At the end of 2016 I had a chance to update our WSUS system. We had been using WSUS 3 for almost 6 years on a rather old Windows Server 2008 platform. WSUS was installed as a separate service back then. Now we have used a new Windows Server 2012 R2 as the basis for it (of course, after the release of 2016 it can already be considered outdated). WSUS 4 is now deployed as a standard role (Server Role). All other requirements and features are selected and installed automatically. WSUS 4 itself hasn't changed much, either visually or in its functions. WSUS 4 deployment and configuration was a breeze and didn't cause any problems, especially as it is so standardized and simplified in this case. But at the same time we decided to launch a Windows 10 pilot (2 new PCs). So the Windows 10 category and its updates were enabled in our new WSUS system. And then all hell broke loose.
First of all, if you want to manage and deploy Windows 10 updates via WSUS, you have to provide a lot more storage space, because one Cumulative update can take 1-1.5 GB 😯 Yes, I can't wait for the time when MS introduces their improved Windows 10 updates with a new Windows Update system, which should take less space (it should probably be revealed with the Creators Update in the spring of 2017). The other thing to keep in mind is Feature Updates, or Upgrades (as they are called in WSUS). These are not security or critical updates, but new builds (like SR1 – 1511 or the Anniversary Update – 1607). WSUS 4 can't deal with them properly without a few special hotfixes, so enabling this category without them can break your WSUS 4 system. We haven't even tried this yet, as we are installing the newest build to this day – 1607. I might post about the nuances of updating to a newer build via WSUS after the Creators Update arrives next year. But if you are installing WSUS 4, you can prepare for it in advance by installing those hotfixes and making the other required changes (more on this later).
Our problems began just after enabling the Windows 10 category and doing the first synchronization of the update list. A new installation of Windows 10 1607 couldn't check for updates against WSUS and showed the 0x8024401C error (I already know this code by heart) after a few minutes of checking. Moreover, our WSUS server was at 100% CPU load for at least ~5 more minutes. I will post all the steps of preparing WSUS 4 for deploying Windows 10 updates to avoid this error. But it won't help to get rid of it completely. This error will still be there when a fresh installation of the 1607 build checks for updates on WSUS. So Windows 10 has to be updated from the internet first (from the Windows Update servers), and only then can it check for updates normally and get them from WSUS. It is to be expected that this error will show up again in the future, when more updates accumulate. So we are already looking into a WSUS replacement, like Intune or SCCM, especially as Intune can control various other parts of Windows 10 and provide MDM features.
In order for WSUS to understand Windows 10 feature upgrades (and maybe other updates too), one has to install these Windows Server 2012 R2 updates before synchronizing updates:
KB3159706: this one is only distributed via Windows Update, so, before connecting the server to WSUS, you should go to the Windows Update menu and check for updates, then go to the Recommended section and install it from there. Then you should also make the changes described in this article https://support.microsoft.com/en-us/kb/3159706 (they must be applied):
- Launch cmd via Run as Administrator and run this command:
"C:\Program Files\Update Services\Tools\wsusutil.exe" postinstall /servicing
Wait until it shows the „Post install has successfully completed“ message.
- Launch Server Manager > Add Roles and Features, on the Features screen expand the .NET Framework 4.5 Features > WCF Services – check HTTP Activation. Press Add Features > Next > Install. Close.
- Open services.msc – restart the WSUS Service.
- If you don’t use SSL with WSUS, you don’t have to apply the steps related to SSL.
Then the changes necessary to get rid of the above mentioned error are applied:
- Open the IIS Manager on the server, expand Sites and select the WSUS Administration site. Click Advanced Settings on the right. Expand Limits and, in the "Connection Time-out (seconds)" field, replace 180 with a higher value, e.g. 320.
- In the Application Pools window select WsusPool, then go to Advanced Settings and, in the Recycling section, change Private Memory Limit (KB) to 0 (which means unlimited size).
- Stop the IIS service (by pressing Stop in the IIS Manager while the server node, SERVER (SERVER\administrator), is selected).
- Run Notepad via Run as administrator and edit the C:\Program Files\Update Services\WebServices\ClientWebService\web.config file, replacing:
<httpRuntime maxRequestLength="4096" />
with:
<httpRuntime maxRequestLength="204800" executionTimeout="7200"/>
Save the file, overwriting the original (make sure it isn't saved with a .txt extension; also, if you copy text from this site, make sure you paste it as plain text without hidden formatting symbols, or just type it in manually).
Start the IIS service.
This way an already updated Windows 10 machine will be able to check for updates on WSUS. But a fresh installation of the 1607 build will still show that error.
UPDATE: looks like MS has finally released a fix for the infamous 0x8024401C error. So one can first try installing it before tweaking the IIS settings. The prerequisite updates still apply though.
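The IIS and web.config changes above can also be applied from an elevated PowerShell session, which avoids the pasted-quote problem and leaves a backup of the original file. This is an added example, not part of the original post; it assumes the WebAdministration module that ships with the IIS role and uses iisreset in place of the Stop/Start clicks in IIS Manager.

```powershell
# Added example, not from the original post. Run elevated on the WSUS server.
# Site, pool and file names are the ones the post uses.
Import-Module WebAdministration

$site      = 'IIS:\Sites\WSUS Administration'
$pool      = 'IIS:\AppPools\WsusPool'
$webConfig = 'C:\Program Files\Update Services\WebServices\ClientWebService\web.config'

# Show the current values first so the change can be reverted later.
"Connection time-out : " + (Get-ItemProperty $site -Name limits.connectionTimeout).Value
"Private memory (KB) : " + (Get-ItemProperty $pool -Name recycling.periodicRestart.privateMemory).Value

# Connection Time-out: 320 seconds (the attribute is a TimeSpan, hh:mm:ss).
Set-ItemProperty $site -Name limits.connectionTimeout -Value '00:05:20'

# Private Memory Limit (KB): 0 means WsusPool is never recycled for memory use.
Set-ItemProperty $pool -Name recycling.periodicRestart.privateMemory -Value 0

# Stop IIS before touching web.config, as in the steps above.
# (iisreset is an assumption standing in for Stop in IIS Manager.)
iisreset /stop

# Keep a timestamped copy of the original file.
$backup = "$webConfig.$(Get-Date -Format yyyyMMddHHmmss).bak"
Copy-Item -LiteralPath $webConfig -Destination $backup

# Edit the file as XML instead of pasting text, so no typographic quotes
# or hidden formatting characters can end up in it.
$xml = New-Object System.Xml.XmlDocument
$xml.PreserveWhitespace = $true
$xml.Load($webConfig)
$node = $xml.SelectSingleNode("//*[local-name()='httpRuntime']")
if (-not $node) {
    iisreset /start
    throw "No httpRuntime element found in $webConfig; file left unchanged."
}
$node.SetAttribute('maxRequestLength', '204800')   # KB
$node.SetAttribute('executionTimeout', '7200')     # seconds
$xml.Save($webConfig)

iisreset /start

# Re-read the file and print the element to confirm what is now on disk.
([xml](Get-Content -LiteralPath $webConfig -Raw)).SelectSingleNode("//*[local-name()='httpRuntime']").OuterXml
```

To roll back, copy the .bak file over web.config and set the two IIS values back to the ones printed at the start.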