
Tag Archives: Update Management

Microsoft – Important changes to the update mechanism in Windows 8 and Windows Server 2012

For a very long time, the update mechanism for both Windows clients and Windows servers has been the same. With Windows 8 and Windows Server 2012 this has changed.

Even though I’d already found out that something had changed with the Windows 8/Windows Server 2012 update mechanism by using it, I didn’t really know what changed and why.

  1. Windows 8 Modern (Metro) Apps security patching does not work the same as regular security patching. For more information, read “Microsoft’s new security patching routine raises concerns”.
  2. Default behavior after you install an important update in Windows 8 or in Windows Server 2012 is that you receive a notice that you have to restart the computer in three days. If the restart does not occur in three days, the computer displays a 15-minute countdown and then automatically restarts. By default, this automatic restart is delayed if the computer is locked, and the countdown will begin the next time that you sign in to the computer. Update KB2835627 has been released that introduces a new registry key called AlwaysAutoRebootAtScheduledTime which enables you to configure a forced restart after installation if desired.
  3. This great blog post provides more insight: “Managing Updates with Deadlines in an era of Automatic Maintenance”. The reactions are also very interesting. Some of the key takeaways from this post:
    • A new feature called Automatic Maintenance runs nightly and performs various tasks such as lightly defragmenting hard drives (or TRIMming SSDs if necessary), checking, repairing, and optimizing the system component store, running anti-virus scans, installing updates, and more.
      • The setting for when to download and install updates doesn’t work in the same way as it did. While you can still set Windows Update to download updates and install them automatically or not, the day-of-the-week setting is not effective. It is included in the automatic maintenance and there isn’t a way to individually specify which maintenance tasks run on which day.
      • The Windows Update Agent doesn’t have to be active in the background all the time because of this. This consolidation reduces system resource usage and battery usage.
    • If you want to be in control of when updates will be installed you have to use WSUS and set deadlines for updates.
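The forced-restart setting from item 2 can be checked and set from PowerShell. This is an added example, not code from the original post; the function names are hypothetical, and it assumes the value is read from the Automatic Updates policy key shown in the code and that KB2835627 is installed.

```powershell
# Added example. Assumption: AlwaysAutoRebootAtScheduledTime is a DWORD under
# the Automatic Updates policy key below (honoured once KB2835627 is installed).
$script:AuPolicyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU'

function Get-WuRestartPolicy {
    param([string]$Path = $script:AuPolicyKey)

    # A missing key or a missing value both mean "not configured".
    $au     = Get-ItemProperty -Path $Path -ErrorAction SilentlyContinue
    $forced = [bool]($au -and $au.AlwaysAutoRebootAtScheduledTime -eq 1)

    $behaviour = if ($forced) {
        'Forced restart after installation'
    } else {
        'Default: restart notice, then countdown; delayed while the computer is locked'
    }

    [pscustomobject]@{
        ComputerName   = $env:COMPUTERNAME
        PolicyKeyFound = [bool]$au
        ForcedRestart  = $forced
        Behaviour      = $behaviour
    }
}

function Enable-WuForcedRestart {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param([string]$Path = $script:AuPolicyKey)

    # -WhatIf shows the change without writing it; run elevated to apply it.
    if ($PSCmdlet.ShouldProcess($Path, 'Set AlwaysAutoRebootAtScheduledTime = 1')) {
        if (-not (Test-Path -Path $Path)) {
            New-Item -Path $Path -Force | Out-Null
        }
        New-ItemProperty -Path $Path -Name 'AlwaysAutoRebootAtScheduledTime' `
            -PropertyType DWord -Value 1 -Force | Out-Null
    }
}

# Report the current state of this machine.
Get-WuRestartPolicy
```

On servers where an unplanned restart is a problem, run `Get-WuRestartPolicy` before and after a Group Policy change to confirm which behaviour is in effect.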

Even though I understand the reasoning behind the change, I would have preferred that Microsoft gave customers options to choose their preferred method. In my opinion this method makes sense for clients, but not so much for servers.

Also for some (smaller) companies the specific day and time patching method (including downloading from Microsoft Update) worked fine and now they might have to install, configure and maintain a WSUS server (including patch approvals) to achieve the same result.

What do you think about this? Leave a comment on either my blog or on the original blog post: Managing Updates with Deadlines in an era of Automatic Maintenance


SCOM2012 – Extract English Only MSP Update Rollup 3 files from CAB using PowerShell (and my vision on updating using WSUS/Microsoft Update)

I created this script to automate extracting English only MSP files from CAB files in the SCOM 2012 Update Rollup 3 (UR3) files. By default it will delete extracted non-English versions. With some minor modifications it can be used for any CAB file though, not just SCOM 2012 Update Rollup 3. It includes a lot of comments, so it is manageable and can be used for getting to know PowerShell better.

SCOM 2012 Update Rollup 3 can be downloaded here : http://catalog.update.microsoft.com/v7/site/search.aspx?q=2750631

The issue with SCOM 2012 Update Rollup 3 is that after downloading you’ll end up with a total of 41 CAB files. The large number of files is because they are for different components and in multiple languages. And what is even worse is that the file names do not show which file is for which language. This script will extract all CAB files to a subfolder and will then remove the non-English ones. Below are some of the example files in Update Rollup 3 to give you an idea about the nondescriptive file names:

  • all-kb2750631-amd64-console_1af57997fba722cdd3dfe4b2ddb4b8d8d829dd6f.cab
  • all-kb2750631-amd64-console_3d61c9e090622b2b59ee8bf7b13b922e815bdf15.cab
  • all-kb2750631-amd64-console_494a77ddaa09206f8f61ecdfb2edfcd1e82a497c.cab
  • all-kb2750631-amd64-console_69bb307dbd450cfd8b732c2ac3845c9870bdc6d0.cab
  • all-kb2750631-amd64-console_71c65fc2ded6769edbf610958780b5a8ac374f8c.cab
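A sketch of the extract-then-filter approach described above, with an integrity check before each CAB is unpacked. This is an added example and not the author's script: `Expand-EnglishMsp` and its parameters are hypothetical, and it assumes that the 40 hex characters in each file name are the file's SHA-1 and that localized MSPs carry a three-letter language code in their name. `Get-FileHash` requires PowerShell 4.0 or later.

```powershell
# Added example, not the author's script. Assumptions are marked inline.
function Expand-EnglishMsp {
    param(
        [Parameter(Mandatory = $true)][string]$CabFolder,
        [string]$OutFolder = (Join-Path $CabFolder 'Extracted')
    )

    # Assumption: non-English MSPs carry one of these codes in the file name;
    # ENU and language-neutral packages carry none of them and are kept.
    $otherLanguages = 'CHS|CHT|CSY|DEU|ESN|FRA|HUN|ITA|JPN|KOR|NLD|PLK|PTB|PTG|RUS|SVE|TRK'

    foreach ($cab in Get-ChildItem -Path $CabFolder -Filter '*.cab') {
        # Assumption: the 40 hex characters before ".cab" are the SHA-1 of the
        # file. A mismatch means a corrupted or altered download, so skip it.
        if ($cab.BaseName -match '_([0-9a-f]{40})$') {
            $expected = $Matches[1]
            $actual   = (Get-FileHash -Path $cab.FullName -Algorithm SHA1).Hash
            if ($actual -ne $expected) {
                Write-Warning "Hash mismatch, skipping $($cab.Name)"
                continue
            }
        }

        $target = Join-Path $OutFolder $cab.BaseName
        New-Item -ItemType Directory -Path $target -Force | Out-Null

        # expand.exe ships with Windows; -F:* extracts every file in the cabinet.
        & expand.exe $cab.FullName '-F:*' $target | Out-Null
        if ($LASTEXITCODE -ne 0) {
            Write-Warning "expand.exe failed for $($cab.Name)"
            continue
        }

        # Delete the extracted non-English packages.
        Get-ChildItem -Path $target -Filter '*.msp' |
            Where-Object { $_.BaseName -match "(^|[-_])($otherLanguages)([-_]|$)" } |
            Remove-Item

        # Drop the subfolder when nothing English or neutral is left in it.
        if (-not (Get-ChildItem -Path $target)) { Remove-Item -Path $target }
    }

    # Return what was kept so the result can be reviewed before deployment.
    Get-ChildItem -Path $OutFolder -Recurse -Filter '*.msp'
}
```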

Deploying SCOM 2012 components and updates to them can be done in multiple ways: http://technet.microsoft.com/en-us/library/hh551142.aspx

Most of the work while updating will probably be updating the agents. Basically for SCOM 2012 there are 2 major ways to install agents:

  1. Push installation (initiated from SCOM 2012). Updates can then also be deployed from within SCOM (Remotely Manageable = Yes). Push installation is often preferred, because it is easy and also allows you to push updates to clients from within SCOM 2012. The downside however is that it also requires a lot of open ports (including RPC), which might not always be acceptable: http://support.microsoft.com/kb/2566152. Push install and update install can also consume a lot of bandwidth, and depending on your architecture (e.g. WAN links), the push install might not be the best way.
  2. A manual installation (anything that is not a push installation). Updates cannot be deployed from within SCOM (Remotely Manageable = No). Manual installation includes running setup manually, using a GPO software install or using deployment tools like System Center Configuration Manager. Using the GUI, you cannot simply set an agent back to Remotely Manageable = Yes. You can change this in SQL though, but keep in mind that connectivity requirements still need to be met.

With Update Rollup 3, it is now possible to leverage WSUS / Microsoft Update to deploy updates (not the initial agent) to all SCOM 2012 components. I predict this will probably become the preferred way of updating SCOM 2012 for most companies:
+ It does not require many ports on your firewall to be opened.
+ Better bandwidth management (local WSUS, BranchCache, BITS).
+ Auto detects components on systems (component updates are not forgotten).
+ Still in control of when which updates are deployed/approved.
+ Leverage existing patch/update management procedures and systems WSUS/SCCM (standardization).
– Initial agent installation cannot be performed using WSUS.

PS: Also check these great blog posts when deploying Update Rollup 3:

 
