=====Microsoft - Windows - Updates=====
[[http://technet.microsoft.com/en-us/wsus/default.aspx|Microsoft Windows Server Update Services (WSUS) Home]] \\
[[http://support.microsoft.com/ph/6527|Microsoft Support - Support for Microsoft Update]] \\
[[https://technet.microsoft.com/en-us/library/cc720442%28v=ws.10%29.aspx|Microsoft TechNet - Appendix G: Windows Update Agent Result Codes]] \\
[[http://www.wsuswiki.com/|Windows Server Update Services Wiki]] \\
[[http://windowssecrets.com/category/patch-watch/|Windows Secrets - Patch Watch]] \\
Lists of updates: \\
[[http://xable.net/xp-sp2-update-pack-contents.php|XP SP2 Update Pack Contents]] All post-SP2 XP updates. \\
[[http://xable.net/xp-sp3-update-pack-contents.php|XP SP3 Update Pack Contents]] All post-SP3 XP updates. \\
[[http://www.davehildebrand.com/2009/01/18/wsus-selfupdate-virtual-directory/|Dave Hildebrand.com - WSUS 3.1 and the SelfUpdate Virtual Directory]] \\
[[http://technet.microsoft.com/en-us/library/cc706995%28v=ws.10%29.aspx|Microsoft TechNet - Windows Server Update Services (WSUS)]] For WSUS 2.0, and 3.0 SP1 & SP2.:
[[http://technet.microsoft.com/library/dd939904%28WS.10%29.aspx|Microsoft TechNet - Backup and Restore WSUS Data]] \\
[[http://technet.microsoft.com/en-us/library/dd939795%28v=ws.10%29.aspx|Microsoft TechNet - Reindex the WSUS Database]] \\
[[http://technet.microsoft.com/en-us/library/hh852345.aspx|Microsoft TechNet - Windows Server Update Services Overview]] Applies To: Windows Server 2012, Windows Server 2012 R2. \\
[[https://github.com/proxb/PoshWSUS|GitHub - proxb/PoshWSUS]] a PowerShell module to manage Windows Server Update Services (WSUS). [[https://poshwsus.codeplex.com/|Old versions]]. \\
=====Articles/Blogposts=====
[[http://www.raymond.cc/blog/archives/2008/11/16/safely-remove-windows-xp-update-backup-files-to-free-up-hard-disk-space/|Safely Remove Windows XP Update Backup Files to Free Up Hard Disk Space]] \\
[[http://users.beagle.com.au/alvian/remove_winupd_backup.html|How to remove Windows Update (Hotfix) backup files manually]] \\
[[http://social.technet.microsoft.com/Forums/windowsserver/en-US/d7192ba2-8faf-4555-9dc8-5cfdef3dabde/bug-halt-when-deleting-unneeded-update-files|Microsoft Windows Server Forums - Bug: halt when deleting unneeded update files]] \\
[[http://serverfault.com/questions/296429/how-to-roll-back-or-uninstall-microsoft-patch-using-wsus|serverfault - How to roll back or uninstall Microsoft patch using WSUS?]] \\
[[https://www.web-workers.ch/index.php/2021/11/21/how-to-speed-up-your-windows-update-server-wsus-database/|Web Workers - How to speed up your Windows Update Server (WSUS) database]] \\
=====Microsoft KB articles=====
[[https://support.microsoft.com/en-us/kb/2828185|An update for Windows Server Update Services 3.0 SP2 is available (KB2828185)]] includes updates [[https://support.microsoft.com/en-us/kb/2720211|KB2720211]] and [[https://support.microsoft.com/en-us/kb/2734608|KB2734608]]. \\
[[https://support.microsoft.com/en-us/kb/972493|Windows Server Update Services 3.0 SP2 Dynamic Installer for Server Manager]] \\
[[https://support.microsoft.com/en-us/kb/972455|Description of Windows Server Update Services 3.0 Service Pack 2]]
[[https://support.microsoft.com/en-us/kb/949104|How to update the Windows Update Agent to the latest version (949104)]] \\
[[http://support.microsoft.com/kb/971058/en-us|How do I reset Windows Update components? (KB971058)]] \\
[[https://support.microsoft.com/en-us/kb/2714434|Description of the Windows Update Troubleshooter (KB2714434)]] \\
[[https://support.microsoft.com/en-us/kb/947821|Fix Windows Update errors by using the DISM or System Update Readiness tool (KB947821)]] provides the dism.exe command for Windows 8+ and the System Update Readiness tool for Windows Vista/7/Server 2008 (R2).\\
[[https://support.microsoft.com/en-us/kb/3102810|Installing and searching for updates is slow and high CPU usage occurs in Windows 7 and Windows Server 2008 R2 (KB3102810)]] \\
[[http://support.microsoft.com/kb/296861/en-us|How to install multiple Windows updates or hotfixes with only one reboot (KB296861)]] \\
[[http://support.microsoft.com/kb/916258/en-us|Error message when you search for updates on the Windows Update Web site in Windows XP: "0xc80003fA" (KB916258)]] \\
[[http://support.microsoft.com/kb/934562/en-us|Windows Update error 0x80240029 occurs when you try to update Windows Defender (KB934562)]] \\
[[http://support.microsoft.com/kb/958046/en-us|Error code when you try to use Windows Update or Microsoft Update to install updates: "0X80248007" (KB958046)]] \\
[[http://support.microsoft.com/kb/974500/en-us|After you disable the "Download express installation files" option in Windows Server Update Services 3.0, client computers may be unable to receive new updates (KB974500)]] \\
[[http://support.microsoft.com/kb/323166/en-us|How to download updates that include drivers and hotfixes from the Windows Update Catalog]] \\
[[http://support.microsoft.com/kb/282784/en-us|Qfecheck.exe verifies the installation of Windows 2000 and Windows XP hotfixes]] \\
[[http://support.microsoft.com/kb/920659/en-us|The Microsoft Windows Server Update Services (WSUS) SelfUpdate service does not send automatic updates]] \\
[[http://support.microsoft.com/kb/900935/en-us|How the Windows Update client determines which proxy server to use to connect to the Windows Update Web site]] \\
[[https://support.microsoft.com/en-us/kb/903262/|A Windows 2000-based, Windows Server 2003-based, or Windows XP-based computer that was set up by using a Windows 2000, Windows Server 2003, or Windows XP image does not appear in the WSUS console]] see also [[https://gallery.technet.microsoft.com/scriptcenter/Reset-WSUS-Authorization-2e26d1b0|Script Center > Repository > Windows Update > Reset WSUS Authorization and get new WSUS SID]] \\
[[https://support.microsoft.com/en-us/kb/3080351|How to manage Windows 10 notification and upgrade options]] describes the "Turn off the upgrade to the latest version of Windows through Windows Update" GPO setting. The GPO setting requires at least [[https://support.microsoft.com/en-us/kb/3050267|Windows Update Client for Windows 8.1: June 2015]] or later.\\
[[https://support.microsoft.com/en-us/topic/summary-of-intel-microcode-updates-08c99af2-075a-4e16-1ef1-5f6e4d8637c4|Summary of Intel Microcode Updates]]
=====Force check for updates=====
Execute the following command in cmd.exe:
wuauclt /detectnow
//Resetauthorization Option//
//WSUS uses a cookie on client computers to store various types of information, including computer group membership when client-side targeting is used. By default, this cookie expires an hour after WSUS creates it. If you are using client-side targeting and change group membership, use this option in combination with detectnow to expire the cookie, initiate detection, and have WSUS update computer group membership.//
//Note that when combining parameters, you can use them only in the order specified as follows: //
wuauclt.exe /resetauthorization /detectnow
Source:[[http://technet2.microsoft.com/windowsserver/en/library/c518f079-b877-4832-9aeb-d42ed397ca1e1033.mspx?mfr=true|Manipulate Client Behavior Using Command-line Options]] \\
=====Command-line options for updates from Windows Update=====
Silent unattended installation:
WindowsXP-KB935843-x86-ENU.exe /quiet /norestart
^Standard switch|**Description of the switch**|**Versions of Update.exe that support this switch**|
|/help| Displays command-line help.| Version 5.3.24.3 and later versions support the /help switch. For compatibility with older versions, the /? switch can be used.|
|/passive| Unattended Setup mode. No user interaction is required, but installation status is displayed. If a restart is required at the end of Setup, a dialog box will be presented to the user with a timer warning that the computer will restart in 30 seconds.| Version 5.3.24.3 and later versions support the /passive switch. For compatibility with older versions, the /u switch can be used.|
|/quiet| Quiet mode - same as unattended mode, but no status or error messages are displayed.| Version 5.3.24.3 and later versions support the /quiet switch. For compatibility with older versions, the /q switch can be used.|
|/norestart| Do not restart the computer when the installation is finished.| Version 5.3.24.3 and later versions support the /norestart switch. For compatibility with older versions, the /z switch can be used.|
|/warnrestart| Presents a dialog box with a timer warning the user that the computer will restart in x seconds. (Default is 30 sec). Intended for use with either /quiet or /passive switches.| Version 6.1.22.0 and later versions support the /warnrestart switch.|
|/forcerestart| Restart the computer after installation and force other applications to close at shutdown without saving open files first.| Version 5.3.24.3 and later versions support the /forcerestart switch.|
|/promptrestart| Presents a dialog box to prompt user to restart if required. Intended for use with /quiet.| Version 6.1.22.0 and later versions support the /promptrestart switch.|
|/forceappsclose| Forces other programs to close when the computer shuts down.| Version 5.4.15.0 and later versions support the /forceappsclose switch. For compatibility with older versions, the /f switch can be used.|
|/nobackup| Do not back up files for uninstall.| Version 6.1.22.0 and later versions support the /nobackup switch. For compatibility with older versions, the /n switch can be used.|
|/overwriteoem| Overwrite OEM files without prompting.| Version 6.1.22.0 and later versions support the /overwriteoem switch. For compatibility with older versions, the /o switch can be used.|
|/integrate:path| Integrates the software updates into the Windows installation source files located at the path specified. Note that :path refers to the folder that contains the i386 folder.| Version 5.4.15.0 and later versions support the /integrate:path switch. For compatibility with older versions, the /s switch can be used.|
|/log:path| Allows user to specify where to create the log file.| Version 6.1.22.0 and later versions support the /log switch.|
|/ER| Enable extended error reporting.| All versions support the ER switch.|
|/verbose| Enable verbose logging. Creates %Windir%\CabBuild.log upon install that details files to be copied. Using this switch may cause the installation to occur much slower.| Version 5.3.24.3 and later versions support the /verbose switch. For compatibility with older versions, the /v switch can be used.|
|/d:path| Specifies a backup directory for Windows Service Pack installation. :path indicates the destination folder for the backup files. The default backup location is %Systemdrive%\$ntservicepackuninstall$.| This switch is not available for updates other than Service Packs and is available only in Installer versions 5.3.16.5 and later versions.|
|/extract[:path]| Extracts files without starting Setup. If ":path" is not included, you are prompted for the path of a destination folder to extract the files. If ":path" is used, the files are extracted to the specified destination folder.| Version 5.3.24.3 and later versions support the /extract switch. For compatibility with older versions, the /x switch can be used.|
|/hotpatch:disable| Disables hotpatching functionality, and installs the cold patch only.| This is only to be used for Windows Server 2003 packages that support hotpatching and is available in versions 6.1.22.0 and later. For more information on hotpatching, see the "References" section in this article for a link to the "Inside Update.exe" whitepaper.|
Source: [[http://support.microsoft.com/kb/262841/|Command-line switches for Windows software update packages]] \\
=====WSUS and high CPU usage by svchost.exe on Windows XP=====
After login the proces svchost.exe under which the Windows Automatic Update Client runs takes up a full CPU en during the scan the PC is unuseable. If you look at svchost.exe with Sysinternals' Process Explorer you see that "ntdll.dll!RtlAllocateHeap" is claiming all the CPU time. This problem seems to be connected to the installation of a Microsoft Office product for which it is scanning for updates and/or the use of Microsoft Update (updates check for all Microsoft products) instead of Windows Update (updates check for Windows only). This should be solved by the installation of KB927891 which replaces hotfix KB916089 and, together with WSUS 3.0 client build 0374, should be the solution for the frozen PC with svchost.exe consuming 100% CPU. The scan will still be executed and can consume one CPU, but the computer should stay responsive during the scan.\\
====Documentation from Microsoft====
[[http://support.microsoft.com/kb/932494/en-us|Microsoft Support - When you use Automatic Updates to scan for updates or to apply updates to applications that use Windows Installer, you experience issues that involve the Svchost.exe process]] \\
[[http://support.microsoft.com/kb/916089/en-us|Microsoft Support - FIX: When you run Windows Update to scan for updates that use Windows Installer, including Office updates, you may experience a memory leak, or you may receive an error message for the Svchost process]] KB916089, vervangen door 927891. \\
[[http://support.microsoft.com/kb/927891/en-us|Microsoft Support - You receive an access violation error and the system may appear to become unresponsive when you try to install an update from Windows Update or from Microsoft Update]] KB927891 \\
[[http://blogs.technet.com/wsus/archive/2007/04/28/update-on.aspx|WSUS Product Team Blog - Update on svchost/msi performance issue and 3.0 Client distribution plan]] \\
[[http://blogs.technet.com/wsus/archive/2007/05/15/srvhost-msi-issue-follow-up.aspx|WSUS Product Team Blog - Svchost /MSI issue follow up]] \\
====Articles/Blogposts====
[[http://swigartconsulting.blogs.com/tech_blender/2006/07/windows_update_.html|Tech Blender - Windows Update Broke My Machine (svchost.exe -- application error), and How to Fix It]] \\
[[http://www.bleepingcomputer.com/blogs/mowgreen/index.php?showentry=1071|The Clippings of Chairman Mow - The Infamous Svchost Issue]] \\
[[http://www.amset.info/windows/auto-updates.asp|amset.info - Automatic Updates]] troubleshooting. \\
[[http://ask-leo.com/how_do_i_fix_this_high_cpu_usage_svchost_virus_or_whatever_it_is.html|Ask Leo - How do I fix this high CPU usage svchost virus or whatever it is?]] \\
[[http://mygreenpaste.blogspot.com/2007/01/troubleshooting-performance-issues-with.html|My Green Paste, Inc. - Troubleshooting Performance Issues with Automatic Updates]] \\
====Forumdiscussions=====
[[http://forum.sysinternals.com/forum_posts.asp?TID=9326|Windows Sysinternals forum - Help with svchost.exe]] 7 pages long. \\
[[http://www.dslreports.com/forum/r18187465-Why-MU-takes-so-long|DSLreports.com - Why MU takes so long?]] ""svchost.exe -k netsvcs" took around 100%, and particularly the thread: "ntdll.dll!RtlAllocateHeap" was consuming all CPU power."\\
[[http://forums.pcworld.com/message/24931|PCWorld forums - svchost.exe hogging 99% CPU]] \\
[[http://www.dslreports.com/forum/r18401254-XP-Home-Svchostexe-is-running-at-100-cpu-all-the-time|DSLReports.com - [XP Home] Svchost.exe is running at 100% cpu all the time]] \\
[[http://episteme.arstechnica.com/eve/forums/a/tpc/f/12009443/m/786004271831|ars technica openforum - XP Pro and svchost.exe high CPU utilization lately]] \\
[[http://gathering.tweakers.net/forum/list_messages/1157066|Gathering of Tweakers.net - [XP] svchost.exe pakt 100% cpu bij opstarten]] \\
=====Notes=====
====WSUS cleanup====
To make sure that the WSUS cleanup wizard deletes updates for product categories you no longer have selected under "Products and Classifications", you have to decline these updates before cleanup. \\
Source:[[http://msmvps.com/blogs/athif/archive/2005/10/27/Purge-Delete-the-downloaded-patches-on-WSUS-Server.aspx|PatchAholic...The WSUS Blog! - Purge / Delete corrupted or Un-needed patches on WSUS Server]] \\
[[http://wsus.codeplex.com/releases/view/17612|WSUS Cleanup]] This tool can automate the cleanup process within WSUS. \\
====Install WSUS on an RODC====
// Tested on a Windows Server 2012 R2 RODC. //
Installing WSUS on an RODC with the following command:
CD "C:\Program Files\Update Services\Tools"
WsusUtil.exe postinstall CONTENT_DIR=D:\WSUS
Will fail with the message:
Log file is located at C:\Users\\AppData\Local\Temp\tmpF64B.tmp
Post install is starting
Fatal Error: The request is not supported.
This occurs because wsusutil tries to create the following two local security groups, which it can't do on an RODC:
* WSUS Administrators
* WSUS Reporters
The solution is to create both groups in Active Directory as Domain Local Groups and force a replication on/to the RODC.
After this is done the wsusutil postinstall command should now work.
Source:[[http://social.technet.microsoft.com/Forums/windowsserver/en-US/0752819f-8895-40d4-962f-9391b24b305a/wsus-30-sp1-on-rodc?forum=winserverwsus|Microsoft Windows Server Forums - WSUS 3.0 SP1 on RODC]] \\
====Event ID 10012 - The permissions on directory %1 are incorrect.====
Example: "The permissions on directory D:\WSUS are incorrect."
Check that the Users account or at least the NT AUTHORITY\Network Service account has Read permissions on D:\ and D:\WSUS. If not, add these permissions. // This folder read-only is sufficient for permissions for Network Service on D:\. //
Restart the Update Services service and the event id 10012 should not return.
Source: [[https://www.microsoft.com/technet/support/ee/transform.aspx?ProdName=.NET+Framework&ProdVer=2.0.50727&EvtID=10012&EvtSrc=Windows+Server+Update+Services|Source: Windows Server Update Services Event ID: 10012]] \\
See also: [[https://social.technet.microsoft.com/Forums/windowsserver/en-US/5105842e-4f33-48f5-b545-084a1dc67372/event-id-10012-directory-icorrect?forum=winserverwsus|Windows Server Forum - Event ID 10012 Directory Icorrect]] \\
====Block updates====
[[https://support.microsoft.com/en-us/kb/3133990|How to temporarily block the installation of the .NET Framework 4.6.1]] \\
[[https://support.microsoft.com/en-us/kb/2971109|How to temporarily block the installation of the .NET Framework 4.5.2]] \\
[[https://support.microsoft.com/en-us/kb/2721187|How to temporarily block the installation of the .NET Framework 4.5.1 and its corresponding language packs]] \\
[[https://support.microsoft.com/en-us/kb/982320|How to temporarily block the installation of the .NET Framework 4 Client Profile on a computer that is running Windows Vista or Windows 7]] \\
[[https://support.microsoft.com/en-us/kb/949160|How to temporarily block the installation of the .NET Framework 2.0 Service Pack 1]] \\
[[https://support.microsoft.com/en-us/kb/2695147|How to block the automatic upgrade of Internet Explorer 9 or Internet Explorer 8]] \\
====Windows 10 offers Dual Scan====
Scans against WSUS *AND* Windows Update, but downloads the latest Windows updates from Windows Update. \\
This cause the client tot download newer updates for Windows than configured to in your WSUS server.
It is caused by the presence of update deferral settings.
If the output of the following shows IsDefaultAUService true for Windows Update and false for Windows Server Update Services, then that system will apply updates only from Windows Update and not from WSUS:
$ServiceManager = New-Object -ComObject "Microsoft.Update.ServiceManager"
$ServiceManager.Services | Select-Object Name,IsDefaultAUService
To disable Dual Scan: \\
For Windows 10 1607 and higher configure "Do not allow update deferral policies to cause scans against Windows Update" in a GPO if you want to use deferral setings with WSUS. \\
Also make sure DeferUpgrade is set to 0 or removed from HKEY_LOCAL_MACHINE\Software\Microsoft\WindowsUpdate\UX\Settings.
Sources:
- [[https://batchpatch.com/dual-scan-difficulties-with-windows-update-on-windows-10-versions-1607-anniversary-update-and-1703-creators-update|BatchPatch - “Dual Scan” Difficulties with Windows Update on Windows 10 versions 1607 ‘Anniversary update’ and 1703 ‘Creators update’]]
- [[https://batchpatch.com/deciphering-dual-scan-behavior-in-windows-10|BatchPatch -
Deciphering “Dual Scan” Behavior in Windows 10]]
- [[https://serverfault.com/questions/891295/windows-10-circumvents-wsus|Server Fault - Windows 10 circumvents WSUS]]
- [[https://docs.microsoft.com/en-us/archive/blogs/wsus/demystifying-dual-scan|Blog Archive - WSUS Team Blog - Demystifying "Dual Scan"]]
- [[https://docs.microsoft.com/en-us/archive/blogs/wsus/improving-dual-scan-on-1607|Blog Archive - WSUS Team Blog - Improving Dual Scan on 1607]]
- [[https://docs.microsoft.com/en-us/archive/blogs/swisspfe/win10-updates-store-gpos-dualscandisabled-sup-wsus|Blog Archive - All about SCCM, Windows 10 and Modern Management - Windows 10 Updates and Store GPO behavior with DualScan disabled and SCCM SUP/WSUS managed]]