SIMPLE Lessons Learned in Patch Management

It’s been a long time. Actually, I have moved on to a different role and WSUS is not my bread & butter :-). I am focusing on Project Management; you can follow me on twitter – http://twitter.com/Athif.


I wanted to share a few lessons learned in patch management. Here we go…


SIMPLE LESSONS LEARNED in Patch Management:


1. Test, Test and Test: It is important to test updates in your own environment before the roll-out.


2. Back up before you patch up: I canNOT stress this enough. Always, folks, always perform a backup before you install any updates, patches or hotfixes.


3. Restart before and after: As a best practice, restart the server before applying any patch or security update. You never know; there might be pending operations.


One last time – Happy Patching :-)


What lessons have you learned? Share your lessons learned by adding a comment on this post.


MORE INFORMATION:


Unable to open .chm HTML Help files

I just downloaded the TechNet Magazine January 2007 HTML Help file, and when I opened it I noticed that the topics in the .chm file could not be viewed. I realized that the file was being blocked, and all I had to do was unblock it (see the procedure below). Now I can see the contents happily :-)


1. Right-click the CHM file, and then click Properties.
2. Click Unblock.
3. Double-click the .chm file to open the file.

More information is available in the KB article – http://support.microsoft.com/kb/902225/EN-US/


 

Rights Management Services Client with Service Pack 2 (KB917275) via WSUS

On Tuesday, November 28, 2006, Rights Management Services Client with Service Pack 2 (KB917275) was downloaded by the WSUS server, classified under Service Packs.


According to Brian Lich [MSFT], “The RMS client should be not offered via WSUS because it is not considered a critical update.  We are investigating this.”


The RMS client is offered on Windows Update and Microsoft Update to Windows 2000 and Windows XP computers as an Optional/Recommended update. It is also available on the Microsoft Download Center.


I have approved this update for INSTALL and so far I haven’t seen any issue. Happy patching!


 

Extract computer hardware information from WSUS

A question was asked in the WSUS Mailing List (hosted by Shavlik Technologies on www.patchmanagement.org) –


 


I am using WSUS 2.0 and I was wondering if there was a way to extract the computer hardware information it collects?


 


Oh yes, this is possible.


 


You can extract the computer hardware data from the table 'dbo.tbComputerTarget' in the SUS database (SUSDB). You can query for the following information:

TargetID, ComputerID, SID, LastSyncTime, LastReportedStatusTime, LastReportedRebootTime, IPAddress, FullDomainName, OSMajorVersion, OSMinorVersion, OSBuildNumber, OSServicePackMajorNumber, OSServicePackMinorNumber, OSLocale, ComputerMake, ComputerModel, BiosVersion, BiosName, BiosReleaseDate, ProcessorArchitecture, ClientGuid, RequestedTargetGroupName, IsRegistered



 


For instance, you can query it directly using SQL Query Analyzer or OSQL:

USE SUSDB

SELECT     FullDomainName, IPAddress, ComputerMake, ComputerModel, BiosName, BiosVersion, OSMajorVersion, OSServicePackMajorNumber
FROM         tbComputerTarget


 


Hope that helps! Happy patching.
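The same table also answers a patch-compliance question: which clients have stopped reporting to WSUS. The function below is an added example, not code from the original post or from the WSUS product; it goes beyond the hardware columns by filtering on LastReportedStatusTime. The function name, the 30-day threshold and the server placeholder are assumptions, and it assumes the WSUS 2.0 column list above with timestamps stored in UTC.

```powershell
# Added example: list WSUS clients that have stopped reporting status.
# Assumes the WSUS 2.0 SUSDB layout described above and that the timestamp
# columns are stored in UTC. Get-WsusStaleClient is a hypothetical name.
function Get-WsusStaleClient {
    [CmdletBinding()]
    param(
        [string]$SqlInstance = 'YOUR-DB-SERVER',  # placeholder server name
        [ValidateRange(1, 3650)]
        [int]$MaxAgeDays = 30                     # assumed threshold
    )

    # Only columns named in the list above are referenced.
    $query = @'
SELECT FullDomainName, IPAddress, ComputerMake, ComputerModel,
       OSMajorVersion, OSMinorVersion, OSServicePackMajorNumber,
       LastSyncTime, LastReportedStatusTime
FROM   dbo.tbComputerTarget
WHERE  LastReportedStatusTime IS NULL
   OR  LastReportedStatusTime < DATEADD(day, -@MaxAgeDays, GETUTCDATE())
ORDER  BY LastReportedStatusTime
'@

    $connString = "Server=$SqlInstance;Database=SUSDB;Integrated Security=SSPI;Connect Timeout=15"
    $conn  = New-Object System.Data.SqlClient.SqlConnection $connString
    $table = New-Object System.Data.DataTable
    try {
        $conn.Open()
        $cmd = $conn.CreateCommand()
        $cmd.CommandText = $query
        # Bind the threshold as a typed parameter instead of splicing it into the SQL text.
        $param = $cmd.Parameters.Add('@MaxAgeDays', [System.Data.SqlDbType]::Int)
        $param.Value = $MaxAgeDays
        $reader = $cmd.ExecuteReader()
        $table.Load($reader)
    }
    finally {
        $conn.Dispose()
    }

    # One object per client; a NULL timestamp means the client never reported.
    foreach ($row in $table.Rows) {
        [pscustomobject]@{
            Computer     = $row.FullDomainName
            IPAddress    = $row.IPAddress
            Model        = ('{0} {1}' -f $row.ComputerMake, $row.ComputerModel).Trim()
            OS           = '{0}.{1} SP{2}' -f $row.OSMajorVersion, $row.OSMinorVersion, $row.OSServicePackMajorNumber
            LastSync     = $row.LastSyncTime
            LastReported = $row.LastReportedStatusTime
        }
    }
}
```

Run it under an account that has read access to SUSDB, for example `Get-WsusStaleClient -SqlInstance YOUR-DB-SERVER -MaxAgeDays 14 | Format-Table -AutoSize`.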


 

WSUS 3.0 Beta 2

The WSUS Product Team has announced the release of the WSUS 3.0 Beta 2 public beta. This is the first public beta for WSUS 3.0; it was preceded by a private TAP beta.


Quick Info:


Program Start Date: 8/14/2006
Program End Date: 2/28/2007
Nomination Start Date: 8/8/2006
Nomination End Date: 2/28/2007


You can register and download WSUS 3.0 Beta 2 from http://connect.microsoft.com/availableconnections.aspx or from http://www.microsoft.com/windowsserversystem/updateservices/default.mspx.


Once registered, you can download WSUSSetup-x86.exe, 56.23 MB using Microsoft File Transfer Manager automatically.


Title: WSUS 3 Beta 2 Setup-x86
Release Date: 8/11/2006
Size: 56.23 MB
Version: 5451.90
Category: Build
Milestone: Beta 2
Description: WSUS 3.0 beta 2 Setup x86


Get Started:


WSUS 3.0 Beta 2 Prerequisites

  1. Microsoft Internet Information Services (IIS) 6.0
  2. Update for Background Intelligent Transfer Service (BITS) 2.0 and WinHTTP 5.1 Windows Server 2003. To download this software, go to the Download Center (http://go.microsoft.com/fwlink/?LinkID=47251).
  3. Microsoft .NET Framework Version 2.0 Redistributable Package 
    1. (x86) – To download this software, go to the Download Center http://go.microsoft.com/fwlink/?LinkID=68935 
    2. (For x64) – also go to the Download Center http://go.microsoft.com/fwlink/?LinkID=70637
  4. Microsoft Report Viewer Redistributable 2005. To obtain this software, go to the Download Center (http://go.microsoft.com/fwlink/?LinkID=70410).
  5. Microsoft Management Console 3.0 for Windows Server 2003 (KB907265).
    1. (x86) – To download this software, go to the Download Center http://go.microsoft.com/fwlink/?LinkID=70412
    2. (For x64) – also go to the Download Center http://go.microsoft.com/fwlink/?LinkID=70638

* Note: WSUS 3.0 beta 2 does not support Vista beta clients at this time.


From Connect Windows Server Update Services 3.0 Beta 2:


WSUS 3.0 Beta 2 Vista RC client support!  After beta 2 releases, we will be adding a new download that will make sure your WSUS 3.0 beta 2 server can service the new RC version of Vista clients when it ships.  This downloadable beta update will be available from the WSUS beta Connect site in the downloads section in the 4th quarter of calendar year 06 – when Vista RC releases! Check back for news on this update to test WSUS 3.0 beta 2 with your Vista RC beta clients.


Happy patching!



Disable the SSL warning in the To Do List

Many times folks in the WSUS newsgroup want to know:


Is there a way to disable the SSL warning in the To-Do list in WSUSAdmin Console?


To Do List

 


WSUS has detected that you are not using Secure Sockets Layer (SSL). Microsoft recommends using SSL to secure administration and client to server communications for better security. For more information, see Using Secure Sockets Layer (SSL).
 
I used to answer that as – “That is not documented anywhere!!. We will have to live with that”. But, thanks to Josh (poster in NG) for this cheeky workaround.
 
WORKAROUND

Make a backup of “C:\program files\Update Services\administration\home\welcome.aspx” file.

Then open the file in Notepad and find the last section at the bottom that starts like this:

<td id="tskNotUsingSSL" class="Tasks" style="display: none;">

Do not delete that line itself. Delete everything between the <div> and </div> right below it, which means deleting the following text:


 <div>
          <a href="" onclick="ShowHelp('utilizing_SSL.htm');return false;"
class="B"><img src="<%= Constants.VirtualRoot %>/Common/Images/Warning.gif"
align="absmiddle" /><%= Resources.GetString("L_HomeNotUsingSSLTitle_Text")
%></a></br>
              <%=
String.Format(Resources.GetString("L_HomeNotUsingSSLDescription_Text"),
              "<a href=\"\" onclick=\"ShowHelp('utilizing_SSL.htm ');return
false;\" class=\"Normal\">" +
Resources.GetString("L_HomeNotUsingSSLHelpLink_Text") + "</a>") %>
          <br />
      </div>



Save the file and voilà! The edit only removes the reminder from the To Do List; it does not turn on SSL for the WSUS site. Happy Patching :-).

Un-hide hidden updates

If the logged-in user is a member of the local Administrators group, they can use the custom install option to deselect updates, which are then hidden. Hidden updates will not be offered by the WUA at the next detection or scheduled installation.


Scripting Guru Torgeir Bakken has posted an excellent .vbs script to unhide those hidden updates.


According to Torgeir Bakken (MVP):

If you are afraid that some users will hide some updates using the custom install option, here is a counter-measure you can use if the computers are in an Active Directory domain.

Use a script that unhides all hidden updates every time the computer starts up.


You could put the vbscript below in a computer startup script (with a GPO) that runs as part of the boot up process (before the user logs in).  It runs under the system context and has admin rights.


'--------------------8<----------------------

On Error Resume Next
Dim oSearcher, oSearchResult, i, oUpdate

Set oSearcher = CreateObject("Microsoft.Update.Searcher")

' use locally cached information
oSearcher.Online = False

' find updates that are hidden
Set oSearchResult = oSearcher.Search("IsHidden=1")

If Err.Number = 0 Then
   If oSearchResult.Updates.Count > 0 Then
     For i = 0 to oSearchResult.Updates.Count - 1
       Set oUpdate = oSearchResult.Updates(i)
       ' unhide the update
       oUpdate.IsHidden = False
     Next
   End If
End If

'--------------------8<----------------------


Tip:


If you configure a deadline while approving an update, local Administrators are no longer able to deselect or hide that update.
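The startup script above unhides silently, so nobody learns which patches users had suppressed. The function below is an added example, not Torgeir Bakken's script and not part of WSUS: it uses the same Windows Update Agent search ("IsHidden=1", offline) but returns one record per hidden update, and unhides only when asked. The function name and the record layout are assumptions.

```powershell
# Added example: report hidden updates before (optionally) unhiding them.
# Get-HiddenUpdate is a hypothetical name. Run it elevated or as SYSTEM,
# as with the startup script above, because unhiding needs admin rights.
function Get-HiddenUpdate {
    [CmdletBinding()]
    param(
        # Unhide each update after recording it (same effect as the VBScript above).
        [switch]$Unhide
    )

    $session  = New-Object -ComObject Microsoft.Update.Session
    $searcher = $session.CreateUpdateSearcher()
    $searcher.Online = $false   # use locally cached information, as the VBScript does

    try {
        $result = $searcher.Search('IsHidden=1')
    }
    catch {
        # An empty or damaged local cache makes the offline search fail.
        Write-Warning "Windows Update Agent search failed: $($_.Exception.Message)"
        return
    }

    foreach ($update in $result.Updates) {
        $record = [pscustomobject]@{
            Computer = $env:COMPUTERNAME
            Title    = $update.Title
            KB       = @($update.KBArticleIDs) -join ','
            Bulletin = @($update.SecurityBulletinIDs) -join ','
            Severity = $update.MsrcSeverity
            Unhidden = $false
        }
        if ($Unhide) {
            try {
                $update.IsHidden = $false
                $record.Unhidden = $true
            }
            catch {
                Write-Warning "Could not unhide '$($update.Title)': $($_.Exception.Message)"
            }
        }
        $record
    }
}

# Example use from a startup script: keep a record, then unhide.
# Get-HiddenUpdate -Unhide | Export-Csv "$env:SystemRoot\Temp\hidden-updates.csv" -NoTypeInformation
```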

Windows Server Update Services add-ons — by Steven Manross

Steven Manross has created Windows Server Update Services add-ons in the form of an SQL stored procedure and .vbs / Perl scripts to determine if computers currently show as needing updates.


The SQL stored procedure (spSRMCountComputersNeedingUpdates.sql) is used in conjunction with the WSUSReport.vbs or (WSUSReport.pl) scripts to automatically notify an admin via email that there are computers needing Windows Security-related updates.


In step 1, we add the SQL stored procedure on the WSUS database server; in step 2, we run the .vbs script to automatically notify the WSUS administrator via email that there are computers needing updates.


SAMPLE OUTPUT AS SEEN IN EMAIL:


Subject: WSUS: There are computers needing updates


Type: Software KB Article: 816093 Bulletin: MS03-011
Title: 816093: Security Update Microsoft Virtual Machine (Microsoft VM)
Description: This update helps resolve a vulnerability in the Microsoft virtual machine. After you install this item, you may have to restart your computer. Once you have installed this item, it cannot be removed.
More Information: http://go.microsoft.com/fwlink/?LinkId=14964
Server Name(s): computer1.domain.com,computer2.domain.com,computer3.domain.com


PRE-REQUISITES:


The .vbs code below requires the Outlook CDO components, or some other application that installs the CDO.Message object, to be installed on the computer running WSUSReport.vbs.


STEP 1:


Let’s start by adding the following code as a stored procedure (spSRMCountComputersNeedingUpdates.sql);

  • In SQL Enterprise Manager under “instancename\Databases\SUSDB\Stored Procedures”.
  • Right click on the Stored Procedure – click on New Stored Procedure.
  • Paste the code below – click on Check Syntax and make sure it is successful.

spSRMCountComputersNeedingUpdates.sql:-




CREATE PROCEDURE [dbo].[spSRMCountComputersNeedingUpdates]  AS


declare @computersNeedingUpdates int
declare @updatesNeededByComputers int
  SELECT @computersNeedingUpdates = COUNT(DISTINCT(C.TargetID)),
         @updatesNeededByComputers = COUNT(DISTINCT(U.LocalUpdateID))
      FROM tbUpdate AS U
    INNER JOIN dbo.tbUpdateStatusPerComputer AS S WITH (INDEX (nc3UpdateStatusPerComputer)) ON U.UpdateID=S.UpdateID
    INNER JOIN dbo.tbComputerTarget AS C ON C.TargetID = S.TargetID
    WHERE S.SummarizationState IN (2,3,6)  
        AND EXISTS (SELECT * FROM dbo.tbDeployment AS D
                             INNER JOIN dbo.tbRevision AS Re ON Re.RevisionID=D.RevisionID
                             INNER JOIN dbo.tbTargetGroup AS tg ON tg.TargetGroupID = D.TargetGroupID
                             WHERE Re.LocalUpdateID=U.LocalUpdateID AND
                                   D.ActionID IN (0,2) AND
                                   tg.Name <> 'All Computers'
                   )



select @computersNeedingUpdates as computersNeedingUpdates,@updatesNeededByComputers as updatesNeededByComputers


IF @computersNeedingUpdates > 0
  BEGIN


    SELECT U.LocalUpdateID,
      C.FullDomainName as FullDomainName
      FROM tbUpdate AS U
      INNER JOIN dbo.tbPreComputedLocalizedProperty AS PCLP  ON PCLP.UpdateID=U.UpdateID
      INNER JOIN dbo.tbLanguage as L on L.ShortLanguage = PCLP.ShortLanguage
      INNER JOIN dbo.tbLanguageInSubscription as LIS on LIS.LanguageID = L.LanguageID
      INNER JOIN dbo.tbUpdateType AS UT  ON UT.UpdateTypeID=U.UpdateTypeID
      INNER JOIN dbo.tbUpdateStatusPerComputer AS S ON U.UpdateID=S.UpdateID
      INNER JOIN dbo.tbComputerTarget AS C ON C.TargetID = S.TargetID
      INNER JOIN dbo.tbTargetInTargetGroup AS TITG ON TITG.TargetID = C.TargetID
      INNER JOIN dbo.tbTargetGroup AS TG ON TG.TargetGroupID = TITG.TargetGroupID
      INNER JOIN dbo.tbRevision AS Re ON Re.LocalUpdateID = U.LocalUpdateID
      LEFT JOIN dbo.tbKBArticleForRevision AS KB ON KB.RevisionID = RE.RevisionID
      LEFT JOIN dbo.tbSecurityBulletinForRevision AS SB ON SB.RevisionID = RE.RevisionID
      INNER JOIN dbo.tbMoreInfoURLForRevision AS MI ON MI.RevisionID = RE.RevisionID and MI.ShortLanguage = L.ShortLanguage
      WHERE S.SummarizationState IN (2,3,6)  AND
            EXISTS (SELECT * FROM dbo.tbDeployment AS D
                             INNER JOIN dbo.tbRevision AS Re ON Re.RevisionID=D.RevisionID
                             INNER JOIN dbo.tbTargetGroup AS tg ON tg.TargetGroupID = D.TargetGroupID
                             WHERE Re.LocalUpdateID=U.LocalUpdateID AND
                                   D.ActionID IN (0,2) AND
                                   tg.Name <> 'All Computers'
                    )


    SELECT U.LocalUpdateID,
      UT.Name as UpdateTypeName,
      KB.KBArticleID,
      case when SB.SecurityBulletinID IS NULL Then 'None' Else convert(varchar(15),SB.SecurityBulletinID) End as SecurityBulletinID,
      MI.MoreInfoURL as MoreInfoURL,
      PCLP.Title as UpdateTitle,
      PCLP.Description as UpdateDescription
      FROM tbUpdate AS U
      INNER JOIN dbo.tbPreComputedLocalizedProperty AS PCLP  ON PCLP.UpdateID=U.UpdateID
      INNER JOIN dbo.tbLanguage as L on L.ShortLanguage = PCLP.ShortLanguage
      INNER JOIN dbo.tbLanguageInSubscription as LIS on LIS.LanguageID = L.LanguageID
      INNER JOIN dbo.tbUpdateType AS UT  ON UT.UpdateTypeID=U.UpdateTypeID
      INNER JOIN dbo.tbUpdateStatusPerComputer AS S ON U.UpdateID=S.UpdateID
      INNER JOIN dbo.tbComputerTarget AS C ON C.TargetID = S.TargetID
      INNER JOIN dbo.tbTargetInTargetGroup AS TITG ON TITG.TargetID = C.TargetID
      INNER JOIN dbo.tbTargetGroup AS TG ON TG.TargetGroupID = TITG.TargetGroupID
      INNER JOIN dbo.tbRevision AS Re ON Re.LocalUpdateID = U.LocalUpdateID
      LEFT JOIN dbo.tbKBArticleForRevision AS KB ON KB.RevisionID = RE.RevisionID
      LEFT JOIN dbo.tbSecurityBulletinForRevision AS SB ON SB.RevisionID = RE.RevisionID
      INNER JOIN dbo.tbMoreInfoURLForRevision AS MI ON MI.RevisionID = RE.RevisionID and MI.ShortLanguage = L.ShortLanguage
      WHERE S.SummarizationState IN (2,3,6)  AND
            EXISTS (SELECT * FROM dbo.tbDeployment AS D
                             INNER JOIN dbo.tbRevision AS Re ON Re.RevisionID=D.RevisionID
                             INNER JOIN dbo.tbTargetGroup AS tg ON tg.TargetGroupID = D.TargetGroupID
                             WHERE Re.LocalUpdateID=U.LocalUpdateID AND
                                   D.ActionID IN (0,2) AND
                                   tg.Name <> 'All Computers'
                    )
    GROUP BY U.LocalUpdateID,UT.Name,KB.KBArticleID,SB.SecurityBulletinID,MI.MoreInfoURL,PCLP.Title,PCLP.Description



  END
--ENDIF
RETURN 1
GO




STEP 2:


Now save the following .vbs code as WSUSReport.vbs; it reports the computers needing updates using the stored procedure above. The code requires the Outlook CDO components, or some other application that installs the CDO.Message object, to be installed on the computer running WSUSReport.vbs.


WSUSReport.vbs:-




' As posted, the next line is commented out, so any runtime error aborts the script.
' Uncomment it if you want the Err.Number checks below to report failures instead.
'On Error Resume Next
Const adCmdStoredProc = 4
Const adUseClient = 3

'Requires the Outlook CDO components to be installed or some other application that installs the CDO.Message object.

' Mail settings: replace with your own sender, recipient and SMTP server
smtp_mail_from = "Some Friendly Name <someaddress@somesite.org>"
smtp_mail_to = "Recipient Name <recipient@somesite.org>"
smtp_server = "somesmtpserver.somesite.org"
smtp_port = "25"

' Database settings: replace YOUR-DB-SERVER with the server hosting SUSDB
db = "SUSDB"
appname = "SUSDB Mailer"
db_server = "YOUR-DB-SERVER"

Set Conn = CreateObject("ADODB.Connection")
if Err.Number <> 0 Then
  WScript.Echo "Failed creating ADODB.Connection object -> " & Err.Description
  WScript.Quit(0)
End If

Conn.ConnectionTimeout = 15
Conn.CursorLocation = adUseClient
' Open is a method, so the connection string is passed as an argument (Windows authentication)
Conn.Open "DRIVER={SQL Server};SERVER=" & db_server & ";APP=" & appname & ";DATABASE=" & db & ";Trusted_Connection=yes;"

if Err.Number <> 0 Then
  WScript.Echo "Failed opening ADODB.Connection object with DB info-> " & Err.Description
  WScript.Quit(0)
End If

Set Cmd = CreateObject("ADODB.Command")

if Err.Number <> 0 Then
  WScript.Echo "Failed creating ADODB.Command object -> " & Err.Description
  WScript.Quit(0)
End If
Cmd.CommandText = "spSRMCountComputersNeedingUpdates"
Cmd.CommandType = adCmdStoredProc
Cmd.ActiveConnection = Conn

Cmd.Prepared = 1
Cmd.CommandTimeout = 15

' The stored procedure returns three recordsets: counts, update/computer pairs, update details
Set RS = Cmd.Execute

if Err.Number <> 0 Then
  WScript.Echo "Failed opening ADODB.Recordset object for Command -> " & Err.Description
  WScript.Quit(0)
End If

rs_count = RS.RecordCount

Dim string

string = "<HTML><BODY>" & vbCrlf

if RS.Fields(0) > 0 Then
  WScript.Echo "Count = " & RS.Fields(0).Value
  Set RSUpdates = RS.NextRecordSet
  Set RSData = RS.NextRecordSet
Else
  WScript.Echo "No updates.  Quitting successfully"
  WScript.Quit(1)
End If

'Loop through all the computers that need updates

  Dim Updates
  Dim Computers

  Dim vContainer
  ' Create the dictionary instances.
  Set Updates = CreateObject ("Scripting.Dictionary")
  Updates.CompareMode = vbBinaryCompare

x = 0
' Build a comma-separated list of computer names per update ID
while (RSUpdates.EOF <> True)
  if Not Updates.Exists(RSUpdates.Fields("LocalUpdateID").Value) Then
    Updates.Add RSUpdates.Fields("LocalUpdateID").Value, RSUpdates.Fields("FullDomainName").Value
  Else
    Updates.Item(RSUpdates.Fields("LocalUpdateID").Value) = Updates.Item(RSUpdates.Fields("LocalUpdateID").Value) & "," & RSUpdates.Fields("FullDomainName").Value
  End If

  RSUpdates.MoveNext
Wend

' Emit one HTML table per update
while (RSData.EOF <> True)
  strUpdateID = RSData.Fields("LocalUpdateID").Value
  strSrv = Updates.Item(strUpdateID)
  strUpdateType = RSData.Fields("UpdateTypeName").Value
  strKBID = RSData.Fields("KBArticleID").Value
  strBulletinID = RSData.Fields("SecurityBulletinID").Value
  strInfoURL = RSData.Fields("MoreInfoURL").Value
  strUpdateTitle = RSData.Fields("UpdateTitle").Value
  strUpdateDesc = RSData.Fields("UpdateDescription").Value
  string = string & "<TABLE border = 1>" & vbCrlf & _
           "<TR><TD><b>Type:</B> " & strUpdateType & "</TD><TD><B>KB Article:</B> " & strKBID & "</TD><TD><B>Bulletin:</B> " & strBulletinID & "</TD></TR>" & vbCrlf & _
           "<TR><TD colspan = 3><B>Title:</B> " & strUpdateTitle & "</TD></TR>" & vbCrlf & _
           "<TR><TD colspan = 3><B>Description:</B> " & strUpdateDesc & "</TD></TR>" & vbCrlf & _
           "<TR><TD colspan = 3><B>More Information:</B> <A href=" & strInfoURL & ">" & strInfoURL & "</A></TD></TR>" & vbCrlf & _
           "<TR><TD colspan = 3><B>Server Name(s):</B> " & strSrv & "</TD></TR></TABLE>" & vbCrlf
  RSData.MoveNext
Wend
string = string & "</BODY></HTML>"

Set cdoMessage = CreateObject("CDO.Message")
cdoMessage.Subject = "WSUS: There are computers needing updates"
cdoMessage.From = smtp_mail_from
cdoMessage.To = smtp_mail_to
cdoMessage.HTMLBody = string

' sendusing = 2 sends through the SMTP server named above over the network
cdoMessage.Configuration.Fields.Item("http://schemas.microsoft.com/cdo/configuration/sendusing") = 2
cdoMessage.Configuration.Fields.Item("http://schemas.microsoft.com/cdo/configuration/smtpserver") = smtp_server
cdoMessage.Configuration.Fields.Item("http://schemas.microsoft.com/cdo/configuration/smtpserverport") = smtp_port
cdoMessage.Configuration.Fields.Update

cdoMessage.Send
If Err.Number = 0 Then
  WScript.Echo "Success"
  WScript.Quit(1)
Else
  WScript.Echo "Error sending CDO Message: " & Err.Description
  WScript.Quit(0)
End If


MORE INFORMATION


Kudos to Steven – http://www.manross.net/links.html

WSUS SP1 Readme Updated!!

The WSUS SP1 Readme was updated (on 21st June 2006) with known issues that can occur once you apply WSUS SP1.


Readme for WSUS Service Pack 1: This document describes known issues affecting Windows Server Update Services Service Pack 1 (WSUS SP1).


New Known Issues:


Issue 6: If you are using a proxy server, the SP1 upgrade may clear the proxy configuration username and password


Issue 7: How to recover from a failed upgrade to restore your WSUS server to a consistent state and then retry the upgrade.


Issue 8: WSUS SP1 upgrade can fail in some cases when the WMSDE database has been migrated


Issue 9: WSUS SP1 is not updating WSUS servers which are setup using remote SQL deployments


Issue 10: Changing the computer name prior to upgrading to WSUS SP1 can cause the upgrade to fail


Direct Link: http://download.microsoft.com/download/7/d/c/7dce8ed3-8d44-421f-902c-95391577ecb5/ReadMe.htm