WSUS Server 2012 R2 Windows 10 Feature Updates not found

So you are on Server 2012 R2 and have a WSUS server to serve your updates to your Windows 10 clients. Perfect!
But now you need to deploy the feature upgrades (i.e. version 1511).

Well, first you have to deploy a hotfix to your WSUS server (https://support.microsoft.com/en-us/kb/3095113).

About this hotfix:

This hotfix enables Windows Server Update Services (WSUS) on a Windows Server 2012-based or a Windows Server 2012 R2-based server to sync and distribute feature upgrades for Windows 10. This hotfix is not required to enable WSUS to sync and distribute servicing updates for Windows 10.

And here it comes:

This update must be installed before you sync the upgrades classification. Otherwise, you might encounter issues when you synchronize and distribute feature upgrades for Windows 10. For more information, see the Important update for WSUS 4.0 (KB 3095113).

Uhhh wait, I did not RTFM…..

At least I can see the updates:


But when I deploy them, my clients all come back with the message ‘File not found’ (or WSUS error 0x8024200D or 0x80246007). And of course they all report failure back. Nice, now everything is red.

But the fix is easy. The new feature updates are delivered as .esd files. And the IIS instance of WSUS doesn’t know what to do with them. So they are not downloaded!

See in the WSUS console under ‘File Information’


Just go to the WSUS console and add the right MIME-type for .esd.

This is application/octet-stream

Just the Content directory will suffice.


Not even a reboot or anything is needed.

And now the clients are downloading the feature updates and installing them!
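
The same MIME-type change made from PowerShell instead of the GUI, as an added example that is not part of the original post. The site name `WSUS Administration` is an assumption (on some servers WSUS lives in ‘Default Web Site’), so adjust `$SiteName` first.

```powershell
# Added example: register .esd as application/octet-stream on the WSUS
# Content virtual directory so IIS will serve the feature-upgrade files.
Import-Module WebAdministration

$SiteName = 'WSUS Administration'   # assumption: may be 'Default Web Site'
$PsPath   = "IIS:\Sites\$SiteName\Content"
$Filter   = "system.webServer/staticContent/mimeMap[@fileExtension='.esd']"

if (-not (Test-Path $PsPath)) {
    throw "Virtual directory not found: $PsPath"
}

# The mapping may already exist here or be inherited from a higher level;
# adding a duplicate mimeMap entry makes IIS return configuration errors.
$existing = Get-WebConfiguration -PSPath $PsPath -Filter $Filter
if ($existing) {
    "'.esd' is already mapped to '$($existing.mimeType)' for $PsPath"
}
else {
    Add-WebConfigurationProperty -PSPath $PsPath `
        -Filter 'system.webServer/staticContent' -Name '.' `
        -Value @{ fileExtension = '.esd'; mimeType = 'application/octet-stream' }
    "Added '.esd' -> application/octet-stream on $PsPath"
}

# Read the effective mapping back to confirm what IIS will now use.
Get-WebConfiguration -PSPath $PsPath -Filter $Filter |
    Select-Object fileExtension, mimeType
```

Scoping the mapping to the Content directory keeps the change as narrow as the post describes; the other WSUS virtual directories do not serve .esd files.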

Configuration Manager 2012 – Software Updates That Require Multiple Reboots may Cause Task Sequence Failure

OK, so sometimes your OSD Task Sequence in ConfigMgr 2012 (or even 2007...) fails on you? Tried all the usual troubleshooting steps?

Well, maybe not all of them: check your Windows Updates!

Yes, Microsoft has confirmed that there are updates out there that will break your Task Sequence.

This is the KB about that:

KB2894518 – Software Updates That Require Multiple Reboots may Cause Task Sequence Failure within Configuration Manager (http://support.microsoft.com/kb/2894518)

If a Configuration Manager (ConfigMgr 2007 or ConfigMgr 2012) Task Sequence that leverages the Install Software Updates step installs a software update that triggers multiple reboots, the task sequence may fail to complete successfully. This occurs because the first reboot initiated by the software update is properly controlled by the Task Sequence, however the second reboot request is initiated by a Windows component (typically Component-Based Servicing) and therefore not controlled by the Task Sequence.

In short, the following updates affect your OSD Task Sequence:

  • 2862330 MS13-081: Description of the security update for 2862330: October 8, 2013
  • 2771431 A servicing stack update is available for Windows 8 and Windows Server 2012
  • 2871777 A servicing stack update is available for Windows RT, Windows 8, and Windows Server 2012: September 2013
  • 2821895 A servicing stack update is available for Windows RT and Windows 8: June 2013
  • 2545698 Text in some core fonts appears blurred in Internet Explorer 9 on a computer that is running Windows Vista, Windows Server 2008, Windows 7, or Windows Server 2008 R2
  • 2529073 Binary files in some USB drivers are not updated after you install Windows 7 SP1 or Windows Server 2008 R2 SP1
  • 2871690 Microsoft security advisory: Update to revoke noncompliant UEFI boot loader modules

2862330 in particular has the statement in its description 😉

After you install security update 2862330 on a computer that is running Windows 7 or Windows Server 2008 R2, your computer may restart two times. The additional restart is required to make sure that the security update is completely installed. Installation of this update may leave the system in a partly updated and therefore vulnerable state. To address this issue, the update performs an additional step to update the computer. This additional step may require an additional restart of the computer.

Note: Task sequence could fail in System Center Configuration Manager if the task sequence uses an “Install Software Updates” step to install software updates that require multiple restarts.

WSUS Error 2149842967

When installing patches and hotfixes silently (wusa.exe <some_patch_or_hotfix.msu> /quiet /norestart), it is advisable to check the Setup event log.

You may find an error like this there:

Windows update could not be installed because of error 2149842967

What Windows is actually saying:

The update is not applicable to your computer.

Well OK, that could also be in normal English 😉
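
The decimal number in that event is an HRESULT: 2149842967 is 0x80240017. The following added example (not part of the original post) pulls the failed installs out of the Setup log and decodes the number; the lookup table covers only the three Windows Update codes mentioned on this page, and `Convert-WusaError` is a hypothetical helper name.

```powershell
# Added example: decode the decimal error that wusa.exe writes to the Setup log.
$KnownCodes = @{
    '0x80240017' = 'WU_E_NOT_APPLICABLE: update is not applicable to this computer'
    '0x8024200D' = 'WU_E_UH_NEEDANOTHERDOWNLOAD: update must be downloaded again'
    '0x80246007' = 'WU_E_DM_NOTDOWNLOADED: update has not been downloaded'
}

function Convert-WusaError {
    param([Parameter(Mandatory)][string]$Message)

    # The Setup log reports the HRESULT as an unsigned decimal number.
    if ($Message -notmatch 'error (\d+)') { return $null }
    $decimal = $Matches[1]
    $hex     = '0x{0:X8}' -f [uint32]$decimal

    [pscustomobject]@{
        Decimal = $decimal
        Hex     = $hex
        Meaning = if ($KnownCodes.ContainsKey($hex)) { $KnownCodes[$hex] }
                  else { '(not in the table above)' }
    }
}

# Constructed sample: the message text quoted in this post.
Convert-WusaError 'Windows update could not be installed because of error 2149842967'

# Live check: recent failures in the Setup log of the local machine.
Get-WinEvent -LogName Setup -MaxEvents 200 -ErrorAction SilentlyContinue |
    Where-Object { $_.Message -match 'could not be installed because of error' } |
    ForEach-Object {
        $decoded = Convert-WusaError $_.Message
        [pscustomobject]@{
            Time    = $_.TimeCreated
            Hex     = $decoded.Hex
            Meaning = $decoded.Meaning
        }
    }
```

For a silent, unattended rollout this matters because /quiet suppresses the dialog that would otherwise tell you the patch never went on.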

WSUS and ConfigMgr 2012 HTTPS communication

When you have your ConfigMgr 2012 site fully communicating over HTTPS you may also want your Software Updates delivered over a secure channel.

Well, that’s possible!

More info: http://technet.microsoft.com/en-us/library/bb633246.aspx

When you have the WSUS component installed on the SCCM 2012 SP1 server, the same certificate that was used to secure the ‘Default Web Site’ can be used to secure the WSUS Administration site from within IIS.

TIP

Not all the virtual directories within the WSUS Administration site need to be enabled for SSL.
Only enable SSL for:

  • APIRemoting30
  • ClientWebService
  • DSSAuthWebService
  • ServerSyncWebService
  • SimpleAuthWebService

Web Server Configuration

 

To configure WSUS for SSL communication:

  1. Open Internet Information Services (IIS) Manager.
  2. Expand Sites, and select the WSUS administration site (which is often the ‘Default Web Site’).
  3. Click the Bindings action.
  4. Click Add, select HTTPS, and click Edit.
  5. Choose the certificate from the list.
    (Click View to verify the correct certificate was selected, click OK, and then click Close).
  6. Select the APIRemoting30 virtual directory.
  7. Double-click the SSL Settings option.
  8. Enable the Require SSL option and click Apply.
  9. Repeat for the ClientWebService, DSSAuthWebService, ServerSyncWebService, and SimpleAuthWebService virtual directories.

With the WSUS virtual directories correctly configured, run the following command on the WSUS server to finalize the configuration needed to support SSL:

WSUSUtil.exe configuressl {FQDN.siteservername}

This utility is located in the Tools folder within the WSUS installation folder.
(By default, this folder is C:\Program Files\Update Services\Tools).
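
Steps 6 to 9 and the WSUSUtil call as a script, as an added example that is not part of the original post. It assumes the HTTPS binding and certificate from steps 1 to 5 are already in place; the site name and the FQDN `wsus.example.test` are placeholders to replace.

```powershell
# Added example: require SSL on the five WSUS virtual directories listed in
# the TIP above, verify the result, then run WSUSUtil configuressl.
Import-Module WebAdministration

$SiteName = 'WSUS Administration'   # assumption: may be 'Default Web Site'
$WsusFqdn = 'wsus.example.test'     # placeholder: FQDN in the certificate
$SslDirs  = 'APIRemoting30', 'ClientWebService', 'DSSAuthWebService',
            'ServerSyncWebService', 'SimpleAuthWebService'
$Filter   = 'system.webServer/security/access'

# Requiring SSL without an HTTPS binding would cut every client off.
if (-not (Get-WebBinding -Name $SiteName -Protocol https)) {
    throw "No HTTPS binding on '$SiteName'; bind the certificate first."
}

foreach ($dir in $SslDirs) {
    # The access section is locked at server level, so write it as a
    # location entry in applicationHost.config (as IIS Manager does).
    Set-WebConfigurationProperty -PSPath 'MACHINE/WEBROOT/APPHOST' `
        -Location "$SiteName/$dir" -Filter $Filter -Name sslFlags -Value 'Ssl'
}

# Read the flags back so a missed directory shows up immediately.
foreach ($dir in $SslDirs) {
    $flags = Get-WebConfigurationProperty -PSPath 'MACHINE/WEBROOT/APPHOST' `
        -Location "$SiteName/$dir" -Filter $Filter -Name sslFlags
    if ($flags -isnot [string]) { $flags = $flags.Value }
    [pscustomobject]@{
        VirtualDirectory = $dir
        SslFlags         = $flags
        RequiresSsl      = ($flags -match '\bSsl\b')
    }
}

# Final step from the post, using the default install path it mentions.
& "$env:ProgramFiles\Update Services\Tools\WSUSUtil.exe" configuressl $WsusFqdn
```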

 

ConfigMgr Configuration

Under Administration – Overview – Site Configuration – Servers and Site System Roles choose your Software Update Point and select Properties.

Now select the Require SSL communication to the WSUS server option.

 

And as visible in the WCM.log we have SSL communication: