This has been a busy year for changes in WSUS and Patch Manager. In this article I’m going to summarize these changes. Treat this like a checklist. If there’s something on this list you’ve not yet done, use the next couple of weeks to develop a remediation plan. If you need help with any of this, post a message in the Thwack Patch Manager or PatchZone forums, and I’ll be happy to respond.
Following the EminentWare acquisition, Patch Manager v1.72 was released and implemented a new licensing model (see KB3552). This new licensing model
- granted access to the 3rd Party Updates Pack to all Patch Manager customers,
- eliminated the need for activation on Secondary Application Servers, and
- changed the methodology of how the 3rd Party Updates catalog is synchronized.
If you’re still running one of the EminentWare Extension Packs – this update should be a New Year’s Resolution for sure! Details on upgrading to v1.72 and troubleshooting a common licensing issue are discussed in KB3602 and KB3562 respectively.
KB2718704, the first of many updates precipitated by the Flame fiasco, was released. This update replaced the certificates used by the WUAgent to validate digital signatures on files signed by Microsoft, and by WSUS to establish SSL connections for synchronization. I talked about this in the Product Blog (June 4). For some really technical details on what this update does, read these Microsoft Security Research & Defense (SRD) blog posts [ June 3 | June 6 ]
Also in June, we released a free tool - the Diagnostic Tool for the WSUS Agent - designed to make your efforts in troubleshooting communications and behavioral issues with the Windows Update Agent much easier. Most notable about this tool is that it runs on 64-bit systems, and it provides guidance on known causes and the proper solutions for many of the issues encountered with configuring the WUAgent and communicating with a WSUS Server.
Two events of significance occurred in July: one from Microsoft, and the other from SolarWinds.
- updated the digital signatures on the WSUS resources.
- updated the Windows Update Agent to use those new digital signatures.
- updated the WSUS API to create 2048-bit certificates for use with local publishing.
- rolled up a couple of previous local publishing related hotfixes.
Probably the two most significant issues with this update were
- that it was exceptionally difficult to successfully install (partly due to Microsoft’s rush to get it out the door; see these WSUS Support Blog Posts [ June 20 | July 23 ] for guidance on installing KB2720211), and
- that without it, systems that updated the WUAgent via AU/WU/MU were no longer able to communicate with an unpatched WSUS server due to the certificate changes (see KB958045 and this WSUS Support Blog Post for details).
This is a required WSUS update. If you’ve not yet installed it, doing so needs to be at the top of your patch management to-do list. However, you should also consider installing KB2734608 as an alternative to KB2720211. It’s reported to provide a more reliable installation. I discuss it in more detail later in the article.
For Patch Manager customers, this update also presented some minor complications, because it does not detect as installable on WSUS console-only installations. (I asked the WSUS product team about this behavior, and they told me it was “by design”. I told them that I thought it was a bad design, but it is what it is.) So, be sure to install KB2720211 on your WSUS console systems, as well, most notably all of your Patch Manager servers, which also have WSUS console installations. More on this is available in KB4054 and KB4328.
- If you have WSUS and Patch Manager installed on the same system, you will also encounter an Access Denied failure in the Patch Manager console after installing KB2720211. We discuss this scenario in KB4014.
- There was some confusion regarding the About->Help dialog in the MMC console after upgrading WSUS or Patch Manager from/to any version. KB4107 discusses this scenario.
- After installing KB2720211, if you are using local publishing in WSUS to deploy third-party updates, you must create a new publishing certificate, distribute it to all systems, and re-sign all update packages that are needed by client systems. Details on this procedure are available in KB4100. Also there is a minor anomaly that impacts the Server Publication Verification Wizard, which we discuss in KB4127.
Patch Manager v1.73
Patch Manager v1.73 was released, in response to the forthcoming digital certificate changes announced in the July 10 SRD blog posting. I wrote about the proposed Microsoft certificate update in the Product Blog (July 25).
The Patch Manager v1.73 update has some stringent requirements for how it is deployed in environments with more than one Patch Manager server. If you’re still running Patch Manager v1.72, please read the notes in KB4099 and KB4138 very carefully. If you’re still running an older EminentWare Extension Pack, see KB4118 for additional guidance.
KB2661254 was published, as announced earlier, but only to the Microsoft Download Center, providing a big break to Patch Manager customers. An announcement that the update would be released to WU/WSUS in October was posted to the MSRC Blog.
KB2661254 will break all Local Publishing functionality on a WSUS server that does not have KB2720211 installed, so you need to perform all of the required actions for KB2720211 prior to installing KB2661254 on the WSUS server. This is discussed in greater detail in KB4110.
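The two local publishing requirements above (a new 2048-bit publishing certificate distributed to all systems and used to re-sign packages after KB2720211, and KB2720211 in place before KB2661254) are easy to verify on the WSUS server itself. The following PowerShell script is an added example for this checklist; it is not from this article and is not part of Patch Manager. It assumes it is run elevated on a WSUS 3.0 server with the WSUS administration console installed, that the signing certificate is exposed through the `SigningCertificate` property of the WSUS configuration object in the Microsoft.UpdateServices.Administration API, and that the certificate, when distributed, is placed in the Trusted Root and Trusted Publishers stores as the KB articles describe. It reports the WSUS version rather than comparing it to a build number, because this article does not state one; compare the reported value with the build listed in the KB article for KB2720211.

```powershell
# Added example (not from the article or the Patch Manager product): checks the
# local-publishing prerequisites described above on a WSUS 3.0 server.
# Assumptions: run elevated on the WSUS server; the WSUS 3.0 administration assembly
# is present; the SigningCertificate property name is taken from the WSUS API.

function Test-WsusPublishingCertificate {
    param(
        # KB2720211 changed the WSUS API to create 2048-bit publishing certificates;
        # a smaller key means the certificate predates the update and must be re-created.
        [int]$MinimumKeySize = 2048
    )

    [void][Reflection.Assembly]::LoadWithPartialName('Microsoft.UpdateServices.Administration')
    $wsus   = [Microsoft.UpdateServices.Administration.AdminProxy]::GetUpdateServer()
    $config = $wsus.GetConfiguration()
    $cert   = $config.SigningCertificate   # assumed API property: X509Certificate2 used for local publishing

    $result = New-Object PSObject -Property @{
        WsusVersion           = $wsus.Version.ToString()   # compare with the build in the KB2720211 article
        HasSigningCertificate = ($cert -ne $null)
        Thumbprint            = $null
        KeySize               = $null
        KeySizeOk             = $false
        NotAfter              = $null
        InTrustedPublisher    = $false
        InTrustedRoot         = $false
        Findings              = @()
    }

    if ($cert -eq $null) {
        $result.Findings += 'No local publishing certificate is configured; follow KB4100 before publishing.'
        return $result
    }

    $result.Thumbprint = $cert.Thumbprint
    $result.KeySize    = $cert.PublicKey.Key.KeySize
    $result.NotAfter   = $cert.NotAfter
    $result.KeySizeOk  = ($result.KeySize -ge $MinimumKeySize)

    if (-not $result.KeySizeOk) {
        $result.Findings += "Signing certificate key is $($result.KeySize) bits; re-create it with the updated API, redistribute it, and re-sign packages (KB4100)."
    }
    if ($cert.NotAfter -lt (Get-Date)) {
        $result.Findings += 'Signing certificate has expired.'
    }

    # The certificate must also be trusted on this machine (and on every client).
    # The Cert: drive exposes the LocalMachine stores; match on thumbprint.
    $result.InTrustedPublisher = [bool](Get-ChildItem Cert:\LocalMachine\TrustedPublisher |
        Where-Object { $_.Thumbprint -eq $cert.Thumbprint })
    $result.InTrustedRoot = [bool](Get-ChildItem Cert:\LocalMachine\Root |
        Where-Object { $_.Thumbprint -eq $cert.Thumbprint })

    if (-not $result.InTrustedPublisher) {
        $result.Findings += 'Signing certificate is not in LocalMachine\TrustedPublisher on this host.'
    }
    if (-not $result.InTrustedRoot) {
        $result.Findings += 'Signing certificate is not in LocalMachine\Root on this host.'
    }

    return $result
}

# Usage: run on the WSUS server and review the Findings list; an empty list means
# the certificate is 2048-bit or larger, unexpired, and trusted locally.
Test-WsusPublishingCertificate | Format-List WsusVersion, HasSigningCertificate, Thumbprint, KeySize, KeySizeOk, NotAfter, InTrustedPublisher, InTrustedRoot, Findings
```

The trust-store checks only cover the server the script runs on; the same thumbprint lookup against `Cert:\LocalMachine\TrustedPublisher` and `Cert:\LocalMachine\Root` can be run on a client to confirm the certificate was distributed there before any re-signed package is approved for it.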
KB2734608 was published, but only to the Microsoft Download Center. This update will not be distributed via MU/WSUS because of the complex requirements for its installation. There are two items noteworthy about this update:
- It provides the ability to patch Windows 8 and Windows Server 2012 systems from a WSUS v3 server by adding SHA256 hashes to the WSUS content, which is required by the WUAgent v7.8 installed on Win8/Win2012.
- It rolls up all of the updates contained in KB2720211.
This is an optional update for WSUS! If you don’t need to patch Win8/Win2012 systems yet, I recommend you bypass this update (assuming KB2720211 is already installed). If you choose to install this update, please read the detailed deployment guidance provided in the KB article.
- full capabilities for patching and managing Windows 8 and Windows Server 2012,
- managing WSUS v6 installed on Windows Server 2012, and
- installing Patch Manager on a SQL Server 2012 instance.