WSUS Architecture and History

The document discusses various architectures for implementing WSUS (Windows Server Update Services) in an organization. It describes "simple" and "simple with groups" architectures using a single WSUS server, as well as more complex architectures involving multiple servers chained together in centralized or distributed configurations. It also covers high availability, roaming user, and branch office architectures. Troubleshooting sections discuss common WSUS error codes and their potential causes.

Uploaded by Jacques Mostert
Copyright: Attribution Non-Commercial (BY-NC)


Greg Shields

Partner
Concentrated Technology
WSV302
Agenda
Topics
Part I: Architecting and Implementing WSUS
Part II: Troubleshooting WSUS
Part III: Tips and Tricks for Using WSUS
Architecting and Implementing WSUS
WSUS Product Vision
Simple, zero-cost solution for distributing Microsoft Updates content in a corporation
A "free" RTW add-on for Windows Server
Solution only distributes Microsoft Updates
Distributing 3rd party patches requires purchasing advanced management tools such as SCE or Configuration Manager 2007
Provides a foundation for Update Management across Microsoft products: SCE, Configuration Manager 2007, MBSA, WU, SBS, Forefront ...
Consistent scan results
Unified client scan mechanism (WUA) irrespective of which server actually manages the updates
WSUS Momentum
Over 500,000 distinct WSUS servers synched with Microsoft Update last month
Used by over 60% of medium/large orgs and built into SBS
WSUS 3 released April 30 2007
Huge improvements in performance, deployment options, reporting and UI
Easy in-place upgrade from WSUS2
WSUS 3.0 SP1 released Feb 7, 2008
WSUS 3.0 SP2 released Jan 26, 2009
WSUS Lifecycle/Roadmap
Support lifecycle (version: status, note)
SUS 1.0: Not supported. Crazy old now. Don't use.
WSUS2 RTM: Not supported. Updates still flow.
WSUS2 SP1: Not supported. EOL is April 9 2009 (now), two years after WSUS3 RTM.
WSUS3 RTM: Not supported. One year after WSUS3 SP1.
WSUS3 SP1: TBD. One year after WSUS3 SP2.
Next up: release WSUS3 SP2 RC
RTM shortly after Windows Server 2008 R2 release
WSUS 3.0 SP1/SP2 Adds Features
WSUS 3 SP1 adds the following features:
Installs on Server 2008, integrated with Server Manager (after installing Server Manager update KB940518)
API enhancements for advanced management tools
Bug fixes
WSUS 3 SP2 will add:
Installs on Server 2008 R2 beta
Supports managing Win7 clients
Support for BranchCache
Auto-approval rules with deadlines
Bug fixes (DSS gets languages from USS, target groups sorted alphabetically, more robust setup upgrade)
(RC) Compliance against approved updates
New Features in WSUS SP2
Elements of Architecture
Why Architecture?
Problems are usually results of improper architecture
A correct architecture will drive a better design
Especially in situations of administrator distrust or insufficient bandwidth
Design your WSUS solution with the same goals as your AD solution
Roaming users should be dealt with separately
"Simple" Architecture
Single, well-connected site
WSUS updates from MU
Clients update from WSUS
Single server can handle 25,000 clients
50K clients with 2x front-end servers and big SQL back-end
Remote SQL configuration reduces server load
Front-end handles update sync load
Back-end handles reporting load
"Simple, with Groups" Architecture
Largest use case in production today
Driving forces to move to Machine Groups:
Differing patching requirements or schedules
Test groups
Servers vs. Workstations
Politics
Not necessarily used for load distribution

WSUS Chaining
Chaining involves downstream servers getting updates (and sometimes Group data) from upstream servers
Options for chaining
Distributed vs. Centralized model
"Autonomous Mode" vs. "Replica Mode"
Chaining solves the problem of "mesh" or "fully independent" architectures
Wastes resources and bandwidth
Not that some situations don't mandate "mesh" or "fully independent" architectures!
"Centralized" Architecture
Downstream servers are replicas of primary server
Little downstream control over servers
Downstream administrators drop machines into predefined groups
All update approvals and schedule done at primary server
"Distributed" Architecture
Downstream servers obtain updates from primary server, except:
Update approvals do not flow down. Assigned at each site individually
Downstream admins have greater control. Can create groups and assign approvals
Used for distribution rather than control of updates
"Disconnected" Architecture
Many environments don't have Internet connectivity
Test/dev, government, classified, air gap environments
Data must be imported from "the outside"
Any of the previous architectures will work
Manual import process required
Gives CM/QA/Security the option to review updates prior to bringing "inside"
"Disconnected" Architecture
Match advanced options between source and target
Express installation files & languages must match
Backup and restore updates from source to target
Back up C:\WSUS\WSUSContent
Restore to the same location on the target server
Transfer update metadata from source to target
Navigate to C:\Program Files\Update Services\Tools
Export metadata using wsusutil.exe export {packageName} {logFile}
Import with wsusutil.exe import {packageName} {logFile}
packageName & logFile are unique names you choose
"Roaming" Architecture
Manages updates for external resources
WSUS servers distribute approval metadata
Clients (laptops) download updates from Windows Update directly
Extra security for internet-facing WSUS server
Useful separate architecture for mostly off-net clients
"Roaming" Architecture
Four Steps to Internet-facing WSUS
Build server in DMZ and position behind ISA proxy
Locate database on server not reachable from Internet
Enable SSL for communications
Host content on Microsoft Update
"High Availability" Architecture
WSUS 3.0 includes native support for high availability
NLB Clusters connect multiple WSUS web servers via a single cluster IP
SQL Cluster manages the database
No single point of failure
Critical: This design is useful for availability, but does little for performance
Managing Branch Offices
Branch offices are typically managed through replica WSUS servers
Replica servers take all orders from the central server
Settings at the top flow downward, but take time
Alternatively, unify architecture through a single "central server"
Single server manages all clients across all offices
Deploy ISA proxy in the branch
Enable BITS peer-caching
Use delta files to reduce network traffic
10x more server disk space
4x less client download
Upgrade Deployment
WSUS 3 SP1 setup supports in-place upgrade
One-way upgrade (no rollback)
Can't be done from WSUS 2 on Server 2000 or using SQL 2000
Alternative is migration upgrade:
Install second server
If original server is WSUS2 SP1:
Perform disconnected replica steps (wsusutil, ntbackup, wsusmigrate)
Switch over clients via policy
If original server is also WSUS3:
Configure new server to be a replica of the first and sync
After sync, configure new server to be autonomous
Upgrade hierarchy from top down
Troubleshooting WSUS
Errors and Error Codes
Numerous WSUS error codes exist
A complete list of all WSUS error codes is available online at http://inetexplorer.mvps.org/archive/windows_update_codes.htm
For example, 0x8DDD0018 occurs when one of these services is disabled:
Automatic Updates
BITS
Event Log
Errors and Error Codes II
0x80072EE2, 0x80072EFD
This issue occurs because the Windows Update client did not receive a timely response from the Windows Update Web site server
Likely a proxy configuration, personal firewall, or trusted hosts problem
Errors and Error Codes III
0x80246008, 0x8024402C
Caused by BITS malfunctioning or corrupted
Download and extract the BITSAdmin tool from the Windows Support Tools CD
bitsadmin /util /repairservice /force
If that doesn't work, try a BITS re-install
Though if you do a BITS re-install, clear out the %SystemRoot%\SoftwareDistribution folder and reboot when done
Errors and Error Codes IV
0x80244019
This error is often caused when the Proxy server is not properly configured.
Ensure that your Proxy server allows Anonymous access to these external addresses:
http://windowsupdate.microsoft.com
http://*.windowsupdate.microsoft.com
https://*.windowsupdate.microsoft.com
http://*.update.microsoft.com
https://*.update.microsoft.com
http://*.windowsupdate.com
http://download.windowsupdate.com
http://download.microsoft.com
http://*.download.windowsupdate.com
http://wustat.windows.com
http://ntservicepack.microsoft.com
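A triage helper for the error codes in the slides above, added here as an example rather than taken from the deck: it pulls HRESULTs out of WindowsUpdate.log lines and maps the codes the slides cover to the likely cause and first check. The sample lines are constructed in the WindowsUpdate.log style, not a real capture; the real-use call at the end assumes the default log path.

```powershell
# Added example (not from the deck): map WindowsUpdate.log error codes to the causes the slides list.
$causes = @{
    '0x8DDD0018' = 'Automatic Updates, BITS or Event Log service is disabled; check service start types'
    '0x80072EE2' = 'No timely response from the update server; check proxy, personal firewall, trusted hosts'
    '0x80072EFD' = 'No timely response from the update server; check proxy, personal firewall, trusted hosts'
    '0x80246008' = 'BITS malfunctioning or corrupted; bitsadmin /util /repairservice /force, then reinstall BITS'
    '0x8024402C' = 'BITS malfunctioning or corrupted; bitsadmin /util /repairservice /force, then reinstall BITS'
    '0x80244019' = 'Proxy not allowing anonymous access to the Windows Update / Microsoft Update hosts'
}

function Get-WsusErrorTriage {
    param([string[]]$LogLines)
    foreach ($line in $LogLines) {
        # WindowsUpdate.log writes HRESULTs as 0x........ in mixed case; normalise for the lookup
        foreach ($m in [regex]::Matches($line, '0x[0-9A-Fa-f]{8}')) {
            $code = '0x' + $m.Value.Substring(2).ToUpper()
            [pscustomobject]@{
                Code  = $code
                Known = $causes.ContainsKey($code)
                Cause = if ($causes.ContainsKey($code)) { $causes[$code] } else { 'not covered in this deck' }
                Line  = $line.Trim()
            }
        }
    }
}

# Constructed sample lines in the WindowsUpdate.log style (not a real capture)
$sample = @(
    '2009-05-12 10:01:02:123  1234 5678 Misc    WARNING: SendRequest failed with hr = 0x80072ee2',
    '2009-05-12 10:01:03:456  1234 5678 Agent   WARNING: Failed to synchronize, error = 0x80244019',
    '2009-05-12 10:01:04:789  1234 5678 DnldMgr BITS job failed, hr = 0x80246008',
    '2009-05-12 10:01:05:000  1234 5678 Agent   WARNING: Exit code = 0x8024000C'
)
$triage = Get-WsusErrorTriage -LogLines $sample
$triage | Format-Table Code, Known, Cause -AutoSize

# Real use on a client: Get-WsusErrorTriage -LogLines (Get-Content "$env:SystemRoot\WindowsUpdate.log")
```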


 
  
WUA Client Issues
To enable auto-updates, ensure:
Anonymous access granted to Self Update virtual directory on WSUS server
Auto-updates requires TCP/80 to function on WSUS server
Be aware of GP replication times
90 to 120 minute GP refresh timing will impact speed of clients becoming visible in WSUS admin tool
Be aware of AU detection frequency times
WUA client set to check with server every 22 hours (minus offset)
When WUA checks in is when it checks WUA version
Need to do wuauclt /detectnow to force this to occur on-demand
WUA Client Issues II
Known issue with imaged workstations:
If you image your workstations (and who doesn't these days!), you must change SID
Sysinternals NewSID, Microsoft SysPrep
Not doing this will prevent WUA from contacting WSUS
To fix this problem:
Run one of the above tools to change the SID
Under HKLM\Software\Microsoft\Windows\CurrentVersion\WindowsUpdate, delete the PingID, SUSClientID, and AccountDomainSID values
Restart the wuauserv service
Run wuauclt /resetauthorization /detectnow
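The client identity reset above as a PowerShell script, added here as an example and not part of the deck. It assumes it runs elevated on the client after the SID has already been changed, and that the registry path and value names are the ones the slide gives.

```powershell
# Added example (not from the deck): reset the WSUS client identity on an imaged workstation.
# Run elevated on the client after the machine SID has been changed with Sysprep/NewSID.
$key    = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate'
$values = 'PingID', 'SUSClientID', 'AccountDomainSID'

# Record the current values first so the change is auditable and the old ID is on file
$before = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
foreach ($v in $values) {
    if ($null -ne $before.$v) { Write-Host ("{0} was {1}" -f $v, $before.$v) }
}

# Stop the agent, drop the cloned identity values, start it again (= the slide's "restart")
Stop-Service -Name wuauserv -Force
foreach ($v in $values) {
    Remove-ItemProperty -Path $key -Name $v -ErrorAction SilentlyContinue
}
Start-Service -Name wuauserv

# Force a fresh client ID and an immediate detection cycle against the WSUS server
& "$env:SystemRoot\System32\wuauclt.exe" /resetauthorization /detectnow

# Verify: a new SUSClientID appears once the client has checked in (can take a few minutes)
Start-Sleep -Seconds 60
$after = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
if ($after.SUSClientID -and $after.SUSClientID -ne $before.SUSClientID) {
    Write-Host "New SUSClientID: $($after.SUSClientID)"
} else {
    Write-Warning 'SUSClientID not regenerated yet; re-check after the next detection cycle'
}
```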
WUA Client Issues III
Disabling the Automatic Updates Service or the BITS Service at any point in the past prevents it from starting properly when you need it!
Reset permissions on these services to re-enable functionality.
Use the Service Control Resource Kit tool (sc.exe) to do this:
sc sdset bits "D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCLCSWLOCRRC;;;AU)(A;;CCLCSWRPWPDTLOCRRC;;;PU)"
sc sdset wuauserv "D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCLCSWLOCRRC;;;AU)(A;;CCLCSWRPWPDTLOCRRC;;;PU)"
Every disabled client needs this!

Tips and Tricks for Using WSUS
Optimize Patch Distribution
In large, multi-site environments low bandwidth may cause problems for remote offices
Distributing updates to downstream servers is a big problem
Potential solutions:
Ensure downloading only the languages you need
Configure patch distribution to occur in the evenings
Stagger patch distributions between tiered sites
Express installation files can exacerbate this
The bandwidth savings in express installation files occurs from WSUS server to client, not between WSUS servers
Throttle BITS
Throttling BITS
BITS can be throttled either on the WSUS server or additionally on all the clients
Alleviates network saturation during update distribution and during client installation
Be aware that this does slow down update distributions!
Throttle BITS in Group Policy:
Computer Configuration | Administrative Templates | Network | Background Intelligent Transfer Service
Two settings:
Maximum network bandwidth that BITS uses
Limit by Kbps based on time of day or at all times
Be aware that Kbps is kilobits not kilobytes (divide by 8)
Timeout (in days) for inactive jobs
DNS Netmask Ordering
Non-centralized architectures can better route clients through DNS Netmask ordering
Microsoft DNS Round Robin will first provide an IP address in the same subnet as the requestor
If no IP exists in the same subnet, a random IP will be selected
All WSUS hosts must respond to the same FQDN
DNS FQDN record is populated with IP addresses of all WSUS servers in the network
Server Tuning
Run cleanup and DB defrag every few months
Cleanup wizard is a new feature in WSUS 3
Removes stale computers and updates
DB index defrag script available on ScriptCenter keeps the server running fast
Look out:
Take care to not remove computers that are still active (but having trouble contacting the server)
Populate from AD sample tool can help
In a hierarchy, need to run cleanup on each WSUS server.
Clean computers from bottom-up
Clean updates from top-down (or between sync intervals)
Can be automated through the API
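The cleanup automation the slide mentions, written against the WSUS administration API as an added example (not the deck's own script). It assumes it runs on the WSUS server with the console assemblies installed and admin rights, and it previews the stale computers before any computer removal is enabled, which is the "look out" caveat above.

```powershell
# Added example (not from the deck): WSUS cleanup through Microsoft.UpdateServices.Administration.
[void][System.Reflection.Assembly]::LoadWithPartialName('Microsoft.UpdateServices.Administration')
$wsus = [Microsoft.UpdateServices.Administration.AdminProxy]::GetUpdateServer()   # local server

$scope = New-Object Microsoft.UpdateServices.Administration.CleanupScope
# Update cleanup: safe to automate; run top-down through a hierarchy (upstream first)
$scope.DeclineSupersededUpdates    = $true
$scope.DeclineExpiredUpdates       = $true
$scope.CleanupObsoleteUpdates      = $true
$scope.CompressUpdates             = $true
$scope.CleanupUnneededContentFiles = $true
# Computer cleanup: run bottom-up, and only after reviewing who is "stale" (see preview below)
$scope.CleanupObsoleteComputers    = $false

# Preview which computers the cleanup would consider stale (30 days without a status report)
$cutoff = (Get-Date).AddDays(-30)
$stale  = $wsus.GetComputerTargets() | Where-Object { $_.LastReportedStatusTime -lt $cutoff }
Write-Host ("{0} computer(s) have not reported since {1:d}:" -f @($stale).Count, $cutoff)
$stale | Select-Object FullDomainName, LastReportedStatusTime, IPAddress | Format-Table -AutoSize

# Run the update-side cleanup and show what was declined, deleted, compressed and freed
$result = $wsus.GetCleanupManager().PerformCleanup($scope)
$result | Format-List
```

Flip CleanupObsoleteComputers to $true only after confirming the previewed hosts are really retired; a machine that is merely failing to contact the server (the slide's warning) shows up in the same list.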
Considerations for Updating Servers
Servers require more care than workstations...
A rebuild is usually not an acceptable solution for a failed patch installation
Outage windows are shorter
But in some ways servers are easier...
Data and system drives usually separated
Hardware configuration is usually more stable or well-understood
Service isolation and redundancy (in larger environments) limits exposure/risk
People typically aren't "surfing" on servers
The RAID 1 Undo Trick...
What About Reboots?
I've said this before, and I'll say it again:
"If you have a patch management plan without a reboot strategy, you don't have a patch management plan."
Three methods:
Client-initiated
WSUS-initiated
Script-initiated
Two methodologies:
Scheduled reboots vs. rebooting for patch installation
Handling Reboots
RebootFile = "computers.txt"
LogFile = "results.txt"
Set fso = CreateObject("Scripting.FileSystemObject")
Set f = fso.OpenTextFile(RebootFile, 1, True)
Set objTextFile = fso.OpenTextFile(LogFile, 2, True)

On Error Resume Next

' Loop over one computer name per line until the input file is exhausted
Do While Not f.AtEndOfStream
    strComputer = f.ReadLine
    ' The (Shutdown) privilege must be requested or Win32_OperatingSystem.Reboot fails
    Set objWMIService = GetObject("winmgmts:" & _
        "{impersonationLevel=impersonate,(Shutdown)}!\\" & strComputer & "\root\cimv2")
    If Err.Number <> 0 Then
        objTextFile.WriteLine(strComputer & " is not responding.")
        Err.Clear
    Else
        Set colOperatingSystems = objWMIService.ExecQuery("Select * from Win32_OperatingSystem")
        objTextFile.WriteLine(strComputer & " is rebooting.")
        For Each objOperatingSystem In colOperatingSystems
            objOperatingSystem.Reboot()
        Next
    End If
Loop

f.Close
objTextFile.Close
Custom Reports
UI supports basic customization (filters)
Advanced customization can be built on WSUS (.NET) API
Can use PowerShell scripts to generate reports
Public read-only SQL views
Can use SSRS to generate reports (if full SQL)
Samples available from MSDN
E.g., compliance against approved updates
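A compliance-against-approved-updates report of the kind the slide names, built on the WSUS .NET API from PowerShell as an added example (not one of the MSDN samples or the deck's code). The server name, port and SSL flag are placeholders for your own server.

```powershell
# Added example (not from the deck): per-computer compliance against approved updates via the WSUS API.
[void][System.Reflection.Assembly]::LoadWithPartialName('Microsoft.UpdateServices.Administration')
# Placeholders: server FQDN, use SSL, port (WSUS 3 on its default web site listens on 80)
$wsus = [Microsoft.UpdateServices.Administration.AdminProxy]::GetUpdateServer('wsus01.example.local', $false, 80)

# Scope the summary to updates whose latest revision is approved; that is what "compliant" means here
$scope = New-Object Microsoft.UpdateServices.Administration.UpdateScope
$scope.ApprovedStates = [Microsoft.UpdateServices.Administration.ApprovedStates]::LatestRevisionApproved

$report = foreach ($c in $wsus.GetComputerTargets()) {
    $s = $c.GetUpdateInstallationSummary($scope)
    # Anything approved but not yet fully installed counts against the machine
    $needed = $s.NotInstalledCount + $s.DownloadedCount + $s.FailedCount + $s.InstalledPendingRebootCount
    [pscustomobject]@{
        Computer      = $c.FullDomainName
        LastReported  = $c.LastReportedStatusTime
        Installed     = $s.InstalledCount
        Needed        = $needed
        Failed        = $s.FailedCount
        PendingReboot = $s.InstalledPendingRebootCount
        Unknown       = $s.UnknownCount          # not yet scanned against these updates
        Compliant     = ($needed -eq 0 -and $s.UnknownCount -eq 0)
    }
}

# CSV for the record, non-compliant hosts on screen with the worst (most failures) first
$report | Export-Csv -Path .\wsus-compliance.csv -NoTypeInformation
$report | Where-Object { -not $_.Compliant } | Sort-Object Failed, Needed -Descending | Format-Table -AutoSize
```

A host with a large Unknown count and an old LastReported value has usually stopped reporting rather than fallen behind, so check it against the client issues in Part II before treating it as non-compliant.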
Match KBs to MSRCs
Ever wish you had a nice mapping of knowledgebase numbers to MSRC numbers?
"The Q-numbers to the MS-numbers"
This script outputs a .CSV file that provides just that mapping
Add the name of your WSUS server into the top line of the script: strWSUSServer = "<Enter WSUS Server here>"
Match KBs to MSRCs
strWSUSServer = "<Enter WSUS Server here>"

Set fso = CreateObject("Scripting.FileSystemObject")
Set objTextFile = fso.OpenTextFile("OUTPUT.csv", 2, True)
objTextFile.WriteLine("MS Number,Q Number")

Set conn = CreateObject("ADODB.Connection")
Set rs = CreateObject("ADODB.Recordset")
' Windows authentication against SUSDB; the ODBC SQL Server driver defaults to SQL logins otherwise
dbconn = "Driver={SQL Server};Server=" & strWSUSServer & ";Database=SUSDB;Trusted_Connection=Yes"
conn.Open dbconn

' Bulletin ID joined to the English (LanguageID 1033) title of each update revision
strSQLQuery = "SELECT dbo.tbSecurityBulletinForRevision.SecurityBulletinID, " & _
    "dbo.tbLocalizedProperty.Title FROM dbo.tbLocalizedPropertyForRevision INNER JOIN " & _
    "dbo.tbLocalizedProperty ON dbo.tbLocalizedPropertyForRevision.LocalizedPropertyID = " & _
    "dbo.tbLocalizedProperty.LocalizedPropertyID INNER JOIN " & _
    "dbo.tbSecurityBulletinForRevision ON dbo.tbLocalizedPropertyForRevision.RevisionID = " & _
    "dbo.tbSecurityBulletinForRevision.RevisionID WHERE " & _
    "(dbo.tbLocalizedPropertyForRevision.LanguageID = 1033) ORDER BY " & _
    "dbo.tbSecurityBulletinForRevision.SecurityBulletinID"
rs.Open strSQLQuery, conn, 3, 3

While Not rs.EOF
    ' Strip commas from the title so the CSV keeps its two columns
    objTextFile.WriteLine(rs.Fields(0).Value & "," & Replace(rs.Fields(1).Value, ",", ""))
    rs.MoveNext
Wend

rs.Close
conn.Close
objTextFile.Close
WScript.Echo "Done!"
Agent Control
Use WUA API to control the agent
Custom install schedules
Updating servers in web farms
Implementing "install now" functionality
On-Demand Patching
(You Patch Now!)
Ever wish you had a WSUS "big red button"?
Such a button might automatically download and install all approved patches and reboot if necessary...
How about this VBScript?
Run this script from any server console
Immediately downloads and installs all approved patches.
If a reboot is required, it will then reboot the server.
The WSUS Big Red Button
' Make sure the Automatic Updates service is on, then ask the agent to scan against its WSUS server
Set objAutomaticUpdates = CreateObject("Microsoft.Update.AutoUpdate")
objAutomaticUpdates.EnableService
objAutomaticUpdates.DetectNow

Set objSession = CreateObject("Microsoft.Update.Session")
Set objSearcher = objSession.CreateUpdateSearcher()
' The agent only ever sees what WSUS has approved for this machine, so this is "all approved patches"
Set objResults = objSearcher.Search("IsInstalled=0 and Type='Software'")
Set colUpdates = objResults.Updates
Set objUpdatesToDownload = CreateObject("Microsoft.Update.UpdateColl")
intUpdateCount = 0
For i = 0 To colUpdates.Count - 1
    intUpdateCount = intUpdateCount + 1
    Set objUpdate = colUpdates.Item(i)
    objUpdatesToDownload.Add(objUpdate)
Next

If intUpdateCount = 0 Then
    WScript.Quit
Else
    Set objDownloader = objSession.CreateUpdateDownloader()
    objDownloader.Updates = objUpdatesToDownload
    objDownloader.Download()

    Set objInstaller = objSession.CreateUpdateInstaller()
    objInstaller.Updates = objUpdatesToDownload
    Set installationResult = objInstaller.Install()

    ' Reboot only when the agent says one is pending; (Shutdown) grants the privilege Reboot needs
    Set objSysInfo = CreateObject("Microsoft.Update.SystemInfo")
    If objSysInfo.RebootRequired Then
        Set objWMIService = GetObject("winmgmts:{impersonationLevel=impersonate,(Shutdown)}!\\localhost\root\cimv2")
        Set colOperatingSystems = objWMIService.ExecQuery("Select * from Win32_OperatingSystem")
        For Each objOperatingSystem In colOperatingSystems
            objOperatingSystem.Reboot()
        Next
    End If
End If
Other API Uses
ISVs use APIs for many other features as well
Distribute 3rd party updates (quite complex)
Gather software and hardware inventory
Distribute updates to non-Windows devices
Your starting point is http://technet.microsoft.com/en-us/wsus/bb466192.aspx
API Samples
Diagnostic Tools
Header Files
Summary
WSUS is simple to use, but scales to enterprise
Flexible server deployment options
Single server, scale up, branch office, scale out, disconnected, roaming laptops
Flexible update deployment options
Peer caching, delta patching, auto approval rules, auto-reapprove revisions
Periodically tune the server (defrag + cleanup)
Public API and DB views can be used to extend the base functionality for many advanced scenarios
Starting point for all WSUS information
http://www.microsoft.com/updateservices
