Policy WSUS: “Automatically download updates and install them on the schedule specified below” don’t work…!!!?!

So I configure a “configure automatic updates” policy for testing purposes but the auto update and install won’t work. The main cause….? Lack of patience 😉

How this Policy works (source):

The Windows Update Agent periodically checks the WSUS server for updates. Updates it finds, it reports state for: Installed, Not Installed, Not Applicable. If a “Not Installed” update is approved and available, the WUA queues the installation files for download if the Configure Automatic Updates policy is set to AUOption ‘3’ or ‘4’.

The download occurs via Background Intelligent Transfer Service (BITS) subsequent to the WUA finding the update as available for download.

When the download of the update is completed, the WUA does one of two things:

  • If the Configure Automatic Updates policy is set to AUOption ‘4’, then the WUA will schedule the update for installation at the scheduled time. This scheduled installation does NOT require access to the WSUS server to be conducted.
  • If the Configure Automatic Updates policy is not set to AUOption ‘4’, then the update will be retained on the client computer until a user launches the Windows Update applet from Control Panel and initiates the installation.

So bottom line; the updates must first be downloaded on the client and ONLY then will Windows apply the “Automatically download updates and install them on the schedule specified” action

To force a client (source):

$updateSession = new-object -com "Microsoft.Update.Session"; $updates=$updateSession.CreateupdateSearcher().Search($criteria).Updates
Start-sleep -seconds 10
wuauclt /detectnow
wuauclt /reportnow
c:\windows\system32\UsoClient.exe startscan

After this commands BITS will download the updates and prepare the installation. When you start Windows update you can see the available update

The default of the WSUS communication check-in (report and detect) is 22 hours. If you don’t want to wait so long you can change the “automatic updates detection frequency” to every hour (do not to this every hour on production policies!)

And now wait till the magic happens 🙂

Last but now least. When you change setting in the “configure automatic updates” policy you can trigger the client with powershell so you don’t have to reboot the client

gpupdate /force
net stop wuauserv
net start wuauserv
(new-object -Comobject Microsoft.Update.AutoUpdate).Detectnow()

You get get more information about Windows update log with the command.

Get-WindowsUpdateLog

Happy updating!

Move a window when you don’t have any focus

Method #1
Won’t work with a maximized Window.

  • Alt-Tab or Click On the Window
  • Press “Alt & Space”
  • Press “M”
  • Use your arrow keys to move the Window
  • Press Enter to exit

Method #2
Will move your Window to the right or left half of the screen in the same manner as dragging a window to the right or left of the screen will.

  • Press the Windows Key & Right Arrow or Left Arrow
  • Move a Window with the Keyboard-right

Method #3
will move your Window one display to the right or left.

  • Press the Windows Key & Shift & Right Arrow or Left Arrow

This is an copy paste from a website. All credits to: http://www.sevenforums.com/tutorials/77361-move-window-keyboard.html

Create a strong self-signed certificate for multiple years

If you follow these steps you can create a self signed certificate with the following specifications:

  • Wildcard certificate
  • SHA256 hash
  • 10 years
  • 2048 bits public key
  • Client and server verification
  • Sha1 fingerprint

Be aware that self-signed certificates can manipulate by a man-in-the-middle. You should not use this in critical production environments.

Please use windows 10 powershell in admin mode. Otherwise you will get errors

New-SelfSignedCertificate -certstorelocation cert:\localmachine\my -dnsname *.domain.local -NotBefore $([datetime]::now.AddDays(-15)) -NotAfter $([datetime]::now.AddDays(3560))

Now export the certificates. Before you copy/paste change the thumbprint with the thumbprint you get from the above command.

$CertPassword = ConvertTo-SecureString -String "YourPassword" -Force –AsPlainText
Export-PfxCertificate -Cert cert:\LocalMachine\My\C6B46CEB7D3A40DB08E78B19FEDD3A24EA7A7919  -FilePath C:\test.pfx -Password $CertPassword
Export-Certificate -Cert Cert:\LocalMachine\My\C6B46CEB7D3A40DB08E78B19FEDD3A24EA7A7919 -FilePath C:\tstcert.cer

Now you can import the PFX with IIS and bind the certificate in IIS.
And import the *.CER in your MMC > Certificates > Computer account > trusted root Certification authority > Certificates

Have fun with your certificate the next 10 years 😀

command-prompt-powershell

Inspiration

BSOD Domain Controller STOP: c00002e2 Directory Services could not start

Today our domain controller had a very bad day and had a bootloop after a reboot. I used recording software to capture the blue screen error: STOP: c00002e2 Directory Services could not start

Then we found a nice article to fix this issue. We had a second working domain controller so if you have the same setup you can use this how to, to fix this problem also. All the credits go to dbutch1976

  1. Restart the server and press F8 key, select Directory Services restore mode.
  2. Log in with the local administrator username and password (hope you remember what you set it to!).
  3. Type cd \windows\system32
  4. type NTDSUTIL
  5. type activate instance NTDS
  6. type files
  7. If you encounter an error stating that the Jet engine could not be initialized exit out of ntdsutil.
  8. type cd\
  9. type md backupad
  10. type cd \windows\ntds
  11. type copy ntds.dit c:\backupad
  12. type cd \windows\system32
  13. type esentutl /g c:\windows\ntds\ntds.dit
  14. This will perform an integrity check, (the results indicate that the jet database is corrupt)
  15. Type esentutl /p   c:\windows\ntds\ntds.dit
  16. Agree with the prompt
  17. type cd \windows\ntds
  18. type move *.log c:\backupad   (or just delete the log files)

This should complete the repair.  To verify that the repair has worked successfully:

  1. type cd \windows\system32
  2. type ntdsutil
  3. type activate instance ntds
  4. type files        (you should no longer get an error when you do this)
  5. type info       (file info should now appear correctly)

Source: https://social.technet.microsoft.com/Forums/windowsserver/en-US/771b97ad-4e1c-4e7c-8617-91601224dd7f/server-core-2008-r2-blue-screen?forum=winserverManagement

Windows IOPS and MB/s benchmarking

You have bought een new system and the first thing what you want to do is check the disk performance (ehhh that’s always the first thing I want to know 😛 )

There  is one tool I always use: ATTO Disk Benchmark

disk-benchmark

This is a very nice tool to quickly see how fast your troughput is of your new system.

But sometimes you want to check your IOPS. Then you can use another nice microsoft commandline benchmark tool DiskSpd

You can use this parameter to benchmark:

diskspd -b8K -d30 -o4 -t8 -h -r -w25 -L -Z1G -c20G testfile.dat

This example command line will run a 30 second random I/O test using a 20GB test file located on the T: drive, with a 25% write and 75% read ratio, with an 8K block size. It will use eight worker threads, each with four outstanding I/Os and a write entropy value seed of 1GB. It will save the results of the test to a text file called DiskSpeedResults.txt. This is a pretty good set of parameters for a SQL Server OLTP workload.

Example:

diskspd
Orginal article

If you get errors like:

Results for timespan 1:
*******************************************************************************
The test was interrupted before the measurements began. No results are displayed.
Error generating I/O requests

Or file creation errors like “Error opening file: testfile.dat” please try to replace the minus “-” characters with your keyboard. Sometimes your browser copy the wrong character.

Happy benchmarking 😀

Remove Windows 2008 r2 WinSXS “Windows Update” files

copy C:\Windows\winsxs\amd64_microsoft-windows-cleanmgr_31bf3856ad364e35_6.1.7600.16385_none_c9392808773cd7da\cleanmgr.exe to %systemroot%\System32

copy C:\Windows\winsxs\amd64_microsoft-windows-cleanmgr.resources_31bf3856ad364e35_6.1.7600.16385_en-us_b9cb6194b257cc63\cleanmgr.exe.mui to %systemroot%\System32\en-Us

Run cmd > cleanmgr and remove all the nasty update files!

After I cleaned up the server I had to stop the windows installer service (trustedinstaller.exe) to remove the c:\windows\logs\cbs\CBS.log (6GB file) manually. Maybe a restart of the server do the same but I cannot test it on a production environment.

Have fun!

Source: https://support.appliedi.net/kb/a110/how-to-enable-the-disk-cleanup-tool-on-windows-server-2008-r2.aspx

Windows update is looping forever

On my windows 2008 r2 server, Windows update was running forever 🙁

Windows update - Fix - 2

I tried a lot of things but fixing the problem was really simple:

  1. Go to https://support.microsoft.com/en-us/kb/971058
  2. Download the fixit
  3. Run the fixit and follow the wizard

Then your problem will be fixed automatically 🙂

Still problems? Try this post: http://superuser.com/questions/951960/windows-7-sp1-windows-update-stuck-checking-for-updates

Note: If you have a WSUS server and you still have problems to find windows updates you can try to temporary disable the WSUS client to change the registry key UseWUServer to dword:00000000

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU]
"UseWUServer"=dword:00000000

Windows update - Fix