Weblog.BassQ.nl

Source; http://blogs.technet.com/virtualization/archive/2009/12/10/Offline-Virtual-Machine-Servicing-Tool-v2.1-.aspx

Virtualization affects how we plan, build, deploy, operate, and service workloads. Customers are creating large libraries of virtual machines containing various configurations. The patch-state of these virtual machines are not always known. Ensuring that offline virtual machines are properly patched and won’t become vulnerable the instant they come online is critical.

I am therefore very pleased to state that the Offline Virtual Machine Servicing Tool v2.1 has now been released!

Congratulations to the Solution Accelerator team for this release!

The Offline Virtual Machine Servicing Tool 2.1 has free, tested guidance and automated tools to help customers keep their virtualized machines updated, without introducing vulnerabilities into their IT infrastructure.

The tool combines the Windows Workflow programming model with the Windows PowerShell interface to automatically bring groups of virtual machines online, service them with the latest security updates, and return them to an offline state.

What’s New?

Release 2.1 is a direct response to customer and Microsoft field requests to support the R2 wave. Offline Virtual Machine Servicing Tool 2.1 now supports the following products:
· Hyper-V-R2
· VMM 2008 R2
· SCCM 2007 SP2
· WSUS 3.0 SP2
· OVMST 2.1 also supports updates to Windows 7 and Windows Server 2008 R2 virtual machines.

Download here; Offline Virtual Machine Servicing Tool  2.1
More info; http://technet.microsoft.com/en-us/library/cc501231.aspx

The Microsoft Baseline Security Analyzer provides a streamlined method to identify missing security updates and common security misconfigurations. MBSA 2.1.1 is a minor upgrade to add support for Windows 7 and Windows Server 2008 R2.

To easily assess the security state of machines in an environment, Microsoft offers the free Microsoft Baseline Security Analyzer (MBSA) scan tool. MBSA includes a graphical and command line interface that can perform local or remote scans of Microsoft Windows systems.

MBSA 2.1.1 builds on previous versions by adding support for Windows 7 and Windows Server 2008 R2. As with the previous MBSA 2.1 release, MBSA includes 64-bit installation, security update and vulnerability assessment (VA) checks, improved SQL Server 2005 checks, and support for the latest Windows Update Agent (WUA) and Microsoft Update technologies. More information on the capabilities of MBSA 2.1 and 2.1.1 is available on the MBSA Web site.

MBSA 2.1.1 runs on Windows Server 2008 R2, Windows 7, Windows Server 2008, Windows Vista, Windows Server 2003, Windows XP and Windows 2000 systems and will scan for missing security updates, rollups and service packs using Microsoft Update technologies. MBSA will also scan for common security misconfigurations (also called Vulnerability Assessment checks) using a known list of less secure settings and configurations for all versions of Windows, Internet Information Server (IIS) 5.0, 6.0 and 6.1, SQL Server 2000 and 2005, Internet Explorer (IE) 5.01 and later, and Office 2000, 2002 and 2003 only.

To assess missing security updates, MBSA will only scan for missing security updates, update rollups and service packs available from Microsoft Update. MBSA will not scan or report missing non-security updates, tools or drivers.
Choose the appropriate download below for English (EN), German (DE), French (FR) and Japanese (JA) for x86 (32-bit) or x64 (64-bit) platforms.

Download details Microsoft Baseline Security Analyzer 2.1.1 (for IT Professionals)
Source: http://bink.nu/news/microsoft-baseline-security-analyzer-2-1-1.aspx

Windows Server Update Services 3.0 Service Pack 2 (WSUS 3.0 SP2) delivers updates to corporate environments from Microsoft Update. This release adds new features and fixes issues found since the release of the product.

WSUS 3.0 SP2 delivers important customer-requested management, stability, and performance improvements. Some of the features and improvements include the following:

• Integration with Windows Server 2008 R2.
• Support for the BranchCache feature in Windows Server 2008 R2.
• Support for Windows 7 and Windows Server 2008 R2 clients.
• Compliance Report
• Windows Update Agent (WUA) offers a collection of performance enhancements, user experience improvements, and bug fixes software updates.

WSUS 3.0 SP2 can be installed alone, or as an upgrade of WSUS 3.0 SP1.
This package installs both the WSUS 3.0 SP2 Server, WSUS 3.0 SP2 Administration Console components and WUA client for down-level operating system. You must install the server components on a computer that is running on Windows Server 2003 SP2 or later versions. You may install the Administration Console on a remote computer that is running one of the supported operating systems, see below the Supported Operating Systems section.
WSUS 3.0 SP2 Server Installation on Windows Small Business Server 2003
If you are installing the WSUS 3.0 SP2 product on Windows Small Business Server 2003, follow the instructions in Installing Windows Server Update Services 3.0 on Windows Small Business Server 2003.

Download Here: http://www.microsoft.com/downloads/details.aspx?displaylang=en&FamilyID=a206ae20-2695-436c-9578-3403a7d46e40#tm

If you manage a Windows Server Update Services (WSUS) server, you probably run the Server Cleanup Wizard every once and a while. It removes old and superseded updates and computers that haven’t reported their status for more than 30 days. Wouldn’t it be nice to schedule such a cleanup to run every month? Too bad there’s no command line tool I know of that can help you out with this. Powershell to the rescue!
Powershell can not only run the built-in commandlets or even those added by snapins. It can leverage the full power of the .NET Framework. Browse the MSDN Library if you want to find more cool things you can do with it.

Here’s a script that uses this information to run the cleanup wizard:  Cleanup-Wsus (rename to .ps1)

Here’s how to use powershell to “manually” synchronize your WSUS server, i.e. download the latest updates. Synchronize-Wsus (rename to .ps1)

Service Pack 2 for the 2007 Office System will be made available to Windows Server Update Services in April, classified as a service pack.
Service Pack 2 includes some significant work, including: built-in ability to save as ODF & PDF formats, improvements to Outlook’s performance and calendar reliability, significant bug fixes for charts in core Office applications, the ability for client service packs to be removed using an uninstall tool, and a host of customer-requested improvements to the Office Server products.

Of course it is also a rollup of all fixes that have previously been released for Office 2007 products.  Additional information will be posted to the Office Sustaining Engineering blog

Windows Server Update Services 3.0 Service Pack 1 delivers important customer-requested mangement, stability, and performance improvements, while incorporating further enhancements to local publishing of drivers and the Client Servicing API addition.

WSUS 3.0 SP1 delivers new features that enable administrators to more easily manage and deploy updates across the organization. This package installs both the WSUS 3.0 Server and WSUS 3.0 Administration Console components, for all Windows Server 2003 SP1 supported languages. Additionally, the WSUS 3.0 SP1 client is included in all supported client platform languages. You must install the server components on a computer running Windows Server 2008 or Windows Server 2003 SP1 or later. You may install the Administration Console on a remote computer running Windows Vista, Windows Server 2008, Windows Server 2003 SP1, or Windows XP SP2.

WSUS 3.0 SP1 Server Installation on Windows Small Business Server 2003

If you are installing the WSUS 3.0 SP1 product on Windows Small Business Server 2003, follow the instructions in Installing Windows Server Update Services 3.0 on Windows Small Business Server 2003.

Download Here

There are multiple ways updates can be deployed through WSUS to client machines (“client machines” mean clients of the WSUS server – the machines may be running either client or server operating systems). This posting describes these mechanisms and the way they can be controlled by the administrator in order to ensure unexpected changes do not occur.

·         Explicit approval. An administrator can explicitly approve an update for installation to a group of machines.

·         Auto-reapprove revisions. By default, when a new revision of an approved update is synchronized to the WSUS server we move the approval to the new revision. Normally this is what customers want, since new revisions never contain new binaries, just fixes to the metadata that describe how to automate the installation of the update. However we had one incident when a new revision of the Windows Desktop Search update changed the metadata so that the new revision was offered to *all* machines but the old revision was offered only to machines with older versions of Desktop Search installed, which caused it to be deployed more widely than expected for many customers (see http://blogs.technet.com/wsus/archive/2007/10/25/wds-revision-update-expanded-applicability-rules-auto-approve-revisions.aspx for details). Since then, we’ve added processes to ensure this type of change will not happen again. The administrator has direct control over this and can disable the option to auto-reapprove revisions.

o        Warning: turning off auto-reapprove revisions can create problems if the administrator has “definition updates” (signatures) in their synchronization options, because definition updates get created and expired fairly quickly and the expired ones won’t get auto-unapproved. As described in KB 938947, this can quickly lead to having too many updates approved which can cause problems for client-server communication. If auto-reapprove revisions is turned off, the administrator will need to manage revisions themselves; looking for older revisions that are approved and either unapproving them (if the new revision is marked “expired”) or move the approval to the new revision. We have provided a PowerShell sample script at http://www.microsoft.com/technet/scriptcenter/scripts/sus/server/susvms09.mspx that can be used to manage revisions.

·         Auto-approve WSUS updates. Some updates are marked as “infrastructure” updates, which means they are needed by WSUS or WUA for proper detection and scanning for many updates. These updates include MSI 3.1. WSUS creates approval rules to these by default, since they are necessary for the update system to work properly. The administrator has direct control over this and can disable the option to auto-approve WSUS updates. If disabled, WSUS will notify the admin in the home page (TODO list) that there are unapproved WSUS updates, which can lead to infrastructure problems (e.g., if MSI 3.1 is not installed on client machines, then many updates including Office Updates, can’t be properly detected).

·         Auto-approval rules. Administrators can create custom rules to auto-approve updates (e.g., auto-approve all security updates to all computers, or auto-approve all updates to a test target group). The administrator has direct control over this and there are no auto-approval rules enabled by default.

·         Initial client self-update. When a WSUS client’s Windows Update Agent (WUA) first synchronizes  against a WSUS server, it checks if the server has a newer version of the agent available in the servers “self-update” tree. If a newer version is available, the agent will self-update before completing the synchronization. Although Automatic Updates will check for self-update on every synchronization, the self update will only occur on the first synchronization unless the admin explicitly applies an update to the WSUS servers self-update tree (the next scenario).

o        Note: Newer versions of WUA on a particular operating system are backwards-compatible with the older versions of WSUS that support that operating system.  So after WUA self-updates to the latest version, the client can later be managed by an  older WSUS server if desired. The agent never “self-downgrades” (it will stay on the latest version of WUA when talking to an older server).

·         Subsequent client self-updates. The WSUS team may provide an update to the WSUS server itself that modifies the client self-update tree on the server. As of this writing, only two such update have been released; WSUS 2 SP1 (which modified the WSUS 2 self-update tree) and KB 936301 (which modified the WSUS 2 SP1 self-update tree). Such updates flow to the WSUS server as normal updates. If the admin approves such an update for install on the WSUS server, then the WSUS server self-update tree will be updated and subsequently all clients that synchronize against the server will self-update. The administrator has direct control over this since clients will only perform this subsequent self-update if the administrator approves an update to the self-update tree.

·         Update from Microsoft Update. End users on client machines can go to Windows Update or Microsoft Update and install updates (and WUA self-updates) directly. The administrator has direct control over this since they can configure the Windows Update Agent to disallow end-user access to Windows Update and Microsoft Update.

WSUS and AU have log files that allow customers to understand when and why a given update was installed on a machine:

·         The Windows Update Agent has a log file “%windir%\WindowsUpdate.log” with verbose logging on updates that have been installed.

·         WSUS 3.0 has a log file “%Program Files%\Update Services\LogFiles\changes.log” that contains a record of all recent approvals and who made them. If the approval was created automatically (e.g., auto-reapprove revision, auto-approval rule, or auto-approve WSUS updates), the user in the log will be “WSUS Service”.

Microsoft just announced the public availability of WSUS 3.0 SP1 Release Candidate 1. Improvements include support for Windows Server 2008 and product bug fixes. More information is available on Microsoft Connect. Click the ‘Available Connections’ link and look for Windows Server Update Services 3.0 SP1 Release Candidate. Here’s a brief overview of the WSUS page on Connect:

“Thank you for joining the WSUS 3.0 Service Pack 1 Release Candidate Program and we welcome you to provide feedback on the Service Pack 1 through the channels listed below. By including you in our development process, we can ensure that our products meet the needs of our customers and are reliable.

WSUS 3.0 SP1 addresses a number of product fixes and includes the addition of support for forth coming Windows Server 2008 (code named Longhorn Server).  The release notes on this release can be downloaded along with the build which provides more details on the installation.”

Download Service Pack 1 and Documentation:
The downloads link on the left hand menu will take you to the download page for the following SP1 builds and documentation:
- WSUS 3.0 SP1 Beta x86 Build
- WSUS 3.0 SP1 Beta x64 Build
- WSUS 3.0 SP1 RC ReadMe
- WSUS 3.0 SP1 RC Pre Release License
- WSUS 3.0 Overview Document
- WSUS 3.0 Operations Guide
- WSUS 3.0 Step by Step Guide

Continue Here