Archive for WSUS

Security Patch MS16-072 Breaks GPO on SBS 2008, SBS 2011, and Windows Server 2008/2008R2

Microsoft released security hotfix MS16-072 last week. This patch attempts to improve GPO security. But as my fellow MVPs Susan Bradley and Wayne Small have discovered, this new security update can actually break certain GPO-based processes, such as WSUS.

Note: Microsoft has not released a fix to this, nor are we expecting them to do so. But the blog posts below offer instructions for manually fixing this issue.

Here are the two blog posts that Wayne Small posted on his site, identifying the problem and suggested workarounds:

Susan Bradley forwarded the following post from Group Policy Central which includes a PowerShell script and further instructions from Microsoft to manually fix this problem.

KB3119142 Keeps Reinstalling–Microsoft Visual C++ 2012 Update 4

I was working on installing some Microsoft updates on computers at a customer site this evening. Several computers, all Windows 10 O/S, were reporting that KB3119142 was being (re)installed successfully every day.

The solution was very simple (with a tip of a hat to a TenForums post):

  • Open up Programs & Features (from Control Panel)
  • Locate and click to select the “Microsoft C++ 2012 Update 4 Redistributable Package X64”
  • Click to Change, then click to Repair
  • Reboot the workstation
  • Rerun Microsoft Update and you should be fine!

Windows 10 Upgrade Prompt Coming Soon to a Domain Near You–Possibly

It’s hard to believe it was 5 1/2 months ago (July 2015) that Windows 10 was released. At that time Microsoft also announced a one year window of opportunity to upgrade your Windows 7/8.1 computer to Windows 10 for free.

To encourage easy access to the Windows 10 upgrade, home PCs (non-domain joined corporate/business PCs) started seeing the Get Windows 10 (GWX) prompt at the bottom of their screen.

Microsoft has now announced that many business PCs will soon be seeing the GWX taskbar icon and upgrade notification prompts. Eligible PCs will be those domain-joined PCs running Windows 7 Professional or Ultimate, or Windows 8.1 Pro. PCs running Windows 7 / 8.1 Enterprise are not eligible for the free upgrade.

But to receive the Get Windows 10 prompt, eligible computers must be receiving updates directly from Windows Update.

To word it differently, if your computers are receiving their updates from Windows Server Update Services (WSUS) or System Center Configuration Manager (SCCM), then they will NOT see the Get Windows 10 prompts.

For more information, check out the article at ZDNet.

Do not install Exchange 2010 SP3 RU8 yet

On Thursday Dec 11, 2014 Microsoft released new updates for Exchange 2007, 2010, and 2013. Read more here.

However, an issue has been identified in the Exchange Server 2010 SP3 Update Rollup 8. The update has been recalled and is no longer available on the download center pending a new RU8 release. Customers should not proceed with deployments of this update until the new RU8 version is made available. Customers who have already started deployment of RU8 should rollback this update.

The issue impacts the ability of Outlook to connect to Exchange.

Please note: this issue only impacts the Exchange Server 2010 SP3 RU8 update, the other updates remain valid and customers can continue with deployment of these packages.

SBS 2011 and Windows Update Error 800B0001

As we enter 2014, there are still plenty of new SBS 2011 servers being installed in offices. SBS 2011 is the last version of Microsoft’s Small Business Server (SBS) product line. SBS 2011 comes with Exchange, SharePoint and WSUS pre-installed.

If your site also has Windows 8/8.1 computers, you may discover that running Windows Update on those computers may generate an error 800B0001.

Now, if you do your due diligence and search for this error, you will find suggestions that a credential on your Windows 8 computer is corrupt, and that you should run a pair of DISM commands to attempt to repair the situation.

But, in most cases, running these commands will NOT resolve the issue. So what’s causing the error?

Simply put, you are missing a couple of required updates on your SBS 2011 server, updates that resolve the issue of Windows 8/8.1 communicating to the WSUS server:

KB 2720211 – Update for WSUS 3.0 SP2

KB 2734608 – Update for WSUS 3.0 SP2

Script to see if a KB update has been installed on a computer

Often, when I am working on a workstation or server, I need to see if a particular KB update has already been applied (installed). Case in point: KB 2862330 was released in October as part of a set of USB/Kernel updates. Immediately there were reports of BSODs with Windows 7 and Windows 2008R2 systems.

Early investigation of this issue found that the BSOD could be avoided in most cases if KB 2533552 was installed prior to installing 2862330.

So, I found myself looking for a simple, easy way to determine if a KB update has been installed on a particular workstation. Gandlaf50 from the Spiceworks’ community forum posted a VB script solution. The script will ask you which computer to check, meaning you could run this from your workstation, and check another computer in your network.

  1. Download the script file to your computer
  2. Rename it from findkb.v_b_s to findkb.vbs
  3. Double click to run the script.
  4. Enter the KB number you wish to check (enter just the number)
  5. Enter the name of the computer to be checked
  6. A message box will display informing you if the KB is installed or not.

Voila!
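
The same check as an added PowerShell example (not the Spiceworks script and not the author's code), using the built-in Get-HotFix cmdlet against several computers at once. The function name Test-KBInstalled is hypothetical and the computer names are constructed placeholders.

```powershell
# Added example: report whether a KB is installed on one or more computers.
function Test-KBInstalled {
    param(
        [Parameter(Mandatory = $true)][string]$KB,
        [string[]]$ComputerName = @($env:COMPUTERNAME)
    )
    # Accept "2533552", "KB2533552" or "KB 2533552" and normalize to "KB2533552"
    $digits = $KB -replace '[^0-9]', ''
    if (-not $digits) { throw "No KB number found in '$KB'" }
    $id = "KB$digits"

    foreach ($computer in $ComputerName) {
        $status = 'NotInstalled'
        $installedOn = $null
        try {
            # List all hotfixes and filter locally: Get-HotFix -Id raises an
            # error when the id is absent, which would look like a failed query.
            $hit = Get-HotFix -ComputerName $computer -ErrorAction Stop |
                   Where-Object { $_.HotFixID -eq $id } |
                   Select-Object -First 1
            if ($hit) {
                $status = 'Installed'
                $installedOn = $hit.InstalledOn
            }
        } catch {
            # Unreachable host, firewall or access denied: report the failure
            # rather than silently counting the machine as "not installed".
            $status = "QueryFailed: $($_.Exception.Message)"
        }
        New-Object PSObject -Property @{
            Computer = $computer; KB = $id; Status = $status; InstalledOn = $installedOn
        }
    }
}

# Check for the prerequisite named in the post before approving KB 2862330.
$targets = 'WS01', 'WS02', 'SERVER01'   # constructed computer names
Test-KBInstalled -KB 2533552 -ComputerName $targets |
    Select-Object Computer, KB, Status, InstalledOn |
    Format-Table -AutoSize
```

Get-HotFix reads the Win32_QuickFixEngineering WMI class, which does not return updates delivered as Windows Installer (MSI) packages, so a "NotInstalled" result for such an update needs a second source before it is trusted.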

Windows Update running forever on XP and 2003

There are plenty of reports of both Windows XP and Windows 2003 server systems stalling when running Windows Update (WU/MU). In some cases, they say that if you wait several hours, or perhaps overnight, the situation will resolve itself.

The long delay is (apparently) due to an IE detection process.

So, what does one do?

The suggestion is to download and manually install the December 10, 2013 Cumulative Security Update for Internet Explorer (MS13-097 / KB2898785). By installing it manually, you remove that detection from the workstation.

Exchange 2007 Rollup 11 SBS 2008

I generally like to wait a month before installing Exchange rollups. If you’re running SBS 2008 and Exchange 2007, you may have noticed that Rollup 11 for Exchange 2007 was released on August 13, 2013.

As with all previous Exchange rollups, you can install it via WSUS, or you can install it manually – which is my preference. There is a small trick you need to know to install the rollup manually, so let’s jump in:

  1. Go ahead and download the latest rollup. Rollup 11 can be found here.
  2. You will be asked to select whether to download the 32-bit (x86) or 64-bit (x64). For SBS 2008, you want the x64 version.
  3. Download and save the file to your preferred folder on your server.
  4. Now, if you simply click on the downloaded file and try to install it, it’s not going to work! You will get the following error message: “The Installer has insufficient privileges to modify this file: C:\Program Files\Microsoft\Exchange server\RelNotes.htm”.
  5. So you say to yourself, “Oh, I guess I need to right click on the file and ‘run as’ administrator”.
    Go ahead, and try it, and you will be in for a surprise – you won’t find a ‘run as’ option, because this is a .msp file.
    What are you going to do now?
  6. Kudos to my good friend and MVP buddy, Philip Elder, who discovered the following trick to get around this issue:

    Start up a command prompt window using the ‘run as’ administrator, and then within the command prompt window, navigate to the folder where the Rollup file was stored, and type in the full name of the file (including the .msp suffix)

  7. You can now proceed to install the rollup. Be sure to reboot your computer after the installation is completed.

Scheduling the WSUS Cleanup Wizard

I manage several SBS 2008 and SBS 2011 servers. One of the key maintenance issues is the size of the WSUS database. There are plenty of posts from people bemoaning the fact that suddenly the WSUS Content folder has grown to over 20 GB (or more)!

WSUS provides an easy way to run the wizard manually. But doing this requires one to log into the server, and start up the wizard. Why do that, when you can schedule the wizard to run on a weekly basis?

Kudos to my good friend and fellow MVP’er, Kevin Royalty, for this information.

STEP 1 – Run the WSUS Cleanup Wizard manually

Before scheduling the wizard to run automatically, it is important to run the wizard manually first, especially if it has not been run in a long time. Do not be concerned if the wizard takes hours (literally) to run the first time. My fellow MVP’er, Philip Elder, blogged that he had one server that required 36 hours to do the initial cleanup!!!

Review my post for running the wizard manually.

STEP 2 – Create the WSUS Cleanup Batch file

  1. Go to the Codeplex site and download the WSUS Cleanup v2 tool (zip file)
  2. Extract the files to your desired folder (C:\Scripts in my case). Three files are extracted.
  3. You then need to create your own batch script/command, and documentation to do that is available from the Codeplex site
    – OR –
    Just download my script (WSUSCleanup.txt) and save it to your Scripts directory (be sure to rename it from WSUSCleanup.txt to WSUSCleanup.cmd)

STEP 3 – Schedule to run the batch file automatically

The only thing left is to schedule the task to run on a regular basis (perhaps weekly on Sunday mornings).

  1. Click Start –> Administrative Tools –> Task Scheduler
  2. Click Create Basic Task… from the right hand frame
  3. Type in a name (for example Weekly WSUS Cleanup)
  4. Click to run it weekly
  5. Click to run it every Sunday, and set your time (for example 9:00am)
  6. Click to ‘Start a program’
  7. Browse and locate your script (again, as a reminder, if you downloaded my script, be sure to rename the suffix from .txt to .cmd)
  8. Click to select (enable) the ‘Open the Properties dialog box …’ option, then click Finish.
  9. Click to select (enable) the ‘Run whether user is logged on or not’ option, then click OK
  10. You will be prompted to enter the appropriate user account information for running this task.
  11. I would suggest running the task immediately after creating it and monitor to make sure it runs successfully.
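
The Task Scheduler steps above as an added PowerShell example (not the author's script), run from an elevated prompt and calling schtasks.exe so that it also works on the older servers discussed here. The run-as account is a constructed placeholder, and the ACL check before registration is an addition of this example: a task that runs with stored credentials will execute whatever the script file contains.

```powershell
# Added example: register the weekly WSUS cleanup task from the command line.
$script   = 'C:\Scripts\WSUSCleanup.cmd'     # path used in the post
$taskName = 'Weekly WSUS Cleanup'            # task name suggested in the post
$runAs    = 'CONTOSO\svc-wsuscleanup'        # constructed placeholder account

if (-not (Test-Path $script)) { throw "Script not found: $script" }

# Anyone who can modify the script can run commands as the task's account.
# Flag Allow entries that grant write-type rights to identities other than
# Administrators and SYSTEM.
$trusted = 'BUILTIN\Administrators', 'NT AUTHORITY\SYSTEM'
$mask = [int][System.Security.AccessControl.FileSystemRights]'Write, ChangePermissions, TakeOwnership'
$risky = (Get-Acl $script).Access | Where-Object {
    $_.AccessControlType -eq 'Allow' -and
    ($trusted -notcontains $_.IdentityReference.Value) -and
    (([int]$_.FileSystemRights) -band $mask)
}
if ($risky) {
    $risky | Format-Table IdentityReference, FileSystemRights -AutoSize
    throw "Tighten the ACL on $script before scheduling it."
}

# Weekly on Sunday at 09:00. Supplying /RU with a password is the command-line
# form of 'Run whether user is logged on or not'; /RP * makes schtasks prompt
# for the password instead of placing it on the command line.
schtasks.exe /Create /TN $taskName /TR $script /SC WEEKLY /D SUN /ST 09:00 /RU $runAs /RP '*' /F
if ($LASTEXITCODE -ne 0) { throw "schtasks /Create failed with exit code $LASTEXITCODE" }

# Run the task once right away and review its last result, as step 11 suggests.
schtasks.exe /Run /TN $taskName
schtasks.exe /Query /TN $taskName /V /FO LIST
```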

WSUS now available for Windows Server 2012 Essentials!

Finally! One of the major features, in the eyes of many I.T. professionals and consultants, missing from the Windows Server 2012 Essentials product was the ability to fully manage, approve/reject, and deploy Microsoft updates to the attached workstations in the network.

This feature, Windows Server Update Services (WSUS), was a built-in server role in all of the Small Business Server (SBS) product line, as well as Windows Server 2012 Standard and Datacenter, with enhanced features.

Microsoft has now released the enhanced version of WSUS for Windows Server 2012 Essentials! It is packaged as a Microsoft hotfix.

Here are the links you need:

  1. Coffee Coaching – HP & Microsoft blog announcement
  2. WSUS features and requirements (KB 2762663)
  3. WSUS 2012 Evaluation Guide
  4. Download the Microsoft WSUS hotfix here
    Instructions:
      • Accept terms and conditions
      • Click to select the desired hotfix
      • Enter your email address and security code
      • A link to the hotfix will be mailed to you
      • Click on the provided link in the email, and you will be asked to run or save the download.