Saturday 2 October 2010

Wizzy WSUS


Blog clearout! New start..

Want to get more out of WSUS? It's been a patchtastic few weeks, with Adobe and MS both pushing out frequent updates that really must go out. If you've not got the budget for SMS, you can leverage your WSUS to help out with non-Microsoft updates.

Local Update Publisher is an open source utility that will take an msi package, chuck it into the WSUS catalog and patch software on your workstations and servers alongside Microsoft Updates.

There are a couple of things you've got to know. The first is easy: WSUS will only ever show Microsoft products in its console, which means you're just going to have to check the status of the other updates in LUP separately.



The second issue is a bit of a faff. Basically, your workstations need to trust your WSUS server as a publisher before they'll accept these new types of updates. To facilitate that, you generate a certificate on the WSUS server using LUP and sign the new update packages with it. The problem is getting this certificate out to the workstations to allow the updates to roll out. It's obviously less work to get Group Policy to distribute the certificate for you. Problem is, if you're using Windows XP consoles, Group Policy only contains one of the two certificate stores. So you've either got to sort the second certificate store manually, or find a Windows 7 PC with the Server 2008 tools to do it from. The issue is documented well on the LUP wiki.

The site and code seem to be actively maintained and supported by the author; go check it out.

Another thing I learned about WSUS this week was that disk cloning can break it. WSUS thinks both clones are the same PC, and when one signs in, it knocks the other one out of the computers list. The fix is easy: just remove the SUS ID of the clone in the registry. Go to HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate, delete SUSClientID, and Windows Update will create a new one on its next refresh. There's a quick script for this on the patchaholic blog that'll do that for you.
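
The registry fix above as a script, added here as an example (it is not the patchaholic script or anything from LUP). It assumes an elevated PowerShell prompt on the clone; clearing the companion `SusClientIdValidation` value and calling `wuauclt /resetauthorization /detectnow` are additions beyond what the post describes.

```powershell
# Added example: reset the WSUS client identity on a cloned machine.
# Run elevated on the clone. Supports -WhatIf for a dry run.
[CmdletBinding(SupportsShouldProcess = $true)]
param()

$key = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate'
# SusClientId is the value named in the post. SusClientIdValidation is an
# assumption added here: a companion value normally cleared along with it.
$values = 'SusClientId', 'SusClientIdValidation'

if (-not (Test-Path $key)) {
    Write-Warning "Key not found: $key"
    return
}

# Record the old ID so the stale entry can be matched in the WSUS console later.
$before = (Get-ItemProperty -Path $key).SusClientId
Write-Output "Current SusClientId: $before"

# Stop the update service so it cannot write the old ID back mid-change.
if ($PSCmdlet.ShouldProcess('wuauserv', 'Stop service')) {
    Stop-Service -Name wuauserv -Force
}

foreach ($name in $values) {
    # Only remove values that are present, so running the script twice is harmless.
    if ($null -ne (Get-ItemProperty -Path $key).$name) {
        if ($PSCmdlet.ShouldProcess("$key\$name", 'Remove registry value')) {
            Remove-ItemProperty -Path $key -Name $name
        }
    }
}

if ($PSCmdlet.ShouldProcess('wuauserv', 'Start service and re-register')) {
    Start-Service -Name wuauserv
    # Assumption: force re-registration now rather than waiting for the next refresh.
    & wuauclt.exe /resetauthorization /detectnow
}
```

Run it with `-WhatIf` first to see what would be stopped and removed without changing anything.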