The information below is somewhat out of date for the final version of the reporting APIs.  Functionality in the UI is very much the same as in RC, but the API behavior was changed to make it easier to get correct results.  We'll make another blog post soon.   -- Matthew

Blog entry from beta2/pre-RC timeframe:

One of the big areas of feedback for the WSUS 3.0 Beta has been around reporting features.  Looks cool, but so far the results haven't been as predictable (or correct) as they should have been.  I'll cover some of the philosophy behind the feature, give some insights on how the APIs used for reporting work, and build all that together into where we went astray for the Beta. 

WSUS has never, to date, provided direct access to our database.  From the customer's perspective, aside from a few options in setup to configure the DB, we might as well be storing information in CSVs.  We've taken that approach to avoid complexity around publishing and maintaining compatibility around our schemas and stored procedures.  Without published support for the schema, you can't do extended reporting with great products like SQL Reporting Services.  Further, remote console administration is hampered by database engines like the system component DB engine that doesn't allow remoting, and remote DB installs introduce double-hop authentication issues.  Instead, our reporting is exposed via our API. 

Two of the key APIs we use for reporting are available from IUpdateServer: GetSummariesPerUpdate(UpdateScope updatesToInclude, ComputerTargetScope computersToInclude) and a similar GetSummariesPerComputerTarget(UpdateScope, ComputerTargetScope)

Looking over the scopes, you'll see that you can do some really powerful things:  Text searches, items that are (or aren't) in particular states, time based searches, et cetera.

As the old saying goes, however, Absolute Power bring Absolute Corruption.  In our case, maybe that's Absolute Confusion.

Say you want to ask a question like: "For every update in my organization with failures, show me how many computers didn't fail for that update."

You might logically start constructing your API call something like this: GetSummariesPerUpdate(), using an update scope with IncludedInstallationStates = Failed, and a computer scope that has ExcludedInstallationStates = Failed.

To understand what happens next, we'll go back to how the GetSummaries calls work.

GetSummariesPerUpdate() starts off by getting all Updates from the DB that have at least one computer in the state you specified in the IncludedInstallationStates.  Put succinctly, that's every update that has at least one computer that reported a failure for that update. 

Then, a list of computers is generated - every computer that meets the computer criteria.  In our example using ExcludedInstallationStates, that's every computer that has no failures for any update. Remember this point: no failures for any update, not no failures for a particular update in the first list.

Now, for the final trick:  For every update in the first list, we figure out the state (relevant to each update) for every computer in the second list.  Count up the tally of each state, and that's the summaries returned for each update. 

Once again, you've now got a list of summaries for every update that had at least one computer with a failure, and a summarization of computer states only against computers that had no failures at all for any update. 

If you haven't figured out why this is bad, I'll go over what you might have expected with the initial question. 

Imagine your organization has 2 computers (Ca, and Cb), and 2 updates (U1, and U2).  Both computers successfully installed U1, and both failed U2.

Our scenario wanted "show me all updates with no failures, and a count of states for all computers that didn't fail that update."  You'd expect to see U1 (no failures), with a count of 2 computer successes for that update.

Instead, you'd see U1 (no failures) and 0s in all summary fields.  All of the computers had at least one failure, and so were excluded from being summarized for all updates.  A detailed report in our UI would show no computers at all, just like the summary counts said.

Getting questions like this scenario right can be a little tricky - and often require some post processing.  I'll just say "this is why we have Betas," and is why we're so busy for the RC release.  I think you'll be pleased with the changes.

-- matthew

Hi WSUS Admins , Just wanted you all to know for those of you which have clients participating in the Forefront beta, there will be an increase in the publishing frequency of the definition updates. 

Microsoft Forefront Client Security will be providing definition updates at an increased frequency, effective immediately.  These updates, which were previously offered approximately once per day, will now be made available as they are released by Microsoft’s global malware research organization.

 We have included some additional information about Microsoft Forefront and Microsoft Forefront Client Security below, and you can learn more by visiting http://www.microsoft.com/forefront and http://www.microsoft.com/clientsecurity.  Other questions or concerns should be directed to your Microsoft TAP or private beta point of contact.

 Q. What is Microsoft Forefront Client Security?

A.  Microsoft Forefront Client Security provides unified malware protection for business desktops, laptops and server operating systems that is easier to manage and control. Built on the same highly successful Microsoft protection technology already used by millions of people worldwide, Forefront Client Security helps guard against emerging threats such as spyware and rootkits as well as traditional threats such as viruses, worms and Trojan horses.  By delivering simplified administration through central management and providing critical visibility into threats and vulnerabilities, Forefront Client Security helps you protect your business with greater confidence and efficiency. Forefront Client Security integrates with your existing infrastructure software, such as Active Directory, and complements other Microsoft security technologies for better protection and greater control.  Microsoft Forefront Client Security was previously known as Microsoft Client Protection.

 Q. What is Microsoft Forefront?

A. Microsoft Forefront is a comprehensive line of business security products providing greater protection and control through integration with existing IT infrastructure and through simplified deployment, management, and analysis. The Microsoft Forefront line of business security products helps provide protection for client machines, server applications, and the network edge. 

Three new product categories will be added to your Windows Server Update Services (WSUS) Beta2 server over the next day or two, under the Microsoft Windows family. The new categories will be entitled “Windows Vista”, “Windows Ultimate Extras” and “Windows Vista Ultimate Language Packs.” The Windows Vista category is being included in preparation for the Windows Vista release. Over the life of Windows Vista, the Windows Vista Ultimate Extras category will include all Extras as they are released. Windows Ultimate Extras will be offered through WSUS and will work only on computers running Windows Vista Ultimate.

The Windows Vista Ultimate Language Packs category will allow Microsoft to deliver Multilingual User Interface Packs to customers who have Windows Vista Ultimate. Language Packs will not be available through WSUS. Enterprises with volume licensing agreements can download the Language Packs from the MVLS Web site instead.

Chinmay Parekh (WSUS)

There have been numerous posts where people ask about ways to delay (or cancel) the reboot of the client machine once the update is "installed".

Let me attempt to elaborate on the relationships between download, install and reboot operations and how they should be spaced in time for the client machine to be in the most stable and secure state.

Summary:

(1) Download and install are two independent and distinct operations.

(2) Install and reboot are two very closely tied operations.

Just downloading the update on your machine has no effect in patching the machine.

A downloaded but not-installed update does not affect the security or functionality of the machine in any way.

On the other side, for an update which requires reboot; the install and reboot operations should be tied together very tightly. For an update that requires reboot, the update is NOT installed until the system reboots. A partially installed update (pending reboot) results in a non-updated and insecure state of the machine. Also since this is a ‘synthesized’ state, it can result in instability.

Ideally, install and reboot should be a quantum operation.

Let me explain this point with an example.

Let's say update U requires reboot.

You install U on your machine and have not rebooted the machine yet.

At this stage the update is NOT fully installed. Only after the machine is rebooted, the update is fully installed.

So as an admin, one should try to view install and reboot operations as part of a single transaction.

The admin should attempt to minimize the time for which any machine is in a reboot pending state.

Conclusion:

Admins are far better off to schedule the installation of reboot required updates at a time when the system can be safely rebooted vs delaying reboot to introduce stability risk in combination with the system not being updated and protected.

Next:

There are various settings in the group policy which the can control the reboot behavior of client machine and the user experience around this.

Most relevant ones being

· No auto-restart for scheduled Automatic Updates installation

· Delay restart for scheduled installations

· Re-prompt for restart with scheduled installations

I will blog about it next. Stay Tuned…

Chinmay Parekh (WSUS)