Find the WSUS pool and choose the Advanced settings. You can use the Secure Sockets Layer (SSL) protocol to help secure the WSUS deployment. Install the WSUS server role. Enter a local or remote path to store updates. Local administrators cannot disable Automatic Updates. Otherwise, you should be careful about these settings. Choose all the classifications or a subset of them, and then click Next. If you use WSUS with a remote SQL Server database, the connection between the WSUS server and the database server is not secured by SSL. On the Choose Upstream Server page, there are two options: Synchronize the updates with Microsoft Update, or Synchronize from another Windows Server Update Services server. Click Enabled, and then, in the Set the intranet update service for detecting updates and Set the intranet statistics server text boxes, type the same URL of the WSUS server. In the Proxy server name text box, type the name of the proxy server. Clients and downstream servers that are configured to use Transport Layer Security (TLS) or HTTPS must also be configured to use a fully qualified domain name (FQDN) for their upstream WSUS server. To use SSL, select the Use SSL when synchronizing update information check box. WID is Windows Internal Database. Use the following options to modify the existing proxy server configuration: Select the check box for Use a proxy server when synchronizing. WSUS needs a database to store WSUS configuration and update metadata. Configure computer groups in this topic. Ensure that the IIS virtual directories (vDirs/web services) are set as shown below. After you have confirmed the security and had to make a change to it in IIS, remember to do an IISRESET. You must re-initialize ClientServicingProxy if the server name, SSL configuration, or port number has changed. Now that you have performed the basic WSUS configuration, read the next sections for more details about changing the settings by using the WSUS Management Console.
By default, Group Policy updates in the background every 90 minutes, with a random offset of 0-30 minutes. Deploy Internet Protocol security (IPsec) to help secure network traffic. Type the following command: wsusutil ConfigureSSLproxy <proxy_server> <proxy_port> -enable, where proxy_server is the name of the proxy server that supports HTTPS. The following is a summary of recommended changes, and a related screenshot. In that case, my recommendation is NOT to set 0 as the private memory limit setting. When you configure WSUS to use SSL, consider the following: You cannot configure the whole WSUS website to require SSL because all traffic to the WSUS site would have to be encrypted. In addition, a hash is computed and sent together with the metadata for each update. If you select the option Download updates only in these languages, and this server has a downstream WSUS server connected to it, this option will force the downstream server to also use only the selected languages. The support engineer was helpful, and she helped to set up the best practices for the IIS settings required for a remote WSUS/SUP. – A remote SUP site system role can be installed with WID connectivity. When the self-signed certificate expires or nears expiration, WSUS will log events in the event log. How to Open IIS WSUS Application Pool – Advanced Settings? If this has occurred, you must re-enable the anonymous read access before you can successfully install and operate WSUS. These requirements can be met by using one of the following configurations: A single proxy server that supports two protocol channels. The WSUS database can be local or a remote SQL Server 2008/2012 server. If you have only a WSUS/SUP role on a dedicated server like me, then you can set the private memory limit to 0. The certificate should be imported into the local computer Trusted Root CA store or into the Windows Server Update Service Trusted Root CA store.
This includes all client computers, downstream servers, and computers that run the WSUS Administration Console. Computer groups are an IMPORTANT part of Windows Server Update Services (WSUS) deployments. You can find the detailed information in this post. Use the following procedure to create a new group and assign a computer to this group: In the WSUS Administration Console, under Update Services, expand the WSUS server, expand Computers, right-click All Computers, and then click Add Computer Group. The private memory limit is set in KB. Anoop is a Microsoft MVP and Veeam Vanguard! In this case, one proxy server is configured to use HTTP, and the other proxy server is configured to use HTTPS. So, I was planning to have 30,000 clients under that SUP. After installing the prerequisites and configuring the variables for your environment (email settings only if you are accepting all the defaults), simply run:
.\Clean-WSUS.ps1 -FirstRun
If you wish to view or increase the Application Pool Memory Configuration, or run the Dirty Database Check, you must run it with the required switch. In an environment without Active Directory, use the Local Group Policy editor to configure Automatic Updates, and then point the client computers to the WSUS server. Some applications, notably Windows SharePoint Services, may remove anonymous access. On the WSUS server, open Internet Information Services (IIS) Manager. If you choose Synchronize automatically, the WSUS server will synchronize at set intervals. Use Internet Information Services (IIS) throttling to limit throttling to one or more web services. Because waiting for detection to start can be a time-consuming process, you can use the following procedure to initiate detection immediately. If the IIS website or application pool is not working properly, then client devices may have scan errors, or report an unknown scan status.
– Maximum number of requests that HTTP.sys will queue for the application pool. The correct config is likely not both, but the WSUS pool only. Do you have the name of the proxy server and the user credentials for the proxy server, if you need them? In Start Search, type Command prompt. The IIS and WSUS services must be stopped to prevent the database from being accessed while the Network Load Balancing (NLB) clusters are upgraded. On the Web Server (IIS) Role information page, read the information, then click Next to proceed. Comprehensive Windows Server Update Services (WSUS) configuration and optimization script. When the SUP is hosted on a remote server, then we can have a maximum of 150,000 clients for that SUP. This procedure assumes that you are using the WSUS Configuration Wizard, which appears the first time you launch the WSUS Management Console. In a simple environment, you might link a single WSUS GPO to the domain. Then click Next to proceed. Secure WSUS with the Secure Sockets Layer Protocol, Enabling Anonymous Authentication (IIS 6.0). So weird. A value of 0 means there is no limit. Checks to see if you have a dirty database, and if you do, fixes it. The following procedures assume that your network runs Active Directory. After you click Finish, the WSUS Management Console appears. Navigate to the %ProgramFiles%\Update Services\Tools\ folder. The default limit is set to 1843200 KB or 1.8 GB. The following section describes how to configure a corporate firewall that is positioned between WSUS and the Internet. WSUS Configuration Manager will not be able to configure WSUS Server "CMServerName.domain.local" as the WSUS Server remoting APIs of version 3.0 SP2 or greater are not installed on this site server. Scroll down to the Recycling section.
Keep Internet Information Services (IIS) Manager open for the next steps. Click Start, click All Programs, click Administrative Tools, and then click Windows Server Update Services. If you use the Local Publishing feature from a remote WSUS console, after you apply the update to your WSUS Server, the remote WSUS consoles must also be updated so that the API versions match. On the Specify Proxy Server page, select the Use a proxy server when synchronizing check box, and then type the proxy server name and port number (port 80 by default) in the corresponding boxes. Manually run Windows Updates on the server in question and select the option to connect to Windows Updates online, which will bypass WSUS, then … For client computers that are configured by using the Local Group Policy editor, the GPO is applied immediately, and the update takes about 20 minutes. Best Practices Related to IIS for SCCM SUP WSUS Setup.
* Make the following "Advanced Settings" for the WSUS Application Pool in IIS:
- Queue Length: 25000 from 10000
- Limit Interval (minutes): 15 from 5
- "Service Unavailable" Response: TcpLevel from HttpLevel
* Edit the web.config (C:\Program Files\Update Services\WebServices\ClientWebService\web.config) for WSUS (stop IIS first):
To add the proxy server that uses the HTTP protocol to the WSUS configuration, use the following procedure: In the left pane, expand the server name, and then click Options. Microsoft reduces the risk of sending update files over an unencrypted channel by signing each update. In the Set Computer Group Membership dialog box, select the test group that you created, and then click OK. WSUS Setup automatically configures IIS to distribute the latest version of Automatic Updates to each client computer that contacts the WSUS server. Click Options, and then click Update Source and Proxy Server.
Depending on the type of certificate that is used, you might have to set up a service to enable the client computers to trust the certificate that is bound to the WSUS server. So when troubleshooting updating issues, you need to check both the Software Update Point and WSUS, and lo and behold, the WSUS console kept on crashing. IIS configuration validation and optimization. WSUS integrated update and computer cleanup. We need to open the IIS console and locate the Application Pools branch. During the WSUS Configuration Wizard (discussed in the next section) do not specify a proxy server. If a computer attempts to retrieve update files on the HTTPS port, the transfer will fail. To determine the WSUS port settings in IIS 6.0: Under IIS Manager App – Expand Server name – Sites – WSUS … WSUS upstream and downstream servers will synchronize on the port configured by the WSUS Administrator. To achieve this you must change the following settings in the WSUS Application Pool. If you use any port other than 443 for HTTPS traffic, WSUS will send clear HTTP traffic over the port that numerically comes before the port for HTTPS. What is Queue Length? Use the WSUS Configuration Wizard to perform the base WSUS configuration. Select the appropriate product options for your deployment, and then click Next. If you wanted to update or revoke a certificate (i.e. Click OK to close the Configure Automatic Updates policy and return to the Windows Update details pane. WSUS is a local Windows Updates repository. I also have a video tutorial published several months back about the SCCM Software Update process. Internet Information Services (IIS) Manager → Server → Application Pools → Select “WSUSPool” → Actions Advanced → Recycling → change “Private Memory Limit (KB)“.
How can I force it to manually report to the WSUS … Think your Private Memory Limit is missing a zero. In the Command prompt window, go to the C:\Program Files\Update Services\Tools folder. Although the connection between Microsoft Update and WSUS requires ports 80 and 443 to be open, you can configure multiple WSUS servers to synchronize with a custom port. This is a manual execution only. An IIS worker process was using over 2 GB of RAM when the problem would occur. This option notifies a logged-on administrative user before you download and install the updates. However, the port that you set up for SSL also determines the port that WSUS uses to send clear HTTP traffic. Type the port number that the server uses for SSL connections into the Port number text box. The Choose Products page allows you to specify the products for which you want updates. Configure WSUS by using the WSUS Configuration Wizard, 2.5. On the Connect to Upstream Server page, click Start Connecting. This is primarily for Server 2012 WSUS, and is a manual execution only. The Windows Server Update Services Wizard opens. Two proxy servers, each of which supports a single protocol. In the GPMC, expand Computer Configuration, expand Policies, expand Administrative Templates, expand Windows Components, and then click Windows Update. In IIS, for the WSUS website, I added an additional https binding, port 443, and set the hostname to wsus.domain.com, and bound the *.domain.com certificate to it. If the Complete WSUS Installation dialog box appears, click Run. Read the instructions on the Join the Microsoft Update Improvement Program page and evaluate if you want to participate. Click Enabled, and then select one of the following options under the Configure automatic updating setting: Notify for download and notify for install. Use computer groups to control the rollout.
Removal of device drivers from the WSUS repository (greatly improves speed and reliability, and reduces the storage space needed). You must consider the following limitations when you use SSL to secure a WSUS deployment: Using SSL increases the server workload. Remove the WSUS Content folder wherever you had it previously installed (e.g. Creation of daily and weekly optimization scheduled tasks. Or you can create and apply the GPO to a specific OU (containing your computers). In IIS Manager on the WSUS server, go to Sites > WSUS Administration. When you have the answers for these questions, you can start configuring the following WSUS network settings: Updates: Specify the way this server will obtain updates (from Microsoft Update or from another WSUS server). When you configure SSL on client computers, you should consider the following issues: You must include a URL for a secure port on the WSUS server.
* Make the following "Advanced Settings" for the WSUS Application Pool in IIS:
- Queue Length: 25000 from 1000
- Limit Interval (minutes): 15 from 5
- "Service Unavailable" Response: TcpLevel from HttpLevel
* (Stop IIS first) Edit the web.config (C:\Program Files\Update Services\WebServices\ClientWebService\web.config) for WSUS:
Expiration. Application Pool Memory Configuration to display the current private memory limit and easily set it to any configurable amount, including 0 for unlimited. Now our next step is to change the Bindings and assign a different port number to the HTTP connection for WSUS, so that the clients are unable to scan against it, thereby freeing up the memory for us. Enabling Anonymous Authentication (IIS 6.0), as documented in the IIS 6.0 Operations Guide. For a local database it will use Windows Internal Database (WID), which is a limited version of SQL Express that doesn’t have a GUI or management interface.
In the Windows Update details pane, double-click Specify intranet Microsoft update service location. DESCRIPTION: Comprehensive Windows Server Update Services (WSUS) configuration and optimization script. If you want to enable basic authentication for the user who is connecting to the proxy server, select the Allow basic authentication (password is sent in cleartext) check box. Select the Use SSL when synchronizing update information check box, and then click OK. Go to Start, type CMD, right-click Command prompt, and then click Run as administrator. For example, they can choose a scheduled installation time. Configure the WSUS web services to require SSL. Click Next if you want to read more about additional settings, or you can click Finish to conclude this wizard and finish the initial WSUS setup. Log on to the WSUS server by using an account that is a member of the WSUS Administrators group or the local Administrators group. This setting indicates to the WSUS server which group the client computer will use. How to Configure the IIS WSUS Application Pool? The client computers must trust the certificate that you bind to the WSUS server. The steps below show how to configure IIS on the WSUS server to use SSL. You can create as many custom computer groups as you need to manage updates in your organization. If you face trouble in setting up these prerequisites for installing the Shavlik Patch plugin, it would be best to work directly with Microsoft support. Configure the cluster network by using the Network Configuration Wizard. Expand the WSUS Administration site so you see the list of web services and virtual directories for WSUS. You can create the Group Policy and apply it at the domain level. If there is a corporate firewall between WSUS and the Internet, you might have to configure that firewall to ensure WSUS can obtain updates.
If the status is set to Enabled, this computer will identify itself as a member of a particular computer group when it sends information to the WSUS server, which uses it to determine which updates are deployed to this computer. The following checklist summarizes the steps involved in performing the initial configuration for your WSUS server. In the Proxy port number text box, type the port number of the proxy server. For more information about IPsec, see Creating and Using IPsec Policies. Great article, I refer back to this when setting up new SUPs even though I’ve done it a few times and have a fair idea what I’m doing, just to refresh my memory. This is the same way that Microsoft Update distributes updates. This post will help you get some details about a couple of Best Practices Related to IIS for SCCM SUP WSUS Setup. Then click Next. You should require SSL for the following virtual roots only: You should not require SSL for the following virtual roots: The certificate of the certification authority (CA) must be imported into the local computer Trusted Root CA store, or the Windows Server Update Service Trusted Root CA store on downstream WSUS servers. A client computer identifies itself as a member of a particular computer group when it sends information to the WSUS server. The HTTP port setting is displayed in TCP port, and the HTTPS port setting is displayed in SSL port. I'll see if I can locate any related event logs, but not real sure what I would be looking for, if it would be WSUS side or IIS side. IIS crashing, so thinking IIS … Retain the default selection, or clear the check box, and then click Next. Certificate Updates/Revocation.
By default, anonymous read access is enabled for the default and all new IIS websites. (Make sure that this server and the upstream server support SSL.) If you have a proxy server on the network, you can configure WSUS to use the proxy server. For example, if you specify that there should be four synchronizations per day, starting at 3:00 A.M., synchronizations will occur at 3:00 A.M., 9:00 A.M., 3:00 P.M., and 9:00 P.M. After selecting the appropriate synchronization options for your deployment, click Next to continue. WSUS can automatically sign these custom update packages for you with an Authenticode certificate. Click the Web Site tab. By default, these ports are configured as follows: On WSUS 3.2 and earlier, port 80 for HTTP and 443 for HTTPS. On WSUS 6.2 and later (at least Windows Server 2012), port 8530 for HTTP and 8531 for HTTPS are used. Windows clients "pull" updates from WSUS. Microsoft best practice WSUS database optimization and re-indexing. Because WSUS initiates all the network traffic, it is not necessary to configure Windows Firewall on the WSUS server. No, this post is not related to the issue which caused high CPU usage for WSUS servers. The default port number is 80. Just a note, in your screenshots you’ve changed “Service Unavailable” Response Type to TcpLevel, but you haven’t actually mentioned doing it in the text anywhere. For more information about how to use SSL certificates in IIS, see Require Secure Sockets Layer (IIS 7). Select your server from the server pool. In the Complete WSUS Installation dialog box, click Close when the installation successfully finishes. If the proxy server supports basic authentication, select the Allow basic authentication (password is sent in cleartext) check box. Then click Next.
Click OK to close the Enable client-side targeting policy and return to the Windows Update details pane. Select Enable client-side targeting, select Enabled, and then type the name of the WSUS computer group to which you want to add this computer in the Target group name for this computer box. In the details pane, double-click Configure Automatic Updates. This option lets local administrators use Automatic Updates in Control Panel to select a configuration option. On the Choose Classifications page, select the update classifications that you want to obtain. The default ports are the same as those specified in the preceding section, Connection between WSUS servers, and the firewall on the WSUS server must also be configured to allow inbound traffic on these ports. You must create the group on the WSUS server, and add domain-member computers to that group. Computer groups permit you to test and target updates to specific computers. WSUS encrypts update metadata only. Applies To: Windows Server 2019, Windows Server (Semi-Annual Channel), Windows Server 2016, Windows Server 2012 R2, Windows Server 2012. After selecting the appropriate language options for your deployment, click Next to continue. To do so, launch Internet Information Services. C:\WSUS or D:\WSUS). Restart the server. We recommend that you create a new GPO that contains only WSUS settings. For more information and for instructions about how to install certificates and set up this environment, see the following topics: Implementing and Administering Certificate Templates, Active Directory Certificate Services Upgrade and Migration Guide. Accomplishing this turned into a manual task that was very hard to either do by hand or automate successfully.
In addition to NTFS permissions occasionally being incorrectly set for WSUS, from time to time we find IIS permissions being incorrect or out of sync. W2016 Standard, WSUS 10.0.14393.2007, IIS 10. Edited the already present MIME type in IIS – .ESD – at the top of the App pool tree & WSUS pool. By default, WSUS is configured to use Microsoft Update as the location from which to obtain updates. This’ll improve WSUS availability. Note the information in the Windows Server Update Services page. Type wuauclt.exe /detectnow, and then press ENTER. For example, type http://servername in both boxes (where servername is the name of the WSUS server).