A couple of weeks ago I was thinking that I should blog that it’s a pity that Windows Management Framework (including PowerShell) could not be distributed through WSUS anymore. In the past it was available through WSUS, but it was removed (expired) at some point due to some issues.
This meant that you could not deploy PowerShell through regular WSUS, but had to either:
- Include it in your base image
- Install it manually
- Install it using scripting
- Install it using GPO
- Install it using WSUS add-on solutions to deploy 3rd party packages. Example solutions include, but are not limited to, Local Update Publisher (LUP), WSUS Package Publisher and SolarWinds Patch Manager.
- Install it using enterprise systems management software. Example solutions include, but are not limited to, System Center Configuration Manager (SCCM), Altiris, LANDesk Management Suite and Tivoli Endpoint Manager (BigFix).
- Install it using Intune
At many customers of ours this meant that PowerShell was left at version 2.0 for older operating systems unfortunately. For newer operating systems luckily version 3.0 was shipped by default. Still the version would never be updated in most cases.
Apparently the PowerShell team also thought something had to be done about that, because they made the Windows Management Framework (WMF) 5.0 RTM available via the Microsoft Update Catalog. Since it is published to the Microsoft Update Catalog, you have to manually import it to your WSUS environment. Also as the blog post states, before installing ensure you have reviewed known product incompatibilities (Exchange, SharePoint and System Center Virtual Machine Manager) and that the prerequisites are met.
I hope this will mean I will be seeing more up-to-date versions of PowerShell on systems of customers from now on.
One of the disadvantages however is that for operating systems before Windows 8.1/2012, a prerequisite is that WMF4 is installed, which cannot easily be deployed using WSUS unfortunately.
Tags: Powershell, Windows, Windows Management Framework, WMF, WSUS
For a very long time, the update mechanism for both Windows clients and Windows servers has been the same. With Windows 8 and Windows Server 2012 this has changed.
Even though I’d already found out that something had changed with the Windows 8/Windows Server 2012 update mechanism by using it, I didn’t really know what changed and why.
- Windows 8 Modern (Metro) Apps security patching does not work the same as regular security patching. For more information, read “Microsoft’s new security patching routine raises concerns”.
- Default behavior after you install an important update in Windows 8 or in Windows Server 2012 is that you receive a notice that you have to restart the computer in three days. If the restart does not occur in three days, the computer displays a 15-minute countdown and then automatically restarts. By default, this automatic restart is delayed if the computer is locked, and the countdown will begin the next time that you sign in to the computer. Update KB2835627 has been released that introduces a new registry key called AlwaysAutoRebootAtScheduledTime which enables you to configure a forced restart after installation if desired.
- This great blog post provides more insight: “Managing Updates with Deadlines in an era of Automatic Maintenance”. The reactions are also very interesting. Some of the key takeaways from this post:
  - A new feature called Automatic Maintenance runs nightly and performs various tasks such as lightly defragmenting hard drives (or TRIMming SSDs if necessary), checking, repairing, and optimizing the system component store, running anti-virus scans, installing updates, and more.
  - The setting for when to download and install updates doesn’t work in the same way as it did. While you can still set Windows Update to download updates and install them automatically or not, the day-of-the-week setting is not effective. Update installation is part of Automatic Maintenance, and there isn’t a way to individually specify which maintenance tasks run on which day.
  - The Windows Update Agent doesn’t have to be active in the background all the time because of this. This consolidation reduces system resource usage and battery usage.
  - If you want to be in control of when updates will be installed, you have to use WSUS and set deadlines for updates.
Even though I understand the reasoning behind the change, I would have preferred that Microsoft gave customers options to choose their preferred method. In my opinion this method makes sense for clients, but not so much for servers.
Also for some (smaller) companies the specific day and time patching method (including downloading from Microsoft Update) worked fine and now they might have to install, configure and maintain a WSUS server (including patch approvals) to achieve the same result.
What do you think about this? Leave a comment on either my blog or on the original blog post: Managing Updates with Deadlines in an era of Automatic Maintenance
Tags: ICT, Metro App, metro application, Microsoft, Modern App, modern application, patching, security, update, Update Management, Update Services, updates, Windows, Windows 2012, Windows 2012 Server, Windows 8, Windows Server 2012, Windows Server Update Services, WSUS
One of the tasks of a WSUS administrator is to make sure that WSUS clients are up-to-date. This requires the WSUS clients to report to the WSUS server on a regular basis.
So if clients do not report to the WSUS server, you need to investigate and resolve the issue.
This script will show you which WSUS clients haven’t reported in X days:
http://bjornhouben-web.sharepoint.com/Lists/Scripts/DispForm.aspx?ID=21
Another use case would be if you manage a WSUS infrastructure with an upstream server and multiple downstream servers for each customer. If one or more 3rd parties are responsible for managing the WSUS clients, you could use this script to automatically mail them the clients they’re responsible for that haven’t reported for X days.
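A sketch of such a report, added here as an example; it is not the linked script. It queries the WSUS administration API on the WSUS server and lists each silent client with its target groups, so the output can be split per responsible party. The `$Days` default and the `$CsvPath` parameter are assumptions.

```powershell
# Added example, not the linked script. Run on the WSUS server (or a host with the
# WSUS administration console installed) as a member of WSUS Administrators.
# Requires PowerShell 3.0 or later.
param(
    [int]$Days = 30,        # the "X" from the text; 30 is an assumed default
    [string]$CsvPath        # optional export path (hypothetical parameter)
)

[void][Reflection.Assembly]::LoadWithPartialName('Microsoft.UpdateServices.Administration')
$wsus = [Microsoft.UpdateServices.Administration.AdminProxy]::GetUpdateServer()

# Select every client whose last status report is older than the cutoff.
# The API works in UTC. Clients that never reported carry DateTime.MinValue
# and therefore fall inside the scope as well.
$now   = (Get-Date).ToUniversalTime()
$scope = New-Object Microsoft.UpdateServices.Administration.ComputerTargetScope
$scope.IncludeDownstreamComputerTargets = $true   # include clients of downstream servers
$scope.ToLastReportedStatusTime = $now.AddDays(-$Days)

$stale = $wsus.GetComputerTargets($scope) | ForEach-Object {
    $never = $_.LastReportedStatusTime -eq [datetime]::MinValue
    [pscustomobject]@{
        Computer      = $_.FullDomainName
        IPAddress     = "$($_.IPAddress)"
        Groups        = ($_.GetComputerTargetGroups() | ForEach-Object Name) -join ';'
        LastReportUtc = if ($never) { $null } else { $_.LastReportedStatusTime }
        DaysSilent    = if ($never) { $null } else { [int]($now - $_.LastReportedStatusTime).TotalDays }
        NeverReported = $never
    }
} | Sort-Object NeverReported, LastReportUtc

if ($CsvPath) {
    $stale | Export-Csv -Path $CsvPath -NoTypeInformation
} else {
    $stale | Format-Table -AutoSize
}
```

Clients flagged `NeverReported` registered with the server but never sent status, which usually points to a different fault than a client that stopped reporting after a period of normal operation.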
Tags: Powershell, report, Script, sync, Windows, WSUS, WSUS client, WSUS infrastructure, WSUS server
I created this script to automate extracting English-only MSP files from CAB files in the SCOM 2012 Update Rollup 3 (UR3) files. By default it will delete extracted non-English versions. With some minor modifications it can be used for any CAB file though, not just SCOM 2012 Update Rollup 3. It includes a lot of comments, so it is manageable and can be used for getting to know PowerShell better.
SCOM 2012 Update Rollup 3 can be downloaded here : http://catalog.update.microsoft.com/v7/site/search.aspx?q=2750631
The issue with SCOM 2012 Update Rollup 3 is that after downloading you’ll end up with a total of 41 CAB files. The large number of files is because they are for different components and in multiple languages. And what is even worse is that the file names do not show which file is for which language. This script will extract all CAB files to a subfolder and will then remove the non-English ones. Below are some of the example files in Update Rollup 3 to give you an idea about the nondescriptive file names:
- all-kb2750631-amd64-console_1af57997fba722cdd3dfe4b2ddb4b8d8d829dd6f.cab
- all-kb2750631-amd64-console_3d61c9e090622b2b59ee8bf7b13b922e815bdf15.cab
- all-kb2750631-amd64-console_494a77ddaa09206f8f61ecdfb2edfcd1e82a497c.cab
- all-kb2750631-amd64-console_69bb307dbd450cfd8b732c2ac3845c9870bdc6d0.cab
- all-kb2750631-amd64-console_71c65fc2ded6769edbf610958780b5a8ac374f8c.cab
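The extract-then-filter approach described above, as an added example that is not the author's script. It also checks the Authenticode signature of each CAB before unpacking it. The folder name, the `ENU` naming pattern for English MSP files and the `-Delete` switch are assumptions; without `-Delete` the script only reports what it would remove.

```powershell
# Added example, not the author's script. Requires PowerShell 3.0 or later.
param(
    [string]$CabFolder   = '.\UR3',   # assumed folder holding the downloaded CABs
    [string]$KeepPattern = '*ENU*',   # assumption: English MSP names contain ENU
    [switch]$Delete                   # without this switch the script only reports
)

foreach ($cab in Get-ChildItem -Path $CabFolder -Filter *.cab) {
    # Refuse to unpack anything without a valid Microsoft Authenticode signature.
    $sig = Get-AuthenticodeSignature -FilePath $cab.FullName
    if ($sig.Status -ne 'Valid' -or
        $sig.SignerCertificate.Subject -notlike '*O=Microsoft Corporation*') {
        Write-Warning "Skipping $($cab.Name): signature status $($sig.Status)"
        continue
    }

    # One subfolder per CAB, named after the CAB, so each MSP stays traceable
    # to the package it came from.
    $dest = Join-Path $cab.DirectoryName $cab.BaseName
    New-Item -ItemType Directory -Path $dest -Force | Out-Null
    & expand.exe $cab.FullName '-F:*' $dest | Out-Null
    if ($LASTEXITCODE -ne 0) {
        Write-Warning "expand.exe failed for $($cab.Name)"
        continue
    }

    # Classify every extracted MSP by name and remove the non-English ones on request.
    foreach ($msp in Get-ChildItem -Path $dest -Filter *.msp) {
        $english = $msp.Name -like $KeepPattern
        if (-not $english -and $Delete) { Remove-Item -LiteralPath $msp.FullName }
        [pscustomobject]@{
            Cab    = $cab.Name
            Msp    = $msp.Name
            Action = if ($english) { 'keep' } elseif ($Delete) { 'deleted' } else { 'would delete' }
        }
    }
}
```

Run it once without `-Delete` and review the `Action` column: if the naming assumption does not hold for a package, every MSP shows up as `would delete` and the pattern needs adjusting first.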
Deploying SCOM 2012 components and updates to them can be done in multiple ways: http://technet.microsoft.com/en-us/library/hh551142.aspx
Most of the work while updating will probably be updating the agents. Basically for SCOM 2012 there are 2 major ways to install agents:
- Push installation (initiated from SCOM 2012). Updates can then also be deployed from within SCOM (Remotely Manageable = Yes). Push installation is often preferred, because it is easy and also allows you to push updates to clients from within SCOM 2012. The downside however is that it also requires a lot of open ports (including RPC), which might not always be acceptable: http://support.microsoft.com/kb/2566152. Push install and update install can also consume a lot of bandwidth and, depending on your architecture (e.g. WAN links), the push install might not be the best way.
- A manual installation (anything that is not a push installation). Updates cannot be deployed from within SCOM (Remotely Manageable = No). Manual installation includes running setup manually, using a GPO software install or using deployment tools like System Center Configuration Manager. Using the GUI, you cannot simply set an agent back to Remotely Manageable = Yes. You can change this in SQL though, but keep in mind that connectivity requirements still need to be met.
With Update Rollup 3, it is now possible to leverage WSUS / Microsoft Update to deploy updates (not the initial agent) to all SCOM 2012 components. I predict this will probably become the preferred way of updating SCOM 2012 for most companies:
+ It does not require many ports on your firewall to be opened.
+ Better bandwidth management (local WSUS, BranchCache, BITS).
+ Auto detects components on systems (component updates are not forgotten).
+ Still in control of when which updates are deployed/approved.
+ Leverage existing patch/update management procedures and systems WSUS/SCCM (standardization).
– Initial agent installation cannot be performed using WSUS.
PS: Also check these great blog posts when deploying Update Rollup 3:
Tags: Background Intelligent Transfer Service, BITS, BranchCache, CAB, cab files, decompress, extract, ICT, manual install, Microsoft, Microsoft System Center Operations Manager 2012, Microsoft Update, operations management, operations manager, Operations Manager 2012, OpsMgr, OpsMgr 2012, OpsMgr 2012 Update Rollup 3, OpsMgr2012, Patch Management, Powershell, push install, Remotely Manageable, rollup, SCCM, SCOM, SCOM 2012, SCOM 2012 Update Rollup 3, SCOM2012, service pack, System Center, System Center Configuration Manager, System Center Operations Manager, System Center Operations Manager 2012, testing environment, Update Management, update rollup, Update Rollup 3, WSUS
Last week I got a beta exam invite for exam “70-688 Managing and Maintaining Windows 8” (in beta it is 71-688). As with most beta exams lately, you only have max two weeks to prepare and there are no books available yet that you can use to study. Therefore I start with looking at what skills are being measured and if there are preparation guides available. From there on I start looking for relevant learning resources for each subject and adding them to the skills that are being measured for easy future reference.
I hope it is useful for you as well.
Tags: 070-688, 071-688, 70-688, 71-688, ACT, Action center, AEM, Agentless Exception Monitoring, App-V, App-V 5.0, application compatibility toolkit, application reputation, Application Virtualization, Applocker, asset, asset inventory, authentication, Azure, backup, bcdboot, bcdedit, Beta, biometrics, BitLocker, BranchCache, certificate, client hype-rv, CMAK, computer inventory report, ConfMgr, ConfMgr 2012, ConfMgr2012, Connection Manager, Connection Manager Administration Kit, DaRT, DaRT 8, DCA, DEM, deployment strategy, Desktop Error Monitoring, Diagnostic and Recovery Toolkit, DirectAccess, DirectAccess Connectivity Assistant, disk image, disk image backup, DISM, DNSSEC, domain, EAS, EFS, EHD, Encrypted Hard Drive, Encrypting File System, Endpoint Protection, Exam, Exchange Active Sync, Exchange Activesync, file history, find and fix problems with devices, Firewall, folder redirection, group policy, hardware, hardware and devices troubleshooter, high-touch, Hyper-V, image, IPv4, IPv6, Learning, learning resource, learning resources, lite-touch, Live Mesh, live service, live services, LiveMesh, local account, Managing and Maintaining Windows 8, MBAM, MDOP, MDOP 2011 R2, metered network, metering, metro application, microsoft account, Microsoft Application Virtualization, Microsoft Azure, Microsoft Bitlocker Administration and Monitoring, Microsoft Desktop Optimization Pack, migrate, migration, mobile, mobile device, mobile device management, multifactor authentication, name resolution, native boot, Near Field Communication, network, network metering, NFC, off-network, Office 365, Office 365 Desktop Setup, offline files, Packaged App, PC refresh, PC reset, picture password, Powershell, PowerShell Remoting, prep guide, preparation, preparation guide, prepare, print management, printer, rdp, RDS, Recimg, Recimg.exe, recovery drive, recovery media, remote access, remote desktop protocol, Remote Desktop Services, Remote Server Administration Tools, RemoteApp, 
removable storage devices, report, roaming profiles, roaming user profiles, RSAT, SCCM 2012, SCCM2012, Secure SIM, security, shim, sideload, sideloader, Skydrive, Skydrive Pro, smart card, Software Restriction Policies, SRP, Storage Spaces, study, Sync center, System Center, System Center 2012, System Center 2012 Endpoint Protection, System Center 2012 Endpoint Protection client, System Center Configuration Manager, System Center Configuration Manager 2012, System Center Desktop Error Monitoring, System Center Endpoint Protection, system restore, trust, trust relationship, Trusted PC, two-factor authentication, UE-V, upgrade, upgrade path, User Experience Virtualization, user state migration tool, usmt, VDI, vhd, Virtual Desktop Infrastructure, virtual hard disk, virtualization, VPN, wet, Windows, Windows 7 file recovery, Windows 8, windows 8 application, Windows 8 FIle History, Windows 8 Image, Windows 8 PC refresh, Windows 8 PC reset, windows 8 upgrade path, Windows Azure, Windows Defender, windows easy transfer, Windows Firewall, Windows Intune, Windows Recovery Environment, Windows store, Windows To Go, Windows Update, wireless, workgroup, WRE, WSUS, zero-touch