Monday, November 25, 2013

Monthly MS Patches Available Offline

Stumbled on KB article 913086 from MS. It is a DVD ISO of the patches released. Really good thing to know about if you have to patch a system offline. This KB will be kept up to date with the current month as well as point you to previous months. I've used WSUSOffline in the past for this function but this is good to know about as well!


DOS Script to Reset Windows Update Agent

There comes a time when a workstation or server is not getting updates. Doesn't matter if it's via Microsoft Update, WSUS, or even SUP. This is one of those things where it's better to use the broadsword approach than spend a lot of time diagnosing and fixing a minor issue. You can also run into issues if you are using an Advanced Format drive supporting 4096 (4K) sectors or the hybrid 512e sector format, as the local Update database is Windows Jet database engine based. You'll need to address that first via Service Packs or hotfixes in supported Operating Systems.

I wrote this script a while back that will do several things to facilitate a reset. It was put together from a lot of reading and experience in my large environment and the smaller ones I help out on. I have had no need to re-register the Update DLLs so it's not in here. It performs the following high level items.
  • Stops relevant services
  • Backs up settings
  • Resets WUA
  • Starts relevant services
Some things of note: if you use ConfigMgr for updates via SUP, then you can uncomment two sections to stop and start that service. Also, if you do NOT set WSUS via GPO, you can comment out the GPO update section.

This script is provided as-is, no warranty is provided or implied. The author is NOT responsible for any damages or data loss that may occur through the use of this script. Always test, test, test before rolling anything into a production environment.

Download Script
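As an added example (this is not the downloadable script above, which I have not reproduced), here is the same four-phase reset written in PowerShell with -WhatIf support so every action can be previewed before it runs. It assumes an elevated PowerShell session; the switch names, the backup folder location and the ConfigMgr client service name (ccmexec) are this example's own choices. Clearing the SusClientId values in phase 3 is the usual step that makes the machine re-register with WSUS or SUP; it is included here as an assumption about what a full reset should cover, not something the post's script is stated to do.

```powershell
# Added example, not the post's script: reset the Windows Update Agent in the same
# four phases the post lists. Assumes an elevated session. The switch names, the
# backup folder and the service name 'ccmexec' are assumptions made for this example.
[CmdletBinding(SupportsShouldProcess = $true)]
param(
    [switch]$ResetConfigMgrClient,   # also bounce the ConfigMgr client when updates come via SUP
    [switch]$SkipGpUpdate            # set this if WSUS is not assigned through Group Policy
)

$services = @('wuauserv', 'bits', 'cryptsvc')
if ($ResetConfigMgrClient) { $services += 'ccmexec' }

$stamp   = Get-Date -Format 'yyyyMMdd-HHmmss'
$backup  = Join-Path $env:SystemDrive "WUA-Backup-$stamp"
$wuKey   = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate'
$folders = @(
    (Join-Path $env:SystemRoot 'SoftwareDistribution'),   # download cache plus the Jet datastore
    (Join-Path $env:SystemRoot 'System32\catroot2')       # catalog cache held open by cryptsvc
)

# 1. Stop the services that hold the datastore and catalog files open
foreach ($name in $services) {
    $svc = Get-Service -Name $name -ErrorAction SilentlyContinue
    if ($svc -and $svc.Status -ne 'Stopped' -and $PSCmdlet.ShouldProcess($name, 'Stop service')) {
        Stop-Service -Name $name -Force -ErrorAction Stop
    }
}

# 2. Back up settings: export the agent's registry key before anything is changed
if ($PSCmdlet.ShouldProcess($backup, 'Export WindowsUpdate key')) {
    New-Item -ItemType Directory -Path $backup -Force | Out-Null
    & reg.exe export 'HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate' `
        (Join-Path $backup 'WindowsUpdate.reg') /y | Out-Null
}

# 3. Reset WUA: move (not delete) the cache folders so the agent rebuilds its datastore
#    on next start while a copy is kept for diagnosis
foreach ($dir in $folders) {
    if ((Test-Path $dir) -and $PSCmdlet.ShouldProcess($dir, 'Move to backup')) {
        Move-Item -Path $dir -Destination (Join-Path $backup (Split-Path $dir -Leaf)) -ErrorAction Stop
    }
}
# Clear the client identity so the machine re-registers with WSUS/SUP on the next scan
# (this example's choice; also what fixes cloned machines that share an ID)
foreach ($value in 'SusClientId', 'SusClientIDValidation', 'PingID', 'AccountDomainSid') {
    if ($PSCmdlet.ShouldProcess("$wuKey\$value", 'Remove value')) {
        Remove-ItemProperty -Path $wuKey -Name $value -ErrorAction SilentlyContinue
    }
}

# 4. Start the services again, refresh the WSUS policy and kick off a detection cycle
foreach ($name in $services) {
    if ((Get-Service -Name $name -ErrorAction SilentlyContinue) -and
        $PSCmdlet.ShouldProcess($name, 'Start service')) {
        Start-Service -Name $name -ErrorAction Stop
    }
}
if (-not $SkipGpUpdate -and $PSCmdlet.ShouldProcess('Computer policy', 'gpupdate /force')) {
    & gpupdate.exe /target:computer /force | Out-Null
}
if ($PSCmdlet.ShouldProcess('Windows Update Agent', 'Trigger detection')) {
    & wuauclt.exe /resetauthorization /detectnow
}
Write-Output "Reset complete; backup in $backup"
```

Run it once with -WhatIf to see the list of services, folders and values it would touch, then without. Moving the folders instead of deleting them keeps the old datastore around if the reset turns out not to be the fix, which is the same "broadsword but recoverable" trade-off the post describes.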

Thursday, November 14, 2013

OSD Unfriendly Patches

Last year I was having a devil of a time with a Build and Capture Task Sequence (TS) as it kept rebooting outside the task sequence and causing it to fail. It was related to the SUP steps; however, I could not figure it out as we immediately transitioned from ConfigMgr 2007 to 2012 (yay!). Recently, however, after adding the October 2013 Microsoft Patches, we started experiencing this same issue on the production Windows 7 TS. It was immediately after this change, so we removed the SUP advertisement and all was well. In working on a solution, our ConfigMgr Admin Cory Becht (of right click tools fame) found KB2894518 covering the problem. Turns out there are a few Microsoft patches that reboot a system multiple times. This causes havoc for a Task Sequence, as the TS must be what restarts the PC during the deployment, not something outside of it like a patch. How nice of MS to release patches that need several restarts; at least they can mitigate this problem.

     NOTE: This KB will be kept up to date with patches known to require multiple restarts.

To address it we made several changes to our process.
  1. Each month we visit that KB to see if new ones show up.
  2. These OSD unfriendly patches were moved to a focused Software Update Group called 'OSD Excluded Updates'.
  3. 'OSD Excluded Updates' is advertised to all systems and not to the 'Unknown Computers' Collection used by Deployments.
  4. Inject these troublesome updates via DISM into the quarterly WIM.
For #4 I found a nice PowerShell script (written by BenP) at the Microsoft Script Center that simplifies it. You just pass it the path to the WIM, the mount folder and the patches, and it does the rest. So after creating a WIM via a Build and Capture TS, I inject the patches that apply and then import the WIM into SCCM for use. Currently this is just KB2862330 and KB2545698 for Windows 7.

For obtaining the patches, the Microsoft Update Catalog is the best place, as you just enter the KB number and download the .MSU files for the relevant Operating System, nothing to extract. It will download each update to a sub folder, so if you use the above script you'll need to put all the relevant updates in the same folder, 'Windows 7 X86' for example.

While at the Update Catalog site, if you click on the update and select the 'Package Details' tab, it will tell you what that patch replaces or is replaced by. Or check via ConfigMgr. Basically, each of these troublesome patches will eventually be replaced by another one, and then you may not have to use DISM to inject it and can instead let the SUP step(s) install it. I like the deployment to include everything vs. letting production advertisements apply it after handing the asset to a user, so we chose to inject it into our quarterly WIM.
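As an added example (not BenP's Script Center script, which is not reproduced here), the same injection done with the DISM PowerShell module that ships with the Windows 8 ADK. It assumes PowerShell 3.0 with the Dism module available, an elevated session, the folder layout described above (one folder such as 'Windows 7 X86' holding the .MSU files) and that index 1 is the captured image; the parameter names are this example's own. Unlike a straight loop of Add-WindowsPackage calls, it refuses a non-empty mount folder (a stale mount from an earlier failed run is the usual cause of odd DISM errors), records packages that do not apply instead of abandoning the session, and lists the KB packages in the image before saving so the result can be checked against the OSD KB.

```powershell
# Added example, not BenP's Script Center script: inject .MSU updates into a WIM with the
# DISM PowerShell module (Windows 8 ADK / PowerShell 3). Assumptions: elevated session,
# index 1 is the captured image, and the update folder follows the post's layout.
[CmdletBinding()]
param(
    [Parameter(Mandatory)][string]$WimPath,        # e.g. D:\Images\W7x86.wim (placeholder)
    [Parameter(Mandatory)][string]$MountPath,      # empty folder used as the mount point
    [Parameter(Mandatory)][string]$UpdateFolder,   # e.g. D:\Updates\Windows 7 X86 (placeholder)
    [int]$Index = 1
)
Import-Module Dism -ErrorAction Stop

# Only take packages that are actually there; an empty folder is a mistake, not a no-op
$updates = Get-ChildItem -Path $UpdateFolder -Filter *.msu -File
if (-not $updates) { throw "No .msu files found under $UpdateFolder" }

if (-not (Test-Path $MountPath)) { New-Item -ItemType Directory -Path $MountPath | Out-Null }

# Refuse to mount over leftovers: a stale mount from an earlier failed run is the usual cause
if (Get-ChildItem -Path $MountPath -Force | Select-Object -First 1) {
    throw "$MountPath is not empty; run Dismount-WindowsImage -Path $MountPath -Discard first"
}

Mount-WindowsImage -ImagePath $WimPath -Index $Index -Path $MountPath -ErrorAction Stop | Out-Null
$failed = @()
try {
    foreach ($msu in $updates) {
        Write-Verbose "Adding $($msu.Name)"
        try {
            Add-WindowsPackage -Path $MountPath -PackagePath $msu.FullName -ErrorAction Stop | Out-Null
        } catch {
            # A package that does not apply (wrong architecture, already superseded) should not
            # throw away the whole session; record it and carry on with the rest
            Write-Warning "$($msu.Name): $($_.Exception.Message)"
            $failed += $msu.Name
        }
    }
    # Show the KB packages now in the image so they can be checked against the OSD KB list
    Get-WindowsPackage -Path $MountPath | Where-Object { $_.PackageName -like '*KB*' } |
        Select-Object PackageName, PackageState, InstallTime | Format-Table -AutoSize
    Dismount-WindowsImage -Path $MountPath -Save -ErrorAction Stop | Out-Null
} catch {
    # Anything else went wrong: discard so the WIM is left exactly as it was
    Dismount-WindowsImage -Path $MountPath -Discard | Out-Null
    throw
}
if ($failed) { Write-Warning "Not applied: $($failed -join ', ')" }
```

Point it at the same per-OS folder you downloaded into from the Update Catalog, then import the saved WIM into ConfigMgr as before. Packages reported as "Not applied" are the ones to look up on the 'Package Details' tab, since a superseded update is the usual reason DISM declines to add one.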


Tuesday, November 12, 2013

8dot3name Short File Name settings not enabled via ADK Partition Disk step in SCCM OSD 2012 SP1



We updated our SCCM 2012 environment to SP1 back in late January of 2013. About 6-8 weeks later I was escalated a problem that some design software was not installing or working correctly and they were blaming the image. Primarily, it was several Bentley apps such as ProjectWise. In digging into it we found that 8dot3 short file names (SFN) were no longer enabled on the file system, and these applications were installing or calling the executable via SFN.

As part of the SP1 upgrade, OSD deployments change from using AIK (Windows 7 based) to ADK (Windows 8 based), and Windows 8 does not enable 8dot3name by default. So when you deploy a system, the Partition Disk step creates the volume with no SFN support. Microsoft added native LFN support in the Windows 95/NT4 days via VFAT, so in their defense it's been many, many years and it is a reasonable time to remove it, as they gave vendors well over a decade to catch up. My issue is they did not tell anyone of this change, at least none that I can find. So how did we fix it? I made a few TS changes.

I normally create an updated WIM quarterly, so after we upgraded to SP1 I created a new WIM via a Build and Capture TS along with PE media. This WIM contains the OS, .NET Frameworks, Visual Studio Tools, and all applicable patches. Then the deployment TS deals with drivers, apps A-Z and what not. I was in the middle of this cycle when this problem arose, and since it takes a while to send out an updated WIM to several hundred DPs, I had to do a break/fix in the mean time to get our users productive again. Since the new WIM I sent out was built with ADK, it did not have SFN in it, so I had to enable SFN on the affected folders.

Production TS
After much trial and error down other roads, I kept coming back to FSUTIL.EXE. I did a lot of comparison using this tool against pre-SP1 deployments trying to figure it out, before discovering from this post over at scug.be that the Partition Disk step run via ADK does not enable SFN.

After the Apply Operating System steps (my production TS has both 32-Bit and 64-Bit in it), we had to use FSUTIL to enable SFN and create the SFN for the affected folders. In the Deployment TS, I created a group with the following items as Run Command Line steps.

As everyone knows, MS had to strip stuff out so that PE can be small and agile. They took out obvious stuff like ACPI, games, etc.; however, they also took out FSUTIL. This EXE allows you to mess with the file system; really it should be in PE. Since ADK is Windows 8 based, I went to my W8 media, pulled out FSUTIL and tried to run it. It failed with some weird errors. Turns out I needed the MUI as well to get correct error messages. That failed with different errors. After more experimenting, it turns out FSUTIL must be run from %WINDIR%\System32. So the first two entries are to get FSUTIL over to the PE ramdrive from a package.

 CMD /C COPY fsutil.exe.mui %WINDIR%\System32\en-US  

 CMD /C COPY fsutil.exe %WINDIR%\System32  

To turn it on was a simple endeavor via FSUTIL, and anything created from this point forward will get an SFN. NOTE that during my Partition Disk step I save that partition letter in the variable OSDISK.

 %WINDIR%\System32\FSUTIL.EXE 8dot3name set %OSDISK% 0  

Since the source WIM did not have SFN enabled, I created SFN for the affected folders. Since the TS has both X86 and X64 arches (chosen via HTA),  it will handle both deployment scenarios.
32-Bit Only.

 %WINDIR%\System32\FSUTIL.EXE file setshortname "%OSDISK%\Program Files" progra~1  


 %WINDIR%\System32\FSUTIL.EXE file setshortname "%OSDISK%\Program Files\Common Files" common~1  

Additionally if the OS being deployed is 64-Bit it will enable SFN for the Program Files (X86) folders as well.

 %WINDIR%\System32\FSUTIL.EXE file setshortname "%OSDISK%\Program Files (x86)" progra~2  

 %WINDIR%\System32\FSUTIL.EXE file setshortname "%OSDISK%\Program Files (x86)\Common Files" common~1  

While I had to push out a small package for FSUTIL, it definitely shows how quickly a change can be made if you do your entire deployment via Task Sequence and keep your WIM thin.
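As an added example (not the Run Command Line steps above), here is the same sequence as one PowerShell script that chooses the folders from what exists on the OS volume instead of needing separate 32-Bit and 64-Bit steps. It assumes the boot image includes the WinPE PowerShell optional component (ADK 8 / PowerShell 3), that fsutil.exe and fsutil.exe.mui sit in the same package folder as the script, and that OSDISK reaches the script as an environment variable, as it does in the %OSDISK% command lines above; the function and parameter names are this example's own. The wrapper fails the step on any non-zero fsutil exit, which is what you want in a TS: a silent failure here surfaces weeks later as an application that cannot find progra~1.

```powershell
# Added example, not the post's TS steps: enable 8dot3 names on the OS volume and create
# the short names for the Program Files tree, adding the (x86) pair only when it exists.
# Assumptions: WinPE with the PowerShell component, fsutil.exe and fsutil.exe.mui next to
# this script in its package, OSDISK set by the Partition Disk step (e.g. 'C:').
param(
    [string]$OsDrive = $env:OSDISK,
    [string]$Source  = $PSScriptRoot
)
if (-not $OsDrive) { throw 'OSDISK is not set; check the Partition Disk step' }

# FSUTIL only runs from System32 and needs its MUI for readable messages, so stage both
$sys32  = Join-Path $env:SystemRoot 'System32'
$mui    = Join-Path $sys32 'en-US'
$fsutil = Join-Path $sys32 'fsutil.exe'
New-Item -ItemType Directory -Path $mui -Force | Out-Null
Copy-Item -Path (Join-Path $Source 'fsutil.exe')     -Destination $sys32 -Force
Copy-Item -Path (Join-Path $Source 'fsutil.exe.mui') -Destination $mui   -Force

function Invoke-Fsutil {
    # Run fsutil and fail the step on a non-zero exit instead of silently continuing
    param([string[]]$Arguments)
    $output = & $fsutil $Arguments 2>&1
    if ($LASTEXITCODE -ne 0) { throw "fsutil $($Arguments -join ' ') failed: $output" }
    $output
}

# 0 means 8dot3 creation enabled in fsutil's encoding; anything created from here on gets one
Invoke-Fsutil @('8dot3name', 'set', $OsDrive, '0') | Write-Output

# Folders laid down by the WIM before the setting was on; the (x86) pair only exists on x64
$targets = @(
    @{ Path = "$OsDrive\Program Files";                    Short = 'progra~1' },
    @{ Path = "$OsDrive\Program Files\Common Files";       Short = 'common~1' },
    @{ Path = "$OsDrive\Program Files (x86)";              Short = 'progra~2' },
    @{ Path = "$OsDrive\Program Files (x86)\Common Files"; Short = 'common~1' }
)
foreach ($t in $targets) {
    if (-not (Test-Path -LiteralPath $t.Path -PathType Container)) {
        Write-Output "Skipping $($t.Path): not present on this image"
        continue
    }
    Invoke-Fsutil @('file', 'setshortname', $t.Path, $t.Short) | Write-Output
}
```

Call it from a single Run Command Line step (powershell.exe -ExecutionPolicy Bypass -File with the package as the working directory) placed after the Apply Operating System step, exactly where the group of FSUTIL steps sits today. Once the WIM itself carries SFN, the whole step can be dropped just as the post describes.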

Build and Capture TS

To fix it in the B&C is a lot simpler, as you just do the first three steps between the Partition Disk step and the Apply OS step. When the OS is installed, it will create the SFN and you have a WIM captured with SFN enabled and all created. Once I deployed the updated WIM the above was removed from the Production TS.
Another change in SP1 is the move from an Installation Source to using the install.wim for the Apply OS step, so I no longer have to maintain a separate 64-Bit PE instance to do the B&C. All deployments are done via 32-Bit PE.

I wonder what changes 2012 R2 and ADK 8.1 hold for OSD.

Update

While not as fun as mine, a quick and dirty way is to do another format with a switch. Do this right after the built-in Partition Disk step. The /s switch is what you're after.

 cmd /c format %OSDISK% /fs:ntfs /q /v:SYSTEM /s:enable /y  

Saturday, November 9, 2013

MDT Centralized Log Cleanup

I helped a friend a while back set up an MDT 2012 instance for a client of his. They are a small shop with a single IT person. Shortly after MDT became stable, their IT person left, leaving the office manager to set up machines. Let's just say MDT made her a happy camper until they got another IT person. In helping my friend diagnose the occasional problem I would ask him for logs, and in some cases it was hard for him to obtain them as the systems ran off to the field and what not. Luckily MDT has a feature to handle this by putting one of these two lines in your customsettings.ini etc. The first will copy the logs to a network location when the system is deployed and the second will do it live during the image process.

 SLShare=\\servername\share\  
 SLShareDynamicLogging=\\servername\share  

I put them under MDT$/Logs (I use this share name vs the default DeploymentShare$ share) but they can go to any UNC path on the network that the MDT account can access. It will create a sub folder and put BDD.Log etc in it. Andrew Barnes has a great article on it.

As we quickly found, the folder started filling up, so I gave him this simple shell script to keep it clean. It's run as a scheduled task at 5AM each day to delete any logs older than 60 days. Change /P to the local path of the logs and /D to the days to delete; note the negative number.

 ::Written by Kevin Fason  
 :: This simple script will clean the MDT Logs folder of logs older than 60 days.  
 :: V1.0  
 ::  04.09.2013  
 @ECHO OFF  
 :: /D -60 selects folders last modified 60 or more days ago; the ECHO shows what is removed
 ForFiles /P "D:\MDT\DeploymentShare\Logs" /D -60 /C "CMD /C if @ISDIR==TRUE echo RD /Q @FILE &RD /Q /S @FILE"  

It can be run directly within the scheduled task, but I did it in a shell script so it's easier to update.

WSUS Maintenance Automation

While I use SUP via SCCM 2012 to manage my work fleet, I still play with and help others with their WSUS installs. WSUS is great for small and even large organizations to update their fleet systems. I directly support a WSUS instance (as well as MDT) at my dads, my playground really. He has everything from 98 SE to 8.1 running around on site and is the "computer guy" for his neighborhood and family/friends so he fixes many different Windows OS'. WSUS saves him a great deal of time and effort when he fixes a system or refreshes it with MDT.

With that said, no matter the environment, WSUS needs regular care and feeding, and I handle this need automatically with scripts others have written and shared. Over the years I've found many ways to do it and have settled on the following monthly process, which keeps WSUS happy with few break/fix issues and even keeps the WSUS MMC snappy.
  • Decline Itanium Updates
  • Cleanup Wizard
  • Re-Index Database
The first two are handled by PowerShell scripts written by Mark and the third is by the Scripting Guys. All three can be found over on the Microsoft Gallery Script Center. Very handy site.

Since WSUS does not distinguish between Wintel and Itanium, you can get unneeded Itanium patches taking up space and being processed, especially with any auto-approve rules. Both of these scripts are run against the parent server only. I run the Itanium one at 7PM and the Cleanup at 10PM on the first of each month. You can find the Decline Itanium Updates here and the Cleanup Wizard Script here. Be sure to modify them for your environment (as shown in the links); the email function is pretty handy, as shown below, so enable it if you want it.


For the scheduled task it took a little bit to get working the way I like due to PS security. I run them as a Domain user that is in the local admin group; use whatever works in your environment.


 powershell.exe -ExecutionPolicy Unrestricted -nologo -NoProfile -File "PATHTOSCRIPT\WSUS_Decline_Itanium_Updates.ps1"  

 powershell.exe -ExecutionPolicy Unrestricted -nologo -NoProfile -File "PATHTOSCRIPT\WSUS_Cleanup_All_Servers.ps1"  
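As an added example (not Mark's scripts, which are linked above rather than reproduced), the first two steps of the monthly process, Decline Itanium Updates and the Cleanup Wizard, driven through the WSUS administration API in one script with -WhatIf for a dry run. It assumes the WSUS console (which supplies Microsoft.UpdateServices.Administration.dll) is installed where it runs, that it is pointed at the parent server only, as the post says, and the server, port and mail values are placeholders to change for your environment; the parameter names are this example's own.

```powershell
# Added example, not Mark's scripts: decline Itanium updates and run the Cleanup Wizard
# through the WSUS administration API, with -WhatIf for a dry run. Assumes the WSUS console
# (Microsoft.UpdateServices.Administration.dll) is installed where this runs; the server,
# port and mail values are placeholders.
[CmdletBinding(SupportsShouldProcess = $true)]
param(
    [string]$Server = 'WSUSSERVERNAME',     # placeholder: the parent server
    [int]$Port      = 8530,                 # 8530/8531 on 2012 defaults, 80/443 on 2008 R2
    [switch]$UseSsl,
    [string]$MailTo,                        # placeholder RECIPIENT@DOMAIN.COM; empty skips mail
    [string]$MailFrom   = 'SENDER@DOMAIN.COM',
    [string]$SmtpServer = 'SMTPHOST.DOMAIN.COM'
)
[void][Reflection.Assembly]::LoadWithPartialName('Microsoft.UpdateServices.Administration')
$wsus = [Microsoft.UpdateServices.Administration.AdminProxy]::GetUpdateServer($Server, [bool]$UseSsl, $Port)

# 1. Decline Itanium updates. WSUS does not filter by platform, so match on the title and
#    leave anything already declined alone so the run is repeatable.
$itanium  = $wsus.GetUpdates() | Where-Object { -not $_.IsDeclined -and $_.Title -match 'Itanium|ia64' }
$declined = New-Object System.Collections.ArrayList
foreach ($update in $itanium) {
    if ($PSCmdlet.ShouldProcess($update.Title, 'Decline')) {
        $update.Decline()
        [void]$declined.Add($update.Title)
    }
}

# 2. Cleanup Wizard: the same options the MMC wizard offers, driven from the API
$scope = New-Object Microsoft.UpdateServices.Administration.CleanupScope
$scope.DeclineSupersededUpdates    = $true
$scope.DeclineExpiredUpdates       = $true
$scope.CleanupObsoleteUpdates      = $true
$scope.CompressUpdates             = $true
$scope.CleanupObsoleteComputers    = $true
$scope.CleanupUnneededContentFiles = $true
$result = $null
if ($PSCmdlet.ShouldProcess($Server, 'Run cleanup wizard')) {
    $result = $wsus.GetCleanupManager().PerformCleanup($scope)
}

# 3. Report (and optionally e-mail) what happened so the monthly run leaves a record
$lines = @("WSUS maintenance on $Server at $(Get-Date -Format s)",
           "Itanium updates declined: $($declined.Count)")
foreach ($title in $declined) { $lines += "  - $title" }
if ($result) {
    $lines += "Superseded declined: $($result.SupersededUpdatesDeclined)"
    $lines += "Expired declined: $($result.ExpiredUpdatesDeclined)"
    $lines += "Obsolete updates deleted: $($result.ObsoleteUpdatesDeleted)"
    $lines += "Updates compressed: $($result.UpdatesCompressed)"
    $lines += "Obsolete computers deleted: $($result.ObsoleteComputersDeleted)"
    $lines += "Disk space freed: $([math]::Round($result.DiskSpaceFreed / 1MB, 1)) MB"
}
$body = $lines -join "`r`n"
Write-Output $body
if ($MailTo) {
    Send-MailMessage -To $MailTo -From $MailFrom -SmtpServer $SmtpServer `
        -Subject "WSUS: maintenance results for $Server" -Body $body
}
```

Schedule it with the same powershell.exe -ExecutionPolicy -File command line shown above. The first run in a large catalog takes a while because GetUpdates() walks everything; the title match is deliberately broad ('Itanium' or 'ia64') so it catches the drivers and tools whose titles do not use the full "Itanium-based Systems" wording.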

You can find the WsusDBMaintenance script here; however, doing a Re-Index is a bit more complex and needs to be run on each WSUS server from the parent on down. If you use Windows Internal Database (default for WSUS) then this applies. If you use another flavor of MS SQL, then I vote to let the DBA deal with it... :)

Firstly, you have to install some prereqs as the sqlcmd called in the re-index script needs to be present. Microsoft provides it separately so you do not have to install a full edition of MS SQL to get it. Install MS SQL Server Native Client and then install the sqlcmd tool to your server. Below are links for 32-Bit and 64-Bit and there are Itanium ones out there as well. Install with defaults.

32-Bit MS SQL Server Native Client
32-Bit MS 2005 SQLCMD

64-Bit MS SQL Server Native Client
64-Bit MS 2005 SQLCMD

I wanted it to also email results to me, so I grabbed blat. Great tool. Put blat and the WsusDBMaintenance script in the same folder along with the batch file below. Blat will attach the sqlcmd output as a file. Modify the setup shop variables to your environment. The scheduled task calls the batch file and runs as local administrator. Be sure to check 'run with highest privileges' on the General tab of the scheduled task; otherwise you will experience an access denied error. This is not needed for the above two PowerShell scripts. I run it at 7 PM on the 2nd day of each month.

 @ECHO OFF
 :: This script will run the WSUSDBMaintenance SQL script and email its output
 :: Written by Kevin Fason
 :: 09.12.2012
 :: v1.0
 
 
 :: Setup Shop
 SET LOGFILE=%TEMP%\WSUS_DB_reindex.txt
 SET EXEPATH=C:\Program Files\Microsoft SQL Server\90\Tools\binn\sqlcmd.exe
 SET SCRIPTPATH=PATHTOYOURSCRIPT
 SET WSUSSERVER=WSUSSERVERNAME
 SET SMTPTO=RECIPIENT@DOMAIN.COM
 SET SMTPFROM=SENDER@DOMAIN.COM
 SET SMTPSMARTHOST=SMTPHOST.DOMAIN.COM
 
 :: Delete previous log (quoted because %TEMP% may contain spaces)
 ECHO.
 ECHO Deleting previous log if it exists
 IF EXIST "%LOGFILE%" DEL "%LOGFILE%"
 
 :: Run the WSUSDBMaintenance SQL script against the Windows Internal Database named pipe
 ECHO.
 ECHO Starting WSUS DB Maintenance Script
 "%EXEPATH%" -I -i "%SCRIPTPATH%\wsusdbmaintenance.sql" -S \\.\pipe\MSSQL$MICROSOFT##SSEE\sql\query > "%LOGFILE%"
 
 
 :: Email the SQL script output
 ECHO.
 ECHO Emailing results
 "%SCRIPTPATH%\blat.exe" -body "WSUS Database Maintenance Results attached. Please review. see you next time!" -to %SMTPTO% -f %SMTPFROM% -s "WSUS: DB Maintenance Results for %WSUSSERVER%" -server %SMTPSMARTHOST% -attach "%LOGFILE%"

I suppose you could have a script call all three parts sequentially, but I do it separately to work around backup windows, and really, as long as you do it regularly it's very beneficial. I've also thought of doing it closer to Patch Tuesday, or maybe the first Monday and Tuesday of the month for example. So do you do something more?

Updated (02.25.2016)


Mark's scripts do not work on more recent releases of WSUS within 2012 and 2012 R2. I found a couple of great ones to use, however.

First, SMSAgent wrote a PS1 that performs the same Cleanup Wizard as above and emails it to you.

Second, Jason at configmgrftw has Decline-OtherUpdates, which expands a lot on the process as a whole. His focuses on declining Itanium and other miscellaneous updates.

Additionally Microsoft has a TechNet article on it.

-Kevin Fason

Wednesday, November 6, 2013

And so it begins...

I've had several peers tell me that I should start blogging as I have a wealth of cool neat solutions to wacky problems. So here I am. If there's something you want me to start on please let me know! I have a few ideas lined up from presentations at MEMUG already.

Why Kevinisms? This was branded by an old Manager of mine, Will, in reference to the strange things I ramble about. A small sampling:

"I just twitch from time to time"
"Propecia, That'd be a good name for a drug"
"They don't know I'm interesting"
"I will be world dictator before I die"
"I don't like lumps in my pocket"
     + 7/21/03 4:43 pm
     + Referring to Kyocera 7135 Phone
"I guess gear & geargear was taken"
     + window sticker on a car at Microcenter for geargeargear.com
     + 1/8/04 9:19 am

So who am I? I'm Kevin Fason and I've been in technology all my life. Grew up with my dad working for the likes of StorageTek and bringing stuff home for me and my brother to mess with. I always wonder what trouble I'd be in if I grew up today. Was big in the Atari and Amiga world growing up in the demo scene, running BBS' etc. Hanging out at the CO's, all the fun stuff. We used to help him repair Atari computers and Game systems for the local shops.

So in short, this apple didn't fall far from the tree; even my brother is in technology. I consider myself a dying breed; technology is more than a job to me. I do what work wants from 8-5 and will come home and do what I want from 5-8.

Currently I am the End User Computing Architect for a large Engineering firm in Denver. Had various roles over the years here, from Communications (PBX, Voicemail) , Administration, even IT Global Manager. I'll create a more formal bio about me shortly. Deployment is a big part of my mindset (OSD, MDT, going back to dd) so I have come across lots of scenarios and issues working for a firm that's on all the continents and zillions of countries (I have to exaggerate counts..)