Hello,
According to the MS article h t t p s : / / technet.microsoft.com/en-us/library/jj635855%28v=ws.11%29.aspx?f=255&MSPPError=-2147217396, the application pool identity should be set to "ApplicationPoolIdentity". However, applying this best practice to IIS10/Server2016 stops the WSUS admin console from being able to connect to WSUS. is there a means to secure IIS but not break WSUS?
Best, Michael