
Hi everyone,

 

Windows XP Service Pack 3 (SP3) was made available to Windows Server Update Services this morning, classified as a service pack.  It includes previously released updates and hotfixes to Windows XP and creates a new baseline for servicing.  For more information about what's changed and how to deploy, see the Windows XP Service Pack 3 Overview.

 

One thing you may be aware of, if you happen to be managing any clients running Microsoft Dynamics Retail Management System, is an incompatibility Microsoft Dynamics RMS has with Windows XP SP3.  To address the problem, we’ve added a filter to help prevent Windows XP SP3 from being installed on clients managed by WSUS and will make a fix available soon (more info here).

 

-Cecilia Cole

WSUS Program Manager

EminentWare has released a WSUS Extension Pack that takes advantage of native WSUS and Windows capabilities to enable extended update management and reporting. EminentWare’s Extension Pack contains features many of you have requested over the past year including:

 

·         Extended Inventory Reporting including approved updates only

·         Discovery and identification of rogue machines on the network

·         Force real-time download and install of updates from the Update Server

·         Apply Windows Update Local Policy Settings to one or more machines

·         Advanced Shutdown, Reboot and Wake-on-Lan capabilities

·         Force refresh of Group Policy on machines

·         Schedulable automated WSUS cleanup

·         Repair / forced re-install of the Windows Update Agent

·         Locally published Updates - Enable 3rd party updates

·         Flexible computer grouping and management

·         Granular Approval Delegation of the Update management process

·         View / Report on client and server configurations, Update history & status

·         Create custom reports via easy to use report builder

 

A free fully functional 30 day trial is available for download on EminentWare’s website http://www.eminentware.com. EminentWare’s product can also be viewed at the Microsoft Management Summit April 28 – May 2nd in Las Vegas.

 

WSUS Admins;

 

We’ve seen a little bit of confusion around the specific WSUS behavior with the OGA update.  As most of you know the package is expired, so it’s no longer available to your WSUS servers. Also, not to bore the experts who know this, auto-approval rules don’t apply to updates that require explicit EULA acceptance, which this one does.  Only manual approval and EULA acceptance will have made this update available to your clients, even if you had auto-approval rules applied.

 

The WSUS team

 

WSUS Admins:

 

On April 15th the Office Genuine Advantage (OGA) notifications update (KB949810) was inadvertently published to WSUS servers for approximately twenty-four hours. This update was intended for Microsoft Office users in the pilot countries of Italy, Spain, Turkey and Chile, but because of WSUS publication, it became available to WSUS managed clients inside and outside of these intended countries.  This update has since been removed from WSUS.  For servers which synchronized the OGA update package, the package required a EULA acceptance before it could be made available to WSUS managed clients, via either manual approval, or auto-approval rules.   OGA notifications are designed to alert customers who are using non-genuine software, and are thus more vulnerable to activation exploits and the risks of counterfeit. As such, this update was marked critical for WSUS.

 

 

We are available to offer full assistance if you have problems or questions related to this issue, via your regular support channels.  Customers who want to learn more about OGA notifications can reference the online KB Article.  Customers who require support should submit  a Technical Support Request for Microsoft Genuine Advantage Issues.  

Folks,

Today, April 8, the Windows Update team is making the Hyper-V Release Candidate package available as an "Optional Update" via Windows Update for all Windows Server 2008 SKUs. It will also be published as an "Optional Update" to WSUS. For more detailed instructions, please refer to How to Install Windows Server 2008 Hyper-V Release Candidate.

For more information about the availability of new and changed updates available for WSUS, please visit our TechNet site under  "WSUS Updates".

Thank you.

Cecilia Cole | WSUS Program Manager


Following up on last week’s entry, WSUS 3.0 SP1 will be available today, Tuesday, March 25 to WSUS, Windows Update site and Catalog site. The Service Pack will gradually be released through the Automatic Update pipeline starting about 14 days after this date to WSUS servers or machines just running the WSUS 3.0 Administration Console connected directly to WU/MU via AU.  It should be noted that Vista’s Windows Update Control Panel Applet or WUA may allow you to install the update earlier. This can be done within WUA from the first screen by electing to download and install pre-selected updates.

 

For more information on WSUS 3.0 SP1, please refer to KB 948014.

Thank you!

 

WSUS Team

Good morning folks!

 

I wanted to bring to your attention the fact that on 03/18, Windows Vista SP1 was made available for Windows Vista systems in English, French, German, Spanish, and Japanese.

 

For WSUS users, the Standalone Package of the Service Pack and its prerequisites will be available on the MU Catalog Tuesday March 25 but before that, there are a few things to take into consideration:

 

-      This process applies to WSUS 3.0 RTM and SP1 servers only.

-      If you are running your WSUS server on a Windows 2003 Server, you will first need to download and install the WinTrustVerify update (KB 938759) on that server.

 

Procedure for importing the Vista SP1 standalone package into a WSUS 3.0 server

 

1.                  Make sure KB 938759 has been installed on the server. If it has not been installed, the subsequent steps to import of Vista SP1 will fail.

2.                  Open the WSUS Administrator console, then expand the Update Services node, then the node for the WSUS Server.

3.                  Right-click the Updates node and select “Import Updates” which will open the Microsoft Update Catalog web site in a new browser window.

4.                  In the Microsoft Update Catalog site, search for “Vista SP1” and click Search.

5.                  In the Microsoft Update Catalog results, choose the option to "Add" the following packages into the download basket:

6.                  To import the Windows Vista Service Pack 1 Standalone packages, Add “Windows Vista Service Pack 1 – Standalone (x86)” and/or “Windows Vista Service Pack 1 – Standalone (x64)”.

7.                  Once the packages are selected, click the ‘View basket’ option.

8.                  Confirm the selections then click “Import” to import the selected packages and any prerequisites into the WSUS Server.  Once complete, click "Close" to close the Import Progress window and close the Microsoft Update Catalog site in the browser.

9.                  In the Windows Server Update Services administrator console, confirm the appropriate packages and prerequisites are available.

 

 

Note: for details on the Windows Vista Service Pack 1 and Service Pack 1 Standalone versions, please read the Windows Vista Service Pack 1 Deployment Guide.

 

To learn about known caveats when upgrading to Windows Vista Service Pack 1, please read KB 948343.

Also, for more details on this release, check out the Windows Vista Service Pack 1 TechNet site.

 

Please, note that even though this update is only available on the MU catalog site now, it will eventually be released to WSUS as a Service Pack, so it will flow to WSUS servers at a future date. Details on how this will work will be provided in an upcoming KB.

 

Thank you.

 

Cecilia Cole

WSUS Program Manager


WSUS 3.0 SP1 will be available on Windows Update within the next few weeks.  The package behavior is:

 

1.       Upgrade all previous versions of WSUS starting with WSUS 2.0 to WSUS 3.0 RTM running on Windows 2003 SP1+  

2.       All upgrades will require user interaction.

3.       This service pack package will supersede WSUS 3.0 RTM packages. 

4.       Block upgrades of all WSUS installation using remote SQL.   This is now a manual upgrade process.

5.       Do not support upgrading previous versions of WSUS running on Windows 2008.

6.       System Center Essentials 1.0 RTM will not be upgraded to WSUS 3.0 SP1.  This will be handled by a future release of System Center Essentials.

 

Note: “WSUS 2.0 SP1” and “WSUS 2.0 Client SelfUpdate Update for WSUS 2.0 SP1” packages will be expired.  These updates are still available on the Download Center.

 

Thank you for your support!

 


Good afternoon folks!

I just wanted to let you know that we are planning on providing some guidance for the community next week to coincide with the availability of Vista SP1 to WSUS, please check back next week for more information, thank you!

Cecilia Cole | WSUS Program Manager


Hello folks!

I wanted to refresh your memory regarding a post we published a month ago about a new product family called Silverlight. Starting today, it will be available as a feature pack for WSUS admins, and MU users will see it as an optional update. Enjoy!

 

 

Thank you.

 

Cecilia Cole

WSUS Program Manager

Dear WSUS users,

 

I am very excited to announce the release of WSUS 3.0 SP1, now live and ready for download! This is a significant release that represents a huge milestone for all involved and we thank you greatly for your feedback and support throughout the life cycle of this project. 

 

WSUS 3.0 SP1 can be installed stand-alone or as an in place upgrade to WSUS 2.0 SP1 or WSUS 3.0 RTM.

 

The improvements that SP1 offers compared to WSUS 3.0 RTM include:

·  Support for Windows Server 2008

·  Support for Microsoft SQL Server 2008

·  Enhanced bulk approval capability, preserving existing approvals

·  Support for separate proxy servers and ports for SSL and non SSL traffic

·  Better performance 

·  Detailed computer reports that can be imported to Excel

 

For those of you who are still on WSUS 2.0, a description of the new features in WSUS 3.0 RTM is quite long and can be found in the overview guide.

 

WSUS 3.0 SP1 is now located at the Microsoft Download Center. It will also be released via Microsoft Update, the Catalog, and WSUS in late March. To download and to obtain installation instructions, please visit the following Microsoft Web site: http://www.microsoft.com/downloads/details.aspx?FamilyId=F87B4C5E-4161-48AF-9FF8-A96993C688DF&displaylang=en

 

Congratulations team and WSUS community on this great milestone, enjoy!

 

Cecilia Cole

WSUS Program Manager

 


Folks,

I wanted to bring to your attention that on February 12, Microsoft will release the IE7 Installation and Availability update to WSUS marked as an Update Rollup package. What this means is that this update will automatically flow only to clients of WSUS servers that have been configured to auto-approve update rollups, which as you know, is not the default or commonly used WSUS configuration. But for those few that do, the IE7 team has provided an excellent guide for planning this deployment at http://support.microsoft.com/kb/946202/en-us.

Thanks.

Cecilia Cole  | WSUS Program Manager

WSUS Admins, happy Monday!

I wanted to remind you that a new Microsoft product family called Silverlight will be available to WSUS customers this Tuesday, January 22nd.

Silverlight blends animation, audio/video, and interactivity on your Microsoft Internet Explorer and Mozilla Firefox web browsers. For more information about the product, installers and updates availability, please read the blog that the folks of the MU team have posted:

http://blogs.technet.com/mu/archive/2008/01/18/new-product-family-and-update-silverlight-available-to-wsus-mu-and-mu-catalog.aspx

 

Thanks!

 

Cecilia Cole

WSUS Program Manager


There are multiple ways updates can be deployed through WSUS to client machines (“client machines” mean clients of the WSUS server - the machines may be running either client or server operating systems). This posting describes these mechanisms and the way they can be controlled by the administrator in order to ensure unexpected changes do not occur.

·         Explicit approval. An administrator can explicitly approve an update for installation to a group of machines.

·         Auto-reapprove revisions. By default, when a new revision of an approved update is synchronized to the WSUS server we move the approval to the new revision. Normally this is what customers want, since new revisions never contain new binaries, just fixes to the metadata that describe how to automate the installation of the update. However we had one incident when a new revision of the Windows Desktop Search update changed the metadata so that the new revision was offered to *all* machines but the old revision was offered only to machines with older versions of Desktop Search installed, which caused it to be deployed more widely than expected for many customers (see http://blogs.technet.com/wsus/archive/2007/10/25/wds-revision-update-expanded-applicability-rules-auto-approve-revisions.aspx for details). Since then, we’ve added processes to ensure this type of change will not happen again. The administrator has direct control over this and can disable the option to auto-reapprove revisions.

o        Warning: turning off auto-reapprove revisions can create problems if the administrator has “definition updates” (signatures) in their synchronization options, because definition updates get created and expired fairly quickly and the expired ones won’t get auto-unapproved. As described in KB 938947, this can quickly lead to having too many updates approved, which can cause problems for client-server communication. If auto-reapprove revisions is turned off, the administrator will need to manage revisions themselves: looking for older revisions that are approved and either unapproving them (if the new revision is marked “expired”) or moving the approval to the new revision. We have provided a PowerShell sample script at http://www.microsoft.com/technet/scriptcenter/scripts/sus/server/susvms09.mspx that can be used to manage revisions.

·         Auto-approve WSUS updates. Some updates are marked as “infrastructure” updates, which means they are needed by WSUS or WUA for proper detection and scanning for many updates. These updates include MSI 3.1. WSUS creates approval rules for these by default, since they are necessary for the update system to work properly. The administrator has direct control over this and can disable the option to auto-approve WSUS updates. If disabled, WSUS will notify the admin in the home page (TODO list) that there are unapproved WSUS updates, which can lead to infrastructure problems (e.g., if MSI 3.1 is not installed on client machines, then many updates, including Office Updates, can’t be properly detected).

·         Auto-approval rules. Administrators can create custom rules to auto-approve updates (e.g., auto-approve all security updates to all computers, or auto-approve all updates to a test target group). The administrator has direct control over this and there are no auto-approval rules enabled by default.

·         Initial client self-update. When a WSUS client’s Windows Update Agent (WUA) first synchronizes against a WSUS server, it checks if the server has a newer version of the agent available in the server’s “self-update” tree. If a newer version is available, the agent will self-update before completing the synchronization. Although Automatic Updates will check for self-update on every synchronization, the self-update will only occur on the first synchronization unless the admin explicitly applies an update to the WSUS server’s self-update tree (the next scenario).

o        Note: Newer versions of WUA on a particular operating system are backwards-compatible with the older versions of WSUS that support that operating system.  So after WUA self-updates to the latest version, the client can later be managed by an  older WSUS server if desired. The agent never “self-downgrades” (it will stay on the latest version of WUA when talking to an older server).

·         Subsequent client self-updates. The WSUS team may provide an update to the WSUS server itself that modifies the client self-update tree on the server. As of this writing, only two such updates have been released: WSUS 2 SP1 (which modified the WSUS 2 self-update tree) and KB 936301 (which modified the WSUS 2 SP1 self-update tree). Such updates flow to the WSUS server as normal updates. If the admin approves such an update for install on the WSUS server, then the WSUS server self-update tree will be updated and subsequently all clients that synchronize against the server will self-update. The administrator has direct control over this since clients will only perform this subsequent self-update if the administrator approves an update to the self-update tree.

·         Update from Microsoft Update. End users on client machines can go to Windows Update or Microsoft Update and install updates (and WUA self-updates) directly. The administrator has direct control over this since they can configure the Windows Update Agent to disallow end-user access to Windows Update and Microsoft Update.

 

WSUS and AU have log files that allow customers to understand when and why a given update was installed on a machine:

·         The Windows Update Agent has a log file “%windir%\WindowsUpdate.log” with verbose logging on updates that have been installed.

·         WSUS 3.0 has a log file “%Program Files%\Update Services\LogFiles\changes.log” that contains a record of all recent approvals and who made them. If the approval was created automatically (e.g., auto-reapprove revision, auto-approval rule, or auto-approve WSUS updates), the user in the log will be “WSUS Service”.

 

-Marc Shepard, WSUS Lead Program Manager
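
The approval audit that the mechanisms and log files above call for, written against the WSUS administration API in PowerShell. This is an added example, not part of the original post and not the Script Center sample it links to; the `$AutoAccount` default is an assumption taken from the name the post gives for changes.log, so check it against the grouped output on your own server.

```powershell
# Added example (not from the original post). Run on the WSUS 3.0 server itself
# under an account in the WSUS Administrators or WSUS Reporters group.
param(
    # Assumption: automatic approvals are recorded under the same account name
    # the post gives for changes.log. Adjust after reviewing section 1 below.
    [string]$AutoAccount = 'WSUS Service'
)

[void][Reflection.Assembly]::LoadWithPartialName('Microsoft.UpdateServices.Administration')
$wsus = [Microsoft.UpdateServices.Administration.AdminProxy]::GetUpdateServer()
$states = [Microsoft.UpdateServices.Administration.ApprovedStates]

# Map target group IDs to names so the report is readable.
$groupName = @{}
foreach ($g in $wsus.GetComputerTargetGroups()) { $groupName[$g.Id] = $g.Name }

# Updates whose latest revision carries an approval.
$scope = New-Object Microsoft.UpdateServices.Administration.UpdateScope
$scope.ApprovedStates = $states::LatestRevisionApproved
$latest = $wsus.GetUpdates($scope)

# Flatten every approval into one row: what, for which group, by whom, when.
$approvals = foreach ($u in $latest) {
    foreach ($a in $u.GetUpdateApprovals()) {
        [pscustomobject]@{
            Title          = $u.Title
            Classification = $u.UpdateClassificationTitle
            Action         = $a.Action
            TargetGroup    = $groupName[$a.ComputerTargetGroupId]
            Administrator  = $a.AdministratorName
            Created        = $a.CreationDate
        }
    }
}

'1. Approvals per account (automatic approvals show up under one service name):'
$approvals | Group-Object Administrator | Sort-Object Count -Descending |
    Format-Table Name, Count -AutoSize

'2. Most recent approvals made by a person rather than by a rule:'
$approvals | Where-Object { $_.Administrator -ne $AutoAccount } |
    Sort-Object Created -Descending | Select-Object -First 25 |
    Format-Table Created, Administrator, Action, TargetGroup, Title -AutoSize

# With auto-reapprove revisions turned off, these two lists grow silently.
'3. Updates where an older revision is still approved:'
$stale = New-Object Microsoft.UpdateServices.Administration.UpdateScope
$stale.ApprovedStates = $states::HasStaleUpdateApprovals
$wsus.GetUpdates($stale) |
    Format-Table Title, @{n = 'LatestRevision'; e = { $_.Id.RevisionNumber }}, PublicationState -AutoSize

'4. Approved updates whose latest revision is expired (unapprove candidates):'
$latest | Where-Object { $_.PublicationState -eq 'Expired' } |
    Format-Table Title, UpdateClassificationTitle, ArrivalDate -AutoSize
```

The script only reads from the server; unapproving or moving an approval stays a deliberate manual step.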

 

WSUS Admins, Happy New Year!!

  

I wanted to provide some guidance on the prerequisite update (KB935509) for Windows Vista Service Pack 1 because it’s a little different than the typical content we release.  You may have read about it on the Windows Vista team blog.

 

This update, which will be released on Tuesday, is a prerequisite for installing Windows Vista Service Pack 1 on Windows Vista Ultimate and Enterprise editions.   Even if you don't plan on installing the service pack for awhile, you may still want to test and deploy this update.  Not only does it make improvements to the boot loader, but it's also required prior to installing the two upcoming prerequisites for SP1.  The two upcoming prerequisites will have an updated installer technology which will increase performance and reduce failures for the installation of updates, which are great improvements to make even if you choose to wait to deploy SP1. 

 

Deploying this update and one of the upcoming prerequisites will also eliminate one reboot once you are ready to deploy SP1, which will be available in the first quarter of 2008. In fact, we're distributing the update during this Tuesday's release  in an effort to reduce customer pain associated with multiple reboots.

 

To learn more about this specific update, see KB article number  KB935509.

 

One more thing, remember that you can find information on the content released through Windows Update and Microsoft Update from the following site: http://technet.microsoft.com/en-us/wsus/default.aspx

 Thank you!

 Cecilia Cole

WSUS Program Manager
