WSUS SP1 Known Issues

Bobbie Harder (MSFT) has posted a list of Top known issues whilst upgrading WSUS to WSUS SP1 on microsoft.public.windows.server.update_services. These issues will be updated in a KB and in the online WSUS SP1 readme.


1.  If you are using a proxy server, in some cases the SP1 upgrade may clear the proxy configuration username and password.  This may cause synchronization of updates from Microsoft Servers to generate an “invalid parameter” error. To address this issue, reset the proxy configuration username and password and re-synchronize your server.


2. Remote SQL deployments: WSUS SP1 is not updating WSUS servers which are setup using remote SQL deployments.


Solution:


The WSUS with SP1 setup Package must be run on both the front end and back end servers.


·         Run the setup package on the front end with no switches and choose to upgrade


·         Run the setup package on the back end with no switches and choose to upgrade.


3. Changed Machine Name after RTM install prior to SP1 upgrade can cause the WSUS SP1 upgrade to fail.


Workaround:


Use the following script to remove and re-add the ASPNET and WSUS Administrators groups.  Then run the upgrade again.


osql.exe -S %computername%\WSUS -E -Q “USE SUSDB DECLARE @asplogin
varchar(200) SELECT @asplogin=name from sysusers WHERE name like ‘%ASPNET’
EXEC sp_revokedbaccess @asplogin”
osql.exe -S %computername%\WSUS -E -Q “USE SUSDB DECLARE @wsusadminslogin
varchar(200) SELECT @wsusadminslogin=name from sysusers WHERE name like
‘%WSUS Administrators’ EXEC sp_revokedbaccess @wsusadminslogin”


osql.exe -S %computername%\WSUS -E -Q “USE SUSDB DECLARE @asplogin
varchar(200) SELECT @asplogin=HOST_NAME()+’\ASPNET’ EXEC sp_grantlogin
@asplogin EXEC sp_grantdbaccess @asplogin EXEC sp_addrolemember
webService,@asplogin”
osql.exe -S %computername%\WSUS -E -Q “USE SUSDB DECLARE @wsusadminslogin
varchar(200) SELECT @wsusadminslogin=HOST_NAME()+’\WSUS Administrators’ EXEC
sp_grantlogin @wsusadminslogin EXEC sp_grantdbaccess @wsusadminslogin EXEC
sp_addrolemember webService,@wsusadminslogin”


osql.exe -S %computername%\WSUS -E -Q “backup database SUSDB to
disk=N'<ContentDirectory>\SUSDB.Dat’ with init”
Note you may have  to replace <ContentDirectory> in the last line with the
path to your actual content store.


4.            


a. WSUS SP1 upgrade can fail in some cases when the WMSDE database has been migrated to a  local SQL 2000 server.


Cause:  


A registry key value must be changed in order for WSUS SP1 setup package to recognize there is no wmsde database to update.


Workaround:


If users have migrated WMSDE to a SQL server (local or remote) they must change the value of the following registry key:


1.      HKLM\Software\Microsoft\Update Services\Server\Setup\WmsdeInstalled, from “1” to “0” before attempting to upgrade to WSUS SP1.


 


According to Bernd Teichert (blog reader), In some cases, you might have to change the InstallType too on local SQL 2000 Server installation;


2.      HKLM\Software\Microsoft\Update Services\Server\Setup\InstallType from “0x80” to “0x20”. 


b. WSUS SP1 upgrade can fail in some cases when the WMSDE database has been migrated to a remote SQL 2000 server.


Cause:  


Two registry key values must be changed in order for WSUS sp1 setup package to recognize there is no wmsde database to update and the update must be initiated on the backend, followed by the front end server.


Workaround:


If users have migrated WMSDE to a SQL server (local or remote) they must change the values of the following registry keys:


1.      HKLM\Software\Microsoft\Update Services\Server\Setup\WmsdeInstalled, from “1” to “0” before attempting to upgrade to WSUS SP1.


2.      HKLM\Software\Microsoft\Update Services\Server\Setup\InstallType from “0x80” to “0x20”. 


After updating these registry key values, initiate upgrade on backend and then on front end servers.


 


5. How to recover from a failed upgrade to restore your WSUS server to a consistent state and then retry the upgrade.


Description:


If the upgrade to WSUS SP1 fails it can leave your WSUS installation in an inconsistent and/or unusable state. In order to retry upgrading to WSUS SP1 you need to get your WSUS installation to a consistent state. To do this you can use the backup database created at the beginning of the upgrade process to restore your WSUS server to a pre-upgrade state.


Workaround:  


If the upgrade operation to WSUS SP1 is unsuccessful, you can use the original WSUS backup database that was created at the start of the upgrade process to restore WSUS to a consistent state. In the event of a failed upgrade follow these steps to retry upgrading to WSUS SP1:


To retry upgrading to WSUS SP1;


1.       Determine the location of the backup database by reviewing the contents of the WSUSSetup_%timestamp%.log file. This file is located in the following folder – %programfiles%\Update Services\LogFiles.


2.       Restore the backup database on the WSUS computer.


·         osql.exe -S <DatabaseInstance> -E -Q “USE master ALTER DATABASE
SUSDB SET SINGLE_USER WITH ROLLBACK IMMEDIATE RESTORE DATABASE SUSDB FROM
DISK=N'<PathToDatabaseBackup>’ WITH REPLACE ALTER DATABASE SUSDB SET
MULTI_USER”


·         Remember to replace <DatabaseInstance> and <PathToDatabaseBackup> with values from your installation.


·        For <DatabaseInstance> use the value from the following registry key:
HKLM\Software\Microsoft\Update Services\Server\Setup\SqlServerName


·        For <PathToDatabaseBackup> use the value you identified in step 1.


3.       Uninstall WSUS, but keep the WSUS database, log files and update files when you are prompted to remove them (i.e. Ensure that all options in “Remove Microsoft Windows Server Update Services” are unchecked).


4.       Reinstall WSUS RTM (the original version not WSUS with SP1). Use the existing database when you are prompted to do this. This will return your WSUS system to a consistent state.


5.       Install WSUS SP1.


* Note that you cannot use the backed up database from step 1 above directly in clean install of WSUS SP1 since the database schema has changed between WSUS RTM and WSUS SP1.


For any issues related to WSUS SP1 upgrade, you can post your queries directly on the following thread on microsoft.public.windows.server.update_services.

Error 0xC800021F

You see the following error in %Windir%\WindowsUpdate.log


SYMPTOMS


2006-06-15      17:02:23        2104    83c     Misc    ===========  Logging initialized (build:
5.8.0.2469, tz: -0400)  ===========
2006-06-15      17:02:23        2104    83c     Misc      = Process: C:\WINDOWS\system32\wuauclt.exe
2006-06-15      17:02:23        2104    83c     Misc      = Module: C:\WINDOWS\system32\wuaueng.dll
2006-06-15      17:02:23        2104    83c    
DtaStor FATAL: Failed to initialize datastore,
error = 0xC800021F
2006-06-15      17:02:23        2104    83c     Misc    ===========  Logging initialized (build:
5.8.0.2469, tz: -0400)  ===========


CAUSE


It looks like the client datastore failed to initialize.


WORKAROUND


  1. Open a CMD prompt on the client.
  2. Type “net stop wuauserv” (without quotes) <hit enter>.
  3. Type “cd %Windir%\SoftwareDistribution“.
  4. Type “RD /s /q Datastore” (this will remove the client datastore).
  5. Type “net start wuauserv” (without quotes) <hit enter> .
  6. Type “wuauclt /detectnow then check %Windir%\WindowsUpdate.log if it is successful.


OR, just stop the Automatic Updates Service and delete “%Windir%\SoftwareDistribution\DataStore” folder and start Automatic Updates Service and force the update detection (wuauclt /detectnow)

Ten Principles of Microsoft Patch Management

Ten Principles of Microsoft Patch Management


By Christopher Budd, Security Program Manager, Microsoft Corporation






1. Service packs should form the foundation of your patch management strategy.


2. Make Product Support Lifecycle a key element in your strategy.


3. Perform risk assessment using the Severity Rating System as a starting point.


4. Use mitigating factors to determine applicability and priority.


5. Only use workarounds in conjunction with deployment.


6. Issues with Security Updates are documented in the Security Bulletin Master Knowledge Base Article.


7. Test updates before deployment.


8. Contact Microsoft Product Support Services if you encounter problems in testing or deployment. An important thing to remember is that Microsoft provides no-charge support for issues related to security updates. You can get in touch with Microsoft for security bulletin support through the Security Support Site at http://support.microsoft.com/securityitpro


9. Use only methods and information recommended for detection and deployment.


10. The Security Bulletin is always authoritative.


 

How to identify if you have installed WSUS SP1

To identify if you have installed WSUS SP1;


You can check the version number for the wsusservice.exe file located in %ProgramFiles%\Update Services\service\bin\wsusservice.exe.


OR, check the WSUS Build number from WSUSAdmin home page (bottom of the page – Last line)


WSUS SP1 Build 2.0.0.2620
WSUS RTM Build 2.0.0.2472
WSUS RC Build 2.0.0.2340

After updating WSUS to WSUS SP1…

SYMPTOMS


After updating WSUS to WSUS SP1…



  • You might see Red X on WSUS Updates Window in WSUSAdmin console and eventually Synchronization fails.

  • Content file download failed. Reason: The parameter is incorrect. Source File:
    /msdownload/update/v3-19990518/cabpool/windowsmedia10-kb917734-x86-enu_499f­e88d62843835153a4225712e1b2f19120527.exe
    Destination File:
    d:\WSUS\WsusContent\27\499FE88D62843835153A4225712E1B2F19120527

  • Source: Windows Server Update
    Category: Synchronization
    Event ID: 386
    Description:-
    Synchronization failed. Reason: The underlying connection was closed: Unable to connect to the remote server.

KNOWN ISSUE


This is a known issue. Once you upgrade to WSUS SP1, you might want to re-configure Synchronization Options (proxy settings – proxy password) in WSUSAdmin console as they are lost during the upgrade.


Save the settings and perform a manual sync to download the updates. Did it work for you?

Upgrading WSUS to WSUS SP1 on remote SQL deployments

There is some confusion in updating WSUS to WSUS SP1 on remote SQL deployments to run with (Front end and Back end) switches. WSUS SP1 update must be initiated on the backend WSUS Server first followed by the front end WSUS Server.


According to Bobbie Harder (MSFT):


You do have to run the setup package (WSUS SP1) on both the back-end Server (first run on back-end server) and then on front-end server without passing any switches. The steps which have been tested and validated should be:


1) Run the setup package on the front-end with no switches and choose to upgrade.


2) Run the setup package on the back-end with no switches and choose to upgrade.


UPDATE 6/13/2006:


3) ALSO, If you have migrated your WSUS server database (WMSDE) to a SQL server (local or remote) you must change the value of the following TWO registry entries before attempting to upgrade to WSUS SP1.:



  1. HKLM\Software\Microsoft\Update Services\Server\Setup\WmsdeInstalled, from “1” to “0

  2. HKLM\Software\Microsoft\Update Services\Server\Setup\InstallType from “0x80” to “0x20

If you are struggling with installing WSUS SP1 then feel free to post your issues on microsoft.public.windows.server.update_services

Checking the Version of Windows Installer

Brian McCann wants to know a better way to Check the Version of Windows Installer.


According to Windows Installer Team blog, “If you want to check the version of the Windows Installer on your system, check the version of MSI.DLL in the Windows\System32 folder. If the version is 3.1.4000.2435, you have the latest version.


One common point of confusion is that even if you have the latest version of Windows Installer 3.1 on your system and you type in msiexec.exe /? from a command-window, you will still be told that you are on version 3.1.4000.1823 or 3.1.4000.1830. This is because msiexec.exe /? will only give you the version of msiexec on the system — not the other Windows Installer-related dll’s. (The version of msiexec was not updated to 3.1.4000.2435 with the (v2) redistributable, just msi.dll was updated.)”


Luckily, I found a neat .vbs browser hosted script by Michael Harris \(MVP Scripting\). Save the following code as .htm


<html>
<head>
<script language=”vbscript”>
sub document_onclick()
set installer = createobject(“windowsinstaller.installer”)
msgbox installer.version
end sub
</script>
</head>
<body>
Click me for Windows Installer version…
</body>
</html>


and you are done:-). Note that the “windowsinstaller.installer” object is not marked safe for scripting in IE browser hosted script… Double click the saved htm file and then you need to click the information bar to allow the blocked ActiveX control in IE


If the machine is configured for automatic updates using WSUS then it will update the installer automatically as mandatory WSUS update :-).

WSUS 2.0 SP1

WSUS SP1 is finally released. Besides delivering updates, Windows Server Update Services with Service Pack 1 (WSUS SP1) includes support for Microsoft SQL Server 2005 and the forthcoming Windows Vista operating system. It also provides additional stability and performance improvements. After you install WSUS SP1, you may be required to restart your computer. Note: You cannot remove WSUS SP1 after you install it.


Download Windows Server Update Services with Service Pack 1
http://www.microsoft.com/windowsserversystem/updateservices/downloads/WSUSSP1.mspx


Download WSUS SP1 only – Download the KB919004-x86.exe package now.
http://download.microsoft.com/download/f/6/d/f6d9eb30-2612-47f7-b14a-41a47e8a9a8e/wsus2-kb919004-x86.exe


Description of Windows Server Update Services Service Pack 1
http://support.microsoft.com/?kbid=919004


Updating Microsoft Windows Vista Beta 2 Computers via WSUS
http://technet2.microsoft.com/WindowsServer/f/?en/Library/70c3aea9-4dc2-49ad-a085-dc1b59f1af7d1033.mspx


Readme for WSUS Service Pack 1
http://download.microsoft.com/download/7/d/c/7dce8ed3-8d44-421f-902c-95391577ecb5/ReadMe.htm


Report your issues on microsoft.public.windows.server.update_services


Technorati Profile

Microsoft Security Bulletin MS06-019 – Be careful

So, before you apply Microsoft Security Bulletin MS06-019 on Exchange Servers – Be careful. Take a look at the known issues.


912918 (http://support.microsoft.com/kb/912918/) Users cannot send e-mail messages from a mobile device or from a shared mailbox in Exchange 2000 Server and in Exchange Server 2003.


First, Find accounts that have the Full Mailbox Access permission without the Send As permission using the script from http://support.microsoft.com/kb/912918/ and grant the Send As permission either manually using DSA.msc or using the script -SetAll switch.


And then, you are ready to apply MS06-019.