CC4 and WSUS

Windows Server Update Service (WSUS) is built to distribute Microsoft® Windows® updates across networks. On previous networks the installation of updates was manual; WSUS has automated that. This is not news. WSUS has been around for years.

We rarely look at WSUS unless it goes wrong. Most of the time it ‘just runs’. It’s because of this we decided we should talk about it. We actually do see quite a few calls in support raised for WSUS; generally these are logged through RM Event Master. This to me sets alarm bells ringing. It’s a great advertisement for RM Event Master, and exactly why we are such big fans of the product: it’s a great safety net.

I thought it would be good to see what WSUS does under the bonnet. How does the technology work and what do we commonly see that can be avoided?

In this session, we’ll look at how WSUS developed over the years from Windows Updates on stand-alone Windows machines through to the server updates. We’ll be delving into how CC4 networks deal with these updates and finally look at some of the issues we see, how to diagnose and fix them.

Technical Seminars – Autumn 2011 © RM Education 2011

Windows Update

It makes sense to look at how the Windows Update Service works on a standalone PC before moving on to look at the technology used in WSUS environments.

Windows Update began life in 1995. Windows 95 featured a link in the start menu to the Windows Update web page; from the Windows Update web page you could download additional features for the operating system. By the time Windows 98 came out, three years later, you could download additional desktop themes, games, device driver updates and optional components such as NetMeeting. The initial focus of Windows Update was on free add-ons and new technologies for Windows; security fixes for Outlook Express, Internet Explorer and other applications appeared later, as did access to beta versions of upcoming Microsoft software, most notably Internet Explorer 5. The Y2K bug fix was released via the Windows Update service. Microsoft attributed the sales success of Windows 98 in part to Windows Update.

So Windows Update was a big thing back then, but it was deemed a manual process, where the user would have to actively access the website to receive updates. Therefore as the user you would need to remember to access the website periodically to get updates.

Windows Update wasn’t actually as manual as it seems. Before Windows Update, users were able to go and find updates to drivers (for instance), but they would have to know the information about previously installed versions, hardware and software to make the right decisions.
Windows Update has always scanned the computer before suggesting downloads and this is where the beginning of this technology exists. Windows Update requires Internet Explorer or a third-party web browser that uses the Microsoft MSHTML layout engine, as it must support the use of an ActiveX control to house the software that is executed on the user's computer. While details have changed from version to version (which we’ll look at in a moment), it has always scanned the computer to find what operating system components and software are installed, and compared the versions of those components with the latest available versions. The ActiveX component then interfaces with Windows Installer to install or update those components, and to report the success or failure of those installations back to the Microsoft servers.

So for 17 years we have been looked after by the Windows Update service - it’s no wonder we sometimes forget to learn about how it works. So what’s changed in the versions of Windows Update and when did Windows Server Update Service start?

Changes in versions

In the previous section we looked at how Windows Update just started as a website, however this was a website that ran ActiveX controls to check components on the computer. The early versions seem reasonably simple compared to what we have now. Microsoft has continued to develop the Windows Update service by adding features. While the principle has stayed the same over the years, features and functions have been added periodically; here we’ll have a look at those changes from the first version (which is noted as v3).

Critical update notification

Shortly after Windows 98 was released Microsoft updated Windows Update with the Critical Update Notification Utility (incidentally it wasn’t always called that, it was originally referred to as a tool, which led to an unfortunate acronym).
This let users know when they needed to access Windows Update to download critical updates. This was released through Windows Update and installed a background tool onto the user’s computer that regularly checked the website for updates marked ‘Critical’. This was the first step to the Windows Update Service we know today (and subsequently WSUS).

By default this check was carried out every five minutes when Internet Explorer was started; while this was configurable it wasn’t ideal as most users didn’t have access. The check was performed by querying the server for a file, "cucif.cab", which contains a list of all the critical updates released for the user's operating system. The Critical Update Notification Utility then compared this list with the list of installed updates on the user's machine, and displayed a message to the user informing them of new critical updates if they were available. Once the check executed, any custom schedule defined by the user was reverted to the default. Microsoft stated that this was by design in order to ensure that users received notification of critical updates in a timely manner.

This method was criticized: relying on a single host to defend against attacks meant that, if that host were compromised, each Windows 98 machine could be infected. This could result in serious infection on a large scale.

The Critical Update Notification Utility was promoted until 2000. Initial releases of Windows 2000 shipped with it but Windows 95 and NT 4.0 were no longer supported. Eventually it was superseded by Automatic Updates in Windows ME and Windows 2000 SP4.

Automatic Updates

Automatic Updates no longer required the web browser to download and install updates. It also only checked the Windows Update servers (note this is plural now) once a day. This is very much the start of the update service we see now.
Automatic Updates were originally seen in Windows ME and put the user much more in control of how often updates were downloaded and installed. Scheduling could be set, along with how you would be notified (or whether you wished to be notified). In Windows XP and Windows 2000 SP3 the Background Intelligent Transfer Service or BITS was used for downloading files from the web. Therefore the downloading of updates was no longer bandwidth intensive and users could happily get on with their web browsing without being disturbed by updates installing.

Microsoft Update

In 2005 Microsoft released the beta of Microsoft Update. This is an optional update that provides security patches, service packs and other updates for not only Windows but other Microsoft software. Products included Office and Exchange 2003 and SQL Server 2000 originally. It has since expanded to cover a whole host of Microsoft software such as Windows Live, Visual Studio, plus runtimes and distributions.

One of the issues seen with Microsoft Update on Windows XP computers with lower memory was that the process could claim all of the computer’s memory (if the computer’s memory was small). I personally remember my Windows XP computer freezing up for hours while it clunked through updates - very frustrating.

Microsoft Office Update

Until 2009 Office had an update website where users could access updated versions of Office. While it is stated in a number of articles this no longer exists, it does in the guise of Microsoft Download Centre. It is possible to download Office Service Pack updates from here; however, what these articles are probably trying to refer to is that we no longer need to go to these websites because it’s all now included in Microsoft Update.

Windows Vista and beyond

Since the release of Windows Vista, including Windows Server 2008 and Windows 7, Windows Updates no longer utilise the updates website for downloading updates; this is all done through a control panel interface. Interestingly, or not you may argue, I hadn’t noticed this until it was pointed out.

Changes that I did notice since installing Windows 7 are that I no longer get a message telling me the system needs a reboot. Either giving the choice to do it now or restart later, now you can put the restart off for up to four hours, which is nice when you are right in the middle of something. Previous to these changes I’d often forget to restart. Equally this can be frustrating as if you are not at your PC, it can reboot without your agreement, generally losing you whatever you had open.

The technology has changed slightly in Windows Update for Windows Vista and Windows 7: it uses Transactional NTFS when updating Windows system files. This means Windows can recover cleanly should the system shut down without warning during an update.

Windows Update technology

The update mechanism in Windows has used a number of different technologies over the years, developing new forms of technology and shedding the more outmoded ones. The purpose of looking at the history of the standalone version was to highlight the evolution that has already happened so far. Rather than looking at the technology that is no longer in use in Windows Update, we’ll look at what is currently used in this section.

The Software Update Service (SUS) first appeared on Windows 2000; this version downloaded hotfixes and updates only, like Microsoft Update in the standalone version. It was designed to save the administrator having to keep up with all of the updates that were being released by Microsoft.
Using SUS would mean not having to make sure every machine on the network had been updated by the user, which meant you didn’t have to rely on users to keep you from virus hunting and you didn’t have to spend every other week applying updates to hundreds of PCs. SUS only updated Windows; WSUS provided more reporting capabilities and the ability to target updates. With SUS 1.0 once the update was approved it was sent directly to the computers, whether required or not. While today we may take this technology for granted it was a huge step forward to have such control over the updates.

So how did they do this, what technology was used that made this possible?

There are essentially three components to WSUS: Microsoft Update, Windows Server Update Service and Automatic Updates. Each of these has been pulled together through various different incarnations of the updates mechanism. At the very top level these are the parts of the service that work to get updates from Microsoft to the server and then down to the clients.

Microsoft Update: The Microsoft website that stores updates for download.

Windows Server Update Service: The server component that is installed on a computer running a Windows server operating system inside the corporate firewall. The WSUS server provides the features that administrators need to manage and distribute updates through a web-based tool, which can be accessed from Internet Explorer on any Windows computer on the corporate network. In addition, a WSUS server can be the update source for other WSUS servers within the organisation. The WSUS server that acts as an update source is called an upstream server. In a WSUS implementation, at least one WSUS server on the network must connect to Microsoft Update to get available update information.
The administrator can determine, based on network security and configuration, how many other servers connect directly to Microsoft Update.

Automatic Update: The client based component that downloads updates either directly from Microsoft Update or from the WSUS server.

As the updates service has developed over the years it’s started to cater for more operating systems, extended to apply updates to software and become even more automated. This means that Microsoft Update needs to hold many updates for various platforms and all the different versions too. This means WSUS and Automatic Updates need to be more intelligent about the way they do things. Otherwise you’d have a lot of failed updates clogging up the system.

WSUS mechanics

We know the three top level components that make WSUS work; the bit that most people don’t know (due to lack of information on the web for one) is what happens underneath. I have trawled the web and you don’t generally get much further than the description above. There is another reason for this lack of information - most administrators don’t need to know more than the top level. WSUS just works.

Now you are wiping the coffee from your keyboard and surrounding walls I’ll try to justify that statement. WSUS works well but there are huge gaps in people’s knowledge; therefore it is quite often seen as not working when it is. There are occasions where troubleshooting is needed; we’ll cover that later. Understanding what happens, when and how is important to anyone using a system. It may be that you never have to apply the knowledge but helping to understand what you’re seeing and why will serve you well.

The native WSUS looks something like this:
This needs some explanation. We can see the three main components of the update process: Microsoft Update, WSUS server and Automatic Updates. The process involved in updating is complicated (or cluttered when you try to put all of it into a diagram). I’ve detailed the steps that the native version goes through below.

1. Microsoft create and author updates to Microsoft Update.
2. WSUS server checks for updates.
   a. This can be done manually or in a scheduled time frame depending on how the administrator has configured these settings in the WSUS console.
3. Update metadata is sent to the server.
   a. At this point only metadata (data about data) is sent. This reduces the size of data being sent on a regular basis.
4. Update metadata is displayed to the local administrator in the WSUS console.
   a. At this point it is up to the administrator whether they download the updates automatically, use some computers to test or decline updates.
5. Once updates are approved or marked for testing they are downloaded from Microsoft Update using B.I.T.S (Background Intelligent Transfer Service).
6. Automatic Update on computers will behave in one of two ways (providing they are using WSUS*).
   a. Check for updates on boot up.
   b. Check for updates as scheduled by the administrator.
7. When updates are found they will be downloaded using B.I.T.S and installed.

*Computers can be configured not to use WSUS. In this case the computer links to Microsoft Update directly and downloads updates. This leaves the patching of computers down to the user.

The native version of WSUS is reasonably straightforward. We have added in layers to add to this process; before we look at how it changes we’ll look at why. This is a question we get asked a lot in training.

CCx and WSUS

CC4 was the first RM network to offer WSUS as part of the bundle. One big question is why didn’t we do it earlier? The technology as we’ve seen has been around for nearly as long as CC3.

The first versions of WSUS didn’t do any sorting of updates. They were applied as you approved them; this meant the possibility of pushing updates onto the network that were not required, causing huge headaches for the network team. You just have to think back to a package being allocated at main site to imagine what could have happened.

We chose the route of the original Microsoft Update website (although a little less manual): you visit the RM website to check for updates and download them as a package to be distributed to clients. If there was anything urgent we’d make sure you knew about it. This also meant updates could be managed in the same way as packages.

That doesn’t fully answer the question why was it not used on CC3, or answer the question ‘Why did we rework a tried and tested system for CC4?’

The Community Connect solutions sit on top of Microsoft networks, so technically it should just work. The problem with the updates that are released from Microsoft is they don’t take into consideration the changes we make to a network to ensure things like packages are easier to deliver, users have the right restrictions and applications are delivered to the right people. One change in the wrong place and suddenly package delivery becomes a problem or group policy is not applying as it should. This could be a disaster for a school network.

We ensure that we’ve checked updates before they appear on your network, which means there are some extra steps added to the native process.

1. Microsoft create and author updates to Microsoft Update.
2. WSUS server checks for updates.
   a. This can be done manually or in a scheduled time frame depending on how the administrator has configured these settings in the WSUS console.
3. Update metadata is sent to the WSUS server.
   a. At this point only metadata (data about data) is sent. This reduces the size of data being sent on a regular basis.
4. Update metadata is displayed to the local administrator in the WSUS console.
   a. At this point it is up to the administrator whether they download the updates automatically, use some computers to test or decline updates.
   b. It’s worth mentioning this is what you see in the RM Management Console (RMMC): all updates, not just those approved by us. This is only metadata; nothing is downloaded until approved by you.
5. Updates are downloaded at RM, tested and approved* before being published.
   a. We use GUIDs to match updates we’ve downloaded to the metadata on your WSUS server.
   b. We publish a list of approved updates on the RM server.
6. CC4 WSUS server checks RM list by comparing XML files.
   a. This is done during the synch now action, either scheduled or manual.
7. Once updates are approved or marked for testing they are downloaded from Microsoft Update using B.I.T.S (Background Intelligent Transfer Service).
8. Automatic Update on computers will behave in one of two ways.
   a. Check for updates on boot up.
   b. Check for updates as scheduled by the administrator (through All Computers group policy).
9. When updates are found they will be downloaded using B.I.T.S and installed.

*The approval process is something else we get asked questions about. We split updates into two categories. The first is updates that require testing. These will typically be updates for the operating systems we ‘wrap’ with CC4 (Windows 2003, 2008, XP, Vista and Windows 7) and any application software that we have packages for.
The second is for parts of the network we install as standard; for instance Exchange is installed as native so updates to Exchange will be made directly available. All testing is carried out by our product release group. The process means you should never receive an update that hasn’t been approved by us first unless it is a standard Microsoft Update being applied to a standard Microsoft product.

There is further detail to the RM side of WSUS than the above process; while this describes what happens it doesn’t talk about specific components. For CC4 to be able to do this it requires components to be installed to carry out functions. These are held at the WSUS server and computer.

CC4 RM components

CC4 doesn’t completely replace WSUS; it works with the vanilla components to deliver updates. As we’ve looked at in the previous section, the CC4 version utilises WSUS and the process is added to by CC4. This means you can still access the native version of the WSUS console. You’ll notice in the vanilla version there are more updates shown than in the RMMC. The RMMC cuts down the view so you see updates that are relevant; WSUS shows all updates available on Microsoft Update.

There are four components that make up the CC4 side of WSUS.

• RM WSUS Manager Server
• RMMC WSUS Manager Client
• WSUS Agent
• WSUS Agent Shared

Each of these components makes sure the conversation between WSUS native and WSUS CC4 can be completed. RM WSUS Manager Server talks between the vanilla WSUS and CC4 WSUS, RMMC WSUS Manager Client deals with the RMMC communications, WSUS Agent communicates between CC4 WSUS and Automatic Update on the computer and WSUS Agent Shared interacts with the local installation of Automatic Updates.

[Figure: the four CC4 WSUS components: WSUS Agent Shared, RMMC WSUS Manager Client, RM WSUS Manager Server, WSUS Agent]

CC4 utilises four components that work in the background to make native WSUS and the CC4 RMMC, Database and Automatic Updates work together harmoniously. These components are RM WSUS Manager Server, RMMC WSUS Manager Client, WSUS Agent and WSUS Agent Shared. The first two sit on the server side and the latter sit on clients. This is not to say that you should never see RM WSUS Manager Server or WSUS Manager Client on an Automatic Update client. If you are using the RM Management Console on computers you’ll see these components too. Here’s what each of the components does.

RM WSUS Manager Server

This component links Windows Server Update Service to the RM Database version of WSUS. It’s this component that links to the RM servers to check for CC4 approved updates when the Synchronise button is pressed. This needs to be on clients with the RM Management Console installed so that tasks can be updated.

RMMC WSUS Manager Client

The RMMC WSUS Manager Client controls the RMMC and its output. It also controls communication between the CC4 database and the RMMC.

WSUS Agent

The WSUS Agent component sits between client and server and listens for updates. This tool communicates to and from Automatic Update to make sure any new updates are passed down. This agent is the facilitator of client update installations.

WSUS Agent Shared

This component manages the installation of the updates. These should all happen in the background and not disturb users. This agent makes sure that reboots only happen when the conditions are right (which we’ll look at in a moment).

Making sure WSUS Agent and Agent Shared are both installed on the clients is vital to making sure updates make it down to clients.

Troubleshooting WSUS

As we’ve seen, the ‘WSUS solution’ breaks down into three main components natively - Microsoft Update, Windows Server Update Service and Automatic Updates. CC4 adds in the connection to the RM servers and connections between the WSUS native console and the RMMC’s WSUS node. Typically we see call volumes around a few of the five areas on CC4. The link to Microsoft Update only needs a web connection; therefore we don’t tend to get high call volumes around that. For the purpose of troubleshooting WSUS it makes sense to split this into three sections.

Synchronisation

There are a few errors that can be thrown up during the process of synchronisation; here we will look at the errors and what can be done to fix any issues that occur. It’s not always as you click the synchronise button that you’ll see the issue; sometimes this can occur when accessing WSUS on the CC4 RMMC.

When synchronisation fails in the RMMC you will get an error screen. It’s important (as with any error) to check what it’s saying. As you’ll see here the error screens can look very similar but tell of completely different issues.

Missing computer groups

The first issue we’ve seen is where synchronisation fails while trying to manually synchronise in the RMMC. The first line of the error (not the title in bold) gives us the clue to the problem.

“Error Description: Error in Synchronisation, Stack Trace: System.Exception: Test Target group was not found”

The RMMC should have two computer groups defined - CC4 All Computers and Test. If one of these groups cannot be found the synchronisation will fail on opening the WSUS section of the RMMC.
To fix this issue you need to go to the WSUS console (native) and check the computer groups available. Under the Computers/All Computers node you should see the groups CC4 All Computers and Test; if either of these is missing you will need to recreate it. Right-click on the All Computers node and select Add Computer Group..., then add in the group that is missing. The groups must be named CC4 All Computers and Test with the correct capitalisation otherwise the system will not recognise them.

NB. This is a really useful tip on how to read these errors. While they generally list a number of components, the second line (here relating to Test target group) will give you a far better idea of what you’re looking for.

CC4 WSUS also has tools built in to fix issues such as this. If you go to C:\Program Files\RM\Connect\WSUS Manager, there is an exe file that adds the server groups back in without needing to remember them.

Proxy Authentication Failure

The error here is also straightforward: as the title of this section suggests, the proxy authentication has failed. This will occur if there are authentication details required to access your proxy. These need to be set (or reset) in your WSUS server’s registry. The keys that need to be edited are in HKLM\Software\RM\Connect\Update and are called ProxyUsername and ProxyPassword. Enter your username and password for the proxy into the value field for each key. This will give the WSUS server the ability to contact the Microsoft Update and RM servers without you needing to authenticate each time. The server does not require a restart here so this can be carried out while users are still on the network.

There is also a useful little application which saves digging through the registry to find keys and edit them. It’s in C:\Program Files\RM\Connect\RM Update Manager. In this folder the .exe file is named ‘RM.Networks.packagedeployment.updateservice.proxyconfig.exe’ - luckily it’s the only exe file in there.
This gives a box to populate proxy server and port. If a username and password need to be set use the registry edit above.

Something to ensure is that the proxy is also set in the native WSUS console. As WSUS needs to synchronise in a number of different areas it needs the proxy set in two places too. The proxy server set by registry key ensures the CC4 communication with the RM Education servers can take place. The proxy settings also need to be set with the Microsoft WSUS so that WSUS can communicate with Microsoft Update. This is set within options (on the tree view in the WSUS console).

Moving the WSUS database

There have been occasions where the WSUS database has been moved, reinstalled or just installed. While it appears to be working just fine, once the installation is finished and checked suddenly the updates disappear and WSUS native stops working.

This happens on the occasion where an external hard drive is used to install or reinstall. WSUS will look for the biggest drive on the server. Therefore if the external hard drive is bigger than any other drive in the server it will be installed there, hence WSUS being tested and it still working while the hard drive is plugged in. As soon as the hard drive is removed it takes updates and key components of the installation with it. This leaves the server with the symptoms of WSUS not opening correctly and updates suddenly disappear from the server.

Installation overview shows as unknown for computers

We saw a spate of computers on sites showing as unknown in the WSUS installation overview (within the RMMC). This issue seems to be something many customers have either chosen to ignore or have not seen due to not using the overview.

This is caused by the computer SUS ID being issued to more than one computer. The SUS ID is WSUS’s way of uniquely identifying the WSUS client. When a client checks in it will use its SUS ID.
If more than one computer has the same SUS ID, even if they are reporting the same status for an update, what happens is WSUS sees two answers and is unable to determine the status. To solve this issue new client IDs need to be compiled; this is currently something Support can do for you.

Housekeeping

The Knowledge Library is a very rich resource on the subject of CC4 WSUS. I’d personally recommend this being the first place to look.

These three articles are the go-to articles for WSUS. Each is derived from support calls we’ve seen. This isn’t an exhaustive list of articles but three that are certainly worth checking. The last of these articles is the type of thing this section will focus on.

As I mentioned at the start of these notes, the general consensus with WSUS is that it just runs. Many customers I’ve spoken to have said that since it was set up they’ve not touched it. Some have been advised to never look in the native WSUS console. It’s important to look at WSUS from time to time to ensure its smooth running.

In this section we’re going to look at housekeeping and best practice. We’ll touch on areas where we see regular mistakes and some issues that have been seen that are down to configuration.

CC4 WSUS

CC4 WSUS requires some configuration by you. In this section we’ll look at what you should check in the RMMC. The first we’ll look at is testing computers; the majority of establishments don’t use testing computers. It’s good to know that you trust us to test out updates for you, and we do put a lot of effort into that.

As we’ve already outlined the RM server takes a list of updates directly from Microsoft Update, effectively a mirror of your WSUS server. Our Product Release Group (PRG) team take these updates and put them into two piles, one for review and the others to be released.
The review pile is for updates - those that affect our supported operating systems and anything we have created a CC4 package for. The other updates, those we don’t look at, relate to products we don’t add any components to. Exchange is a good example of this: we install Exchange as native, therefore we trust Microsoft to release updates for their own products without breaking them. The reason we ask for you to test these products is the same. As Microsoft don’t know how we configure our networks, we don’t know how you configure yours.

Testing

Testing is something that most establishments I’ve spoken to don’t do. It’s understandable as there are no guidelines to what to test, how to test or where to test. Where do you start with an update? There are applications and settings on your network that are mission critical. If one of these goes down or is affected then you’ll have the whole school banging on your door; these are the parts to test at bare minimum. Testing logon times and profiles will help make sure you are covered should any update cause a problem.

Testing computers should not be standard computers on the network. If you don’t have ‘spare’ computers, use some that are used less regularly. This will limit the frustration of users having PCs that are being ‘guinea pigged’.

Scheduled installation

The installation of updates can occasionally fail because of Microsoft Message Queuing (MSMQ) getting blocked with tasks. This will result in sporadic installations. You may see a subset of computers that have picked up updates, then another subset that have not. The next time around the results could be the other way around. This can be caused by MSMQ getting clogged up where perhaps applications are being assigned on the network. To avoid this it’s worth checking your installation schedule and changing it to run on one day.
We would always recommend getting updates to computers as quickly as possible; however, if updates aren’t getting installed on computers, changing the installation schedule will help.

WSUS native

Let us begin by looking at the WSUS console. Many customers have been told not to look at the native console; others don’t know where to find the console. What I am not suggesting is to start administering WSUS through the native console; this can have negative effects. WSUS native runs as it would on a vanilla Microsoft system behind the CC4 configuration. This means there are still tasks to check, and it is the responsibility of the network administrator to check these settings.

The WSUS console is found in Administrative Tools on your WSUS server. The console has a tree view on the left-hand side; we’ll be looking in the Options node.

In the right-hand pane, you have a list of options to view. Some of these should be checked and I’ll be looking at the sections you should look at. If I haven’t mentioned a section, it’s because its settings don’t need checking or changing.

Update Source and Proxy Server

We have seen cases of the update source being changed. This should be configured to download updates from Microsoft Update. Other update sources don’t necessarily give the same metadata list as Microsoft Update. This means that the RM Education servers list and the upstream server list don’t match. This can mean missing out on important updates or installing updates that are not validated on the network.

The proxy server settings are for the native WSUS system. This means that the proxy will also need to be set in the registry or using the tool mentioned in the troubleshooting section.
Changing one without the other will result in updates not being downloaded correctly and therefore your network not being up to date.

Update Languages

The update languages have been known to be fiddled with. I can understand why someone may set this up incorrectly but it’s important to be only downloading one language. There is very little reason to download all the languages, as users don’t read updates, so no matter how many languages are spoken in your establishment, you are highly unlikely to need more than one.

It’s worth checking this if the folder containing your updates is filling up. The folder to check is D:\WSUS\WSUSContent\. Once you’ve done any clean-ups in WSUS (final section of these notes) and made sure you are not downloading huge swathes of languages, set a benchmark for this folder. This will give an idea if something unusual has happened if it suddenly leaps up by a GB or two in size.

Products and Classifications

It is the responsibility of the network administrator to make sure this section is kept up to date. We saw a number of customers wondering why no Office 2007 updates were being installed on the network when the switch first started to happen. This is another symptom of WSUS being left to run in the background. As programs and operating systems are updated, the products section of WSUS also needs updating.

The image above shows you how not to configure your Office downloads unless you are currently supporting Office from 2002/XP up to 2010. As with update languages, it’s best to make sure you are only downloading what is needed. Once the products are updated, the old updates need to be removed; to do this we can use the WSUS Server Cleanup Wizard.
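
A read-only check of the options covered above (update source, update languages, products) and of the D:\WSUS\WSUSContent\ benchmark, as an added example that is not RM’s or Microsoft’s own tooling. It uses the WSUS administration API from PowerShell on the WSUS server; the baseline file path and the 2 GB growth threshold are assumptions.

```powershell
# Read-only WSUS housekeeping check (added example; it changes no WSUS settings).
# Assumptions: run in an elevated PowerShell session on the WSUS server itself;
# the baseline file location and the 2 GB growth threshold are illustrative.
$ContentPath  = 'D:\WSUS\WSUSContent'           # folder named in these notes
$BaselineFile = 'D:\WSUS\content-baseline.txt'  # hypothetical benchmark file
$GrowthLimit  = 2GB

[void][Reflection.Assembly]::LoadWithPartialName('Microsoft.UpdateServices.Administration')
$wsus   = [Microsoft.UpdateServices.Administration.AdminProxy]::GetUpdateServer()
$config = $wsus.GetConfiguration()

# 1. Update source: should be Microsoft Update, not another upstream server.
if ($config.SyncFromMicrosoftUpdate) {
    Write-Output 'Update source: Microsoft Update'
} else {
    Write-Warning "Update source is upstream server '$($config.UpstreamWsusServerName)'"
}

# 2. Update languages: the notes recommend downloading only one.
if ($config.AllUpdateLanguagesEnabled) {
    Write-Warning 'All update languages are enabled'
} else {
    $langs = @($config.GetEnabledUpdateLanguages())
    Write-Output "Update languages: $($langs -join ', ')"
    if ($langs.Count -gt 1) { Write-Warning 'More than one update language is enabled' }
}

# 3. Products: list what is selected so stale or missing entries stand out.
Write-Output 'Products and classifications selected for synchronisation:'
$wsus.GetSubscription().GetUpdateCategories() |
    Sort-Object Title | ForEach-Object { "  $($_.Title)" }
$wsus.GetSubscription().GetUpdateClassifications() |
    Sort-Object Title | ForEach-Object { "  [classification] $($_.Title)" }

# 4. Content folder size against the recorded benchmark.
$size = [long](Get-ChildItem -Path $ContentPath -Recurse -Force -ErrorAction SilentlyContinue |
    Where-Object { -not $_.PSIsContainer } |
    Measure-Object -Property Length -Sum).Sum
if (-not (Test-Path $BaselineFile)) {
    Set-Content -Path $BaselineFile -Value $size   # first run records the benchmark
    Write-Output ('Benchmark recorded: {0:N2} GB' -f ($size / 1GB))
} else {
    $growth = $size - [long](Get-Content -Path $BaselineFile | Select-Object -First 1)
    Write-Output ('WSUSContent: {0:N2} GB ({1:N2} GB change since benchmark)' -f ($size / 1GB), ($growth / 1GB))
    if ($growth -ge $GrowthLimit) { Write-Warning 'WSUSContent has grown past the threshold' }
}
```

Delete the baseline file after a clean-up so the next run records a fresh benchmark.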

WSUS Server Cleanup Wizard

This handy tool is built in to WSUS native. It’s worth noting this is a Microsoft tool, therefore they don’t make allowances for longer breaks. Therefore, like tombstoning in Active Directory, the native timescale is shorter than required for an educational establishment.

You can use the server cleanup tool to remove updates that are no longer needed, or have been superseded or discontinued by Microsoft. This will also remove computers from WSUS that are no longer contacting the server (this is set to 30 days without contact). To keep the network clean and tidy with updates, it’s worth going through this once a year to make sure everything is cleared out. If you see the WSUSContent folder expanding then this is also a good place to start.

Summary

WSUS in essence is a simple mechanism. There are three core elements, of which two you have responsibility over. The main thing to keep checked and in order is the WSUS console. It’s still true to say that WSUS can generally sit in the background and carry on without too much interaction. As long as updates are tested and WSUS is cleaned up on a regular basis, WSUS still shouldn’t take up much of your time.

With CC4 at top level we see two changes to the standard setup; these are more additions than changes: the inclusion of an extra step in approval (the RM Education servers) and connections between WSUS native and the CC4 Database and RMMC. We still recommend that day-to-day administration of updates is carried out through the RMMC, but there are tasks and checks that should be done through the WSUS console.

Documentation on WSUS is widespread in the Knowledge Library. It’s well worth having a look through these articles before calling Support.