wsus mu and wu oh my n.
Skip this Video
Loading SlideShow in 5 Seconds..
WSUS, MU and WU oh my! PowerPoint Presentation
Download Presentation
WSUS, MU and WU oh my!

Loading in 2 Seconds...

play fullscreen
1 / 78

WSUS, MU and WU oh my! - PowerPoint PPT Presentation

  • Uploaded on

WSUS, MU and WU oh my!. SMB Technology Network Susan Bradley, Patchaholic. We’re going to assume . You’ve done your homework Think risk management. WU and MU. The basics of Windows and Microsoft Update.

I am the owner, or an agent authorized to act on behalf of the owner, of the copyrighted work described.
Download Presentation

PowerPoint Slideshow about 'WSUS, MU and WU oh my!' - jaden

An Image/Link below is provided (as is) to download presentation

Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author.While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server.

- - - - - - - - - - - - - - - - - - - - - - - - - - E N D - - - - - - - - - - - - - - - - - - - - - - - - - -
Presentation Transcript
wsus mu and wu oh my

WSUS, MU and WU oh my!

SMB Technology Network

Susan Bradley, Patchaholic

we re going to assume
We’re going to assume
  • You’ve done your homework
  • Think risk management
wu and mu

WU and MU

The basics of Windows and Microsoft Update

wu versus mu
WU versus MU
  • Windows Update
    • Just patches Windows
  • Microsoft update
    • Patches [at this time]
    • Windows
    • Office
    • Exchange
    • More to come
  • Engine is the same - Troubleshoot the same
mu is optional
MU is optional
  • Opt in to MU
mu steps
MU steps
  • Accept EULA
  • Need to install software to get it to use it
  • Downloads activeX files
  • \Windows\Downloaded Program Files
  • The following ActiveX controls will be installed:
    • MUWebControl Class
    • WUWebControl Class
is it safe
Is it safe?
  • If first visit will get ‘authenticode’ prompt
two options to install
Two options to install
  • Express Install: This option is recommended and provides the easiest method for installing high priority updates.
  • Custom Install: This option enables a user to select which specific updates are installed.
revert to wu
Revert to WU
  • Go back
  • Click on Change settings
  • Check the box
test connectivity
Test connectivity
  • If you see this:
  • You are good to go
file updated
File updated
  • Windows Genuine Advantage control
  • Windows Installer 3.1
  • Background Intelligent Transfer Service (BITS) update
auto updates options
Auto updates options
  • Download
  • Will allow you to install them at a later time
  • SUS Support file
  • Operating System and Service Pack Level
    • Right-click My Computer and select Properties
  • Internet Explorer Version and Service Pack Level
    • Check the Help > About interface in Internet Explorer
items to gather for troubleshooting
Items to gather for troubleshooting
  • Internet Explorer Cipher Strength
    • Check the Help > About interface in Internet Explorer
  • Network Configuration (local area network [LAN], DSL, Firewall, Etc)
  • Tried using the Windows Update v6 Troubleshooter?
  • Has anything changed on the machine recently?
in the sus reporting tool
In the SUS reporting tool
  • Windows Update logs (both Version 4 and Version 6)
  • ReportingEvents.log this shows what error was returned to our servers.
  • Internet Explorer Registry key data to help with proxy or access issues
  • Windows Update Registry key to help with policy and Automatic Updates issues
  • Service Output file to show what services are running on the machine and which are stopped.
sus reporting tool
SUS reporting tool
  • Application and System event logs
  • BITS Admin log to help investigate download issues
  • Update.exe installation logs to help with installation failure issues
  • Setuplog to help investigate installation issues
  • Setupapi.log to help investigate driver installation issues
log files
Log files
  • Start, then click Run, type WINDOWSUPDATE.LOG and then click OK.
  • windows update.log
    • Is the v4 version
  • WindowsUpdate.log
    • Is the v6 version
common errors
Common errors
  • 0x80072EE2 – 0x80072F78 – 0x80072F76 – 0x80072EFD
    • 836941 - You receive an "Error 0x80072EE2" or "Error 0x80072EFD" error message when you try to use Windows Update
    • Add Windows Update Web sites to the Trusted Sites list
common errors1
Common Errors
  • 0x80070424
    • How to troubleshoot problems accessing secure Web pages with Internet Explorer 6 Service Pack 2 (870700)
    • This Windows Update error code is caused by unregistered DLL files for Windows Update or Internet Explorer. On Windows XP SP2 and later this may be resolved using the “iexplore /rereg” command.
common errors2
Common Errors
  • 0x80244001/0x800A01AD
    • These Windows Update error codes can be caused by a damaged Windows XP XML subsystem. The first step to take is to reregister this component using the command “regsvr32 msxml3.dll”. If this does not resolve the issue, check for more recently updated MSXML Parser and MSXML components from the following link:
common errors3
Common Errors
  • When accessing the Update site, you receive the 0x800A01AE error.
    • This issue may happen if the current session of Internet Explorer has cached an older version of Wuapi.dll
    • Re-register the Windows Update DLL with the commands below
    • Click Start, click Run, type cmd, and then click OK.
    • Type the following commands. Press ENTER after each command.regsvr32 wuapi.dllregsvr32 wuaueng.dllregsvr32 wuaueng1.dllregsvr32 wucltui.dllregsvr32 wups.dllregsvr32 wups2.dllregsvr32 wuweb.dll
common errors4
Common Errors
  • 0x80248011
    • This Windows Update error code is normally related to inconsistent or damaged information in the c:\windows\softwaredistribution folder. Stopping the Automatic Updates service then renaming the c:\windows\softwaredistribution folder to SDOLD then restarting the Automatic Updates service normally is the fix for this issue.Note: Renaming this folder will clear the display of previous successful and failed updates.
common errors5
Common Errors
  • 0x800B0001
    • This Windows Update error code is related to 3 particular DLL files that are not registered in windows correctly. Registering the following files with REGSVR32 normally fixes this issue:
    • Softpub.dll
    • Mssip32.dll
    • Initpki.dll
common errors6
Common Errors
  • 0x8024402C
    • This Windows Update error can be caused by a damaged installation of BITS and corrupted information in the SoftwareDistribution folder. The solution is normally to re-download the BITS updates (KB883357 and KB842773) from the website, then stop the Automatic Updates service and rename the SoftwareDistribution folder to SDOLD. Reboot the computer and return to Windows Update.
diagnose tools
Diagnose tools
  • Look at WindowsUpdate.log from the bottom up
  • To enable site tracing for a single visit to the Windows Update site, add “&dev=true” to the end of the URL, as in the example below:
  • Most third party firewalls such as Norton Personal Firewall block SVCHOST (Generic Host Process Win32) communication by default. This can cause issues with Windows Update as SVCHOST communication is required by the Windows Update client to connect to the Windows Update Servers on the internet.
wsus basics

WSUS basics

Are you ready to patch?

  • Patches the same pieces as MU
  • More to come
  • Clients ‘check in’ with server
  • Not push
  • Pull
  • Can force a push if need be via scripting
wsus installation
WSUS installation
  • Install on server
  • Will default go on port 8530
  • On standard loads up a MSDE instance
  • Remember …clients may need in registry http://servername:8530 or Group
  • Beginners guide to WSUS
wsus issues
WSUS issues
  • Clients may not check in
    • Manually put in registry
  • Sync process takes a long time
    • About 24 hours if you pull down all files
  • Double-click the installer file WSUSSetup.exe.
  • Note:
  • The latest version of WSUSSetup.exe is available on the Microsoft Web site for Windows Server Update Services at
  • 2. On the Welcome page of the wizard, click Next.
  • 3. Read the terms of the license agreement carefully, click I accept the terms of the License Agreement, and then click Next.
  • 4. On the Select Update Source page, you can specify where clients get updates. If you select the Store updates locally check box, updates are stored on the WSUS server and you select a location in the file system to store updates. If you do not store updates locally, client computers connect to Microsoft Update to get approved updates.
  • Keep the default options, and click Next.
  • Select Update Source Page
  • Needs a LOT of space
  • 6 GB
wmsde is default
WMSDE is default
  • On the Database Options page, you select the software used to manage the WSUS database. By default, WSUS Setup offers to install WMSDE if the computer you are installing to runs Windows Server 2003.
  • If you cannot use WMSDE, you must provide a SQL Server instance for WSUS to use, by clicking Use an existing database server on this computer and typing the instance name in the SQL instance name box. For more information about database software options besides WMSDE, see the “Deploying Microsoft Windows Server Update Services” white paper.
  • Keep the default options, and click Next.
  • Database Options Page
wsus install
WSUS install

Now up to 8 gigs

on premium set up the rule pre done on sbs
On premium – set up the rule [pre done on SBS]
  • http://*
  • https://*
  • http://*
  • https://*
  • http://*
  • http://*
proxy settings
Proxy settings
  • On the WSUS console toolbar, click Options, and then click Synchronization Options.
  • 2. In the Proxy server box, select the Use a proxy server when synchronizing check box, and then type the proxy server name and port number (port 80 by default) in the corresponding boxes.
  • 3. If you want to connect to the proxy server by using specific user credentials, select the Use user credentials to connect to the proxy server check box, and then type the user name, domain, and password of the user in the corresponding boxes. If you want to enable basic authentication for the user connecting to the proxy server, select the Allow basic authentication (password in clear text) check box.
  • 4. Under Tasks, click Save settings, and then click OK in the confirmation dialog box.
to get to wsus
To get to WSUS
  • Admin tools
  • http://servername:8530/WSUSAdmin/
wsus console
WSUS console

Missing the computers!

adding the wuau template
Adding the WUAU template
  • 1. In Group Policy Object Editor, click either of the Administrative Templates nodes.
  • 2. On the Action menu, click Add/Remove Templates.
  • 3. Click Add.
  • 4. In the Policy Templates dialog box, click wuau.adm, and then click Open.
  • 5. In the Add/Remove Templates dialog box, click Close.
getting the clients to check in
Getting the clients to ‘check in’
  • In Group Policy Object Editor, expand Computer Configuration, expand Administrative Templates, expand Windows Components, and then click Windows Update.
  • In the details pane, click Specify Intranet Microsoft update service location.
  • Type the HTTP URL of the same WSUS server in both Set the intranet update service for detecting updates and Set the intranet statistics server. For example, type http://servername:8530 in both text boxes, where servername is the name of your WSUS server.
  • Click OK, and then configure the behavior of Automatic Updates
known issue of compression
Known issue of ‘compression’
  • Get the hotfix
  • Or ‘kick them’ to check into the system
assigning groups
Assigning groups
  • Two methods
    • Group policy
    • Move computers
  • Add a new policy
editing group policy
Editing Group policy
  • Why NOT edit an existing one?
  • SP redeployed these and would blow off your customizations
  • Add new
  • Right mouse click on edit
drill down to the setting
Drill down to the setting
  • Computer config
  • Admin
  • Components
  • Windows Update
wu point it
WU – point it
  • First point your intranet updating
  • Remember 8530
change the check in interval
Change the check in interval
  • If you like – change the detection frequency
client side targeting
Client side targeting
  • This one seems to make things ‘work’
  • Put a name in there to get things ‘waking up’
  • You’ll move it later
to force it
To force it
  • GPupdate /force
    • On server
    • And on workstation if you want to test it ‘now’
group policy settings
Group Policy settings
  • Final results on the GP screen
servers and workstations
Servers and Workstations
  • Will begin to ‘check in’
adding zones
Adding ZONES
  • Key decision making right here
  • What risk
  • What zone
  • What deployment strategy
  • Who gets what patches when?
  • At least have a Zone for the server[s]
  • One for workstations
  • More zones?
  • Your ‘canary testers’?
  • LOB app machines?
Groups are your Risk areas
  • Create the ‘groups’ to match your risk zones
assign accordingly
Assign accordingly
  • Again think of groups as ‘risk zones’
don t gloss over this
Don’t gloss over this
  • This is your most important step
  • You are assigning risk values with this process
more info on wsus sbs ized
More info on WSUS [sbs-ized]
wsus for your clients
WSUS for your clients
  • Can remote in and approve patching
  • 1. On the WSUS console toolbar, click Updates. By default, the list of updates is filtered to show only Critical and Security Updates that have been approved for detection on client computers. Use the default filter for this procedure.
  • 2. On the list of updates, select the updates you want to approve for installation. Information about a selected update is available on the Details tab. To select multiple contiguous updates, press and hold down the SHIFT key while selecting; to select multiple non-contiguous updates, press and hold down the CTRL key while selecting.
  • 3. Under Update Tasks, click Change approval. The Approve Updates dialog box appears.
  • 4. In the Group approval settings for the selected updates list, click Install from the list in the Approval column for the Test group, and then click OK.
you as the master wsuser
You as the master WSUSer
  • If you are a Microsoft Certified Partner or Registered Partner, submit two (2) signed complete originals of the Microsoft SPLA agreement V2.1 Sept03.pdf to Software Spectrum Inc.
  • If you are NOT a Microsoft Certified Partner or Registered Partner;
  • 1) You will need to have a Microsoft Registered Partner number to complete the attached SPLA MCP addendum. You can become a Registered Partner at . 
  • 2) You need to register for the Microsoft Windows® Web Holster Program at
  • 3) Submit two (2) signed complete originals of the SPLA MCP addendum V2.1.doc to Software Spectrum Inc.
  • 4) Submit two (2) signed complete originals of the Microsoft SPLA agreement V2.1 Sept03.pdf to Software Spectrum Inc.    
  • All Signed agreements must be mailed to:
  • Software Spectrum
  • Attn: Microsoft Contracts Team3480 Lotus Dr. Plano, TX 75075
clients can point to you
Clients can point to you
  • As Master WSUS er
  • Easier if you just remote and approve
  • Recommend a patch agreement program
  • You do not guarantee patch status
  • You offer to work with vendor
  • Investigate work arounds and mitigations
wsus info
WSUS info
  • Approval – be patient
patch issues
Patch issues
  • Patch testing
    • How can we do it in SBSland
    • Virtual servers
    • Identified key testers
    • Review known issues [in each bulletin]
    • Watch the communities
    • Don’t bother testing Office/Windows…unless
    • Standardize …standardize
  • Do you need to patch?
  • Zoning – who is at risk?
  • Is that port open?
  • How can get you?
  • Resources for determining risks
risk resources
Risk Resources
  • Threats and Countermeasures guide
  • Ports open
  • shields up test
patch resources
Patch resources
    • WSUS
    • General Patch Mgmt
  • WSUS blog -
  • WSUS wiki -
  • WSUS blog –
what s better about wsus
What’s better about WSUS?
  • 5 key benefits
    • More products updated (Exchange, Office, SQL) and more update types (drivers, etc).
    • Reporting
    • Target Groups
    • Install at Shutdown
    • Scripting/API
  • Two sets of APIs
    • Client side
    • Server side
  • Documentation with RC
    • WUS.CHM
  • WSUSADMIN site a reference implementation using APIs
  • If you don’t like the UI, you could do it yourself
  • Main causes of issue are simple configuration errors
    • “http://wsusservernome/” in a GPO Object
  • SelfUpdate tree needs to be on port 80
  • Tools with the RC
    • Clientdiag.exe – diagnoses some issues
  • Logs
    • %systemroot%\WindowsUpdate.log
securing wsus traffic
Securing WSUS traffic
  • Forcing WSUSAdmin site to use SSL is simple
    • Obtain and install a web certificate
    • Enable SSL on WSUSADMIN directory
admin duties
Admin duties
  • Management is done 2 ways:
    • Via WSUS Admin web site (http://wsusserver/wsusadmin)
    • Via Scripting
  • WSUS Admin site not overly strong
    • See WSUS Wiki for reported issues
  • Clients need latest versions of Windows AU software.
    • Comes with XP SP2/2k3 SP1
    • Older SUS clients can also auto-update via /selfupdate
watch your language
Watch your language
  • Some initial configuration requires
    • Synchronisation options
      • Schedule
      • What types of updates
      • Proxy server settings
      • Update Source
      • Languages (ALL languages is the default)
    • Automatic Approval options
      • Which updates should be automatically approved
  • Approve for detection vs approve for installation
wsus issues1
WSUS issues
  • RESOLVED SBS issues
    • Dell OEM issue
    • You cannot install Windows Server Update Services 2.0 on a computer that is running an original equipment manufacturer version of Windows Small Business Server 2003: