2. Best Practice – IIS WSUS App Pool – Private memory limit Settings for Remote SUP/WSUS Server. I have checked each of the items above and my server is set as such, but I am still seeing the Red X on the WSUS server and it says “computer has not reported status in 90 days.” The computer being the WSUS server itself. After selecting the appropriate language options for your deployment, click Next to continue. In the Proxy port number text box, type the port number of the proxy server. Consider the following examples: If you use the industry standard port of 443 for HTTPS traffic, WSUS uses the industry standard port 80 for clear HTTP traffic. DESCRIPTION: Comprehensive Windows Server Update Services (WSUS) configuration and optimization script. By default, Group Policy updates in the background every 90 minutes, with a random offset of 0-30 minutes. Windows Server Update Services Wizard: Select Role Services to Install WSUS. Although the connection between Microsoft Update and WSUS requires ports 80 and 443 to be open, you can configure multiple WSUS servers to synchronize with a custom port. Before you start the configuration process, be sure that you know the answers to the following questions: Is the server's firewall configured to allow clients to access the server? Auto download and schedule the install. Click OK to close the Enable client-side targeting policy and return to the Windows Update details pane. On the Choose Upstream Server page, there are two options: Synchronize the updates with Microsoft Update, or Synchronize from another Windows Server Update Services server. You can create the group policy and apply it at domain level. Best Practice – IIS – WSUS App Pool – Queue Length for SCCM CB SUP?
If you choose to get updates only for specific languages, select Download updates only in these languages, and then select the languages for which you want updates; otherwise, leave the default selection. Windows clients "pull" updates from WSUS. Type the name of the upstream server into the Server name text box. Before realizing what the issue was, I attempted to re-install WSUS and IIS from scratch numerous times … Choose all the classifications or a subset of them, and then click Next. Best Practices Related to IIS for SCCM SUP WSUS Setup. Configure the cluster network by using the Network Configuration Wizard. Then click Next. If you use the Local Publishing feature from a remote WSUS console, after you apply the update to your WSUS server, the remote WSUS consoles must also be updated so that the API versions match. If you use any port other than 443 for SSL, you must include that port in the URL also. To determine the WSUS port settings in IIS 6.0. Type the port number that the server uses for SSL connections into the Port number text box. Click Enabled, and then, in the Set the intranet update service for detecting updates and Set the intranet statistics server text boxes, type the same URL of the WSUS server. Set the time for the First synchronization, and then specify the number of Synchronizations per day that you want this server to perform.
Launch Server Manager – Launch IIS Manager, Right-click ‘WsusPool’ and select ‘Advanced Settings’, Change the value of ‘Queue Length’ under the General section from the default 1,000 to 30,000, Right-click ‘WsusPool’ and select ‘Advanced Settings’, Change the value of ‘Private Memory Limit’ under the, Click OK to save and restart the IIS service. WSUS SUP causes high CPU and clients fail updates scan; What are the best practices for Software Updates/Patching in SCCM; Windows Server 2012 R2 WSUS Issue: Clients cause the WSUS App Pool to become unresponsive with HTTP 503. Configure the WSUS web services to require SSL. In an environment that uses the Active Directory directory service, you can use an existing domain-based Group Policy Object (GPO) or create a new GPO. I have a remote WSUS + SCCM SUP server installed on 2012 R2. You can use the Secure Sockets Layer (SSL) protocol to help secure the WSUS deployment. Enabling Anonymous Authentication (IIS 6.0), as documented in the IIS 6.0 Operations Guide. In the right pane, expand the server name. The Windows Server Update Services Wizard opens. Then click Next to proceed. Now our next step is to change the bindings and assign a different port number to the HTTP connection for WSUS, so that the clients are unable to scan against it, thereby freeing up the memory for us. The IIS and WSUS services must be stopped to prevent the database from being accessed while the Network Load Balancing (NLB) clusters are upgraded. Selecting a subset of languages will save disk space, but it is IMPORTANT to choose all of the languages that are needed by all the clients of this WSUS server. Many thanks for the contribution.
There are two default computer groups: All computers and Unassigned computers. Use Internet Information Services (IIS) throttling to limit throttling to one or more web services. Type the following command: wsusutil ConfigureSSLproxy [<proxy_server proxy_port>] -enable, where proxy_server is the name of the proxy server that supports HTTPS and proxy_port is the proxy server port number. How can I force it to manually report to the WSUS … WSUS is a local Windows Updates repository. This option automatically begins downloading updates and then notifies a logged-on administrative user before installing the updates. By default, WSUS will use port 8530 for HTTP and 8531 for HTTPS. For more information and for instructions about how to install certificates and set up this environment, see the following topics: Implementing and Administering Certificate Templates, Active Directory Certificate Services Upgrade and Migration Guide. Scroll down to the Recycling section. Clients and downstream servers that are configured to use Transport Layer Security (TLS) or HTTPS must also be configured to use a fully qualified domain name (FQDN) for their upstream WSUS server. The steps that are required to set up a certification authority, bind the certificate to the WSUS website, and establish a trust between the client computers and the certificate are beyond the scope of this guide. Move the remote database server and the WSUS server to a private network. This option automatically begins downloading updates and then installs the updates on the day and time that you specify. WSUS requires two ports for SSL: one port that uses HTTPS to send encrypted metadata, and one port that uses HTTP to send updates. WSUS can automatically sign these custom update packages for you with an Authenticode certificate. Click Next. Step 14: This page will allow you to set the destination directory for the …
To use SSL, select the Use SSL when synchronizing update information check box. If the User Account Control dialog box appears, enter the appropriate credentials (if requested), confirm that the action it displays is what you want, and then click Continue. Recently, I deployed Windows Server Update Services on a new Windows Server 2019 – Server Core install, and experienced this issue during the first synchronization. Local administrators cannot disable Automatic Updates. Description. When the SUP is hosted on a remote server, it can serve a maximum of 150,000 clients. After you set up a client computer, it will take several minutes before the computer appears on the Computers page in the WSUS Administration Console. In the Proxy server name text box, type the name of the proxy server. Deploy Internet Protocol security (IPsec) to help secure network traffic. Secure WSUS with the Secure Sockets Layer Protocol, Enabling Anonymous Authentication (IIS 6.0). I have seen some things saying IIS settings need adjustment, but not seeing much if these settings also need to be changed in Server 2019 also. Configure WSUS by using the WSUS Configuration Wizard, 2.5. You must consider the following limitations when you use SSL to secure a WSUS deployment: Using SSL increases the server workload. To enable custom update signing, you must install a package signing certificate on your WSUS server. IIS Configuration validation and optimization. All the servers referred to in this post are running the Server 2012 R2 OS. In addition to NTFS permissions occasionally being incorrectly set for WSUS, from time to time we find IIS permissions being incorrect or out of sync. Under IIS Manager App – Expand Server name – Sites – WSUS … Expand Web Sites, right-click the website for the WSUS server, and then click Properties. W2016 Standard, WSUS 10.0.14393.2007, IIS 10. Edited the already present MIME type in IIS – .ESD – at top of App pool tree & WSUS pool.
If this is a replica server, select the This is a replica of the upstream server check box. To obtain updates from Microsoft Update, the WSUS server uses port 443 for the HTTPS protocol. New active SUP List is: SMS_WSUS_CONFIGURATION_MANAGER SUP0: SERVER.FQDN, group = SERVER.FQDN, nlb = SMS_WSUS_CONFIGURATION_MANAGER Updating active SUP groups... SMS_WSUS_CONFIGURATION_MANAGER Waiting for changes for 1 minutes SMS_WSUS_CONFIGURATION_MANAGER Wait timed out after 0 minutes while waiting for at least one … In IIS Manager on the WSUS server, go to Sites > WSUS Administration. In addition, a hash is computed and sent together with the metadata for each update. After installing the prerequisites and configuring the variables for your environment (email settings only if you are accepting all the defaults), simply run: .\Clean-WSUS.ps1 -FirstRun If you wish to view or increase the Application Pool Memory Configuration, or run the Dirty Database Check, you must run it with the required switch. Private memory limit is set in KB. When the queue is full, new requests receive a 503 “Service Unavailable” response. If you face trouble in setting up these prerequisites for installing the Shavlik Patch plugin, it would be best to work directly with Microsoft support. I know this is a thing that should be done, as I’ve read it elsewhere; perhaps you could add it to the text as well for those that are unsure. Click the Web Site tab. Create computer groups in the WSUS administration console to manage updates in your organization. In the Command prompt window, go to the C:\Program Files\Update Services\Tools folder. WSUS uses SSL for metadata only, not for update files. Restart the server. Find the WSUS pool and choose the Advanced settings. I was working with Microsoft support for an SCCM SUP related issue on one SCCM CB 1706 environment. The Choose Products page allows you to specify the products for which you want updates.
In an environment without Active Directory, use the Local Group Policy editor to configure Automatic Updates, and then point the client computers to the WSUS server. If you use WSUS with a remote SQL Server database, the connection between the WSUS server and the database server is not secured by SSL. That post covers the end-to-end patching process and troubleshooting tips. The support engineer was helpful, and she helped to set up the best practices for IIS settings required for remote WSUS/SUP. The best way to configure Automatic Updates depends on the network environment. If you choose to synchronize from another WSUS server, specify the server name and the port on which this server will communicate with the upstream server. WSUS ultimately relies on Microsoft IIS on the backend, even when integrated with Configuration Manager. The default ports are the same as those specified in the preceding section Connection between WSUS servers, and the firewall on the WSUS server must also be configured to allow inbound traffic on these ports. WSUS also uses SSL to encrypt update metadata. 3. On the WSUS server, open Internet Information Services (IIS) Manager. Select the appropriate product options for your deployment, and then click Next. Expiration. This post will help you get some details about a couple of Best Practices Related to IIS for SCCM SUP WSUS Setup. Certificate Distribution. In the Command prompt window, type the following command, where certificateName is the DNS name of the WSUS server. Can this computer connect to the upstream server (such as the server that is designated to download updates from Microsoft Update)? These settings are found in IIS Manager > Application Pools > choose WsusPool and then click the Advanced Settings link in the right side pane of IIS Manager. In the Complete WSUS Installation dialog box, click Close when the installation successfully finishes.
The group policy settings will be used to obtain automatic updates from Windows Server Update Services (WSUS). For client computers that are configured by using the Local Group Policy editor, the GPO is applied immediately, and the update takes about 20 minutes. So when troubleshooting updating issues, you need to check both the Software Update Point and WSUS, and lo and behold, the WSUS console kept on crashing. By default, this option is selected. For more information about IPsec, see Creating and Using IPsec Policies. Enter a local or remote path to store updates. Click Next. On the Finished page, you have the option to start the synchronization now by selecting the Begin initial synchronization check box. After selecting the proper options for your deployment, click Next to proceed. Michael Oberhardt June 13, 2019 at 4:51 pm. How to Open IIS WSUS Application Pool – Advanced Settings? Open a command prompt (Cmd.exe) as an administrator. Although Internet connectivity is required to download updates from Microsoft Update, WSUS offers you the ability to import updates onto networks that are not connected to the Internet. In the Set Computer Group Membership dialog box, select the test group that you created, and then click OK. WSUS Setup automatically configures IIS to distribute the latest version of Automatic Updates to each client computer that contacts the WSUS server. You can use any port for SSL. The firewall on the WSUS server must be configured to allow inbound traffic on these ports. For example, if you specify that there should be four synchronizations per day, starting at 3:00 A.M., synchronizations will occur at 3:00 A.M., 9:00 A.M., 3:00 P.M., and 9:00 P.M. After selecting the appropriate synchronization options for your deployment, click Next to continue.
Now that you have performed the basic WSUS configuration, read the next sections for more details about changing the settings by using the WSUS Management Console. WSUS uses SSL to authenticate client computers and downstream WSUS servers to the WSUS server. Modify IIS WSUS Application Pool Settings: Launch Server Manager – Launch IIS Manager; IIS Console – Click on Application Pools; Right-click ‘WsusPool’ and select ‘Advanced Settings’; Change the value of ‘Queue Length’ under the General section to 30,000; Change ‘Service Unavailable’ Response Type from the default HttpLevel to TcpLevel. After you click Finish, the WSUS Management Console appears. Use the following options to modify the existing proxy server configuration: Select the check box for Use a proxy server when synchronizing. Select the Use SSL when synchronizing update information check box, and then click OK. The certificate on a client computer must be imported into the Local Computer Trusted Root CA store or the Automatic Update Service Trusted Root CA store. The following procedures assume that your network runs Active Directory. Although most corporate firewalls allow this type of traffic, some companies restrict Internet access from servers due to the company's security policies. On the Connect to Upstream Server page, click Start Connecting. So, I was planning to have 30,000 clients under that SUP. In a simple environment, you might link a single WSUS GPO to the domain. You must complete this step if you identified that WSUS needs a proxy server to have Internet access. Configure Secure Sockets Layer (SSL) protocol to help protect Windows Server Update Services (WSUS).
The following virtual directories (vroots) are created in IIS (in the Default Web Site by default) for client-to-server synchronization, server-to-server synchronization, reporting, and client self-update. The WSUS database can be local or a remote SQL 2008/2012 server. WSUS Administrators; IIS settings. You should expect a 10 percent loss of performance because of the cost of encrypting all the metadata that is sent over the network. Checks to see if you have a dirty database, and if you do, fixes it. An IIS Worker Process was using over 2GB of RAM when the problem would occur. If you choose Synchronize manually, you must start the synchronization process from the WSUS Administration Console. If you select the option Download updates only in these languages, and this server has a downstream WSUS server connected to it, this option will force the downstream server to also use only the selected languages. Troubleshooting Step 5: IIS Application Pool Running and Optimized. You must create the group on the WSUS server, and add domain-member computers to that group. To configure this WSUS server to download updates directly from Microsoft, accept the default option below – Synchronize from Microsoft Update. Then click Next. You can find the detailed information in this post. If your server requires a proxy server to connect to the Internet, check Use a proxy server when synchronizing. Then enter the details of the proxy server and click Next. If you have set up Active Directory in your network, you can configure one or multiple computers simultaneously by including them in a Group Policy Object (GPO), and then configuring that GPO with WSUS settings.
When you configure WSUS to use SSL, consider the following: You cannot configure the whole WSUS website to require SSL because all traffic to the WSUS site would have to be encrypted. To enable anonymous read access, follow the steps for the applicable version of IIS: Enable Anonymous Authentication (IIS 7), as documented in the IIS 7 Operations Guide. For more information about how to use SSL certificates in IIS, see Require Secure Sockets Layer (IIS 7). The client computers must trust the certificate that you bind to the WSUS server. (Make sure that this server and the upstream server support SSL.) Hence, we set the WSUS app pool (Application Pool) queue length to 30,000, as you can see in the following screen capture. In IIS, for the WSUS website, I added an additional HTTPS binding, port 443, set the hostname to wsus.domain.com, and bound the *.domain.com certificate to it. The following instructions configure a downstream server to synchronize to an upstream server that uses SSL. Application Pool Memory Configuration to display the current private memory limit and easily set it to any configurable amount, including 0 for unlimited. Manually run Windows Updates on the server in question and select the option to connect to Windows Updates online, which will bypass WSUS, then … At the top of the Start menu, right-click Command Prompt, and then click Run as administrator. If a computer attempts to retrieve update files on the HTTPS port, the transfer will fail. A client computer identifies itself as a member of a particular computer group when it sends information to the WSUS server. To do so, launch Internet Information Services.
The private key must be installed on the WSUS server, and the public key must be explicitly installed in the trusted certificate store on all client PCs and servers which are to receive custom-signed updates. WSUS integrated update and computer cleanup. Install the WSUS server role. Remove the WSUS Content folder wherever you had it previously installed (e.g. C:\WSUS or D:\WSUS). If the certificate is only imported to the Local User Trusted Root CA store, the downstream WSUS server will not be authenticated on the upstream server. Is this post related to WSUS SUP causes high CPU? When the self-signed certificate expires or nears expiration, WSUS will log events in the event log. Step 10: On the Web Server Role (IIS) page, click Next. Step 11: Leave all selections as default on the Role Services page and click Next. Step 12: Click Next on this screen. Step 13: On the Role Services page, make sure WID Database and WSUS Services are selected (they should be selected by default). Proxy. If you identified that WSUS needs to use a proxy server to have Internet access, you need to configure proxy settings in the WSUS server. This is a manual execution only. Right-click the computer names that you selected in the previous step, and then click Change Membership. If you begin detection manually, you do not have to wait 20 minutes for the client computer to contact WSUS. Click Enabled, and then select one of the following options under the Configure automatic updating setting: Notify for download and notify for install. On the Web Server (IIS) Role information page, read the information, then click Next to proceed. If there is a corporate firewall between WSUS and the Internet, you might have to configure that firewall to ensure WSUS can obtain updates.
For client computers that are configured with a domain-based Group Policy Object, it can take about 20 minutes for Group Policy to apply the new policy settings to the client computer. When you have all the site system roles on a single server, you should be very careful with the private memory limit setting of the WSUS application pool. Certificate Updates/Revocation. I was able to get our setup to just use a wildcard certificate, and port 443 only. If your company restricts access, you need to obtain authorization to allow Internet access from WSUS to the following list of URLs: For a scenario in which WSUS is failing to obtain updates due to firewall configurations, see article 885819 in the Microsoft Knowledge Base. If you have a proxy server on the network, you can configure WSUS to use the proxy server. Applies To: Windows Server 2019, Windows Server (Semi-Annual Channel), Windows Server 2016, Windows Server 2012 R2, Windows Server 2012. In the Group Policy Management Console (GPMC), browse to the GPO on which you want to configure WSUS, and then click Edit. By default, these ports are configured as follows: on WSUS 3.2 and earlier, port 80 for HTTP and 443 for HTTPS; on WSUS 6.2 and later (at least Windows Server 2012), port 8530 for HTTP and 8531 for HTTPS are used. This option lets local administrators use Automatic Updates in Control Panel to select a configuration option. This is the same way that Microsoft Update distributes updates. The servers will use port 443 for synchronization. Type wuauclt.exe /detectnow, and then press ENTER. Think your Private Memory Limit is missing a zero.
On the client computer, open a Command prompt window with elevated privileges. The default port number is 80. Note the information in the Windows Server Update Services page. In the details pane, double-click Configure Automatic Updates. In that case, my recommendation is NOT to set 0 as the private memory limit setting. WSUS upstream and downstream servers will synchronize on the port configured by the WSUS Administrator. Accomplishing this turned into a manual task that was very hard to either do by hand or automate successfully. Configure computer groups in this topic. Microsoft best practice WSUS database optimization and re-indexing. Shavlik does not provide support for Microsoft products such as Configuration Manager, WSUS, or IIS. By default, WSUS is configured to use Microsoft Update as the location from which to obtain updates. Microsoft already released a fix for the issue explained in KB 4039396. In this section, locate the parameter named Private Memory Limit (KB). Verify that the IIS ports configured in the site are the same as those configured on the WSUS IIS website. We need to open the IIS console and locate the Application Pools branch. Retain the default selection, or clear the check box, and then click Next. Because WSUS initiates all the network traffic, it is not necessary to configure Windows Firewall on the WSUS server.