August 2005 - Posts

Yes, I am talking about Support Tools for Windows Server Update Services (WSUS). As of now, there are:

Server Diagnostic Tool for troubleshooting the Update Services server. For help on running this tool, see the readme file.

Client Diagnostic Tool for troubleshooting client machines. For help on running this tool, see the readme file.

Keep an eye on the Windows Server Update Services Downloads Page for all the tools related to WSUS.

While exporting WSUS to a disconnected network server, the following error is logged in the import log file:

"<ImportError Message="The metadata format is incorrect" /></ImportLog>"

The import was not successful and, eventually, the export fails.

Trivia:

The WSUS admin wants to modify the metadata so that the downstream WSUS admin cannot see the unapproved updates, and so he plays with the Package.xml file.

Looks like he is modifying the metadata. This is logged from Package.xml:

"<!-- edited with XMLSPY v5 rel. 3 U (http://www.xmlspy.com) by Christophe Michel (Thales Security Systems) -->"

And, obviously, the import and export fail.

That was right. The user (WSUS Admin) says, "it will work if I don't touch both files. The reason why I modified the two files is that I want to import only approved metadata in order to downstreamed administrator can't check metadata not approved by the first online WSUS server."

Moral of the story: Do not play with the XML file to modify the metadata. That is not supported.

Previous FAQs:

http://msmvps.com/athif/archive/2005/08/17/63110.aspx

http://msmvps.com/athif/archive/2005/08/30/64594.aspx

Continued from http://msmvps.com/athif/archive/2005/08/17/63110.aspx

Q. Does Windows Server Update Services (WSUS) support patches for Exchange 2000?

 

A. YES, WSUS supports patches for Windows 2000+, Exchange 2000+, SQL Server 2000+, and Office XP+ with expanding support. More information at http://www.microsoft.com/windowsserversystem/updateservices/evaluation/compare.mspx

 

Quoting from the WSUS Overview document, "Initially, Microsoft Update, to which at least one WSUS server must connect to get available updates and update information, will make available updates for Microsoft Windows, Office, SQL Server, and Exchange. Additional Microsoft product updates will become available on Microsoft Update in the future."

 

More information on WSUS Guides.

 

Q. If you have a group setup in WSUS as detect-only and you change the options to install, do the updates that are set as detect-only ever get installed after the change or do those updates need to be changed manually?

 

A. YES, they do get installed after the change, but only after the Automatic Update Client (AU) completes its next detection cycle. The time between detection cycles can be configured for the AU client in the registry under HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\WindowsUpdate\AU, in the value DetectionFrequency (Reg_DWORD). The default value is 22 hours.

 

For quick AU client detection and installation with Windows Server Update Services (WSUS), see http://msmvps.com/athif/archive/2005/06/29/56200.aspx

 

Today, I have added another known WSUS issue on Known WSUS Issues at the Wiki.

For more information and troubleshooting tips, keep an eye on http://www.wsuswiki.com/ and the Patch Management Blog :-)

One of the important issues in Windows Server Update Services (WSUS) administration is troubleshooting the WSUS server for downloads. You may encounter situations where WSUS synchronization fails.

 

We will take a look at the proxy settings.

 

Most of the time, the culprit is a proxy server that requires authentication on outgoing web proxy requests, which means anonymous access through the proxy is disabled. If you are using ISA Server as your proxy server, then you must create an anonymous access rule for the following Windows Update websites.

 

http://download.windowsupdate.com

https://*.windowsupdate.microsoft.com

http://*.windowsupdate.microsoft.com

http://*.update.microsoft.com

  

The procedure is explained on http://support.microsoft.com/default.aspx?scid=kb;en-us;885819.

 

And now, you have to configure WSUS to Use user credentials to connect to the proxy server. With this option enabled, you have to enter the user name, password and domain of a user account that has Internet access via the proxy server. You can also select Allow basic authentication, but remember that the password is then sent in clear text, which is a security threat... and we are using WSUS to patch security threats!

 

Procedure:

 

i). On your WSUS server, click Start, point to All Programs, point to Administrative Tools, and then click Microsoft Windows Server Update Services.

 

ii). On the WSUS console toolbar, click Options, and then click Synchronization Options.

 

iii). In the Proxy server box, click Use a proxy server when synchronizing, and then enter the server name, and port number of the proxy server in the corresponding boxes.

 

iv). If you want to connect to the proxy server under specific user credentials, click Use user credentials to connect to the proxy server, and then enter the user name, domain, and password of the user in the corresponding boxes.

 

v). Under Tasks, click Save settings, and then click OK when the confirmation box appears.

 

vi). Synchronize now.
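
The clear-text warning above, made concrete as an added example (not from the original post): with Allow basic authentication, the Proxy-Authorization header is only base64 of account:password, so the sync account's password is readable by anything that sees the request between the WSUS server and the proxy. The account name, password and NTLM token are constructed sample values.

```powershell
# Added example. Account, password and NTLM token below are constructed.
function Get-ProxyAuthExposure {
    param([Parameter(Mandatory = $true)][string]$RawRequest)

    foreach ($line in ($RawRequest -split "`r?`n")) {
        if ($line -match '^Proxy-Authorization:\s*(\S+)\s+(\S+)') {
            $scheme = $Matches[1]
            $blob   = $Matches[2]

            if ($scheme -ieq 'Basic') {
                # Basic is only base64("user:password"): no key, no challenge.
                $bytes   = [Convert]::FromBase64String($blob)
                $decoded = [Text.Encoding]::ASCII.GetString($bytes)
                $account, $password = $decoded -split ':', 2
                return New-Object psobject -Property @{
                    Scheme = 'Basic'; Account = $account
                    PasswordOnWire = $true; PasswordLength = $password.Length
                }
            }
            # NTLM / Negotiate carry challenge-response messages, not the password.
            return New-Object psobject -Property @{
                Scheme = $scheme; Account = $null
                PasswordOnWire = $false; PasswordLength = $null
            }
        }
    }
}

function New-SampleRequest {
    # Builds a constructed proxy request for one of the hosts listed above.
    param([string]$AuthHeaderValue)
    @(
        'GET http://download.windowsupdate.com/ HTTP/1.1'
        'Host: download.windowsupdate.com'
        "Proxy-Authorization: $AuthHeaderValue"
        ''
    ) -join "`r`n"
}

$user  = 'CONTOSO\svc-wsus-sync'     # hypothetical sync account
$pass  = 'Constructed-Passw0rd'      # constructed value
$basic = [Convert]::ToBase64String([Text.Encoding]::ASCII.GetBytes("${user}:${pass}"))

Get-ProxyAuthExposure (New-SampleRequest "Basic $basic")
Get-ProxyAuthExposure (New-SampleRequest 'NTLM TlRMTVNTUAABAAAA')
```

The first call reports the account and PasswordOnWire = True for Basic; the second reports PasswordOnWire = False for the NTLM header.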

Unable to generate a temporary class: You see the following error while trying to synchronize the WSUS server with Microsoft Update (MU), and synchronization fails at 99%.

 

The complete error message is as follows:

 

System.InvalidOperationException: Unable to generate a temporary class (result=1).
error CS2001: Source file 'C:\WINDOWS\TEMP\m9yekbox.0.cs' could not be found
error CS2008: No inputs specified

 

   at Microsoft.UpdateServices.Internal.ClassFactory.CallStaticMethod(Type type, String methodName, Object[] args)

   at Microsoft.UpdateServices.Internal.BaseApi.Subscription.GetSynchronizationHistory(DateTime fromDate, DateTime toDate)

   at Microsoft.UpdateServices.Internal.BaseApi.Subscription.GetLastSynchronizationInfo()

   at Administration.Manage.Subscriptions.SubscriptionProxy.GetSynchronizationStatus()

   at Administration.Reporting.CurrentStatus.CurrentStatusProxy.GetHomeStatusClientFunction(String xPostXml)

   at Administration.Reporting.ReportingXPost.Page_Load(Object sender, EventArgs e)

 


 

This is due to a lack of permissions for the NT AUTHORITY\NETWORK SERVICE account on the TEMP folder. To resolve this issue, assign NETWORK SERVICE the following permissions on C:\Windows\Temp:

 

List Folder / Read Data

Delete
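
One way to check for the two permissions before changing anything, as an added example that is not part of the original post. It looks only at ACEs that name NETWORK SERVICE directly; the `$applyFix` switch and the inheritance scope used for the grant are assumptions of this sketch.

```powershell
# Added example, not from the original post. Run elevated on the WSUS server.
$tempPath = Join-Path $env:windir 'Temp'   # C:\Windows\Temp on a default install
$applyFix = $false                         # set to $true to add missing rights

# The two rights the post lists: "List Folder / Read Data" and "Delete".
$needed = [System.Security.AccessControl.FileSystemRights]'ListDirectory, Delete'
# S-1-5-20 is the well-known SID of NT AUTHORITY\NETWORK SERVICE.
$sid = New-Object System.Security.Principal.SecurityIdentifier 'S-1-5-20'

function Get-DirectRights {
    # Rights granted to $Sid by ACEs that name it directly. Rights obtained
    # through group membership (Users, Everyone, ...) are not counted.
    param([string]$Path, [System.Security.Principal.SecurityIdentifier]$Sid)
    $allow = 0; $deny = 0
    $sidType     = [System.Security.Principal.SecurityIdentifier]
    $inheritOnly = [int][System.Security.AccessControl.PropagationFlags]::InheritOnly
    foreach ($ace in (Get-Acl -Path $Path).GetAccessRules($true, $true, $sidType)) {
        if ($ace.IdentityReference.Value -ne $Sid.Value) { continue }
        # Inherit-only ACEs apply to children, not to the folder itself.
        if ([int]$ace.PropagationFlags -band $inheritOnly) { continue }
        if ($ace.AccessControlType -eq 'Allow') { $allow = $allow -bor [int]$ace.FileSystemRights }
        else { $deny = $deny -bor [int]$ace.FileSystemRights }
    }
    return ($allow -band (-bnot $deny))    # a deny ACE overrides an allow ACE
}

$have    = Get-DirectRights -Path $tempPath -Sid $sid
$missing = [int]$needed -band (-bnot $have)

if ($missing -eq 0) {
    "NETWORK SERVICE has direct ACEs for: $needed"
} else {
    $missingNames = [System.Security.AccessControl.FileSystemRights]$missing
    "NETWORK SERVICE lacks direct ACEs for: $missingNames"
    if ($applyFix) {
        # Grant only the two listed rights. Scope is an assumption (the post
        # does not state one): this folder, subfolders and files.
        $rule = New-Object System.Security.AccessControl.FileSystemAccessRule `
                    -ArgumentList $sid, $needed, 'ContainerInherit, ObjectInherit', 'None', 'Allow'
        $acl = Get-Acl -Path $tempPath
        $acl.AddAccessRule($rule)
        Set-Acl -Path $tempPath -AclObject $acl
    }
}
```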

W2Knews & Redmond magazine confirm SUS support extended from June 6, 2006 to Dec. 6, 2006

More on Support life cycle for Microsoft Software Update Services 1.0
http://support.microsoft.com/kb/905682

As we are aware, Microsoft Windows Malicious Software Removal Tool is not available with SUS though it is available with WSUS or SMS.

 

There is an excellent KB article which covers different ways to install this Removal Tool in an enterprise environment using scripts applied via Group Policies. Take a look at http://support.microsoft.com/?kbid=891716&SD=tech

This article contains a cumulative list of content changes that have been made available to Microsoft Software Update Services (SUS) servers as updated on Tuesday, August 9, 2005.

http://support.microsoft.com/?kbid=894199&SD=tech#XSLTH3120121123120121120120

 

 

TechNet subsidiaries around the world have been hard at work over the past few weeks, preparing RSS feeds of TechNet home page highlights, security headlines, and local news (see the What's New page on TechNet for a complete list).

The RSS feeds are now available for your reading pleasure in the RSS reader of your choice.

If you are wondering how to manage the Automatic Updates Client (AU Client), with tasks such as:

  1. Determining Whether the Automatic Updates Service is Installed
  2. Determining Whether Automatic Updates is Enabled
  3. Enabling Automatic Updates
  4. Determining the Automatic Updates Schedule
  5. Modifying the Automatic Updates Schedule
  6. Determining whether a Computer Needs to be Rebooted
  7. Reviewing Updates on a Computer
  8. Searching for Updates
  9. Determining if a Particular Update has Been Installed

or more, using simple scripts, then you MUST check this article by The Scripting Guys at http://www.microsoft.com/technet/community/columns/scripts/sg0705.mspx

For more information, see the Windows Update Agent API, which enables system administrators and programmers to access Windows Update and Windows Server Update Services (WSUS).

Folks often email me about issues related to WSUS, and from now on I will blog those emails, which can serve as an FAQ too.

The email follows;

==================================================

Mail from Patch Management:

Sender: Claudio
Email: cponcini@pan-energy.com
IP Address: x.x.x.x

Please, could you tell me if I can avoid that message to reboot the computer appear after a patch is delivered and installed in a computer? The point is that we prefer to "apply" the patch when the computer is rebooted every morning and not at the same time that the patch is installed. We know that it won't be applied until the computers reboot but our users can't restart their computers during the working time and also we can't work with WOL (wake up).

Thanks in advance.
Claudio 
 

==================================================

 

My response:

Hi Claudio,

Comments in line...

Please, could you tell me if I can avoid that message to reboot the computer appear after a patch is delivered and installed in a computer?

Only members of the Local Administrators group can postpone the reboot. More information in my KB article, Automatic Update Client Behavior for Users with Local Administrative Privilege & vice-versa (http://support.microsoft.com/kb/555350). It is 1000 times recommended to reboot your PC after patch installation.

The point is that we prefer to "apply" the patch when the computer is rebooted every morning and not at the same time that the patch is installed.

You can only set the patch installation time, aka "ScheduledInstallTime", thru GPO, but you cannot set the patch download time. So when the patch is downloaded, it waits for the scheduled installation time and kicks off the installation, and only after installation are you required to reboot.

We know that it won't be applied until the computers reboot but our users can't restart their computers during the working time and also we can't work with WOL (wake up).

You have to educate your users. SUS / WSUS is a free tool for patching and with proper user education, you can have a healthy environment.

Hope that answers your questions.

Keep those emails coming. I respond to almost all of those queries. You can contact me on Md.AthifKhaleelATWSUS.Info

This is a Follow-up Post to Microsoft Windows Installer 3.1 removed from SUS

From Tuesday, May 17, 2005, Windows Installer 3.1 (v2) is available again on Software Update Services (SUS).

More information on http://support.microsoft.com/default.aspx?scid=kb;en-us;894199&sd=RMVP#XSLTH3195121123120121120120

Credit: Thanks Kris Bries for your follow up on this post. Happy Patching!

It's been a long time to blog here. I will try to be consistent :-) tho I cannot promise for hectic work load!

I just noticed The New Protect Your PC site is live and ready to help you enhance the security of your PC.

When you visit the site, it immediately detects which operating system your computer is running, yes, that's TRUE...Give it a try. It then outlines the steps you can take right away to help strengthen your computer's defenses.
