Servicing your modern Windows workplace like a boss.

About Kenny

@KennyBuntinx

http://be.linkedin.com/in/kennybuntinx/

http://scug.be/sccm

About Tim

@Tim_DK

http://be.linkedin.com/in/timdekeukelaere/

http://www.dekeukelaere.com

Multiple ways of patching

Infrastructure requirements

Do you have the following symptoms ?

- High CPU on your WSUS server – 70-100% CPU in w3wp.exe hosting WsusPool

- High memory in the w3wp.exe process hosting the WsusPool – customers have reported memory usage approach 24GB

- Constant recycling of the W3wp.exe hosting the WsusPool (identifiable by the PID changing)

- Clients failing to scan with 8024401c (timeout) errors in the WindowsUpdate.log

- Mostly 500 errors for the /ClientWebService/Client.asmx requests in the IIS logs

Do you have the following symptoms ?

Index and Clean

&

Getting your WSUS infrastructure ready

The complete guide to Microsoft WSUS and Configuration Manager SUP maintenance :

- https://blogs.technet.microsoft.com/configurationmgr/2016/01/26/the-complete-guide-to-microsoft-wsus-and-configuration-manager-sup-maintenance/

WSUS - Hotfixes Go for Windows Server 2012 R2 with following hotfixes

https://support.microsoft.com/en-us/kb/3095113

https://support.microsoft.com/en-us/kb/3159706

https://support.microsoft.com/en-us/kb/4039871/

Be aware to follow the guidelines of KB3159706

• Select HTTP Activation under .NET Framework 4.5 Features in the Server Manager Add Roles and Features wizard.

• "C:\Program Files\Update Services\Tools\wsusutil.exe" postinstall /servicing

Go for Windows Server 2016 with following hotfixes

https://support.microsoft.com/en-us/kb/4039396

Getting your WSUS infrastructure ready Prepare the mime type .esd file on IIS

Error 0x8024200d ? – Check for duplicate .esd mime file extensions

Getting your WSUS infrastructure ready Configure your IIS for WSUS correctly and modify the following settings:

a. Queue Length: 9000

b. Make sure that you do not have any CPU limit configurated. Should be 0 by default.

c. Under Rapid-Fail Protection. Set Failure Interval (Minutes): 30, and Maximum Failures: 60

d. Private Memory Limit should not be set to unlimited (e.g. 0).

e. Next modify the web.config file for the clientwebservice virtual application:

Changing webconfig for clientwebservice (located in prog files\update services\webservices\clientweb..)

<httpRuntime executionTimeout="500" maxRequestLength="4096" />

f. Next navigate to %Windir%\ and then run: IISReset.

Getting your WSUS infrastructure ready - Want to include your Surface Drivers as pre-release feature ?

Content Management

Windows 10 Quality UpdatesExpress Updates require WSUS

Delta updates for non WSUS(1607 – 1703 - 1709)

Delta and Cumulative have the same KB number, with the same classification, and release at the same time. Updates can be distinguished by either the update title in the catalog, or by the name of the msu:

◦ 2017-02 \Delta Update** for Windows 10 Version 1607 for x64-based Systems (KB1234567)

◦ 2017-02 \Cumulative Update** for Windows 10 Version 1607 for x86-based Systems (KB1234567)

Express UpdatesSupported in Configuration Manager as of version 1702

Requires Windows 10 1607 w April CU

As of 1706◦ Performance Improvements

◦ Client peer cache support for express installation files for Windows 10 and Office 365

Express UpdatesEnabled in the SUP Component Properties

Express UpdatesConfigured through client settings

Peer CacheNative ConfigMgr solution for peer-to-peer content sharing

All content in the ConfigMgr client cache can be shared to peers

Currently in pre-release

Continuous investments - 1702:◦ Peer cache sources can reject clients when busy

◦ Low battery mode.

◦ CPU load exceeds 80% at the time the content is requested.

◦ Disk I/O has an AvgDiskQueueLength that exceeds 10.

◦ There are no more available connections to the computer.

◦ Additional out of the box reports

Future:

◦ Support for Windows express files

◦ Support for Office 365 delta files

Peer Cache

Cloud Management Gateway

AD CA

Windows Update

Configuring Settings

WSUS Group policyConfigure the GPO of Windows Components/Windows Update for Windows 10 :

• Configure Automatic Updates: Not Configured • Do not connect to any Windows Update

Internet locations: Enabled• Specify intranet Microsoft update service

location: Enabled• Allow updates from an intranet Microsoft

update service location: Enabled

OSD WSUS Scan behaviorCreate a Group called ‘Configure Windows Update Settings’ just before the Windows Update Step and add a new ‘Run Command Line’ :

REG ADD HKLM\SOFTWARE\Policies\Microsoft\Windows\DeliveryOptimization /v DODownloadMode /t REG_DWORD /d 100

REG ADD HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate /v DoNotConnectToWindowsUpdateInternetLocations /t REG_DWORD /d 1

Add a ‘Restart Computer’ Step after the above Step.

Then create a second Group called ‘Remove Windows Update Settings’ just below the last Windows Update Step and add a new ‘Run Command Line’ :

REG DELETE HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate /v DoNotConnectToWindowsUpdateInternetLocations /f

REG DELETE HKLM\SOFTWARE\Policies\Microsoft\Windows\DeliveryOptimization /v DODownloadMode /f

Client Settings for Peer Cache

Different settings for SUP

Servicing

Servicing ChannelsFeature updates - Released twice per year (around March and September)

Servicing channels allow organizations to choose when to deploy new features

Do not say : ◦ CB, CBB and LTSB

Do say:◦ Semi-Annual Channel Targeted

◦ Semi-Annual Channel

◦ Long-Term Servicing Channel (LTSC)

Source : https://technet.microsoft.com/en-us/windows/release-info

WAAS – Release Cadence

WAAS – Release Support

WAAS – What about Office?

Approaches for servicing

Windows Update Windows Server Update Services

Windows Update for Business

System Center Configuration Manager

ConfigMgr - In practice …

Policies / MSB

Pro--- Full Control--- Add / Preserve customizations--- Application lifecycle--- Tattooing--- Software Updates--- Control User Experience

Contra--- Operational Cost (recurring)

Pro--- ADR alike--- Set and forget

Contra--- Control level--- No customizations--- Limited scheduling--- User Experience like regular SU

Phased Deployment - Process

Thanks to our event sponsors

Silver

Gold