Date post: 21-Jan-2018
Category: Presentations & Public Speaking
Upload: kenny-buntinx
Servicing your modern Windows workplace like a boss.
About Kenny
@KennyBuntinx
http://be.linkedin.com/in/kennybuntinx/
http://scug.be/sccm
About Tim
@Tim_DK
http://be.linkedin.com/in/timdekeukelaere/
http://www.dekeukelaere.com
Multiple ways of patching
Infrastructure requirements
Do you have the following symptoms?
- High CPU on your WSUS server – 70-100% CPU in w3wp.exe hosting WsusPool
- High memory in the w3wp.exe process hosting the WsusPool – customers have reported memory usage approaching 24 GB
- Constant recycling of the W3wp.exe hosting the WsusPool (identifiable by the PID changing)
- Clients failing to scan with 8024401c (timeout) errors in the WindowsUpdate.log
- Mostly 500 errors for the /ClientWebService/Client.asmx requests in the IIS logs
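The last symptom can be checked directly from the IIS logs of the WSUS site. The following is an added example, not part of the original slides: the function name, the sample log lines and the "more than half" threshold are assumptions made for illustration.

```powershell
# Constructed sample of an IIS W3C log for the WSUS site (not from a real server).
$sampleLog = @'
#Software: Microsoft Internet Information Services 10.0
#Fields: date time cs-method cs-uri-stem sc-status time-taken
2018-01-21 08:00:01 POST /ClientWebService/Client.asmx 500 30012
2018-01-21 08:00:02 POST /ClientWebService/Client.asmx 500 29877
2018-01-21 08:00:03 POST /ClientWebService/Client.asmx 200 412
2018-01-21 08:00:04 POST /SimpleAuthWebService/SimpleAuth.asmx 200 15
2018-01-21 08:00:05 POST /ClientWebService/Client.asmx 500 30120
'@ -split "`r?`n"

function Get-WsusClientScanHealth {
    param(
        [string[]]$LogLines,
        [double]$ErrorThreshold = 0.5   # assumption: "mostly" means more than half
    )
    $uriIdx = -1; $statusIdx = -1; $width = 0
    $total = 0; $failed = 0
    foreach ($line in $LogLines) {
        if ($line -like '#Fields:*') {
            # The log declares its own column order; re-read it on every header.
            $fields    = @(($line -replace '^#Fields:\s*', '').Trim() -split '\s+')
            $uriIdx    = [array]::IndexOf($fields, 'cs-uri-stem')
            $statusIdx = [array]::IndexOf($fields, 'sc-status')
            $width     = $fields.Count
            continue
        }
        if ($line -like '#*' -or [string]::IsNullOrWhiteSpace($line)) { continue }
        if ($uriIdx -lt 0 -or $statusIdx -lt 0) { continue }   # needed fields not logged
        $cols = @($line.Trim() -split ' ')
        if ($cols.Count -ne $width) { continue }               # truncated or malformed row
        if ($cols[$uriIdx] -ieq '/ClientWebService/Client.asmx') {
            $total++
            if ($cols[$statusIdx] -eq '500') { $failed++ }
        }
    }
    $ratio = if ($total -gt 0) { $failed / $total } else { 0 }
    [pscustomobject]@{
        ClientAsmxRequests = $total
        Http500            = $failed
        ErrorRatio         = [math]::Round($ratio, 2)
        MatchesSymptom     = ($ratio -gt $ErrorThreshold)
    }
}

Get-WsusClientScanHealth -LogLines $sampleLog
```

Against a real server, pass the content of the WSUS site's current log file as `-LogLines` instead of the constructed sample.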
Index and Clean
&
Getting your WSUS infrastructure ready
The complete guide to Microsoft WSUS and Configuration Manager SUP maintenance :
- https://blogs.technet.microsoft.com/configurationmgr/2016/01/26/the-complete-guide-to-microsoft-wsus-and-configuration-manager-sup-maintenance/
WSUS - Hotfixes
Go for Windows Server 2012 R2 with the following hotfixes:
https://support.microsoft.com/en-us/kb/3095113
https://support.microsoft.com/en-us/kb/3159706
https://support.microsoft.com/en-us/kb/4039871/
Be sure to follow the guidelines of KB3159706:
• Select HTTP Activation under .NET Framework 4.5 Features in the Server Manager Add Roles and Features wizard.
• "C:\Program Files\Update Services\Tools\wsusutil.exe" postinstall /servicing
Go for Windows Server 2016 with the following hotfixes:
https://support.microsoft.com/en-us/kb/4039396
Getting your WSUS infrastructure ready
Prepare the .esd MIME type on IIS
Error 0x8024200d? Check for duplicate .esd MIME file extensions
Getting your WSUS infrastructure ready
Configure IIS for WSUS correctly by modifying the following settings:
a. Queue Length: 9000
b. Make sure that you do not have any CPU limit configured. It should be 0 by default.
c. Under Rapid-Fail Protection, set Failure Interval (Minutes): 30 and Maximum Failures: 60
d. Private Memory Limit should not be set to unlimited (e.g. 0).
e. Next, modify the web.config file for the clientwebservice virtual application (located in prog files\update services\webservices\clientweb..):
<httpRuntime executionTimeout="500" maxRequestLength="4096" />
f. Next navigate to %Windir%\ and then run: IISReset.
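To confirm that a server actually carries the settings from steps a to e, the application pool can be audited read-only. This is an added example, not part of the original slides: the function name and the `-WebConfigPath` parameter are assumptions, and the path to the ClientWebService web.config has to be supplied by the operator.

```powershell
Import-Module WebAdministration

function Test-WsusPoolSettings {
    param(
        [string]$PoolName = 'WsusPool',
        [string]$WebConfigPath          # hypothetical parameter: full path to the web.config
    )
    function New-Check($Setting, $Expected, $Actual, [bool]$Ok) {
        [pscustomobject]@{ Setting = $Setting; Expected = $Expected; Actual = $Actual; Ok = $Ok }
    }

    # Read the pool once; nothing is modified by this function.
    $pool    = Get-Item "IIS:\AppPools\$PoolName" -ErrorAction Stop
    $minutes = $pool.failure.rapidFailProtectionInterval.TotalMinutes
    $crashes = $pool.failure.rapidFailProtectionMaxCrashes
    $memKB   = $pool.recycling.periodicRestart.privateMemory   # KB, 0 = unlimited

    $results = @(
        New-Check 'Queue Length'                   '9000'  $pool.queueLength ($pool.queueLength -eq 9000)
        New-Check 'CPU Limit'                      '0'     $pool.cpu.limit   ($pool.cpu.limit -eq 0)
        New-Check 'Failure Interval (Minutes)'     '30'    $minutes          ($minutes -eq 30)
        New-Check 'Maximum Failures'               '60'    $crashes          ($crashes -eq 60)
        New-Check 'Private Memory Limit (KB)'      'not 0' $memKB            ($memKB -ne 0)
    )

    if ($WebConfigPath) {
        # Step e: the httpRuntime element of the clientwebservice web.config.
        [xml]$cfg = Get-Content -LiteralPath $WebConfigPath -Raw
        $rt = $cfg.configuration.'system.web'.httpRuntime
        $results += New-Check 'executionTimeout' '500'  $rt.executionTimeout ($rt.executionTimeout -eq '500')
        $results += New-Check 'maxRequestLength' '4096' $rt.maxRequestLength ($rt.maxRequestLength -eq '4096')
    }
    $results
}

# Run in an elevated session on the WSUS server; rows with Ok = False show drift.
Test-WsusPoolSettings | Format-Table -AutoSize
```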
Getting your WSUS infrastructure ready - Want to include your Surface Drivers as a pre-release feature?
Content Management
Windows 10 Quality Updates
Express Updates require WSUS
Delta updates for non-WSUS (1607 - 1703 - 1709)
Delta and Cumulative have the same KB number, with the same classification, and release at the same time. Updates can be distinguished by either the update title in the catalog, or by the name of the msu:
◦ 2017-02 Delta Update for Windows 10 Version 1607 for x64-based Systems (KB1234567)
◦ 2017-02 Cumulative Update for Windows 10 Version 1607 for x86-based Systems (KB1234567)
Express Updates
Supported in Configuration Manager as of version 1702
Requires Windows 10 1607 with the April CU
As of 1706:
◦ Performance Improvements
◦ Client peer cache support for express installation files for Windows 10 and Office 365
Express Updates
Enabled in the SUP Component Properties
Express Updates
Configured through client settings
Peer Cache
Native ConfigMgr solution for peer-to-peer content sharing
All content in the ConfigMgr client cache can be shared to peers
Currently in pre-release
Continuous investments - 1702:
◦ Peer cache sources can reject clients when busy
◦ Low battery mode.
◦ CPU load exceeds 80% at the time the content is requested.
◦ Disk I/O has an AvgDiskQueueLength that exceeds 10.
◦ There are no more available connections to the computer.
◦ Additional out of the box reports
Future:
◦ Support for Windows express files
◦ Support for Office 365 delta files
Peer Cache
Cloud Management Gateway
AD CA
Windows Update
Configuring Settings
WSUS Group policy
Configure the GPO of Windows Components/Windows Update for Windows 10:
• Configure Automatic Updates: Not Configured
• Do not connect to any Windows Update Internet locations: Enabled
• Specify intranet Microsoft update service location: Enabled
• Allow updates from an intranet Microsoft update service location: Enabled
OSD WSUS Scan behavior
Create a Group called ‘Configure Windows Update Settings’ just before the Windows Update Step and add a new ‘Run Command Line’:
REG ADD HKLM\SOFTWARE\Policies\Microsoft\Windows\DeliveryOptimization /v DODownloadMode /t REG_DWORD /d 100 /f
REG ADD HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate /v DoNotConnectToWindowsUpdateInternetLocations /t REG_DWORD /d 1 /f
Add a ‘Restart Computer’ Step after the above Step.
Then create a second Group called ‘Remove Windows Update Settings’ just below the last Windows Update Step and add a new ‘Run Command Line’:
REG DELETE HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate /v DoNotConnectToWindowsUpdateInternetLocations /f
REG DELETE HKLM\SOFTWARE\Policies\Microsoft\Windows\DeliveryOptimization /v DODownloadMode /f
Client Settings for Peer Cache
Different settings for SUP
Servicing
Servicing Channels
Feature updates - Released twice per year (around March and September)
Servicing channels allow organizations to choose when to deploy new features
Do not say:
◦ CB, CBB and LTSB
Do say:
◦ Semi-Annual Channel Targeted
◦ Semi-Annual Channel
◦ Long-Term Servicing Channel (LTSC)
Source: https://technet.microsoft.com/en-us/windows/release-info
WAAS – Release Cadence
WAAS – Release Support
WAAS – What about Office?
Approaches for servicing
Windows Update
Windows Server Update Services
Windows Update for Business
System Center Configuration Manager
ConfigMgr - In practice …
Policies / MSB
Pro
- Full Control
- Add / Preserve customizations
- Application lifecycle
- Tattooing
- Software Updates
- Control User Experience
Contra
- Operational Cost (recurring)
Pro
- ADR alike
- Set and forget
Contra
- Control level
- No customizations
- Limited scheduling
- User Experience like regular SU
Phased Deployment - Process