WSUS Configuration Tweaks For Improving Performance

Update 2018-04-20: I’ve updated the information in this post and rolled it into a new post about setting up a WSUS server from scratch on Windows Server 2016 Core. That post is also suitable for a regular Windows Server 2016 server with a GUI. You can read it here.


I’ve been dealing with some issues with a WSUS server recently. It services around 1000 devices, mostly Windows 10 with some Windows 7, Windows Server 2016/2012 R2/2012 and 2008 R2. The WSUS server provided updates for a variety of Microsoft products including Office, Exchange, SQL, Visual Studio, Windows Defender to name a few.

The WSUS server is running on Windows Server 2016 Standard, which is WSUS version 10.0.14393.1066, although I’m sure these configuration tweaks could benefit previous versions too. The WSUS database is the Windows Internal Database.

The issues I’d been experiencing were the Error: Unexpected Error/Reset Server Node (Event ID 7053) issue, generally bad performance, and Windows Update timing out when searching for updates (0x8024401C).

Oh. YOU again.

Thankfully the issues were easily resolved. Here’s what I found.

Firstly, to tackle the performance issue. I’d set up a Scheduled Task to run a PowerShell script, weekly, to clean up the WSUS database, but this had stopped running due to a username/password error. This was easily fixed. As the script had not run in a few weeks I sensed that it was going to need some time to run, so I decided to increase the specification of the WSUS VM first. The number of clients that it was expected to service had increased over time too, so I felt it was only right I do this. It was running on 2 vCPUs and 4GB RAM; I increased this to 6 vCPUs and 8GB RAM. Once I’d done this, I ran the script. After an hour or so it failed, which I consider to be normal when database maintenance hasn’t been done in a while. I ran the script again and after a few hours it completed successfully.

I increased the schedule of the script to run daily instead of weekly. I also updated the script to add logging and to email the log when it had completed running – something I had been intending to do but not got around to.

Here’s the completed script for you to use. The logging and email sections of the script follow the same conventions I’ve been using for my Image Factory and Hyper-V backup scripts.

# -------------------------------------------
# Script: wsus-maintenance.ps1
# Version: 1.1
# Author: Mike Galvin
# Date: 24/04/2017
# -------------------------------------------

##Set Variables
$wsussrvr = "wsus1"
$wsusport = "8530"

##Set Log Location
$log = "E:\scripts\wsus-maintenance.log"

##Set Mail Config (fill in your own addresses and SMTP server)
$toaddress = ""
$fromaddress = ""
$subject = "WSUS Maintenance"
$mailserver = ""

##Start Log
Start-Transcript $log

##Connect to the WSUS server named above and write its details to the log
$wsus = Get-WsusServer -Name $wsussrvr -PortNumber $wsusport
$wsus

##Run every cleanup task against that server
$wsus | Invoke-WsusServerCleanup -CleanupObsoleteComputers -CleanupObsoleteUpdates -CleanupUnneededContentFiles -CompressUpdates -DeclineExpiredUpdates -DeclineSupersededUpdates

##Stop Log (close the transcript before the log file is read and mailed)
Stop-Transcript

##Send Mail
$body = Get-Content -Path $log | Out-String
Send-MailMessage -To $toaddress -From $fromaddress -Subject $subject -Body $body -SmtpServer $mailserver


Now that the general performance and housekeeping had been done, I left the server alone to see how things went for a day or two. After a day performance was better but I still had some timeouts with Windows 10 clients detecting updates. On previous versions of WSUS I’d always tweaked the IIS Application Pool settings and so far hadn’t had to do that with the Server 2016 version, so I decided to make some changes there. Here are the changes I made:

Change the Private Memory Limit (KB) to 0 – This removes the memory limit. I’d actually suggest making it slightly less than the memory available on your server, but I’ve not had any issue from setting this to 0 yet.

Change the Service Unavailable Response from HttpLevel to TcpLevel – The documentation states that changing this to TcpLevel will reset the connection rather than return an HTTP 503 error. I found this via a Google Search and haven’t had any issues since making this change.

Change Limit Interval (minutes) from 5 to 15 – This specifies the reset period for the CPU monitoring and throttling limits for the application pool.

Change the Queue Length from 1000 to 2500 – This increases the queue length for the application pool.

I’m not convinced that I needed to do all four of these changes. I think the changes to the Private Memory Limit and Queue Length were necessary but I’m not so sure about the others. I’d suggest that you might want to show more restraint than I did at the time and make one change at a time to see if it solves the issue.

After making these changes the performance of the WSUS server was greatly increased and the Windows 10 clients detected updates without issue, and continue to as I write this.
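
The four application pool changes listed above can also be made from PowerShell, one at a time, with the old and new value reported for each. This is an added example, not part of the original post: it assumes the IIS WebAdministration module is available and that the WSUS application pool has its default name, WsusPool, and the function names are hypothetical.

```powershell
# Added example: applies the four application pool changes described above,
# one at a time, and reports the value before and after each change.
# Assumption: the WSUS pool has its default name, "WsusPool".
Import-Module WebAdministration

$poolPath = "IIS:\AppPools\WsusPool"

# IIS attribute names behind the four settings shown in IIS Manager
$tweaks = [ordered]@{
    PrivateMemoryLimit = @{ Name = "recycling.periodicRestart.privateMemory"; Value = 0 }
    ServiceUnavailable = @{ Name = "failure.loadBalancerCapabilities";        Value = "TcpLevel" }
    LimitInterval      = @{ Name = "cpu.resetInterval";                       Value = "00:15:00" }
    QueueLength        = @{ Name = "queueLength";                             Value = 2500 }
}

function Get-PoolSetting {
    param([string]$Name)
    $item = Get-ItemProperty -Path $poolPath -Name $Name
    # Some attributes come back wrapped in an object with a Value property,
    # others (enums, for example) as the bare value; handle both.
    if ($item.PSObject.Properties["Value"]) { $item.Value } else { $item }
}

function Set-WsusPoolTweak {
    param(
        [Parameter(Mandatory)]
        [ValidateSet("PrivateMemoryLimit", "ServiceUnavailable", "LimitInterval", "QueueLength")]
        [string]$Tweak
    )
    $setting = $tweaks[$Tweak]
    $before  = Get-PoolSetting -Name $setting.Name
    Set-ItemProperty -Path $poolPath -Name $setting.Name -Value $setting.Value
    [pscustomobject]@{
        Tweak  = $Tweak
        Before = "$before"
        After  = "$(Get-PoolSetting -Name $setting.Name)"
    }
}

# Apply one change, watch client detection for a while, then move to the next.
Set-WsusPoolTweak -Tweak QueueLength
# Set-WsusPoolTweak -Tweak PrivateMemoryLimit
# Set-WsusPoolTweak -Tweak ServiceUnavailable
# Set-WsusPoolTweak -Tweak LimitInterval
```

Keep the "Before" values from each run so a change that does not help can be put back.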

I take great care to test my ideas and make sure my articles are accurate before posting, however mistakes do slip through sometimes. If you’d like to get in touch with me please use the comments, Twitter (you can tweet me and my DMs are open) or my contact form.

I hope this article helps you out, please consider supporting my work here. Thank you.


6 thoughts on “WSUS Configuration Tweaks For Improving Performance”


  1. Thank you for this, it indeed improved the situation when updating a Windows 2016 installed from the latest ISO available from VLSC. But as far as Windows 10 1703 (again here latest ISO available from VLSC) I am still stuck 😦
    My Win10 simply won’t update. It is complaining it cannot connect, in some cases I have been stuck at 0% downloading, …


  2. W2016 Standard
    WSUS 10.0.14393.2007
    IIS 10
    Edited the already present MIME type in IIS – .ESD – at top of App pool tree & WSUS pool.
    Correct config is likely not both but WSUS pool only.
    DL stats by desktops immediately improved, no stuck DL of feature updates like 1703, 1709 for clients.
    default MIME Type was: application/
    changed to application/octet-stream
    This was a manually added MIME type in W2012R2, is already in W2016 but some have said online in MSFT forums to change it as clients always get stuck at DL.
    ESD is encrypted W10 client upgrade content and clients or IIS can’t work with it without this tweak.


  3. How does this “end” when running from Task Scheduler? I had already cleaned the server previously, ran it once from PowerShell and it cleaned zero of everything (expected) after running for about a minute, but when I run it as a task, it just keeps running until I stop it manually.

