MEM Patching Optimizer (Project-Clippy)

by | Nov 7, 2022 | Blog, Tech Blog


At Patch My PC we frequently encounter issues in our customers’ environments that are caused by misconfigurations. Some of these issues may not be immediately obvious and can take time to find, research, and resolve.

While there may not be any immediately obvious issues in your environment, some simple performance tuning can make the world of difference!

With these things in mind, we came up with the idea of a tool that looks for these issues in your environment and provides you with the necessary help to resolve them.

 

What does MEM Patching Optimizer do?

After connecting to your WSUS Database server, MEMPO will run a series of predefined tests, compare the results to best practice values and let you know what tests have passed and failed.

Over time, we will add more tests as well as the ability to automatically remediate selected issues.


What are the tests and what do they do?

Test SUSDB Response Time

Firstly, we get a baseline of how your WSUS database performs.

This is done by running a simple stored procedure against SUSDB and measuring the time taken for it to complete. You can see this stored procedure in action below.


Check that nclLocalizedPropertyID & nclSupercededUpdateID Indexes exist in SUSDB

Based on our research and information in Microsoft Docs, the single most significant factor in WSUS database performance, and the root cause of timeouts, is not having the custom non-clustered indexes on the WSUS database (SUSDB).

To verify these indexes exist, we run a SQL query against SUSDB and ensure the result shows that both the nclLocalizedPropertyID index and the nclSupercededUpdateID index exist.


Validating the WSUSContent directory

This one is slightly more interesting and proved challenging, as all WSUSContent path references should point to the same path, regardless of whether they are Absolute or UNC.

To check this, we query SUSDB, IIS and the local registry, compare those paths and check that they exist and that they all match. This also ensures that the paths are in the correct format as there is a known WSUS bug where the leading \\ can be removed from a UNC path in IIS.
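The comparison described above can be sketched as follows. This is an added example, not MEMPO's own code: the function name and the sample values are constructed, the three paths are assumed to have been collected already, and how each one is read from SUSDB, IIS and the registry is left out.

```powershell
# Added example (hypothetical function name). Takes the WSUSContent path as reported
# by each source and checks format, existence and agreement.
function Test-WsusContentPath {
    param([Parameter(Mandatory)][hashtable]$Paths)   # source name -> path string

    $rows = foreach ($source in $Paths.Keys) {
        $raw  = [string]$Paths[$source]
        $norm = $raw.Trim().TrimEnd('\')              # ignore a trailing backslash
        # A UNC path that lost its leading \\ matches neither pattern -> 'Malformed'.
        $kind = if     ($norm -match '^[A-Za-z]:(\\|$)')     { 'Absolute' }
                elseif ($norm -match '^\\\\[^\\]+\\[^\\]+')  { 'UNC' }
                else                                         { 'Malformed' }
        [pscustomobject]@{
            Source     = $source
            Path       = $raw
            Normalized = $norm
            Kind       = $kind
            Exists     = ($kind -ne 'Malformed') -and
                         (Test-Path -LiteralPath $norm -PathType Container)
        }
    }

    # Sort-Object -Unique compares case-insensitively, which suits Windows paths.
    $distinct = @($rows.Normalized | Sort-Object -Unique)
    $bad      = @($rows | Where-Object { $_.Kind -eq 'Malformed' -or -not $_.Exists })

    [pscustomobject]@{
        Sources  = $rows
        AllMatch = ($distinct.Count -eq 1)
        Passed   = ($distinct.Count -eq 1) -and ($bad.Count -eq 0)
    }
}

# Constructed sample: the IIS value has lost its leading \\ as in the bug described above.
$sample = @{
    SUSDB    = '\\wsus01\WSUS\WsusContent'
    IIS      = 'wsus01\WSUS\WsusContent\'
    Registry = '\\wsus01\WSUS\WsusContent'
}
Test-WsusContentPath -Paths $sample | Select-Object -ExpandProperty Sources | Format-Table
```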


Validating WSUSContent and UpdateServicesPackages permissions

Having the correct permissions set on WSUSContent and UpdateServicesPackages ensures updates can be published correctly and is important for BITS downloads to work.

To validate this, we check for 3 permissions specifically: NT Authority\Network Service, WSUS Administrators and BUILTIN\Administrators. We want to ensure that both groups and the Network Service account have Full Control.
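One way to run this permission check with Get-Acl, as an added example that is not MEMPO's own code. The function name and the folder paths in the usage comment are placeholders, and the Deny-entry check goes slightly beyond what the post describes.

```powershell
# Added example (hypothetical function name). Reports, per folder, whether each of the
# three identities named in the post holds an Allow ACE with Full Control.
function Test-WsusFolderAcl {
    param([Parameter(Mandatory)][string[]]$Path)

    # 'WSUS Administrators' is a local group, reported as '<COMPUTERNAME>\WSUS Administrators',
    # so identities are matched on the full name or on the trailing '\name'.
    $required = 'NT AUTHORITY\NETWORK SERVICE', 'BUILTIN\Administrators', 'WSUS Administrators'
    $full = [System.Security.AccessControl.FileSystemRights]::FullControl

    foreach ($folder in $Path) {
        $aces = (Get-Acl -LiteralPath $folder).Access
        foreach ($name in $required) {
            $mine = @($aces | Where-Object {
                $_.IdentityReference.Value -eq $name -or
                $_.IdentityReference.Value -like "*\$name" })
            # Inherit-only ACEs expressed as generic rights (GENERIC_ALL) are not counted here.
            $allow = @($mine | Where-Object {
                $_.AccessControlType -eq 'Allow' -and
                ($_.FileSystemRights -band $full) -eq $full })
            $deny = @($mine | Where-Object { $_.AccessControlType -eq 'Deny' })

            [pscustomobject]@{
                Folder       = $folder
                Identity     = $name
                FullControl  = ($allow.Count -gt 0)
                HasDenyEntry = ($deny.Count -gt 0)   # a Deny ACE can override the Allow
                Passed       = ($allow.Count -gt 0 -and $deny.Count -eq 0)
            }
        }
    }
}

# Usage (placeholder paths):
# Test-WsusFolderAcl -Path 'D:\WSUS\WsusContent', 'D:\WSUS\UpdateServicesPackages' | Format-Table
```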


Checking that the WSUS App Pool is running

A super simple one now to break things up a bit, simply ensuring that the WSUS App Pool is running!


Ensuring your WSUS App Pool advanced settings match the Microsoft recommended configuration

Based on the Microsoft documentation for WSUS Best Practices there are 5 things we want to check here: Queue Length, Idle Time-out, Ping Enabled, Private Memory Limit, Regular Time Interval and Identity.

By default, these values are not configured to the best practices for WSUS and should be amended, so we check what they are currently set to, compare them with the recommended values and let you know if they need to be amended.

In the screenshot below we can see a WSUS App Pool that is misconfigured (left) and one that is correctly configured (right).


Checking that the total number of superseded & undeclined updates are within the Microsoft recommended limit

Based on Microsoft’s documentation, any more than 1500 undeclined, superseded updates can cause various issues on both server and client sides.

To check this, Microsoft provide a one-line SQL query which returns the total number of undeclined, superseded updates in SUSDB.
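The two SUSDB checks described on this page, the index check and the superseded-update count, can be run from PowerShell as sketched here. This is an added example, not MEMPO's own code: the function names and the SQL instance name are placeholders, and the view and column names in the count query follow Microsoft's WSUS maintenance guidance rather than anything shown in this post.

```powershell
# Added example (hypothetical function names). Assumes Windows PowerShell on the WSUS
# server and Windows authentication to the SQL Server instance that hosts SUSDB.
function Invoke-SusdbQuery {
    param(
        [Parameter(Mandatory)][string]$SqlInstance,   # placeholder, e.g. 'SQL01\WSUS'
        [Parameter(Mandatory)][string]$Query
    )
    $connString = "Server=$SqlInstance;Database=SUSDB;Integrated Security=True;Connect Timeout=15"
    $conn = New-Object System.Data.SqlClient.SqlConnection $connString
    try {
        $conn.Open()
        $cmd = $conn.CreateCommand()
        $cmd.CommandText = $Query
        $reader = $cmd.ExecuteReader()
        $values = @()
        while ($reader.Read()) { $values += $reader.GetValue(0) }   # first column only
        return $values
    }
    finally { $conn.Dispose() }
}

function Test-SusdbHealth {
    param([Parameter(Mandatory)][string]$SqlInstance)

    # Index names exactly as given in this post.
    $required = 'nclLocalizedPropertyID', 'nclSupercededUpdateID'
    $indexSql = "SELECT name FROM sys.indexes " +
                "WHERE name IN ('nclLocalizedPropertyID', 'nclSupercededUpdateID')"
    $found    = @(Invoke-SusdbQuery -SqlInstance $SqlInstance -Query $indexSql)
    $missing  = @($required | Where-Object { $_ -notin $found })

    # Assumption: view and column names as in Microsoft's WSUS maintenance guidance.
    $countSql = 'SELECT COUNT(UpdateID) FROM vwMinimalUpdate WHERE IsSuperseded = 1 AND Declined = 0'
    $count    = @(Invoke-SusdbQuery -SqlInstance $SqlInstance -Query $countSql)[0]

    [pscustomobject]@{
        MissingIndexes       = $missing
        IndexTestPassed      = ($missing.Count -eq 0)
        SupersededUndeclined = $count
        SupersededTestPassed = ($count -le 1500)   # limit quoted in this post
    }
}

# Usage (placeholder instance name):
# Test-SusdbHealth -SqlInstance 'SQL01\WSUS'
```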


Validate that your IIS WSUSContent directory has the correct authentication configured

One last simple check is to ensure that the Anonymous Authentication settings for the WSUSContent directory in IIS are configured to use the Application Pool Identity.

Note: This only becomes 100% applicable when using a UNC path as the Physical Path in the Content Virtual Directory. Using an Absolute path allows for both IUSR and Application Pool Identity.


Checking WSUS is still on a supported version

It’s important to ensure that you’re running a supported version of WSUS, especially for raising support requests!

MEMPO will check the version of Windows Server it is being run on, to which the version of WSUS is tied. Based on the version of Windows detected, the appropriate result will be displayed!

Note: Information here is on versions of WSUS supported by Patch My PC, but based off Microsoft’s supportability matrix for Windows Server


Additional Information

Limitations

  • Currently SQL is the only supported database type
  • Currently only queries the local WSUS server

Logging an issue

You can log issues with the MEM Patching Optimizer through its GitHub page

Documentation

All documentation around installation and usage can be found on the Patch My PC Docs page

Download

You can get the latest release of the MEM Patching Optimizer here

Scott McAllister

After being an Exchange admin for 8 years, Scott moved to Patch My PC to work with 3rd party updates, ConfigMgr, WSUS and Intune. He has a strong interest in PowerShell, C#, Azure functions, community tools and anything related to automation.

Scott has started writing on his own blog at Scot Scott McA.
