
MEM Patching Optimizer (Project-Clippy)

By Scott McAllister

At Patch My PC, we frequently encounter issues in our customers’ environments that are caused by misconfigurations. Some of these issues are not immediately obvious and take time to find, research, and resolve.

While there may not be any immediately obvious issues in your environment, some simple performance tuning can make a world of difference!

With these things in mind, we came up with the idea of a tool that looks for these issues in your environment and provides you with the necessary help to resolve them.

 

What does MEM Patching Optimizer do?

After connecting to your WSUS Database server, MEMPO will run a series of predefined tests, compare the results to best practice values and let you know what tests have passed and failed.

Over time, we will add more tests as well as the ability to automatically remediate selected issues.


What are the tests and what do they do?

Test SUSDB Response Time

Firstly, we get a baseline of how your WSUS database performs.

This is done by running a simple stored procedure against SUSDB and measuring the time taken for it to complete. You can see this stored procedure in action below.

Check that nclLocalizedPropertyID & nclSupercededUpdateID Indexes exist in SUSDB

Based on our research and information in Microsoft Docs, the single most significant factor to WSUS database performance and the root cause for timeouts is not having the custom non-clustered indexes on the WSUS database (SUSDB).

To verify that these indexes exist, we run a SQL query against SUSDB and ensure the result shows that both the nclLocalizedPropertyID index and the nclSupercededUpdateID index exist.

Validating the WSUSContent directory

This one is slightly more interesting and proved challenging, as all WSUSContent path references should point to the same path, regardless of whether they are Absolute or UNC.

To check this, we query SUSDB, IIS and the local registry, compare those paths and check that they exist and that they all match. This also ensures that the paths are in the correct format as there is a known WSUS bug where the leading \\ can be removed from a UNC path in IIS.
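The comparison described above can be sketched as follows. This is an added example, not MEMPO's own code: the function name `Test-WsusContentPath`, the source labels and the sample paths are constructed, and the three values are assumed to have already been read from SUSDB, IIS and the registry.

```powershell
# Added example, not MEMPO's code. Source names and sample paths are constructed.
function Test-WsusContentPath {
    param([Parameter(Mandatory)][hashtable]$PathBySource)

    $rows = foreach ($source in $PathBySource.Keys) {
        $raw  = [string]$PathBySource[$source]
        $kind = switch -Regex ($raw) {
            '^[A-Za-z]:\\'        { 'Absolute'; break }
            '^\\\\[^\\]+\\[^\\]+' { 'UNC'; break }
            default               { 'Malformed' }   # e.g. a UNC path that lost its leading \\
        }
        [pscustomobject]@{
            Source     = $source
            Path       = $raw
            Kind       = $kind
            # Compare without trailing separators; Windows paths are case-insensitive.
            Normalized = $raw.TrimEnd('\').ToLowerInvariant()
            Exists     = ($kind -ne 'Malformed') -and (Test-Path -LiteralPath $raw)
        }
    }

    $distinct = @($rows.Normalized | Sort-Object -Unique)
    [pscustomobject]@{
        Details   = $rows
        Malformed = @($rows | Where-Object Kind -eq 'Malformed').Source
        AllMatch  = ($distinct.Count -eq 1)
        Passed    = ($distinct.Count -eq 1) -and
                    -not ($rows.Kind -contains 'Malformed') -and
                    -not ($rows.Exists -contains $false)
    }
}

# Constructed values: the IIS entry shows the UNC path with its leading \\ stripped.
$check = Test-WsusContentPath @{
    SUSDB    = '\\wsus01\WSUS\WsusContent'
    IIS      = 'wsus01\WSUS\WsusContent\'
    Registry = '\\WSUS01\WSUS\WsusContent\'
}
$check.Details | Format-Table Source, Kind, Exists, Path -AutoSize
"AllMatch=$($check.AllMatch) Malformed=$($check.Malformed -join ',') Passed=$($check.Passed)"
```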


Validating WSUSContent and UpdateServicesPackages permissions

Having the correct permissions set on WSUSContent and UpdateServicesPackages ensures updates can be published correctly and is important for BITS downloads to work.

To validate this, we check for 3 permissions specifically: NT Authority\Network Service, WSUS Administrators and BUILTIN\Administrators. We want to ensure that both groups and the Network Service account have Full Control.
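One way to run this permission check by hand, as an added example that is not MEMPO's own code. The two folder paths are placeholders, and the identity patterns assume an English-language Windows installation.

```powershell
# Added example, not MEMPO's code. The two paths are placeholders; point them at
# your own WSUSContent and UpdateServicesPackages folders.
param([string[]]$Path = @('D:\WSUS\WsusContent', 'D:\WSUS\UpdateServicesPackages'))

# English account names assumed. WSUS Administrators is a local group, so it is
# matched on any machine prefix.
$required = 'NT AUTHORITY\NETWORK SERVICE', 'BUILTIN\Administrators', '*\WSUS Administrators'
$full     = [System.Security.AccessControl.FileSystemRights]::FullControl

$report = foreach ($folder in $Path) {
    # Keep only Allow entries that grant every bit of Full Control.
    $rules = (Get-Acl -LiteralPath $folder).Access | Where-Object {
        $_.AccessControlType -eq 'Allow' -and
        ($_.FileSystemRights -band $full) -eq $full
    }
    foreach ($pattern in $required) {
        $hit = @($rules | Where-Object { $_.IdentityReference.Value -like $pattern })
        [pscustomobject]@{
            Folder      = $folder
            Identity    = $pattern
            FullControl = ($hit.Count -gt 0)
            # An inherited grant disappears if inheritance is later broken on the folder.
            Inherited   = if ($hit.Count -gt 0) { $hit[0].IsInherited } else { $null }
        }
    }
}
$report | Format-Table -AutoSize
```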


Checking that the WSUS App Pool is running

A super simple one now to break things up a bit, simply ensuring that the WSUS App Pool is running!


Ensuring your WSUS App Pool advanced settings match the Microsoft recommended configuration

Based on the Microsoft documentation for WSUS Best Practices there are 5 things we want to check here: Queue Length, Idle Time-out, Ping Enabled, Private Memory Limit, Regular Time Interval and Identity.

By default, these values are not configured to the best practices for WSUS and should be amended, so we check what they are currently set to, compare them with the recommended values and let you know if they need to be amended.

In the screenshot below, we can see one WSUS App Pool that is misconfigured (left) and one that is correctly configured (right).
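The app pool state check and the advanced settings comparison can be reproduced with the IIS provider. This is an added example, not MEMPO's own code: it assumes the default pool name `WsusPool`, and the expected values are the ones from Microsoft's WSUS best practices article rather than from this page.

```powershell
# Added example, not MEMPO's code. Assumes the default pool name 'WsusPool' and
# the WebAdministration module that ships with IIS; run elevated on the WSUS server.
Import-Module WebAdministration
$poolName = 'WsusPool'
$pool     = Get-Item "IIS:\AppPools\$poolName"
$pm       = $pool.processModel
$cycle    = $pool.recycling.periodicRestart

# Expected values taken from Microsoft's WSUS best practices article; confirm
# them against the current documentation before changing anything.
$checks = @(
    @{ Setting = 'State';                       Actual = (Get-WebAppPoolState -Name $poolName).Value; Expected = 'Started' }
    @{ Setting = 'Queue Length';                Actual = $pool.queueLength;            Expected = 2000 }
    @{ Setting = 'Idle Time-out (min)';         Actual = $pm.idleTimeout.TotalMinutes; Expected = 0 }
    @{ Setting = 'Ping Enabled';                Actual = $pm.pingingEnabled;           Expected = $false }
    @{ Setting = 'Private Memory Limit (KB)';   Actual = $cycle.privateMemory;         Expected = 0 }
    @{ Setting = 'Regular Time Interval (min)'; Actual = $cycle.time.TotalMinutes;     Expected = 0 }
)

$report = foreach ($c in $checks) {
    [pscustomobject]@{
        Setting  = $c.Setting
        Actual   = $c.Actual
        Expected = $c.Expected
        Passed   = ($c.Actual -eq $c.Expected)
    }
}
$report | Format-Table -AutoSize

# The page does not state the expected identity, so it is reported, not judged.
"Identity type: $($pm.identityType)"
```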

Checking that the total number of superseded & undeclined updates are within the Microsoft recommended limit

Based on Microsoft’s documentation, any more than 1500 undeclined, superseded updates can cause various issues on both server and client sides.

To check this, Microsoft provides a one-line SQL query which returns the total number of undeclined, superseded updates in SUSDB.
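The two SUSDB checks, the index test described earlier and this superseded-update count, can be run from PowerShell as below. This is an added example, not MEMPO's own code: the helper `Invoke-SusdbScalar` and the `$SqlServer` default are assumptions, and the count query is the one-line query from Microsoft's WSUS documentation.

```powershell
# Added example, not MEMPO's code. $SqlServer is an assumed instance name;
# run as an account that can read SUSDB.
param([string]$SqlServer = 'localhost')

function Invoke-SusdbScalar {
    param([string]$Server, [string]$Query, [hashtable]$Parameters = @{})
    $conn = [System.Data.SqlClient.SqlConnection]::new(
        "Server=$Server;Database=SUSDB;Integrated Security=True")
    try {
        $conn.Open()
        $cmd = $conn.CreateCommand()
        $cmd.CommandText    = $Query
        $cmd.CommandTimeout = 300   # a slow SUSDB is what these checks are looking for
        foreach ($key in $Parameters.Keys) {
            [void]$cmd.Parameters.AddWithValue($key, $Parameters[$key])
        }
        return $cmd.ExecuteScalar()
    }
    finally { $conn.Dispose() }
}

# Both custom non-clustered indexes must be present in SUSDB.
$results = foreach ($index in 'nclLocalizedPropertyID', 'nclSupercededUpdateID') {
    $found = Invoke-SusdbScalar $SqlServer `
        'SELECT COUNT(*) FROM sys.indexes WHERE name = @name' @{ '@name' = $index }
    [pscustomobject]@{ Test = "Index $index"; Value = $found; Passed = ($found -gt 0) }
}

# Count of superseded updates that have not been declined.
$undeclined = Invoke-SusdbScalar $SqlServer `
    'SELECT COUNT(UpdateID) FROM vwMinimalUpdate WHERE IsSuperseded = 1 AND Declined = 0'
$results += [pscustomobject]@{
    Test   = 'Undeclined superseded updates'
    Value  = $undeclined
    Passed = ($undeclined -le 1500)   # limit quoted on this page
}
$results | Format-Table -AutoSize
```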

Validate that your IIS WSUSContent directory has the correct authentication configured

One last simple check is to ensure that the Anonymous Authentication settings for the WSUSContent directory in IIS are configured to use the Application Pool Identity.

Note: This only becomes 100% applicable when using a UNC path as the Physical Path in the Content Virtual Directory. Using an Absolute path allows for both IUSR and Application Pool Identity.

Checking WSUS is still on a supported version

It’s important to ensure that you’re running a supported version of WSUS, especially for raising support requests!

MEMPO will check the version of Windows Server it is being run on, which the version of WSUS is tied to. Based on the version of Windows detected, the appropriate result will be displayed!

Note: The information here covers the versions of WSUS supported by Patch My PC, but is based on Microsoft’s supportability matrix for Windows Server.

Additional Information

Limitations

  • Currently SQL is the only supported database type
  • Currently only queries the local WSUS server

Logging an issue

You can log issues with the MEM Patching Optimizer through its GitHub page

Documentation

All documentation around installation and usage can be found on the Patch My PC Docs page

Download

You can get the latest release of the MEM Patching Optimizer here

Scott McAllister

After being an Exchange admin for 8 years, Scott moved to Patch My PC to work with 3rd party updates, ConfigMgr, WSUS and Intune. He has a strong interest in PowerShell, C#, Azure functions, community tools and anything related to automation.

Scott has started writing on his own blog at Scot Scott McA.
