IIS Worker Role (WSUS) Causing HIGH CPU Utilization 100%

Problem Statment: Client failed to Scan for updates and WSUS server CPU utilization (w3wp.exe) process explode to 99%/100%. Some Clients pass through, few have failed the root cause is Windows 10 Client getting a cumulative update, or example, KB4022723, KB4022715, KB4025339, etc. See here for the list of Windows 10 1607 updates.

Microsoft is aware of the known issue with KB4034658 and currently investigating to provide the hotfix.

Symptoms :

  • High CPU on your WSUS server – 70-100% CPU in w3wp.exe hosting WsusPool.
  • WSUSPool worker process (w3wp.exe) high memory utilization.
  • Constant recycling of the W3wp.exe hosting the WsusPool
  • Clients failing to scan with 8024401c (timeout) errors in the WindowsUpdate.log
  • Mostly 500 errors for the /ClientWebService/Client.asmx requests in the IIS logs

Remediation :

1) Stop the WSUS service and go to IIS manager\application pools and then open the advanced settings on the WSUSPool.

2)Set CPU memory limits to 50% (You can move it up to 70\80 once your CPU usage has stopped hitting 100% for a couple days).

3) Private Memory Limit: Set to 10 GB, minimum of 8 GB recommended by Microsoft.
Set to 0 for unlimited, depends on your current environment.

4) Queue length is kept at 15000 but it depends on how many clients its supporting at your site, however increasing this can help.

5) Now if you are having connection errors when connecting to the WSUS console you need to get onto the SUS_DB.

6) Add Server memory and CPU’s for virtual environments. If you have hotplug enable for your VM’s you can do it directly else have change control to get it done.

7) Clean WSUS obsolete updates :
Run the store procedure “spGetObsoleteUpdatesToCleanup” to gather the amount of obsolete updates. If you haven’t cleaned by past 1 year you could have WSUS DB nearly to 1000+ updates.
Note: It’s highly recommended to clean WSUS on a timely basis, every year should be better in my opinion.

8) Now run the following script to delete them:

DECLARE @msg nvarchar(100)

CREATE TABLE #results (Col1 INT)
INSERT INTO #results(Col1) EXEC spGetObsoleteUpdatesToCleanup

SELECT Col1 FROM #results

INTO @var1
BEGIN SET @msg = ‘Deleting ‘ + CONVERT(varchar(10), @var1)
RAISERROR(@msg,0,1) WITH NOWAIT EXEC spDeleteUpdate @localUpdateID=@var1
DROP TABLE #results

9) Run WSUS Server Cleanup Wizard to remove “Superseded and Expired Updates ” as well.

10) After Cleanup is finished , we need to re-index WSUS database , run below script

Download here . For more details how to Cleanup WSUS click here.

Microsoft is working to provide hotfix ASAP for this open issue, till then follow above steps to keep your WSUS environment healthy.


Now Available: Update 1702 for System Center Configuration Manager

March 26, Microsoft has announced that they have released SCCM version 1702 for Current Branch (CB) that includes some great new features and product enhancements. If you are running with SCCM environment version 1606 or 1610 the new update will be available as an in-console and can be directly upgraded to SCCM CB 1702. If for some reason it is not visible in our SCCM console,  if yes? Please find the PowerShell script here to ensure that you are in the first wave of the customer to get the update.

SCCM 1702 updates include many new features and enhancement in Windows 10 management and new functionality using Configuration Manager connected with Microsoft Intune. Let’s discuss a few of the enhancement below:

  • Support for Windows 10 Creators Update – This version of Configuration Manager now supports the release of upcoming Windows 10 Creators Update. You can upgrade Windows 10 ADK to the latest version for full OS imaging support.
  • Express files support for Windows 10 Cumulative Update – Configuration Manager now supports Windows 10 Cumulative Update using Express files.
  • Deploy Office 365 apps to clients – Beginning in version 1702, from Office 365 Client Management dashboard, you can start the Office 365 Installer that lets you configure Office 365 installation settings, download files from Office Content Delivery Networks (CDNs), and deploy the files as an application in Configuration Manager.
  • Customize high-risk deployment warning – You can now customize the Software Center warning when running a high-risk deployment, such as a task sequence to install a new operating system.
  • Close executable files at the deadline when they would block application installation – If executable files are listed on the Install Behavior tab for a deployment type and the application is deployed to a collection as required, then a more intrusive notification experience is provided to inform the user, and the specified executable files will be closed automatically at the deadline.
  • Conditional access for PCs managed by System Center Configuration Manager – Now production ready in update 1702, with conditional access for PCs managed by Configuration Manager, you can restrict access to various applications (including but not limited to Exchange Online and SharePoint online) to PCs that are compliant with the compliance policies you set

Few enhancements included which connected with Microsoft Intune.

  • Android for Work support – You can now enroll devices, approve and deploy apps, and configure policies for devices with Android for Work.
  • Lookout threat details – You can view threat details as reported by Lookout on a device.
  • Apple Volume Purchase Program (VPP) enhancements – You can now request a policy sync on an enrolled mobile device from the Configuration Manager console.
  • Additional iOS configuration settings – We added support for 42 iOS device settings for configuration items.

Microsoft has removed and dropped support for following product with the new release of SCCM 1702.

  • SQL Server 2008 R2, for site database servers. This version of SQL Server remains supported when you use a Configuration Manager version prior to version 1702.
  • Windows Server 2008 R2, for site system servers and most site system roles. This version of Windows remains supported when you use a Configuration Manager version prior to version 1702.
  • Windows Server 2008, for site system servers and most site system roles.
  • Windows XP Embedded, as a client operating system. This version of Windows remains supported when you use a Configuration Manager version prior to version 1702.

Microsoft has made improvement in-console search as:

  • Object Path:
    Many objects now support a column named Object Path. When you search and include this column in your display results, you can view the path to each object. For example, if you run a search for apps in the Applications node and are also searching sub-nodes, the Object Path column in the results pane will show you the path to each object that is returned.
  • Preservation of search text:
    When you enter text into the search text box, and then switch between searching a sub-node and the current node, the text that you typed will now persist and remain available for a new search without having to re-enter it.
  • Preservation of your decision to search sub-nodes:
    The option that you choose for searching the current node or all sub-nodes now persists when you change the node you are working in. This new behavior means that you do not need to constantly reset this decision as you move around the console. By default, when you open the console the option is to search only the current node.

Send feedback from the Configuration Manager console

You can use the in-console feedback options to send feedback directly to the development team. You can find the Feedback option:

  • In the ribbon, at the far left of the Home tab of each node.
  • When you right-click on any object in the console.
    Righ-click option

Choosing Feedback opens your browser to the Configuration Manager UserVoice feedback website.

Peer Cache improvements

Beginning with version 1702, a peer cache source computer will reject a request for content when the peer cache source computer meets any of the following conditions:

  • Is in low battery mode.
  • CPU load exceeds 80% at the time the content is requested.
  • Disk I/O has an AvgDiskQueueLength that exceeds 10.
  • There are no more available connections to the computer.

Additionally, three new reports are added to your reporting point. You can use these reports to understand more details about rejected content requests, including which boundary group, computer, and content was involved.

Content library cleanup tool

Use the content library cleanup tool to remove content from distribution points when that content is no longer associated with an application.

Software update points are added to boundary groups

Beginning with version 1702, clients use boundary groups to find a new software update point, and to fall-back and find a new software update point if their current one is no longer accessible. You can add individual software update points to different boundary groups to control which servers a client can find. For more information, see software update points in the configuring boundary groups topic.

Windows 10 ADK tracked by build version

The Windows 10 ADK is now tracked by build version to ensure a more supported experience when customizing Windows 10 boot images. For example, if the site uses the Windows ADK for Windows 10, version 1607, only boot images with version 10.0.14393 can be customized in the console. For details about customizing WinPE versions, see Customize boot images.

Default boot image source path can no longer be changed

Default boot images are managed by Configuration Manager and the default boot image source path can no longer be changed in the Configuration Manager console or by using the Configuration Manager SDK. You can continue to configure a custom source path for custom boot images.

Deploy Office 365 apps to clients

Beginning in version 1702, from the Office 365 Client Management dashboard, you can start the Office 365 Installer that lets you configure Office 365 installation settings, download files from Office Content Delivery Networks (CDNs), and deploy the files as an application in Configuration Manager.

Android for Work support

Starting with 1702, Hybrid mobile device management with Microsoft Intune now supports Android for Work device enrollment and management.

Improvements to certificate profiles

You can now create a PFX certificate profile that supports S/MIME and deploy it to users. The certificate can then used for S/MIME encryption and signing on all iOS devices that the user has enrolled. Additionally, you can now specify multiple certification authorities (CAs) on multiple Certificate registration point site system roles and then assign which CAs process requests as part of the certificate profile.

Please find the complete doc here.

SCCM site information not publishing in DNS for Multiple Domains

Problem Statement: My current Organization(ex. MAK.com) has a merger with new Organization (Ex: ABC.com Company). We have AD trust relationship established between the new domain. When I am trying to install the SCCM client on ABC.com machines I am getting error in my locationsevices.log as  “DNS Service Record using _msms_mp_<Site Code>.tcp_<Domain Name> lookup DNS return error 9003″


Solution:  I would like to check whether DNS is working fine and try to check all ports and communication is enabled to my SCCM server from the target machine hosted in (ABC.com) domain.

1) Check for the mpcontrol.log to check the Management Point status the below message suggest MP is working fine and healthy.


2) Re-Check in SCCM Server if DNS publishing is enabled for all the intranet Management points.


3) To fix the DNS issue we can configure DNS publishing, enable dynamic updates by enabling it on DNS Zone.

DNS dynamic.png

Wait for few mins (15-20 mins) and check mpcontrol.log  and you will see in the logs SRV registration will be successful.

DNS_service record.png

5) If still, you face issue then the last step we can do is that we can publish SRV record manually. Let’s see below step by step how we can achieve it.

We need to create an SRV record in DNS server manually.  GoTo-> DNS Manager -> _sites ->_tcp -> Other New Records.




We will fill following fields in the SRV record as below:

_Service: _mssms_mp_<sitecode> (ex: _mssms_mp_P01)
_Proto: _tcp
Name: Specify the domain name (ex: ABC.com)
Priority: 0 (not used)
Weight: 0 (not used)
Port: 80 or 443
Target: The SCCM site server (ex: BLRSCCMPRI.COM)


Wait for 10-15 mins and check the client machines(target machines) in ABC.com where we want to install the SCCM Client.

Now agent will be installed successfully.

This slideshow requires JavaScript.

SCCM Technical Preview 1701 now available!

Microsoft System Center Technical Preview update 1701 is available now let’s see in brief all new features available with new SCCM 1701 version. Microsoft has come out with few exciting few in TP 1701 we will be discussing below. All the information about SCCM TP 1701 is available at official siteWhen we install version 1701 your console version will update to 5.00.8482.1000. Let’s discuss SCCM TP 1701 new features:

1) UEFI inventory data:  A new hardware inventory class SMS_Firmware and property UEFI is available to help collect hardware information before we set the UEFI property should be set to value as “True”.



2) Improvement to OSD: The maximum number of the application that can be installed in Install Application Task step increased from 9 to 99.

3) Device health attestation via Management Point:  A new advanced feature in Management point component properties. To configure on-device health attestation service URL, click on ADD button and provide URL.


4)Updated Content Library CleanUp Tool: Command line tool (ContentLibraryCleanUp executable file ) used to remove content which is orphaned from the distribution point.

5) Improvement in Boundary Group for SUP: Configure boundary group to associate one or more host that host a SUP.

6) Host software updates on cloud-based distribution points: This version support cloud-based distribution point to host software updates but with hosting DP on the cloud will introduce additional cost.


Create custom SQL report using Report Builder 3.0

I am writing this post to explain step by step process how we can create a custom report in SCCM (System Center Configuration Manager)  using Report Builder 3.0.

The minimum requirement  to create the custom report using Report Builder we need to install the Reporting Service Point Role in SCCM site.

In this blog, I will create a custom report to fetch application installed and its version.

Let’s get started 🙂

1) Open the SCCM Console and navigate to monitoring . GoTo-> Reports->Create Report.


2) Provide the name of the report which you want to have it  for this scenario I will name it as “Mayukh – Report to List Installed Applications” . Select the path where the report will reside in SCCM under “Reporting“. You can customise and have a custom folder under Reporting in SCCM .


3) Click “Next”  , “Next”  , “Finish” . After you close the wizard Internet-Explorer will automatically launch , security warning dialog box will be prompted click “Run” to proceed. If you have installed Report Builder 3.0 it will directly launch the Report Builder where you can directly customize and create a report.


4) Once the report builder will be launched GoTo-> DataSource -> Click on Properties. We will create a “Datasource” and in case if you have limited admin rights to connect to SQL Database you need to provide your credentials to proceed.


To make sure your credential provide is correct and you can able to connect to Database instance click on “Test Connection“. You can see the successful message box .



5) Now create a dataset and select the Data Source and click “Test Connection“. Click on “Edit Text ” and paste the SQL query . Click “!” to execute the query and see query works as expected and click “Next”.


6) Arrange the different fields as shown below and click “Next”. Click next , next and keep all the settings as default .


7) If you would like to customise and have better look and feel you can design it . Click “Run” to execute the report and check if it works as expected.


8) If everything looks fine , remember to save the report before you exit.

You can download and run the report directly from below link  :











How to Update and Patch Nano Server Using PowerShell ?

We can patch nano server with 4 simple steps as we usually do for any general windows server updates.

1) Check for Updates.
2) Install Updates.
3) Restart the server.
4) List all installed updates.

To get the above action completed we need to write PowerShell Script name it as WindowsUpdates_NanoServer.ps1

Login to your Nano Server and copy the below PowerShell script to the server. The script which check for updates and if any updates are require it will install and reboot the server.

######Check for Updates#####
$ci = New-CimInstance -Namespace root/Microsoft/ Windows/WindowsUpdate -ClassName MSFT_WUOperationsSession
$result = $ci | Invoke-CimMethod -MethodName ScanForUpdates -Arguments @{ SearchCriteria=”IsInstalled=0″; OnlineScan=$true}

##### Install Updates#######

$ci = New-CimInstance -Namespace root/Microsoft/Windows/ WindowsUpdate -ClassName MSFT_WUOperationsSession
Invoke-CimMethod -InputObject $ci -MethodName ApplyApplicableUpdates

##### Restart the Server#####

Restart-Computer; exit

Note : If you receive a disk space error increase VHD size to 4 GB.

Once you login back run the below script to check whether the all the latest updates are installed?

##### List all installed Updates #####
$ci = New-CimInstance -Namespace root/Microsoft/Windows/WindowsUpdate -ClassName MSFT_WUOperationsSession
$result = $ci | Invoke-CimMethod -MethodName ScanForUpdates -Arguments @{ SearchCriteria=”IsInstalled=1″; OnlineScan=$true}

Configuration Manager 1606 – Stuck in Downloading State

I was trying to update my SCCM environment from 1602 to 1606 , I can see the hotfix got stuck while downloading.


How we can fix it ?

The solution seems to be straight forward , I stop/start SMS_EXECUTIVE service and it fixed the issue.


Within a few minutes, you will see the latest update appear and start to download.

Note : If the issue still persists try to have a look on log file dmpdownload.log.