You can use the Secure Sockets Layer (SSL) protocol to help secure the WSUS deployment. WSUS requires two ports for SSL: one port that uses HTTPS to send encrypted metadata, and one port that uses HTTP to send the update files. If a computer attempts to retrieve update files on the HTTPS port, the transfer will fail. Because you cannot require SSL on the whole WSUS server (the virtual roots that serve update content must stay on plain HTTP), the only way to make sure that client computers use a secure channel is to give them a URL that specifies HTTPS. If you use any port other than 443 for SSL, you must include that port in the URL as well. For more information about how to use SSL certificates in IIS, see Require Secure Sockets Layer (IIS 7). In the Command prompt window, type the following command, where certificateName is the DNS name of the WSUS server:

To enable custom update signing, you must install a package signing certificate on your WSUS server.

Before configuring synchronization, answer these questions: Can this computer connect to the upstream server (such as the server that is designated to download updates from Microsoft Update)? Do you have the name of the proxy server and the user credentials for the proxy server, if you need them? If the corporate network uses proxy servers, the proxy servers must support the HTTP and SSL protocols and use either basic authentication or Windows authentication.

The Group Policy settings described here are used to make client computers obtain automatic updates from Windows Server Update Services (WSUS). On the Web Server (IIS) Role information page, read the information, then click Next to proceed. Configure the cluster network by using the Network Configuration Wizard.

The support engineer was helpful, and she helped to set up the best practices for IIS settings required for a remote WSUS/SUP. If WSUS/SUP is the only role on a dedicated server, you can set the private memory limit of the WSUS application pool to 0 (no limit); this improves WSUS availability because the pool no longer recycles, and drops in-flight client requests, every time it crosses the memory cap. To do so, launch Internet Information Services (IIS) Manager and expand the WSUS Administration site so you see the list of web services and virtual directories for WSUS.
Log on to the computer by using a user account that is a member of the local Administrators group or the WSUS Administrators group. At the top of the Start menu, right-click Command Prompt, and then click Run as administrator.

To change the private memory limit of the WSUS application pool: in Internet Information Services (IIS) Manager, expand the server name, then Sites, then the WSUS site (on older IIS versions, expand Web Sites, right-click the website for the WSUS server, and then click Properties). Select Application Pools, select WSUSPool, and click Advanced Settings in the Actions pane. Scroll down to the Recycling section and locate the parameter named Private Memory Limit (KB).

For more information and for instructions about how to install certificates and set up this environment, see the following topics: Implementing and Administering Certificate Templates, and the Active Directory Certificate Services Upgrade and Migration Guide.

In the Windows Update details pane, double-click Specify intranet Microsoft update service location. When this policy is applied, local administrators cannot disable Automatic Updates.

In the WSUS Configuration Wizard: after selecting the appropriate language options for your deployment, click Next to continue. Select the appropriate product options for your deployment, and then click Next. On the Update Source page, select Synchronize from another Windows Server Update Services server. Use the following options to modify the existing proxy server configuration: select the check box for Use a proxy server when synchronizing. Set the time for the First synchronization, and then specify the number of Synchronizations per day that you want this server to perform.

Create computer groups in the WSUS administration console to manage updates in your organization; this topic describes how to configure them.

Comprehensive Windows Server Update Services (WSUS) configuration and optimization script.
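The application-pool changes walked through above (Private Memory Limit, the request queue and the "Service Unavailable" response type) can be applied and verified from PowerShell instead of IIS Manager. This is an added example, not code from the original post; it assumes the default pool name WsusPool and the WebAdministration module that ships with IIS, and the 2000-request queue length and the 4 GB cap for the shared-server case are assumed values, not figures from the page.

```powershell
# Added example (not from the original page): tune the WSUS application pool
# from an elevated PowerShell session on the WSUS server.
Import-Module WebAdministration

$poolName = 'WsusPool'                       # default WSUS pool name
$pool     = "IIS:\AppPools\$poolName"
if (-not (Test-Path $pool)) { throw "Application pool '$poolName' not found" }

# Read the current values so the change is auditable.
function Get-WsusPoolSettings {
    Get-ItemProperty -Path $pool |
        Select-Object @{n='PrivateMemoryKB';            e={ $_.recycling.periodicRestart.privateMemory }},
                      @{n='QueueLength';                e={ $_.queueLength }},
                      @{n='ServiceUnavailableResponse'; e={ $_.failure.loadBalancerCapabilities }}
}
Write-Output 'Before:'; Get-WsusPoolSettings

# Private Memory Limit (KB): 0 means "no limit". Only appropriate when WSUS/SUP
# is the sole role on the box; on a shared site-system server keep a cap so a
# runaway worker process cannot starve the other roles (4 GB is an assumed value).
$dedicatedServer = $true
$privateMemoryKb = if ($dedicatedServer) { 0 } else { 4 * 1024 * 1024 }
Set-ItemProperty -Path $pool -Name recycling.periodicRestart.privateMemory -Value $privateMemoryKb

# Queue Length: requests beyond this number get a 503 "Service Unavailable".
# 2000 is an assumed value (the IIS default is 1000).
Set-ItemProperty -Path $pool -Name queueLength -Value 2000

# "Service Unavailable" Response Type: TcpLevel resets the connection instead
# of returning an HTTP 503 page (the setting visible in the post's screenshots).
Set-ItemProperty -Path $pool -Name failure.loadBalancerCapabilities -Value 'TcpLevel'

# Recycle so the new limits take effect, then read the values back.
Restart-WebAppPool -Name $poolName
Write-Output 'After:'; Get-WsusPoolSettings
```

Keep the "Before" output with the change record: if client scans start failing after a recycle, the private memory value is the first thing to compare.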
By default, these ports are configured as follows: on WSUS 3.2 and earlier, port 80 for HTTP and port 443 for HTTPS; on WSUS 6.2 and later (Windows Server 2012 and later), port 8530 for HTTP and port 8531 for HTTPS. Although the connection between Microsoft Update and WSUS requires ports 80 and 443 to be open, you can configure multiple WSUS servers to synchronize with a custom port.

WSUS encrypts update metadata only. You should require SSL for some of the WSUS virtual roots only (the web services that carry metadata and authentication), and you should not require SSL for the others (the virtual roots that serve update content). The certificate of the certification authority (CA) must be imported into the local computer Trusted Root CA store, or into the Windows Server Update Service Trusted Root CA store on downstream WSUS servers. The IIS and WSUS services must be stopped to prevent the database from being accessed while the Network Load Balancing (NLB) clusters are upgraded.

When you have all the site system roles on a single server, you should be very careful with the private memory limit setting of the WSUS application pool. The following is a summary of recommended changes, and a related screenshot.

To enable anonymous read access, follow the steps for the applicable version of IIS: Enable Anonymous Authentication (IIS 7), as documented in the IIS 7 Operations Guide.

Configure WSUS by using the WSUS Configuration Wizard. 2.5. Configure the WSUS web services to require SSL. Windows Server Update Services wizard: Select Role Services to install WSUS. Click OK to close the Enable client-side targeting policy and return to the Windows Update details pane.

The script checks to see if you have a dirty database and, if you do, fixes it. It also performs Microsoft best-practice WSUS database optimization and re-indexing.

His main focus is on device management technologies like SCCM 2012, Current Branch, and Intune.

Just a note, in your screenshots you've changed "Service Unavailable" Response Type to TcpLevel, but you haven't actually mentioned doing it in the text anywhere.
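The two SSL statements above (require SSL on some virtual roots only, and run the wsusutil configuressl command with the server's DNS name) together make up the server side of the setup. The following is an added example, not code from the original page: it sets the SSL requirement per virtual root, reads the result back, and registers the server name with WSUS. The virtual-root lists follow Microsoft's guidance for configuring SSL on WSUS; the site name "WSUS Administration" is the IIS default, and wsus.contoso.com is an assumed server name.

```powershell
# Added example (not from the original page): require SSL on the WSUS metadata
# and authentication web services, keep the content roots on plain HTTP, and
# tell WSUS its DNS name. Run elevated on the WSUS server.
Import-Module WebAdministration

$site     = 'WSUS Administration'   # default WSUS site name in IIS
$wsusFqdn = 'wsus.contoso.com'      # assumed; must match the certificate subject/SAN

# Metadata and authentication web services: require SSL.
$requireSsl = 'APIRemoting30', 'ClientWebService', 'DSSAuthWebService',
              'ServerSyncWebService', 'SimpleAuthWebService'
# Update content, self-update, inventory and reporting: must stay plain HTTP,
# otherwise clients cannot fetch update files. This is why SSL cannot be
# required on the whole site.
$noSsl = 'Content', 'Inventory', 'ReportingWebService', 'SelfUpdate'

function Set-WsusRootSsl {
    param([string]$Root, [string]$Flags)   # $Flags is 'Ssl' or 'None'
    if (-not (Test-Path "IIS:\Sites\$site\$Root")) {
        Write-Warning "$Root not present under '$site', skipping"
        return
    }
    Set-WebConfigurationProperty -PSPath 'MACHINE/WEBROOT/APPHOST' -Location "$site/$Root" `
        -Filter 'system.webServer/security/access' -Name sslFlags -Value $Flags
}

foreach ($r in $requireSsl) { Set-WsusRootSsl -Root $r -Flags 'Ssl' }
foreach ($r in $noSsl)      { Set-WsusRootSsl -Root $r -Flags 'None' }

# Read back every root and fail loudly on a mismatch.
foreach ($r in $requireSsl + $noSsl) {
    if (-not (Test-Path "IIS:\Sites\$site\$r")) { continue }
    $flags = (Get-WebConfigurationProperty -PSPath 'MACHINE/WEBROOT/APPHOST' -Location "$site/$r" `
                -Filter 'system.webServer/security/access' -Name sslFlags).Value
    $expected = if ($requireSsl -contains $r) { 'Ssl' } else { 'None' }
    if ("$flags" -ne $expected) { throw "$r has sslFlags=$flags, expected $expected" }
    '{0,-22} sslFlags={1}' -f $r, $flags
}

# The HTTPS binding (8531 on Server 2012 and later) must exist and carry the certificate.
Get-WebBinding -Name $site -Protocol https

# wsusutil configuressl certificateName: makes WSUS hand out HTTPS URLs for its
# own DNS name. certificateName is the DNS name, not the certificate file.
& "$env:ProgramFiles\Update Services\Tools\WsusUtil.exe" configuressl $wsusFqdn
```

If the Get-WebBinding call prints nothing, add the HTTPS binding and assign the certificate before running configuressl; otherwise clients will be told to use an HTTPS URL that nothing is listening on.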
If the proxy server supports basic authentication, select the Allow basic authentication (password is sent in cleartext) check box. Prefer Windows authentication where the proxy supports it, because basic authentication sends the credentials unencrypted on every request.

The firewall on the WSUS server must be configured to allow inbound traffic on these ports. If you use any port other than 443 for HTTPS traffic, WSUS will send clear HTTP traffic over the port that numerically comes before the port for HTTPS (for example, HTTPS on 8531 means HTTP on 8530). Every computer that communicates with the WSUS server over SSL must trust the server certificate. This includes all client computers, downstream servers, and computers that run the WSUS Administration Console.

In IIS, for the wsus website, I added an additional https binding, port 443, and set the hostname to wsus.domain.com, and bound the *.domain.com certificate to it.

When the queue is full, new requests receive a 503 "Service Unavailable" response.

If you have set up Active Directory in your network, you can configure one or multiple computers simultaneously by including them in a Group Policy Object (GPO), and then configuring that GPO with WSUS settings. The client-side targeting setting indicates to the WSUS server which computer group the client computer will use. Allow local admin to choose setting. Use the following procedures to configure Automatic Updates for client computers: Step 4: Configure Group Policy Settings for Automatic Updates, 2.3.

By default, anonymous read access is enabled for the default and all new IIS websites.

The Choose Products page allows you to specify the products for which you want updates. If your server requires a proxy server to connect to the Internet, check Use a proxy server when synchronizing, then enter the details of the proxy server and click Next. To configure this WSUS server to download updates directly from Microsoft, accept the default option, Synchronize from Microsoft Update, then click Next. After you click Finish, the WSUS Management Console appears.

There are several considerations associated with custom update signing.

WSUS is a local Windows Updates repository.

Many thanks for the contribution.
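The requirements stated above (inbound firewall rules on both ports, metadata over HTTPS, content over HTTP only, and a server certificate that every client trusts) can be checked from a client before Group Policy is rolled out. The following is an added example, not code from the original page, to run on a client computer or downstream server; wsus.contoso.com and ports 8530/8531 are assumptions (use 80/443 for WSUS 3.2 or whatever custom binding you configured).

```powershell
# Added example (not from the original page): verify the network path from a
# client to the WSUS server as this section describes it.
$wsus      = 'wsus.contoso.com'   # assumed server name
$httpPort  = 8530                 # HTTP: update content, self-update
$httpsPort = 8531                 # HTTPS: encrypted metadata

# 1. TCP reachability on both ports (inbound firewall rules on the WSUS server).
foreach ($port in $httpPort, $httpsPort) {
    $ok = (Test-NetConnection -ComputerName $wsus -Port $port -WarningAction SilentlyContinue).TcpTestSucceeded
    '{0}:{1,-5} reachable = {2}' -f $wsus, $port, $ok
}

# 2. The metadata web service must answer over HTTPS. Update files are only
# served on the HTTP port; a client that asks for them over HTTPS fails.
$metadataUrl = "https://${wsus}:${httpsPort}/ClientWebService/client.asmx"
try {
    $resp = Invoke-WebRequest -Uri $metadataUrl -UseBasicParsing -TimeoutSec 15
    "ClientWebService over HTTPS: HTTP $($resp.StatusCode)"
} catch {
    Write-Warning "ClientWebService over HTTPS failed: $($_.Exception.Message)"
}

# 3. Certificate chain: the issuing CA must be in this computer's Trusted Root
# store. Capture the validation verdict instead of letting the handshake throw.
$script:sslErrors = $null
$callback = [System.Net.Security.RemoteCertificateValidationCallback]{
    param($sender, $cert, $chain, $errors)
    $script:sslErrors = $errors
    $true   # accept so the certificate can be inspected; the verdict is printed below
}
$tcp = New-Object System.Net.Sockets.TcpClient($wsus, $httpsPort)
$ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, $callback)
try {
    $ssl.AuthenticateAsClient($wsus)
    $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
    "Subject : $($cert.Subject)"
    "Issuer  : $($cert.Issuer)"
    "Expires : $($cert.NotAfter)"
    "Chain   : $script:sslErrors"   # 'None' means chain and host-name checks both passed
    $rootMatch = Get-ChildItem Cert:\LocalMachine\Root | Where-Object { $_.Subject -eq $cert.Issuer }
    if ($rootMatch) { 'Issuer is in the local Trusted Root CA store' }
    else { Write-Warning 'Issuer not found in Cert:\LocalMachine\Root (intermediate CA, or CA not yet distributed)' }
} finally {
    $ssl.Dispose(); $tcp.Dispose()
}
```

A "RemoteCertificateNameMismatch" verdict means the client is using a name (short name or alias) that is not in the certificate; the URL in the policy must use the same DNS name that was passed to wsusutil configuressl.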
My server had more RAM available, so the solution was to raise the amount of memory available to IIS. Recently, I deployed Windows Server Update Services on a new Windows Server 2019 – Server Core install, and experienced this issue during the first synchronization.

Otherwise, you should be careful about this setting.

Use the WSUS Configuration Wizard to perform the base WSUS configuration. Note the information in the Windows Server Update Services page. After selecting the proper options for your deployment, click Next to proceed. If this is a replica server, select the This is a replica of the upstream server check box, then click Next. If you do not select the initial synchronization option, you need to use the WSUS Management Console to perform the initial synchronization. The servers will use port 443 for synchronization.

To set up two proxy servers, each of which will handle one protocol for WSUS, use the following procedure: log on to the computer that is to be the WSUS server by using an account that is a member of the local Administrators group. The default proxy port number is 80.

You should expect a 10 percent loss of performance because of the cost of encrypting all the metadata that is sent over the network. If you use WSUS with a remote SQL Server database, the connection between the WSUS server and the database server is not secured by SSL; secure that link separately (for example with IPsec) rather than assuming the WSUS SSL configuration covers it.

Click Enabled, and then select one of the following options under the Configure automatic updating setting: Notify for download and notify for install. When you type the intranet address of your WSUS server, make sure to specify which port is going to be used. If you want to update Group Policy sooner, you can open a Command prompt window on the client computer and type gpupdate /force.

Certificate Distribution. after discovering that it expired), WSUS offered no functionality to enable this.

If you face trouble in setting up these prerequisites to installing the Shavlik Patch plugin, it would be best to work directly with Microsoft support.
This option lets local administrators use Automatic Updates in Control Panel to select a configuration option.

Deploy Internet Protocol security (IPsec) to help secure network traffic.

Before you start the configuration process, be sure that you know the answers to the following questions: Is the server's firewall configured to allow clients to access the server? When you have the answers for these questions, you can start configuring the following WSUS network settings: Updates: specify the way this server will obtain updates (from Microsoft Update or from another WSUS server). Then click Next to proceed.

Private Memory Limit (KB) is the maximum amount of private memory a worker process can consume before causing the application pool to recycle.

If there is a corporate firewall between WSUS and the Internet, you might have to configure the firewall to ensure that WSUS can obtain updates. Although most corporate firewalls allow this type of traffic, some companies restrict Internet access from their servers because of the company's security policies. You can set up one proxy server that handles both protocols for WSUS during the WSUS server software installation.

You can create as many custom computer groups as you need to manage updates in your organization. You must create the group on the WSUS server, and add domain-member computers to that group. In the Group Policy Management Console (GPMC), browse to the GPO on which you want to configure WSUS, and then click Edit. Link this WSUS GPO to an Active Directory container that is appropriate for your environment.

When the self-signed certificate expires or nears expiration, WSUS will log events in the event log.

He is a Solution Architect on enterprise client management with more than 17 years of experience in IT (as of 2018).

Think your Private Memory Limit is missing a zero.
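The Group Policy settings described in this section (Specify intranet Microsoft update service location with the port in the URL, Enable client-side targeting, and Configure Automatic Updates) land in a small set of registry values on the client. The following is an added example, not code from the original page: it writes those values directly on a test client so the combination can be checked before it is deployed through a GPO, and it refuses a URL that is not HTTPS or that silently falls back to port 443. The URL, port and group name are assumptions; the AUOptions values are the standard ones for this policy.

```powershell
# Added example (not from the original page): the registry values behind the
# WSUS client policies, applied to one test client. Run elevated.
$wsusUrl     = 'https://wsus.contoso.com:8531'   # assumed server and port
$targetGroup = 'Pilot'                           # assumed computer group; must exist on the server
$auOption    = 4   # 2 = notify download and install, 3 = auto download, notify install,
                   # 4 = auto download and schedule install, 5 = allow local admin to choose

# The URL must use HTTPS (nothing else gives the client a secure channel) and
# must carry the port unless the server really listens on 443.
$uri = [Uri]$wsusUrl
if ($uri.Scheme -ne 'https') { throw "Use an https:// URL for WSUS, got '$($uri.Scheme)'" }
if ($uri.IsDefaultPort) {
    Write-Warning 'No port in the URL: WSUS on Windows Server 2012 and later listens on 8531 for HTTPS, not 443'
}

$wu = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
$au = Join-Path $wu 'AU'
New-Item -Path $au -Force | Out-Null

# Specify intranet Microsoft update service location: both values, with the port.
Set-ItemProperty -Path $wu -Name WUServer       -Value $wsusUrl -Type String
Set-ItemProperty -Path $wu -Name WUStatusServer -Value $wsusUrl -Type String

# Enable client-side targeting: tells the WSUS server which computer group
# this client belongs to.
Set-ItemProperty -Path $wu -Name TargetGroupEnabled -Value 1            -Type DWord
Set-ItemProperty -Path $wu -Name TargetGroup        -Value $targetGroup -Type String

# Configure Automatic Updates, and make the agent use the intranet server.
Set-ItemProperty -Path $au -Name NoAutoUpdate -Value 0         -Type DWord
Set-ItemProperty -Path $au -Name AUOptions    -Value $auOption -Type DWord
Set-ItemProperty -Path $au -Name UseWUServer  -Value 1         -Type DWord

# Read back the effective values, then ask the agent to run a detection now.
Get-ItemProperty -Path $wu | Select-Object WUServer, WUStatusServer, TargetGroupEnabled, TargetGroup
Get-ItemProperty -Path $au | Select-Object AUOptions, UseWUServer, NoAutoUpdate
(New-Object -ComObject Microsoft.Update.AutoUpdate).DetectNow()
```

Once the test client appears in the right computer group in the WSUS console, put the same settings into the GPO and link it; the direct registry values are overwritten by the policy on the next Group Policy refresh.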
The best way to configure Automatic Updates depends on the network environment.

In addition to NTFS permissions occasionally being incorrectly set for WSUS, from time to time we find IIS permissions being incorrect or out of sync.

These settings are found in IIS Manager > Application Pools > choose WsusPool, and then click the Advanced Settings link in the right-hand pane of IIS Manager.

This is a manual execution only.