Enter a local or remote path to store updates. Application Pool Memory Configuration to display the current private memory limit and easily set it to any configurable amount including 0 for unlimited. In a simple environment, you might link a single WSUS GPO to the domain. WSUS Administrators; IIS settings. I'll see if i can locate any related event logs, but not real sure what i would be looking for if would be WSUS side or IIS side IIS crashing so thinking IIS … You should require SSL for the following virtual roots only: You should not require SSL for the following virtual roots: The certificate of the certification authority (CA) must be imported into the local computer Trusted Root CA store, or the Windows Server Update Service Trusted Root CA store on downstream WSUS servers. In the Command prompt window, go to the C:\Program Files\Update Services\Tools folder. Selecting a product category selects all the products in that category. The private key must be installed on the WSUS server, and the public key must be explicitly installed in the trusted certificate store on all client PCs and servers which are to receive custom-signed updates. Read the instructions on the Join the Microsoft Update Improvement Program page and evaluate if you want to participate. IIS Configuration validation and optimization. If the corporate network uses proxy servers, the proxy servers must support HTTP and SSL protocols and use basic authentication or Windows authentication. The Windows Server Update Services Wizard opens. WSUS integrated update and computer cleanup. If there is a corporate firewall between WSUS and the Internet, you might have to configure the firewall to ensure that WSUS can obtain updates. Type the name of the upstream server into the Server name text box. In the add computer Group dialog box, in Name, specify the name of the new group, and click then add. This’ll improve WSUS availability. The following is a summary of recommended changes, and a related screenshot. This post will help you get some details about a couple of Best Practices Related to IIS for SCCM SUP WSUS Setup. Now our Next Step is to change the Bindings and assign a different port number to the HTTP Connection for WSUS, so that the clients are unable to scan against it, thereby freeing up the memory for us. The listening interfaces and ports are configured in the IIS site(s) for WSUS and in any Group Policy settings used to configure client PCs. There are several considerations associated with custom update signing. Go to start, type CMD, right-click Command prompt, and then click Run as administrator. After you set up a client computer, it will take several minutes before the computer appears on the computers page in the WSUS Administration Console. For example, if you are using HTTP, you should type http://servername:8530. Internet Information Services (IIS) Manager → Server → Application Pools → Select “WSUSPool” → Actions Advanced → Recycling → change “Private Memory Limit (KB)“. I’ve just checked your screenshot and that is correct, though. Creation of daily and weekly optimization scheduled tasks. If this has occurred, you must re-enable the anonymous read access before you can successfully install and operate WSUS. if this is a replica server, select the This is a replica of the upstream server check box. His main focus is on Device Management technologies like SCCM 2012,Current Branch, Intune. W2016 Standard WSUS 10.0.14393.2007 IIS 10 Edited the already present MIME type in IIS – .ESD – at top of App pool tree & WSUS pool. How to Configure IIS WSUS Application Pool? I was able to get our setup to just use a wildcard certificate, and port 443 only. Then click Next. Allow local admin to choose setting. When you configure SSL on client computers, you should consider the following issues: You must include a URL for a secure port on the WSUS server. (Make sure that this server and the upstream server support SSL.). Type wuauclt.exe /detectnow, and then press ENTER. In the Set computer Group Membership dialog box, select the test group that you created, and then click OK. WSUS Setup automatically configures IIS to distribute the latest version of Automatic Updates to each client computer that contacts the WSUS server. Select the appropriate product options for your deployment, and then click Next. Michael Oberhardt June 13, 2019 at 4:51 pm. This procedure assumes that you are using the WSUS Configuration Wizard, which appears the first time you launch the WSUS Management Console. If there is a corporate firewall between WSUS and the Internet, you might have to configure that firewall to ensure WSUS can obtain updates. The following checklist summarizes the steps involved in performing the initial configuration for your WSUS server. You can find the detailed information in this post. On the Update Source page, select Synchronize from another Windows Server Update Services server. WSUS upstream and downstream servers will synchronize on the port configured by the WSUS Administrator. A client computer identifies itself as a member of a particular computer group when it sends information to the WSUS server. The Choose Products page allows you specify the products for which you want updates. By default, WSUS will use port 8530 for HTTP and 8531 for HTTPS. The following procedures assume that your network runs active directory. On the Connect to Upstream Server page, click start Connecting. In the GPMC, expand computer Configuration, expand Policies, expand Administrative Templates, expand Windows components, and then click Windows Update. In the Proxy port number text box, type the port number of the proxy server. The IIS and WSUS services must be stopped to prevent the database from being accessed while the Network Load Balancing (NLB) clusters are upgraded. Some applications, notably Windows SharePoint Services, may remove anonymous access. The default limit is set to 1843200KB or 1.8GB. 2. * Make the following "Advanced Settings" for WSUS Application Pool in IIS: - Queue Length: 25000 from 10000 - Limit Interval (minutes): 15 from 5 - "Service Unavailable" Response: TcpLevel from HttpLevel * Edit the web.config ( C:\Program Files\Update Services\WebServices\ClientWebService\web.config ) for WSUS (Stop the IIS first): Navigate to the %ProgramFiles%\Update Services\Tools\ folder. Depending on the type of certificate that is used, you might have to set up a service to enable the client computers to trust the certificate that is bound to the WSUS server. C:\WSUS, or D:\WSUS) Restart the server. That post covers the end to end patching process and troubleshooting tips. In the Windows Update details pane, double-click Specify intranet Microsoft update service location. In an environment that uses active directory directory service, you can use an existing domain-based Group Policy Object (GPO) or create a new GPO. If the certificate is only imported to the Local User Trusted Root CA store, the downstream WSUS server will not be authenticated on the upstream server. If you want to enable basic authentication for the user who is connecting to the proxy server, select the Allow basic authentication (password is sent in cleartext) check box. So when troubleshooting Updating issues, you need to check both the Software Update Point and WSUS, and lowe and behold the WSUS console kept on crashing. Certificate Distribution. WSUS integrated update and computer cleanup. I know this is a thing that should be done, as I’ve read it elsewhere, perhaps you could add it to the text as well for those that are unsure. If you want to participate in the program. Open IIS; Expand the Server Name; Click in Application Pools; Click in WsusPool Checks to see if you have a dirty database, and if you do, fixes it. Deploy Internet Protocol security (IPsec) to help secure network traffic. Removal of device drivers from WSUS repository (greatly improves speed, reliability, and reduces storage space needed). Enable client-side targeting enables client computers to add themselves to target computer groups on the WSUS server, when Automatic Updates is redirected to a WSUS server. To remove a proxy server from the WSUS configuration, clear the check box for Use a proxy server when synchronizing.