Windows Server Update Services (WSUS) is a good solution to keep the Windows Servers and Workstations in your environment up to date if you don't have the budget for Intune.
On the other hand, you may need to spend some time, even a few days, on the initial setup if you want it to run on autopilot instead of troubleshooting it every day.
Personally I prefer to spend more time when I first install WSUS, until I get the most out of it, and then move on to my next project without distractions.
If you haven't configured a WSUS Server yet, read the article How to install & configure WSUS in Windows Server 2016 first to understand the basic settings of a WSUS configuration.
How to configure IIS WSUS Application Pool for best performance
One of the best practices you can apply in WSUS to avoid performance problems and timeouts is to properly configure the WSUS Application Pool in IIS.
To achieve this, change the following settings in the WSUS Application Pool:
- Open IIS
- Expand the Server Name
- Click Application Pools
- Click WsusPool
- From the right side select Advanced Settings
- Change Queue Length from 1000 to 2000
- Change Ping Enabled from True to False
- Change Private Memory Limit (KB) from the default to 0 and Regular Time Interval from the default to 0
- Click OK
- Restart the IIS Server
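The same WsusPool changes as a script, added here as an example (it is not from the original article), using the IIS WebAdministration module in an elevated PowerShell session on the WSUS server; the property names are the IIS configuration attributes behind the Advanced Settings dialog.

```powershell
# Added example, not from the original article: apply the WsusPool settings
# listed above with the IIS WebAdministration module instead of the GUI.
# Run in an elevated PowerShell session on the WSUS server.
Import-Module WebAdministration

$pool = 'IIS:\AppPools\WsusPool'

# Target values, matching the steps above
$desired = [ordered]@{
    'queueLength'                             = 2000
    'processModel.pingingEnabled'             = $false
    'recycling.periodicRestart.privateMemory' = 0                # 0 = no private memory limit
    'recycling.periodicRestart.time'          = [TimeSpan]::Zero # 0 = no regular time interval recycle
}

function Get-PoolSetting([string]$Name) {
    # The IIS provider returns either a bare value or an attribute object with .Value
    $v = Get-ItemProperty -Path $pool -Name $Name
    if ($null -ne $v -and $v.PSObject.Properties['Value']) { return $v.Value }
    return $v
}

# Show the current values first so the change can be reviewed or reverted later
foreach ($name in $desired.Keys) {
    '{0,-45} before: {1}' -f $name, (Get-PoolSetting $name)
}

# Apply the new values
foreach ($name in $desired.Keys) {
    Set-ItemProperty -Path $pool -Name $name -Value $desired[$name]
}

# Verify what IIS actually stored
foreach ($name in $desired.Keys) {
    '{0,-45} after:  {1}' -f $name, (Get-PoolSetting $name)
}

# Same as "Restart the IIS Server" in the steps above
iisreset
```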
If you already use WSUS you will see a big difference in performance. If you are just starting to use it, you will not run into performance issues.
How to maintain Windows Updates in WSUS to avoid performance issues
WSUS must be kept performing well. The first step towards this is to follow some best practices.
One of them is not to keep Windows Updates that are no longer used or that are already installed on all Servers.
If you delete Windows Updates regularly you will not have storage problems, and your Servers will perform faster when they check for Windows Updates.
- Expand Updates and click the View you have created for the specific Updates. Let's say you have one for Windows Server 2016.
- Click it, then under Approval select Approved and under Status select Installed/Not Applicable.
- Click Refresh and it will return some updates. If you look carefully, these updates don't have any icon.
- Select all the Updates, right-click and select Decline. Wait until it finishes and click Close.
- Change the Approval option to Unapproved and follow the same steps.
- When you finish, click Options.
- Click Server Cleanup Wizard.
- Leave all the options checked and click Next.
- Wait until it finishes and review the results. Click Finish.
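The decline-and-cleanup procedure above as a script, added here as an example (it is not from the original article), using the UpdateServices module that ships with the WSUS console; the product title, and the assumption that the Products property of each update holds the product names shown in the console, are mine.

```powershell
# Added example, not from the original article: the decline-and-cleanup
# procedure above as a script, using the UpdateServices module that ships with
# the WSUS console. Run on the WSUS server in an elevated PowerShell session.
Import-Module UpdateServices

function Invoke-WsusDeclineInstalled {
    param(
        # Assumed product title; the console View you created filters the same way
        [string]$Product = 'Windows Server 2016',
        # List what would be declined without changing anything
        [switch]$DryRun
    )
    $declined = @()
    # Two passes, exactly like the console steps: Approved, then Unapproved,
    # both filtered to Status = Installed/Not Applicable
    foreach ($approval in 'Approved', 'Unapproved') {
        $updates = Get-WsusUpdate -Classification All -Approval $approval -Status InstalledOrNotApplicable |
            Where-Object { ($_.Products -join ';') -like "*$Product*" }
        foreach ($u in $updates) {
            # Extra check the wizard does not do: never decline an update that
            # some computer still needs or has failed on
            if ($u.ComputersNeedingThisUpdate -gt 0 -or $u.ComputersWithErrors -gt 0) { continue }
            if (-not $DryRun) { $u | Deny-WsusUpdate }
            $declined += $u.Update.Title
        }
    }
    return $declined
}

# 1. Review first
Invoke-WsusDeclineInstalled -Product 'Windows Server 2016' -DryRun

# 2. Decline for real
$done = Invoke-WsusDeclineInstalled -Product 'Windows Server 2016'
"Declined $($done.Count) updates"

# 3. Same work as the Server Cleanup Wizard with all options checked
Invoke-WsusServerCleanup -CleanupObsoleteComputers -CleanupObsoleteUpdates `
    -CleanupUnneededContentFiles -CompressUpdates `
    -DeclineExpiredUpdates -DeclineSupersededUpdates
```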
How to add Computers in WSUS when they are not reported
I have observed many times that Computers do not report to the WSUS Administration Console automatically after the Group Policy described in How to install & configure WSUS in Windows Server 2016 is applied.
There are many reasons for this, but if you are sure that the GPO has already applied and the firewall configuration allows communication between WSUS and the Server, then most of the time you can run the following commands and within a few minutes the Server will appear in the WSUS Console.
- Log in to the Server that doesn't appear in the WSUS Administration Console
- Open PowerShell as Administrator
- If the server is Windows Server 2016, run the following commands
# Restart the update client services
Stop-Service -Name BITS, wuauserv -Force
Start-Service -Name BITS, wuauserv
# Reset the client authorization cookie and force detection and reporting
wuauclt /resetauthorization /detectnow
wuauclt /reportnow
# On Windows Server 2016 trigger the detection through the Windows Update Agent COM API
(New-Object -ComObject Microsoft.Update.AutoUpdate).DetectNow()
- If the Server is Windows Server 2012 R2, run the following commands
# Restart the update client services
Stop-Service -Name BITS, wuauserv -Force
Start-Service -Name BITS, wuauserv
# Reset the client authorization cookie and force detection and reporting
wuauclt /resetauthorization /detectnow
wuauclt /reportnow
- Wait a few minutes (2-3 minutes at most) and refresh the WSUS Administration Console.
- Most of the time, when the Server first appears in the WSUS Administration Console, Installed/Not Applicable is 0%.
- Check the Server and you will see that it is Checking for Updates. When it finishes, Installed/Not Applicable will show the percentage that matches the installed Updates.
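The manual steps above as one client-side script, added here as an example (it is not from the original article); it first checks the two preconditions the text names (the GPO has applied, the firewall allows the connection) by reading the WUServer policy value and testing the port, then runs the same service restart and detection commands and prints the last successful detection time from the client's registry.

```powershell
# Added example, not from the original article: force a client that is missing
# from the console to check in. Run in an elevated PowerShell session on that client.
$wuPolicy = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
$wu = Get-ItemProperty -Path $wuPolicy -ErrorAction SilentlyContinue
if (-not $wu -or -not $wu.WUServer) {
    throw 'No WUServer policy value found; the WSUS Group Policy has not applied to this machine.'
}
"WSUS server (policy): $($wu.WUServer)   status server: $($wu.WUStatusServer)"

# Confirm the WSUS endpoint is reachable before blaming the client
$uri = [Uri]$wu.WUServer
if (-not (Test-NetConnection -ComputerName $uri.Host -Port $uri.Port -InformationLevel Quiet)) {
    throw "Cannot reach $($uri.Host):$($uri.Port); check the firewall rules between client and WSUS."
}

# Restart the update client services (same as the manual steps)
Stop-Service -Name BITS, wuauserv -Force
Start-Service -Name BITS, wuauserv

# Drop the cached client authorization and force a new detection/report cycle.
# wuauclt is the 2012 R2 way; on 2016 (kernel 10.0) the COM call below does the work.
wuauclt /resetauthorization /detectnow
wuauclt /reportnow
if ([Environment]::OSVersion.Version -ge [Version]'10.0') {
    (New-Object -ComObject Microsoft.Update.AutoUpdate).DetectNow()
}

# Last successful detection recorded by the Windows Update client
$detect = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\Results\Detect'
Get-ItemProperty -Path $detect -Name LastSuccessTime -ErrorAction SilentlyContinue |
    Select-Object LastSuccessTime
```

If LastSuccessTime does not advance after a few minutes, the client never completed a detection and the problem is on the client or the network, not in the console.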
How to automate deployment of Windows Updates to Clients
You have spent a lot of time including all your Servers or Workstations in the WSUS Administration Console. You have separated them into Groups based on OS. You have separated the Windows Updates based on OS.
And still you must log in to every Server to install the Windows Updates.
In specific scenarios you want to do it manually for a few servers. As I understand it, these are the most important Servers in your environment and you don't want any issue after the Windows Updates are installed that would cause downtime.
But what about the rest of them?
At least you want to install the updates automatically and restart the Servers manually, or restart them at the weekend.
So let's create the automation.
The article How to install & configure WSUS in Windows Server 2016 explains how to create and apply the Group Policy that configures the Servers to search for Windows Updates from WSUS.
- After you have created the Group Policy you must make a few changes
- Open the Group Policy again for editing.
- Enable the policy Allow Automatic Updates immediate installation
- Open Configure Automatic Updates
- Change Configure automatic updating to 4 - Auto download and schedule the install
- Select the option you want in Scheduled install day
- Open Automatic Updates detection frequency.
- Enable the policy and decide how often you want to check for updates.
- But read the Help on the right side carefully, which says: The exact wait time is determined by using the hours specified here minus zero to twenty percent of the hours specified.
- Now force the Group Policy on the WSUS clients and verify the exact time at which your Server checks for Windows Updates and installs them.
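To verify on a client that the policy above has landed, this added example (not from the original article) reads the Automatic Updates values the GPO writes under HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU, decodes them into the names used in the Group Policy editor, and shows the detection window the Help text describes (the configured hours minus zero to twenty percent).

```powershell
# Added example, not from the original article: show the Automatic Updates
# policy as it arrived on a client. Run after gpupdate /force on that client.
$auPath = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU'
$au = Get-ItemProperty -Path $auPath -ErrorAction Stop

# Registry values -> names shown in the Configure Automatic Updates policy
$auOptions = @{
    2 = 'Notify for download and auto install'
    3 = 'Auto download and notify for install'
    4 = 'Auto download and schedule the install'
    5 = 'Allow local admin to choose setting'
}
$days = @{ 0 = 'Every day'; 1 = 'Sunday'; 2 = 'Monday'; 3 = 'Tuesday'
           4 = 'Wednesday'; 5 = 'Thursday'; 6 = 'Friday'; 7 = 'Saturday' }

[pscustomobject]@{
    AUOptions                 = "$($au.AUOptions) - $($auOptions[[int]$au.AUOptions])"
    ScheduledInstallDay       = $days[[int]$au.ScheduledInstallDay]
    ScheduledInstallTime      = '{0:00}:00' -f [int]$au.ScheduledInstallTime
    # "Allow Automatic Updates immediate installation" policy
    AutoInstallMinorUpdates   = [bool]$au.AutoInstallMinorUpdates
    # "Automatic Updates detection frequency" policy
    DetectionFrequencyEnabled = [bool]$au.DetectionFrequencyEnabled
    DetectionFrequencyHours   = $au.DetectionFrequency
}

# Effective detection interval: configured hours minus 0 to 20 percent
if ($au.DetectionFrequencyEnabled -eq 1) {
    $h = [double]$au.DetectionFrequency
    'Next check happens between {0:N1} and {1:N1} hours after the previous one' -f ($h * 0.8), $h
} else {
    'Detection frequency not set by policy; the client default (22 hours) applies'
}
```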
How to troubleshoot WSUS Clients
When you install a Windows Server with a specific Role, you do it because you want to achieve something.
After installing WSUS you must spend some time until you get the results you want.
That is where troubleshooting comes in, because issues may appear that need to be resolved.
From my experience, the most common issues you can face, and that cost a lot of time, are the following:
WSUS Client not reporting but appears in WSUS Administration Console
If a WSUS Client has been offline for more than 30 days and comes online again, sometimes, for an unknown reason, the WSUS Client does not report to the WSUS Administration Console.
To resolve the issue, just delete the WSUS Client from the WSUS Administration Console.
Then follow the instructions in the paragraph How to add Computers in WSUS when not reported to add the WSUS Client manually again.
How to reset the WSUS Server when Clients get errors
Most of the time the problem is on the WSUS Client. This issue, however, is on the WSUS Server.
Some clients may receive error code 80244019 when they try to install Windows Updates.
The most common cause is that WSUS has a problem downloading the Windows Update files.
To resolve this problem you can use the command wsusutil reset.
- To run the command, open cmd as administrator
- cd to C:\Program Files\Update Services\Tools
- Run wsusutil reset
- Wait some time while WSUS verifies that every update metadata row in the database has corresponding update files stored in the file system. If files are missing or corrupted, WSUS downloads them again.
- When it finishes, go back to the Windows Server that had the problem installing Windows Updates and try again.
Where to find WSUS client logs
For any issue, or if you want to verify a process, you can find the WSUS Client logs, which can help you a lot, in the path C:\Windows\SoftwareDistribution in the file named ReportingEvents.
Believe me, it can help you a lot with any issue where you can't actually find what caused the error.
Whether you already use WSUS or are new to it, I hope you found something helpful here.
Have a nice weekend!!!