Remove and Reinstall Microsoft WSUS

KB ID 0001679

Problem

I don’t like WSUS. The product is OK (ish); the problem with it is that every time it’s deployed, the person it was deployed for typically never looks after it or manages it properly, and months or years later it becomes a massive ‘bag of spanners’, which is never the client’s fault, it’s always the fault of the poor guy who built it, or of the support company.

If you run WSUS, log into the thing at least once a week, sort out reporting problems and approve updates accordingly. If I look at your WSUS and see ‘This machine has not reported in for 12 months’, then I’m going to care about it exactly as much as you do!

Solution

So let’s say you’re a conscientious tech and you’ve taken over WSUS from someone else who let it get into a state. There comes a point when it’s simpler to wipe it out and start again. It may be simpler still to create a new server/VM and reinstall from scratch; if that’s the case, do that instead of this! (Remember that any GPOs pointing clients at WSUS will need updating, unless the new server has the same FQDN and port as the old one.)

Here I’m removing WSUS and re-installing it on the same server. I already have GPOs set up pointing my clients to the WSUS server, so I don’t need to do that part.

Warning: If you use client-side targeting (the ‘Enable client-side targeting’ setting in your GPOs tells client machines which WSUS computer group they belong to), take a screenshot of, or write down, all the group names before you start, so you can add them back manually after the rebuild; a client that reports a group name WSUS does not know about lands in ‘Unassigned Computers’. If you have computer groups but don’t reference them from your GPOs, you don’t need to do this.

WSUS Removal Procedure

Mine’s a small, typical deployment using WID (Windows Internal Database). To confirm yours is too, look in C:\Windows\WID\Data for SUSDB.mdf. If yours is using SQL Server, you will need to drop the SUSDB database from that instance separately (assuming the instance only serves WSUS, of course!).

Remove WID and WSUS from an administrative PowerShell window;

[box]

Uninstall-WindowsFeature -Name UpdateServices,Windows-Internal-Database -Restart

[/box]

The -Restart switch reboots the server once the features are removed. When it comes back, open a new administrative PowerShell window and KEEP THAT WINDOW OPEN for the rest of the procedure.

Now locate the folder containing all your updates, usually called WSUS (unless it was named something bizarre!), then delete it. If you are not sure where it is, the path is recorded in the registry under HKLM\SOFTWARE\Microsoft\Update Services\Server\Setup in the ContentDir value (read this before you uninstall the role).

Now delete the C:\Windows\WID directory.

Now remove the IIS application pool for WSUS;

[box]

Import-Module WebAdministration
Set-Location IIS:\AppPools
Remove-Item .\WsusPool

[/box]

Whilst still in the IIS provider, move over to Sites and delete the ‘WSUS Administration’ website;

[box]

Set-Location IIS:\Sites
Remove-Item '.\WSUS Administration' -Recurse

[/box]

Reinstall the WSUS components;

[box]

Install-WindowsFeature -Name UpdateServices,UpdateServices-WidDB,UpdateServices-Services,UpdateServices-RSAT,UpdateServices-API,UpdateServices-UI

[/box]

Now launch the WSUS console (or use ‘Launch Post-Installation tasks’ from the Server Manager notification flag) and complete the configuration. Recreate your WSUS content directory and make sure there’s plenty of space for the updates. In production I would not have this on the C:\ drive!

Select your new folder.

Next > Untick ‘Join the Microsoft Update Improvement Program’ (if not required) > Next.

Next (Unless you have an upstream WSUS server) > Next (Unless you have a proxy server).

Start Connecting > Wait until it lets you continue.

Select the languages you require > Next > select the products you want to update > Next.

Select the ‘type’ of updates you require (I typically never select Service Packs, Update Rollups or Drivers, but that’s my preference) > Next > Select ‘Synchronize automatically’ and set it for early in the morning > Next.

Let it begin synchronisation > Next > Finish.

You can view synchronisation progress from the main WSUS window.

At this point you can set up any computer/server ‘test’ groups you require and start approving updates for those groups, or set up automatic approval if that’s your preferred option.
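The whole procedure above scripted end to end, as an added example that is not from the original article. It assumes a WID-backed WSUS whose old content folder is C:\WSUS, rebuilt with its content on D:\WSUS, and a scratch file C:\wsus-groups.txt (all three paths are hypothetical). It also saves the custom computer group names first, which covers the client-side targeting warning at the top of the article, and it checks for SUSDB.mdf before tearing anything down. The removal half reboots the server, so the rebuild half is run in a fresh administrative window afterwards.

```powershell
# Added example (not from the original article). Assumptions: WID-backed WSUS,
# old content folder C:\WSUS, new content folder D:\WSUS, group list saved to
# C:\wsus-groups.txt. All three paths are hypothetical; change them to suit.
$OldContentDir = 'C:\WSUS'
$NewContentDir = 'D:\WSUS'
$GroupBackup   = 'C:\wsus-groups.txt'

# Part 1: run BEFORE the uninstall. Confirms the database really is WID, reports
# the real content path, and saves the custom computer group names.
function Backup-WsusGroups {
    $wid = Join-Path $env:SystemRoot 'WID\Data\SUSDB.mdf'
    if (-not (Test-Path $wid)) {
        throw "No SUSDB at $wid. This server is not using WID; drop SUSDB from SQL Server instead."
    }
    # The content path is recorded by setup; read it rather than guessing.
    $setup = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Update Services\Server\Setup'
    Write-Host "Content directory is $($setup.ContentDir)"

    Import-Module UpdateServices
    $wsus = Get-WsusServer            # the local server
    $wsus.GetComputerTargetGroups() |
        Where-Object { $_.Name -notin @('All Computers', 'Unassigned Computers') } |
        Select-Object -ExpandProperty Name |
        Set-Content -Path $GroupBackup
    Write-Host "Saved group names to $GroupBackup"
}

# Part 2: remove the role and the database. This reboots the server.
function Remove-WsusRole {
    Uninstall-WindowsFeature -Name UpdateServices, Windows-Internal-Database -Restart
}

# Part 3: run in a NEW administrative window after the reboot.
function Install-WsusRole {
    # Leftover content and the old WID data files would otherwise be reused.
    foreach ($dir in @($OldContentDir, (Join-Path $env:SystemRoot 'WID'))) {
        if (Test-Path $dir) { Remove-Item -Path $dir -Recurse -Force }
    }
    # The uninstall leaves the IIS objects behind; remove them only if present.
    Import-Module WebAdministration
    if (Test-Path 'IIS:\AppPools\WsusPool')         { Remove-WebAppPool -Name 'WsusPool' }
    if (Test-Path 'IIS:\Sites\WSUS Administration') { Remove-Website -Name 'WSUS Administration' }

    $features = @('UpdateServices', 'UpdateServices-WidDB', 'UpdateServices-Services',
                  'UpdateServices-RSAT', 'UpdateServices-API', 'UpdateServices-UI')
    Install-WindowsFeature -Name $features

    # Post-install creates SUSDB and points WSUS at the content folder; this is
    # what the Server Manager post-installation task runs for you.
    New-Item -ItemType Directory -Path $NewContentDir -Force | Out-Null
    & "$env:ProgramFiles\Update Services\Tools\WsusUtil.exe" postinstall "CONTENT_DIR=$NewContentDir"

    # Put the custom computer groups back so client-side targeting keeps working.
    Import-Module UpdateServices
    $wsus     = Get-WsusServer
    $existing = $wsus.GetComputerTargetGroups() | Select-Object -ExpandProperty Name
    foreach ($name in (Get-Content -Path $GroupBackup | Where-Object { $_ })) {
        if ($name -notin $existing) { $wsus.CreateComputerTargetGroup($name) | Out-Null }
    }
}

# Usage: Backup-WsusGroups; Remove-WsusRole   (server reboots)   then   Install-WsusRole
```

The group backup is the step people forget: the GPO keeps sending the old group names, and until those groups exist again every client lands in ‘Unassigned Computers’. The configuration wizard (languages, products, classifications, schedule) still has to be run afterwards as the article describes.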

Computers Not Reporting Into WSUS or Erroring

For the most part, visiting the ‘problem client’, running through the update procedure manually and rebooting a few times will fix the problem (assuming that the GPO telling it to get its updates from WSUS is correct!).

But sometimes a client flatly refuses to check in at all. For those, run the following PowerShell commands on the client;

[box]

# Search for updates through the agent; with the WSUS policy applied this makes the client report to the server
$criteria = "IsInstalled=0"
$updateSession = New-Object -ComObject "Microsoft.Update.Session"
$updates = $updateSession.CreateUpdateSearcher().Search($criteria).Updates
$updates.Count

# Legacy switch: honoured on Windows 7 / Server 2008 R2, silently ignored on Windows 10 / Server 2016 and later
wuauclt /reportnow

[/box]

Related Articles, References, Credits, or External Links

Windows Server Update Services – Install and Configure

Windows Client(s) not ‘appearing’ in WSUS

Windows Client(s) not ‘appearing’ in WSUS

KB ID 0000591 

Problem

Before you start troubleshooting clients, how long have you waited? I usually set up and configure WSUS at the start of a job, then leave it alone for a few DAYS before I start worrying.

Here are the steps I usually follow to get the machines listed in the WSUS management console.

Solution

Before doing anything further, simply try running the following two PowerShell commands on the problem client, and then wait a few hours;

[box]

# Search for updates through the agent; with the WSUS policy applied this makes the client report to the server
$criteria = "IsInstalled=0"
$updateSession = New-Object -ComObject "Microsoft.Update.Session"
$updates = $updateSession.CreateUpdateSearcher().Search($criteria).Updates
$updates.Count

# Legacy switch: honoured on Windows 7 / Server 2008 R2, silently ignored on Windows 10 / Server 2016 and later
wuauclt /reportnow

[/box]

1. Assuming you are deploying your WSUS settings by GPO, make sure the machine in question is actually applying the policy. You can do this by running rsop.msc:

Or by running gpresult /R from the command line.

Note: If you cannot see Computer Policy / Computer Settings, i.e. you can only see user settings, then you are probably not running the command window as ‘Administrator’ (locate cmd.exe > right click > Run as Administrator).

2. If you are enforcing by GPO, or directly via registry edit, your next step is to check that the registry entries exist. Start > In the Search/Run box type regedit {Enter}. Navigate to the key below and check that WUServer and WUStatusServer hold your server’s URL (including the port, e.g. http://wsus:8530) and that UseWUServer under the AU subkey is 1:

[box]HKEY_LOCAL_MACHINE > SOFTWARE > Policies > Microsoft > Windows > WindowsUpdate[/box]

3. Start > In the Search/Run box type services.msc {Enter}. Locate the Windows Update service (wuauserv) and ensure it is running.

4. Then locate the Background Intelligent Transfer Service (BITS) and make sure that’s also running.

5. To make sure the client can see the WSUS website, open a browser window and navigate to http://{name-of-the-wsus-server}/iuident.cab (add :8530 after the server name if WSUS is on its own site rather than the default website) and make sure you can open/download the file.

6. If all the above is OK, you can try forcing a detection with the following command (honoured on Windows 7 / Server 2008 R2; on Windows 10 / Server 2016 and later the wuauclt switches are silently ignored);

[box]wuauclt /detectnow[/box]

7. All update events are logged. On Windows 7 / Server 2008 R2 the log is C:\Windows\WindowsUpdate.log; open it with Notepad. (On Windows 10 / Server 2016 and later that file is only a stub; run the PowerShell cmdlet Get-WindowsUpdateLog to build a readable copy on the desktop.)

8. Scroll all the way to the end, then work upwards looking for errors.

9. Sometimes if you image a machine (or clone a VM) without running Sysprep, it keeps its unique update client ID. If this happens, the first machine with this ID to register gets listed and all the rest do not. To find out if this is your problem, compare the SusClientId value (next step) on two affected clients; if it is identical, stop the Windows Update service on each affected client and continue.

10. Open the registry Editor and navigate to:

[box]HKEY_LOCAL_MACHINE > SOFTWARE > Microsoft > Windows > CurrentVersion > WindowsUpdate[/box]

Locate and delete the SusClientId and SusClientIdValidation entries (and AccountDomainSid and PingID if they are present).

11. Restart the Windows Update service and run the following two commands:

[box]

wuauclt /resetauthorization /detectnow
wuauclt /reportnow

[/box]
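The checks above (policy registry values, the two services, reachability of iuident.cab, the cloned SusClientId, and the forced check-in that the ‘Computers Not Reporting Into WSUS’ section earlier on this page also uses) gathered into one script. This is an added example, not from the original article; the function names and the wording of the warnings are mine, and it expects PowerShell 3.0 or later on the client.

```powershell
# Added example, not from the original article. Run in an elevated PowerShell
# (3.0 or later) on the problem client. Function names and warning text are mine.
$PolicyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
$ClientKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate'

function Test-WsusClient {
    # Steps 1-2: is the WSUS policy really applied? Without WUServer and
    # UseWUServer=1 the client talks to Microsoft Update, not to your server.
    $pol = Get-ItemProperty -Path $PolicyKey      -ErrorAction SilentlyContinue
    $au  = Get-ItemProperty -Path "$PolicyKey\AU" -ErrorAction SilentlyContinue
    if (-not $pol.WUServer)    { Write-Warning 'WUServer is not set: the WSUS GPO has not applied (check gpresult /R).' }
    if ($au.UseWUServer -ne 1) { Write-Warning 'UseWUServer is not 1: the client ignores WUServer.' }
    if ($pol.WUServer -and $pol.WUStatusServer -and $pol.WUServer -ne $pol.WUStatusServer) {
        Write-Warning 'WUServer and WUStatusServer differ: detection and reporting go to different servers.'
    }

    # Steps 3-4: both services must be running.
    foreach ($svc in @('wuauserv', 'bits')) {
        $s = Get-Service -Name $svc
        if ($s.Status -ne 'Running') {
            Write-Warning "$svc is $($s.Status), starting it."
            Start-Service -Name $svc
        }
    }

    # Step 5: fetch iuident.cab from exactly the URL the policy names (port included).
    if ($pol.WUServer) {
        $uri = $pol.WUServer.TrimEnd('/') + '/iuident.cab'
        try {
            Invoke-WebRequest -Uri $uri -UseBasicParsing -OutFile (Join-Path $env:TEMP 'iuident.cab')
            Write-Host "OK: fetched $uri"
        } catch {
            Write-Warning "Cannot fetch $uri ($($_.Exception.Message))"
        }
    }

    # Step 9: print the client ID so cloned machines can be compared side by side.
    $id = (Get-ItemProperty -Path $ClientKey -ErrorAction SilentlyContinue).SusClientId
    Write-Host "SusClientId: $id"
}

# Steps 6 and 11: force a detection and a report. The wuauclt switches are
# honoured on Windows 7 / Server 2008 R2 but silently ignored on Windows 10 /
# Server 2016 and later, so the Windows Update Agent COM interface is used too.
function Invoke-WsusCheckIn {
    (New-Object -ComObject Microsoft.Update.AutoUpdate).DetectNow()
    $searcher = (New-Object -ComObject Microsoft.Update.Session).CreateUpdateSearcher()
    $pending  = $searcher.Search('IsInstalled=0').Updates.Count
    Write-Host "$pending update(s) not yet installed according to the agent."
    wuauclt.exe /resetauthorization /detectnow
    wuauclt.exe /reportnow
}

# Steps 9-11: give a cloned client a fresh identity, then check in again.
function Reset-WsusClientId {
    Stop-Service -Name wuauserv -Force
    foreach ($v in @('SusClientId', 'SusClientIdValidation', 'AccountDomainSid', 'PingID')) {
        Remove-ItemProperty -Path $ClientKey -Name $v -ErrorAction SilentlyContinue
    }
    Start-Service -Name wuauserv
    Invoke-WsusCheckIn
}

# Usage: Test-WsusClient; Invoke-WsusCheckIn    (Reset-WsusClientId only on cloned machines)
```

Only reset the client ID on machines you have confirmed share one; doing it on a healthy client just creates a duplicate entry in the console for the same box.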

Update 16/06/15

Received via Email from Patrick Mauger:

You can add an incorrect binding in IIS to the site WSUS Administration.

You need to add a binding for port 80, because the only ports configured are 8530 and 8531.

Related Articles, References, Credits, or External Links

Windows Server Update Services – Install and Configure (2008 R2)

WSUS Install Error – ‘The update could not be found. There may be a network connection issue.

Message ID 6600: sms wsus configuration manager failed to configure upstream server

WSUS Install Error on Windows Server 2008 R2

Windows Error Code 0x800F0954

KB ID 0001626

Problem

Seen when attempting to add a Windows Optional Feature;

Windows couldn’t complete the required changes.
The changes could not be completed. Please reboot your computer and try again
Error code: 0x800F0954

Solution

Typically you see this error when the machine is set to get its updates from WSUS: the files for optional features (Features on Demand) are not served by WSUS by default, so the client has to be allowed to fetch them directly from Microsoft. You can change this with a group policy.

  • For Local Policy: Windows Key+R > gpedit.msc {Enter}
  • For Domain Policy: (On a domain controller) > Windows Key+R > gpmc.msc {Enter} > Create a new policy or edit one that’s linked to computer objects.

Navigate to;

[box]

Computer Configuration > Administrative Templates > System

[/box]

Locate ‘Specify settings for optional component installation and component repair’.

Set to Enabled > Tick ‘Download repair content and optional features directly from Windows Update instead of Windows Server Update Services (WSUS)’ > Apply > OK > Close the policy editor.

Then either wait for the policy to apply, or force it: see Windows – Forcing Domain Group Policy.
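For a standalone machine (the ‘Local Policy’ case above), the same setting written directly to the registry values that policy controls, followed by a retry of the feature add that was failing. This is an added example, not from the original article: the value name and its meaning are taken from the Servicing ADMX that defines this policy, the function names are mine, and the capability name in the usage line is only an illustration. On domain members, set it through the GPO as described and let Group Policy deliver it; a hand-written value is overwritten at the next refresh.

```powershell
# Added example (not from the original article). Local equivalent of the
# 'Specify settings for optional component installation and component repair'
# policy, plus a retry of the feature add. The capability name in the usage
# line is illustrative only; use Get-WindowsCapability -Online to find yours.
$ServicingKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Servicing'

function Set-OptionalFeatureSource {
    param([switch]$FromWindowsUpdate)
    if (-not (Test-Path $ServicingKey)) { New-Item -Path $ServicingKey -Force | Out-Null }
    if ($FromWindowsUpdate) {
        # 2 = 'Download repair content and optional features directly from
        # Windows Update instead of WSUS' (the value Servicing.admx writes).
        Set-ItemProperty -Path $ServicingKey -Name 'RepairContentServerSource' -Type DWord -Value 2
    } else {
        # Back to the default: payload is requested from the configured WSUS server.
        Remove-ItemProperty -Path $ServicingKey -Name 'RepairContentServerSource' -ErrorAction SilentlyContinue
    }
}

function Get-OptionalFeatureSource {
    $v = (Get-ItemProperty -Path $ServicingKey -ErrorAction SilentlyContinue).RepairContentServerSource
    if ($v -eq 2) { 'WindowsUpdate' } else { 'WSUS' }
}

function Add-OptionalFeature {
    param([Parameter(Mandatory = $true)][string]$Name)
    if ((Get-OptionalFeatureSource) -ne 'WindowsUpdate') {
        Write-Warning 'Payload source is WSUS; expect 0x800F0954 unless WSUS carries the feature files.'
    }
    Add-WindowsCapability -Online -Name $Name -ErrorAction Stop | Out-Null
    # Read the state back rather than trusting the return code.
    (Get-WindowsCapability -Online -Name $Name).State
}

# Usage (illustrative capability name):
# Set-OptionalFeatureSource -FromWindowsUpdate
# Add-OptionalFeature -Name 'Rsat.ActiveDirectory.DS-LDS.Tools~~~~0.0.1.0'   # expect 'Installed'
# Set-OptionalFeatureSource     # optional: send payload requests back to WSUS afterwards
```

Flipping the source back afterwards keeps the machine’s normal update traffic on WSUS; the override is only needed while the feature files are fetched.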

Related Articles, References, Credits, or External Links

NA

Error sqlservr.exe is using too much memory

KB ID 0000190 

Problem

Seen on SBS 2008 with WSUS.

The Windows Internal Database (the one used by WSUS) has no upper memory limit set by default, so the SQL engine will keep growing its buffer pool until it has taken as much as it wants. On a server that has other jobs to do this is a BAD thing!

Your server will struggle because the following service consumes too much memory:

SQL/MSSQL$MICROSOFT##SSEE

Solution

1. Click Start > In the search/run box type CMD {Enter} (run it as Administrator; the internal database only accepts connections from members of the local Administrators group).

2. At the command line issue the following commands. The -S value is the named pipe of the internal database instance and the 512 is the cap in MB, so size it for your server:

[box]
sqlcmd -S \\.\pipe\mssql$microsoft##ssee\sql\query -E
sp_configure 'show advanced options', 1;
reconfigure;
go
sp_configure 'max server memory', 512;
reconfigure;
go
exit
[/box]
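The same change wrapped in PowerShell with a read-back of the value that actually took effect, as an added example that is not from the original article. It goes beyond the page’s SBS 2008 case: on Server 2012 and later the Windows Internal Database listens on a different named pipe (\\.\pipe\MICROSOFT##WID\tsql\query) under a different service name, so the function picks the pipe from whichever service is installed. The 512 MB figure is the article’s; the function names are mine.

```powershell
# Added example (not from the original article). Caps the Windows Internal
# Database's memory and reads the setting back. Needs sqlcmd.exe on the path
# and must run elevated (the WID pipe only admits local administrators).
function Get-WidPipe {
    # SBS 2008 / Server 2008 R2 ship the SSEE instance; Server 2012+ ship WID.
    if (Get-Service -Name 'MSSQL$MICROSOFT##WID' -ErrorAction SilentlyContinue) {
        return 'np:\\.\pipe\MICROSOFT##WID\tsql\query'
    }
    if (Get-Service -Name 'MSSQL$MICROSOFT##SSEE' -ErrorAction SilentlyContinue) {
        return 'np:\\.\pipe\mssql$microsoft##ssee\sql\query'
    }
    throw 'No Windows Internal Database service found on this machine.'
}

function Set-WidMaxMemory {
    param([int]$MegaBytes = 512)
    $sql = @"
EXEC sp_configure 'show advanced options', 1; RECONFIGURE;
EXEC sp_configure 'max server memory (MB)', $MegaBytes; RECONFIGURE;
SET NOCOUNT ON;
SELECT value_in_use FROM sys.configurations WHERE name = 'max server memory (MB)';
"@
    # -E Windows auth, -h -1 no column headers, -W trim padding: the result is
    # the bare number plus sp_configure's informational lines, which we filter.
    $out = & sqlcmd.exe -S (Get-WidPipe) -E -h -1 -W -Q $sql
    return [int]($out | Where-Object { $_ -match '^\d+$' } | Select-Object -First 1)
}

# Usage: Set-WidMaxMemory -MegaBytes 512    # returns 512 once the cap is in force
```

value_in_use is the figure the engine is currently honouring; if it still shows the old value after RECONFIGURE, the change did not apply and the engine will carry on growing.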

Related Articles, References, Credits, or External Links

NA

WSUS Install Error on Windows Server

KB ID 0000295 

Problem

When you try to install WSUS 3.0 SP1 (Windows Server Update Services) onto Windows Server 2008 R2 you see the following error,

Error:
This program is blocked due to compatibility issues
Check online to see if solutions are available from the Microsoft website. If solutions are found, 
Windows will automatically display a website that lists steps you can take.
Program: Windows Server Update Services
Publisher: Microsoft
Location: C:\{huge hex number}\WusSetup.exe

Solution

WSUS 3.0 SP1 is NOT supported on Windows Server 2008 R2; you need to download and install WSUS 3.0 SP2 from here.

Related Articles, References, Credits, or External Links

NA

WSUS Install Error – ‘ The update could not be found. There may be a network connection issue.’

KB ID 0000585 

Problem

Seen on a ‘brand new’ install of Windows Server 2008 R2 while attempting to install Windows Server Update Services.

Windows Server Update Services Installation Failed The update could not be found. There may be a network connection issue.

Solution

1. Internet access was fine, though as it was complaining about an update, I did a full Windows update, and left it running while I went for a coffee.

2. After the updates, the installation proceeds without error.

Update 24/05/16

Email From Efre: I had the same problem with WSUS, and the problem was that I was trying to install a new fresh WSUS, having had a previous installation that was out of service. But I had not removed the domain update policies from Active Directory. The new WSUS install reports the same error that you show in your post. Thanks to you I realised that.
 
I hope this helps someone else.
Regards

Related Articles, References, Credits, or External Links

Windows Server Update Services – Install and Configure (2008 R2)

Windows Server Update Services – Install and Configure

KB ID 0000592

Problem

Windows Server Update Services, or WSUS (previously called SUS, Software Update Services), was an additional download that let one or more servers in your organisation handle the updates for your Windows clients and Microsoft applications.

With Server 2008 R2 it is included as a server ‘role’ rather than a separate download. It’s a great tool for centrally managing and reporting on your network’s update status, and if you do not allow your clients web access, it lets you update them without punching holes in your firewall. It also saves all your clients pulling their updates from Microsoft individually and hammering your internet connection.

Solution

WSUS Prerequisites

Before you start, make sure the server you are going to use is fully updated. You will also need about 6 GB free for the update store (that is the installer’s minimum; a production deployment with several products and languages needs far more, so put the store on its own volume).

Step 1 Add and Configure the Windows Server Update Services Role

1. On the WSUS server run Server Manager (CompMgmtLauncher.exe) > Roles > Add Roles > If you see the ‘Before you begin’ page click Next > Select ‘Windows Server Update Services’ > At this point, if IIS is not installed it will ask to add the required role services > Let it do so > Next.

2. Next > Next > Next > Install > During the install the WSUS Setup Wizard will start > Next > Accept the EULA > Next > Specify a location to store the updates > Next.

3. You can choose an existing database server, or click Next to install and use the Windows Internal Database (an embedded SQL Server engine) > Choose your web site settings > Next.

Note: The default setting will install and configure the web services on TCP port 80 (http). If you have another service or program using that port you will have a problem (e.g. a program that uses the Apache web server, or UPS software that has a management console on port 80). If you choose the second option it will set the site up on TCP port 8530 for http and 8531 for https.

4. Next > Finish > Now the configuration wizard will open > Next > Next > If you are going to pull your updates from another WSUS server enter it here, if not click Next > If you need to enter proxy server details do so > Next > Click ‘Start Connecting’ (this can take a while) > Next.

5. Select the languages you want to download > Next > Select the products you would like to download updates for > Next.

6. Select the ‘Classifications’ (types of update) you want to serve > Next > Set your sync schedule (I usually do this once a day) > Next.

7. Next > Finish > Close.

Step 2 Group Policy Settings for WSUS Clients.

Remember these policies are Computer Policies, NOT User Policies: link the GPO to an OU containing your computers. If you link it to an OU that only contains users, nothing will happen!

1. On a domain controller > Start > Administrative Tools > Group Policy Management > Locate the OU containing your computers > Right click and create a new GPO.

2. Give the GPO a name > Then edit the new GPO > Navigate to Computer Configuration > Policies > Administrative Templates > Windows Components > Windows Update.

3. Edit the settings on the right to suit your requirements; at a minimum set ‘Specify intranet Microsoft update service location’ to your server’s URL (with the port, e.g. http://wsus-server:8530) and ‘Configure Automatic Updates’ to the install behaviour you want > Close the Group Policy editor window.

4. Your clients will get these settings next time they boot, at their next background refresh (every 90 minutes plus a random offset of up to 30 minutes), or after you run ‘gpupdate /force’ on them.

5. If you check your clients you will see their Windows Update settings are now ‘grayed out’.
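Step 2 as a script using the GroupPolicy module, as an added example that is not from the original article. The GPO name, the WSUS URL and the OU are placeholders for your own values. It points clients at the HTTPS port (8531) rather than plain HTTP so that the connection is authenticated and cannot be quietly redirected; that only works once the WSUS site has a certificate the clients trust, so use http://…:8530 until that is in place. The function names are mine.

```powershell
# Added example (not from the original article). Creates and links a WSUS client
# GPO. GPO name, WSUS URL and OU are placeholders; replace them with your own.
Import-Module GroupPolicy

function New-WsusClientGpo {
    param(
        [string]$Name     = 'WSUS Clients',
        [string]$WsusUrl  = 'https://wsus.example.local:8531',   # http://wsus.example.local:8530 until the site has a trusted cert
        [string]$TargetOu = 'OU=Workstations,DC=example,DC=local'
    )
    $wu = 'HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
    $au = "$wu\AU"

    $gpo = Get-GPO -Name $Name -ErrorAction SilentlyContinue
    if (-not $gpo) { $gpo = New-GPO -Name $Name }

    # 'Specify intranet Microsoft update service location': detection and
    # reporting both go to our server, and the client is told to use it.
    Set-GPRegistryValue -Name $Name -Key $wu -ValueName 'WUServer'       -Type String -Value $WsusUrl | Out-Null
    Set-GPRegistryValue -Name $Name -Key $wu -ValueName 'WUStatusServer' -Type String -Value $WsusUrl | Out-Null
    Set-GPRegistryValue -Name $Name -Key $au -ValueName 'UseWUServer'    -Type DWord  -Value 1        | Out-Null

    # 'Configure Automatic Updates': 4 = auto download and schedule the install,
    # every day (0) at 03:00; change to suit your maintenance window.
    Set-GPRegistryValue -Name $Name -Key $au -ValueName 'NoAutoUpdate'         -Type DWord -Value 0 | Out-Null
    Set-GPRegistryValue -Name $Name -Key $au -ValueName 'AUOptions'            -Type DWord -Value 4 | Out-Null
    Set-GPRegistryValue -Name $Name -Key $au -ValueName 'ScheduledInstallDay'  -Type DWord -Value 0 | Out-Null
    Set-GPRegistryValue -Name $Name -Key $au -ValueName 'ScheduledInstallTime' -Type DWord -Value 3 | Out-Null

    # These are computer settings only; switching the user half off stops it
    # being processed for nothing.
    $gpo.GpoStatus = 'UserSettingsDisabled'

    # Link to the computer OU (New-GPLink errors if the link already exists).
    New-GPLink -Name $Name -Target $TargetOu -LinkEnabled Yes -ErrorAction SilentlyContinue | Out-Null
    return $gpo
}

# Read back what the GPO will push, to confirm the URL (and port) are right.
function Get-WsusClientGpoTarget {
    param([string]$Name = 'WSUS Clients')
    $key = 'HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
    (Get-GPRegistryValue -Name $Name -Key $key -ValueName 'WUServer').Value
}

# Usage: New-WsusClientGpo; Get-WsusClientGpoTarget    # returns the configured WSUS URL
```

Run gpresult /R on a client after the next refresh to confirm the GPO is listed under Computer Settings; if it appears only under User Settings, it is linked to the wrong OU.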

Step 3 Configure Windows Server Update Services.

1. WAIT a while before returning to the WSUS server to configure it (I typically wait a few days). Assuming your computers are now appearing in the ‘Computers’ section, you need to either manually approve the updates or set them to be approved automatically.

If your computers fail to ‘appear” see Windows Client(s) not ‘appearing’ in WSUS

2. If you want to simply “Auto approve” all new updates then navigate to Options > Automatic approvals > And Select the “Default Automatic Update Rule” > Click the Hyperlinks in the rule to edit them > Apply > Run Rule > Select ‘Yes’ to save and run.

3. If you want to create computer groups and roll out updates in a more staged manner, you can create different computer groups, and add your computers to those groups.

4. If you want to manually approve updates navigate to Updates > All updates > Select the “Unapproved” updates > Right Click > Approve > Select your computer groups as appropriate.

Note: You can select a range of updates by holding down Shift, or pick individual ones by holding Ctrl while clicking.

Related Articles, References, Credits, or External Links

Windows Client(s) not ‘appearing’ in WSUS

WSUS Install Error – ‘The update could not be found. There may be a network connection issue.’

Message ID 6600: sms wsus configuration manager failed to configure upstream server

WSUS Install Error on Windows Server 2008 R2

Managing Forefront Endpoint Protection (FEP) with Microsoft Group Policy (GPO)

KB ID 0000604

Problem

FEP is Microsoft’s offering for antivirus; try to think of it as the corporate version of Security Essentials. Just about everything on the net for managing it seems to be geared to managing it with SCCM, which is fine if you have SCCM, but what if you don’t? Thankfully you can manage it with Group Policy, even if information on how to do it is rarer than hens’ teeth!

With a Microsoft CoreCAL you can use the FEP client, so if you already have CoreCALs, then it’s a solution that can save you some cash on your corporate AV strategy.

Solution

Installing Forefront Endpoint Protection

The client software is available in x64 and x86 flavours and is installed from a single executable (FEPInstall.exe). There is no MSI installer (yeah, thanks Microsoft!), so if you want to roll it out en masse, you need to either install it using a startup script, include the software in your ‘master/golden image’ and re-image your machines, or tear your hair out trying to work out SCCM.

Managing Forefront Endpoint Protection with Group Policy

1. First you need to download the policy definitions, then copy the FEP2010.admx file to %SystemRoot%\PolicyDefinitions.

2. Then copy the FEP2010.adml file to %SystemRoot%\PolicyDefinitions\en-US.

Creating a Group Policy Central Store

3. If you keep all your ADMX policy definitions in a central location, every Group Policy editor in the domain uses the same set. The correct place is the Policies folder in SYSVOL (this is where your clients read their group policies from). To create the directory issue the following command;

[box]MD "%logonserver%\sysvol\%userdnsdomain%\policies\PolicyDefinitions"[/box]

4. Now copy all your policy files into it, (from the folder we used earlier) with the following command;

[box]xcopy %SystemRoot%\PolicyDefinitions\*.* "%logonserver%\sysvol\%userdnsdomain%\policies\PolicyDefinitions" /S /Y[/box]

5. Then either create a new policy, or edit an existing one that’s linked to the COMPUTER objects you want to manage.

6. Navigate to;

[box]Computer Configuration > Policies > Administrative Templates > System > Forefront Endpoint Protection 2010[/box]

Here you will find the policy settings you require.

7. When you are controlling settings via GPO this is what you will see on the client machines.

Importing and Exporting Forefront Policy Settings

8. From the files you extracted earlier locate and run the FEP2010GPTool.exe. From here you can import and export all the policy settings from a particular group policy. Microsoft have published a set of policy settings which you can download for various server roles.

Note: By default each policy you import will merge with the existing settings in the GPO, unless you tick the “clear the existing Forefront Endpoint Protection settings before import” option.

Updates for Forefront Endpoint Protection

9. FEP uses the machine’s existing Windows Update path to get its definition and engine updates. If you have a WSUS server you will need to enable them under Options > Products and Classifications: the ‘Forefront Endpoint Protection 2010’ product and the ‘Definition Updates’ classification.

10. If you DON’T have WSUS but you are behind a proxy, you can manage FEP proxy settings from the following policy.

Related Articles, References, Credits, or External Links

NA

Install SCCM 2007 on Windows Server 2008 R2 – Step by Step

KB ID 0000297

Problem

I had to work out how to do this for a client, and as is my modus operandi, I’ll try and save you some of the pain I endured,

Products Used

System Center Configuration Manager 2007 SP2, Windows Server 2008 R2, SQL Server 2008 R2 (at the time of writing neither officially supported nor unsupported for SCCM).

Note: I was originally going to use SQL 2005 – hence the reason the SQL servers name is SCCM-SQL2005, however I bit the bullet and used SQL 2008 R2 instead.

Solution

Step 1: SCCM Domain pre install work.

1. Create two groups in Active Directory.

a. SCCM administrator group: SCCM-ADMIN
b. SQL administrator group: SQL-ADMIN

2. Add both groups to the Domain Admins group. (That is a lab shortcut: it makes the SQL service account a domain administrator, so anyone who compromises the SQL server owns the domain. In production, give the groups local Administrator rights on the SCCM and SQL servers and the specific SCCM and SQL roles they need instead.)

3. Create two new users: sccmadmin and sqladmin.

4. Add sccmadmin to SCCM-ADMIN group and add sqladmin to SQL-ADMIN group.

Step 2: SCCM Pre requisites

1. Add the IIS (Web Server Role).

2. Add the following IIS Role Services:

a. HTTP Redirection
b. ASP.NET
c. Windows Authentication
d. IIS 6 Metabase Compatibility
e. IIS 6 WMI Compatibility

3. Add the following “server Features”:

a. Background Intelligent Transfer Service (BITS)
b. Remote Differential Compression

4. If you are NOT running Windows Server 2008 R2, download and install WebDAV (it is already included in Windows Server 2008 R2). If you are running R2 skip to the next step.

5. Server Manager > Roles > Web Server (IIS) > Add Role Services > WebDAV Publishing > Next > Close.

6. To enable WebDAV > Start > Administrative Tools > Internet Information Services (IIS) Manager > Expand {server name} > Sites > Default Web Site > WebDAV Authoring Rules.

7. Select Enable WebDAV (on the right hand side).

8. Select Add Authoring Rule > All Content > All Users > Permissions > Read > OK.

9. Select the rule you have just created > WebDAV Settings.

10. Change “Allow Anonymous Properties Queries” to True > Change “Allow Custom Properties” to False > Change “Allow Property Query with Infinite Depth” to True > Change “Allow hidden files to be listed” to True > Apply.

11. WSUS needs to be installed on the SCCM server. Note: Server 2008 R2 needs Windows Server Update Services 3.0 SP2; if you try to install SP1 you will see this error.

12. From the WSUS installation choose ‘Full server installation’ > DO NOT accept the default ‘Use the existing IIS Default Web site’ > Use ‘Create a Windows Server Update Services 3.0 SP2 Web site’ (Note: this will use TCP port 8530 by default).

Step 3: SCCM Install SQL Server.

1. From the SQL install media run setup.exe > Installation > “New Installation or add features to an existing Installation” > OK.

2. Enter product Key if applicable > Next > “I accept…” > Next > Install > Next > Next.

3. Tick Database Engine Services > Tick Management Tools (Basic and Complete) > Next.

4. Next > Accept the defaults > Next > Next.

5. On the Server Configuration page > Select ‘Use the same account for all SQL Server services’ > Select the user you created originally (sqladmin) > Set the SQL Server Agent and SQL Server Database Engine startup type to ‘Automatic’ > Next.

6. Accept “Windows Authentication” > Add in your SCCM-ADMIN group and SQL-ADMIN group > Next > Next > Next > Install.

7. When it’s completed click close.

Step 4: Prepare Active Directory for SCCM

1. Extend the schema > From the install media run SMSSETUP\BIN\i386\extadsch.exe (as a member of Schema Admins).

2. Check the above was successful by opening C:\ExtADSch.log; it should say ‘Successfully extended the Active Directory schema’.

3. We now need to create some Active Directory objects. Go to a domain controller > Start > Administrative Tools > ADSI Edit > Action > Connect to > leave everything at its defaults > OK.

4. Expand the Default naming context > Expand your domain name > Right click ‘System’ > New > Object > Container > Next.

5. Call it “System Management” > Next > Finish > Close ADSI Edit.

6. Still on the domain controller > Start > dsa.msc {Enter} > View > Advanced Features.

7. Expand ‘System’ > Locate the container you created, ‘System Management’ > right click it and select Properties > Security tab > Add > Object Types > Tick Computers > OK.

8. Click Advanced > Find Now > Locate and add the SCCM-ADMIN group you created earlier > Also add the SCCM server’s computer account > OK.

9. Grant Allow ‘Full Control’ to both the SCCM admin group and the SCCM server.

10. Now click advanced > Select the SCCM-ADMIN group > Edit.

11. Change the “Apply to” section from “This object only” to “This object and all descendant objects” > OK > Apply > OK.

12. Repeat the above for the SCCM server’s computer object.
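Items 3 to 12 of Step 4 scripted with the ActiveDirectory module, as an added example that is not from the original article. The group name is the SCCM-ADMIN group from Step 1; the site server’s computer account is assumed to be called SCCM-SERVER (a placeholder). It grants Full Control on the container and all descendant objects, which is what the GUI steps above do, and the second function reads the ACL back so you can see the two ACEs landed. The function names are mine.

```powershell
# Added example (not from the original article). Run on a DC, or anywhere the
# RSAT AD module is installed, as an account allowed to create objects under
# CN=System. 'SCCM-SERVER' is an assumed computer account name.
Import-Module ActiveDirectory

function New-SccmSystemManagementContainer {
    param(
        [string]$AdminGroup = 'SCCM-ADMIN',
        [string]$SiteServer = 'SCCM-SERVER'
    )
    $domainDn = (Get-ADDomain).DistinguishedName
    $systemDn = "CN=System,$domainDn"
    $smDn     = "CN=System Management,$systemDn"

    # Items 3-5: the container itself (skipped if it already exists).
    if (-not (Get-ADObject -LDAPFilter '(cn=System Management)' -SearchBase $systemDn -SearchScope OneLevel)) {
        New-ADObject -Name 'System Management' -Type container -Path $systemDn
    }

    # Items 6-12: Full Control for the admin group and the site server's computer
    # account, applied to this object and all descendant objects.
    $acl = Get-Acl -Path "AD:\$smDn"
    $principals = @(
        (Get-ADGroup    -Identity $AdminGroup).SID,
        (Get-ADComputer -Identity $SiteServer).SID
    )
    foreach ($sid in $principals) {
        $rule = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
            $sid,
            [System.DirectoryServices.ActiveDirectoryRights]::GenericAll,
            [System.Security.AccessControl.AccessControlType]::Allow,
            [System.DirectoryServices.ActiveDirectorySecurityInheritance]::All)
        $acl.AddAccessRule($rule)
    }
    Set-Acl -Path "AD:\$smDn" -AclObject $acl
    return $smDn
}

# Read back who holds Full Control on the container and how it inherits.
function Get-SccmContainerFullControl {
    $smDn = "CN=System Management,CN=System,$((Get-ADDomain).DistinguishedName)"
    (Get-Acl -Path "AD:\$smDn").Access |
        Where-Object { $_.ActiveDirectoryRights -eq 'GenericAll' -and $_.AccessControlType -eq 'Allow' } |
        Select-Object IdentityReference, InheritanceType
}

# Usage: New-SccmSystemManagementContainer; Get-SccmContainerFullControl
```

Keep the grant to this container only: SCCM needs to publish site objects under System Management, not anywhere else in the directory, so there is no reason for the site server’s computer account to hold rights higher up the tree.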

Step 5: Install SCCM

1. Log on as the sccmadmin user.

2. From within the SCCM setup media run splash.hta > Run the Pre requisite checker > Enter the SQL Server name > SCCM server name and the FQDN of the SCCM server > OK.

3. Note: If you cannot talk to the SQL server, check that the Windows Firewall on it is not blocking you. Rather than turning the firewall off, add an inbound rule allowing the SQL port (TCP 1433 for a default instance) from the SCCM server; Start > Run > firewall.cpl gets you to the firewall settings.

4. All being well it should say “All required pre requisite tests have completed successfully” > OK.

5. Re-run Splash.hta > This time choose Install Configuration Manager 2007 SP2 > Next > ‘Install a Configuration Manager site server’ > Next.

6. Tick ‘I accept these license terms’ > Next > Custom Install > Next > Primary Site > Next > Next > Enter the unlock code if applicable > Next > Accept/change the install directory > Next > Enter a site code and friendly name > Next.

DO NOT ever try to change this code, and don’t forget it!!

7. Change the site mode to ‘Configuration Manager Mixed Mode’ (native mode requires certificate services and considerably more work) > Next.

8. Accept the defaults (everything except NAP) > Next.

9. Enter your SQL server name > Next > Next > Next > Next > Next.

10. Select a location to install the updates to > Next.

11. Updates will download this may take some time > when finished it should say it was successful > OK > Next.

12. It will run the pre requisite check again > when finished click begin install.

13. When finished click Next > Finish.

14. Now you need to send out the clients and configure SCCM; I’ll cover that in a later article.

Related Articles, References, Credits, or External Links

SCCM 2007 Initial Setup and Configuration

SCCM OSD Capture a Windows 7 Reference Machine

Message ID 6600: sms wsus configuration manager failed to configure upstream server

KB ID 0000313

Problem

Seen in the SMS_WSUS_SYNC_MANAGER component status.

Solution

This is basically a comms/configuration error, so if you have the firewall on, make sure the correct ports are open! In my case I’d configured the SCCM server as per my own instructions here.

But when I configured the Software Update Point (SUP) I’d told it to use ports 80 and 443.

1. To check yours, click Start > Administrative Tools > IIS Manager > Locate the ‘WSUS Administration’ site and check the port numbers (mine are 8530 and 8531).

2. You can simply remove your Software Update Point and add it back in with the correct port numbers (it’s under Site Database > Site Management > {Your Site} > Site Systems > Server name).

Related Articles, References, Credits, or External Links

Windows Server Update Services – Install and Configure (2008 R2)