WSUS (SUP) Servers in ConfigMgr 2012 custom Configuration Settings

Issue(s) to be resolved:

  1. WSUS Server (the SUP servers in Configmgr 2012), RapidFail currently Enabled (TRUE).  For our WSUS pool, during a particularly heavy patch release cycle, the clients were timing out, and going into retry mode.  This caused the Application Pool for WSUS (called wsusPool) to fail and not restart on it's own.  The clients continued to try; and due to the large number of failures and timeouts were "failing over" to other WSUS servers, which prompted them to need a full sync; and then those failover servers were getting hit hard and the wsuspool on them were failing and not restarting on their own.
  2. Ensure the PrivateMemoryLimit on the WsusPool is 20gb, presuming the server has 21gb or more of memory.

Manual Fix: On the WSUS Servers, RapidFail on the wsusPool was set to FALSE, PrivateMemorylimit was set to 20971520

Automated Fix: We wanted to be sure that if we created more WSUS servers, or for some unknown reason some iis reset or patch would reset RapidFail to TRUE... it would automatically be set back to FALSE. 

What we've implemented is a Compliance Setting using Powershell scripts.  Import --> This <-- into your console, Compliance Settings, Baselines.

What you'll likely want to tweak for your own environment is perhaps your SUP servers shouldn't have 20gb ram dedicated to the WSUSpool--you have different settings.  In the CI currently called "WSUSPool Private Memory Limit should be 20971520", edit multiple things:  

  1. Detection methods, check that the "Greater Than" for how much totalmemory your SUP servers have matches your reality.  If your SUP servers have 16gb, and you want to give 8gb (for example) to the Wsuspool, then change that -gt to something like 8000000000 
  2. Settings, for the Discovery, no change  For the Remediation, change the -Value to match exactly what you intend to have your wsuspool memory be; i.e., if you want to ensure it's 8gb, 8 * 1024 * 1024 = 8388608  
  3. Compliance, change the value to match (8388608)  
  4. you'll likely want to change the names of the rules from "should be 20971520" to instead match your reality.

When you deploy the baseline, make sure you check the box about remediation as well.  Target your SUP servers (by collection), and of course, test that remediation works like you expect it to work.

 

 

 

 

 

CM12

  • Created on .
Copyright © 2018 - The Minnesota System Center User Group