
Best Practices in Architecting and Implementing Windows Server Update Services (WSUS)
Greg Shields
Partner, Concentrated Technology

Agenda
Part I: Architecting and Implementing WSUS
Part II: Troubleshooting WSUS
Part III: Tips and Tricks for Using WSUS

Part 1: Architecting and Implementing WSUS

WSUS Product Vision
Simple, zero-cost solution for distributing Microsoft Update content in a corporation
A free RTW add-on for Windows Server
Solution only distributes Microsoft updates
Distributing 3rd-party patches requires purchasing advanced management tools such as SCE or Configuration Manager 2007
Provides a foundation for update management across Microsoft products: SCE, Configuration Manager 2007, MBSA, WU, SBS, Forefront
Consistent scan results
Unified client scan mechanism (WUA)

WSUS Momentum
Over 500,000 distinct WSUS servers synched with Microsoft Update last month
Used by over 60% of medium/large orgs, and built into SBS
WSUS 3 released April 30, 2007
Huge improvements in performance, deployment options, reporting and UI
Easy in-place upgrade from WSUS 2

WSUS Lifecycle/Roadmap
Support lifecycle:
Version      Support ends     Comment
SUS 1.0      Not supported    Crazy old now. Don't use.
WSUS2 RTM    Not supported    Updates still flow
WSUS2 SP1    Not supported    EOL is April 9, 2009 (now), two years after WSUS3 RTM
WSUS3 RTM    Not supported    One year after WSUS3 SP1
WSUS3 SP1    TBD              One year after WSUS3 SP2
Next up: release WSUS3 SP2 RC; RTM shortly after the Windows Server 2008 R2 release

WSUS 3.0 SP1/SP2 Added Features
WSUS 3 SP1 adds the following features:
Installs on Server 2008, integrated with Server Manager (after installing Server Manager update KB940518)
API enhancements for advanced management tools
Bug fixes

WSUS 3 SP2 will add:
Installs on Server 2008 R2 beta
Supports managing Win7 clients
Support for BranchCache
Auto-approval rules with deadlines
Bug fixes (DSS gets languages from USS, target groups sorted alphabetically, more robust setup upgrade)
(RC) Compliance against approved updates

Demo: New Features in WSUS SP2

Elements of Architecture
Why architecture?
Problems are usually the result of improper architecture
A correct architecture will drive a better design
Especially in situations of administrator distrust or insufficient bandwidth
Design your WSUS solution with the same goals as your AD solution
Roaming users should be dealt with separately

Simple Architecture
Single, well-connected site
WSUS updates from MU
Clients update from WSUS
A single server can handle 25,000 clients
50K clients with 2x front-end servers and a big SQL back-end
Remote SQL configuration reduces server load
Front-end handles update sync load
Back-end handles reporting load

Simple, with Groups
Largest use case in production today
Driving forces to move to machine groups:
Differing patching requirements or schedules
Test groups
Servers vs. workstations
Politics
Not necessarily used for load distribution

WSUS Chaining
Chaining involves downstream servers getting updates (and sometimes group data) from upstream servers
Options for chaining:
Distributed vs. centralized model
Autonomous mode vs. replica mode
Chaining solves the problem of mesh or fully independent architectures, which waste resources and bandwidth
Not that some situations don't mandate mesh or fully independent architectures!

Centralized Architecture
Downstream servers are replicas of the primary server
Little downstream control over servers
Downstream administrators drop machines into predefined groups
All update approvals and scheduling are done at the primary server

Distributed Architecture
Downstream servers obtain updates from the primary server, except:
Update approvals do not flow down; assigned at each site individually
Downstream admins have greater control; can create groups and assign approvals
Used for distribution rather than control of updates
Combinations of centralized and distributed are possible; depends on the intra-IT trust model

Disconnected Architecture
Many environments don't have Internet connectivity
Test/dev, government, classified, air-gap environments
Data must be imported from the outside
Any of the previous architectures will work
Manual import process required
Gives CM/QA/Security the option to review updates prior to bringing them inside
(diagram: Internet-connected source server, sneakernet transfer to the disconnected network)

Disconnected Architecture
Match advanced options between source and target
Express installation files and languages must match
Back up and restore updates from source to target
Back up C:\WSUS\WSUSContent
Restore to the same location on the target server
Transfer update metadata from source to target
Navigate to C:\Program Files\Update Services\Tools
Export metadata using wsusutil.exe export {packageName} {logFile}
Import with wsusutil.exe import {packageName} {logFile}
packageName and logFile are unique names you can choose
Database validation during import can take multiple hours to complete!
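The export/import procedure above wrapped as one script, as an added example that is not from the original deck. Run it with -Mode Export on the connected source server, carry the transfer folder across on removable media, then run it with -Mode Import on the disconnected target. It assumes the default WSUS 3 paths, a removable drive mounted as D:\Transfer, and that the SHA-256 value written at export is carried (or read out) separately from the media so a swapped or damaged package is noticed before the multi-hour import starts.

```powershell
# Added example, not the deck's code. Assumptions: default WSUS 3 paths,
# removable drive D:\Transfer, wsusutil.exe returns non-zero on failure.
param(
    [Parameter(Mandatory=$true)][ValidateSet('Export','Import')][string]$Mode,
    [string]$Transfer = 'D:\Transfer',
    [string]$Content  = 'C:\WSUS\WSUSContent',
    [string]$Tools    = 'C:\Program Files\Update Services\Tools'
)
$ErrorActionPreference = 'Stop'
$wsusutil = Join-Path $Tools 'wsusutil.exe'

function Get-Sha256Hex([string]$Path) {
    $sha = [System.Security.Cryptography.SHA256]::Create()
    $fs  = [System.IO.File]::OpenRead($Path)
    try     { ([System.BitConverter]::ToString($sha.ComputeHash($fs))) -replace '-', '' }
    finally { $fs.Close() }
}

function Copy-Tree([string]$From, [string]$To) {
    # /E keeps the directory tree, /XO skips files the destination already has,
    # /R and /W bound the retries on a flaky USB disk. Exit codes >= 8 are failures.
    & robocopy.exe $From $To /E /XO /R:2 /W:5 /NP | Out-Null
    if ($LASTEXITCODE -ge 8) { throw "robocopy $From -> $To failed with code $LASTEXITCODE" }
}

switch ($Mode) {
    'Export' {
        if (-not (Test-Path $Transfer)) { New-Item -ItemType Directory -Path $Transfer | Out-Null }
        # Unique package and log names per run, as the slide recommends.
        $stamp   = Get-Date -Format 'yyyyMMdd-HHmm'
        $package = Join-Path $Transfer "wsus-$stamp.cab"
        $log     = Join-Path $Transfer "wsus-$stamp-export.log"
        # Content first (the files), then metadata (the .cab): import needs both.
        Copy-Tree $Content (Join-Path $Transfer 'WSUSContent')
        & $wsusutil export $package $log
        if ($LASTEXITCODE -ne 0) { throw "wsusutil export failed; see $log" }
        $hash = Get-Sha256Hex $package
        Set-Content -Path "$package.sha256" -Value $hash
        Write-Host "Exported $package`nSHA-256 $hash (record this out of band)"
    }
    'Import' {
        $cab = Get-ChildItem -Path $Transfer -Filter 'wsus-*.cab' |
               Sort-Object Name | Select-Object -Last 1
        if (-not $cab) { throw "No wsus-*.cab package found under $Transfer" }
        $expected = (Get-Content -Path "$($cab.FullName).sha256").Trim().ToUpper()
        $actual   = Get-Sha256Hex $cab.FullName
        if ($expected -ne $actual) {
            throw "SHA-256 mismatch for $($cab.Name): package is damaged or was replaced in transit"
        }
        # Restore content to the same path it came from, then load the metadata.
        Copy-Tree (Join-Path $Transfer 'WSUSContent') $Content
        $log = Join-Path $Transfer ($cab.BaseName + '-import.log')
        # Database validation during import can run for several hours; use a
        # maintenance window and follow progress in the log rather than the console.
        & $wsusutil import $cab.FullName $log
        if ($LASTEXITCODE -ne 0) { throw "wsusutil import failed; see $log" }
        Write-Host "Imported $($cab.Name); confirm express files and languages match the source"
    }
}
```

The hash only helps if the value is compared against something that did not travel on the same media (a printout, an e-mail, a phone call); a hash file sitting next to the package proves nothing against someone who can write to the drive.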

Roaming Architecture
Manages updates for external resources
WSUS servers distribute approval metadata
Clients download updates from Windows Update directly
Extra security for an Internet-facing WSUS server
Useful separate architecture for mostly off-net clients
(diagram: laptop WSUS server and roaming laptops)

Roaming Architecture
Four steps to Internet-facing WSUS:
Build server in DMZ and position behind ISA proxy
Locate database on a server not reachable from the Internet
Enable SSL for communications
Host content on

High Availability Architecture
WSUS 3.0 includes native support for high availability
NLB clusters connect multiple WSUS web servers via a single cluster IP
SQL cluster manages the database
No single point of failure
Critical: this design is useful for availability, but does little for performance

Managing Branch Offices
Branch offices are typically managed through replica WSUS servers
Replica servers take all orders from the central server
Settings at the top flow downward, but take time
Alternatively, unify the architecture through a single central server
Single server manages all clients across all offices
Deploy ISA proxy in the branch
Enable BITS peer caching
Use delta files to reduce network traffic

Upgrade Deployment
WSUS 3 SP1 setup supports in-place upgrade
One-way upgrade (no rollback)
Can't be done from WSUS 2 on Server 2000 or using SQL 2000
Alternative is a migration upgrade:
Install second server
If original server is WSUS 2 SP1: perform disconnected replica steps (wsusutil, ntbackup, wsusmigrate), then switch over clients via policy
If original server is also WSUS 3: configure the new server to be a replica of the first and sync; after sync, configure the new server to be autonomous
Upgrade the hierarchy from the top down

Part 2: Troubleshooting WSUS

Errors and Error Codes
Numerous WSUS error codes exist
A complete list of all WSUS error codes is available on-line at http://inetexplorer.mvps.org/archive/windows_update_codes.htm
For example, 0x8DDD0018 occurs when one of these services is disabled:
Automatic Updates
BITS
Event Log

Errors and Error Codes II
0x80072EE2, 0x80072EFD
This issue occurs because the Windows Update client did not receive a timely response from the Windows Update web site server
Likely a proxy configuration, personal firewall, or trusted hosts problem

Errors and Error Codes III
0x80246008, 0x8024402C
Caused by BITS malfunctioning or corrupted
Download and extract the BITSAdmin tool from the Windows Support Tools CD
bitsadmin /util /repairservice /force
If that doesn't work, try a BITS re-install
Though if you do a BITS re-install, clear out the %SystemRoot%\SoftwareDistribution folder and reboot when done
It's worth mentioning here that there is no backup download process for WUA, like HTTP or FTP
If BITS is non-functional, so is patching!

Errors and Error Codes IV
0x80244019
This error is often caused when the proxy server is not properly configured.
Ensure that your proxy server allows anonymous access to these external addresses:
http://windowsupdate.microsoft.com
http://*.windowsupdate.microsoft.com
https://*.windowsupdate.microsoft.com
http://*.update.microsoft.com
https://*.update.microsoft.com
http://*.windowsupdate.com
http://download.windowsupdate.com
http://download.microsoft.com
http://*.download.windowsupdate.com
http://wustat.windows.com
http://ntservicepack.microsoft.com
Microsoft does not publish the IPs associated with these FQDNs. So, if you do perimeter network security by IP, you've gotta stay on the ball with these!
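One way to stay on the ball, as an added example that is not from the original deck: snapshot what the non-wildcard names above resolve to and diff against the previous run, so an address change is seen before the allow-list silently stops matching. The snapshot file name and the choice of names are assumptions; wildcard entries cannot be resolved and are left out.

```powershell
# Added example, not the deck's code. Run it from the host that actually
# performs the egress (the proxy or firewall management box): CDN answers
# differ by vantage point, and the allow-list must match that vantage point.
$hosts = 'windowsupdate.microsoft.com', 'download.windowsupdate.com',
         'download.microsoft.com', 'wustat.windows.com', 'ntservicepack.microsoft.com'
$snapshot = 'wu-hosts.csv'   # assumed location of the previous run's answers

function Resolve-WuHosts([string[]]$Names) {
    foreach ($n in $Names) {
        try {
            foreach ($a in [System.Net.Dns]::GetHostAddresses($n)) {
                New-Object PSObject -Property @{ Host = $n; Address = $a.IPAddressToString }
            }
        } catch {
            Write-Warning "$n did not resolve: $($_.Exception.Message)"
        }
    }
}

$now = @(Resolve-WuHosts $hosts)
if (Test-Path $snapshot) {
    $old  = @(Import-Csv -Path $snapshot)
    $diff = Compare-Object -ReferenceObject $old -DifferenceObject $now -Property Host, Address
    if ($diff) {
        # "=>" appeared today (add to the allow-list); "<=" is gone (candidate to retire,
        # but only after a few runs, since CDN answers rotate).
        $diff | Sort-Object Host | Format-Table Host, Address, SideIndicator -AutoSize
    } else {
        Write-Host 'No address changes since the last snapshot'
    }
}
$now | Export-Csv -Path $snapshot -NoTypeInformation
```

Schedule it daily and alert on any "=>" line. The honest fix is a proxy that filters on the FQDN rather than the address, which is exactly what the slide's list is written for.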

WUA Client Issues
To enable auto-updates, ensure:
Anonymous access is granted to the SelfUpdate virtual directory on the WSUS server
Auto-updates require TCP/80 to function on the WSUS server
Be aware of GP replication times
The 90 to 120 minute GP refresh timing will affect how quickly clients become visible in the WSUS admin tool
Be aware of AU detection frequency times
The WUA client is set to check with the server every 22 hours (minus a random offset)
When WUA checks in is when it checks its WUA version
Run wuauclt /detectnow to force this to occur on demand

WUA Client Issues II
Known issue with imaged workstations:
If you image your workstations (and who doesn't these days!), you must change the SID
Sysinternals NewSID, Microsoft Sysprep
Not doing this will prevent WUA from contacting WSUS
To fix this problem:
Run one of the above tools to change the SID
Under HKLM\Software\Microsoft\Windows\CurrentVersion\WindowsUpdate, delete the PingID, SUSClientID, and AccountDomainSID values
Restart the wuauserv service
Run wuauclt /resetauthorization /detectnow
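The fix above as a script, plus the check that finds the clones in the first place, as an added example that is not from the original deck. Clones that share a SUSClientID show up in the WSUS console as a single computer that keeps changing its name; the first function reads that value from a list of machines and reports any value shared by more than one. The second function performs the reset on one client. It assumes the Remote Registry service is reachable on the clients for the first half, and that the second half runs elevated on the client after the SID has been changed.

```powershell
# Added example, not the deck's code. Assumptions: Remote Registry reachable
# for Find-DuplicateSusClientId; Reset-WuaClientId runs elevated on the client.
$key = 'SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate'

function Get-SusClientId([string]$ComputerName) {
    $base = [Microsoft.Win32.RegistryKey]::OpenRemoteBaseKey('LocalMachine', $ComputerName)
    try {
        $k = $base.OpenSubKey($key)
        if ($k) { $k.GetValue('SUSClientID') }
    } finally { $base.Close() }
}

function Find-DuplicateSusClientId([string[]]$ComputerName) {
    $rows = foreach ($c in $ComputerName) {
        try {
            New-Object PSObject -Property @{ Computer = $c; SUSClientID = (Get-SusClientId $c) }
        } catch {
            Write-Warning "$c unreachable: $($_.Exception.Message)"
        }
    }
    # Every group with more than one member is a set of clones WSUS sees as one computer.
    $rows | Group-Object -Property SUSClientID | Where-Object { $_.Name -and $_.Count -gt 1 } |
        ForEach-Object { '{0} shared by: {1}' -f $_.Name, (($_.Group | ForEach-Object { $_.Computer }) -join ', ') }
}

function Reset-WuaClientId {
    # Run after NewSID/Sysprep: clear the cached identity, re-register, wait for the new one.
    $path = "HKLM:\$key"
    Stop-Service -Name wuauserv -Force
    foreach ($v in 'PingID', 'SUSClientID', 'AccountDomainSID') {
        Remove-ItemProperty -Path $path -Name $v -ErrorAction SilentlyContinue
    }
    Start-Service -Name wuauserv
    # /resetauthorization drops the cached target-group cookie; /detectnow forces a check-in.
    & wuauclt.exe /resetauthorization /detectnow
    # The agent writes a fresh SUSClientID on its next successful contact with the server.
    for ($i = 0; $i -lt 18; $i++) {
        Start-Sleep -Seconds 10
        $id = (Get-ItemProperty -Path $path -Name SUSClientID -ErrorAction SilentlyContinue).SUSClientID
        if ($id) { return $id }
    }
    throw 'SUSClientID was not regenerated within 3 minutes; check %windir%\WindowsUpdate.log'
}

# Usage on an admin workstation:  Find-DuplicateSusClientId -ComputerName (Get-Content clones.txt)
# Usage on one clone, elevated:   Reset-WuaClientId
```

Deleting the values without changing the SID first only buys one detection cycle; the next clone to check in overwrites the record again.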

WUA Client Issues III
Disabling the Automatic Updates service or the BITS service at any point in the past prevents it from starting properly when you need it!
Reset permissions on these services to re-enable functionality.
Use the Service Control tool (sc.exe, built into Windows XP/2003 and later) to do this:
sc sdset bits "D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCLCSWLOCRRC;;;AU)(A;;CCLCSWRPWPDTLOCRRC;;;PU)"
sc sdset wuauserv "D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCLCSWLOCRRC;;;AU)(A;;CCLCSWRPWPDTLOCRRC;;;PU)"
Every disabled client needs this!
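Before blindly rewriting descriptors on every client, check which ones actually drifted. The following is an added example, not from the original deck: it reads the current DACL of both services with sc sdshow, compares it with the baseline quoted on the slide, rewrites only the ones that differ, and restores the start type of a service someone left Disabled. It assumes the slide's SDDL is the desired baseline for the Windows build in question.

```powershell
# Added example, not the deck's code. Assumption: the slide's SDDL is the
# desired baseline; run elevated on the client.
$ErrorActionPreference = 'Stop'
$defaultDacl = 'D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCLCSWLOCRRC;;;AU)(A;;CCLCSWRPWPDTLOCRRC;;;PU)'
$services = @{
    bits     = @{ Dacl = $defaultDacl; Start = 'demand' }   # BITS starts on demand
    wuauserv = @{ Dacl = $defaultDacl; Start = 'auto' }     # Automatic Updates runs always
}

function Get-ServiceDacl([string]$Name) {
    # "sc sdshow" prints a blank line and then the SDDL. Keep only the D: part:
    # sdshow may also report an S: (audit) section, which sdset leaves alone.
    $out = & sc.exe sdshow $Name
    if ($LASTEXITCODE -ne 0) { throw "sc sdshow $Name failed: $out" }
    $sddl = ($out | Where-Object { $_ -match '\S' } | Select-Object -Last 1).Trim()
    ($sddl -split 'S:')[0]
}

function Repair-WuaService([string]$Name) {
    $want = $services[$Name].Dacl
    $have = Get-ServiceDacl $Name
    # Exact string compare: ACE order matters to sdset, and a reordered but
    # equivalent DACL costs only one harmless rewrite.
    if ($have -ne $want) {
        Write-Host "$Name DACL drifted:`n  have $have`n  want $want"
        & sc.exe sdset $Name $want | Out-Null
        if ($LASTEXITCODE -ne 0) { throw "sc sdset $Name failed" }
    } else {
        Write-Host "$Name DACL matches baseline"
    }
    # A service that was Disabled at some point also needs its start type back.
    $svc = Get-WmiObject -Class Win32_Service -Filter "Name='$Name'"
    if ($svc.StartMode -eq 'Disabled') {
        # sc.exe requires the space after "start=".
        & sc.exe config $Name start= $services[$Name].Start | Out-Null
        if ($LASTEXITCODE -ne 0) { throw "sc config $Name failed" }
        Write-Host "$Name was Disabled; start type set to $($services[$Name].Start)"
    }
}

foreach ($name in 'bits', 'wuauserv') { Repair-WuaService $name }
Start-Service -Name wuauserv
```

The "have/want" line is the useful artifact: a DACL that keeps drifting back points at a hardening script or GPO that disables the service, and that is what to fix rather than re-running this on every client.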

Part 3: Tips and Tricks for Using WSUS

Optimize Patch Distribution
In large, multi-site environments, low bandwidth may cause problems for remote offices
Distributing updates to downstream servers is the big problem
Potential solutions:
Ensure you download only the languages you need
Configure patch distribution to occur in the evenings
Stagger patch distributions between tiered sites
Express installation files can exacerbate this
The bandwidth savings in express installation files occur from WSUS server to client, not between WSUS servers
Throttle BITS

Throttling BITS
BITS can be throttled either on the WSUS server or additionally on all the clients
Alleviates network saturation during update distribution and during client installation
Be aware that this does slow down update distributions!
Throttle BITS in Group Policy:
Computer Configuration | Administrative Templates | Network | Background Intelligent Transfer Service
Two settings:
Maximum network bandwidth that BITS uses
Limit by Kbps based on time of day or at all times
Be aware that Kbps is kilobits, not kilobytes (multiply a kilobyte figure by 8)
Timeout (in days) for inactive jobs
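The same two settings written to the local policy hive for a host that is not in the domain, with the kilobyte-to-kilobit conversion done explicitly, as an added example that is not from the original deck. It assumes that the value names under HKLM\SOFTWARE\Policies\Microsoft\Windows\BITS are the ones the BITS administrative template writes for these two policies; a domain GPO overwrites them at the next refresh, so this is for standalone servers or for testing a limit before it goes into the GPO.

```powershell
# Added example, not the deck's code. Assumption: these are the registry
# values behind "Maximum network bandwidth that BITS uses" and "Timeout
# (in days) for inactive jobs". Run elevated.
param(
    [int]$LimitKBytesPerSec = 64,            # the figure the network team hands you, in kilobytes/s
    [int]$FromHour = 8, [int]$ToHour = 18,   # hours of the day during which the limit applies
    [switch]$UnlimitedOutsideSchedule,
    [int]$InactiveJobTimeoutDays = 90
)
$key  = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\BITS'
# The policy wants kilobits per second: 64 KB/s is 512 Kbps, not 64.
$kbps = $LimitKBytesPerSec * 8
if ($FromHour -ge $ToHour) { throw 'FromHour must be earlier than ToHour' }
if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }

$values = @{
    EnableBITSMaxBandwidth     = 1
    MaxTransferRateOnSchedule  = $kbps
    MaxBandwidthValidFrom      = $FromHour
    MaxBandwidthValidTo        = $ToHour
    UseSystemMaximum           = [int]$UnlimitedOutsideSchedule.IsPresent
    MaxTransferRateOffSchedule = $kbps
    JobInactivityTimeout       = $InactiveJobTimeoutDays
}
foreach ($name in $values.Keys) {
    Set-ItemProperty -Path $key -Name $name -Value $values[$name] -Type DWord
}
Restart-Service -Name bits
$off = if ($UnlimitedOutsideSchedule) { 'unlimited' } else { "$kbps Kbps" }
Write-Host ("BITS capped at {0} Kbps ({1} KB/s) from {2:00}:00 to {3:00}:00; outside that: {4}" -f
    $kbps, $LimitKBytesPerSec, $FromHour, $ToHour, $off)
```

Check the result with bitsadmin /util /getieproxy or simply by timing a known download; a limit entered in the wrong unit is eight times too tight or too loose, which is why the conversion is spelled out.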

DNS Netmask Ordering
Non-centralized architectures can better route clients through DNS netmask ordering
Microsoft DNS round robin will first provide an IP address in the same subnet as the requestor
If no IP exists in the same subnet, a random IP will be selected
All WSUS hosts must respond to the same FQDN
The DNS FQDN record is populated with the IP addresses of all WSUS servers in the network

Server Tuning
Run cleanup and DB defrag every few months
Cleanup wizard is a new feature in WSUS 3
Removes stale computers and updates
DB index defrag script available on ScriptCenter keeps the server running fast
Look out:
Take care not to remove computers that are still active (but having trouble contacting the server)
Populate from AD sample tool can help
In a hierarchy, cleanup needs to run on each WSUS server
Clean computers from the bottom up
Clean updates from the top down (or between sync intervals)
Can be automated through the API
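The cleanup wizard's work driven from the WSUS 3 .NET API so it can be scheduled, with the "look out" item handled, as an added example that is not from the original deck. Computers that WSUS would treat as obsolete but that are still alive in AD are reported for client troubleshooting and the computer-cleanup step is skipped until they are dealt with. It assumes it runs on the WSUS server as a WSUS administrator, and that "alive in AD" can be read as the machine account password having rotated within the last 45 days (the default rotation is every 30).

```powershell
# Added example, not the deck's code. Assumptions: run on the WSUS server as a
# WSUS administrator; AD liveness = pwdLastSet within 45 days.
[void][System.Reflection.Assembly]::LoadWithPartialName('Microsoft.UpdateServices.Administration')
$wsus = [Microsoft.UpdateServices.Administration.AdminProxy]::GetUpdateServer()

function Get-AliveAdComputers([int]$Days) {
    $since = (Get-Date).AddDays(-$Days).ToFileTime()
    $ds = New-Object System.DirectoryServices.DirectorySearcher
    $ds.Filter   = "(&(objectCategory=computer)(pwdLastSet>=$since))"
    $ds.PageSize = 1000
    [void]$ds.PropertiesToLoad.Add('dNSHostName')
    foreach ($r in $ds.FindAll()) {
        if ($r.Properties['dnshostname'].Count -gt 0) { $r.Properties['dnshostname'][0] }
    }
}

# The wizard's own definition of obsolete: no contact with this server for 30 days.
$cutoff = (Get-Date).AddDays(-30)
$stale  = @($wsus.GetComputerTargets() | Where-Object { $_.LastSyncTime -lt $cutoff })
$alive  = @{}
foreach ($h in Get-AliveAdComputers 45) { $alive[$h.ToLower()] = $true }
$broken = @($stale | Where-Object { $alive.ContainsKey($_.FullDomainName.ToLower()) })
foreach ($c in $broken) {
    Write-Warning ('{0}: alive in AD but last synced {1:d}; fix the client, do not delete it' -f
        $c.FullDomainName, $c.LastSyncTime)
}

$scope = New-Object Microsoft.UpdateServices.Administration.CleanupScope
# Update cleanup runs top-down in a hierarchy, so the upstream server gets this first.
$scope.DeclineSupersededUpdates    = $true
$scope.DeclineExpiredUpdates       = $true
$scope.CleanupObsoleteUpdates      = $true
$scope.CompressUpdates             = $true
$scope.CleanupUnneededContentFiles = $true
# Computer cleanup runs bottom-up. It is skipped here on any server that has
# downstream replicas (clean those first, then this server by hand) and
# whenever a known-good machine is sitting in the stale list.
$scope.CleanupObsoleteComputers = ($broken.Count -eq 0) -and ($wsus.GetDownstreamServers().Count -eq 0)

$result = $wsus.GetCleanupManager().PerformCleanup($scope)
$result | Format-List SupersededUpdatesDeclined, ExpiredUpdatesDeclined, ObsoleteUpdatesDeleted, `
                      UpdatesCompressed, ObsoleteComputersDeleted, DiskSpaceFreed
```

Run it from a scheduled task under an account in the WSUS Administrators group and keep the warnings: a machine that is alive in AD but silent towards WSUS is usually one of the client problems from Part 2, not a candidate for deletion.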

Considerations for Updating Servers
Servers require more care than workstations
A rebuild is usually not an acceptable solution for a failed patch installation
Outage windows are shorter
But in some ways servers are easier:
Data and system drives are usually separated
Hardware configuration is usually more stable or well understood
Service isolation and redundancy in larger environments limits exposure/risk
People typically aren't surfing on servers
The RAID 1 undo trick

What About Reboots?
I've said this before, and I'll say it again:
If you have a patch management plan without a reboot strategy, you don't have a patch management plan.
Three methods:
Client-initiated
WSUS-initiated
Script-initiated
Two methodologies:
Scheduled reboots vs. rebooting for patch installation
I will argue in favor of scheduled, forced reboots over mid-day reboots.

Handling Reboots
' Reboot every computer listed in computers.txt (one name per line) through WMI
' and record the outcome of each in results.txt.
RebootFile = "computers.txt"
LogFile = "results.txt"
Set fso = CreateObject("Scripting.FileSystemObject")
Set f = fso.OpenTextFile(RebootFile, 1, True)
Set objTextFile = fso.OpenTextFile(LogFile, 2, True)
On Error Resume Next
Do While Not f.AtEndOfStream
    strComputer = Trim(f.ReadLine)
    If strComputer <> "" Then
        ' (Shutdown) enables SeShutdownPrivilege on the remote connection; Reboot() fails without it.
        Set objWMIService = GetObject("winmgmts:" & _
            "{impersonationLevel=impersonate,(Shutdown)}!\\" & strComputer & "\root\cimv2")
        If Err.Number <> 0 Then
            objTextFile.WriteLine(strComputer & " is not responding.")
            Err.Clear
        Else
            Set colOperatingSystems = objWMIService.ExecQuery("Select * from Win32_OperatingSystem")
            For Each objOperatingSystem In colOperatingSystems
                objOperatingSystem.Reboot()
                If Err.Number <> 0 Then
                    objTextFile.WriteLine(strComputer & " reboot failed: " & Err.Description)
                    Err.Clear
                Else
                    objTextFile.WriteLine(strComputer & " is rebooting.")
                End If
            Next
        End If
    End If
Loop
f.Close
objTextFile.Close

Custom Reports
UI supports basic customization (filters)
Advanced customization can be built on the WSUS (.NET) API
Can use PowerShell scripts to generate reports
Public read-only SQL views
Can use SSRS to generate reports (if full SQL)
Samples available from MSDN
E.g., compliance against approved updates
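A per-computer compliance report against currently approved updates, built on the API rather than the database, as an added example that is not from the original deck or the MSDN samples. It assumes it runs on the WSUS server as a WSUS administrator; the 90% line used to pick out machines for the on-screen list is an arbitrary threshold.

```powershell
# Added example, not the deck's code. Assumptions: run on the WSUS server as
# a WSUS administrator; 90% is an arbitrary attention threshold.
[void][System.Reflection.Assembly]::LoadWithPartialName('Microsoft.UpdateServices.Administration')
$wsus = [Microsoft.UpdateServices.Administration.AdminProxy]::GetUpdateServer()

# Count only updates whose latest revision is approved: the same population as
# the SP2 "compliance against approved updates" report.
$scope = New-Object Microsoft.UpdateServices.Administration.UpdateScope
$scope.ApprovedStates = [Microsoft.UpdateServices.Administration.ApprovedStates]::LatestRevisionApproved

$rows = foreach ($pc in $wsus.GetComputerTargets()) {
    $s = $pc.GetUpdateInstallationSummary($scope)
    $needed = $s.NotInstalledCount + $s.DownloadedCount + $s.FailedCount + $s.InstalledPendingRebootCount
    $total  = $needed + $s.InstalledCount
    if ($total -gt 0) { $pct = [math]::Round(100 * $s.InstalledCount / $total, 1) } else { $pct = 100 }
    New-Object PSObject -Property @{
        Computer      = $pc.FullDomainName
        Groups        = (@($pc.GetComputerTargetGroups() | ForEach-Object { $_.Name }) -join ';')
        LastReport    = $pc.LastReportedStatusTime
        Installed     = $s.InstalledCount
        Missing       = $s.NotInstalledCount + $s.DownloadedCount
        Failed        = $s.FailedCount
        PendingReboot = $s.InstalledPendingRebootCount
        Unknown       = $s.UnknownCount      # never reported by the client: a Part 2 client problem
        Compliance    = $pct
    }
}

$cols = 'Computer', 'Groups', 'LastReport', 'Installed', 'Missing', 'Failed', 'PendingReboot', 'Unknown', 'Compliance'
$rows | Sort-Object Compliance | Select-Object $cols | Export-Csv -Path 'compliance.csv' -NoTypeInformation
# On screen: the machines that need attention, worst first.
$rows | Where-Object { $_.Compliance -lt 90 -or $_.Unknown -gt 0 -or $_.Failed -gt 0 } |
    Sort-Object Compliance | Format-Table Computer, Compliance, Missing, Failed, PendingReboot, Unknown -AutoSize
```

Unknown and LastReport are the two columns worth reading first: a 100% figure from a client that last reported two months ago is not compliance, it is a client that stopped talking.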

Match KBs to MSRCs
Ever wish you had a nice mapping of knowledge base numbers to MSRC numbers?
The Q-numbers to the MS-numbers
This script outputs a .CSV file that provides just that mapping
Add the name of your WSUS server into the top line of the script: strWSUSServer = "<Enter WSUS Server here>"

Match KBs to MSRCs
' Map Microsoft Security Bulletin IDs (MSyy-nnn) to the update titles, which carry
' the KB (Q) numbers, straight from the SUSDB tables. The account running the
' script needs a login on SUSDB. For the Windows Internal Database, use
' np:\\.\pipe\MSSQL$MICROSOFT##SSEE\sql\query as the server name.
strWSUSServer = "<Enter WSUS Server here>"
Set fso = CreateObject("Scripting.FileSystemObject")
Set objTextFile = fso.OpenTextFile("OUTPUT.csv", 2, True)
objTextFile.WriteLine("MS Number,Q Number")
Set conn = CreateObject("ADODB.Connection")
Set rs = CreateObject("ADODB.Recordset")
dbconn = "Driver={SQL Server};Server=" & strWSUSServer & ";Database=SUSDB;Trusted_Connection=Yes"
conn.Open dbconn
' English (1033) titles only, so each revision appears once.
strSQLQuery = "SELECT dbo.tbSecurityBulletinForRevision.SecurityBulletinID, " & _
    "dbo.tbLocalizedProperty.Title " & _
    "FROM dbo.tbLocalizedPropertyForRevision " & _
    "INNER JOIN dbo.tbLocalizedProperty ON " & _
    "dbo.tbLocalizedPropertyForRevision.LocalizedPropertyID = dbo.tbLocalizedProperty.LocalizedPropertyID " & _
    "INNER JOIN dbo.tbSecurityBulletinForRevision ON " & _
    "dbo.tbLocalizedPropertyForRevision.RevisionID = dbo.tbSecurityBulletinForRevision.RevisionID " & _
    "WHERE dbo.tbLocalizedPropertyForRevision.LanguageID = 1033 " & _
    "ORDER BY dbo.tbSecurityBulletinForRevision.SecurityBulletinID"
rs.Open strSQLQuery, conn, 3, 3
While Not rs.EOF
    ' Strip commas from the title so the CSV keeps two columns.
    objTextFile.WriteLine(rs.Fields(0).Value & "," & Replace(rs.Fields(1).Value, ",", ""))
    rs.MoveNext
Wend
rs.Close
conn.Close
objTextFile.Close

Agent Control
Use the WUA API to control the agent
Custom install schedules
Updating servers in web farms
Implementing "install now" functionality

On-Demand Patching (You Patch Now!)
Ever wish you had a WSUS big red button?
Such a button might automatically download and install all approved patches and reboot if necessary
How about this VBScript?
Run this script from any server console
Immediately downloads and installs all approved patches
If a reboot is required, it will then reboot the server

The WSUS Big Red Button
' Part 1 of 2: enable the agent, force a detection cycle against the configured
' WSUS server, and collect every approved update that is not yet installed.
Set objAutomaticUpdates = CreateObject("Microsoft.Update.AutoUpdate")
objAutomaticUpdates.EnableService
objAutomaticUpdates.DetectNow
Set objSession = CreateObject("Microsoft.Update.Session")
Set objSearcher = objSession.CreateUpdateSearcher()
' Only updates approved on the WSUS server the agent points at come back from Search.
Set objResults = objSearcher.Search("IsInstalled=0 and IsHidden=0 and Type='Software'")
Set colUpdates = objResults.Updates
Set objUpdatesToDownload = CreateObject("Microsoft.Update.UpdateColl")
intUpdateCount = 0
For i = 0 To colUpdates.Count - 1
    Set objUpdate = colUpdates.Item(i)
    ' Install() refuses an update whose license terms have not been accepted.
    If Not objUpdate.EulaAccepted Then objUpdate.AcceptEula
    objUpdatesToDownload.Add(objUpdate)
    intUpdateCount = intUpdateCount + 1
Next
<<This is only the first half of the script. Add the code from the next page to create the full script>>

The WSUS Big Red Button
<<Add this half to the code on the previous page!>>
' Part 2 of 2: download, install, and reboot only if something asked for it.
If intUpdateCount = 0 Then
    WScript.Echo "No approved updates pending."
    WScript.Quit
End If
Set objDownloader = objSession.CreateUpdateDownloader()
objDownloader.Updates = objUpdatesToDownload
objDownloader.Download()
Set objInstaller = objSession.CreateUpdateInstaller()
objInstaller.Updates = objUpdatesToDownload
Set installationResult = objInstaller.Install()
' ResultCode: 2 = succeeded, 3 = succeeded with errors, 4 = failed, 5 = aborted
WScript.Echo "Installation result code: " & installationResult.ResultCode
Set objSysInfo = CreateObject("Microsoft.Update.SystemInfo")
If installationResult.RebootRequired Or objSysInfo.RebootRequired Then
    ' (Shutdown) grants SeShutdownPrivilege on the WMI connection.
    Set objWMIService = GetObject("winmgmts:" & _
        "{impersonationLevel=impersonate,(Shutdown)}!\\localhost\root\cimv2")
    Set colOperatingSystems = objWMIService.ExecQuery("Select * from Win32_OperatingSystem")
    For Each objOperatingSystem In colOperatingSystems
        objOperatingSystem.Reboot()
    Next
End If

Other API Uses
ISVs use the APIs for many other features as well
Distribute 3rd-party updates (quite complex)
Gather software and hardware inventory
Distribute updates to non-Windows devices
Your starting point is http://technet.microsoft.com/en-us/wsus/bb466192.aspx
API samples

Summary
WSUS is simple to use, but scales to the enterprise
Flexible server deployment options
Single server, scale up, branch office, scale out, disconnected, roaming laptops
Flexible update deployment options
Peer caching, delta patching, auto-approval rules, auto-reapprove revisions
Periodically tune the server (defrag + cleanup)
Public API and DB views can be used to extend the base functionality for many advanced scenarios
Starting point for all WSUS information: http://www.microsoft.com/updateservices

Question & Answer

Resources
www.microsoft.com/teched: Sessions On-Demand & Community
www.microsoft.com/learning: Microsoft Certification & Training Resources
http://microsoft.com/technet: Resources for IT Professionals
http://microsoft.com/msdn: Resources for Developers

Windows Server Resources
Make sure you pick up your copy of Windows Server 2008 R2 RC from the Materials Distribution Counter
Learn more about Windows Server 2008 R2: www.microsoft.com/WindowsServer2008R2
Technical Learning Center (Orange Section): highlighting Windows Server 2008 and R2 technologies, over 15 booths and experts from Microsoft and our partners
Complete an evaluation on CommNet and enter to win!

2009 Microsoft Corporation. All rights reserved. Microsoft, Windows, Windows Vista and other product names are or may be registered trademarks and/or trademarks in the U.S.
and/or other countries.
The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must
respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information
provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.
