At Patch My PC we frequently encounter issues in our customers’ environments that are caused by misconfigurations. Some of these issues are not immediately obvious and take time to find, research, and resolve.
Even when there are no obvious issues in your environment, some simple performance tuning can make a world of difference!
With these things in mind, we came up with the idea of a tool that looks for these issues in your environment and provides you with the necessary help to resolve them.
What does MEM Patching Optimizer do?
After connecting to your WSUS Database server, MEMPO will run a series of predefined tests, compare the results to best practice values and let you know what tests have passed and failed.
Over time, we will add more tests as well as the ability to automatically remediate selected issues.
What are the tests and what do they do?
Test SUSDB Response Time
Firstly, we get a baseline of how your WSUS database performs.
This is done by running a simple stored procedure against SUSDB and measuring the time taken for it to complete. You can see this stored procedure in action below.
Check that nclLocalizedPropertyID & nclSupercededUpdateID Indexes exist in SUSDB
Based on our research and information in Microsoft Docs, the single most significant factor to WSUS database performance and the root cause for timeouts is not having the custom non-clustered indexes on the WSUS database (SUSDB).
To verify these indexes exist, we run a SQL query against SUSDB and ensure the result shows that both the nclLocalizedPropertyID index and the nclSupercededUpdateID index exist.
Validating the WSUSContent directory
This one is slightly more interesting and proved challenging, as all WSUSContent path references should point to the same path, regardless of whether they are Absolute or UNC.
To check this, we query SUSDB, IIS and the local registry, compare those paths and check that they exist and that they all match. This also ensures that the paths are in the correct format as there is a known WSUS bug where the leading \\ can be removed from a UNC path in IIS.
Validating WSUSContent and UpdateServicesPackages permissions
Having the correct permissions set on WSUSContent and UpdateServicesPackages ensures updates can be published correctly and is important for BITS downloads to work.
To validate this, we check for 3 permissions specifically: NT Authority\Network Service, WSUS Administrators and BUILTIN\Administrators. We want to ensure that both groups and the Network Service account have Full Control.
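One way to run this permission check by hand, as an added example that is not MEMPO's own code. The two default paths are assumptions, so pass the real WSUSContent and UpdateServicesPackages locations; the WSUS Administrators group is matched by name because its prefix depends on the machine.

```powershell
# Added example (not MEMPO source). Read-only ACL check.
# Assumption: the default paths below are placeholders for your own directories.
param(
    [string[]]$Path = @('D:\WSUS\WsusContent', 'D:\WSUS\UpdateServicesPackages')
)

# Identities the page lists; the local group appears as <COMPUTER>\WSUS Administrators.
$required = @(
    'NT AUTHORITY\NETWORK SERVICE'
    'BUILTIN\Administrators'
    '*\WSUS Administrators'
)
$fullControl = [System.Security.AccessControl.FileSystemRights]::FullControl

foreach ($p in $Path) {
    if (-not (Test-Path -LiteralPath $p)) {
        [pscustomobject]@{ Path = $p; Identity = '(path not found)'; FullControl = $false }
        continue
    }

    # Only Allow entries are evaluated here. A Deny entry for the same identity
    # would still block access, so review those separately.
    $allow = (Get-Acl -LiteralPath $p).Access |
        Where-Object { $_.AccessControlType -eq 'Allow' }

    foreach ($pattern in $required) {
        $hit = $allow | Where-Object {
            $_.IdentityReference.Value -like $pattern -and
            $_.FileSystemRights.HasFlag($fullControl)
        }
        [pscustomobject]@{
            Path        = $p
            Identity    = $pattern
            FullControl = [bool]$hit
        }
    }
}
```

Any row with FullControl set to False is a failed check for that identity on that directory.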
Checking that the WSUS App Pool is running
A super simple one now to break things up a bit, simply ensuring that the WSUS App Pool is running!
Ensuring your WSUS App Pool advanced settings match the Microsoft recommended configuration
Based on the Microsoft documentation for WSUS Best Practices there are 5 things we want to check here: Queue Length, Idle Time-out, Ping Enabled, Private Memory Limit, Regular Time Interval and Identity.
By default, these values are not configured to the best practices for WSUS and should be amended, so we check what they are currently set to, compare them with the recommended values and let you know if they need to be amended.
In the below screenshot we can see a WSUS App Pool that is misconfigured (left) and one that is correctly configured (right).
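The app pool checks above can be reproduced with the IIS WebAdministration module. This is an added example, not MEMPO's own code: it assumes the default pool name WsusPool, and the expected values are the ones given in Microsoft's WSUS best practices documentation rather than on this page, so confirm them against the current doc. Identity is reported without a pass or fail result because the page does not state the expected value.

```powershell
# Added example (not MEMPO source). Run elevated on the WSUS server.
# Assumptions: pool name 'WsusPool'; expected values taken from Microsoft's
# WSUS best practices documentation.
Import-Module WebAdministration
$pool = Get-Item 'IIS:\AppPools\WsusPool' -ErrorAction Stop
$pm   = $pool.processModel
$pr   = $pool.recycling.periodicRestart

$checks = @(
    @{ Name = 'App pool state';              Actual = $pool.state;                    Expected = 'Started' }
    @{ Name = 'Queue Length';                Actual = $pool.queueLength;              Expected = 2000 }
    @{ Name = 'Idle Time-out (minutes)';     Actual = $pm.idleTimeout.TotalMinutes;   Expected = 0 }
    @{ Name = 'Ping Enabled';                Actual = $pm.pingingEnabled;             Expected = $false }
    @{ Name = 'Private Memory Limit (KB)';   Actual = $pr.privateMemory;              Expected = 0 }
    @{ Name = 'Regular Time Interval (min)'; Actual = $pr.time.TotalMinutes;          Expected = 0 }
)

foreach ($c in $checks) {
    [pscustomobject]@{
        Setting  = $c.Name
        Actual   = $c.Actual
        Expected = $c.Expected
        Passed   = ($c.Actual -eq $c.Expected)
    }
}

# Reported for review only; no expected value is asserted for Identity.
[pscustomobject]@{
    Setting  = 'Identity'
    Actual   = $pm.identityType
    Expected = '(review manually)'
    Passed   = $null
}
```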
Checking that the total number of superseded & undeclined updates are within the Microsoft recommended limit
Based on Microsoft’s documentation, any more than 1500 undeclined, superseded updates can cause various issues on both server and client sides.
To check this, Microsoft provides a one-line SQL query which returns the total number of undeclined, superseded updates in SUSDB.
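Both database checks described on this page, the two custom indexes and the undeclined superseded update count, can be run read-only from PowerShell. This is an added example, not MEMPO's own code: the instance name is an assumption, the count query is the one published in Microsoft's WSUS maintenance documentation, and the 1500 threshold is the limit quoted above.

```powershell
# Added example (not MEMPO source). Read-only checks against SUSDB.
# Assumption: $SqlInstance names the SQL Server instance hosting SUSDB and the
# current Windows account is allowed to read it.
param([string]$SqlInstance = 'localhost')

function Invoke-SusdbQuery {
    param([string]$Instance, [string]$Query)
    $connString = "Server=$Instance;Database=SUSDB;Integrated Security=True;Connect Timeout=15"
    $conn = New-Object System.Data.SqlClient.SqlConnection $connString
    try {
        $conn.Open()
        $cmd = $conn.CreateCommand()
        $cmd.CommandText    = $Query
        $cmd.CommandTimeout = 120
        $table = New-Object System.Data.DataTable
        $table.Load($cmd.ExecuteReader())
        $table.Rows    # emit DataRow objects to the pipeline
    }
    finally { $conn.Dispose() }
}

# 1. Custom non-clustered indexes.
$expected = 'nclLocalizedPropertyID', 'nclSupercededUpdateID'
$indexSql = "SELECT name FROM sys.indexes " +
            "WHERE name IN ('nclLocalizedPropertyID', 'nclSupercededUpdateID')"
$found = @(Invoke-SusdbQuery $SqlInstance $indexSql | ForEach-Object { $_.name })

foreach ($ix in $expected) {
    [pscustomobject]@{ Test = "Index $ix exists"; Passed = ($found -contains $ix) }
}

# 2. Undeclined, superseded updates (query from Microsoft's documentation).
$countSql = 'SELECT COUNT(UpdateID) AS Total FROM vwMinimalUpdate ' +
            'WHERE IsSuperseded = 1 AND Declined = 0'
$total = (Invoke-SusdbQuery $SqlInstance $countSql).Total

[pscustomobject]@{
    Test   = "Undeclined superseded updates: $total (limit 1500)"
    Passed = ($total -le 1500)
}
```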
Validate that your IIS WSUSContent directory has the correct authentication configured
One last simple check is to ensure that the Anonymous Authentication settings for the WSUSContent directory in IIS are configured to use the Application Pool Identity.
Note: This only becomes 100% applicable when using a UNC path as the Physical Path in the Content Virtual Directory. Using an Absolute path allows for both IUSR and Application Pool Identity.
Checking WSUS is still on a supported version
It’s important to ensure that you’re running a supported version of WSUS, especially for raising support requests!
MEMPO will check the version of Windows Server it is being run on, which the version of WSUS is tied to. Based on the version of Windows detected, the appropriate result will be displayed!
Note: Information here is on versions of WSUS supported by Patch My PC, but is based on Microsoft’s supportability matrix for Windows Server.
Additional Information
Limitations
- Currently SQL is the only supported database type
- Currently only queries the local WSUS server
Logging an issue
You can log issues with the MEM Patching Optimizer through its GitHub page
Documentation
All documentation around installation and usage can be found on the Patch My PC Docs page
Download
You can get the latest release of the MEM Patching Optimizer here
Scott McAllister
After being an Exchange admin for 8 years, Scott moved to Patch My PC to work with 3rd party updates, ConfigMgr, WSUS and Intune. He has a strong interest in PowerShell, C#, Azure functions, community tools and anything related to automation.
Scott has started writing on his own blog at Scot Scott McA.