Changes for page Windows Server Update Services (WSUS)
Last modified by Sebastian Marsching on 2025/10/22 21:45

From version 5.5, edited by Sebastian Marsching on 2025/10/22 21:41
Change comment: There is no comment for this version

To version 1.2, edited by Sebastian Marsching on 2022/05/29 13:01
Change comment: Added tag [Windows]

Summary: Page properties (1 modified, 0 added, 0 removed)
Details: Page properties - Content
@@ -19,110 +19,3 @@ 19 19 In addition to the hints in that article, I found another trick: For me, the Server Cleanup Wizard was timing out when running the "Decline expired updates" action. I could fix this by running the `spDeclineExpiredUpdates` procedure from SQL Studio. I used "WUS Server" for the `adminName` parameter of this procedure. After that I ran the wizard again, and regenerated the indices. After doing this a few times, the wizard would finally complete without timing out. As always, make a backup of the `SUSDB` database before trying any of this. 20 20 21 21 My idea to run `spDeclineExpiredUpdates` was based on the ideas given in [this thread](https://social.technet.microsoft.com/Forums/windows/en-US/7b12f8b2-d0e6-4f63-a98a-019356183c29/getting-past-wsus-cleanup-wizard-time-out-removing-unnecessary-updates?forum=winserverwsus). 22 - 23 -# Optimizing IIS pool settings 24 - 25 -* Queue length: 2000 (default 1000, WAM recommends 25000) 26 -* Idle time-out (minutes): 0 (default 20) 27 -* Ping enabled: False (default True) 28 -* Private memory limit (KB): 0 (unlimited, default 4294967) 29 -* Regular Time Interval (minutes): 0 (default 1740) 30 - 31 -(see <https://docs.microsoft.com/en-us/troubleshoot/mem/configmgr/windows-server-update-services-best-practices>) 32 - 33 -# IIS site settings for TLS 34 - 35 -Configure TLS certificate for port 8531. 
After that, run 36 - 37 -```bat 38 -"%programfiles%\Update Services\Tools\WsusUtil.exe" configuressl <FQDN> 39 -``` 40 - 41 -Require SSL (SSL Settings => Require SSL) for the following endpoints: 42 - 43 -* ApiRemoting30 44 -* ClientWebService 45 -* DssAuthWebService 46 -* ServerSyncWebService 47 -* SimpleAuthWebService 48 - 49 -(see <https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/hh852346(v=ws.11)?redirectedfrom=MSDN#35-secure-wsus-with-the-secure-sockets-layer-protocol> and <https://www.ajtek.ca/wsus/how-to-setup-manage-and-maintain-wsus-part-7-ssl-setup-for-wsus-and-why-you-should-care/>) 50 - 51 -# Enabling compression 52 - 53 -Enable dynamic compression by running 54 - 55 -```bat 56 -cscript "%programfiles%\update services\setup\DynamicCompression.vbs" /enable "%programfiles%\Update Services\WebServices\suscomp.dll" 57 -``` 58 - 59 -# Importing updates into WSUS 60 - 61 - $wsus = Get-WsusServer 62 - $wsus.ImportUpdateFromCatalogSite('<Update ID>', '<Full path to update file>') 63 - 64 -(see <https://www.windowspro.de/wolfgang-sommergut/updates-manuell-wsus-importieren-ie-powershell> (in German)) 65 - 66 -Strong cryptography for the .NET Framework has to be enabled in order for this to work, but even then I somehow couldn’t make this method work, so I resorted to opening the Microsoft Update Catalog in Internet Explorer and directly importing the updates from there (that method worked for me). 67 - 68 -# Selecting the products to be synchronized 69 - 70 -Obviously, this strongly depends on which software is used in the environment, so this list applies to me, but for other environments you will probably have to adapt it. 71 - 72 -**WSUS products that should be synchronized:** 73 - 74 -* “Developer Tools, Runtimes, and Redistributables” (incl. 
sub-products, for .NET framework and VS runtime updates not included in the Windows product) 75 -* “Microsoft Defender Antivirus” (if you are not using a third-party anti-virus software on all syste,s) 76 -* “Microsoft Server operating system-21H2” (for Windows Server 2022 updates) 77 -* “Windows 10, version 1903 and later” (for Windows 10 updates) 78 - 79 -**Additional WSUS products that might be useful:** 80 - 81 -* “Microsoft SQL Server Management Studio v18” 82 -* “Windows Server, version 1903 and later” (it contains the Malicious Software Removal Tool for Windows Server 2022, which is not included in the “Microsoft Server operating system-21H2” product, but the same removal tool is included in the “Windows 10, version 1903 and later” product, so including one of the two is sufficient) 83 -* “Windows Dictionary Updates” (though it seems there are not any recent updates in this product) 84 -* “Windows Server Manager - Windows Server Update Services (WSUS) Dynamic Installer” (it does not contain any recent updates, so it is a bit unclear whether this product is still used to distribute updates for WSUS, but it does not contain a lot of updates either, so synchronizing it probably won’t hurt) 85 -* “Windows Admin Center” 86 -* “Windows Subsystem for Linux” 87 - 88 -**Driver products:** 89 -(in general, it is a bad idea to synchronize those, unless you are using WSUS Automated Maintenance, which will delete all the driver updates that are synced initially, that only new drivers will appear) 90 - 91 -* “Windows - Client, version 21H2 and later, Servicing Drivers” 92 -* “Windows - Client, version 21H2 and later, Upgrade & Servicing Drivers” 93 -* “Windows - Server, version 21H2 and later, Servicing Drivers” 94 -* “Windows - Server, version 21H2 and later, Upgrade & Servicing Drivers” 95 -* “Windows 10, version 1903 and later, Servicing Drivers” 96 -* “Windows 10, version 1903 and later, Upgrade & Servicing Drivers” 97 - 98 -**Products that are most likely not 
needed:** 99 - 100 -* “PowerShell - x64” (only needed when using PowerShell Core, not for Windows PowerShell, and we can get PowerShell Core as MSI packages as well, so distributing updates this way probably makes more sense) 101 -* “Microsoft Edge” (seems like this is not needed and Edge is going to be kept up-to-date even if we do not synchronize this product) 102 -* “Dynamic Updates” (and GDR-DU, they are only intended for inclusion in installation images) 103 -* “Windows 10 Feature On Demand” (only contains old stuff, that we probably don’t need anyway) 104 -* “Windows 10 Language Interface Packs” and “Windows 10 Language Packs” (only contain language packs for old versions of Windows 10) 105 -* “Windows 10” (updates for older versions of Windows 10) 106 -* “Windows Media Dynamic Installer” (only very old updates) 107 -* “Windows Ultimate Extras” (only very old updates) 108 - 109 -# Windows Defender Anti-Virus updates and WSUS 110 - 111 -By default, Windows Defender will load definition updates from Windows Update if WSUS is not available (<https://admx.help/?Category=Windows_7_2008R2&Policy=Microsoft.Policies.WindowsDefender::CheckAlternateDownloadLocation>). 112 - 113 -For computers where automatic installation of updates is not enabled (servers), we can use the `Update-MpSignature` PS cmdlet in a scheduled task in order to install definition updates (<https://docs.microsoft.com/en-us/powershell/module/defender/update-mpsignature?view=windowsserver2022-ps>). 114 - 115 -More information on Defender updates: <https://www.microsoft.com/en-us/wdsi/defenderupdates> 116 - 117 -# Fixing HTTP 413 request entity too large error 118 - 119 -I experienced this problem when running an update scan on Windows Server 2022 clients, while Windows 11 clients still worked fine, but I believe that this can essentially happen with any operating system release. On the affected clients, the update scan would fail with error code 0x80240439. 
After deleting `C:\Windows\SoftwareDistribution`, the next scan would succeed, but all subsequent scans would fail again. This behavior was reproducible on all Windows Server 2022 clients. 120 - 121 -When generating the Windows Update log file on the client with the PowerShell `Get-WindowsUpdateLog` cmdlet, the log file would show entries like the following ones: 122 - 123 -I found various hints that mostly pointed to the limits in `C:\Program Files\Update Services\WebServices\ClientWebService/Web.config`, but increasing those limits did not help at all. In the end, I found the [relevant piece of information](https://batchpatch.com/forums/x/topic/windows-update-error-1611-106-failure/): The `uploadReadAheadSize` in the IIS configuration had to be increased. This can be done by opening the Internet Information Services ( 124 - 125 -# Resources 126 - 127 -* WSUS Best Practices: <https://docs.microsoft.com/en-US/troubleshoot/mem/configmgr/windows-server-update-services-best-practices> 128 -* WSUS Maintenance: <https://docs.microsoft.com/en-US/troubleshoot/mem/configmgr/wsus-maintenance-guide> 
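Review bot: The "Fixing HTTP 413 request entity too large error" section is incomplete at hunk lines 121 and 123: "the log file would show entries like the following ones:" is followed by no log entries, and the last sentence breaks off at "This can be done by opening the Internet Information Services (", so the `uploadReadAheadSize` change that actually fixed the 0x80240439 scan failures is not documented; please add the sample log lines and finish the sentence with where the setting is changed and the value that made the scans succeed. In "IIS site settings for TLS" (hunk lines 33-49) the certificate is bound to port 8531 and SSL is required on the five endpoints, but nothing says how clients are pointed at the TLS port, so a reader following the section as written may leave clients on the plain HTTP port; one sentence on the client-side update-server URL would close that gap. In "Importing updates into WSUS" (hunk lines 61-62) the two PowerShell lines are indented rather than fenced like the `bat` blocks, and the paragraph below says the method did not work, so either fence them as `powershell` and mark them as untested or drop them. Minor typos: "syste,s" should read "systems" (hunk line 75) and "that only new drivers will appear" should read "so that only new drivers will appear" (hunk line 89).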
 
