Today, as part of Update Tuesday, we released eight security updates – one rated Critical and seven rated Important in severity, to address eight unique Common Vulnerabilities and Exposures (CVEs) in Microsoft Windows.
We encourage you to apply...(read more)![]()
↧
January 2015 Updates
↧
Support Tip: Clients are unable to download 3rd party updates when the WSUS content is on a DFS share
~ Subbulakshmi Kumar | Support Engineer
I was recently working with a customer who found that he was unable to download third party updates from System Center 2012 Configuration Manager (ConfigMgr 2012) when the WSUS content was on a DFS share. The 3rd party updates could be successfully published to it via System Center Update Publisher (SCUP) but when he tried to download them it would fail.
He also found the following errors in patchdownloader.log:
HttpSendRequest failed HTTP_STATUS_NOT_FOUND Software Updates Patch Downloader
ERROR: DownloadContentFiles() failed with hr=0x80070194 Software Updates Patch Downloader
The reason this was happening was because the download was using the Network Service account for authentication, and the Network Service account does not have permissions to the DFS share (which is by design).
If you happen to come across the same problem, to work around this simply change the access authentication to a specific user (or group) on the DFS share in the content virtual directory of the WSUS site in IIS, then give permissions to that user (or group) on the DFS share. This allows the download to complete successfully.
Hope this helps!
Subbulakshmi Kumar | Support Engineer | Microsoft GBS Management and Security Division
Get the latest System Center news onFacebookandTwitter:
System Center All Up: http://blogs.technet.com/b/systemcenter/
Configuration Manager Support Team blog: http://blogs.technet.com/configurationmgr/
Data Protection Manager Team blog: http://blogs.technet.com/dpm/
Orchestrator Support Team blog: http://blogs.technet.com/b/orchestrator/
Operations Manager Team blog: http://blogs.technet.com/momteam/
Service Manager Team blog: http://blogs.technet.com/b/servicemanager
Virtual Machine Manager Team blog: http://blogs.technet.com/scvmm
WSUS Support Team blog: http://blogs.technet.com/sus/
The RMS blog: http://blogs.technet.com/b/rms/
App-V Team blog: http://blogs.technet.com/appv/
MED-V Team blog: http://blogs.technet.com/medv/
Server App-V Team blog: http://blogs.technet.com/b/serverappv
The Surface Team blog: http://blogs.technet.com/b/surface/
The Application Proxy blog: http://blogs.technet.com/b/applicationproxyblog/
The Forefront Endpoint Protection blog : http://blogs.technet.com/b/clientsecurity/
The Forefront Identity Manager blog : http://blogs.msdn.com/b/ms-identity-support/
The Forefront TMG blog: http://blogs.technet.com/b/isablog/
The Forefront UAG blog: http://blogs.technet.com/b/edgeaccessblog/
↧
↧
February 2015 Updates
Today, as part of Update Tuesday, we released nine security bulletins – three rated Critical and six rated Important in severity, to address 56 unique Common Vulnerabilities and Exposures (CVEs) in Microsoft Windows, Microsoft Office, Internet Explorer...(read more)![]()
↧
Security Advisory 3046015 released
Today, we released Security Advisory 3046015 to provide guidance to customers in response to the SSL/TLS issue referred to by researchers as “FREAK” (Factoring attack on RSA-EXPORT Keys).
Our investigation continues and we’ll take...(read more)![]()
↧
March 2015 Updates
Today, as part of Update Tuesday, we released 14 security bulletins to address vulnerabilities in Microsoft Windows, Microsoft Office, Microsoft Exchange, and Internet Explorer.
We encourage customers to apply all of these updates. For more information...(read more)![]()
↧
↧
Support Tip: WSUS sync in ConfigMgr 2012 fails with HTTP 503 errors
~ Eric Ellis | Senior Support Escalation Engineer
Here in product support we’ve seen a recent uptick in issues related to WSUS/ConfigMgr sync problems after the last Patch Tuesday, so I wanted to take a minute to mention the issue here, as well as how you can resolve it in case you happen to see it.
The typical scenario is that a customer is running System Center Configuration Manager 2007 (ConfigMgr 2007) or System Center 2012 Configuration Manager (ConfigMgr 2012 or ConfigMgr 2012 R2) and is unable to synchronize their Software Update Point with their WSUS server. A review of the component status messages for the SMS_WSUS_SYNC_MANAGER component on the primary site server reveals errors related to WSUS synchronization which are similar to the following:
Message ID: 6703
WSUS Synchronization failed.
Message: The request failed with HTTP status 503: Service Unavailable.
Source: Microsoft.UpdateServices.Administration.AdminProxy.CreateUpdateServer.
When you attempt to open Update Services on the WSUS server you receive the following error:
Error: Connection Error
An error occurred trying to connect to the WSUS server. This error can happen for a number of reasons. Please contact your network administrator if the problem persists. Click the Reset Server Node to connect to the server again.
In addition to the above, attempts to access the URL for the WSUS Administration website (i.e., http://CM12CAS:8530) fails with the error:
HTTP Error 503. The service is unavailable
In this situation, the most likely cause is that the WsusPool Application Pool in IIS is in a stopped state, as shown below.
Also, the Private Memory Limit (KB) for the Application Pool is probably set to the default value of 1843200 KB.
If you encounter this problem, increase the Private Memory Limit to 4GB (4000000 KB) and restart the Application Pool. To increase the Private Memory Limit, select the WsusPool Application Pool and click Advanced Settings under Edit Application Pool. Then set the Private Memory Limit to 4GB (4000000 KB).
After the Application Pool has been restarted, monitor the SMS_WSUS_SYNC_MANAGER component status, wcm.log and wsyncmgr.log for failures. Please note that it may be necessary to increase the Private Memory Limit to 8GB (8000000 KB) or higher depending on the environment.
More Information
When encountering this issue, the WCM.log from the primary site server will contain numerous entries similar to the following:
3/17/2015 11:31:31 AM Attempting connection to WSUS server: serverName, port: 8530, useSSL: False
3/17/2015 11:31:31 AM System.Net.WebException: The request failed with HTTP status 503: Service Unavailable.~~ at Microsoft.UpdateServices.Administration.AdminProxy.CreateUpdateServer(Object[] args)~~ at Microsoft.SystemsManagementServer.WSUS.WSUSServer.ConnectToWSUSServer(String ServerName, Boolean UseSSL, Int32 PortNumber)
3/17/2015 11:31:31 AM Remote configuration failed on WSUS Server.
3/17/2015 11:31:31 AM STATMSG: ID=6600 SEV=E LEV=M SOURCE="SMS Server" COMP="SMS_WSUS_CONFIGURATION_MANAGER" SYS=serverName.contoso.com SITE=CAS PID=1884 TID=2920 GMTDATE=Tue Mar 17 16:31:31.602 2015 ISTR0="serverName" ISTR1="" ISTR2="" ISTR3="" ISTR4="" ISTR5="" ISTR6="" ISTR7="" ISTR8="" ISTR9="" NUMATTRS=0
3/17/2015 11:31:31 AM Setting new configuration state to 3 (WSUS_CONFIG_FAILED)
Also, the wsyncmgr.log from the primary site server will contain numerous entries similar to the ones below:
3/17/2015 11:28:41 AM Synchronizing WSUS server serverName
3/17/2015 11:28:41 AM STATMSG: ID=6704 SEV=I LEV=M SOURCE="SMS Server" COMP="SMS_WSUS_SYNC_MANAGER" SYS=CM12TeamCAS.cm12Team.LC SITE=CAS PID=1884 TID=2636 GMTDATE=Tue Mar 17 16:28:41.645 2015 ISTR0="" ISTR1="" ISTR2="" ISTR3="" ISTR4="" ISTR5="" ISTR6="" ISTR7="" ISTR8="" ISTR9="" NUMATTRS=0
3/17/2015 11:28:43 AM Sync failed: The request failed with HTTP status 503: Service Unavailable. Source: Microsoft.UpdateServices.Administration.AdminProxy.CreateUpdateServer
3/17/2015 11:28:43 AM STATMSG: ID=6703 SEV=E LEV=M SOURCE="SMS Server" COMP="SMS_WSUS_SYNC_MANAGER" SYS=serverName SITE=CAS PID=1884 TID=2636 GMTDATE=Tue Mar 17 16:28:43.021 2015 ISTR0="Microsoft.UpdateServices.Administration.AdminProxy.CreateUpdateServer" ISTR1="The request failed with HTTP status 503: Service Unavailable" ISTR2="" ISTR3="" ISTR4="" ISTR5="" ISTR6="" ISTR7="" ISTR8="" ISTR9="" NUMATTRS=0
3/17/2015 11:28:43 AM Sync failed. Will retry in 60 minutes
Eric Ellis | Senior Support Escalation Engineer | Microsoft GBS Management and Security Division
Get the latest System Center news onFacebookandTwitter:
System Center All Up: http://blogs.technet.com/b/systemcenter/
Configuration Manager Support Team blog: http://blogs.technet.com/configurationmgr/
Data Protection Manager Team blog: http://blogs.technet.com/dpm/
Orchestrator Support Team blog: http://blogs.technet.com/b/orchestrator/
Operations Manager Team blog: http://blogs.technet.com/momteam/
Service Manager Team blog: http://blogs.technet.com/b/servicemanager
Virtual Machine Manager Team blog: http://blogs.technet.com/scvmm
WSUS Support Team blog: http://blogs.technet.com/sus/
The RMS blog: http://blogs.technet.com/b/rms/
App-V Team blog: http://blogs.technet.com/appv/
MED-V Team blog: http://blogs.technet.com/medv/
Server App-V Team blog: http://blogs.technet.com/b/serverappv
The Surface Team blog: http://blogs.technet.com/b/surface/
The Application Proxy blog: http://blogs.technet.com/b/applicationproxyblog/
The Forefront Endpoint Protection blog : http://blogs.technet.com/b/clientsecurity/
The Forefront Identity Manager blog : http://blogs.msdn.com/b/ms-identity-support/
The Forefront TMG blog: http://blogs.technet.com/b/isablog/
The Forefront UAG blog: http://blogs.technet.com/b/edgeaccessblog/
↧
Support Tip: High CPU utilization on Domain Controllers due to WSUS App Pool issue
~ Dennis Donahoe| Senior Support Escalation Engineer
Last week we mentioned an issue we’ve seen here in product support where System Center Configuration Manager 2007 (ConfigMgr 2007) or System Center 2012 Configuration Manager (ConfigMgr 2012 or ConfigMgr 2012 R2) is unable to synchronize the Software Update Point with the WSUS server. The details of that issue can be found here but I wanted to also mention another symptom you may see that is caused by the same problem.
If you’re experiencing the problem mentioned in our last post, you may find that the LSASS.exe process is taking up a lot of CPU cycles on the Domain Controller. You may also notice that users are experiencing a logon delay of up to 10 minutes.
If you see these symptoms, check and see if you’re also experiencing the symptoms described in the following post:
ConfigMgr 2012 Support Tip: WSUS sync fails with HTTP 503 errors
If so, the resolution for all of these symptoms is the same: Increase the Private Memory Limit of the WsusPool Application Pool in IIS and then restart the Application Pool. After the Application Pool has been restarted, monitor the SMS_WSUS_SYNC_MANAGER component status, wcm.log and wsyncmgr.log for failures. Note that it may be necessary to increase the Private Memory Limit to 8GB (8000000 KB) or higher depending on the environment.
Dennis Donahoe| Senior Support Escalation Engineer | Microsoft GBS Management and Security Division
Get the latest System Center news onFacebookandTwitter:
System Center All Up: http://blogs.technet.com/b/systemcenter/
Configuration Manager Support Team blog: http://blogs.technet.com/configurationmgr/
Data Protection Manager Team blog: http://blogs.technet.com/dpm/
Orchestrator Support Team blog: http://blogs.technet.com/b/orchestrator/
Operations Manager Team blog: http://blogs.technet.com/momteam/
Service Manager Team blog: http://blogs.technet.com/b/servicemanager
Virtual Machine Manager Team blog: http://blogs.technet.com/scvmm
WSUS Support Team blog: http://blogs.technet.com/sus/
The RMS blog: http://blogs.technet.com/b/rms/
App-V Team blog: http://blogs.technet.com/appv/
MED-V Team blog: http://blogs.technet.com/medv/
Server App-V Team blog: http://blogs.technet.com/b/serverappv
The Surface Team blog: http://blogs.technet.com/b/surface/
The Application Proxy blog: http://blogs.technet.com/b/applicationproxyblog/
The Forefront Endpoint Protection blog : http://blogs.technet.com/b/clientsecurity/
The Forefront Identity Manager blog : http://blogs.msdn.com/b/ms-identity-support/
The Forefront TMG blog: http://blogs.technet.com/b/isablog/
The Forefront UAG blog: http://blogs.technet.com/b/edgeaccessblog/
↧
April 2015 Updates
Today, as part of Update Tuesday, we released 11 security bulletins .
We encourage customers to apply all of these updates. For more information about this month’s security updates, including the detailed view of the Exploitability Index (XI...(read more)![]()
↧
Microsoft Bounty Programs Expansion – Azure and Project Spartan
I am excited to announce significant expansions to the Microsoft Bounty Programs . We are evolving the 'Online Services Bug Bounty, launching a new bounty for Project Spartan, and updating the Mitigation Bypass Bounty.
This continued evolution...(read more)![]()
↧
↧
May 2015 Updates
Today, as part of Update Tuesday, we released 13 security bulletins .
We encourage customers to apply all of these updates. For more information about this month’s security updates, including a detailed view of the Exploitability Index (XI),...(read more)![]()
↧
Why Microsoft Security Bulletins MS15-049 and MS15-051 are listed as MS15-044 in Configuration Manager and WSUS
~ Meghan Stewart | Support Escalation Engineer
If you’ve reviewed the Security Bulletin Summary for May 2015, you may have noticed that some security bulletins appear to be missing from your WSUS or Configuration Manager console. If you open the Microsoft Update Catalog and put in all of the KB numbers that were published under those three bulletins, you will notice that they are all listed with MSRC Number MS15-044.
Example 1
3045171 is listed under both MS15-051 and MS15-044 but when you look the it in the Update Catalog you can see it was published under MS15-044.
Below is what you would see in your Configuration Manager console. WSUS would look similar as long as you added the MSRC Number column.
Example 2
3056819 is listed both under MS15-044 and MS15-049 but comes in as MS15-044, not MS15-049.
Why the overlap
There is a reason for this overlap. Basically, the fix was consolidated, and if you read the FAQ about the updates on each of the bulletins themselves you’ll see that they do state this:
https://technet.microsoft.com/library/security/MS15-044
Why some updates are also denoted in other bulletins released in May
Several of the update files listed in this bulletin are also denoted in other bulletins being released in May due to an overlap in the affected software. Although the different bulletins address separate security vulnerabilities, the security updates have been consolidated where possible and appropriate, hence the occurrence of some identical update files being present in multiple bulletins.
Note that identical update files shipping with multiple bulletins do not need to be installed more than once.
This update FAQ is also listed on https://technet.microsoft.com/library/security/MS15-051 and a similar one is noted in the FAQ here: https://technet.microsoft.com/en-us/library/security/ms15-049
The bottom line
So what’s the bottom line for all this? Deploy all of MS15-044 to be compliant for MS15-049 & MS15-051.
Meghan Stewart | Support Escalation Engineer | Microsoft GBS Management and Security Division
Get the latest System Center news on FacebookandTwitter:
Main System Center blog: http://blogs.technet.com/b/systemcenter/
Configuration Manager Support Team blog: http://blogs.technet.com/configurationmgr/
Data Protection Manager Team blog: http://blogs.technet.com/dpm/
Orchestrator Team blog: http://blogs.technet.com/b/orchestrator/
Operations Manager Team blog: http://blogs.technet.com/momteam/
Service Manager Team blog: http://blogs.technet.com/b/servicemanager
Virtual Machine Manager Team blog: http://blogs.technet.com/scvmm
Microsoft Intune: http://blogs.technet.com/b/microsoftintune/
WSUS Support Team blog: http://blogs.technet.com/sus/
RMS blog: http://blogs.technet.com/b/rms/
App-V Team blog: http://blogs.technet.com/appv/
MED-V Team blog: http://blogs.technet.com/medv/
Server App-V Team blog: http://blogs.technet.com/b/serverappv
Forefront Endpoint Protection blog: http://blogs.technet.com/b/clientsecurity/
Forefront Identity Manager blog: http://blogs.msdn.com/b/ms-identity-support/
Forefront TMG blog: http://blogs.technet.com/b/isablog/
Forefront UAG blog: http://blogs.technet.com/b/edgeaccessblog/
Application Proxy blog: http://blogs.technet.com/b/applicationproxyblog/
The Surface Team blog: http://blogs.technet.com/b/surface/
System Center 2012 Configuration Manager System Center 2012 R2 Configuration Manager ConfigMgr 2012 R2
↧
New Windows Update Client for Microsoft Windows 7 Available
There is a new update to the Windows Update Client available that includes the following fixes:
- This update addresses an issue in which the Windows Update Client displays an out-of-memory error during the scan operation (0x8007000E) on systems that have small amounts of physical RAM.
- General improvements are made to support upgrades to a later version of Windows.
For complete details as well as information on how to obtain and install the update, please see the following:
3050265 - Windows Update Client for Windows 7: June 2015 (https://support.microsoft.com/en-us/kb/3050265)
J.C. Hornbeck| Solution Asset PM | Microsoft GBS Management and Security Division
Get the latest System Center news onFacebookandTwitter:
System Center All Up: http://blogs.technet.com/b/systemcenter/
Configuration Manager Support Team blog: http://blogs.technet.com/configurationmgr/
Data Protection Manager Team blog: http://blogs.technet.com/dpm/
Orchestrator Support Team blog: http://blogs.technet.com/b/orchestrator/
Operations Manager Team blog: http://blogs.technet.com/momteam/
Service Manager Team blog: http://blogs.technet.com/b/servicemanager
Virtual Machine Manager Team blog: http://blogs.technet.com/scvmm
WSUS Support Team blog: http://blogs.technet.com/sus/
The RMS blog: http://blogs.technet.com/b/rms/
App-V Team blog: http://blogs.technet.com/appv/
MED-V Team blog: http://blogs.technet.com/medv/
Server App-V Team blog: http://blogs.technet.com/b/serverappv
The Surface Team blog: http://blogs.technet.com/b/surface/
The Application Proxy blog: http://blogs.technet.com/b/applicationproxyblog/
The Forefront Endpoint Protection blog : http://blogs.technet.com/b/clientsecurity/
The Forefront Identity Manager blog : http://blogs.msdn.com/b/ms-identity-support/
The Forefront TMG blog: http://blogs.technet.com/b/isablog/
The Forefront UAG blog: http://blogs.technet.com/b/edgeaccessblog/
↧
A few notes on the fix for the recent update scan failure issue
~ Larry Mosley | Senior Escalation Engineer
Hi everyone, in case you weren’t already aware, a fix has been released to address the issue with update scan failures causing incorrect compliance status.
The hotfix for this issue has been released under KB 3050265 (https://support.microsoft.com/en-us/kb/3050265) but there is some additional information I would like to address.
First, read the KB carefully! There is a lot in it, and here are some important points.
1. Windows Server Update Services (WSUS) servers servicing these clients must have the hardening patch installed (KB 2938066)
2. If you are using Configuration Manager to manage updates, ConfigMgr disables automatic updates of the Windows Update agent, so the Windows Agent hotfix in 3050265 will have to be deployed as a package, application, or as a software update from ConfigMgr. Thanks to Mike Johnson for the details below:
a) Deploy via Software Update Management: The update is published into the Microsoft Update Catalog under the “Updates” classification and will synchronize into your Configuration Manager’s top-level Software Update Point’s WSUS server that connects to Microsoft Update and can be deployed to your client machines via a software update assignment. However, if the client is in-state and getting the documented scan failure, the client will not be able to receive the deployment so you would need to use option B or C below.
b) Deploy via Software Distribution: You can download the standalone installers from the Microsoft Download Center links noted in the article and target affected client machines with an advertisement. We have the following document for previous Windows Update Agent releases here:
c) Deploy via Application Deployment: You would need to create deployment types to check for each version of Wuaueng.dll among affected clients (x86, x64, or IA-64) as a detection method to determine installation. For instance, for the x86 version of Wuaeng.dll, you would check if the file version is less than 7.6.7601.18847 as the noted version in the 3050265 article.
Finally, if you separated Windows Update Agent into it’s own svchost instance by following item 1 in the Workarounds section of my original post, you should configure Windows Update Agent to reside in a shared instance again using the following steps:
1.On the client, open an elevated Command Prompt and run sc config wuauserv type= share
2. Stop and then start wuauserv.
Larry Mosley | Senior Escalation Engineer | Microsoft GBS Management and Security Division
Get the latest System Center news onFacebookandTwitter:
System Center All Up: http://blogs.technet.com/b/systemcenter/
Configuration Manager Support Team blog: http://blogs.technet.com/configurationmgr/
Data Protection Manager Team blog: http://blogs.technet.com/dpm/
Orchestrator Support Team blog: http://blogs.technet.com/b/orchestrator/
Operations Manager Team blog: http://blogs.technet.com/momteam/
Service Manager Team blog: http://blogs.technet.com/b/servicemanager
Virtual Machine Manager Team blog: http://blogs.technet.com/scvmm
WSUS Support Team blog: http://blogs.technet.com/sus/
The RMS blog: http://blogs.technet.com/b/rms/
App-V Team blog: http://blogs.technet.com/appv/
MED-V Team blog: http://blogs.technet.com/medv/
Server App-V Team blog: http://blogs.technet.com/b/serverappv
The Surface Team blog: http://blogs.technet.com/b/surface/
The Application Proxy blog: http://blogs.technet.com/b/applicationproxyblog/
The Forefront Endpoint Protection blog : http://blogs.technet.com/b/clientsecurity/
The Forefront Identity Manager blog : http://blogs.msdn.com/b/ms-identity-support/
The Forefront TMG blog: http://blogs.technet.com/b/isablog/
The Forefront UAG blog: http://blogs.technet.com/b/edgeaccessblog/
System Center 2012 Configuration Manager System Center 2012 R2 Configuration Manager ConfigMgr 2012 R2
↧
↧
June 2015 Updates
Today, as part of Update Tuesday, we released 8 security bulletins .
We encourage customers to apply all of these updates. For more information about this month’s security updates, including the detailed view of the Exploitability Index (XI)...(read more)![]()
↧
July 2015 Security Updates
Today we released security updates for Microsoft Windows, Microsoft Office, Microsoft SQL Server, and Internet Explorer.
As a best practice, we encourage customers to apply security updates as soon as they are released. For more information about this...(read more)![]()
↧
Out-of-band release for Security Bulletin MS15-078
Today, we released a security bulletin to provide an update for Microsoft Windows. Customers who have automatic updates enabled or apply the update, will be protected.
We recommend customers apply the update as soon as possible, following the directions...(read more)![]()
↧
Microsoft Bounty Programs Expansion - Bounty for Defense, Authentication Bonus, and RemoteApp
I am very pleased to be releasing additional expansions of the Microsoft Bounty Programs . Please stop by the Microsoft Networking Lounge at Black Hat, August 5-6, to learn more about these programs; or, visit https://aka.ms/BugBounty . We are raising...(read more)![]()
↧
↧
August 2015 Security Update Release Summary
Today we released security updates to provide protections against malicious attackers. As a best practice, we encourage customers to apply security updates as soon as they are released.
More information about this month’s security updates and...(read more)![]()
↧
Security Update Solution Further Protects Customer Devices
On Tuesday, August 18, 2015, Microsoft released a security update solution to address a vulnerability . The update is for all supported versions of Internet Explorer.
We recommend customers to apply this update as soon as possible by following the...(read more)![]()
↧
September 2015 Security Update Release Summary
Today we released security updates to provide protections against malicious attackers. As a best practice, we encourage customers to apply security updates as soon as they are released.
More information about this month’s security updates and...(read more)![]()
↧