Changes for page Windows Server Update Services (WSUS)
Last modified by Sebastian Marsching on 2022/05/30 12:44
From version 4.1
edited by Sebastian Marsching
on 2022/05/30 12:28
Change comment:
There is no comment for this version
To version 1.1
edited by Sebastian Marsching
on 2022/05/29 13:01
Change comment:
There is no comment for this version
Summary
Page properties (2 modified, 0 added, 0 removed)
Details
- Page properties
- Tags
... ... @@ -1,1 +1,0 @@ 1 -Windows - Content
-
... ... 
@@ -19,53 +19,3 @@ 19 19 In addition to the hints in that article, I found another trick: For me, the Server Cleanup Wizard was timing out when running the "Decline expired updates" action. I could fix this by running the `spDeclineExpiredUpdates` procedure from SQL Studio. I used "WUS Server" for the `adminName` parameter of this procedure. After that I ran the wizard again, and regenerated the indices. After doing this a few times, the wizard would finally complete without timing out. As always, make a backup of the `SUSDB` database before trying any of this. 20 20 21 21 My idea to run `spDeclineExpiredUpdates` was based on the ideas given in [this thread](https://social.technet.microsoft.com/Forums/windows/en-US/7b12f8b2-d0e6-4f63-a98a-019356183c29/getting-past-wsus-cleanup-wizard-time-out-removing-unnecessary-updates?forum=winserverwsus). 22 - 23 -# Optimizing IIS pool settings 24 - 25 -* Queue length: 2000 (default 1000, WAM recommends 25000) 26 -* Idle time-out (minutes): 0 (default 20) 27 -* Ping enabled: False (default True) 28 -* Private memory limit (KB): 0 (unlimited, default 4294967) 29 -* Regular Time Interval (minutes): 0 (default 1740) 30 - 31 -(see <https://docs.microsoft.com/en-us/troubleshoot/mem/configmgr/windows-server-update-services-best-practices>) 32 - 33 -# IIS site settings for TLS 34 - 35 -Configure TLS certificate for port 8531. 
After that, run 36 - 37 -```bat 38 -"%programfiles%\Update Services\Tools\WsusUtil.exe" configuressl <FQDN> 39 -``` 40 - 41 -Require SSL (SSL Settings => Require SSL) for the following endpoints: 42 - 43 -* ApiRemoting30 44 -* ClientWebService 45 -* DssAuthWebService 46 -* ServerSyncWebService 47 -* SimpleAuthWebService 48 - 49 -(see <https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/hh852346(v=ws.11)?redirectedfrom=MSDN#35-secure-wsus-with-the-secure-sockets-layer-protocol> and <https://www.ajtek.ca/wsus/how-to-setup-manage-and-maintain-wsus-part-7-ssl-setup-for-wsus-and-why-you-should-care/>) 50 - 51 -# Enabling compression 52 - 53 -Enable dynamic compression by running 54 - 55 -```bat 56 -cscript "%programfiles%\update services\setup\DynamicCompression.vbs" /enable "%programfiles%\Update Services\WebServices\suscomp.dll" 57 -``` 58 - 59 -# Importing updates into WSUS 60 - 61 - $wsus = Get-WsusServer 62 - $wsus.ImportUpdateFromCatalogSite('<Update ID>', '<Full path to update file>') 63 - 64 -(see https://www.windowspro.de/wolfgang-sommergut/updates-manuell-wsus-importieren-ie-powershell (in German)) 65 - 66 -Strong cryptography for the .NET Framework has to be enabled in order for this to work, but even then I somehow couldn’t make this method work, so I resorted to opening the Microsoft Update Catalog in Internet Explorer and directly importing the updates from there (that method worked for me). 67 - 68 -# Resources 69 - 70 -* WSUS Best Practices: <https://docs.microsoft.com/en-US/troubleshoot/mem/configmgr/windows-server-update-services-best-practices> 71 -* WSUS Maintenance: <https://docs.microsoft.com/en-US/troubleshoot/mem/configmgr/wsus-maintenance-guide>
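Review bot: The "IIS site settings for TLS" section (left-side lines 33-49) is missing the details needed to reproduce the setup. "Configure TLS certificate for port 8531" does not say where the certificate is bound, and nothing states that its name has to match the `<FQDN>` passed to `WsusUtil.exe configuressl`. Suggest spelling out both, and adding one line on how to confirm that the five endpoints listed under "Require SSL" really refuse plain HTTP afterwards. In "Optimizing IIS pool settings" (lines 23-31), the queue length is set to 2000 while the same bullet says "WAM recommends 25000"; either explain why the lower value was chosen or expand "WAM" so the reader can weigh the recommendation. In "Importing updates into WSUS" (lines 59-66), the two PowerShell lines are indented rather than fenced like the `bat` blocks above them, and "Strong cryptography for the .NET Framework has to be enabled" names no setting; since the text says this method did not work and the Internet Explorer import did, consider leading with the route that worked. Finally, the comparison runs from version 4.1 to version 1.1, so all of these sections show as removed here; with "There is no comment for this version" on both sides, a change comment would make the direction clear.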