
WSUS, MU and WU oh my!

Date post: 06-Feb-2017
WSUS, MU and WU oh my! SMB Technology Network Susan Bradley, Patchaholic
Transcript
Page 1: WSUS, MU and WU oh my!

WSUS, MU and WU oh my!
SMB Technology Network

Susan Bradley, Patchaholic

Page 2: WSUS, MU and WU oh my!

We’re going to assume

• You’ve done your homework
• http://www.vladville.com/2005/12/sbs-show-8-patch-management-with-susan.html
• Think risk management

Page 3: WSUS, MU and WU oh my!

WU and MU
The basics of Windows and Microsoft Update

Page 4: WSUS, MU and WU oh my!

WU versus MU

• Windows Update – Just patches Windows
– http://update.microsoft.com/windowsupdate
• Microsoft Update
– http://update.microsoft.com/microsoftupdate
– Patches [at this time]
– Windows
– Office
– Exchange
– More to come

• Engine is the same - Troubleshoot the same

Page 5: WSUS, MU and WU oh my!

MU is optional

• Opt in to MU

Page 6: WSUS, MU and WU oh my!

MU steps

• Accept EULA
• Need to install software to use it
• Downloads ActiveX files
• \Windows\Downloaded Program Files
• The following ActiveX controls will be installed:
– MUWebControl Class
– WUWebControl Class

Page 7: WSUS, MU and WU oh my!

Is it safe?

• On the first visit you will get an ‘Authenticode’ prompt

Page 8: WSUS, MU and WU oh my!

Checking for updates

Page 9: WSUS, MU and WU oh my!

Two options to install

• Express Install: This option is recommended and provides the easiest method for installing high priority updates.

• Custom Install: This option enables a user to select which specific updates are installed.

Page 10: WSUS, MU and WU oh my!

Better ‘history’ interface

Page 11: WSUS, MU and WU oh my!

Revert to WU

• Go back
• Click on Change settings
• Check the box

Page 12: WSUS, MU and WU oh my!

Test connectivity

• https://update.microsoft.com/v6/ClientWebService
• If you see this:

• You are good to go

Page 13: WSUS, MU and WU oh my!

File updated

• Windows Genuine Advantage control
• Windows Installer 3.1
• Background Intelligent Transfer Service (BITS) update

Page 14: WSUS, MU and WU oh my!

Auto updates options

• Download
• Will allow you to install them at a later time

Page 15: WSUS, MU and WU oh my!

But don’t forget the help files

Page 16: WSUS, MU and WU oh my!

Troubleshooting

• SUS Support file
• http://download.microsoft.com/download/b/b/1/bb139fcb-4aac-4fe5-a579-30b0bd915706/MPSRPT_SUS.EXE
• Operating System and Service Pack Level – Right-click My Computer and select Properties
• Internet Explorer Version and Service Pack Level – Check the Help > About interface in Internet Explorer

Page 17: WSUS, MU and WU oh my!

Items to gather for troubleshooting

• Internet Explorer Cipher Strength – Check the Help > About interface in Internet Explorer
• Network Configuration (local area network [LAN], DSL, Firewall, etc.)
• Tried using the Windows Update v6 Troubleshooter?
• Has anything changed on the machine recently?

Page 18: WSUS, MU and WU oh my!

In the SUS reporting tool

• Windows Update logs (both Version 4 and Version 6)

• ReportingEvents.log, which shows what error was returned to our servers.

• Internet Explorer Registry key data to help with proxy or access issues

• Windows Update Registry key to help with policy and Automatic Updates issues

• Service Output file to show what services are running on the machine and which are stopped.

Page 19: WSUS, MU and WU oh my!

SUS reporting tool

• Application and System event logs
• BITS Admin log to help investigate download issues
• Update.exe installation logs to help with installation failure issues
• Setuplog to help investigate installation issues
• Setupapi.log to help investigate driver installation issues

Page 20: WSUS, MU and WU oh my!

Log files

• Click Start, then click Run, type WINDOWSUPDATE.LOG, and then click OK.

• windows update.log – Is the v4 version

• WindowsUpdate.log – Is the v6 version

Page 21: WSUS, MU and WU oh my!

Common errors

• 0x80072EE2 – 0x80072F78 – 0x80072F76 – 0x80072EFD
– 836941 - You receive an "Error 0x80072EE2" or "Error 0x80072EFD" error message when you try to use Windows Update

– Add Windows Update Web sites to the Trusted Sites list

Page 22: WSUS, MU and WU oh my!

Common Errors

• 0x80070424

– How to troubleshoot problems accessing secure Web pages with Internet Explorer 6 Service Pack 2 (870700)

– This Windows Update error code is caused by unregistered DLL files for Windows Update or Internet Explorer. On Windows XP SP2 and later this may be resolved using the “iexplore /rereg” command.

Page 23: WSUS, MU and WU oh my!

Common Errors

• 0x80244001/0x800A01AD
– These Windows Update error codes can be caused by a damaged Windows XP XML subsystem. The first step to take is to reregister this component using the command “regsvr32 msxml3.dll”. If this does not resolve the issue, check for more recently updated MSXML Parser and MSXML components from the following link: http://www.microsoft.com/downloads/results.aspx?productID=&freetext=msxml&DisplayLang=en

Page 24: WSUS, MU and WU oh my!

Common Errors

• When accessing the Update site, you receive the 0x800A01AE error.
– This issue may happen if the current session of Internet Explorer has cached an older version of Wuapi.dll
– Re-register the Windows Update DLL with the commands below
– Click Start, click Run, type cmd, and then click OK.
– Type the following commands. Press ENTER after each command.
regsvr32 wuapi.dll
regsvr32 wuaueng.dll
regsvr32 wuaueng1.dll
regsvr32 wucltui.dll
regsvr32 wups.dll
regsvr32 wups2.dll
regsvr32 wuweb.dll

Page 25: WSUS, MU and WU oh my!

Common Errors

• 0x80248011
– This Windows Update error code is normally related to inconsistent or damaged information in the c:\windows\softwaredistribution folder. Stopping the Automatic Updates service, then renaming the c:\windows\softwaredistribution folder to SDOLD, then restarting the Automatic Updates service is normally the fix for this issue.
– Note: Renaming this folder will clear the display of previous successful and failed updates.

Page 26: WSUS, MU and WU oh my!

Common Errors

• 0x800B0001
– This Windows Update error code is related to 3 particular DLL files that are not registered in Windows correctly. Registering the following files with REGSVR32 normally fixes this issue:
– Softpub.dll
– Mssip32.dll
– Initpki.dll

Page 27: WSUS, MU and WU oh my!

Common Errors

• 0x8024402C
– This Windows Update error can be caused by a damaged installation of BITS and corrupted information in the SoftwareDistribution folder. The solution is normally to re-download the BITS updates (KB883357 and KB842773) from the Microsoft.com website, then stop the Automatic Updates service and rename the SoftwareDistribution folder to SDOLD. Reboot the computer and return to Windows Update.

Page 28: WSUS, MU and WU oh my!

Diagnose tools

• Look at WindowsUpdate.log from the bottom up

• To enable site tracing for a single visit to the Windows Update site, add “&dev=true” to the end of the URL, as in the example below: http://update.microsoft.com/windowsupdate/v6/default.aspx?ln=en&dev=true
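
Reading WindowsUpdate.log from the bottom up and matching what turns up against the "Common errors" slides can be scripted. The Python script below is an added example, not part of the original deck; it assumes the v6 log's tab-separated layout (date, time, PID, TID, component, text), and the sample log lines are constructed.

```python
import re

# Remedies as listed on the "Common errors" slides of this deck.
TRUSTED = "add the Windows Update sites to Trusted Sites (KB 836941)"
MSXML = "regsvr32 msxml3.dll, then check for updated MSXML components"
SDOLD = "stop Automatic Updates, rename SoftwareDistribution to SDOLD"
REMEDIES = {
    "0x80072EE2": TRUSTED, "0x80072F78": TRUSTED,
    "0x80072F76": TRUSTED, "0x80072EFD": TRUSTED,
    "0x80070424": "iexplore /rereg (Windows XP SP2 and later)",
    "0x80244001": MSXML, "0x800A01AD": MSXML,
    "0x800A01AE": "re-register wuapi.dll and the other Windows Update DLLs",
    "0x80248011": SDOLD + ", restart the service",
    "0x800B0001": "regsvr32 Softpub.dll, Mssip32.dll and Initpki.dll",
    "0x8024402C": "re-download KB883357 and KB842773, " + SDOLD + ", reboot",
}

# A failing HRESULT has its top bit set, so its first hex digit is 8-F.
# Assumption: codes appear either as "0x8024402C" or as "hr = 8024402c".
FAILURE = re.compile(r"(?:0x|hr\s*=\s*)([89A-F][0-9A-F]{7})\b", re.IGNORECASE)

def parse_line(line):
    """Split one record: date, time, PID, TID, component, text (assumed layout)."""
    parts = line.split("\t", 5)
    if len(parts) != 6:
        return None  # wrapped or damaged line, skip it
    return {"when": parts[0] + " " + parts[1],
            "component": parts[4].strip(), "text": parts[5]}

def triage(log_text):
    """Walk the log bottom-up; return one finding per failure code, newest first."""
    findings = {}
    for line in reversed(log_text.splitlines()):
        rec = parse_line(line)
        if rec is None:
            continue
        for digits in FAILURE.findall(rec["text"]):
            code = "0x" + digits.upper()
            hit = findings.setdefault(code, {
                "code": code, "count": 0, "last_seen": rec["when"],
                "component": rec["component"], "remedy": REMEDIES.get(code)})
            hit["count"] += 1
    return list(findings.values())

# Constructed sample, not taken from a real machine; 0x8FFFFFFF is a made-up code.
SAMPLE_LOG = "\n".join([
    "2005-12-01\t09:14:02:118\t 884\t5c0\tAgent\t** START **  Agent: Finding updates",
    "2005-12-01\t09:14:23:310\t 884\t5c0\tMisc\tWARNING: Send failed with hr = 80072ee2.",
    "2005-12-01\t09:14:23:325\t 884\t5c0\tAgent\tWARNING: Failed to synchronize, error = 0x80072EE2",
    "2005-12-01\t09:20:10:002\t 884\t5c0\tAgent\tWARNING: Search failed with error 0x80248011",
    "    continuation text without columns",
    "2005-12-01\t09:31:44:771\t 884\t6f4\tSetup\tFATAL: constructed code 0x8FFFFFFF",
])

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f["last_seen"], f["code"], "x%d" % f["count"], "->",
              f["remedy"] or "not on the slides; look it up")
```
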

Page 29: WSUS, MU and WU oh my!

Troubleshooting

• Most third party firewalls such as Norton Personal Firewall block SVCHOST (Generic Host Process Win32) communication by default. This can cause issues with Windows Update as SVCHOST communication is required by the Windows Update client to connect to the Windows Update Servers on the internet.

Page 30: WSUS, MU and WU oh my!

WSUS basics
Are you ready to patch?

Page 31: WSUS, MU and WU oh my!

WSUS

• Patches the same pieces as MU
• More to come
• Clients ‘check in’ with server
• Not push
• Pull
• Can force a push if need be via scripting
• http://www.microsoft.com/downloads/details.aspx?FamilyId=3BA03939-A5A9-407B-A4B0-1290BA5182F8&displaylang=en

Page 32: WSUS, MU and WU oh my!

WSUS installation

• Install on server
• Will go on port 8530 by default
• On Standard, loads up an MSDE instance
• Remember …clients may need in registry http://servername:8530 or Group
• Beginners guide to WSUS
• http://uphold2001.brinkster.net/vbshf/wsus/wsus_faq.htm

Page 33: WSUS, MU and WU oh my!

WSUS issues

• Clients may not check in
– Manually put in registry
• Sync process takes a long time
– About 24 hours if you pull down all files

Page 34: WSUS, MU and WU oh my!

Install

• Double-click the installer file WSUSSetup.exe.
• Note: The latest version of WSUSSetup.exe is available on the Microsoft Web site for Windows Server Update Services at http://go.microsoft.com/fwlink/?LinkId=47374.
• 2. On the Welcome page of the wizard, click Next.
• 3. Read the terms of the license agreement carefully, click I accept the terms of the License Agreement, and then click Next.
• 4. On the Select Update Source page, you can specify where clients get updates. If you select the Store updates locally check box, updates are stored on the WSUS server and you select a location in the file system to store updates. If you do not store updates locally, client computers connect to Microsoft Update to get approved updates.
• Keep the default options, and click Next.
• Select Update Source Page

Page 35: WSUS, MU and WU oh my!

Install

• Needs a LOT of space
• 6 GB

Page 36: WSUS, MU and WU oh my!

WMSDE is default

• On the Database Options page, you select the software used to manage the WSUS database. By default, WSUS Setup offers to install WMSDE if the computer you are installing to runs Windows Server 2003.

• If you cannot use WMSDE, you must provide a SQL Server instance for WSUS to use, by clicking Use an existing database server on this computer and typing the instance name in the SQL instance name box. For more information about database software options besides WMSDE, see the “Deploying Microsoft Windows Server Update Services” white paper.

• Keep the default options, and click Next.
• Database Options Page

Page 37: WSUS, MU and WU oh my!

WSUS install

Now up to 8 gigs

Page 38: WSUS, MU and WU oh my!

• WSUS on SBS will choose 8530

Page 39: WSUS, MU and WU oh my!

On premium – set up the rule [pre done on SBS]

• http://windowsupdate.microsoft.com
• http://*.windowsupdate.microsoft.com
• https://*.windowsupdate.microsoft.com
• http://*.update.microsoft.com
• https://*.update.microsoft.com
• http://*.windowsupdate.com
• http://download.windowsupdate.com
• http://download.microsoft.com
• http://*.download.windowsupdate.com
• http://wustat.windows.com
• http://ntservicepack.microsoft.com

Page 40: WSUS, MU and WU oh my!

Proxy settings

• On the WSUS console toolbar, click Options, and then click Synchronization Options.

• 2. In the Proxy server box, select the Use a proxy server when synchronizing check box, and then type the proxy server name and port number (port 80 by default) in the corresponding boxes.

• 3. If you want to connect to the proxy server by using specific user credentials, select the Use user credentials to connect to the proxy server check box, and then type the user name, domain, and password of the user in the corresponding boxes. If you want to enable basic authentication for the user connecting to the proxy server, select the Allow basic authentication (password in clear text) check box.

• 4. Under Tasks, click Save settings, and then click OK in the confirmation dialog box.

Page 41: WSUS, MU and WU oh my!

To get to WSUS

• Admin tools

• http://servername:8530/WSUSAdmin/

Page 42: WSUS, MU and WU oh my!

WSUS sync

Page 43: WSUS, MU and WU oh my!

WSUS console

Missing the computers!

Page 44: WSUS, MU and WU oh my!

Adding the WUAU template

• 1. In Group Policy Object Editor, click either of the Administrative Templates nodes.
• 2. On the Action menu, click Add/Remove Templates.
• 3. Click Add.
• 4. In the Policy Templates dialog box, click wuau.adm, and then click Open.
• 5. In the Add/Remove Templates dialog box, click Close.

Page 45: WSUS, MU and WU oh my!

Getting the clients to ‘check in’

• In Group Policy Object Editor, expand Computer Configuration, expand Administrative Templates, expand Windows Components, and then click Windows Update.

• In the details pane, click Specify Intranet Microsoft update service location.

• Type the HTTP URL of the same WSUS server in both Set the intranet update service for detecting updates and Set the intranet statistics server. For example, type http://servername:8530 in both text boxes, where servername is the name of your WSUS server.

• Click OK, and then configure the behavior of Automatic Updates

Page 46: WSUS, MU and WU oh my!

Known issue of ‘compression’

• Get the hotfix
• Or ‘kick them’ to check into the system

Page 47: WSUS, MU and WU oh my!

Assigning groups

• Two methods
– Group policy
– Move computers

Page 48: WSUS, MU and WU oh my!

GPMC

• Add a new policy

Page 49: WSUS, MU and WU oh my!

Editing Group policy

• Why NOT edit an existing one?
• SP redeployed these and would blow off your customizations
• Add new
• Right mouse click on edit

Page 50: WSUS, MU and WU oh my!

Drill down to the setting

• Computer config
• Admin
• Components
• Windows Update

Page 51: WSUS, MU and WU oh my!

WU – point it

• First point your intranet updating
• Remember 8530

Page 52: WSUS, MU and WU oh my!

Change the check in interval

• If you like – change the detection frequency

Page 53: WSUS, MU and WU oh my!

Client side targeting

• This one seems to make things ‘work’

• Put a name in there to get things ‘waking up’

• You’ll move it later

Page 54: WSUS, MU and WU oh my!

To force it

• GPupdate /force
– On server
– And on workstation if you want to test it ‘now’

Page 55: WSUS, MU and WU oh my!

Group Policy settings

• Final results on the GP screen

Page 56: WSUS, MU and WU oh my!

Servers and Workstations

• Will begin to ‘check in’

Page 57: WSUS, MU and WU oh my!

Adding ZONES

• Key decision making right here
• What risk
• What zone
• What deployment strategy
• Who gets what patches when?
• At least have a Zone for the server[s]
• One for workstations
• More zones?
• Your ‘canary testers’?
• LOB app machines?

Page 58: WSUS, MU and WU oh my!

• Groups are your Risk areas
• Create the ‘groups’ to match your risk zones

Page 59: WSUS, MU and WU oh my!

Assign accordingly

• Again think of groups as ‘risk zones’

Page 60: WSUS, MU and WU oh my!

Don’t gloss over this

• This is your most important step
• You are assigning risk values with this process

Page 61: WSUS, MU and WU oh my!

More info on WSUS [sbs-ized]

• www.smallbizserver.net

Page 62: WSUS, MU and WU oh my!

WSUS for your clients

• Can remote in and approve patching
• 1. On the WSUS console toolbar, click Updates. By default, the list of updates is filtered to show only Critical and Security Updates that have been approved for detection on client computers. Use the default filter for this procedure.

• 2. On the list of updates, select the updates you want to approve for installation. Information about a selected update is available on the Details tab. To select multiple contiguous updates, press and hold down the SHIFT key while selecting; to select multiple non-contiguous updates, press and hold down the CTRL key while selecting.

• 3. Under Update Tasks, click Change approval. The Approve Updates dialog box appears.

• 4. In the Group approval settings for the selected updates list, click Install from the list in the Approval column for the Test group, and then click OK.

Page 63: WSUS, MU and WU oh my!

You as the master WSUSer

• If you are a Microsoft Certified Partner or Registered Partner, submit two (2) signed complete originals of the Microsoft SPLA agreement V2.1 Sept03.pdf to Software Spectrum Inc.
• If you are NOT a Microsoft Certified Partner or Registered Partner:
• 1) You will need to have a Microsoft Registered Partner number to complete the attached SPLA MCP addendum. You can become a Registered Partner at http://members.microsoft.com/partner/program/enroll/default.aspx.
• 2) You need to register for the Microsoft Windows® Web Hoster Program at http://www.microsoft.com/serviceproviders/webhosting/default.asp
• 3) Submit two (2) signed complete originals of the SPLA MCP addendum V2.1.doc to Software Spectrum Inc.
• 4) Submit two (2) signed complete originals of the Microsoft SPLA agreement V2.1 Sept03.pdf to Software Spectrum Inc.
• All signed agreements must be mailed to:
• Software Spectrum
• Attn: Microsoft Contracts Team
3480 Lotus Dr. Plano, TX 75075

[email protected]

Page 64: WSUS, MU and WU oh my!

Clients can point to you

• As Master WSUSer
• Easier if you just remote and approve
• Recommend a patch agreement program
• You do not guarantee patch status
• You offer to work with vendor
• Investigate work arounds and mitigations

Page 65: WSUS, MU and WU oh my!

WSUS info

• http://support.microsoft.com/default.aspx?scid=kb;en-us;894199

Page 66: WSUS, MU and WU oh my!

Approve updates

• Approval

Page 67: WSUS, MU and WU oh my!

Approval

• Approval – be patient

Page 68: WSUS, MU and WU oh my!

Patch issues

• Patch testing
– How can we do it in SBSland
– Virtual servers
– Identified key testers
– Review known issues [in each bulletin]
– Watch the communities
– Don’t bother testing Office/Windows…unless
– Standardize …standardize

Page 69: WSUS, MU and WU oh my!

Patching

• Do you need to patch?
• Zoning – who is at risk?
• Is that port open?
• How can get you?
• Resources for determining risks

Page 70: WSUS, MU and WU oh my!

Risk Resources

• Threats and Countermeasures guide
• www.threatsandcountermeasures.com
• Ports open
• www.grc.com shields up test

Page 71: WSUS, MU and WU oh my!

Patch resources

• www.patchmanagement.org
– WSUS
– General Patch Mgmt
• WSUS blog - http://msmvps.com/athif/
• WSUS wiki - http://wsus.editme.com/WSUSonSBS
• WSUS blog – http://blogs.technet.com/wsus

Page 72: WSUS, MU and WU oh my!

What’s better about WSUS?

• 5 key benefits
– More products updated (Exchange, Office, SQL) and more update types (drivers, etc).
– Reporting
– Target Groups
– Install at Shutdown
– Scripting/API

Page 73: WSUS, MU and WU oh my!

Scripting

• Two sets of APIs
– Client side
– Server side
• Documentation with RC
– WUA_SDK.CHM
– WUS.CHM

• WSUSADMIN site a reference implementation using APIs

• If you don’t like the UI, you could do it yourself

Page 74: WSUS, MU and WU oh my!

Troubleshooting

• Main causes of issue are simple configuration errors
– “http://wsusservernome/” in a GPO Object
• SelfUpdate tree needs to be on port 80
• Tools with the RC
– Clientdiag.exe – diagnoses some issues
• Logs
– %systemroot%\WindowsUpdate.log
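
The settings from the "Getting the clients to ‘check in’" slide and the GPO typo above can be checked offline against a .reg export of the client's policy key. This Python script is an added example, not part of the original deck; the value names (WUServer, WUStatusServer, UseWUServer, TargetGroup, TargetGroupEnabled) come from Microsoft's documented WSUS client policy settings rather than from the slides, and both exports are constructed.

```python
import re
from urllib.parse import urlsplit

# Documented WSUS client policy key; the value names are not on the slides.
WU_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate"
VALUE = re.compile(r'^"([^"]+)"=(?:"(.*)"|dword:([0-9a-fA-F]{8}))$')

def parse_reg(text):
    """Read a .reg export into {KEY PATH: {value name: str or int}}."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = keys.setdefault(line[1:-1].upper(), {})
        elif current is not None and (m := VALUE.match(line)):
            name, text_value, dword = m.groups()
            current[name] = int(dword, 16) if dword is not None else text_value
    return keys

def audit(reg_text, expected_host, expected_port=8530):
    """Return a list of problems; an empty list means none were found."""
    keys = parse_reg(reg_text)
    wu = keys.get(WU_KEY.upper(), {})
    au = keys.get(WU_KEY.upper() + r"\AU", {})
    problems = []
    urls = {n: wu.get(n) for n in ("WUServer", "WUStatusServer")}
    if not all(urls.values()):
        problems.append("WUServer and WUStatusServer must both be set")
    elif len({u.rstrip("/").lower() for u in urls.values()}) != 1:
        problems.append("WUServer and WUStatusServer differ")
    for name, url in ((n, u) for n, u in urls.items() if u):
        parts = urlsplit(url)
        if parts.hostname != expected_host.lower():
            problems.append(f"{name}: host {parts.hostname!r}, expected {expected_host!r}")
        port = parts.port or (443 if parts.scheme == "https" else 80)
        if port != expected_port:
            problems.append(f"{name}: port {port}, expected {expected_port}")
    if au.get("UseWUServer") != 1:
        problems.append("AU\\UseWUServer is not 1, so WUServer is ignored")
    if wu.get("TargetGroupEnabled") == 1 and not wu.get("TargetGroup"):
        problems.append("client-side targeting is on but TargetGroup is empty")
    return problems

# Constructed exports, not taken from a real machine.
BAD_REG = r'''[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate]
"WUServer"="http://wsusservernome:8530"
"WUStatusServer"="http://servername"
"TargetGroupEnabled"=dword:00000001
"TargetGroup"=""
'''
GOOD_REG = r'''[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate]
"WUServer"="http://servername:8530"
"WUStatusServer"="http://servername:8530"
[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU]
"UseWUServer"=dword:00000001
'''

if __name__ == "__main__":
    print("\n".join(audit(BAD_REG, "servername")))
```
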

Page 75: WSUS, MU and WU oh my!

Securing WSUS traffic

• Forcing WSUSAdmin site to use SSL is simple
– Obtain and install a web certificate
– Enable SSL on WSUSADMIN directory

Page 76: WSUS, MU and WU oh my!

Admin duties

• Management is done 2 ways:
– Via WSUS Admin web site (http://wsusserver/wsusadmin)
– Via Scripting
• WSUS Admin site not overly strong
– See WSUS Wiki for reported issues
• Clients need latest versions of Windows AU software.
– Comes with XP SP2/2k3 SP1
– Older SUS clients can also auto-update via /selfupdate

Page 77: WSUS, MU and WU oh my!

Watch your language

• Some initial configuration requires
– Synchronisation options
  • Schedule
  • What types of updates
  • Proxy server settings
  • Update Source
  • Languages (ALL languages is the default)
– Automatic Approval options
  • Which updates should be automatically approved
  • Approve for detection vs approve for installation

Page 78: WSUS, MU and WU oh my!

WSUS issues

• RESOLVED SBS issues
– Dell OEM issue
– You cannot install Windows Server Update Services 2.0 on a computer that is running an original equipment manufacturer version of Windows Small Business Server 2003:
– http://support.microsoft.com/default.aspx?scid=kb;en-us;906798

