Windows Server Update Services (WSUS) Support Tools

Yes, I am talking about Support Tools for Windows Server Update Services (WSUS). As of now, there are;


Server Diagnostic Tool for troubleshooting Update Services Server. For help on running this tool see readme file.


Client Diagnostic Tool for troubleshooting Client Machines. For help on running this tool see readme file.


Keep an eye on Windows Server Update Services Downloads Page for all the tools related to WSUS.

WSUS Export Import: Windows Server Update Services (WSUS) FAQ Continued – II

While Exporting WSUS to a disconnected network server, the following error is logged in the the import log file;

“<ImportError Message=”The metadata format is incorrect” /></ImportLog>”

The import was not succesfull and eventually, export fails.


Trivia:


WSUS Admin wants to modify the metadata so that the downsteram WSUS Admin should not be able to see the Un-Approved Updates and so he plays with Package.xml file.


Looks like he is modifying the meta data. This is logged from Package.XML”
<!– 
edited with XMLSPY v5 rel. 3 U (http://www.xmlspy.com) by Christophe Michel (Thales Security Systems) 
  –>


And, obivously the import – export fails.


That was right. The user (WSUS Admin) says, “it will work if i don’t touch both files. The reason why i modified the two files is that i want to import only appoved metadata in order to downstreamed administrator can’t check metadata not approved bu the first online WSUS server.”


Moraly of the story: Do not play with the XML file to modify the meta data. That is not supported.


Previous FAQ’s;


http://msmvps.com/athif/archive/2005/08/17/63110.aspx


http://msmvps.com/athif/archive/2005/08/30/64594.aspx

Windows Server Update Services (WSUS) FAQ Continued – I

Continued from http://msmvps.com/athif/archive/2005/08/17/63110.aspx


Q. Does Windows Server Update Services (WSUS) support patches for Exchange 2000?


 


A. YES, WSUS Supports patches for Windows 2000+, Exchange 2000+, SQL Server 2000+, and Office XP+ with expanding support. More information on http://www.microsoft.com/windowsserversystem/updateservices/evaluation/compare.mspx


 


Quoting from WSUS Overview document, “Initially, Microsoft Update, to which at least one WSUS server must connect to get available updates and update information,  will make available updates for Microsoft Windows, Office, SQL Server, and Exchange. Additional Microsoft product updates will become available on Microsoft Update in the future.”


 


More information on WSUS Guides.


 


Q. If you have a group setup in WSUS as detect-only and you change the options to install, do the updates that are set as detect-only ever get installed after the change or do those updates need to be changed manually?


 


A. YES, they do get installed after the change. But, this is only after Automatic Update Client (AU) completes the next detection cycle which can be configured for AU Client at the following location in the registry, HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\WindowsUpdate\AU, DetectionFrequency (Reg_DWORD) = Time between detection cycles. DetectionFrequency (use default value of 22 hours).


 


For Quick AU Client Detection & Installation with Windows Server Updates Services, WSUS, see http://msmvps.com/athif/archive/2005/06/29/56200.aspx


 

Windows Server Update Services (WSUS) Server & Internet Security and Acceleration Server (ISA)

 One of the important issue with Windows Server Updates Service (WSUS) Administration is troubleshooting WSUS Server for downloads. You may encounter situations where WSUS Synchronization fails. 


 


We will take a look at the proxy settings.


 



Most of the times, the culprit is the proxy server where in you have authentication defined on outgoing web proxy requests. This means Anonymous access for proxy is disabled. If you are using ISA Server as your proxy server, then you must create an anonymous access rule for the following windows update websites.


 


http://download.windowsupdate.com

https://*.windowsupdate.microsoft.com

http://*.windowsupdate.microsoft.com

http://*.update.microsoft.com


  


The procedure is explained on http://support.microsoft.com/default.aspx?scid=kb;en-us;885819.


 


And now, you have to configure WSUS to Use user credentials to connect to the proxy server. With this option enabled, you have to enter the username, password & domain of the user account which is having internet access via proxy server. You can also Allow basic authentication but then, remember, password is sent in clear text which is a security threat…We are using WSUS to patch the security threats!!


 


Procedure:


 


i). On your WSUS server, click Start, point to All Programs, point to Administrative Tools, and then click Microsoft Windows Server Update Services.


 


ii). On the WSUS console toolbar, click Options, and then click Synchronization Options.


 


iii). In the Proxy server box, click Use a proxy server when synchronizing, and then enter the server name, and port number of the proxy server in the corresponding boxes.


 


iv). If you want to connect to the proxy server under specific user credentials, click Use user credentials to connect to the proxy server, and then enter the user name, domain, and password of the user in the corresponding boxes.


 


v). Under Tasks, click save settings, and then click OK when the confirmation box appears.


 


vi). Synchronize now.

Error while trying to synchronize Windows Server Update Services (WSUS) Server with Microsoft Update (MU)

Unable to generate a temporary class: You see the following error while trying to synchronize WSUS Server with MU & synchronization fails at 99%.


 


Complete error message is as follows :>>>>>>>>>


 


System.InvalidOperationException: Unable to generate a temporary class (result=1).error CS2001: Source file ‘C:\WINDOWS\TEMP\m9yekbox.0.cs’ could not be founderror CS2008: No inputs specified


 


   at Microsoft.UpdateServices.Internal.ClassFactory.CallStaticMethod(Type type, String methodName, Object[] args)


   at Microsoft.UpdateServices.Internal.BaseApi.Subscription.GetSynchronizationHistory(DateTime fromDate, DateTime toDate)


   at Microsoft.UpdateServices.Internal.BaseApi.Subscription.GetLastSynchronizationInfo()


   at Administration.Manage.Subscriptions.SubscriptionProxy.GetSynchronizationStatus()


   at Administration.Reporting.CurrentStatus.CurrentStatusProxy.GetHomeStatusClientFunction(String xPostXml)


   at Administration.Reporting.ReportingXPost.Page_Load(Object sender, EventArgs e)


 


   at Microsoft.UpdateServices.Internal.ClassFactory.CallStaticMethod(Type type, String methodName, Object[] args)


at Microsoft.UpdateServices.Internal.BaseApi.Subscription.GetSynchronizationHistory(DateTime fromDate, DateTime toDate)


at Microsoft.UpdateServices.Internal.BaseApi.Subscription.GetLastSynchronizationInfo()


at Administration.Manage.Subscriptions.SubscriptionProxy.GetSynchronizationStatus()


   at Administration.Reporting.CurrentStatus.CurrentStatusProxy.GetHomeStatusClientFunction(String xPostXml)


   at Administration.Reporting.ReportingXPost.Page_Load(Object sender, EventArgs e)


 


This is due to lack of permission for NTAUTHORITY\NETWORK SERVICE account on the TEMP folder. To resolve this issue, assign NETWORK SERVICE the following permissions on C:\Windows\Temp;


 


List Folder / Read Data


Delete

Deployment of the Microsoft Windows Malicious Software Removal Tool in an enterprise environment

As we are aware, Microsoft Windows Malicious Software Removal Tool is not available with SUS though it is available with WSUS or SMS.


 


There is an excellent KB article which deals in different ways to install this Removal Tool in an enterprise environment using scripts applied via Group Policies. Take a look on http://support.microsoft.com/?kbid=891716&SD=tech

Sample scripts for managing the client-side version of Windows Update