WSUS Product Team Blog

Managing Updates with Deadlines in an era of Automatic Maintenance

2013-06-11T04:18:00Z

Until Windows 8, Windows Update used to manage its own internal scheduling for checking for, downloading, and installing updates. It required that the Windows Update Agent was always running in the background, consuming memory and other system resources. In an effort to increase battery life on portable devices, Windows 8 introduced a new feature called Automatic Maintenance, which runs nightly and performs various tasks such as lightly defragmenting hard drives (or TRIMming SSDs if necessary), checking, repairing, and optimizing the system component store, running anti-virus scans, installing updates, and more. This consolidation allows for all these components to use far less system resources, work consistently, respect the new Connected Standby state for new device types, and consume less battery on portable devices.

What this also means is that on Windows 8 and Windows Server 2012, the setting for when to download and install updates doesn't work in the same way. While you can still set Windows Update to download updates and install them automatically or not, the day-of-the-week setting is not effective on Windows 8. Indeed, Automatic Maintenance runs once a day by default, and due to the consolidation of maintenance tasks there isn't a way to individually specify which maintenance tasks run on which days.

WSUS provides administrators with a way to control when patches get installed and PCs get rebooted. I'll explain one possible strategy for doing this:

Taking Control of Update Installation

What to do:

Using Group Policy, set your target machines to check for updates but do not automatically install them.
When you want to deploy an update at a particular time, set the deadline for when you want the machine to install updates and restart.
You can use groups in WSUS to set different approvals and different deadlines for different groups of machines.

Here's how it works:

This works because if you have set a deadline, WUA will enforce that deadline even outside of the Automatic Maintenance window, and even if updates are set not to install automatically. The computer will be rebooted (if needed) at the end of the installation process.

Every day, the Windows Update agent contacts WSUS and downloads information about which updates are to be offered to that PC, along with the deadline for each update as specified by the administrator. If an update is overdue, Windows Update will force that update to be installed automatically, even though WUA is configured to NOT generally install every update automatically. Otherwise, the update is offered to the user for manual installation until the deadline is reached. When the deadline is reached or passed, the update is forcibly installed and the machine is rebooted after a 15-minute countdown. If no users are signed in, the machine is rebooted immediately.

If you are running a server and you want to make sure it doesn't reboot until a certain date, then this is the option for you. Your server won't install any updates automatically until one of the updates reaches its deadline, and then the server will be rebooted immediately upon passing of the deadline, assuming that no users are signed in. If there are users signed in, the standard 15 minute timeout applies.

You can limit reboots to "service time" windows if you approve all updates with deadlines during your desired service windows. Machines that are powered off during the service window will be automatically updated when they are powered on once again.

Note: You need to make sure that all the updates you care about have deadlines assigned to them. If you neglect to assign a deadline and you've instructed Automatic Updates to not be automatically installed otherwise, you could be leaving your network in a less secure state if your users don't manually install those updates.

A note about time zones

In WSUS, when you set a deadline, it is interpreted in the time zone of the WSUS server, not the time of the target computer. Be sure to keep this in mind when setting your deadlines to avoid unexpected reboots. Remember, if a reboot is needed, it will occur no more than 15 minutes after the completion of the installation of the update.

Additional reading:

Client Behavior with Update Deadlines: http://technet.microsoft.com/library/cc708585(v=WS.10).aspx
Automatic maintenance is described in detail on TechNet at http://msdn.microsoft.com/library/windows/desktop/hh848037(v=vs.85).aspx
The section titled "Automatic Maintenance and changes to restart behavior after updates are applied by Windows Update" at http://technet.microsoft.com/library/hh994618.aspx#BKMK_WhatsNewEight
For more information about how automatic installation works in Windows 8, you can read more on this blog post on the Building Windows 8 blog.

Installing WSUS on Windows Server 2012 with PowerShell

2013-05-02T18:37:00Z

There is a really valuable blog post on the Hey Scripting Guy! blog that explains how to install and configure WSUS on Windows Server 2012 using PowerShell. Enjoy!

http://blogs.technet.com/b/heyscriptingguy/archive/2013/04/15/installing-wsus-on-windows-server-2012.aspx

P.S. we're looking at improving our own PowerShell coverage in WSUS in the future as part of our work towards compliance with Microsoft's Common Engineering Criteria. If there are scenarios you find particularly painful or just missing, please let us know in the comments below. We'll consider and respond to every piece of feedback!

Update: Solution for WSUS Export Bug is now available for WSUS 3.x SP2

2013-04-16T20:00:00Z

I am pleased to announce that, as of today, a fix for this issue is available from Microsoft for WSUS 3.x, in addition to the Windows Server 2012 update that we published last week.

WSUS 3.x ships back to Windows Server 2003 R2, and ships in x86 and 64-bit versions. This requires additional testing above and beyond what we did for Windows Server 2012, which applies only to that OS and is for 64-bit only. Additionally, the packaging format for Windows Server 2012 is different from what we must use for downlevel OS versions.

An article describing how to get this update is available at:

http://support.microsoft.com/kb/2819484 if you are running Windows Server 2012
http://support.microsoft.com/kb/2828185 if you are running WSUS 3.0 SP2 (WSUS 3.2) on Windows Server 2003 R2, Windows Server 2008, or Windows Server 2008 R2

Direct link to download 64-bit http://www.microsoft.com/download/details.aspx?id=38429
Direct link to download 32-bit http://www.microsoft.com/download/details.aspx?id=38430

Please see my last blog post for more engineering details about why this problem happened in the first place and what decisions we made to try to make this update as bulletproof as possible. This update rolls up and includes all updates to WSUS 3.2, including KB2734608. WSUS 3 SP2 must be installed before you install this update.

Also, I just wanted to take this opportunity to reiterate that all versions of WSUS prior to WSUS 3.0 SP2 are no longer being maintained or supported. WSUS 3.0 SP2 is a free download from the Microsoft Download Center, and any customers using older versions of WSUS should install both WSUS 3.0 SP2 and this hotfix as soon as possible.

Thanks,
The WSUS Team

Problem Solved: The WSUS Export Bug

2013-04-09T22:59:00Z

If you are managing updates for Windows Server 2012, you might have noticed that your WSUS server has been synchronizing a greater than usual number of updates these days. Windows Server 2012 is not only Microsoft’s most powerful, but also Microsoft’s most secure operating system to date. Since RTM, we’ve published dozens of updates that improve the security, reliability, and functionality of Windows. Most notably, the Defender team has been publishing virus and malware definition updates 4 times a day, to ensure that your PC is never left unprotected from even the latest threats.

We’ve also added many new products to WSUS, including updates to Adobe Flash Player, Skype, Lync Server, and Office 2013. There are more WSUS updates than ever before.

All these updates certainly can take a toll on a WSUS server, especially on servers that have auto-approval rules. Many administrators were recently surprised to see that exporting updates from WSUS servers was failing, resulting in zero-size output files. It became clear to us rather quickly that the issue was due to a limitation in the CAB file format, which is an uncompressed file size limit of 2 GB.

I am pleased to announce that, as of today, a fix for this issue is available from Microsoft. An article describing how to get this update is available at:

http://support.microsoft.com/kb/2819484 if you are running Windows Server 2012
http://support.microsoft.com/kb/2828185 if you are running WSUS 3.0 SP2 (WSUS 3.2) on Windows Server 2003 R2, Windows Server 2008, or Windows Server 2008 R2

Many people have been asking on the forums and even through this blog for this fix for some time, and were wondering why it took more than 4 months to complete. To that end, I thought it would be interesting to share some of the engineering story as well.

One of the unique challenges of working on the WSUS team, compared to other server role teams in Windows Server, is that our role actually ships, “out-of box,” all the way back to Windows Server 2003 R2. We had to be very careful to design a solution that would work on all versions of Windows Server since then. To keep everything as simple as possible, we constrained ourselves on using compression algorithms that are already publicly available in the .NET framework or public Win32 API. Here is what we considered:

	Framework	Max Size	Benefits	Drawbacks
GzipStream	.NET 4.0	Unlimited, 4 GB prior to .NET4	Built in CRC	Results in 2 files No support for signtool
DeflateStream	.NET 4.0	Unlimited, not available until .NET4	Supports larger file sizes than CAB	Results in 2 files, harder to work with raw DEFLATE format vs. Gzip, no support for signtool
CAB	.NET 2.0	2 GB uncompressed file limit	Built in CRC Same file format Supported by signtool	Temp files needed (extra disk I/O), 2 GB limit per uncompressed file
Zip64	.NET 4.5	unlimited	Built in CRC	No CLR support for Windows Server 2003 R2; no support for signtool

We decided it wouldn't be a great customer experience to require people to install .NET 4.5 on their servers. Plus, we wanted to preserve compatibility with Windows Server 2003 R2 if at all possible. .NET 4.5 is not available on Windows Server 2003 R2. We could have also adapted the CAB format to produce multiple output files, but we preferred to produce only a single output file, especially since the resulting files are comparatively small. On systems running the latest version of .NET 4.0, the maximum file size is limited only by NTFS file size. While Gzip does store the length of the compressed content using 32 bits, the structure stores only the lowest 32-bits thereby allowing for larger file sizes, limited only by NTFS file size (prior to .NET 4.0, the length of the compressed content couldn’t exceed 32 bits, or about 4 GB). This does mean that there’s a limit of 4 GB on systems using .NET 3.5 (i.e., WSUS 3.0 SP2 (3.2) ). Windows Server 2012 is on .NET 4.5 and therefore not affected by the limit. Similar to CAB, GzipStream also includes built-in CRC error detection, which makes the export and import processes highly reliable. Best of all, the compressed output is generated on-the-fly, without the need for temporary uncompressed output files. This greatly decreases disk I/O and we found it reduces the time needed for import and export significantly.

Using our current export algorithm, the export process results in 2 files, a metadata.txt file and an update.cab file, which must be kept together. The CAB format archives these two files together. However, since Gzip is not an archive format, the end user would have needed to keep these files together manually. We would have preferred to produce only a single export file to ease distribution. Therefore, we changed the WSUS exported data XML schema to allow for both metadata and update data in a single compressed file.

In parallel, we also worked with our test engineers to formulate a test plan for the hotfix. Our test matrix is large, as we need to ensure that every supported version of Windows Server will be able to install this update. For Windows Server 2003 R2, that matrix is made even bigger by our support for both x86 and x64 architectures. We also worked with Customer Support Services (CSS) to gather validation data with regard to cases that were currently opened about this issue. And of course, nothing works perfectly the first time, and we’ve gone through several revisions to make sure that the latest WSUS update is more robust than ever!

At this point, we have a hotfix that we feel really good about releasing: well-informed by customer needs, developed by our esteemed software engineers, and thoroughly tested and validated. I hope that it will improve the experience of the many WSUS admins around the world, and I look forward to hearing your feedback about this update.

Thanks for being a valued Windows Server and WSUS customer!

The WSUS Team

New Product Family for Lync Server 2013

2013-03-26T01:00:00Z

On March 26, 2013, we will be adding a new product to your WSUS server – Microsoft Lync Server 2013. This product will be under the “Microsoft Lync Server and Microsoft Lync” product family. It will include updates for Microsoft Lync Server 2013. It will allow for a variety of update types, e.g. service packs, optional updates, critical updates, and security updates. Microsoft Lync Server 2013 updates will also be available in the Microsoft Update Catalog at http://catalog.update.microsoft.com. You should synchronize the Microsoft Lync Server 2013 product if you have this product in your managed environment. For additional information about Lync Server 2013, see http://www.microsoft.com/uc/default.mspx. Servicing of the Microsoft Lync 2013 client product can be found under the Office product family, more specifically, under the Office 2013 product.

Approving Dynamic Updates

2012-10-09T16:53:50Z

Updates under Windows 8 Dynamic Update Category are used by Windows 8 and Windows Server 2012 to obtain critical driver, component and setup improvements during initial setup. These updates are automatically obtained by PCs during setup. In environments managed by WSUS, SCCM or Intune, it’s important to approve this category to ensure your devices have access to the same critical updates to ensure successful initial setup of your PC. For additional information about Dynamic Updates, see TechNet link http://technet.microsoft.com/en-us/library/jj618316.aspx.”

New Product Family for Microsoft BitLocker Administration and Monitoring

2012-07-11T17:18:55Z

We will be adding a new product family to your WSUS server – Microsoft BitLocker Administration and Monitoring (MBAM). This product family will include updates for the MBAM product. It will allow a variety of
update types, e.g. service packs, optional updates, critical updates, and security updates. MBAM updates will also be available in the Microsoft Update Catalog at http://catalog.update.microsoft.com.

You should synchronize the MBAM family if you have this product in your managed environment. For additional information about MBAM, see http://www.microsoft.com/en-us/windows/enterprise/products-and-technologies/mdop/mbam.aspx.

Further Hardening of WSUS Now Available

2012-06-08T16:43:00Z

Hello,

As we mentioned previously, Microsoft is releasing an update to further harden the Windows Server Update Services (WSUS) as a defense-in-depth precaution for our customers. This update is now available for download. As an additional measure, we are providing the SHA1 and SHA2 hashes of the WSUS update and the WU client files we released today. This allows administrators to verify that the files they download are from Microsoft. The hashes are listed in the update KB article. We strongly urge WSUS administrators to apply these updates as soon as possible to take advantage of the added security they offer. If you’d like to read more, please review the MSRC blog for more information.

Please follow the following steps to ensure a smooth deployment:

Apply Security Advisory Update 2718704, issued on June 3, which moved unauthorized digital certificates derived from a Microsoft Certificate Authority to the Untrusted Store.
Apply the WSUS update, issued on June 08, see KB 2720211.

Thank you,

WSUS team

Update to Windows Update, WSUS Coming This Week

2012-06-06T19:06:00Z

Hello,

As part of the phased mitigation strategy we outlined on the MSRC blog, an update was released with Security Advisory 2718704 that prevents unauthorized certificates from being used to attack Windows systems. In an effort to provide additional protection for customers, the next action in our mitigation strategy is to further harden Windows Update as a defense-in-depth precaution. Now that we have seen broad adoption of Security Advisory 2718704, our deployment of the security hardening update to Windows Update and Windows Server Update Services (WSUS) infrastructures will begin to roll out over the next few days.

Our hardening introduces two defense-in-depth changes. First, we have further hardened the Windows Update infrastructure so that the Windows Update client will only trust files signed by a new certificate that is used solely to protect updates to the Windows Update client. Second, we are strengthening the communication channel used by Windows Update in a similar way. WSUS customers will also receive an update; more details will be found on the Knowledge Base when the update becomes available.

As with past updates, this update will not change your current Windows Update or Automatic Updates settings. Anytime Windows Update (or Automatic Updates) is turned on, either set to automatically install updates or notify to install updates, Windows Update will take care of updating itself.

It’s important to keep your PC up to date with the latest updates to keep your PC running smoothly and safely.

WU/WSUS Team

New product categories under System Center family

2012-04-06T21:02:00Z

Two new product categories will be added to your WSUS server under the System Center family, entitled System Center 2012 – App Controller and System Center 2012 – Virtual Machine Manager. You will see these new categories when new updates are available for these products. We encourage you to sync these new categories if you have these products in your managed environment.