WSUS

Number of critical and security updates needed

Posted by robd on August 09, 2017
WSUS / 2 Comments

Below is a SQL script that will show how many updates are missing that are classified as critical or security for servers on WSUS:

 

 


WSUS – Update Services – Error: Connection Error

Posted by robd on July 03, 2017
WSUS / No Comments

WSUS console kept crashing with the reset console error:

So after doing all the normal IIS stuff, got Microsoft involved and here’s what they did to fix it:

  • We checked and ensured that none of the services crashed or stopped after console crashes,
  • We checked and ensured that WSUSPool was also running,
  • We checked and ensured that SQL service was also running on the remote server,
  • We increased the WSUSPool PrivateMemoryLimit to unlimited by setting it to ‘0’ on the IIS console
  • We also increased the Maximum queue length from 1000 to 3000,
  • We stopped WSUSPool and Restarted the IIS service,

We ran the below on SQL to check whether there were any obsolete updates to clean up, but found none.

 

  • We found that the console was failing to connect with the below error as well
  • We removed the WSUS mmc from folder %appdata%\Microsoft\MMC\
  • We tried to connect again to the WSUS console but to no avail

 

  • We further investigated and ensured that WSUS is failing to connect with SUSDB as it is timing out
  • We checked and found that SUSDB size was more than 6.5 GB
  • We restarted the SQL Service for instance hosting SUSDB
  • We tried to connect to WSUS console after restarting the service and it connected successfully
  • We see that there were more than 13,000 approved updates on WSUS console
  • This could cause an issue for WSUS to connect as it would take a long time to connect with SUSDB
  • We decided to run a PowerShell script to decline superseded updates from WSUS to enhance the performance of WSUS while connecting to SUSDB
  • We ran the PowerShell script from the link below to decline superseded updates
    https://blogs.technet.microsoft.com/configurationmgr/2015/04/15/support-tip-configmgr-2012-update-scan-fails-and-causes-incorrect-compliance-status/
  • Superseded updates were declined successfully

  • We changed the WSUS to use customwebsite port 8530 again

  • WSUS was successfully changed to port 8530
  • We tried to open WSUS console and it connected successfully
  • We ran synchronization on WSUS server and it completed successfully
  • BOOOM WOOP
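The state described above (a large number of approved updates, with superseded ones never declined) can be measured before anything is changed. This is an added example, not the Microsoft script linked above; it assumes it is run on the WSUS server with the UpdateServices module available, and it only declines when called with -Decline.

```powershell
# Added example: count superseded updates that are still not declined.
# Report-only by default; pass -Decline (optionally with -WhatIf) to act.
[CmdletBinding(SupportsShouldProcess)]
param([switch]$Decline)

Import-Module UpdateServices
$wsus = Get-WsusServer                 # connects to the local WSUS server

$all        = $wsus.GetUpdates()       # can take minutes against a large SUSDB
$approved   = @($all | Where-Object { $_.IsApproved })
$candidates = @($all | Where-Object { $_.IsSuperseded -and -not $_.IsDeclined })

# Summary to compare before and after the cleanup
[pscustomobject]@{
    TotalUpdates          = $all.Count
    Approved              = $approved.Count
    SupersededNotDeclined = $candidates.Count
    OfWhichStillApproved  = @($candidates | Where-Object { $_.IsApproved }).Count
}

if ($Decline) {
    foreach ($u in $candidates) {
        # ShouldProcess makes -WhatIf list the titles without declining them
        if ($PSCmdlet.ShouldProcess($u.Title, 'Decline superseded update')) {
            $u.Decline()
        }
    }
}
```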


WSUS – Error: Unexpected Error

Posted by robd on May 16, 2017
WSUS / 2 Comments

Recently our WSUS console kept crashing either when opening certain computer folders or All Computers.

Error: Unexpected error

So after lots of frustration I rebuilt WSUS on Server 2016, using a proper SQL instance:

Uninstall WSUS with PowerShell:

Then re-install with PowerShell:

Then set the SQL instance using an elevated CMD:

The servers all started populating, great.

Then FAIL again.

After some Googling I found the problem seems to be with a corrupt PC checking in, i.e. the PC checks in, then via WMI all the info is gathered on the PC and if that info is corrupt then WSUS crashes!!

To fix,

Copy the WSUS console error into Notepad++ (don’t use anything else) and look for:

Basically this means that the weird square symbol or SYM symbol is present in the WSUS database and causing WSUS to shit itself:

So we need to find it, open SQL Management Studio and open the SUSDB

Note: if you’re not using proper SQL then open the DB via:

Change the default view setting by going to Tools > Options > SQL Server Object Explorer and adjusting the ‘Value for Edit Top <n> Rows command’ from 200 to 0, which makes the option display all rows.

Navigate down within the SUSDB database to the dbo.tbComputerTargetDetail table, right-click it, and select ‘Edit All Rows’.

Click the top left corner of the column/rows to select everything, then copy-paste it into Notepad++.

Then copy the SYM from the error and search for it in the info you’ve just copied:

As you can see the ID on the left is 525:

Let’s now cross reference this against another table in the SUSDB database via SQL script:

Look for the ID:

That’s the PC!!!

Find it and update the BIOS and anything else you can, then get it to report in again to WSUS.
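The manual search above (copying dbo.tbComputerTargetDetail into Notepad++ and hunting for the control character) can also be done with a read-only scan of the same table. This is an added example, not from the original post or the forum thread; `SQL01\WSUS` is a placeholder instance name, and the table's first column is assumed to be the ID the post refers to.

```powershell
# Added example: find rows in dbo.tbComputerTargetDetail whose text columns
# contain non-printable control characters. Read-only (SELECT only).
param(
    [string]$SqlInstance = 'SQL01\WSUS',   # placeholder: instance hosting SUSDB
    [string]$Database    = 'SUSDB'
)

$conn = New-Object System.Data.SqlClient.SqlConnection(
    "Server=$SqlInstance;Database=$Database;Integrated Security=True")
$cmd = $conn.CreateCommand()
$cmd.CommandText = 'SELECT * FROM dbo.tbComputerTargetDetail'
$table = New-Object System.Data.DataTable
$conn.Open()
try {
    $table.Load($cmd.ExecuteReader())
} finally {
    $conn.Close()
}

# Control characters other than tab, line feed and carriage return
$bad      = [regex]'[\x00-\x08\x0B\x0C\x0E-\x1F]'
$idColumn = $table.Columns[0].ColumnName   # assumption: first column is the ID

$hits = foreach ($row in $table.Rows) {
    foreach ($col in $table.Columns) {
        $value = $row[$col]
        if ($value -is [string]) {          # skips numbers, dates and NULLs
            $m = $bad.Match($value)
            if ($m.Success) {
                [pscustomobject]@{
                    Id        = $row[$idColumn]
                    Column    = $col.ColumnName
                    CodePoint = 'U+{0:X4}' -f [int]$m.Value[0]
                    Value     = $bad.Replace($value, '?')   # safe to display
                }
            }
        }
    }
}
$hits | Format-Table -AutoSize
```

Each row returned names the ID and the column holding the bad character, which is the ID to cross reference as described above.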

 

Credit to SterlingT, he’s a wonderful human being:

https://social.technet.microsoft.com/Forums/windowsserver/en-US/90dc15d3-c498-42b8-b36a-bd29be35cf99/wsus-console-unexpected-error-when-choosing-all-computers-folder?forum=winserverwsus


WSUS – Auto Patching Servers

Posted by robd on June 02, 2016
WSUS / 1 Comment

So recently we took the plunge to auto patch and reboot all our servers based on the following schedules:

Schedule_1 WSUS Auto Approve – 7 days Deadline – When new updates are downloaded by WSUS they are held for 7 days then rolled out to the servers.  The server will then auto install and reboot (if necessary) the Monday after the 7 day deadline expires at 03:00.  Please note all previous updates that are needed will be installed on any Monday at 03:00.

Schedule_2 WSUS Auto Approve – 12 days Deadline – When new updates are downloaded by WSUS they are held for 21 days then rolled out to the servers.  The server will then auto install and reboot (if necessary) the Tuesday after the 21 day deadline expires at 02:00.  Please note all previous updates that are needed will be installed on any Tuesday at 02:00.

Schedule_3 WSUS Auto Approve – 31 days Deadline – When new updates are downloaded by WSUS they are held for 31 days then rolled out to the servers.  The server will then auto install and reboot (if necessary) the Wednesday after the 31 day deadline expires at 03:00.  Please note all previous updates that are needed will be installed on any Wednesday at 03:00.

 

So in other words, patch schedule 1 first and see if the servers break, then 5 days later install the patches on the servers in schedule 2, and then 24 days later do the rest.  I.e. Test, test and finish.

So here’s how we did it:

  • On WSUS setup some Computer Groups i.e. Schedule 1, Schedule 2 and Schedule 3:

Schedules

  • Put your servers in these groups (or if you auto place servers in groups via GPO then I cover that later).
  • Create some Auto Approval Rules under Options in WSUS manager:
    • The following example only applies Critical and Security updates to Computer Folder Schedule 1 and the deadline to install (i.e. install after) is 7 days at 03:00.
    • IMPORTANT – Once you’ve created the rules click RUN RULE or the rule won’t run against the existing updates.
  • Finally setup the Group Policies for the Servers (example for schedule 1), I applied a security group to the GPO so only the servers in schedule 1 received these updates:
    • Administrative Templates/Windows Components/Windows Update
      Allow Automatic Updates immediate installation Enabled
      Always automatically restart at the scheduled time Enabled
      The restart timer will give users this much time to save their work (minutes): 15

      Configure Automatic Updates Enabled

      Configure automatic updating: 4 – Auto download and schedule the install
      The following settings are only required and applicable if 4 is selected.
      Install during automatic maintenance Disabled
      Scheduled install day: 3 – Every Monday
      Scheduled install time: 03:00
      Enable client-side targeting Enabled

      Target group name for this computer Schedule_1  (Note – if you use GPOs to place servers in computer groups in WSUS then this is the setting)

      No auto-restart with logged on users for scheduled automatic updates installations Disabled
      Specify intranet Microsoft update service location Enabled

      Set the intranet update service for detecting updates: http://WSUS01:8530
      Set the intranet statistics server: http://WSUS01:8530
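To confirm on a server that the Schedule 1 GPO above has actually applied, the Windows Update policy registry values it writes can be compared with the settings listed. This is an added example, not part of the original post; the registry value names are the standard Windows Update policy ones, the expected values are those listed above, and the install day is decoded to a day name before it is compared.

```powershell
# Added example: compare applied Windows Update policy with the Schedule_1 GPO.
param(
    [string]$ExpectedGroup  = 'Schedule_1',
    [string]$ExpectedServer = 'http://WSUS01:8530',
    [string]$ExpectedDay    = 'Monday'
)

$wu = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
$au = "$wu\AU"

function Get-PolicyValue([string]$Path, [string]$Name) {
    # Returns $null when the key or value is absent (policy not applied)
    (Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue).$Name
}

$checks = @(
    @{ Path = $wu; Name = 'WUServer';                               Value = $ExpectedServer }
    @{ Path = $wu; Name = 'WUStatusServer';                         Value = $ExpectedServer }
    @{ Path = $wu; Name = 'TargetGroupEnabled';                     Value = 1 }
    @{ Path = $wu; Name = 'TargetGroup';                            Value = $ExpectedGroup }
    @{ Path = $au; Name = 'UseWUServer';                            Value = 1 }
    @{ Path = $au; Name = 'AUOptions';                              Value = 4 }
    @{ Path = $au; Name = 'ScheduledInstallTime';                   Value = 3 }
    @{ Path = $au; Name = 'AutoInstallMinorUpdates';                Value = 1 }
    @{ Path = $au; Name = 'AlwaysAutoRebootAtScheduledTime';        Value = 1 }
    @{ Path = $au; Name = 'AlwaysAutoRebootAtScheduledTimeMinutes'; Value = 15 }
    @{ Path = $au; Name = 'NoAutoRebootWithLoggedOnUsers';          Value = 0 }
)
$report = @(foreach ($c in $checks) {
    $actual = Get-PolicyValue $c.Path $c.Name
    [pscustomobject]@{ Setting = $c.Name; Expected = $c.Value; Actual = $actual
                       Ok = ($actual -eq $c.Value) }
})

# ScheduledInstallDay is stored as 0 = every day, 1 = Sunday ... 7 = Saturday
$days    = 'Every day','Sunday','Monday','Tuesday','Wednesday','Thursday','Friday','Saturday'
$dayRaw  = Get-PolicyValue $au 'ScheduledInstallDay'
$dayName = if ($null -ne $dayRaw) { $days[[int]$dayRaw] } else { $null }
$report += [pscustomobject]@{ Setting = 'ScheduledInstallDay'; Expected = $ExpectedDay
                              Actual = $dayName; Ok = ($dayName -eq $ExpectedDay) }

# Plain HTTP leaves update metadata unprotected in transit; flag it for review
$server = Get-PolicyValue $wu 'WUServer'
$report += [pscustomobject]@{ Setting = 'WUServer over HTTPS'; Expected = $true
                              Actual = ($server -like 'https://*'); Ok = ($server -like 'https://*') }
$report | Format-Table -AutoSize
```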

That should be it!!!!


WSUS Issues – System.IO.IOException

Posted by robd on June 02, 2016
WSUS / 15 Comments

So we auto patch servers using WSUS (Version: 6.2 on Server 2012) which is great as all servers (and we have loads) get patched and we don’t have to do anything (except fix shitty MS updates).

Last week WSUS patched itself and all of a sudden the WSUS Admin console was inaccessible:

WSUS Error

Clicking the copy error to clipboard gave this:

 

So after much Googling I found KB3148812 is the update that broke it.

To recover your console, run the following in an elevated command prompt (assuming Windows is installed on drive C):

cd C:\Program Files\Update Services\Tools

Wsusutil.exe postinstall /servicing

Then reset the server node or reboot WSUS, and you’re back in!

 

Once you’re back you may find that client scans against WSUS no longer succeed.

To restore client-server communication, enable HTTP Activation on your WSUS server via the Add Features and Roles Wizard in your Server Manager:

HTTP activation

Job Done.
