For those of you who may have not "synched" yet today, I'm also pleased to let you know the latest MSI.dll fix addressing it's portion of the Svchost/msi issue (KB927891)  is also available via WU and WSUS today!

-Bobbie

There is a really valuable blog post on the Hey Scripting Guy! blog that explains how to install and configure WSUS on Windows Server 2012 using PowerShell. Enjoy!

http://blogs.technet.com/b/heyscriptingguy/archive/2013/04/15/installing-wsus-on-windows-server-2012.aspx

P.S. we're looking at improving our own PowerShell coverage in WSUS in the future as part of our work towards compliance with Microsoft's Common Engineering Criteria. If there are scenarios you find particularly painful or just missing, please let us know in the comments below. We'll consider and respond to every piece of feedback!

When you use System Center Configuration Manager (SCCM) to manage updates, SCCM causes clients not to use WSUS servers directly for all operations (such as reporting). In this configuration, it is possible for multiple WSUS instances as part of SCCM to share the same database but not be configured as a NLB cluster. Technet states:

When you install more than one software update point at a primary site, use the same WSUS database for each software update point in the same Active Directory forest. If you share the same database, it significantly mitigates, but does not completely eliminate the client and the network performance impact that you might experience when clients switch to a new software update point. A delta scan still occurs when a client switches to a new software update point that shares a database with the old software update point, but the scan is much smaller than it would be if the WSUS server had its own database.

To set up such a configuration, you would install multiple SCCM SUPs with WSUS on shared database, configure WSUS/SUP to store content on a file share, but stopping short of enabling NLB.

1. Install SQL
2. Install first WSUS server creating database
3. Install other WSUS servers creating database
4. Create share for content (computer accounts must have change permission)
5. On first WSUS server Use WSUSutil movecontent to change location
6. On each WSUS server, in IIS ensure the “Content” virtual directory path is set to the share, and specify an account to use to connect to the path (to cater for anonymous access).
7. Add SUP (Software Update Point) role to first server and synch.
8. Add SUP role to other servers.

Rather than connecting to WSUS directly, clients are choosing a random SUP to connect to (which is their expected behavior, and why the NLB is not needed on the server side). This is a supported configuration of WSUS, but only when WSUS is being used in a SCCM deployment.

Have you checked out our homepage lately?  Who says you can't get something for nothing?

http://www.microsoft.com/technet/windowsserver/wsus/default.mspx

Updates under Windows 8 Dynamic Update Category are used by Windows 8 and Windows Server 2012 to obtain critical driver, component and setup improvements during initial setup. These updates are automatically obtained by PCs during setup.  In environments managed by WSUS, SCCM or Intune, it’s important to approve this category to ensure your devices have access to the same critical updates to ensure successful initial setup of your PC.  For additional information about Dynamic Updates, see TechNet link http://technet.microsoft.com/en-us/library/jj618316.aspx.”

Hi Folks –

Just want to make sure you know we are actively following up on the comments posted on the svchost/msi issue.   We are working on reproducing the reported performance issues on various systems in our labs.  We will keep you posted as to the findings.

I also want to provide some clarification with install instructions for both the new client and the MSI fix, as well as upcoming available automatic distribution options, and the performance expectations after the MSI fix and new client are installed.

Build 0374 AU client/ WSUS 3.0 client:

While we are engaged in a world-wide deployment of the new AU client (build .0374), this staged deployment is occurring in a wave which we expect to complete by early June.  This means that for AU users, the new client bits will just automatically self update when visiting the site before mid –June, and for WSUS users, you will be able to download the bits after 5/22/2007 (or upgrade to WSUS 3.0 now).

To make the client available earlier vs. waiting for the duration of  the world-wide roll-out, we released the client in a ‘stand-alone’ form which you can download from the Download Center now.    The version of the client is 0374 – and  can be installed directly from:

http://download.windowsupdate.com/v7/windowsupdate/redist/standalone/WindowsUpdateAgent30-x86.exe

http://download.windowsupdate.com/v7/windowsupdate/redist/standalone/WindowsUpdateAgent30-x64.exe

http://download.windowsupdate.com/v7/windowsupdate/redist/standalone/WindowsUpdateAgent30-ia64.exe

Further instructions can be found in http://msdn2.microsoft.com/en-us/library/aa387285.aspx

Please verify on your systems, the client version here is:  <windows dir>\system32\wuaueng.dll is 7.0.6000.374

KB927891/MSI fix:

To make sure you have the latest MSI fix in  KB927891,  make sure your MSI.dll  binary version for supported platforms are exactly as documented under files in:

http://support.microsoft.com/kb/927891 .

This MSI fix will be available via MU/WU (and there by WSUS) by late May early June.

Expected results:  It’s important to note that with the MSI fix and the new client installed,  the CPU may still go near 100%, but the system should still be responsive and not lock up.  If another task requires CPU cycles they will be shared, but if the system is idle, MSI will use the full cycles available.  If a task is running at the same time as MSI, the system may be slightly slower,  but should still be responsive during this time.  Key to remember the MSI fix and the new client address  unresponsive or locked systems.  CPU spikes during some scans are expected, machine unresponsiveness is not. If your watching the process monitor, you will still see 100% CPU during some scans and this is expected behavior.

Next steps for problem systems:  

 If, after checking these installations, and reviewing expected behavior, iyou are still experiencing this issue and have a system which we can remote into, or obtain logs from,  for further investigation, please contact me directly at bobbieh@microsoft.com.  The windowsupdate.log from the system experiencing the performance issue would be helpful information as well as full system description of hardware, platform and additional programs installed and running.

Thank you,

Bobbie Harder

PM, WSUS CPE

WSUS Admins:

On April 15^th the Office Genuine Advantage (OGA) notifications update (KB949810) was inadvertently published to WSUS servers for approximately twenty-four hours. This update was intended for Microsoft Office users in the pilot countries of Italy, Spain, Turkey and Chile, but because of WSUS publication, it became available to WSUS managed clients inside and outside of these intended countries.  This update has since been removed from WSUS.  For servers which synchronized the OGA update package, the package required a EULA acceptance before it could be made available to WSUS managed clients, via either manual approval, or auto-approval rules.   OGA notifications are designed to alert customers who are using non-genuine software, and are thus more vulnerable to activation exploits and the risks of counterfeit. As such, this update was marked critical for WSUS.

We are available to offer full assistance if you have problems or questions related to this issue, via your regular support channels.  Customers who want to learn more about OGA notifications can reference the online KB Article.  Customers who require support should submit  a Technical Support Request for Microsoft Genuine Advantage Issues.  

Some content in this section was written by Marta Barillas, a SDET on the WSUS engineering team.

This blog post applies to Windows Server 2012 and Windows Server 2012 R2.

• For instructions using WSUS 3.x with NLB, please see this TechNet article: http://technet.microsoft.com/library/dd939896(v=ws.10).aspx
• NLB is not supported on WSUS 2.x or earlier versions. WSUS 2.x is out of support and if you are still using it, you should upgrade to WSUS 3.2 which is available free of charge from Microsoft.

Requirements for NLB in WSUS 6.x

The requirements to run WSUS in a NLB cluster include:

• All nodes in the NLB cluster should be running the same version of WSUS and the same version of Windows, and should have the same Windows Updates installed. Prior to Windows Server 2012, the same WSUS-specific patches must also be installed across all servers in the cluster.
• SQL DB should be shared across all WSUS from the same NLB (WID is not supported for NLB, and the SQL DB need not be clustered -- though it may be clustered) *
• Content directory should be shared across all WSUS in that NLB cluster (see "Configuring Content Sharing") below*

* If you are not running WSUS in a NLB configuration, then the WSUS servers must not share a database or content directory.

Prior to Windows Server 2012, WSUS 3.2 requires a special set up command line as described in the Network Load Balancing topic in WSUS 3.x documentation. Please refer to that documentation (in the in-box HTML help/CHM file) if you are using WSUS 3.2.

Additionally, all requirements for NLB also apply above and beyond the requirements discussed above.

Sample test configuration

• WSUS 6.3 --- Windows Server 2012 R2 (2 units)
• SQL Server --- SQL Server 2012 SP1 (1 unit)
• WSUS Client ---- Windows 7 SP1 (1 unit)

Step 1. Install WSUS

The steps to install WSUS are the same for NLB and non-NLB scenarios. You can install WSUS using PowerShell or Server Manager.

Note: When you use PowerShell to install WSUS 6.x, you must run post-installation tasks from the command line.

Option1: Install WSUS for NLB using PowerShell (recommended)

1. Run this PowerShell command to install WSUS and the RSAT management tools:

Install-WindowsFeature updateservices-services,updateservices-db,updateservices-rsat

Note: updateservices-rsat is Optional; it will install the WSUS MMC console and cannot be installed when installing WSUS on a Server Core installation.

1. Once you have installed WSUS from the command line you need to run postinstall from the command line.

& 'C:\Program Files\Update Services\Tools\WsusUtil.exe' postinstall SQL_INSTANCE_NAME=<Name> CONTENT_DIR=<Path>

Note:

• SQL_INSTANCE_NAME is the name of the SQL Server & CONTENT_DIR is the path to the directory where downloaded update files will be stored. CONTENT_DIR should be a UNC path, as mapped network drives are NOT supported. For example, for example \\server1\share1\contentdir would be valid. Z:\contentdir would NOT be valid.
• For simplicity in testing, you can use an account that has administrator privileges on the SQL server, and you can also use the default instance. You don't need to specify a named instance.
• This step should be run in serial (not in parallel) across all WSUSs in the NLB.
• All WSUS servers in the NLB group must use the same content directory and the same SQL database.

Option 2: Install WSUS for NLB using Server Manager

Alternatively, you can install WSUS using the Server Manager GUI.

1. Launch Server Manager
2. Select “Add roles and features”
3. Click Next until reaching “Server Selection” tab, and select the server name to perform installation.

Note: local server is selected by default.

1. Click Next to “Server Roles” tab, and select “Windows Server Update Services”

1. A dialog will be displayed asking to include Features required for WSUS installation.
2. If WSUS Console should not be installed, uncheck “Include management tools” option on the dialog box.
3. Click “Add Features” on the dialog box.

• Click Next until reaching “ Role Services” tab, and:

1. Unselect “WID Database” option
2. Select “WSUS Services” & “Database” options

• Click Next to “Content” tab, and type the shared ContentDir path. This should be a UNC path, as mapped network drives are NOT supported.
• Click Next to “DB Instance” tab, and type the SQL Server machine name.

1. Click the “Check connection” button.

• Click Next to “Confirmation” tab
• Click “Install” and wait for installation to complete.
• Click on “Launch Post-Installation tasks” link displayed after installation is completed.

Note: This step must be run in serial (not in parallel) across all WSUSs in the NLB.

Step 2. Configure Content Sharing

WSUS Content Sharing is required when using a Shared Database. Documentation for creating a shared file location can be found at: http://technet.microsoft.com/library/dd939896(v=ws.10).aspx. Relevant portions of that article are included here:

Create a shared file location

You should create a single shared file location that is available to all of the front-end WSUS servers. You can use a standard network file share and provide redundancy by storing updates on a RAID controller, or you can use a Distributed File System (DFS) share. The domain machine account of each front-end WSUS server must have Change permissions on the root folder of the file share. That is, if there is a WSUS server installed locally on the computer that has the DFS share, the Network Service account should have change permissions on the root folder. In addition, the user account of the administrator who will run WsusUtil.exe movecontent should have Change permissions.

After you install a WSUS update, check the NTFS file system permissions for the WSUSContent folder. The NTFS file system permissions for the WSUSContent folder may be reset to the default values by the installer.

It is not necessary to use a DFS share with an NLB cluster. You can use a standard network share, and you can ensure redundancy by storing updates on a RAID controller.

For Windows Server 2012 (WSUS 6.2), The Scripting Guy wrote about the command line and GUI steps to be used to install a Front-End WSUS Server: http://blogs.technet.com/b/heyscriptingguy/archive/2013/04/15/installing-wsus-on-windows-server-2012.aspx

Step 3. Install/Configure NLB

The actual configuration of NLB is detailed on TechNet here: http://technet.microsoft.com/en-us/library/cc754833(v=WS.10).aspx

In our own NLB test environment, we have the following settings set to ON:

• Single affinity
• Unicast
• “Enable spoofing MAC Address” ON (for the NIC in Hyper-V, if you are using a VM)

Step 4. Check that things are working

4.1. Test that the master server can switchover in the event of downtime

Run the following command to ensure that multiple servers are listed:

• Wsusutil listfrontendservers

Shut down the master server. Then run the command again (on a different WSUS machine) and verify that the master server has been switched.

4.2. Test the WSUS client connection

On the WSUS server, assuming that you are using the default port (8530), run the following command

• netstat -nao | find "8530"

Verify that clients are able to connect. On a client machine which is configured to use the WSUS NLB cluster, run the following command:

• wuauclt /resetauthorization /detectnow

Upgrade/Patch Considerations

Because of sharing same DB, patching can be tricky because only WSUS machines with the same version must be sharing DBs, as the DB schema could be changing as part of the patching.

If you are running WSUS in a NLB configuration, then you must upgrade all WSUS servers together. To do this, disconnect each server from the database & upgrade, then once all servers are disconnected from the database & content directory, you can start re-connecting WS2012 servers to the database & content directory. For one NLB cluster sharing a single database, you could follow these steps:

1. Backup the database.
2. Remove all WSUS machines from the NLB.
3. Stop the IIS services in all machines: ‘Net stop w3svc’
4. Stop the wsus services in all machines: ‘Net stop wsusservices’
5. Perform patching on all WSUS
6. From 1 of the WSUS machine, run postinstall. This will update the database, so it is not needed to be rerun from other servers.
7. Start the wsus services in all machines (if needed): ‘Net start wsusservices’
8. Start the IIS services in all machines (if needed): ‘Net start w3svc’
9. Enable WSUS machines on NLB.

A few people on the microsoft.public.windows.server.update_services newsgroup mentioned concern over a flood of ATI Radeon Graphic Card updates. There were close to 4000 sync'ed recently to their WSUS 3 and WSUS 2 servers, and there was worry that something strange had happened.

Short answer: It's fine, though unpleasant to look at.

Here's some more background, partially from Bobbie Harder and with additional material from the rest of the product team.  We'll give you the technical backgrounder, and then some tips and tricks for dealing with large numbers of items in the UI.

As a reminder, the newsgroups are really the best place to discuss issues, provide feedback, and get help from the community and MVPs.  Responses to blog posts are occasionally read, but eventually get drowned in automated spam. 

Technical backgrounder

Yes you will see the meta data synched for 3976 versions of this driver, one for every unique hardware ID that it supports
on Vista.  That said, Keep in mind only metadata is synched down. The binaries are not synchronized until the driver is approved.  But dont worry
about having to cross reference every supported HW type that needs this driver in your environment.  Just do a bulk approve ( via multiselect and
approve) and the clients which need a particular driver and the correct detection logic will do the right thing.

Also be assured that we really only have about 8MB total binary size for all these updates.  All but 2 of the updates reference the binaries of primary
packages for x86 & x64 so you will not be downloading 4MB x 3976.  By all means dont just bulk decline these unless your positive you don't have this
type of card in your environment.  WSUS only synchs critical drivers and this is one.  Hope this helps.

We are changing the publishing process for the future btw so that multiple HWIDs will be associated to one update in the future.  thnks - Bobbie

UI Tips and Tricks

There are a couple of methods in the WSUS 3 UI that can help you manage the complexity you're hitting with this group of updates.

Right click the Updates view and create a new view.  You can create views to specifically include, or exclude this kind of driver.

Right click in an updates view, and choose Group By, and group by the update name.  Since these updates have the same name, they'll be grouped together in one bunch that you can expand or collapse.  On my machine, you'll see there are 3,982 items.  Once grouped, you can select the group header and do bulk operations like approve or decline.

-- matthew

Hi WSUS Admins - Just a reminder, the DST update made available to your WSUS servers today (KB931836) is classified as an update rollup so AU and SMS/ITMU pick it up too.  For WSUS that means, you'll want to make sure either to modify your auto approval rules (if you use them), or remember to approve this update manually. 

 Also, for any of you laggerts out there still using (let's see if i still remember how to spell it), ...... SUS, the update will be available since we were able for SUS, to classify it appropriately for pickup (critical).   

As I posted Friday, remember the 931836 update plays nicely with any previous DST updates released earlier you may have installed. 

Cheers-

thnks - Bobbie

Hi WSUS Admins:

We’ve noticed some confusion about the recently released updates for Microsoft .NET Framework 3.5 SP1.  So, let’s see if we can help clarify the differences in the packages.  These updates apply to x86 and x64 computers.  The detailed update descriptions describe both the platform and OS architecture that apply for each of the updates. You’re also likely wondering about the differences in the update titles. Here are the differences:

1.      The update titled “Microsoft .NET framework 3.5 Family Update (KB959209)” updates computers already running .NET Framework 3.5 SP1 with the latest compatibility fixes.  So, if you only want to update existing .NET Framework 3.5 SP1 computers with the latest fixes, then approve these packages.

2.      The update titled “Microsoft .NET Framework 3.5 Service Pack 1 and .NET Framework 3.5 Family Update (KB951847)” will upgrade computers with .NET Framework 2.0, 3.0, 3.5 to the latest version of the .NET Framework 3.5 SP1, and will also apply KB959209 (#1 above). If you want to upgrade/update all of your computers to the latest version of the .NET Framework and apply the latest compatibility fixes, then approve these packages.

If  you know you only need the latest compatibility fixes for 3.5 SP1, then we recommend you only approve the Microsoft .NET framework 3.5 Family Update (KB959209).   Otherwise, we recommend that you approve the second update.

Thanks,

The WSUS team

Hello folks,

The MU team has published a note on their blog regarding a new category on Windows Update and WSUS in preparation for Win 7 beta updates and drivers in the not so distant future.

Thanks!

WSUS Team.

Symptoms

• When installing WSUS through the Add Roles and Features Wizard (ARW), the Post-Installation task fails and the generated log folder (*.tmp) is empty, AND
• The Tools folder is missing after WSUS was installed. Note: By default, the Tools folder is installed to the following location: %SystemDrive%\Program Files\Update Services\Tools

This behavior has been seen when:

• Uninstalling WSUS
• Manually deleting WSUS folder: %SystemDrive%\Program Files\Update Services
• Manually deleting WSUS registry keys: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Update Services
• Re-installing WSUS

Root Cause

When uninstalling WSUS Role via ARW the “API and PowerShell cmdlets” feature is not uninstalled by default (unless explicitly selected by the user). Deleting the remaining WSUS folders and registry keys leaves the server in a bad state and the re-installation fails because it is expecting this feature to be already installed.

Workaround

Uninstall all the WSUS roles and features and re-install WSUS.

Workaround 1: To uninstall WSUS roles and features using Windows PowerShell

1. In PowerShell, review features installed by calling: Get-WindowsFeature UpdateServices*
2. To remove features, call: Uninstall-WindowsFeature <featureName>

Workaround 2: To uninstall WSUS roles and features using the Server Manager Console

In Server Manager, launch Remove Roles and Features Wizard (RRW), unselect items to be uninstalled, and complete the Wizard:

1. In Server Roles tab unselect ‘Windows Server Update Services’ option
2. In Features tab unselect ‘Remote Server Administration Tools -> Role Administration Tools -> Windows Server Update Services Tools’ option

We recommend restarting the server to ensure that all WSUS components are removed. After uninstalling WSUS roles and features, you may reinstall the WSUS roles and features.

To reinstall WSUS, launch the Add Roles and Features Wizard and then select the “Windows Server Update Services” option. You may optionally reinstall the Windows Server Update Services Tools. After the ARW completes successfully, you may run the WSUS post-installation tasks.

Hi Folks,

I know there has been some confusion around the DST updates KB928338 and KB929120.  Hopefully this will help. Yesterday, Dec 12 we released two time zone updates to WU, MU, WSUS and the catalog.  The first of these updates, KB 928388, addresses 30 time zone changes for Windows Operating Systems, and most notably the changes in the US and Canada DST rules for 2007.  This update was classified as optional for customers and companies who wish to deploy it now. While this update is being offered as optional now, once Outlook and Exchange tools are completed, so that all updates and tools can be run at the same time, we expect to change the classification of 928338 to high priority or critical.  For more information please see: http://www.microsoft.com/windows/timezone/dst2007.mspx.

Yesterday we also released KB929120 to update the DST rules for the West Australia time zone.  The State of West Australia recently introduced daylight saving time on a trial basis for the next three years.  However,  the law was passed after the Global time zone update (KB 928388) was developed and tested, so we could not include the W. Australia  rules into the initial package.   That means basically that KB929120 only updates the DST rules for the West Australia time zone, and as such, we classified it as a high priority or critical update available to clients that are set to any Australia time zone and that have OS's on any English locale.  We decided on this high priority, critical update classification as these customers are the most likely to be affected by this change.

Additionally the update (KB929120) was also made available as an optional update for all other WSUS clients which are not in an Australian time zone, or that are in an Australian time zone but not running an OS with an English locale.  Depending on synchronization options, WSUS Admins might see two updates for KB 929120, (as a few have already reported), a critical and an optional update.  Both updates are identical, but the detection logic is based on the parameters indicated above.   Approving the critical update for install will make the update available on ONLY clients set to any Australia Time Zone and which are on an English locale OS.  Approving the optional update will make the udpate available to systems not in an Australian time zone, or that are in an Australian time zone, but not running an OS with an English locale.

Hope this helps - sorry for the lengthy post but want to make sure i address some of this confusion.

thanks,

Bobbie

Hi all,

We wanted to let you know that a new version of the Windows Update Agent is being released on Windows Update over the next couple of months. Because WSUS and Windows Update both use the same Windows Update Agent, this means that WSUS-managed end-user who navigates to WU to perform an interactive sync will receive an updated version of WUA as this new agent is rolled out over the next few months. Machines who's end-users don't explicitly navigate to WUA to perform an interactive scan will continue to use the existing version of WUA. This will result in a mixture of WUA versions in most corporate environments. Because WUA is backwards compatible, machines that recieve the newer agent will continue to work just fine with WSUS.

You can read more about this change in the Windows Update blog at http://blogs.technet.com/mu/archive/2008/07/03/upcoming-update-to-windows-update.aspx.

-Marc Shepard

WSUS Program Manager Lead

In my last entry on new powershell API samples, I mentioned providing some tips and tricks for automated reporting from your WSUS server in conjunction with Excel. 

This will help walk you through creating a trending report for various interesting aspects of your deployment, and displaying it graphically in Excel.  There will be some "solution left as an exercise for the reader" aspects, but I'll point you in the right direction through the pitfalls that I found tricky.  See the attachment to this post for a sample chart.

First, a quick reminder on the location of the script repository for our PowerShell API samples: ttp://www.microsoft.com/technet/scriptcenter/scripts/sus/server/default.mspx?mfr=true.  We don't intend these to necessarily be wonderful examples of the best use of PowerShell, but more of a handy way to introduce you to the API and give a headstart on creating your own solutions.

One of the most common requests we've had is around reporting information only for approved updates.  That lead to a sample for server status for just approved updates: http://www.microsoft.com/technet/scriptcenter/scripts/sus/server/susvms02.mspx

As you'll see in the sample output, it has a simple one line CSV style output which is perfect for importing into your favorite tools.  It also includes both the server name and date, so you can easily order or filter the results. 

Naturally you'll need to start by installing PowerShell, and saving the script to a .ps1 file.  I recommend starting this sample running on your server - you can modify the sample to connect to a remote server via a console only install, but I'd suggest limiting the number of moving pieces until you get it all working end-to-end once.  Make sure you can run the .ps1 file from the command line.  You may need to modify your script execution environment options.  (That's one of those exercises for the reader.)

Next, create a scheduled task to run your script every night and append the output to a file.   Below is a sample command line in the Scheduled Tasks.  Make sure to try the command line from a cmd prompt to make sure you have your paths and access right - it's annoying to wait a couple of days for the scheduled task to run and discover you botched the command line.

%windir%\system32\WindowsPowerShell\v1.0\powershell.exe -command C:\WsusScript\ServerStatusForApprovedUpdates.ps1 >> C:\ReportingData\ServerStatusForApprovedUpdates.csv

Now wait a couple of days, and you should start getting some nice output.  Here's some sample data to give you a headstart:

WSUSSAMPLE,3/15/2007,3713,952,1540,1032,14,0,42,28
WSUSSAMPLE,3/17/2007,8611,900,2660,814,112,0,279,118
WSUSSAMPLE,3/18/2007,8744,900,6665,813,112,0,307,119
WSUSSAMPLE,3/19/2007,8895,900,4026,833,117,0,311,117
WSUSSAMPLE,3/20/2007,9684,900,6740,958,146,0,330,136
WSUSSAMPLE,3/21/2007,10132,891,6641,2471,168,0,398,159
WSUSSAMPLE,3/22/2007,10454,891,7249,2378,172,0,444,161
WSUSSAMPLE,3/23/2007,10729,891,7531,2404,184,0,445,176

Once you've got that in a .CSV file, start Office Excel 2007.  Sorry if you're on an older version - that's the version I'm working on.  I suspect you can get all of this done on an older version, but I haven't gone back to verify.

Look across the menu options across the top, and choose the Data tab.  The third option of "Get External Data" is "From Text."  This will give you a browser where you point to the .csv file you're writing via the scheduled task.  Excel should recognize the file and set the right defaults for almost everything.  The fancy bits come after you click finish.  You'll want to do 2 things before finishing.

1. Excel asks where you want to insert the data - choose a spot down about 20 rows, so you can leave spot for a graph at the top.
2. Click Properties.  Here you uncheck "Prompt for file name on refresh", check "Refresh data when opening the file", and "Overwrite existing cells with new data, clear unused cells." 

Now, every time you open the Excel file you'll get the very latest data from your automatically generated file.

Next, go to the "Insert" tab, and add a line graph with markers (not stacked).  Move the graph over into the empty space you reserved, and then choose the Design tab menu option for Select Data.  Select the area where your data is coming in.  You'll also want to give names to the Legend Entries based on the columns of the imported data, and remove any columns you're not interested in.  You may also want to create two separate graphs - one for computers, and one for updates - because you're likely to have significantly different total numbers of computers and updates and would want the data clearly separated and scaled appropriately.

Voila!  Save the spreadsheet, and open it again in a couple of days.  Post here if I've missed a step, to brag if you've gotten your own solution working, or have any nifty ideas for enhancing this for others.

 Hi WSUS Admins,

Just a heads up to let you know we will be releasing revised .NET Framework 3.5 Service Pack 1 (SP1) and Family Update packages to address confusion caused from the initial release on 1/27/2009.  In these revised packages, we’ve made 2 changes:

1.       We’ve reduced the file size of the packages for each architecture (x86 and x64). The original packages were 237 MB in size, the revised packages are 53 MB (x86) and 97 MB (x64).

2.       We’ve clarified the titles to minimize confusion about what each package contains and what it is applicable to.

Please note that while the packaging has been updated, there have been no changes made to the binary payload inside these packages, and no new fixes are included beyond those already in the original release on 1/27/2009.  Therefore, machines that have previously installed the .NET 3.5 SP1 do not need to install the revised package(s).   We expect to publish these revised updates within the next few weeks.

We will expire the old packages the same day we release the new revised packages.  The new update packages will be:

Microsoft .NET Framework 3.5 Service Pack 1 and .NET Framework 3.5 Family Update for .NET versions 2.0 through 3.5 (KB951847) x86

This combined  Service Pack and update is applicable to .NET versions 2.0 through 3.5.

Microsoft .NET Framework 3.5 Service Pack 1 and .NET Framework 3.5 Family Update (KB951847) x86

This combined Service Pack and update is applicable to systems running a version of .NET prior to version 2.0, or to systems that have no prior version of .NET framework installed.

Microsoft .NET Framework 3.5 Service Pack 1 and .NET Framework 3.5 Family Update for .NET versions 2.0 through 3.5 (KB951847) x64

This combined Service Pack and update is applicable to .NET versions 2.0 through 3.5.

Microsoft .NET Framework 3.5 Service Pack 1 and .NET Framework 3.5 Family Update (KB951847) x64

This combined Service Pack and update is applicable to systems running a version of .NET prior to version 2.0, or to systems that have no prior version of .NET framework installed.

 We appreciate your feedback and thank you!

http://www.microsoft.com/technet/scriptcenter/scripts/sus/server/default.mspx?mfr=true

Sorry it's a bit of a slow process - but we're still trying to trickle out more API examples based on scenario requests from customers and ISVs.

3 more scripts will be up sometime today, including:

• Importing your AD group structure as target groups.
• Show list of computers needing reboots
• A basic report on only updates that have been approved. You can do things like scheduling this report via "Scheduled Tasks," and archive the reports on a regular basis.  We've also gathered data over time, and used Excel to show trending graphs.  If you're interested in some tips/tricks on displaying reports within Excel, comment here and we'll share our experience.

On March 26, 2013, we will be adding a new product to your WSUS server – Microsoft Lync Server 2013. This product will be under the “Microsoft Lync Server and Microsoft Lync” product family. It will include updates for Microsoft Lync Server 2013. It will allow for a variety of update types, e.g. service packs, optional updates, critical updates, and security updates. Microsoft Lync Server 2013 updates will also be available in the Microsoft Update Catalog at http://catalog.update.microsoft.com. You should synchronize the Microsoft Lync Server 2013 product if you have this product in your managed environment. For additional information about Lync Server 2013, see http://www.microsoft.com/uc/default.mspx. Servicing of the Microsoft Lync 2013 client product can be found under the Office product family, more specifically, under the Office 2013 product.

Client script samples are making life easier when managing AU across environments. Check out the TechNet Community Script Center's AU script samples,  and Rob Dunns' addition of install/present reboot notice, onTorgeir Bakken's force client update (to latest version) then email logfile to designated recipient....(from MS samples)!  Good Stuff!!

http://www.microsoft.com/technet/community/columns/scripts/default.mspx

http://uphold2001.brinkster.net/vbshf/forum/forums/thread-view.asp?tid=199&posts=1

WSUS admins, 

Microsoft Security Essentials antimalware definitions are now available via WSUS. Microsoft Security Essentials is a core antimalware service for consumers and home-based small businesses that Microsoft released in September of 2009. This was done because academic institutions around the world (particularly in Asia) provide students with low cost or free internet access and provide students with update services through WSUS.  Many students are protecting their computers with Security Essentials, and the universities requested that the definition updates be provided via WSUS.

With this change, there is a new product family (Microsoft Security Essentials) and product name (Security Essentials)  WSUS in the admin console.  Note that the addition of this product family and product name is only to accommodate the definition updates for Security Essentials.  This is not a replacement or a rename for any current Microsoft a/v product.

MU and Microsoft Security Essentials teams

A couple of important updates were released to Microsoft Update and WSUS, along with this short note regarding what those updates do (and don't) apply to.  (Thanks to Thao Doan from the Visual Studio team for the info!)

-Don

-------------

This morning (January 29, 2007) we have published two bundles of Visual Stusio 2005 Service Pack 1 on Mircrosoft Updates: VSTS and Express. Their description is below:

--------------

Hi all,

If you use Microsoft Office, a great new resource has recently come online to help you understand how Office updates work. The Office Sustained Engineering blog features release announcements, known issues, explanations of update behavior, and other information about Office updates. If you work with Office updates, it’s worth monitoring this page for the latest info, such as the recent announcement that Office 2007 SP1 will be delivered through Automatic Updates starting in mid-June. Check it out!

Cecilia Cole

WSUS Program Manager