WSUS vs Windows 7/ Windows 8.1 client issues

We’ve recently needed to be a bit more rigorous about using WSUS, so I started off on our servers and found out that if you go with “Scheduled Installs”, what this means is that any given server can reboot pretty much when it likes with up to 30 minutes grace.

This was no good at all, so I started using a PowerShell script to do the WSUS side of things, then used a server to run scheduled tasks against a group of servers at a time. This meant that we could reboot the servers when we liked, which is around 04:00.

This was all ticking along nicely, so we opened this out to a select number of clients- mix of Windows 7 Pro SP1 and Windows 8.1 Pro. Very little happened. PCs didn’t get patched, running WSUS through the GUI resulted in the progress bar looping, PowerShell didn’t work, the Event Viewer only displayed errors and WSUS itself complained the PCs hadn’t reported for a long time, or maybe not at all.

After a week of fiddling about with the Windows Update client, deleting registry keys, deleting WindowsUpdate.log etc etc, turns out it seems there are 2 KB articles- KB3138612 & KB3138615- that appear to be critical to getting WSUS working on clients. These KBs relate to “updates for Windows Update” dated March 2016.

The long and the short of it is that it appears the best way to get Windows 7 & 8.1 working is to start from scratch: reinstall Windows from a DVD and then immediately install the relevant KB .msu file.

I tried pointing freshly-built clients at WSUS (before installing the KB) and they either just looped (Windows 8.1) or told you to install an update to Windows Update (Windows 7). This build under Windows 8.1 wouldn’t even talk to WSUS until I’d installed the KB, and I assumed the Windows 7 Windows Update Client Update was the right KB article, although it didn’t say.

I now have 3 new Windows 8.1 images: the OS by itself, the OS with KB3138615 and the OS with all available updates from WSUS. I’m doing the same thing for Windows 7. Unfortunately, this means our existing SCCM images are “fine” in that they’re patched, but it looks like they can’t talk to WSUS so our choice is either to talk to Microsoft to fix this, or re-image all our PCs with the new images. This isn’t my call, but is seriously annoying to find out when we’ve just gone around using SCCM to apply images to PCs which won’t actually update on a day-to-day basis.
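A way to find out which existing clients lack the March 2016 Windows Update client update before pointing them at WSUS, as an added example that is not part of the original post. The KB3138615/Windows 8.1 pairing comes from the post; the KB3138612/Windows 7 pairing and the computer names are assumptions of this example.

```powershell
# Added example: report whether each client lists the Windows Update client KB
# named in the post. Computer names at the bottom are placeholders.
$requiredKb = @{
    '6.1' = 'KB3138612'   # Windows 7 SP1 (assumed pairing)
    '6.3' = 'KB3138615'   # Windows 8.1 (pairing taken from the post)
}

function Test-WuClientUpdate {
    param([Parameter(Mandatory)][string[]]$ComputerName)

    foreach ($computer in $ComputerName) {
        $result = [pscustomobject]@{
            Computer = $computer; OS = $null; RequiredKB = $null; Status = 'Unreachable'
        }
        if (Test-Connection $computer -Count 1 -Quiet) {
            try {
                $os = Get-WmiObject -Class Win32_OperatingSystem -ComputerName $computer -ErrorAction Stop
                $result.OS = $os.Caption
                # Version looks like 6.1.7601; keep major.minor to pick the KB
                $majorMinor = ($os.Version -split '\.')[0..1] -join '.'
                $result.RequiredKB = $requiredKb[$majorMinor]
                if (-not $result.RequiredKB) {
                    $result.Status = 'Not Windows 7 / 8.1'
                }
                elseif (Get-HotFix -Id $result.RequiredKB -ComputerName $computer -ErrorAction SilentlyContinue) {
                    $result.Status = 'Installed'
                }
                else {
                    $result.Status = 'Missing'
                }
            }
            catch {
                # Host answered ping but WMI/RPC failed (firewall, permissions)
                $result.Status = "WMI error: $($_.Exception.Message)"
            }
        }
        $result
    }
}

Test-WuClientUpdate -ComputerName 'PC-EXAMPLE-01', 'PC-EXAMPLE-02' | Format-Table -AutoSize
```

“Missing” only means that specific KB is not in the installed hotfix list; a machine carrying a later Windows Update client update that replaces it will also show as Missing.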


Microsoft KB3124557: MS16-010: Security update in Microsoft Exchange Server to address spoofing: January 12, 2016

First thing to be aware of is that this update definitely does come down through WSUS, which was my first mistake (I’m so used to Exchange updates being full-blown CUxx-style, download-the-entire-ISO-again that I didn’t expect this to show up).

We have a 3-node DAG, and of course I hit “install all updates” on all 3 nodes. Meaning Exchange services got disabled (and I mean disabled, not just stopped) on all nodes. My thinking for this was that as Node 1 wasn’t managing any mailbox databases, I could patch it (not realising it had an Exchange update), reboot it, move some DBs, then reboot the other two nodes one at a time, juggling DBs as necessary.

Once I saw what was going on, I cancelled the update which is a bad idea, because it neither continued to install the patch nor rolled back the patch by re-enabling and starting Exchange services. So after cancellation, I had 3 nodes, none of which had the patch and all of which had Exchange disabled.

At this point, my “bads” were a) I should have checked whether the updates included anything for Exchange and b) not cancelled the update jobs.

To make matters worse, I’ve got 2 mailboxes but they’re both in the same mailbox database, and this database was mounted on Node 3 which still had all of its services disabled. So when I logged on to ECP with my admin account, all I got was a blank screen.

After raising an incident, and then getting a phone call from Microsoft (http://support.microsoft.com/oas) it turns out that basically all I had to do was switch all the services to automatic on Node 3, and then start them. Suddenly, I could get to ECP, my mailboxes were accessible etc etc (and yes, I should have been using PowerShell, not ECP).
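A pre-flight check for the two “bads” above, as an added example that is not part of the original post: it lists pending updates whose title mentions Exchange and reports any Exchange services currently left Disabled. It assumes the update title contains the word “Exchange” and that the service names start with “MSExchange”.

```powershell
# Added example. Run locally on each DAG node before installing updates.
function Get-PendingExchangeUpdate {
    # Ask the Windows Update Agent which updates are applicable but not installed
    $session  = New-Object -ComObject Microsoft.Update.Session
    $searcher = $session.CreateUpdateSearcher()
    $pending  = $searcher.Search("IsInstalled=0 and Type='Software' and IsHidden=0").Updates

    foreach ($update in $pending) {
        # Assumption: Exchange updates carry "Exchange" in the title
        if ($update.Title -match 'Exchange') {
            [pscustomobject]@{
                KB    = ($update.KBArticleIDs | ForEach-Object { "KB$_" }) -join ','
                Title = $update.Title
            }
        }
    }
}

function Get-DisabledExchangeService {
    # Services left Disabled, e.g. by an interrupted Exchange update.
    # Assumption: Exchange service names start with "MSExchange".
    Get-WmiObject -Class Win32_Service -Filter "Name LIKE 'MSExchange%' AND StartMode = 'Disabled'" |
        Select-Object Name, DisplayName, StartMode, State
}

$exchangeUpdates = @(Get-PendingExchangeUpdate)
if ($exchangeUpdates.Count -gt 0) {
    Write-Warning "Exchange updates pending on $env:COMPUTERNAME - patch one DAG node at a time:"
    $exchangeUpdates | Format-Table -AutoSize
}
else {
    Write-Host "No pending updates mention Exchange on $env:COMPUTERNAME"
}

$disabled = @(Get-DisabledExchangeService)
if ($disabled.Count -gt 0) {
    Write-Warning "Exchange services currently Disabled on $env:COMPUTERNAME :"
    $disabled | Format-Table -AutoSize
}
```

The script only reports; which of the listed services should be set back to Automatic depends on what was enabled on that node before the update started.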

DNS entry problems on a DC with attached iSCSI

We’ve recently set up a new DC with some iSCSI storage attached- single site, so the DC is providing DC & file storage.

In DNS, the LAN and iSCSI entries were showing up which was annoying, as pinging generally didn’t work because it would try to find the iSCSI network.

In short, you don’t need to mess around with any network connections or fiddle about in the registry- use method 2 from

https://support.microsoft.com/en-gb/kb/275554

Just stop the DNS on the DC listening on any port other than the LAN- including any IPv6 interfaces (in our case at any rate).

Trawl AD for devices running Windows Server, pull out hardware details, list them in PowerShell window

This is pretty much identical to the other two scripts but it displays the output in PowerShell. It’s got a few bits of colouring to differentiate between servers that can/ can’t be ping’d.

—————————————————
# Needs the ActiveDirectory module (RSAT) and WMI access to every server
Import-Module ActiveDirectory

# Handle to the console so the colours can be changed
$userInterface = (Get-Host).UI.RawUI

$serverList = @(Get-ADComputer -LDAPFilter "(&(ObjectCategory=Computer)(OperatingSystem=*server*))" | Select-Object Name)
$serverNames = $serverList.Name

# One row per server: name, manufacturer, model, serial number
$serverArray = New-Object 'object[,]' $serverList.Count,4
$xAxis = 0
$yAxis = 0
[int]$responsiveCounter = 0
[int]$unresponsiveCounter = 0

Clear-Host

ForEach ($server in $serverNames)
{
    $isAlive = Test-Connection $server -Count 1 -Quiet

    If($isAlive -eq $true)
    {
        $serverArray[$xAxis,$yAxis] = Get-WMIObject -Class Win32_OperatingSystem -ComputerName $server | Select-Object -ExpandProperty CSName
        $detail00 = $serverArray[$xAxis,$yAxis]
        $yAxis++

        $serverArray[$xAxis,$yAxis] = Get-WMIObject -Class Win32_ComputerSystem -ComputerName $server | Select-Object -ExpandProperty Manufacturer
        $detail01 = $serverArray[$xAxis,$yAxis]
        $yAxis++

        $serverArray[$xAxis,$yAxis] = Get-WMIObject -Class Win32_ComputerSystem -ComputerName $server | Select-Object -ExpandProperty Model
        $detail02 = $serverArray[$xAxis,$yAxis]
        $yAxis++

        $serverArray[$xAxis,$yAxis] = Get-WMIObject -Class Win32_SystemEnclosure -ComputerName $server | Select-Object -ExpandProperty SerialNumber
        $detail03 = $serverArray[$xAxis,$yAxis]

        # Colours for a server that answered the ping
        $userInterface.ForegroundColor = "DarkGreen"
        $userInterface.BackgroundColor = "DarkRed"

        # Left-aligned, fixed-width columns
        "{0, -20} {1, -25} {2, -20} {3, -40}" -f $detail00, $detail01, $detail02, $detail03

        $responsiveCounter++
    }
    ElseIf($isAlive -eq $false)
    {
        # Colours for a server that did not answer the ping
        $userInterface.ForegroundColor = "Blue"
        $userInterface.BackgroundColor = "Yellow"

        $mergeDetails = "`n" + $server + " is not responding so I can't retrieve any data" + "`n"
        $mergeDetails

        $unresponsiveCounter++
    }

    # Next server starts at the first column of the next row
    $yAxis = 0
    $xAxis++
}

$userInterface.ForegroundColor = "DarkGreen"
$userInterface.BackgroundColor = "DarkRed"
Write-Host "`n`nThe total number of responsive servers is " $responsiveCounter

$userInterface.ForegroundColor = "Blue"
$userInterface.BackgroundColor = "Yellow"
Write-Host "The total number of unresponsive servers is " $unresponsiveCounter

$userInterface.BackgroundColor = "DarkGreen"
$userInterface.ForegroundColor = "Cyan"

Trawl AD for devices running Windows Server, pull out hardware details (Dell specific)

This is pretty much identical to the last script, but it filters the output to return only Dell servers. It’s just the extra chunk that starts “If($madeBy -eq "Dell Inc.")”. This could be replaced with any manufacturer. I needed to send our live estate to our account manager.

Because WMI is a bit weird, this script has to pull data out of different classes so looks worse than it is. It has to use the NETBIOS name to get all this data. It’s based around an array that is created from the number of servers it finds (“OperatingSystem=*server*”). The $mergeDetails looks complicated, but it’s the only way I could find of presenting the results neatly, so the details of each server are on a separate line. It’s very easy to just output the array in a list format but is horrible to read.

The main “If” loop just determines whether the server is responding- if not, it writes to the same file that it can’t retrieve any data.
————————————————–
# Needs the ActiveDirectory module (RSAT) and WMI access to every server
Import-Module ActiveDirectory

# Start with a fresh output file; no error if it isn't there yet
Remove-Item .\Dell_Name_ST_Model.csv -ErrorAction SilentlyContinue

$serverList = @(Get-ADComputer -LDAPFilter "(&(ObjectCategory=Computer)(OperatingSystem=*server*))" | Select-Object Name | Sort-Object Name)
$serverNames = $serverList.Name

# One row per server: name, manufacturer, model, serial number
$serverArray = New-Object 'object[,]' $serverList.Count,4
$xAxis = 0
$yAxis = 0

ForEach ($server in $serverNames)
{
    $isAlive = Test-Connection $server -Count 1 -Quiet

    If($isAlive -eq $true)
    {
        $madeBy = Get-WMIObject -Class Win32_ComputerSystem -ComputerName $server -ErrorAction 'SilentlyContinue' | Select-Object -ExpandProperty Manufacturer

        # Only record servers from this manufacturer
        If($madeBy -eq "Dell Inc.")
        {
            $serverArray[$xAxis,$yAxis] = Get-WMIObject -Class Win32_OperatingSystem -ComputerName $server | Select-Object -ExpandProperty CSName
            $mergeDetails = $serverArray[$xAxis,$yAxis]
            $yAxis++

            $serverArray[$xAxis,$yAxis] = Get-WMIObject -Class Win32_ComputerSystem -ComputerName $server | Select-Object -ExpandProperty Manufacturer
            $mergeDetails = $mergeDetails + "," + $serverArray[$xAxis,$yAxis]
            $yAxis++

            $serverArray[$xAxis,$yAxis] = Get-WMIObject -Class Win32_ComputerSystem -ComputerName $server | Select-Object -ExpandProperty Model
            $mergeDetails = $mergeDetails + "," + $serverArray[$xAxis,$yAxis]
            $yAxis++

            $serverArray[$xAxis,$yAxis] = Get-WMIObject -Class Win32_SystemEnclosure -ComputerName $server | Select-Object -ExpandProperty SerialNumber
            $mergeDetails = $mergeDetails + "," + $serverArray[$xAxis,$yAxis]

            # One comma-separated line per server
            $mergeDetails | Out-File .\Dell_Name_ST_Model.csv -Append
        }
    }
    ElseIf($isAlive -eq $false)
    {
        $server + " ,is not responding so I can't retrieve any data" | Out-File .\Dell_Name_ST_Model.csv -Append
    }

    # Next server starts at the first column of the next row
    $yAxis = 0
    $xAxis++
}

Trawl AD for devices running Windows Server, pull out hardware details

Because WMI is a bit weird, this script has to pull data out of different classes so looks worse than it is. It has to use the NETBIOS name to get all this data. It’s based around an array that is created from the number of servers it finds (“OperatingSystem=*server*”). The $mergeDetails looks complicated, but it’s the only way I could find of presenting the results neatly, so the details of each server are on a separate line. It’s very easy to just output the array in a list format but is horrible to read.

The main “If” loop just determines whether the server is responding- if not, it writes to the same file that it can’t retrieve any data.
———————————————–
# Needs the ActiveDirectory module (RSAT) and WMI access to every server
Import-Module ActiveDirectory

# Start with a fresh output file; no error if it isn't there yet
Remove-Item .\allServers_Name_ST_Model.csv -ErrorAction SilentlyContinue

$serverList = @(Get-ADComputer -LDAPFilter "(&(ObjectCategory=Computer)(OperatingSystem=*server*))" | Select-Object Name | Sort-Object Name)
$serverNames = $serverList.Name

# One row per server: name, manufacturer, model, serial number
$serverArray = New-Object 'object[,]' $serverList.Count,4
$xAxis = 0
$yAxis = 0

ForEach ($server in $serverNames)
{
    $isAlive = Test-Connection $server -Count 1 -Quiet

    If($isAlive -eq $true)
    {
        $serverArray[$xAxis,$yAxis] = Get-WMIObject -Class Win32_OperatingSystem -ComputerName $server | Select-Object -ExpandProperty CSName
        $mergeDetails = $serverArray[$xAxis,$yAxis]
        $yAxis++

        $serverArray[$xAxis,$yAxis] = Get-WMIObject -Class Win32_ComputerSystem -ComputerName $server | Select-Object -ExpandProperty Manufacturer
        $mergeDetails = $mergeDetails + "," + $serverArray[$xAxis,$yAxis]
        $yAxis++

        $serverArray[$xAxis,$yAxis] = Get-WMIObject -Class Win32_ComputerSystem -ComputerName $server | Select-Object -ExpandProperty Model
        $mergeDetails = $mergeDetails + "," + $serverArray[$xAxis,$yAxis]
        $yAxis++

        $serverArray[$xAxis,$yAxis] = Get-WMIObject -Class Win32_SystemEnclosure -ComputerName $server | Select-Object -ExpandProperty SerialNumber
        $mergeDetails = $mergeDetails + "," + $serverArray[$xAxis,$yAxis]

        # One comma-separated line per server
        $mergeDetails | Out-File .\allServers_Name_ST_Model.csv -Append
    }
    ElseIf($isAlive -eq $false)
    {
        $server + " ,is not responding so I can't retrieve any data" | Out-File .\allServers_Name_ST_Model.csv -Append
    }

    # Next server starts at the first column of the next row
    $yAxis = 0
    $xAxis++
}

WP 8.1 error: “We can’t connect to OneDrive to back up”

A few weeks back, apparently my Lumia 930 stopped backing up with the above error- it’s looking like the OneDrive backup (OneDrive > Options > Device Backups) may have become corrupted. I deleted the backup for the 930, ran a fresh backup and it failed, but during the failure it switched off settings backup on the phone. I switched it back on, and now the 930 is showing up as a backup device in OneDrive. It hasn’t finished yet, but there is a backup for that device showing up in OneDrive with today’s timestamp on it…

UPDATE: backup still failed, but device and OneDrive think it backed up. ?

UPDATE 22/06/2016 @ 16:44: after chatting to Microsoft a lot of the day, it seems that the problem was having the official twitter app installed- ? They pointed me at:

http://answers.microsoft.com/en-us/mobiledevices/forum/mdlumia-mdsettings/wp-81-backup-error-there-was-a-problem/b6812384-cd70-41cd-a817-72cc8a361141?page=3&auth=1

And although I don’t have Live lockscreen beta, the official twitter app is horribly slow and unresponsive so I thought maybe that was worth a go (also, the icon was going dark when charging- possibly when backing up- implying it was unusable at this time, which made me think there might be an issue with it). Uninstalled twitter (still have tweetium), and have now had two successful backups work without a problem.