Best Practices in Architect and Implementing Windows Server Update Services
TRANSCRIPT
-
8/3/2019 Best Practices in Architect and Implementing Windows Server Update Services
1/48
-
Greg Shields, Partner, Concentrated Technology
WSV302
-
Agenda
Topics
Part I: Architecting and Implementing WSUS
Part II: Troubleshooting WSUS
Part III: Tips and Tricks for Using WSUS
-
Architecting and Implementing WSUS
-
WSUS Product Vision
Simple, zero-cost solution for distributing Microsoft Update content in a corporation
A free RTW add-on for Windows Server
Solution only distributes Microsoft Updates
Distributing 3rd-party patches requires purchasing advanced management tools such as SCE or Configuration Manager 2007
Provides a foundation for Update Management across Microsoft products: SCE, Configuration Manager 2007, MBSA, WU, SBS, Forefront
Consistent scan results
Unified client scan mechanism (WUA) irrespective of which server actually manages the updates
-
WSUS Momentum
Over 500,000 distinct WSUS servers synched with Microsoft Update last month
Used by over 60% of medium/large orgs and built into SBS
WSUS 3 released April 30, 2007
Huge improvements in performance, deployment options, reporting and UI
Easy in-place upgrade from WSUS2
WSUS 3.0 SP1 released Feb 7, 2008
WSUS 3.0 SP2 released Jan 26, 2009
-
WSUS Lifecycle/Roadmap
Support lifecycle
Next up: release WSUS 3 SP2 RC; RTM shortly after Windows Server 2008 R2 release

Version      Support ends     Comment
SUS 1.0      Not supported    Crazy old now. Don't use.
WSUS 2 RTM   Not supported    Updates still flow
WSUS 2 SP1   Not supported    EOL is April 9, 2009 (now), two years after WSUS 3 RTM
WSUS 3 RTM   Not supported    One year after WSUS 3 SP1
WSUS 3 SP1   TBD              One year after WSUS 3 SP2
-
WSUS 3.0 SP1/SP2 Adds Features
WSUS 3 SP1 adds the following features:
Installs on Server 2008, integrated with Server Manager (after installing Server Manager update KB940518)
API enhancements for advanced management tools
Bug fixes
WSUS 3 SP2 will add:
Installs on Server 2008 R2 beta
Supports managing Win7 clients
Support for BranchCache
Auto-approval rules with deadlines
Bug fixes (DSS gets languages from USS, target groups sorted alphabetically, more robust setup upgrade)
(RC) Compliance against approved updates
-
New Features in WSUS SP2
-
Elements of Architecture: Why Architecture?
Problems are usually the result of improper architecture
A correct architecture will drive a better design
Especially in situations of administrator distrust or insufficient bandwidth
Design your WSUS solution with the same goals as your AD solution
Roaming users should be dealt with separately
-
Simple Architecture
Single, well-connected site
WSUS updates from MU
Clients update from WSUS
Single server can handle 25,000 clients
50K clients with 2x front-end servers and a big SQL back-end
Remote SQL configuration reduces server load
Front-end handles update sync load
Back-end handles reporting load
-
Simple, with Groups Architecture
Largest use case in production today
Driving forces to move to Machine Groups:
Differing patching requirements or schedules
Test groups
Servers vs. Workstations
Politics
Not necessarily used for load distribution
-
WSUS Chaining
Chaining involves downstream servers getting updates (and sometimes Group data) from upstream servers
Options for chaining
Distributed vs. Centralized model
Autonomous Mode vs. Replica Mode
Chaining solves the problem of mesh or fully independent architectures
Wastes resources and bandwidth
Not that some situations don't mandate mesh or fully independent architectures!
-
Centralized Architecture
Downstream servers are replicas of the primary server
Little downstream control over servers
Downstream administrators drop machines into predefined groups
All update approvals and scheduling done at the primary server
-
Distributed Architecture
Downstream servers obtain updates from the primary server, except:
Update approvals do not flow down. Assigned at each site individually
Downstream admins have greater control. Can create groups and assign approvals
Used for distribution rather than control of updates
Combinations of centralized and distributed possible. Depends on intra-IT trust model.
-
Disconnected Architecture
Many environments don't have Internet connectivity
Test/dev, government, classified, air-gap environments
Data must be imported from the outside
Any of the previous architectures will work
Manual import process required
Gives CM/QA/Security the option to review updates prior to bringing them inside
-
Disconnected Architecture
Match advanced options between source and target
Express installation files & languages must match
Backup and restore updates from source to target
Back up C:\WSUS\WSUSContent
Restore to the same location on the target server
Transfer update metadata from source to target
Navigate to C:\Program Files\Update Services\Tools
Export metadata using wsusutil.exe export {packageName} {logFile}
Import with wsusutil.exe import {packageName} {logFile}
packageName & logFile are unique names you choose
Database validation can take multiple hours to complete!
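An added PowerShell wrapper for the export/import steps above (example code, not from the deck or from Microsoft): on the source it records the express-files and language settings the slide says must match, copies WSUSContent, and hashes the export package; on the target it refuses to import unless the options match and the hash verifies. It assumes the WSUS 3 administration assembly on both servers, PowerShell 4 or later, the paths from the slide, and a .cab package name.

```powershell
# Added example, not from the presentation. Run elevated on the source with
# -Mode Export, then on the disconnected target with -Mode Import.
param(
    [Parameter(Mandatory = $true)][ValidateSet('Export', 'Import')][string]$Mode,
    [Parameter(Mandatory = $true)][string]$PackageDir,     # root of the transfer medium (assumed path)
    [string]$ContentPath = 'C:\WSUS\WSUSContent'           # path from the slide
)
$wsusutil = 'C:\Program Files\Update Services\Tools\wsusutil.exe'
$cab      = Join-Path $PackageDir 'export.cab'
$manifest = Join-Path $PackageDir 'manifest.json'
$content  = Join-Path $PackageDir 'WSUSContent'

# Read the advanced options that must be identical on both sides
[void][Reflection.Assembly]::LoadWithPartialName('Microsoft.UpdateServices.Administration')
$cfg = [Microsoft.UpdateServices.Administration.AdminProxy]::GetUpdateServer().GetConfiguration()
$local = [ordered]@{
    Express   = $cfg.DownloadExpressPackages
    AllLangs  = $cfg.AllUpdateLanguagesEnabled
    Languages = (@($cfg.GetEnabledUpdateLanguages()) | Sort-Object) -join ','
}

function Invoke-Robocopy([string]$From, [string]$To) {
    robocopy $From $To /E /R:1 /W:1 /NP | Out-Null
    if ($LASTEXITCODE -ge 8) { throw "robocopy $From -> $To failed ($LASTEXITCODE)" }  # 0-7 are success codes
}

if ($Mode -eq 'Export') {
    New-Item -ItemType Directory -Force -Path $PackageDir | Out-Null
    & $wsusutil export $cab (Join-Path $PackageDir 'export.log')
    if ($LASTEXITCODE -ne 0) { throw "wsusutil export failed ($LASTEXITCODE)" }
    Invoke-Robocopy $ContentPath $content
    $local['CabSha256'] = (Get-FileHash -Path $cab -Algorithm SHA256).Hash
    $local | ConvertTo-Json | Set-Content -Path $manifest
    # The manifest travels on the same medium, so it catches corruption but not tampering:
    # record the hash out of band (ticket, e-mail) and compare it on the target as well.
    Write-Host "Exported. Package hash: $($local.CabSha256)"
}
else {
    $src = Get-Content -Path $manifest -Raw | ConvertFrom-Json
    foreach ($k in 'Express', 'AllLangs', 'Languages') {
        if ("$($src.$k)" -ne "$($local[$k])") {
            throw "Option mismatch on $k (source=$($src.$k), target=$($local[$k])); fix before importing"
        }
    }
    $hash = (Get-FileHash -Path $cab -Algorithm SHA256).Hash
    if ($hash -ne $src.CabSha256) { throw "export.cab hash $hash does not match manifest; refusing to import" }
    Invoke-Robocopy $content $ContentPath
    & $wsusutil import $cab (Join-Path $PackageDir 'import.log')   # database validation can take hours
    if ($LASTEXITCODE -ne 0) { throw "wsusutil import failed ($LASTEXITCODE)" }
}
```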
-
Roaming Architecture
Manages updates for external resources
WSUS servers distribute approval metadata
Clients download updates from Windows Update directly
Extra security for Internet-facing WSUS server
Useful separate architecture for mostly off-net clients
[Diagram: Laptop WSUS, Laptops]
-
Roaming Architecture
Four Steps to Internet-facing WSUS
Build server in DMZ and position behind ISA proxy
Locate database on a server not reachable from the Internet
Enable SSL for communications
Host content on Microsoft Update
[Diagram: Laptop WSUS, Laptops]
-
High Availability Architecture
WSUS 3.0 includes native support for high availability
NLB clusters connect multiple WSUS web servers via a single cluster IP
SQL cluster manages the database
No single point of failure
Critical: This design is useful for availability, but does little for performance
-
Managing Branch Offices
Branch offices are typically managed through replica WSUS servers
Replica servers take all orders from the central server
Settings at the top flow downward, but take time
Alternatively, unify architecture through a single central server
Single server manages all clients across all offices
Deploy ISA proxy in the branch
Enable BITS peer-caching
Use delta files to reduce network traffic
10x more server disk space
4x less client download
-
Upgrade Deployment
WSUS 3 SP1 setup supports in-place upgrade
One-way upgrade (no rollback)
Can't be done from WSUS 2 on Server 2000 or using SQL 2000
Alternative is migration upgrade:
Install second server
If original server is WSUS2 SP1:
Perform disconnected replica steps (wsusutil, ntbackup, wsusmigrate)
Switch over client via policy
If original server is also WSUS3
Configure new server to be a replica of the first and sync
After sync, configure new server to be autonomous
Upgrade hierarchy from top down
-
Troubleshooting WSUS
-
Errors and Error Codes
Numerous WSUS error codes exist
A complete list of all WSUS error codes is available on-line at http://inetexplorer.mvps.org/archive/windows_update_codes.htm
For example, 0x8DDD0018 occurs when one of these services is disabled:
Automatic Updates
BITS
Event Log
-
Errors and Error Codes II
0x80072EE2, 0x80072EFD
This issue occurs because the Windows Update client did not receive a timely response from the Windows Update Web site server
Likely a proxy configuration, personal firewall, or trusted hosts problem
-
Errors and Error Codes III
0x80246008, 0x8024402C
Caused by BITS malfunctioning or corrupted
Download and extract the BITSAdmin tool from the Windows Support Tools CD
bitsadmin /util /repairservice /force
If that doesn't work, try a BITS re-install
Though if you do a BITS re-install, clear out the %SystemRoot%\SoftwareDistribution folder and reboot when done
It's worth mentioning here that there is no backup download process for WUA, like HTTP or FTP.
If BITS is non-functional, so is patching!
-
Errors and Error Codes IV
0x80244019
This error is often caused when the Proxy server is not properly configured.
Ensure that your proxy server allows anonymous access to these external addresses:
http://windowsupdate.microsoft.com
http://*.windowsupdate.microsoft.com
https://*.windowsupdate.microsoft.com
http://*.update.microsoft.com
https://*.update.microsoft.com
http://*.windowsupdate.com
http://download.windowsupdate.com
http://download.microsoft.com
http://*.download.windowsupdate.com
http://wustat.windows.com
http://ntservicepack.microsoft.com
Microsoft does not publish the IPs associated with these FQDNs.
So, if you do perimeter network security by IP, you've gotta stay on the ball with these!
-
WUA Client Issues
To enable auto-updates, ensure:
Anonymous access granted to the Self Update virtual directory on the WSUS server
Auto-updates requires TCP/80 to function on the WSUS server
Be aware of GP replication times
90 to 120 minute GP refresh timing will impact the speed of clients becoming visible in the WSUS admin tool
Be aware of AU detection frequency times
WUA client set to check with server every 22 hours (minus offset).
When WUA checks in is when it checks the WUA version
Need to run wuauclt /detectnow to force this to occur on demand
-
WUA Client Issues II
Known issue with imaged workstations:
If you image your workstations (and who doesn't these days!), you must change the SID
Sysinternals NewSID, Microsoft SysPrep
Not doing this will prevent WUA from contacting WSUS
To fix this problem:
Run one of the above tools to change the SID
HKLM\Software\Microsoft\Windows\CurrentVersion\WindowsUpdate
Delete the PingID, SUSClientID, and AccountDomainSID values
Restart the wuauserv service
Run wuauclt /resetauthorization /detectnow
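An added PowerShell example (not from the deck) for the imaged-workstation problem above: it finds clones that share a SusClientId by reading the registry key from a list of machines, and resets the local agent identity the way the slide describes. It assumes the Remote Registry service and admin rights on the targets, PowerShell 3 or later, and constructed computer names.

```powershell
# Added example, not from the presentation.
function Get-SusClientId {
    param([Parameter(Mandatory = $true)][string]$ComputerName)
    # Remote registry read: needs the Remote Registry service running and admin rights on the target
    $hklm = [Microsoft.Win32.RegistryKey]::OpenRemoteBaseKey('LocalMachine', $ComputerName)
    $key  = $hklm.OpenSubKey('SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate')
    if ($null -eq $key) { throw "WindowsUpdate key missing on $ComputerName" }
    [pscustomobject]@{
        Computer    = $ComputerName
        SusClientId = $key.GetValue('SusClientId')
        PingID      = $key.GetValue('PingID')
    }
}

function Find-DuplicateSusClientId {
    param([Parameter(Mandatory = $true)][string[]]$ComputerName)
    $ids = foreach ($c in $ComputerName) {
        try { Get-SusClientId -ComputerName $c } catch { Write-Warning "${c}: $($_.Exception.Message)" }
    }
    # Two or more machines reporting the same SusClientId collapse into one WSUS computer record
    $ids | Where-Object { $_.SusClientId } | Group-Object -Property SusClientId |
        Where-Object { $_.Count -gt 1 } | ForEach-Object {
            [pscustomobject]@{
                SusClientId = $_.Name
                Computers   = ($_.Group | ForEach-Object { $_.Computer }) -join ', '
            }
        }
}

function Reset-WuaClientId {
    # Run locally, elevated, on each clone after its SID has been changed.
    # The deleted values are regenerated on the next check-in; /resetauthorization forces it.
    $path = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate'
    Stop-Service -Name wuauserv -Force
    foreach ($value in 'PingID', 'SusClientId', 'AccountDomainSid') {
        Remove-ItemProperty -Path $path -Name $value -ErrorAction SilentlyContinue
    }
    Start-Service -Name wuauserv
    wuauclt.exe /resetauthorization /detectnow
}

# Usage: the names below are constructed placeholders
Find-DuplicateSusClientId -ComputerName 'ws-001', 'ws-002', 'ws-003' | Format-Table -AutoSize
```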
-
WUA Client Issues III
Disabling the Automatic Updates service or the BITS service at any point in the past prevents it from starting properly when you need it!
Reset permissions on these services to re-enable functionality.
Use the Service Control Resource Kit tool (sc.exe) to do this:
sc sdset bits "D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCLCSWLOCRRC;;;AU)(A;;CCLCSWRPWPDTLOCRRC;;;PU)"
sc sdset wuauserv "D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCLCSWLOCRRC;;;AU)(A;;CCLCSWRPWPDTLOCRRC;;;PU)"
Every disabled client needs this!
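An added audit-and-repair example (not from the deck) for the service problem above: it compares each service's start mode and DACL on the local client against the descriptor the slide sets, and re-applies the slide's sc sdset plus a start mode when they drift. It assumes an elevated Windows PowerShell session and the start modes shown as the ones to restore.

```powershell
# Added example, not from the presentation.
$ExpectedSddl = 'D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)' +
                '(A;;CCLCSWLOCRRC;;;AU)(A;;CCLCSWRPWPDTLOCRRC;;;PU)'
$Services = @{ bits = 'demand'; wuauserv = 'auto' }   # start modes to restore (assumed defaults)

function Test-WuaServiceState {
    foreach ($name in $Services.Keys) {
        $svc  = Get-WmiObject -Class Win32_Service -Filter "Name='$name'"
        $sddl = ((sc.exe sdshow $name) | Where-Object { $_ -match '^D:' }) -join ''
        $dacl = ($sddl.Trim() -split 'S:')[0]     # newer builds append a SACL; compare the DACL only
        [pscustomobject]@{
            Service   = $name
            StartMode = $svc.StartMode
            State     = $svc.State
            Disabled  = ($svc.StartMode -eq 'Disabled')
            DaclOk    = ($dacl -eq $ExpectedSddl)
        }
    }
}

function Repair-WuaServiceState {
    foreach ($name in $Services.Keys) {
        sc.exe sdset $name $ExpectedSddl | Out-Null              # same descriptor as the slide
        sc.exe config $name start= $Services[$name] | Out-Null   # undo "Disabled"
        Start-Service -Name $name
    }
}

$state = Test-WuaServiceState
$state | Format-Table -AutoSize
if ($state | Where-Object { $_.Disabled -or -not $_.DaclOk }) { Repair-WuaServiceState }
```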
-
Tips and Tricks for Using WSUS
-
Optimize Patch Distribution
In large, multi-site environments low bandwidth may cause problems for remote offices
Distributing updates to downstream servers is a big problem
Potential solutions:
Ensure downloading only the languages you need
Configure patch distribution to occur in the evenings
Stagger patch distributions between tiered sites
Express installation files can exacerbate this
The bandwidth savings in express installation files occur from WSUS server to client, not between WSUS servers
Throttle BITS
-
Throttling BITS
BITS can be throttled either on the WSUS server or additionally on all the clients
Alleviates network saturation during update distribution and during client installation
Be aware that this does slow down update distributions!
Throttle BITS in Group Policy:
Computer Configuration | Administrative Templates | Network | Background Intelligent Transfer Service
Two settings:
Maximum network bandwidth that BITS uses
Limit by Kbps based on time of day or at all times
Be aware that Kbps is kiloBITS not kiloBYTES (divide by 8)
Timeout (in days) for inactive jobs
-
DNS Netmask Ordering
Non-centralized architectures can better route clients through DNS netmask ordering
Microsoft DNS round robin will first provide an IP address in the same subnet as the requestor
If no IP exists in the same subnet, a random IP will be selected
All WSUS hosts must respond to the same FQDN
DNS FQDN record is populated with the IP addresses of all WSUS servers in the network
-
Server Tuning
Run cleanup and DB defrag every few months
Cleanup wizard is a new feature in WSUS 3
Removes stale computers and updates
DB index defrag script available on ScriptCenter
keeps the server running fast
Look out:
Take care to not remove computers that are still active (but having trouble contacting the server)
Populate from AD sample tool can help
In a hierarchy, need to run cleanup on each WSUS server.
Clean computers from bottom-up
Clean updates from top-down (or between sync intervals)
Can be automated through the API
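An added example (not from the deck) of automating the cleanup above through the WSUS 3 .NET API, with the "look out" built in: stale computer records are cross-checked against Active Directory first, and computer removal stays off until that list has been reviewed. It runs against one server only (the bottom-up/top-down ordering across a hierarchy is left to the operator) and assumes the administration assembly on the WSUS server and PowerShell 3 or later.

```powershell
# Added example, not from the presentation. Run elevated on the WSUS server.
[void][Reflection.Assembly]::LoadWithPartialName('Microsoft.UpdateServices.Administration')

function Get-WsusStaleComputer {
    param([int]$Days = 30)
    $server = [Microsoft.UpdateServices.Administration.AdminProxy]::GetUpdateServer()
    $cutoff = (Get-Date).AddDays(-$Days)
    foreach ($t in $server.GetComputerTargets()) {
        if ($t.LastReportedStatusTime -ge $cutoff) { continue }
        # Cross-check AD: a stale record whose account is still enabled is probably a live
        # client that cannot reach WSUS, not a retired machine, so do not let cleanup drop it
        $name = ($t.FullDomainName -split '\.')[0]
        $acct = ([adsisearcher]"(&(objectCategory=computer)(sAMAccountName=$name`$))").FindOne()
        $enabled = $false
        if ($acct) { $enabled = -not ([int]$acct.Properties['useraccountcontrol'][0] -band 2) }
        [pscustomobject]@{
            Computer     = $t.FullDomainName
            LastReported = $t.LastReportedStatusTime
            InAD         = [bool]$acct
            AdEnabled    = $enabled
        }
    }
}

function Invoke-WsusCleanup {
    param([switch]$IncludeComputers)
    $server = [Microsoft.UpdateServices.Administration.AdminProxy]::GetUpdateServer()
    $scope = New-Object Microsoft.UpdateServices.Administration.CleanupScope
    $scope.DeclineSupersededUpdates    = $true
    $scope.DeclineExpiredUpdates       = $true
    $scope.CleanupObsoleteUpdates      = $true
    $scope.CompressUpdates             = $true
    $scope.CleanupUnneededContentFiles = $true
    $scope.CleanupObsoleteComputers    = $IncludeComputers.IsPresent
    $server.GetCleanupManager().PerformCleanup($scope)   # returns counts of what was removed
}

$stale = Get-WsusStaleComputer -Days 30
$stale | Where-Object { $_.AdEnabled } | Format-Table -AutoSize   # investigate these before removing computers
Invoke-WsusCleanup   # updates and content only; add -IncludeComputers once the list above is empty
```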
-
Considerations for Updating Servers
Servers require more care than workstations
A rebuild is usually not an acceptable solution for a failed patch installation
Outage windows are shorter
But in some ways servers are easier
Data and system drives usually separated
Hardware configuration is usually more stable or well-understood
Service isolation and redundancy in larger environments limits exposure/risk
People typically aren't surfing on servers
The RAID 1 Undo Trick
-
What About Reboots?
I've said this before, and I'll say it again: If you have a patch management plan without a reboot strategy, you don't have a patch management plan.
Three methods:
Client-initiated
WSUS-initiated
Script-initiated
Two methodologies: Scheduled reboots vs. rebooting for patch installation
I will argue in favor of scheduled, forced reboots over mid-day reboots.
-
Handling Reboots
' Reads computer names from RebootFile, reboots each via WMI, logs the outcome to LogFile
RebootFile = "computers.txt"
LogFile = "results.txt"
Set fso = CreateObject("Scripting.FileSystemObject")
Set f = fso.OpenTextFile(RebootFile, 1, True)
Set objTextFile = fso.OpenTextFile(LogFile, 2, True)
On Error Resume Next
Do While f.AtEndOfStream <> True
    strComputer = Trim(f.ReadLine)
    If strComputer <> "" Then
        Err.Clear
        ' (Shutdown) requests the shutdown privilege that Win32_OperatingSystem.Reboot needs
        Set objWMIService = GetObject("winmgmts:" & _
            "{impersonationLevel=impersonate,(Shutdown)}!\\" & strComputer & "\root\cimv2")
        If Err.Number <> 0 Then
            objTextFile.WriteLine(strComputer & " is not responding.")
            Err.Clear
        Else
            Set colOperatingSystems = objWMIService.ExecQuery("Select * from Win32_OperatingSystem")
            objTextFile.WriteLine(strComputer & " is rebooting.")
            For Each objOperatingSystem In colOperatingSystems
                objOperatingSystem.Reboot()
            Next
        End If
    End If
Loop
f.Close
objTextFile.Close
-
Custom Reports
UI supports basic customization (filters)
Advanced customization can be built on
WSUS (.NET) API
Can use PowerShell scripts to generate reports
Public read-only SQL views
Can use SSRS to generate reports (if full SQL)
Samples available from MSDN
E.g., compliance against approved updates
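An added example (not from the deck or MSDN) of the "compliance against approved updates" report above, built on the public WSUS .NET API rather than the SQL views: per computer, it counts approved updates that are installed, missing, failed or waiting on a reboot and flags non-compliant hosts. It assumes the administration assembly (present on a WSUS server or console) and PowerShell 3 or later; the port and SSL settings are parameters.

```powershell
# Added example, not from the presentation.
[void][Reflection.Assembly]::LoadWithPartialName('Microsoft.UpdateServices.Administration')

function Get-WsusApprovedCompliance {
    param([string]$ServerName = 'localhost', [int]$Port = 80, [switch]$UseSsl)
    $server = [Microsoft.UpdateServices.Administration.AdminProxy]::GetUpdateServer($ServerName, $UseSsl.IsPresent, $Port)

    # Only updates whose latest revision is approved count towards compliance
    $updateScope = New-Object Microsoft.UpdateServices.Administration.UpdateScope
    $updateScope.ApprovedStates = [Microsoft.UpdateServices.Administration.ApprovedStates]::LatestRevisionApproved
    $computerScope = New-Object Microsoft.UpdateServices.Administration.ComputerTargetScope   # all computers

    foreach ($s in $server.GetSummariesPerComputerTarget($updateScope, $computerScope)) {
        $target  = $server.GetComputerTarget($s.ComputerTargetId)
        # Anything approved but not yet fully installed is "missing" from the auditor's point of view
        $missing = $s.NotInstalledCount + $s.DownloadedCount + $s.FailedCount + $s.InstalledPendingRebootCount
        [pscustomobject]@{
            Computer      = $target.FullDomainName
            LastReported  = $target.LastReportedStatusTime
            Installed     = $s.InstalledCount
            Missing       = $missing
            Failed        = $s.FailedCount
            PendingReboot = $s.InstalledPendingRebootCount
            Unknown       = $s.UnknownCount      # not yet scanned; treat as non-compliant, not as clean
            Compliant     = ($missing -eq 0 -and $s.UnknownCount -eq 0)
        }
    }
}

Get-WsusApprovedCompliance |
    Sort-Object -Property Compliant, Missing -Descending |
    Export-Csv -Path 'compliance.csv' -NoTypeInformation
```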
-
Match KBs to MSRCs
Ever wish you had a nice mapping of knowledge base numbers to MSRC numbers?
The Q-numbers to the MS-numbers
This script outputs a .CSV file that provides just that mapping
Add the name of your WSUS server into the top line of the script: strWSUSServer = ""
-
Match KBs to MSRCs
strWSUSServer = ""   ' name of the WSUS server (the SQL instance hosting SUSDB)
Set fso = CreateObject("Scripting.FileSystemObject")
Set objTextFile = fso.OpenTextFile("OUTPUT.csv", 2, True)
objTextFile.WriteLine("MS Number,Q Number")
Set conn = CreateObject("ADODB.Connection")
Set rs = CreateObject("ADODB.Recordset")
' Windows authentication against SUSDB
dbconn = "Driver={SQL Server};Server=" & strWSUSServer & ";Database=SUSDB;Trusted_Connection=Yes"
conn.Open dbconn
' Map each security bulletin ID to the English (LCID 1033) title of its update revision
strSQLQuery = "SELECT dbo.tbSecurityBulletinForRevision.SecurityBulletinID, " & _
    "dbo.tbLocalizedProperty.Title " & _
    "FROM dbo.tbLocalizedPropertyForRevision " & _
    "INNER JOIN dbo.tbLocalizedProperty " & _
    "ON dbo.tbLocalizedPropertyForRevision.LocalizedPropertyID = dbo.tbLocalizedProperty.LocalizedPropertyID " & _
    "INNER JOIN dbo.tbSecurityBulletinForRevision " & _
    "ON dbo.tbLocalizedPropertyForRevision.RevisionID = dbo.tbSecurityBulletinForRevision.RevisionID " & _
    "WHERE (dbo.tbLocalizedPropertyForRevision.LanguageID = 1033) " & _
    "ORDER BY dbo.tbSecurityBulletinForRevision.SecurityBulletinID"
rs.Open strSQLQuery, conn, 3, 3
While Not rs.EOF
    ' Strip commas from the title so it stays a single CSV field
    objTextFile.WriteLine(rs.Fields(0).Value & "," & Replace(rs.Fields(1).Value, ",", ""))
    rs.MoveNext
Wend
rs.Close
conn.Close
objTextFile.Close
WScript.Echo "Done!"
-
Agent Control
Use the WUA API to control the agent
Custom install schedules
Updating servers in web farms
Implementing install now functionality
-
On-Demand Patching (You Patch Now!)
Ever wish you had a WSUS big red button?
Such a button might automatically download and install all approved patches and reboot if necessary
How about this VBScript?
Run this script from any server console
Immediately downloads and installs all approved patches.
If a reboot is required, it will then reboot the server.
-
The WSUS Big Red Button
Set objAutomaticUpdates = CreateObject("Microsoft.Update.AutoUpdate")
objAutomaticUpdates.EnableService
objAutomaticUpdates.DetectNow
' Search the configured update source (WSUS) for approved software updates not yet installed
Set objSession = CreateObject("Microsoft.Update.Session")
Set objSearcher = objSession.CreateUpdateSearcher()
Set objResults = objSearcher.Search("IsInstalled=0 and Type='Software'")
Set colUpdates = objResults.Updates
Set objUpdatesToDownload = CreateObject("Microsoft.Update.UpdateColl")
intUpdateCount = 0
For i = 0 To colUpdates.Count - 1
    intUpdateCount = intUpdateCount + 1
    Set objUpdate = colUpdates.Item(i)
    objUpdatesToDownload.Add(objUpdate)
Next
If intUpdateCount = 0 Then
    WScript.Echo "No approved updates pending."
    WScript.Quit
Else
    ' Download, then install, everything that was found
    Set objDownloader = objSession.CreateUpdateDownloader()
    objDownloader.Updates = objUpdatesToDownload
    objDownloader.Download()
    Set objInstaller = objSession.CreateUpdateInstaller()
    objInstaller.Updates = objUpdatesToDownload
    Set installationResult = objInstaller.Install()
    WScript.Echo "Install result code: " & installationResult.ResultCode
    ' Reboot only if the agent reports that one is required
    Set objSysInfo = CreateObject("Microsoft.Update.SystemInfo")
    If objSysInfo.RebootRequired Then
        Set objWMIService = GetObject("winmgmts:{impersonationLevel=impersonate,(Shutdown)}!\\localhost\root\cimv2")
        Set colOperatingSystems = objWMIService.ExecQuery("Select * from Win32_OperatingSystem")
        For Each objOperatingSystem In colOperatingSystems
            objOperatingSystem.Reboot()
        Next
    End If
End If
-
Other API Uses
ISVs use the APIs for many other features as well
Distribute 3rd-party updates (quite complex)
Gather software and hardware inventory
Distribute updates to non-Windows devices
Your starting point is http://technet.microsoft.com/en-us/wsus/bb466192.aspx
API Samples
Diagnostic Tools
Header Files
-
Summary
WSUS is simple to use, but scales to enterprise
Flexible server deployment options
Single server, scale up, branch office, scale out, disconnected, roaming laptops
Flexible update deployment options
Peer caching, delta patching, auto-approval rules, auto-reapprove revisions
Periodically tune the server (defrag + cleanup)
Public API and DB views can be used to extend the base functionality for many advanced scenarios
Starting point for all WSUS information: http://www.microsoft.com/updateservices