It's been a long time. Actually, I have moved on to a different role and WSUS is not my bread & butter :-). I am focusing on Project Management; you can follow me on twitter - http://twitter.com/Athif.

I wanted to share a few lessons learned in patch management. Here we go...

SIMPLE LESSONS LEARNED in Patch Management:

1. Test, Test and Test: It is important to test updates in your unique environment before the roll-out.

2. Back-up before patch-up: I canNOT stress this enough - always, folks, always perform a backup before you install any updates, patches or hotfixes.

3. Restart before and After: As a best practice, restart the server before applying any patch/security update. You never know - there might be pending operations.

One last time - Happy Patching :-)

What lessons have you learned? Share your lessons learned by adding a comment on this post.

MORE INFORMATION:

I just downloaded the TechNet Magazine - January 2007 HTML help file, and when I opened it I noticed that the topics in the .chm file could not be viewed. I realized that the file was getting blocked, and all I had to do was unblock it (see the procedure below). This time I can see the contents happily :-)

1. Right-click the CHM file, and then click Properties.
2. Click Unblock.
3. Double-click the .chm file to open the file.

More information is available in the KB article - http://support.microsoft.com/kb/902225/EN-US/

 

Posted by Mohammed Athif Khaleel | with no comments
Filed under:

On Tuesday, November 28, 2006, Rights Management Services Client with Service Pack 2 (KB917275) was downloaded by WSUS Server as classified under Service Packs.

According to Brian Lich [MSFT], "The RMS client should not be offered via WSUS because it is not considered a critical update.  We are investigating this."

The RMS client is offered on Windows Update and Microsoft Update to Windows 2000 and Windows XP computers as an Optional/Recommended update.  It's also available on the Microsoft Download Center.

I have approved this update for INSTALL and so far I haven't seen any issue. Happy patching!

 

A question was asked in the WSUS Mailing List (hosted by Shavlik Technologies on www.patchmanagement.org) -

 

I am using WSUS 2.0 and I was wondering if there was a way to extract the computer hardware information it collects?

 

Oh yes, this is possible.

 

You can extract computer hardware data from the table 'dbo.tbComputerTarget' in the SUS database (SUSDB). The table holds the following columns:

 

TargetID, ComputerID, SID, LastSyncTime, LastReportedStatusTime, LastReportedRebootTime, IPAddress, FullDomainName, OSMajorVersion, OSMinorVersion, OSBuildNumber, OSServicePackMajorNumber, OSServicePackMinorNumber, OSLocale, ComputerMake, ComputerModel, BiosVersion, BiosName, BiosReleaseDate, ProcessorArchitecture, ClientGuid, RequestedTargetGroupName, IsRegistered

 

For instance, you can query it directly using SQL Query Analyzer or OSQL;

 

USE SUSDB

SELECT     FullDomainName, IPAddress, ComputerMake, ComputerModel, BiosName, BiosVersion, OSMajorVersion, OSServicePackMajorNumber

FROM         tbComputerTarget

 

Hope that helps! Happy patching.

 

WSUS Product Team has already announced the release of WSUS 3.0 beta 2 public beta. This is the first public beta for WSUS 3.0 which is preceded by a private TAP beta.

Quick Info:

Program Start Date: 8/14/2006
Program End Date: 2/28/2007
Nomination Start Date: 8/8/2006
Nomination End Date: 2/28/2007

You can register and download WSUS 3.0 Beta 2 from http://connect.microsoft.com/availableconnections.aspx or from http://www.microsoft.com/windowsserversystem/updateservices/default.mspx.

Once registered, you can download WSUSSetup-x86.exe, 56.23 MB using Microsoft File Transfer Manager automatically.

Title: WSUS 3 Beta 2 Setup-x86
Release Date: 8/11/2006
Size: 56.23 MB
Version: 5451.90
Category: Build
Milestone: Beta 2
Description: WSUS 3.0 beta 2 Setup x86

Get Started:

WSUS 3.0 Beta 2 Prerequisites

  1. Microsoft Internet Information Services (IIS) 6.0
  2. Update for Background Intelligent Transfer Service (BITS) 2.0 and WinHTTP 5.1 Windows Server 2003. To download this software, go to the Download Center (http://go.microsoft.com/fwlink/?LinkID=47251).
  3. Microsoft .NET Framework Version 2.0 Redistributable Package 
    1. (x86) - To download this software, go to the Download Center http://go.microsoft.com/fwlink/?LinkID=68935 
    2. (For x64) - also go to the Download Center http://go.microsoft.com/fwlink/?LinkID=70637
  4. Microsoft Report Viewer Redistributable 2005. To obtain this software, go to the Download Center (http://go.microsoft.com/fwlink/?LinkID=70410).
  5. Microsoft Management Console 3.0 for Windows Server 2003 (KB907265).
    1. (x86) - To download this software, go to the Download Center http://go.microsoft.com/fwlink/?LinkID=70412
    2. (For x64) - also go to the Download Center http://go.microsoft.com/fwlink/?LinkID=70638

* Note: WSUS 3.0 beta 2 does not support Vista beta clients at this time.

From Connect Windows Server Update Services 3.0 Beta 2:

WSUS 3.0 Beta 2 Vista RC client support!  After beta 2 releases, we will be adding a new download that will make sure your WSUS 3.0 beta 2 server can service the new RC version of Vista clients when it ships.  This downloadable beta update will be available from the WSUS beta Connect site in the downloads section in the 4th quarter of calendar year 06 - when Vista RC releases! Check back for news on this update to test WSUS 3.0 beta 2 with your Vista RC beta clients.

Happy patching!


Talkr.com allows you to listen to text-only blogs on your iPod. It's a free service to convert the blog text into podcast (Podcasting your blog). Registration is very easy. Once registered, you can add your blog RSS Feed in Talkr Partners Account.

This is for your information. Happy podcasting.

More information is available on http://www.talkr.com.


Many a time, folks in the WSUS newsgroup want to know:

Is there a way to disable the SSL warning in the To-Do list in WSUSAdmin Console?

To Do List
 

WSUS has detected that you are not using Secure Sockets Layer (SSL). Microsoft recommends using SSL to secure administration and client to server communications for better security. For more information, see Using Secure Sockets Layer (SSL).
 
I used to answer that as - "That is not documented anywhere!! We will have to live with that". But, thanks to Josh (poster in NG) for this cheeky workaround.
 
WORKAROUND

Make a backup of "C:\program files\Update Services\administration\home\welcome.aspx" file.

Then open the file in notepad and find the last section at the bottom that starts like this:

<td id="tskNotUsingSSL" class="Tasks" style="display: none;">

You can't delete that line itself, but delete everything between the <div> and </div> right below it, which means you have to delete the following text:


 <div>
          <a href="" onclick="ShowHelp('utilizing_SSL.htm');return false;" class="B"><img src="<%= Constants.VirtualRoot %>/Common/Images/Warning.gif" align="absmiddle" /><%= Resources.GetString("L_HomeNotUsingSSLTitle_Text") %></a></br>
              <%= String.Format(Resources.GetString("L_HomeNotUsingSSLDescription_Text"),
              "<a href=\"\" onclick=\"ShowHelp('utilizing_SSL.htm ');return false;\" class=\"Normal\">" + Resources.GetString("L_HomeNotUsingSSLHelpLink_Text") + "</a>") %>
          <br />
      </div>


Save the file and Voila! Happy Patching :-).

If the logged-in user is part of the Local Administrators group, then he can use the custom install option to unselect updates, which will then be hidden. These updates will not be offered by the WUA at the next detection/scheduled installation time.

Scripting Guru Torgeir Bakken has posted an excellent .vbs script to unhide those hidden updates.

According to Torgeir Bakken (MVP)

If you are afraid that some users will hide some updates using the custom install option, here is a counter-measure you can use if the computers are in an Active Directory domain.

Use a script that unhides all hidden updates every time the computer starts up.

You could put the vbscript below in a computer startup script (with a GPO) that runs as part of the boot up process (before the user logs in).  It runs under the system context and has admin rights.

'--------------------8<----------------------

On Error Resume Next
Dim oSearcher, oSearchResult, i, oUpdate


Set oSearcher = CreateObject("Microsoft.Update.Searcher")


' use locally cached information
oSearcher.Online = False


' find updates that are hidden
Set oSearchResult = oSearcher.Search("IsHidden=1")


If Err.Number = 0 Then
   If oSearchResult.Updates.Count > 0 Then
     For i = 0 to oSearchResult.Updates.Count - 1
       Set oUpdate = oSearchResult.Updates(i)
       ' unhide the update
       oUpdate.IsHidden = False
     Next
   End If
End If

'--------------------8<----------------------

Tip:

If you configure a deadline whilst approving an update, it will restrict local Administrators from being able to unselect or hide that update.

Steven Manross has created Windows Server Update Services add-ons in the form of an SQL stored procedure and .vbs / Perl scripts to determine if computers currently show as needing updates.

The SQL stored procedure (spSRMCountComputersNeedingUpdates.sql) is used in conjunction with the WSUSReport.vbs or (WSUSReport.pl) scripts to automatically notify an admin via email that there are computers needing Windows Security-related updates.

In step 1, let's add the SQL stored procedure on the WSUS database server, and in step 2 we will run the .vbs script to automatically notify the WSUS Administrator via email that there are computers needing updates.

SAMPLE OUTPUT AS SEEN IN EMAIL:

Subject: WSUS: There are computers needing updates

Type: Software KB Article: 816093 Bulletin: MS03-011
Title: 816093: Security Update Microsoft Virtual Machine (Microsoft VM)
Description: This update helps resolve a vulnerability in the Microsoft virtual machine. After you install this item, you may have to restart your computer. Once you have installed this item, it cannot be removed.
More Information: http://go.microsoft.com/fwlink/?LinkId=14964
Server Name(s): computer1.domain.com,computer2.domain.com,computer3.domain.com

PRE-REQUISITES:

The .vbs code below requires the Outlook CDO components, or some other application that installs the CDO.Message object, to be installed on the computer running WSUSReport.vbs.

STEP 1:

Let’s start by adding the following code as a stored procedure (spSRMCountComputersNeedingUpdates.sql);

  • In SQL Enterprise Manager under “instancename\Databases\SUSDB\Stored Procedures”.
  • Right click on the Stored Procedure – click on New Stored Procedure.
  • Paste the code below – click on Check Syntax and make sure it is successful.

spSRMCountComputersNeedingUpdates.sql:-


CREATE PROCEDURE [dbo].[spSRMCountComputersNeedingUpdates]  AS

declare @computersNeedingUpdates int
declare @updatesNeededByComputers int
  SELECT @computersNeedingUpdates = COUNT(DISTINCT(C.TargetID)),
         @updatesNeededByComputers = COUNT(DISTINCT(U.LocalUpdateID))
      FROM tbUpdate AS U
    INNER JOIN dbo.tbUpdateStatusPerComputer AS S WITH (INDEX (nc3UpdateStatusPerComputer)) ON U.UpdateID=S.UpdateID
    INNER JOIN dbo.tbComputerTarget AS C ON C.TargetID = S.TargetID
    WHERE S.SummarizationState IN (2,3,6)  
        AND EXISTS (SELECT * FROM dbo.tbDeployment AS D
                             INNER JOIN dbo.tbRevision AS Re ON Re.RevisionID=D.RevisionID
                             INNER JOIN dbo.tbTargetGroup AS tg ON tg.TargetGroupID = D.TargetGroupID
                             WHERE Re.LocalUpdateID=U.LocalUpdateID AND
                                   D.ActionID IN (0,2) AND
                                   tg.Name <> 'All Computers'
                   )


select @computersNeedingUpdates as computersNeedingUpdates,@updatesNeededByComputers as updatesNeededByComputers

IF @computersNeedingUpdates > 0
  BEGIN

    SELECT U.LocalUpdateID,
      C.FullDomainName as FullDomainName
      FROM tbUpdate AS U
      INNER JOIN dbo.tbPreComputedLocalizedProperty AS PCLP  ON PCLP.UpdateID=U.UpdateID
      INNER JOIN dbo.tbLanguage as L on L.ShortLanguage = PCLP.ShortLanguage
      INNER JOIN dbo.tbLanguageInSubscription as LIS on LIS.LanguageID = L.LanguageID
      INNER JOIN dbo.tbUpdateType AS UT  ON UT.UpdateTypeID=U.UpdateTypeID
      INNER JOIN dbo.tbUpdateStatusPerComputer AS S ON U.UpdateID=S.UpdateID
      INNER JOIN dbo.tbComputerTarget AS C ON C.TargetID = S.TargetID
      INNER JOIN dbo.tbTargetInTargetGroup AS TITG ON TITG.TargetID = C.TargetID
      INNER JOIN dbo.tbTargetGroup AS TG ON TG.TargetGroupID = TITG.TargetGroupID
      INNER JOIN dbo.tbRevision AS Re ON Re.LocalUpdateID = U.LocalUpdateID
      LEFT JOIN dbo.tbKBArticleForRevision AS KB ON KB.RevisionID = RE.RevisionID
      LEFT JOIN dbo.tbSecurityBulletinForRevision AS SB ON SB.RevisionID = RE.RevisionID
      INNER JOIN dbo.tbMoreInfoURLForRevision AS MI ON MI.RevisionID = RE.RevisionID and MI.ShortLanguage = L.ShortLanguage
      WHERE S.SummarizationState IN (2,3,6)  AND
            EXISTS (SELECT * FROM dbo.tbDeployment AS D
                             INNER JOIN dbo.tbRevision AS Re ON Re.RevisionID=D.RevisionID
                             INNER JOIN dbo.tbTargetGroup AS tg ON tg.TargetGroupID = D.TargetGroupID
                             WHERE Re.LocalUpdateID=U.LocalUpdateID AND
                                   D.ActionID IN (0,2) AND
                                   tg.Name <> 'All Computers'
                    )

    SELECT U.LocalUpdateID,
      UT.Name as UpdateTypeName,
      KB.KBArticleID,
      case when SB.SecurityBulletinID IS NULL Then 'None' Else convert(varchar(15),SB.SecurityBulletinID) End as SecurityBulletinID,
      MI.MoreInfoURL as MoreInfoURL,
      PCLP.Title as UpdateTitle,
      PCLP.Description as UpdateDescription
      FROM tbUpdate AS U
      INNER JOIN dbo.tbPreComputedLocalizedProperty AS PCLP  ON PCLP.UpdateID=U.UpdateID
      INNER JOIN dbo.tbLanguage as L on L.ShortLanguage = PCLP.ShortLanguage
      INNER JOIN dbo.tbLanguageInSubscription as LIS on LIS.LanguageID = L.LanguageID
      INNER JOIN dbo.tbUpdateType AS UT  ON UT.UpdateTypeID=U.UpdateTypeID
      INNER JOIN dbo.tbUpdateStatusPerComputer AS S ON U.UpdateID=S.UpdateID
      INNER JOIN dbo.tbComputerTarget AS C ON C.TargetID = S.TargetID
      INNER JOIN dbo.tbTargetInTargetGroup AS TITG ON TITG.TargetID = C.TargetID
      INNER JOIN dbo.tbTargetGroup AS TG ON TG.TargetGroupID = TITG.TargetGroupID
      INNER JOIN dbo.tbRevision AS Re ON Re.LocalUpdateID = U.LocalUpdateID
      LEFT JOIN dbo.tbKBArticleForRevision AS KB ON KB.RevisionID = RE.RevisionID
      LEFT JOIN dbo.tbSecurityBulletinForRevision AS SB ON SB.RevisionID = RE.RevisionID
      INNER JOIN dbo.tbMoreInfoURLForRevision AS MI ON MI.RevisionID = RE.RevisionID and MI.ShortLanguage = L.ShortLanguage
      WHERE S.SummarizationState IN (2,3,6)  AND
            EXISTS (SELECT * FROM dbo.tbDeployment AS D
                             INNER JOIN dbo.tbRevision AS Re ON Re.RevisionID=D.RevisionID
                             INNER JOIN dbo.tbTargetGroup AS tg ON tg.TargetGroupID = D.TargetGroupID
                             WHERE Re.LocalUpdateID=U.LocalUpdateID AND
                                   D.ActionID IN (0,2) AND
                                   tg.Name <> 'All Computers'
                    )
    GROUP BY U.LocalUpdateID,UT.Name,KB.KBArticleID,SB.SecurityBulletinID,MI.MoreInfoURL,PCLP.Title,PCLP.Description


  END
--ENDIF
RETURN 1
GO


STEP 2:

Now save the following .vbs code as WSUSReport.vbs for computers needing updates using the stored procedure above. The following code requires Outlook CDO components to be installed or some other application that installs the CDO.Message object from the computer running WSUSReport.vbs.

WSUSReport.vbs:-


'On Error Resume Next
Const adCmdStoredProc = 4
Const adUseClient = 3

'Requires the Outlook CDO components to be installed or some other application that installs the CDO.Message object.

smtp_mail_from = "Some Friendly Name <someaddress@somesite.org>"
smtp_mail_to = "Recipient Name <recipient@somesite.org>"
smtp_server = "somesmtpserver.somesite.org"
smtp_port = "25"

db = "SUSDB"
appname = "SUSDB Mailer"
db_server = "YOUR-DB-SERVER"

Set Conn = CreateObject("ADODB.Connection")
if Err.Number <> 0 Then
  WScript.Echo "Failed creating ADODB.Connection object -> " & Err.Description
  WScript.Quit(0)
End If

Conn.ConnectionTimeout = 15
Conn.CursorLocation = adUseClient
' Open is a method, so the connection string is passed as an argument, not assigned
Conn.Open "DRIVER={SQL Server};SERVER=" & db_server & ";APP=" & appname & ";DATABASE=" & db & ";Trusted_Connection=yes;"

if Err.Number <> 0 Then
  WScript.Echo "Failed opening ADODB.Connection object with DB info-> " & Err.Description
  WScript.Quit(0)
End If

Set Cmd = CreateObject("ADODB.Command")

if Err.Number <> 0 Then
  WScript.Echo "Failed creating ADODB.Command object -> " & Err.Description
  WScript.Quit(0)
End If
Cmd.CommandText = "spSRMCountComputersNeedingUpdates"
Cmd.CommandType = adCmdStoredProc
Cmd.ActiveConnection = Conn

Cmd.Prepared = 1
Cmd.CommandTimeout = 15

Set RS = Cmd.Execute

if Err.Number <> 0 Then
  WScript.Echo "Failed opening ADODB.Recordset object for Command -> " & Err.Description
  WScript.Quit(0)
End If

rs_count = RS.RecordCount

Dim string

string = "<HTML><BODY>" & vbCrlf

if RS.Fields(0) > 0 Then
  WScript.Echo "Count = " & RS.Fields(0).Value
  Set RSUpdates = RS.NextRecordSet
  Set RSData = RS.NextRecordSet
Else
  WScript.Echo "No updates.  Quitting successfully"
  WScript.Quit(1)
End If

'Loop through all the computers that need updates

  Dim Updates
  Dim Computers
 
  Dim vContainer
  ' Create the dictionary instances.
  Set Updates = CreateObject ("Scripting.Dictionary")
  Updates.CompareMode = StringCompare

x = 0
while (RSUpdates.EOF <> True)
  if Not Updates.Exists(RSUpdates.Fields("LocalUpdateID").Value) Then
    Updates.Add RSUpdates.Fields("LocalUpdateID").Value, RSUpdates.Fields("FullDomainName").Value
  Else
    Updates.Item(RSUpdates.Fields("LocalUpdateID").Value) = Updates.Item(RSUpdates.Fields("LocalUpdateID").Value) & "," & RSUpdates.Fields("FullDomainName").Value
  End If
 
  RSUpdates.MoveNext
Wend

while (RSData.EOF <> True)
  strUpdateID = RSData.Fields("LocalUpdateID").Value
  strSrv = Updates.Item(strUpdateID)
  strUpdateType = RSData.Fields("UpdateTypeName").Value
  strKBID = RSData.Fields("KBArticleID").Value
  strBulletinID = RSData.Fields("SecurityBulletinID").Value
  strInfoURL = RSData.Fields("MoreInfoURL").Value
  strUpdateTitle = RSData.Fields("UpdateTitle").Value
  strUpdateDesc = RSData.Fields("UpdateDescription").Value
  string = string & "<TABLE border = 1>" & vbCrlf & _
           "<TR><TD><b>Type:</B> " & strUpdateType & "</TD><TD><B>KB Article:</B> " & strKBID & "</TD><TD><B>Bulletin:</B> " & strBulletinID & "</TD></TR>" & vbCrlf & _
           "<TR><TD colspan = 3><B>Title:</B> " & strUpdateTitle & "</TD></TR>" & vbCrlf & _
           "<TR><TD colspan = 3><B>Description:</B> " & strUpdateDesc & "</TD></TR>" & vbCrlf & _
           "<TR><TD colspan = 3><B>More Information:</B> <A href=" & strInfoURL & ">" & strInfoURL & "</A></TD></TR>" & vbCrlf & _
           "<TR><TD colspan = 3><B>Server Name(s):</B> " & strSrv & "</TD></TR></TABLE>" & vbCrlf
  RSData.MoveNext
Wend
string = string & "</BODY></HTML>"

Set cdoMessage = CreateObject("CDO.Message")
cdoMessage.Subject = "WSUS: There are computers needing updates"
cdoMessage.From = smtp_mail_from
cdoMessage.To = smtp_mail_to
cdoMessage.HTMLBody = string

cdoMessage.Configuration.Fields.Item("http://schemas.microsoft.com/cdo/configuration/sendusing") = 2
cdoMessage.Configuration.Fields.Item("http://schemas.microsoft.com/cdo/configuration/smtpserver") = smtp_server
cdoMessage.Configuration.Fields.Item("http://schemas.microsoft.com/cdo/configuration/smtpserverport") = smtp_port
cdoMessage.Configuration.Fields.Update

cdoMessage.Send
If Err.Number = 0 Then
  WScript.Echo "Success"
  WScript.Quit(1)
Else
  WScript.Echo "Error sending CDO Message: " & Err.Description
  WScript.Quit(0)
End If


MORE INFORMATION

Kudos to Steven - http://www.manross.net/links.html

WSUS SP1 Readme is updated (on 21st June 2006) with known issues once you apply WSUS SP1.

Readme for WSUS Service Pack 1: This document describes known issues affecting Windows Server Update Services Service Pack 1 (WSUS SP1).

New Known Issues:

Issue 6: If you are using a proxy server, the SP1 upgrade may clear the proxy configuration username and password

Issue 7: How to recover from a failed upgrade to restore your WSUS server to a consistent state and then retry the upgrade.

Issue 8: WSUS SP1 upgrade can fail in some cases when the WMSDE database has been migrated

Issue 9: WSUS SP1 is not updating WSUS servers which are setup using remote SQL deployments

Issue 10: Changing the computer name prior to upgrading to WSUS SP1 can cause the upgrade to fail

Direct Link: http://download.microsoft.com/download/7/d/c/7dce8ed3-8d44-421f-902c-95391577ecb5/ReadMe.htm

Bobbie Harder (MSFT) has posted a list of Top known issues whilst upgrading WSUS to WSUS SP1 on microsoft.public.windows.server.update_services. These issues will be updated in a KB and in the online WSUS SP1 readme.

1.  If you are using a proxy server, in some cases the SP1 upgrade may clear the proxy configuration username and password.  This may cause synchronization of updates from Microsoft Servers to generate an "invalid parameter" error. To address this issue, reset the proxy configuration username and password and re-synchronize your server.

2. Remote SQL deployments: WSUS SP1 is not updating WSUS servers which are setup using remote SQL deployments.

Solution:

The WSUS with SP1 setup Package must be run on both the front end and back end servers.

  • Run the setup package on the front end with no switches and choose to upgrade.

  • Run the setup package on the back end with no switches and choose to upgrade.

3. Changed Machine Name after RTM install prior to SP1 upgrade can cause the WSUS SP1 upgrade to fail.

Workaround:

Use the following script to remove and re-add the ASPNET and WSUS Administrators groups.  Then run the upgrade again.

osql.exe -S %computername%\WSUS -E -Q "USE SUSDB DECLARE @asplogin varchar(200) SELECT @asplogin=name from sysusers WHERE name like '%ASPNET' EXEC sp_revokedbaccess @asplogin"
osql.exe -S %computername%\WSUS -E -Q "USE SUSDB DECLARE @wsusadminslogin varchar(200) SELECT @wsusadminslogin=name from sysusers WHERE name like '%WSUS Administrators' EXEC sp_revokedbaccess @wsusadminslogin"

osql.exe -S %computername%\WSUS -E -Q "USE SUSDB DECLARE @asplogin varchar(200) SELECT @asplogin=HOST_NAME()+'\ASPNET' EXEC sp_grantlogin @asplogin EXEC sp_grantdbaccess @asplogin EXEC sp_addrolemember webService,@asplogin"
osql.exe -S %computername%\WSUS -E -Q "USE SUSDB DECLARE @wsusadminslogin varchar(200) SELECT @wsusadminslogin=HOST_NAME()+'\WSUS Administrators' EXEC sp_grantlogin @wsusadminslogin EXEC sp_grantdbaccess @wsusadminslogin EXEC sp_addrolemember webService,@wsusadminslogin"

osql.exe -S %computername%\WSUS -E -Q "backup database SUSDB to disk=N'<ContentDirectory>\SUSDB.Dat' with init"

Note: you may have to replace <ContentDirectory> in the last line with the path to your actual content store.

4.            

a. WSUS SP1 upgrade can fail in some cases when the WMSDE database has been migrated to a  local SQL 2000 server.

Cause:  

A registry key value must be changed in order for WSUS SP1 setup package to recognize there is no wmsde database to update.

Workaround:

If users have migrated WMSDE to a SQL server (local or remote) they must change the value of the following registry key:

1.      HKLM\Software\Microsoft\Update Services\Server\Setup\WmsdeInstalled, from "1" to "0" before attempting to upgrade to WSUS SP1.

 

According to Bernd Teichert (blog reader), in some cases you might have to change the InstallType too on a local SQL 2000 Server installation:

2.      HKLM\Software\Microsoft\Update Services\Server\Setup\InstallType from "0x80" to "0x20". 

b. WSUS SP1 upgrade can fail in some cases when the WMSDE database has been migrated to a remote SQL 2000 server.

Cause:  

Two registry key values must be changed in order for WSUS sp1 setup package to recognize there is no wmsde database to update and the update must be initiated on the backend, followed by the front end server.

Workaround:

If users have migrated WMSDE to a SQL server (local or remote) they must change the values of the following registry keys:

1.      HKLM\Software\Microsoft\Update Services\Server\Setup\WmsdeInstalled, from "1" to "0" before attempting to upgrade to WSUS SP1.

2.      HKLM\Software\Microsoft\Update Services\Server\Setup\InstallType from "0x80" to "0x20". 

After updating these registry key values, initiate upgrade on backend and then on front end servers.

 

5. How to recover from a failed upgrade to restore your WSUS server to a consistent state and then retry the upgrade.

Description:

If the upgrade to WSUS SP1 fails it can leave your WSUS installation in an inconsistent and/or unusable state. In order to retry upgrading to WSUS SP1 you need to get your WSUS installation to a consistent state. To do this you can use the backup database created at the beginning of the upgrade process to restore your WSUS server to a pre-upgrade state.

Workaround:  

If the upgrade operation to WSUS SP1 is unsuccessful, you can use the original WSUS backup database that was created at the start of the upgrade process to restore WSUS to a consistent state. In the event of a failed upgrade follow these steps to retry upgrading to WSUS SP1:

To retry upgrading to WSUS SP1;

1.       Determine the location of the backup database by reviewing the contents of the WSUSSetup_%timestamp%.log file. This file is located in the following folder - %programfiles%\Update Services\LogFiles.

2.       Restore the backup database on the WSUS computer.

·         osql.exe -S <DatabaseInstance> -E -Q "USE master ALTER DATABASE SUSDB SET SINGLE_USER WITH ROLLBACK IMMEDIATE RESTORE DATABASE SUSDB FROM DISK=N'<PathToDatabaseBackup>' WITH REPLACE ALTER DATABASE SUSDB SET MULTI_USER"

·         Remember to replace <DatabaseInstance> and <PathToDatabaseBackup> with values from your installation.

·        For <DatabaseInstance> use the value from the following registry key: HKLM\Software\Microsoft\Update Services\Server\Setup\SqlServerName

·        For <PathToDatabaseBackup> use the value you identified in step 1.

3.       Uninstall WSUS, but keep the WSUS database, log files and update files when you are prompted to remove them (i.e. Ensure that all options in "Remove Microsoft Windows Server Update Services" are unchecked).

4.       Reinstall WSUS RTM (the original version not WSUS with SP1). Use the existing database when you are prompted to do this. This will return your WSUS system to a consistent state.

5.       Install WSUS SP1.

* Note that you cannot use the backed up database from step 1 above directly in clean install of WSUS SP1 since the database schema has changed between WSUS RTM and WSUS SP1.

For any issues related to WSUS SP1 upgrade, you can post your queries directly on the following thread on microsoft.public.windows.server.update_services.

You see the following error in %Windir%\WindowsUpdate.log

SYMPTOMS

2006-06-15      17:02:23        2104    83c     Misc    ===========  Logging initialized (build: 5.8.0.2469, tz: -0400)  ===========
2006-06-15      17:02:23        2104    83c     Misc      = Process: C:\WINDOWS\system32\wuauclt.exe
2006-06-15      17:02:23        2104    83c     Misc      = Module: C:\WINDOWS\system32\wuaueng.dll
2006-06-15      17:02:23        2104    83c     DtaStor FATAL: Failed to initialize datastore, error = 0xC800021F
2006-06-15      17:02:23        2104    83c     Misc    ===========  Logging initialized (build: 5.8.0.2469, tz: -0400)  ===========

CAUSE

It looks like the client datastore failed to initialize.

WORKAROUND

  1. Open a CMD prompt on the client.
  2. Type "net stop wuauserv" (without quotes) <hit enter>.
  3. Type "cd %Windir%\SoftwareDistribution".
  4. Type "RD /s /q Datastore" (this will remove the client datastore).
  5. Type "net start wuauserv" (without quotes) <hit enter> .
  6. Type "wuauclt /detectnow" then check %Windir%\WindowsUpdate.log if it is successful.

OR, just stop the Automatic Updates Service and delete "%Windir%\SoftwareDistribution\DataStore" folder and start Automatic Updates Service and force the update detection (wuauclt /detectnow)
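
Added example (not part of the original post): a small Python triage script that scans WindowsUpdate.log text for the datastore initialization failure described in this post and returns the error code, client build and PID for each hit. The sample log reproduces the excerpt with some records wrapped across lines, as pasted logs often are, plus one constructed line for a second session; the function names and the DATASTORE_RESET list (the workaround steps from this post) are illustrative assumptions.

```python
import re
from dataclasses import dataclass

# Sample input: the excerpt from this post with wrapped records, plus one
# constructed line (PID 988) for a later session that logs no error.
SAMPLE_LOG = r"""
2006-06-15      17:02:23        2104    83c     Misc    ===========  Logging initialized (build:
5.8.0.2469, tz: -0400)  ===========
2006-06-15      17:02:23        2104    83c     Misc      = Process: C:\WINDOWS\system32\wuauclt.exe
2006-06-15      17:02:23        2104    83c     Misc      = Module: C:\WINDOWS\system32\wuaueng.dll
2006-06-15      17:02:23        2104    83c
DtaStor FATAL: Failed to initialize datastore,
error = 0xC800021F
2006-06-15      17:10:41        988     5a4     Misc    ===========  Logging initialized (build: 5.8.0.2469, tz: -0400)  ===========
"""

# A record starts with date, time, PID and TID; any other non-empty line is
# treated as a continuation of the previous record.
RECORD_START = re.compile(
    r"^(\d{4}-\d{2}-\d{2})\s+(\d{2}:\d{2}:\d{2})\s+(\d+)\s+([0-9a-fA-F]+)\s*(.*)$"
)
BUILD = re.compile(r"Logging initialized \(build:\s*([\d.]+)")
DATASTORE_FATAL = re.compile(
    r"FATAL: Failed to initialize datastore,\s*error = (0x[0-9A-Fa-f]{8})"
)

# Workaround steps as given in this post, in order.
DATASTORE_RESET = [
    "net stop wuauserv",
    r"cd %Windir%\SoftwareDistribution",
    "RD /s /q Datastore",
    "net start wuauserv",
    "wuauclt /detectnow",
]


@dataclass
class Record:
    date: str
    time: str
    pid: int
    tid: str
    component: str
    message: str


def parse_records(text):
    """Split log text into records, re-joining wrapped lines."""
    raw = []  # each entry: [date, time, pid, tid, [body parts]]
    for line in text.splitlines():
        if not line.strip():
            continue
        m = RECORD_START.match(line)
        if m:
            raw.append([m.group(1), m.group(2), m.group(3), m.group(4),
                        [m.group(5).strip()]])
        elif raw:
            raw[-1][4].append(line.strip())
    records = []
    for date, time, pid, tid, parts in raw:
        body = " ".join(p for p in parts if p)
        fields = body.split(None, 1)  # first token is the component name
        component = fields[0] if fields else ""
        message = fields[1] if len(fields) > 1 else ""
        records.append(Record(date, time, int(pid), tid, component, message))
    return records


def find_datastore_failures(text):
    """Return one finding per DtaStor FATAL datastore-initialization record."""
    builds = {}  # pid -> client build announced by that process
    findings = []
    for rec in parse_records(text):
        b = BUILD.search(rec.message)
        if b:
            builds[rec.pid] = b.group(1)
        f = DATASTORE_FATAL.search(rec.message)
        if rec.component == "DtaStor" and f:
            code = "0x" + f.group(1)[2:].upper()
            findings.append({
                "when": f"{rec.date} {rec.time}",
                "pid": rec.pid,
                "build": builds.get(rec.pid),
                "error": code,
                # Only the error code covered by this post maps to its workaround.
                "fix": DATASTORE_RESET if code == "0xC800021F" else None,
            })
    return findings


if __name__ == "__main__":
    for finding in find_datastore_failures(SAMPLE_LOG):
        print(finding)
```
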

Ten Principles of Microsoft Patch Management

By Christopher Budd, Security Program Manager, Microsoft Corporation


1. Service packs should form the foundation of your patch management strategy.

2. Make Product Support Lifecycle a key element in your strategy.

3. Perform risk assessment using the Severity Rating System as a starting point.

4. Use mitigating factors to determine applicability and priority.

5. Only use workarounds in conjunction with deployment.

6. Issues with Security Updates are documented in the Security Bulletin Master Knowledge Base Article.

7. Test updates before deployment.

8. Contact Microsoft Product Support Services if you encounter problems in testing or deployment. An important thing to remember is that Microsoft provides no-charge support for issues related to security updates. You can get in touch with Microsoft for security bulletin support through the Security Support Site at http://support.microsoft.com/securityitpro

9. Use only methods and information recommended for detection and deployment.

10. The Security Bulletin is always authoritative.

 

To identify if you have installed WSUS SP1;

You can check the version number for the wsusservice.exe file located in %ProgramFiles%\Update Services\service\bin\wsusservice.exe.

OR, check the WSUS Build number from WSUSAdmin home page (bottom of the page - Last line)

WSUS SP1 Build 2.0.0.2620
WSUS RTM Build 2.0.0.2472
WSUS RC Build 2.0.0.2340


SYMPTOMS

After updating WSUS to WSUS SP1...

  • You might see Red X on WSUS Updates Window in WSUSAdmin console and eventually Synchronization fails.
  • Content file download failed. Reason: The parameter is incorrect. Source File:
    /msdownload/update/v3-19990518/cabpool/windowsmedia10-kb917734-x86-enu_499fe88d62843835153a4225712e1b2f19120527.exe
    Destination File:
    d:\WSUS\WsusContent\27\499FE88D62843835153A4225712E1B2F19120527
  • Source: Windows Server Update
    Category: Synchronization
    Event ID: 386
    Description:-
    Synchronization failed. Reason: The underlying connection was closed: Unable to connect to the remote server.

KNOWN ISSUE

This is a known issue. Once you upgrade to WSUS SP1, you might want to re-configure Synchronization Options (proxy settings - proxy password) in WSUSAdmin console as they are lost during the upgrade.

Save the settings and perform a manual sync to download the updates. Did it work for you?

The other day, Dave (poster on http://patchmanagement.org/) wanted to know the best resource for finding up to date information on whether or not there is exploit code available for Microsoft Security Patches? Susan immediately replied to check www.incidents.org. They also have an archive http://www.incidents.org/diary.php?date=2006-06-14.

Get the xml feed.


There is some confusion in updating WSUS to WSUS SP1 on remote SQL deployments to run with (Front end and Back end) switches. WSUS SP1 update must be initiated on the backend WSUS Server first followed by the front end WSUS Server.

According to Bobbie Harder (MSFT):

You do have to run the setup package (WSUS SP1) on both the back-end Server (first run on back-end server) and then on front-end server without passing any switches. The steps which have been tested and validated should be:

1) Run the setup package on the front-end with no switches and choose to upgrade.

2) Run the setup package on the back-end with no switches and choose to upgrade.

UPDATE 6/13/2006:

3) ALSO, if you have migrated your WSUS server database (WMSDE) to a SQL server (local or remote), you must change the value of the following TWO registry entries before attempting to upgrade to WSUS SP1:

  1. HKLM\Software\Microsoft\Update Services\Server\Setup\WmsdeInstalled, from "1" to "0"
  2. HKLM\Software\Microsoft\Update Services\Server\Setup\InstallType from "0x80" to "0x20"

If you are struggling with installing WSUS SP1 then feel free to post your issues on microsoft.public.windows.server.update_services
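
A read-only pre-upgrade check that combines the wsusservice.exe version check from the earlier post with the two registry values listed above. This is an added example, not code from the post or from Microsoft; the -DatabaseMigratedToSql switch, the exit codes and the output wording are assumptions, and the script changes nothing on the server.

```powershell
# Added example: read-only pre-upgrade check for a WSUS 2.0 server.
param(
    # Assumption: the operator states whether the database was moved from WMSDE to SQL Server.
    [switch]$DatabaseMigratedToSql
)

$exe      = Join-Path $env:ProgramFiles 'Update Services\service\bin\wsusservice.exe'
$setupKey = 'HKLM:\Software\Microsoft\Update Services\Server\Setup'

# Build numbers as listed in the post.
$builds = @{ '2.0.0.2620' = 'WSUS SP1'; '2.0.0.2472' = 'WSUS RTM'; '2.0.0.2340' = 'WSUS RC' }

if (-not (Test-Path $exe)) { Write-Error "wsusservice.exe not found at $exe"; exit 2 }
$fvi     = [System.Diagnostics.FileVersionInfo]::GetVersionInfo($exe)
$version = '{0}.{1}.{2}.{3}' -f $fvi.FileMajorPart, $fvi.FileMinorPart, $fvi.FileBuildPart, $fvi.FilePrivatePart
$release = $builds[$version]
if (-not $release) { $release = 'build not in the list' }
Write-Output "wsusservice.exe $version ($release)"

if ($release -eq 'WSUS SP1') { Write-Output 'SP1 is already installed.'; exit 0 }
if (-not $DatabaseMigratedToSql) {
    Write-Output 'Registry values not checked (run with -DatabaseMigratedToSql if the database was migrated).'
    exit 0
}

# Values the post says must be in place before upgrading a migrated database.
$required = @{ WmsdeInstalled = 0; InstallType = 0x20 }
$props    = Get-ItemProperty -Path $setupKey -ErrorAction Stop
$pending  = 0
foreach ($name in $required.Keys) {
    $current = $props.$name
    # The [int] cast accepts DWORD data as well as string data such as "1" or "0x80".
    if ($null -ne $current -and [int]$current -eq $required[$name]) {
        Write-Output "OK      $name = $current"
    } else {
        Write-Output ("CHANGE  {0} = '{1}', expected 0x{2:X}" -f $name, $current, $required[$name])
        $pending++
    }
}
if ($pending -gt 0) {
    Write-Output "Export $setupKey as a backup, correct the values above, then run the SP1 setup."
    exit 1
}
Write-Output 'Registry values match; ready for the SP1 upgrade.'
```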

Brian McCann wants to know a better way to Check the Version of Windows Installer.

According to Windows Installer Team blog, "If you want to check the version of the Windows Installer on your system, check the version of MSI.DLL in the Windows\System32 folder. If the version is 3.1.4000.2435, you have the latest version.

One common point of confusion is that even if you have the latest version of Windows Installer 3.1 on your system and you type in msiexec.exe /? from a command-window, you will still be told that you are on version 3.1.4000.1823 or 3.1.4000.1830. This is because msiexec.exe /? will only give you the version of msiexec on the system -- not the other Windows Installer-related dll's. (The version of msiexec was not updated to 3.1.4000.2435 with the (v2) redistributable, just msi.dll was updated.)"

Luckily, I found a neat .vbs browser hosted script by Michael Harris (MVP Scripting). Save the following code as .htm

<html>
<head>
<script language="vbscript">
sub document_onclick()
set installer = createobject("windowsinstaller.installer")
msgbox installer.version
end sub
</script>
</head>
<body>
Click me for Windows Installer version...
</body>
</html>

and you are done :-). Note that the "windowsinstaller.installer" object is not marked safe for scripting in IE browser-hosted script. Double-click the saved .htm file, then click the Information Bar to allow the blocked ActiveX control in IE.

If the machine is configured for automatic updates using WSUS, then it will update the installer automatically as a mandatory WSUS update :-).

WSUS SP1 is finally released. Besides delivering updates, Windows Server Update Services with Service Pack 1 (WSUS SP1) includes support for Microsoft SQL Server 2005 and the forthcoming Windows Vista operating system. It also provides additional stability and performance improvements. After you install WSUS SP1, you may be required to restart your computer. Note: You cannot remove WSUS SP1 after you install it.

Download Windows Server Update Services with Service Pack 1
http://www.microsoft.com/windowsserversystem/updateservices/downloads/WSUSSP1.mspx

Download WSUS SP1 only - Download the KB919004-x86.exe package now.
http://download.microsoft.com/download/f/6/d/f6d9eb30-2612-47f7-b14a-41a47e8a9a8e/wsus2-kb919004-x86.exe

Description of Windows Server Update Services Service Pack 1
http://support.microsoft.com/?kbid=919004

Updating Microsoft Windows Vista Beta 2 Computers via WSUS
http://technet2.microsoft.com/WindowsServer/f/?en/Library/70c3aea9-4dc2-49ad-a085-dc1b59f1af7d1033.mspx

Readme for WSUS Service Pack 1
http://download.microsoft.com/download/7/d/c/7dce8ed3-8d44-421f-902c-95391577ecb5/ReadMe.htm

Report your issues on microsoft.public.windows.server.update_services

So, before you apply Microsoft Security Bulletin MS06-019 on Exchange Servers - Be careful. Take a look at the known issues.

912918 (http://support.microsoft.com/kb/912918/) Users cannot send e-mail messages from a mobile device or from a shared mailbox in Exchange 2000 Server and in Exchange Server 2003.

First, find accounts that have the Full Mailbox Access permission without the Send As permission using the script from http://support.microsoft.com/kb/912918/ and grant the Send As permission either manually using DSA.msc or using the script's -SetAll switch.

And then, you are ready to apply MS06-019.
