WSUS, MU and WU oh my!

SMB Technology Network

Susan Bradley, Patchaholic
We’re going to assume

• You’ve done your homework

• http://www.vladville.com/2005/12/sbs-show-8-patch-m
• Think risk management
 WU and MU
The basics of Windows and Microsoft Update
WU versus MU

• Windows Update
– Just patches Windows
– http://update.microsoft.com/windowsupdate
• Microsoft update
– http://update.microsoft.com/microsoftupdate
– Patches [at this time]
– Windows
– Office
– Exchange
– More to come
• Engine is the same - Troubleshoot the same
MU is optional

• Opt in to MU
MU steps

• Accept EULA
• Need to install software to get it to use it
• Downloads activeX files
• \Windows\Downloaded Program Files
• The following ActiveX controls will be
installed:
– MUWebControl Class
– WUWebControl Class
Is it safe?

• If first visit will get ‘authenticode’ prompt

Checking for updates
Two options to install

• Express Install: This option is

recommended and provides the easiest
method for installing high priority updates.
• Custom Install: This option enables a user
to select which specific updates are installed.
Better ‘history’ interface
Revert to WU

• Go back
• Click on Change settings
• Check the box
Test connectivity

• https://update.microsoft.com/v6/ClientWebService
• If you see this:

• You are good to go

File updated

• Windows Genuine Advantage control

• Windows Installer 3.1
• Background Intelligent Transfer Service
(BITS) update
Auto updates options

• Download
• Will allow you to install them at a later time
But don’t forget the help files
Troubleshooting

• SUS Support file

• http://download.microsoft.com/download/
b/b/1/bb139fcb-4aac-4fe5-a579-
30b0bd915706/MPSRPT_SUS.EXE
• Operating System and Service Pack Level
– Right-click My Computer and select
Properties
• Internet Explorer Version and Service Pack
Level
– Check the Help > About interface in Internet
Explorer
Items to gather for troubleshooting

• Internet Explorer Cipher Strength

– Check the Help > About interface in Internet
Explorer
• Network Configuration (local area network
[LAN], DSL, Firewall, Etc)
• Tried using the Windows Update v6
Troubleshooter?
• Has anything changed on the machine
recently?
In the SUS reporting tool

• Windows Update logs (both Version 4 and

Version 6)
• ReportingEvents.log this shows what error
was returned to our servers.
• Internet Explorer Registry key data to help
with proxy or access issues
• Windows Update Registry key to help with
policy and Automatic Updates issues
• Service Output file to show what services are
running on the machine and which are
stopped.
SUS reporting tool

• Application and System event logs

• BITS Admin log to help investigate download
issues
• Update.exe installation logs to help with
installation failure issues
• Setuplog to help investigate installation
issues
• Setupapi.log to help investigate driver
installation issues
Log files

• Start, then click Run, type

WINDOWSUPDATE.LOG and then click OK.
• windows update.log
– Is the v4 version
• WindowsUpdate.log
– Is the v6 version
Common errors

• 0x80072EE2 – 0x80072F78 – 0x80072F76 –

0x80072EFD
– 836941 - You receive an "Error 0x80072EE2"
or "Error 0x80072EFD" error message when
you try to use Windows Update
– Add Windows Update Web sites to the
Trusted Sites list
Common Errors

• 0x80070424

– How to troubleshoot problems accessing

secure Web pages with Internet Explorer 6
Service Pack 2 (870700)
– This Windows Update error code is caused by
unregistered DLL files for Windows Update or
Internet Explorer. On Windows XP SP2 and
later this may be resolved using the
“iexplore /rereg” command.
Common Errors

• 0x80244001/0x800A01AD
– These Windows Update error codes can be
caused by a damaged Windows XP XML
subsystem. The first step to take is to
reregister this component using the command
“regsvr32 msxml3.dll”. If this does not resolve
the issue, check for more recently updated
MSXML Parser and MSXML components
from the following link:
http://www.microsoft.com/downloads/resul
ts.aspx?
productID=&freetext=msxml&DisplayLang
=en
Common Errors

• When accessing the Update site, you receive the

0x800A01AE error.
– This issue may happen if the current session of
Internet Explorer has cached an older version of
Wuapi.dll
– Re-register the Windows Update DLL with the
commands below
– Click Start, click Run, type cmd, and then click OK.
– Type the following commands. Press ENTER after each
command.
regsvr32 wuapi.dll
regsvr32 wuaueng.dll
regsvr32 wuaueng1.dll
regsvr32 wucltui.dll
regsvr32 wups.dll
regsvr32 wups2.dll
regsvr32 wuweb.dll
Common Errors

• 0x80248011
– This Windows Update error code is normally
related to inconsistent or damaged
information in the
c:\windows\softwaredistribution folder.
Stopping the Automatic Updates service then
renaming the c:\windows\softwaredistribution
folder to SDOLD then restarting the Automatic
Updates service normally is the fix for this
issue.
Note: Renaming this folder will clear the
display of previous successful and failed
updates.
Common Errors

• 0x800B0001
– This Windows Update error code is related to
3 particular DLL files that are not registered in
windows correctly. Registering the following
files with REGSVR32 normally fixes this
issue:
– Softpub.dll
– Mssip32.dll
– Initpki.dll
Common Errors

• 0x8024402C
– This Windows Update error can be caused by
a damaged installation of BITS and corrupted
information in the SoftwareDistribution folder.
The solution is normally to re-download the
BITS updates (KB883357 and KB842773)
from the Microsoft.com website, then stop the
Automatic Updates service and rename the
SoftwareDistribution folder to SDOLD.
Reboot the computer and return to Windows
Update.
Diagnose tools

• Look at WindowsUpdate.log from the bottom

up
• To enable site tracing for a single visit to the
Windows Update site, add “&dev=true” to the
end of the URL, as in the example below:
http://update.microsoft.com/windowsupdate/v
6/default.aspx?ln=en&dev=true
Troubleshooting

• Most third party firewalls such as Norton

Personal Firewall block SVCHOST (Generic
Host Process Win32) communication by
default. This can cause issues with Windows
Update as SVCHOST communication is
required by the Windows Update client to
connect to the Windows Update Servers on
the internet.
 WSUS basics
Are you ready to patch?
WSUS

• Patches the same pieces as MU

• More to come
• Clients ‘check in’ with server
• Not push
• Pull
• Can force a push if need be via scripting
• http://www.microsoft.com/downloads/details.
aspx?FamilyId=3BA03939-A5A9-407B-
A4B0-1290BA5182F8&displaylang=en
WSUS installation

• Install on server
• Will default go on port 8530
• On standard loads up a MSDE instance
• Remember …clients may need in registry
http://servername:8530 or Group
• Beginners guide to WSUS
• http://uphold2001.brinkster.net/vbshf/wsus/w
sus_faq.htm
WSUS issues

• Clients may not check in

– Manually put in registry
• Sync process takes a long time
– About 24 hours if you pull down all files
Install

• Double-click the installer file WSUSSetup.exe.

• Note:
• The latest version of WSUSSetup.exe is available on the
Microsoft Web site for Windows Server Update Services at
http://go.microsoft.com/fwlink/?LinkId=47374.
• 2. On the Welcome page of the wizard, click Next.
• 3. Read the terms of the license agreement carefully, click
I accept the terms of the License Agreement, and then
click Next.
• 4. On the Select Update Source page, you can specify
where clients get updates. If you select the Store updates
locally check box, updates are stored on the WSUS server
and you select a location in the file system to store updates.
If you do not store updates locally, client computers connect
to Microsoft Update to get approved updates.
• Keep the default options, and click Next.
• Select Update Source Page
Install

• Needs a LOT of space

• 6 GB
WMSDE is default

• On the Database Options page, you select the

software used to manage the WSUS database. By
default, WSUS Setup offers to install WMSDE if the
computer you are installing to runs
Windows Server 2003.
• If you cannot use WMSDE, you must provide a SQL
Server instance for WSUS to use, by clicking Use an
existing database server on this computer and
typing the instance name in the SQL instance name
box. For more information about database software
options besides WMSDE, see the “Deploying
Microsoft Windows Server Update Services” white
paper.
• Keep the default options, and click Next.
• Database Options Page
WSUS install

Now up to 8 gigs
• WSUS on SBS will chose 8530
On premium – set up the rule [pre done
on SBS]

• http://windowsupdate.microsoft.com
• http://*.windowsupdate.microsoft.com
• https://*.windowsupdate.microsoft.com
• http://*.update.microsoft.com
• https://*.update.microsoft.com
• http://*.windowsupdate.com
• http://download.windowsupdate.com
• http://download.microsoft.com
• http://*.download.windowsupdate.com
• http://wustat.windows.com
• http://ntservicepack.microsoft.com
Proxy settings

• On the WSUS console toolbar, click Options, and

then click Synchronization Options.
• 2. In the Proxy server box, select the Use a proxy
server when synchronizing check box, and then
type the proxy server name and port number (port 80
by default) in the corresponding boxes.
• 3. If you want to connect to the proxy server by
using specific user credentials, select the Use user
credentials to connect to the proxy server check
box, and then type the user name, domain, and
password of the user in the corresponding boxes. If
you want to enable basic authentication for the user
connecting to the proxy server, select the Allow
basic authentication (password in clear text)
check box.
• 4. Under Tasks, click Save settings, and then
click OK in the confirmation dialog box.
To get to WSUS

• Admin tools

• http://servername:8530/WSUSAdmin/
WSUS sync
WSUS console

Missing the computers!

Adding the WUAU template

• 1. In Group Policy Object Editor, click either

of the Administrative Templates nodes.
• 2. On the Action menu, click Add/Remove
Templates.
• 3. Click Add.
• 4. In the Policy Templates dialog box, click
wuau.adm, and then click Open.
• 5. In the Add/Remove Templates dialog
box, click Close.
Getting the clients to ‘check in’

• In Group Policy Object Editor, expand Computer

Configuration, expand Administrative Templates,
expand Windows Components, and then click
Windows Update.
• In the details pane, click Specify Intranet Microsoft
update service location.
• Type the HTTP URL of the same WSUS server in
both Set the intranet update service for detecting
updates and Set the intranet statistics server. For
example, type http://servername:8530 in both text
boxes, where servername is the name of your
WSUS server.
• Click OK, and then configure the behavior of
Automatic Updates
Known issue of ‘compression’

• Get the hotfix

• Or ‘kick them’ to check into the system
Assigning groups

• Two methods
– Group policy
– Move computers
GPMC

• Add a new policy

Editing Group policy

• Why NOT edit an existing one?

• SP redeployed these and would blow off your
customizations
• Add new
• Right mouse click on edit
Drill down to the setting

• Computer config
• Admin
• Components
• Windows Update
WU – point it

• First point your intranet updating

• Remember 8530
Change the check in interval

• If you like – change the detection frequency

Client side targeting

• This one seems to make

things ‘work’
• Put a name in there to
get things ‘waking up’
• You’ll move it later
To force it

• GPupdate /force
– On server
– And on workstation if you want to test it ‘now’
Group Policy settings

• Final results on the GP screen

Servers and Workstations

• Will begin to ‘check in’

Adding ZONES

• Key decision making right here

• What risk
• What zone
• What deployment strategy
• Who gets what patches when?
• At least have a Zone for the server[s]
• One for workstations
• More zones?
• Your ‘canary testers’?
• LOB app machines?
• Groups are your Risk areas
• Create the ‘groups’ to match your risk zones
Assign accordingly

• Again think of groups as ‘risk zones’

Don’t gloss over this

• This is your most important step

• You are assigning risk values with this
process
More info on WSUS [sbs-ized]

• www.smallbizserver.net
WSUS for your clients

• Can remote in and approve patching

• 1. On the WSUS console toolbar, click Updates. By
default, the list of updates is filtered to show only Critical and
Security Updates that have been approved for detection on
client computers. Use the default filter for this procedure.
• 2. On the list of updates, select the updates you want to
approve for installation. Information about a selected update
is available on the Details tab. To select multiple contiguous
updates, press and hold down the SHIFT key while selecting;
to select multiple non-contiguous updates, press and hold
down the CTRL key while selecting.
• 3. Under Update Tasks, click Change approval. The
Approve Updates dialog box appears.
• 4. In the Group approval settings for the selected
updates list, click Install from the list in the Approval
column for the Test group, and then click OK.
You as the master WSUSer

•
• If you are a Microsoft Certified Partner or Registered Partner, submit two (2)
signed complete originals of the Microsoft SPLA agreement V2.1
Sept03.pdf to Software Spectrum Inc.
• If you are NOT a Microsoft Certified Partner or Registered Partner;
• 1) You will need to have a Microsoft Registered Partner number to complete
the attached SPLA MCP addendum. You can become a Registered Partner
at http://members.microsoft.com/partner/program/enroll/default.aspx .
• 2) You need to register for the Microsoft Windows® Web Holster Program at
http://www.microsoft.com/serviceproviders/webhosting/default.asp
• 3) Submit two (2) signed complete originals of the SPLA MCP addendum
V2.1.doc to Software Spectrum Inc.
• 4) Submit two (2) signed complete originals of the Microsoft SPLA
agreement V2.1 Sept03.pdf to Software Spectrum Inc.
• All Signed agreements must be mailed to:
• Software Spectrum
• Attn: Microsoft Contracts Team
3480 Lotus Dr.
Plano, TX 75075
• spprograms@softwarespectrum.com
Clients can point to you

• As Master WSUS er
• Easier if you just remote and approve
• Recommend a patch agreement program
• You do not guarantee patch status
• You offer to work with vendor
• Investigate work arounds and mitigations
WSUS info

• http://support.microsoft.com/default.aspx?
scid=kb;en-us;894199
Approve updates

• Approval
Approval

• Approval – be patient
Patch issues

• Patch testing
– How can we do it in SBSland
– Virtual servers
– Identified key testers
– Review known issues [in each bulletin]
– Watch the communities
– Don’t bother testing Office/Windows…unless
– Standardize …standardize
Patching

• Do you need to patch?

• Zoning – who is at risk?
• Is that port open?
• How can get you?
• Resources for determining risks
Risk Resources

• Threats and Countermeasures guide

• www.threatsandcountermeasures.com
• Ports open
• www.grc.com shields up test
Patch resources

• www.patchmanagement.org
– WSUS
– General Patch Mgmt
• WSUS blog - http://msmvps.com/athif/
• WSUS wiki -
http://wsus.editme.com/WSUSonSBS
• WSUS blog – http://blogs.technet.com/wsus
What’s better about WSUS?

• 5 key benefits
– More products updated (Exchange, Office,
SQL) and more update types (drivers, etc).
– Reporting
– Target Groups
– Install at Shutdown
– Scripting/API
Scripting

• Two sets of APIs

– Client side
– Server side
• Documentation with RC
– WUA_SDK.CHM
– WUS.CHM
• WSUSADMIN site a reference
implementation using APIs
• If you don’t like the UI, you could do it
yourself
Troubleshooting

• Main causes of issue are simple

configuration errors
– “http://wsusservernome/” in a GPO Object
• SelfUpdate tree needs to be on port 80
• Tools with the RC
– Clientdiag.exe – diagnoses some issues
• Logs
– %systemroot%\WindowsUpdate.log
Securing WSUS traffic

• Forcing
WSUSAdmin site
to use SSL is
simple
– Obtain and
install a web
certificate
– Enable SSL on
WSUSADMIN
directory
Admin duties

• Management is done 2 ways:

– Via WSUS Admin web site
(http://wsusserver/wsusadmin)
– Via Scripting
• WSUS Admin site not overly strong
– See WSUS Wiki for reported issues
• Clients need latest versions of Windows AU
software.
– Comes with XP SP2/2k3 SP1
– Older SUS clients can also auto-update via
/selfupdate
Watch your language

• Some initial configuration requires

– Synchronisation options
• Schedule
• What types of updates
• Proxy server settings
• Update Source
• Languages (ALL languages is the default)
– Automatic Approval options
• Which updates should be automatically
approved
• Approve for detection vs approve for
installation
WSUS issues

• RESOLVED SBS issues

– Dell OEM issue
– You cannot install Windows Server Update
Services 2.0 on a computer that is running an
original equipment manufacturer version of
Windows Small Business Server 2003:
– http://support.microsoft.com/default.aspx?
scid=kb;en-us;906798