Category Archives: Deployment

WSUS – Not half bad

Client Machines

Implementing WSUS lately. Took some time but most of it was “one of those things”. After making the appropriate GP changes I couldn’t get the clients to register in the console. Eventually I found a script called “WUAUFix.cmd” that modified the ACLs on the WUService. Installed in the STARTUP script (users are not local administrators) it worked perfectly. I’m not real sure but I think the permissions are stuffed up during GHOST imaging – we have just deployed a new desktop. Once this script ran then “bingo” – reporting now functional.

 <—- Begin Script  WUAUFix.cmd ———>

%Windir%\system32\net.exe stop bits
%Windir%\system32\net.exe stop wuauserv
 
reg delete HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate /v AccountDomainSid /f
reg delete HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate /v PingID /f
reg delete HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate /v SusClientId /f
reg delete HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate /v SusClientValidation /f
reg delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update" /v LastWaitTimeout /f
reg delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update" /v DetectionStartTime /f
reg delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update" /v NextDetectionTime /f
 
if exist %Windir%\system32\atl.dll %Windir%\system32\regsvr32.exe /s %Windir%\system32\atl.dll 
if exist %Windir%\system32\jscript.dll %Windir%\system32\regsvr32.exe /s %Windir%\system32\jscript.dll
if exist %Windir%\system32\softpub.dll  %Windir%\system32\regsvr32.exe /s %Windir%\system32\softpub.dll 
if exist %Windir%\system32\wuapi.dll %Windir%\system32\regsvr32.exe /s %Windir%\system32\wuapi.dll
if exist %Windir%\system32\wuaueng.dll  %Windir%\system32\regsvr32.exe /s %Windir%\system32\wuaueng.dll 
if exist %Windir%\system32\wuaueng1.dll  %Windir%\system32\regsvr32.exe /s %Windir%\system32\wuaueng1.dll 
if exist %Windir%\system32\wucltui.dll  %Windir%\system32\regsvr32.exe /s %Windir%\system32\wucltui.dll 
if exist %Windir%\system32\wups.dll  %Windir%\system32\regsvr32.exe /s %Windir%\system32\wups.dll 
if exist %Windir%\system32\wups2.dll  %Windir%\system32\regsvr32.exe /s %Windir%\system32\wups2.dll 
if exist %Windir%\system32\wuweb.dll  %Windir%\system32\regsvr32.exe /s %Windir%\system32\wuweb.dll 
if exist %windir%\system32\iuengine.dll %windir%\system32\regsvr32.exe /s iuengine.dll
if exist %windir%\system32\wuauserv.dll %windir%\system32\regsvr32.exe /s wuauserv.dll
if exist %windir%\system32\cdm.dll %windir%\system32\regsvr32.exe /s cdm.dll
if exist %windir%\system32\msxml2r.dll %windir%\system32\regsvr32.exe /s msxml2r.dll
if exist %windir%\system32\msxml3r.dll %windir%\system32\regsvr32.exe /s msxml3r.dll
if exist %windir%\system32\msxml.dll  %windir%\system32\regsvr32.exe /s msxml.dll
if exist %windir%\system32\msxml3.dll %windir%\system32\regsvr32.exe /s msxml3.dll
if exist %windir%\system32\msxmlr.dll %windir%\system32\regsvr32.exe /s msxmlr.dll
if exist %windir%\system32\msxml2.dll %windir%\system32\regsvr32.exe /s msxml2.dll
if exist %windir%\system32\qmgr.dll %windir%\system32\regsvr32.exe /s qmgr.dll
if exist %windir%\system32\qmgrprxy.dll %windir%\system32\regsvr32.exe /s qmgrprxy.dll
if exist %windir%\system32\iuctl.dll %windir%\system32\regsvr32.exe /s iuctl.dll
 
del C:\Windows\WindowsUpdate.log /S /Q
rd /s /q %windir%\softwareDistribution
ping 127.0.0.1 -n 2 -w 1000 > nul
ping 127.0.0.1 -n %1% -w 1000> nul
 
%Windir%\system32\net.exe start bits
%Windir%\system32\net.exe start wuauserv 
  
sc sdset wuauserv D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCLCSWLOCRRC;;;AU)(A;;CCLCSWRPWPDTLOCRRC;;;PU)
 
sc sdset bits D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCLCSWLOCRRC;;;AU)(A;;CCLCSWRPWPDTLOCRRC;;;PU)
 
wuauclt.exe /resetauthorization
wuauclt.exe /detectnow
wuauclt.exe /reportnow
 
exit /B 0

<———- End Script

Not sure if all this script is required but “hey” who cares – it works well.
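
The two “sc sdset” lines in the script overwrite the access control list on the wuauserv and bits services, so it is worth knowing exactly what they grant before pushing the script to every desktop. The following is an added example, not part of WUAUFix.cmd or the original post: a small Python decoder for that SDDL string, where the function names and the set of rights treated as risky are assumptions made for illustration.

```python
import re

# Added example: SDDL right codes as interpreted for a Windows service object.
SERVICE_RIGHTS = {
    "CC": "QUERY_CONFIG", "DC": "CHANGE_CONFIG", "LC": "QUERY_STATUS",
    "SW": "ENUMERATE_DEPENDENTS", "RP": "START", "WP": "STOP",
    "DT": "PAUSE_CONTINUE", "LO": "INTERROGATE", "CR": "USER_DEFINED_CONTROL",
    "SD": "DELETE", "RC": "READ_CONTROL", "WD": "WRITE_DAC", "WO": "WRITE_OWNER",
}
TRUSTEES = {"SY": "Local System", "BA": "Administrators",
            "AU": "Authenticated Users", "PU": "Power Users"}
# Assumption: rights that let the holder reconfigure the service or rewrite its ACL.
ESCALATION_RIGHTS = {"DC", "WD", "WO"}
PRIVILEGED = {"SY", "BA"}

# The descriptor the script applies to both wuauserv and bits.
SCRIPT_SDDL = ("D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)"
               "(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)"
               "(A;;CCLCSWLOCRRC;;;AU)(A;;CCLCSWRPWPDTLOCRRC;;;PU)")

def parse_dacl(sddl):
    """Return [(ace_type, trustee, [right codes])] for the DACL in sddl."""
    m = re.search(r"D:[A-Z]*((?:\([^)]*\))+)", sddl)
    if not m:
        raise ValueError("no DACL found")
    aces = []
    for body in re.findall(r"\(([^)]*)\)", m.group(1)):
        fields = body.split(";")
        if len(fields) != 6:
            raise ValueError(f"malformed ACE: {body}")
        ace_type, rights, trustee = fields[0], fields[2], fields[5]
        codes = [rights[i:i + 2] for i in range(0, len(rights), 2)]
        if any(c not in SERVICE_RIGHTS for c in codes):
            raise ValueError(f"unsupported rights string: {rights}")
        aces.append((ace_type, trustee, codes))
    return aces

def holders(sddl, wanted):
    """Trustees with an allow ACE containing every right code in wanted."""
    return [t for typ, t, codes in parse_dacl(sddl)
            if typ == "A" and set(wanted) <= set(codes)]

def escalation_findings(sddl):
    """(trustee, code) pairs where a non-admin trustee holds a risky right."""
    return [(t, c) for typ, t, codes in parse_dacl(sddl) if typ == "A"
            and t not in PRIVILEGED for c in codes if c in ESCALATION_RIGHTS]

if __name__ == "__main__":
    for typ, t, codes in parse_dacl(SCRIPT_SDDL):
        print(TRUSTEES.get(t, t), [SERVICE_RIGHTS[c] for c in codes])
    print("start+stop:", holders(SCRIPT_SDDL, ["RP", "WP"]))
    print("findings:", escalation_findings(SCRIPT_SDDL))
```

For the descriptor in the script, start and stop rights go to Local System, Administrators and Power Users, Authenticated Users get query-level rights only, and no non-admin trustee receives CHANGE_CONFIG, WRITE_DAC or WRITE_OWNER.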

Group Policy

On the subject of GP and WSUS – make sure you have the latest ADM files. There are a couple of WSUS related items that have been added – especially if you want to suppress the “reboot now” prompts after installing updates.

Disconnected Networks

Couple of tips about “disconnected WSUS Networks” aka your test and development net.

– There is no concept of “synchronisation” with a disconnected net. Don’t bother about fiddling with the sync settings – leave it on Manual and don’t goof around with them
– WSUS is a bit like MS Exchange. Things take time to update. Change your settings and then go away and let it do its work.
– If the administrator of the connected net has not approved a patch and they have set “do not download unless approved” then nothing you can do will make the patch appear on the disconnected net. You are at the mercy of the external admin. This also explains the “updates waiting for files” entry in the server status page. You have approved an update the external admin has not. The files will never arrive!

I have found ROBOCOPY to be the best at syncing the disconnected to the connected. The /MIR option is perfect.

Finally Lawrence Garvin on the MS WSUS forum is a GURU at this. He knows this product.

Now I’m ready to push the button and start updating all the client computers at work…. Spooky

Altiris Error 1326

One of those beautifully informative error codes. I must be getting slow, this one took an hour to figure out….

I have changed all the jobs on a customer’s site to use a UNC for the software source. The customer has a disaster recovery site with full functionality so it was logical to replicate all the software source there (and keep it in sync with DFS-R). This source is also a share on the Altiris DS deployment share.

Right – time to create a new package. I’m probably a bit old fashioned but I copy the source files from the share to the target and then execute an install. Like most admins, my workstation is the usual “guinea pig” for most jobs but I kept getting “Error 1326”. About an hour later, after trawling the net – here was the answer.

I use a special account to execute the install job but I already had a connection to the deployment server. Once the job began, the special account tried to connect and failed, with Error 1326. You can’t have 2 different accounts connecting to the same target from the one workstation. Basic you say… basic enough to get me!

As soon as I took the blinkers off and executed somewhere else then BINGO! job executes.

Altiris – DOS client won’t connect

Hmm… One of those days. Trying to boot a DOS client from an Altiris PXE server (DS 5.9). Everything is OK but client keeps returning error 53 “network name not found”. Ran through the Client Builder about 10 times wondering why

“net use i: \\server\share”

no longer works.

After about an hour’s goofing around I found the solution. On the DS server, someone had clicked the “Disable NetBIOS over TCP/IP” checkbox on the WINS tab in the network properties.

Problem solved – DOS doesn’t understand CIFS/SMB over 445. It’s NetBIOS or nothing.

Hope this helps someone