Best Practices Related to IIS for SCCM SUP WSUS Setup

I was working with Microsoft support for an SCCM SUP related issue on one SCCM CB 1706 environment. The support engineer was helpful, and she helped to setup the best practices for IIS settings required for remote WSUS/SUP. All the servers referring to this post are running with Server 2012 R2 OS. This post will help you get some details about a couple of Best Practices Related to IIS for SCCM SUP WSUS Setup.

Is this post related to WSUS SUP causes high CPU?

No, this post is not related to the issue which caused high CPU usage for WSUS servers. Microsoft already released a fix for the issue explained in the KB 4039396. The KB4039396 addressed the issue with WSUS update metadata processing that can cause some clients to time out with a 0x8024401c error.Best Practices Related to IIS for SCCM SUP WSUS Setup

I also have a video tutorial published several months back about SCCM Software Update process. That post covers the end to end patching process and troubleshooting tips. You can check out the post “Video Tutorial to Learn SCCM ConfigMgr CB Software Update Patching Process“.

Best Practice – IIS – WSUS App Pool – Queue Length for SCCM CB SUP?

I have a remote WSUS + SCCM SUP server installed on 2012 R2. When the SUP is hosted on a remote server then, we can have a maximum of 150,000 clients for that SUP. A SUP that is remote from the site server can support up to 150,000 clients when the remote computer meets the WSUS requirements to support this number of clients.

So, I was planning to have 30,000 clients under that SUP. Hence, we set the WSUS app pool (Application Pool) queue length as 30,000 as you can see in the following screen capture.

How to Configure IIS WSUS Application Pool?

  • Launch Server Manager – Launch IIS Manager
  • IIS Console – Click on Application Pools
  • Right-click ‘WsusPool’ and select ‘Advanced Settings’
  • Change the value of ‘Queue Length’ under the General section from the default 1,000 to 30,000
  • Click OK to save and Reset the IIS

Best Practices Related to IIS for SCCM SUP WSUS Setup

What is Queue Length? – Maximum number of requests that HTTP .sys will queue for the application pool. When the queue is full, new requests receive a 503 “Service Unavailable” response.

Best Practice – IIS WSUS App Pool – Private memory limit Settings for Remote SUP/WSUS Server

Private memory limit is set in KB. The maximum amount of private memory a worker process can consume before causing the application pool to recycle. A value of 0 means there is no limit. If you have only a WSUS/SUP role on a dedicated server like me then, you can set the private memory limit to 0. Otherwise, you should be careful about this settings.

When you all the site system roles on a single server then, you should be very careful with private memory limit setting of WSUS Application pool. In that case, my recommendation is NOT to set 0 as private memory limit setting. This setting should be as per the hardware configuration of your SCCM site system server.

How to Open IIS WSUS Application Pool – Advanced Settings ?

  • Launch Server Manager – Launch IIS Manager
  • IIS Console – Click on Application Pools
  • Right click ‘WsusPool’ and select ‘Advanced Settings’
  • Change the value of ‘Private Memory Limit’ under the Recycling section from the default 4000000 to 0 (Updated 11th June 2019 – Check the comment below)
  • Click OK to save and restart the IIS service

Best Practices Related to IIS for SCCM SUP WSUS Setup


  • WSUS SUP causes high CPU and clients fail updates scan – here
  • What are the best Practices for Software Updates/Patching in SCCM – here
  • Windows Server 2012 R2 WSUS Issue: Clients cause the WSUS App Pool to become unresponsive with HTTP 503 – here

Sharing is caring!

6 thoughts on “Best Practices Related to IIS for SCCM SUP WSUS Setup”

  1. Hi Anoop,

    Great article, I refer back to this when setting up new SUPs even though I’ve done it a few times and have a fair idea what I’m doing, just to refresh my memory.

    Just a note, in your screenshots you’ve changed “Service Unavailable” Response Type to TcpLevel, but you haven’t actually mentioned doing it in the text anywhere.

    I know this is a thing that should be done, as I’ve read it elsewhere, perhaps you could add it to the text as well for those that are unsure.

  2. Hi, Anoop

    Think your Private Memory Limit is missing a zero. Is that showing 400MB? I’ve just checked your screenshot and that is correct, though.

    Best wishes…


Leave a Comment

This site uses Akismet to reduce spam. Learn how your comment data is processed.