WSUS Product Team Blog

WSUS Product Team thoughts, information, tips and tricks and beyond :-)

July, 2008

  • A new version of WUA is rolling out on Windows Update

    Hi all,

    We wanted to let you know that a new version of the Windows Update Agent is being released on Windows Update over the next couple of months. Because WSUS and Windows Update both use the same Windows Update Agent, this means that a WSUS-managed end user who navigates to WU to perform an interactive sync will receive an updated version of WUA as this new agent is rolled out over the next few months. Machines whose end users don't explicitly navigate to WUA to perform an interactive scan will continue to use the existing version of WUA. This will result in a mixture of WUA versions in most corporate environments. Because WUA is backwards compatible, machines that receive the newer agent will continue to work just fine with WSUS.

    You can read more about this change in the Windows Update blog at http://blogs.technet.com/mu/archive/2008/07/03/upcoming-update-to-windows-update.aspx.

    -Marc Shepard

    WSUS Program Manager Lead

     

  • So many drivers...

    Hi all,

    Anyone who added "Drivers" to their WSUS synchronization options may have noticed a large number of driver updates showing up in their WSUS server recently, and the majority of them have the same title. We wanted to let you know what's going on and what we are doing about it.

    First, let's talk about the root cause. Drivers can target one or more hardware IDs, and we have a limitation in our data-model so that each "update" can only support a single hardware ID. What that means is that a single driver is often implemented as multiple updates, all with the same title. What happened recently is a few drivers were released to WSUS that supported a very large number of hardware IDs.

    It turns out the proper fix for this is not simple; it involves changes to WSUS, WUA, WU, and our driver publishing pipeline to allow a single driver update to support multiple hardware IDs. We have made a number of these changes already, but all this won't come online until some time after the next WSUS release. A number of folks have asked "can't you just do some quick change to the WSUS UI to group them together" and unfortunately that is an even more complex change to make (although in the WSUS 3 UI update view, we do have a "group by" feature that allows one to at least group the updates by title - but that's only a small part of update handling).

    In the short term, we will be making some publishing policy changes to ensure that drivers with a large number of hardware IDs don't flow to WSUS through WSUS/MU server synch. This doesn't mean the drivers won't be available to WSUS - they can still be imported from the MU catalog site (from the WSUS 3 UI, go to the "Updates" node and select "import..."). It's just that they won't flow automatically and surprise those who have added drivers to their synch options.

    -Marc Shepard

    WSUS Lead Program Manager

     

  • A fix for Client/Server Synchronization Issues

    Hi all,

     

    We have released a fix for the synchronization issues that Cecilia described in http://blogs.technet.com/wsus/archive/2008/06/18/client-server-synchronization-issues.aspx. For details on how to obtain the update, please refer to http://support.microsoft.com/kb/954960.

     

    If you are installing the update on Server 2008, you need to install the update with elevated privileges or else the install will fail. E.g., you can run it from a command prompt that was launched with "Run as administrator".

    We have now addressed this matter by replacing the original cab'ed MSP with an exe-wrapped version of the original MSP to avoid this extra step.

     

    The update does not support uninstall or have an entry in Add/Remove Programs. But one can verify the update has been installed by checking that the version of Microsoft.UpdateServices.WebServices.Client.Dll (in %Program Files%\Update Services\WebServices\ClientWebService\bin\) is 3.1.6001.66 (it will be 65 if the update has not been applied).

     

    While this update is only available on Download Center today, we are working on making it available through the WU/WSUS pipeline and hope to have that done as soon as possible.

     

    Thanks,

    Marc Shepard

    WSUS Lead Program Manager
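
    An added example, not part of the original post and not Microsoft's own tooling: a PowerShell check for the DLL file version described in the post above. It assumes "%Program Files%" in the post refers to `$env:ProgramFiles` and treats any build at or above 3.1.6001.66 as updated; the function name `Test-WsusKb954960` is hypothetical.

    ```powershell
    # Added example: report whether the KB954960 fix is present on a WSUS server
    # by reading the file version of the client web service DLL named in the post.
    function Test-WsusKb954960 {
        param(
            # Assumption: "%Program Files%" in the post maps to $env:ProgramFiles.
            [string]$Path = (Join-Path $env:ProgramFiles `
                'Update Services\WebServices\ClientWebService\bin\Microsoft.UpdateServices.WebServices.Client.dll')
        )

        # Version the post gives for a server with the update applied
        # (3.1.6001.65 means the update has not been applied).
        $patched = [version]'3.1.6001.66'

        # No Add/Remove Programs entry exists, so a missing DLL is reported
        # explicitly instead of being treated as "not updated".
        if (-not (Test-Path -LiteralPath $Path -PathType Leaf)) {
            return New-Object psobject -Property @{
                Path = $Path; FileVersion = $null; Status = 'DllNotFound'
            }
        }

        $vi = (Get-Item -LiteralPath $Path).VersionInfo

        # Build the version from its numeric parts; the FileVersion string
        # can carry extra text that [version] cannot parse.
        $found = New-Object version -ArgumentList `
            $vi.FileMajorPart, $vi.FileMinorPart, $vi.FileBuildPart, $vi.FilePrivatePart

        # Assumption: later builds also contain the fix.
        $status = if ($found -ge $patched) { 'Updated' } else { 'NotUpdated' }

        New-Object psobject -Property @{
            Path = $Path; FileVersion = $found; Status = $status
        }
    }

    # Run on the WSUS server itself.
    Test-WsusKb954960 | Format-List Path, FileVersion, Status
    ```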

  • Windows Search 4 coming to WU

    Hello folks,

    I am finally back from a long vacation; hopefully everyone is doing alright. Since there has been a lot of movement in the blog, I also wanted to bring to your attention the post that the MU folks have just added to their blog which relates to the availability of Windows Search 4. As a reminder, this update will not automatically install on WSUS clients. Windows users will either see it as an "Optional" or "Recommended" update depending on the version you are running.

    Thank you.

    Cecilia Cole | WSUS Program Manager

  • Vista SP1 available on WSUS

    Hey all,

     

    You may have noticed that yesterday we made Windows Vista Service Pack 1 available on WSUS to help make it easy for you to deploy into your organization.  There are a couple of different packages so I thought I’d jot down a note so you could understand which one will work for your purposes. 

     

    If you’re running an English, French, German, Japanese or Spanish language system that has English, French, German, Japanese, Spanish, or no MUIs, you should download and approve the package titled: Windows Vista Service Pack 1 Standalone (KB936330) - English, French, German, Japanese, Spanish. Because of some applicability logic in the way the service packs are packaged, if you only download and approve the “all languages” version, SP1 will not be offered to machines running English, French, German, Spanish or Japanese that have English, French, German, Japanese, Spanish, or no MUIs installed. If you only have these five language systems and MUIs in your organization, we actually recommend you only download and approve the “Windows Vista Service Pack 1 Standalone (KB936330) - English, French, German, Japanese, Spanish” package since it’s much smaller than the “all languages” version.

     

    If you are running an English, French, German, Japanese, or Spanish language system that has a MUI language pack installed you’ll need to download and approve the “all languages” version of the service pack.

     

    Hope this is helpful

  • Finding machines not compliant with a specific security bulletin

    I read Marc’s post about Compliance Reporting and it was similar to a problem I deal with in my job. Part of my job is to run Update Management on one of the domains consisting of around 12,000 managed computers at Microsoft using WSUS. We do this in order to validate WSUS (and similar products) in an environment with real users. Another group at Microsoft audits my compliance, and often requests a list of non-compliant machines for specific security bulletins. I have adapted Marc’s SQL script to do just that.

     

    I ran into one issue: Marc’s SQL script will block clients from scanning while it runs. Since the script can take a long time to execute on larger data sets, I decided to allow SQL to read dirty data and unblock my clients (SET TRANSACTION ISOLATION LEVEL READ UNCOMMITTED).

     

    I hope you find this useful.

     

    Travis Plunk

    Software Design Engineer in Test II, WSUS

     

    -- Find computers within a target group that need a security bulletin

    USE SUSDB
    GO

    -- Read uncommitted (dirty) data so the query does not block client scans
    SET TRANSACTION ISOLATION LEVEL READ UNCOMMITTED
    GO

    DECLARE @TargetGroup nvarchar(30)
    DECLARE @Bulletin nvarchar(9)

    SELECT @TargetGroup = 'All Computers'
    SELECT @Bulletin = 'MS08-030'

    -- Find the computers in the given @TargetGroup that are not compliant
    -- with the given @Bulletin

    SELECT ct.Name, @Bulletin AS Bulletin, ct.LastReportedStatusTime
    FROM PUBLIC_VIEWS.vComputerGroupMembership AS cgm
        INNER JOIN PUBLIC_VIEWS.vComputerTarget AS ct
            ON cgm.ComputerTargetId = ct.ComputerTargetId
        INNER JOIN PUBLIC_VIEWS.vComputerTargetGroup AS ctg
            ON cgm.ComputerTargetGroupId = ctg.ComputerTargetGroupId
    WHERE (ctg.Name = @TargetGroup)
    -- And only select those for which an update is approved for install, the
    -- computer status for that update is either 2 (not installed), 3 (downloaded),
    -- 5 (failed), or 6 (installed pending reboot), and
    -- the update bulletin is the one provided.
        AND EXISTS
            (SELECT 1
             FROM PUBLIC_VIEWS.vUpdateEffectiveApprovalPerComputer AS ueapc
                 INNER JOIN PUBLIC_VIEWS.vUpdateApproval AS ua
                     ON ua.UpdateApprovalId = ueapc.UpdateApprovalId
                 INNER JOIN PUBLIC_VIEWS.vUpdateInstallationInfoBasic AS uiib
                     ON uiib.ComputerTargetId = ct.ComputerTargetId
                     AND ua.UpdateId = uiib.UpdateId
                 INNER JOIN PUBLIC_VIEWS.vUpdate AS u
                     ON ua.UpdateId = u.UpdateId
             WHERE (ueapc.ComputerTargetId = ct.ComputerTargetId)
                 AND (ua.Action = 'Install')
                 AND (uiib.State IN (2, 3, 5, 6))
                 AND u.SecurityBulletin IS NOT NULL
                 AND u.SecurityBulletin = @Bulletin)

     

    Travis Plunk

    OMPS - Customer Readiness Test