Windows: Setup a WSUS Server for Windows 10 Clients with Feature Support

Hi,

in this post I will describe all steps to install a Windows Update Server at top an a Windows Server 2012R2 to fully support the Windows 10 Feature updates.


First of all install a Windows Server 2012R2 and install all updates. Especially KB2919355 is requiered. Windows Server2008 R2 with WSUS 3 SP2 only support Windows 10 Updates, not Features.

To install WSUS simply enable the

D:\> Install-WindowsFeature -Name UpdateServices,UpdateServices-Services,UpdateServices-WidDB -IncludeManagementTools
Success Restart Needed Exit Code      Feature Result
------- -------------- ---------      --------------
True    No             Success        {ASP.NET 4.5, Windows Server Update Servic...
WARNING: Additional configuration may be required. Review the article Managing WSUS Using PowerShell at TechNet Library
(http://go.microsoft.com/fwlink/?LinkId=235499) for more information on the recommended steps to perform WSUS installation using
PowerShell.

Before starting the sync, 2 fixes must be installed to enable Windows 10 Feature support. Its importent to install these fixes before syncing updates otherwise all previously synced updates have to delete and you have to start resync again after installation.

Check for Update KB2919355 and install updates KB3095113 (Enable Feature Support) and KB3159706 (ESD Decryption support).

C:\Windows\system32>systeminfo|findstr /i 2919355
                           [03]: KB2919355
c:\> wusa Windows8.1-KB3095113-v2-x64.msu
c:\> wusa AMD64-all-windows8.1-kb3159706-x64.msu

Create a Directory where the Updates are stored

D:\> mkdir D:\WSUS
D:\> & "C:\Program Files\Update Services\Tools\WsusUtil.exe" postinstall CONTENT_DIR=D:\WSUS

Enable WSUS and IIS Service

D:\> sc config W3SVC start= delayed-auto
D:\> sc config WsusService start= delayed-auto
D:\> sc config WSusCertServer start= delayed-auto

To change the default TCP Ports, a custom website must be enabled (default after installation)

D:\> wsusutil usecustomwebsite true

Let us assume http should be TCP/22222, then the https port must be httpPort+1 => 22223
Change the IIS Ports of the customwebsite. Open the IIS Management Console

IIS MMC
IIS MMC

WSUS HTTP Port
WSUS HTTP Port

WSUS HTTPS Port
WSUS HTTPS Port

you also have to change the http port in the registry to tell the WSUSUpdate Service on which port the IIS is running.

D:\> reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Update Services\Server\Setup"  /t REG_DWORD /v PortNumber /d 22222 /f

Adjust both WSUS incoming firewall rules (TCP Ports 8530=>22222 and 8531=>22223)

WSUS Firewall rule http
WSUS Firewall rule http

WSUS Firewall rule https
WSUS Firewall rule https

Reboot to get all changes active.

Addionally you have to install the Microsoft Microsoft Report Viewer to have a look at the Reports of Updates and Clients.

Start MMC and connect.

Update: If you have a large number of client which connects to your WSUS, the default settings for the IIS WSUS Apppool could be to conservative. The WsusPool then goes temporary offline. If this happens try to increase “Queue Length” and the “Private memory limit” properties of the Apppool.

To resolve the issue open System EventLog and Filter for EventSource WAS.

Eventlog WSUS Apppool Error
Eventlog WSUS Apppool Error

Increase Queue Limit

WsusPool queue length
WsusPool queue length

Disable worker process limit

WsusPool max worker processes
WsusPool max worker processes

Increase Memory limit

WsusPool private memory
WsusPool private memory

Also disable the SQL remote query timeout. Connect to the SQL Server and set timeout to 0 (disable timeout)

USE SUSDB ;  
GO  
EXEC sp_configure 'remote query timeout', 0 ;  
GO  
RECONFIGURE ;  
GO  

otherwise in some replication scenarios a SQL timeout will occur:

SqlException: Timeout expired. The timeout period elapsed prior to completion of the operation or the server is not responding. ---> System.ComponentModel.Win32Exception: The wait operation timed out
at Microsoft.UpdateServices.DatabaseAccess.DBConnection.DrainObsoleteConnections(SqlException e)
at Microsoft.UpdateServices.DatabaseAccess.DBConnection.ExecuteReader()
at Microsoft.UpdateServices.Internal.DataAccess.HideUpdatesForReplicaSync(String xmlHiddenUpdateIds, String xmlAllUpdatesIds)
at Microsoft.UpdateServices.ServerSync.CatalogSyncAgentCore.ProcessHiddenUpdates(Guid[] hiddenUpdates, UpdateIdentity[] allUpdates)
at Microsoft.UpdateServices.ServerSync.CatalogSyncAgentCore.ReplicaSync()
at Microsoft.UpdateServices.ServerSync.CatalogSyncAgentCore.ExecuteSyncProtocol(Boolean allowRedirect)

If you want to upgrade Windows 10 to a new feature version, i.e. 1511 to 1607 the IIS must known how to handle .esd files. Add the MIME Type application/octet-stream for file extension .esd to IIS by using the IIS Management Console

Add IIS esd-mimetype
Add IIS esd-mimetype

On the clients the Policy “User Configuration/Administrative Templates/Windows Components/Store/Turn off the offer to update to the latest version of Windows” must not be set. Check the registry key

C:\> reg query HKLM\Software\Policies\Microsoft\WindowsStore -v DisableOSUpgrade
    DisableOSUpgrade    REG_DWORD    0x0

Michael

Ref: Windows 10 Update History
Migration from WID to SQL Server

Leave a Reply