I was trying to setup New Configuration Manager 2012 SP1 build on Windows server 2012 with SQL Server 2012 SP1 installed .Everything went fine except Windows server update services .It keeps saying error with restart needed.Here is what i get every time when i install WSUS after Restart needed.

“The request to add or remove features on the specified server failed. the operation cannot be completed because the server that you specified requires a restart.”

Why does it fail every time though server is restarted as stated from above screen ?

Go to event viewer ,windows logs-system ,you see below error message:

The MSSQL$MICROSOFT##WID service was unable to log on as NT SERVICE\MSSQL$MICROSOFT##WID with the currently configured password due to the following error:
Logon failure: the user has not been granted the requested logon type at this computer.
Service: MSSQL$MICROSOFT##WID
Domain and account: NT SERVICE\MSSQL$MICROSOFT##WID
This service account does not have the required user right "Log on as a service."

User Action
Assign "Log on as a service" to the service account on this computer. You can use Local Security Settings (Secpol.msc) to do this. If this computer is a node in a cluster, check that this user right is assigned to the Cluster service account on all nodes in the cluster.
If you have already assigned this user right to the service account, and the user right appears to be removed, check with your domain administrator to find out if a Group Policy object associated with this node might be removing the right.

How do i fix this ?

You need to Assign the Log on as a service user right to NT SERVICE\ALL SERVICES.

This can be implemented via GPO.

Go to your group policy management console,edit default domain policy

Computer Configuration—>Policies—>Windows Settings—>Security Settings—>Local Policies—>User Rights Assignment

Note: It is not mandatory to edit the default domain Policy to enable this setting.You can also create new GPO and ensure to have Enforced (running on Server 2012) option is selected which can not be overwritten by Default Domain Controller.

Go to properties of Logon as Service,click on Add user or Group,Enter NT SERVICE\ALL SERVICES ,click ok.

Now move onto the server,open command prompt and type gpupdate /Force to apply the GPO settings.

To check if the settings are applied or not,you can run rsop.msc from the run command and see the changes applied or not.

Once you confirmed the settings are applied,Start the installation of WSUS role again,this time It should be okay.

Hope it Helps!

Recap about Deployment Re-evaluation Though name indicates what it does but still clearing questions if any.

Re-evaluation on Software Updates Client Agent reevaluates(Recheck) software updates for installation status helps when Computers offline/Added newly to collection or removed patches from computers.

Scenario: You have created A deployment with List of patches (100) and deployed to collection consists of 100 machines with deadline date 1 week from current date.

computers which are online and performs below actions based on the settings you choose before they get the updates like how many are required(missing) ,not required ,installed etc.

Software Updates Scan Cycle: Scans for software updates compliance for updates that are new since the last scan. This action does not evaluate deployment policies as the Software Updates Deployment Evaluation Cycle does. This is a forced online scan and requires that the WSUS server is available for this action to succeed

Software Updates Deployment Evaluation Cycle: Evaluates the state of new and existing deployments and their associated software updates. This includes scanning for software updates compliance, but may not always catch scan results for the latest updates. This is a forced online scan and requires that the WSUS server is available for this action to succeed.

Once the scan is done  and policy arrives,Computer pass the time until the deadline(mandatory) is reached .When the deadline reaches,computers will start installing the required patches and reboot if necessary what you choose.

What happens to Computers which are offline/Newly Added/Updates Removed after the Deadline Expiration?

When computers (offline/New/Removed) come online and will perform Software Updates Deployment Evaluation Cycle,they see what is missed from the existing deployment and get them installed as mandatory.

For more information about Software Update Deployment Re-evaluation and how to Configure it,Read http://technet.microsoft.com/en-us/library/bb693813.aspx

Software Updates client agent settings http://technet.microsoft.com/en-us/library/bb632393.aspx

Software update point Role will fail to Install if you just install WSUS 3.0 SP2 without 2 patches.

The minimum Supported Version for Software update Point Role is Min WSUS 3.0 SP2+KB2720211+KB2734608

Microsoft has released an update for Windows Server Update Services (WSUS) 3.0 Service Pack 2 (SP2). This article includes information about the contents of the update and how to obtain the update.

Issues that are fixed :

This update lets servers that are running Windows Server Update Services (WSUS) 3.0 SP2 provide updates to computers that are running Windows 8 or Windows Server 2012.

This update fixes the following issues:

• Installation of update 2720211 may fail if Service Pack 2 was previously uninstalled and then reinstalled.
• After you install update 2720221, health monitoring may fail if the WSUS server is configured to use SSL.

Additionally, this update includes the following fixes:

• 2530678 System Center Update Publisher does not publish customized updates to a computer if WSUS 3.0 SP2 and the .NET Framework 4 are installed
• 2530709 “Metadata only” updates cannot be expired or revised in WSUS 3.0 SP2
• 2720211 An update for Windows Server Update Services 3.0 Service Pack 2 is available

More information about patch and download info ,read http://support.microsoft.com/kb/2734608.

Hi Everyone,

This is our first post in a long while, we’ve had our heads down ramping up on System Center 2012 and helping the first wave of early adopters. As part of some of the work we’ve done, we found one common scenario where customers are looking to migrate their server patching from WSUS to System Center 2012 Configuration Manager.  For desktop migrations, customer are usually happy to take all updates or the majority of updates and just start fresh.  For servers, they want to be sure that they only thing they pull across is whatever was approved by change and release management.

To this end, I’ve written up a couple of sample scripts that help with this migration.  The first script dumps a list of all approvals to all software update groups.  The second script takes this list and create Software Update Groups (or Update Lists if you’re using 2007) for each computer group with an update per approval.  The reason these steps were split was to allow for manual review of the exported list.  We found certain updates need clean up prior to importing into WSUS…and some simple Excel clean up does the trick (look for blank fields – these are usually software update titles that have wrapped).

The first script will output the list to console, so you’ll need to pipe the script output into another file (powershell.exe script.ps1 > output.csv).  The second script will show a progress bar as it imports, and uses a combination of T-SQL to get CI_IDs from the database and WMI via the provide to create the software update group and add the updates to the group.

For complete Post ,please Read http://blogs.technet.com/b/manageabilityguys/archive/2012/08/25/migrating-from-wsus-to-configuration-manager.aspx

This is continuation to the post avilable here on http://eskonr.com/2010/03/monthly-patch-statistics-reports-to-show-up-to-the-management-in-a-simplified-manner/

Report posted on the above link doesnt give you the required information what it gives in SMS 2003 since some of the columns in have been changed i.e product has blank value from v_GS_patchstausEX view etc in sccm 2007.

Below is the modified report that works in SCCM environment.

1) Patch Management summary:

select summ.ID,summ.QNumbers as ‘Q Number’,
COUNT(distinct ps.ResourceID) as ‘Requested’,
COUNT(distinct case when ps.LastState=107 or ps.laststate=102 or ps.laststate=105 then ps.ResourceID else NULL End)  as ‘Installed’,
ROUND(100.0*COUNT(distinct case when ps.LastState=107 or ps.laststate=102 or ps.laststate=105 then ps.ResourceID else NULL End)
/count(distinct ps.ResourceID),2) as ‘Success %’
from v_GS_PatchStatusEx ps
join v_ApplicableUpdatesSummaryEx summ on
   ps.UpdateID=summ.UpdateID
 where (summ.ID=’MS11-075′) and
         (summ.Type=’Microsoft Update’)
group by summ.ID,summ.QNumbers

order by summ.ID

PS: Please correct the quotes used in this query ,if you do copy paste,might give you error like “Incorrect Syntax error ” so type the quotes again by removing the exisinting ones.

I will post other quiries in the mean time what is avilable in SMS 2003 environment.

Attached is MOF file which you can directly import into your configmgr 2007 environment rather copy /paste.Patch_complilance_report.MOF (remove the txt extension,you will get MOF file).

Here is another patch statistics report for SCCM 2007 environment with summary of patches that are deployed within month (30 days) with different column.

select ‘Total number of active patches within 30days:’, COUNT(distinct Title) AS ‘Count’
FROM v_GS_PatchStatusEx
WHERE (DATEDIFF(Day, LastStatusTime, GETDATE())) <=30
UNION
select ‘Percent sucessfully installed’, round(100.0*COUNT( case when LastState=107 or LastState=105 then ResourceID else NULL end)/COUNT(ResourceID),1) as ‘Procent succesful’ 
FROM v_GS_PatchStatusEx
WHERE (DATEDIFF(Day, LastStatusTime, GETDATE())) <=30

select ps.ID, ps.QNumbers, ps.Title,
    round(100.0*COUNT(distinct case when ps.LastState=107 or ps.LastState=105 then ps.ResourceID else NULL end)/COUNT(distinct ps.ResourceID),1) as ‘Procent succesful’ ,
       COUNT(distinct case when ps.LastState=107 or ps.LastState=105 then ps.ResourceID else NULL end) as ‘Distribution Successful’,
       COUNT(distinct case when ps.LastState=101 then ps.ResourceID else NULL end) as ‘Distribution Failed’,
       COUNT(distinct case when ps.LastState not in (107,105,101) then ps.ResourceID else NULL end) as ‘Distribution Incomplete’,
       COUNT(distinct ps.ResourceID) as ‘In Distribution Scope’,
‘SMS00001′ as ‘CollectionID’,
‘Microsoft Update’ as ‘Type’,
inf.InfoPath
from v_GS_PatchStatusEx ps
join v_FullCollectionMembership fcm on ps.ResourceID=fcm.ResourceID
join v_ApplicableUpdatesSummaryEx inf on
  ps.UpdateID=inf.UpdateID
where fcm.CollectionID= ‘SMS00001′ and
         inf.Type = ‘Microsoft Update’
         
 AND (DATEDIFF(Day, ps.LastStatusTime, GETDATE())) <=30     
group by ps.ID, ps.QNumbers, ps.Title, inf.InfoPath

This VB script might help you in initiating the communication between WindowsUpdateAgent(Client) and WindowsUpdateServer(Server) for windows updates.

‘ —————START CODE—————

strComputer = inputbox(“Enter a computer name to run WUA detectnow”,”Invoke detectnow”)

if strComputer = “” then wscript.quit
on error goto 0
Set autoUpdateClient = CreateObject(“Microsoft.Update.AutoUpdate”,strComputer)
AutoUpdateClient.detectnow()
wscript.echo “Client Communication initiated with WSUS Server.”

‘ —————-END CODE—————–

Long back created a report for the monthly Patch statistics which can be found in http://www.windows-noob.com/forums/index.php?/topic/1764-patch-management-report-in-sms-2003/#entry6281

Below all the reports have been created using the last state messages.Even you can create different type of quiries based on this.

I was referring to the Patch process and found an image which gives the statistics for the listed patches in a good viewable way.so thought of creating such a report and can be linked to other report to get preferable colums which are necessary.May be i can show it to the management team for the patch activity on monthly basis.This basically requries to create 3 reports( like 1,2,3 ) out of which 3 is linked to 2 and 2 is linked 1.It is just simple that you can run only one report which is linked to other reports which gives u a report like below for the given bulletin ID’s.

Note:The below report is filterd with language swedish,if you want to get status for English/other language patches,you can customise it.The below report is called 1)Patch Management summary

To Build this report and to link to other reports ,you will have to create 3 reports which i named it like :1)Patch Management summary 2)Status of Each bulletin ID 3)Status of each bulletin ID with distribution status

Create new reports for each with the below query.

3)Status of particular bulletin ID with selected distribution status:

select distinct sys.Netbios_Name0, sys.User_Domain0, sys.User_Name0, fcm.SiteCode, ws.LastHWScan,
DATEADD(ss,@__timezoneoffset,ps.LastStatusTime) as LastStatusTime, PSX.TimeApplied0,ps.LastStatusMessageIDName, ps.LastExecutionResult
from v_R_System sys
join v_FullCollectionMembership fcm on sys.ResourceID=fcm.ResourceID
join v_GS_WORKSTATION_STATUS ws on sys.ResourceID=ws.ResourceID
join v_GS_PatchStatusEx ps on sys.ResourceID=ps.ResourceID
join v_GS_PATCHSTATEEX PSX on PSX.ResourceID=ps.ResourceID
join v_ApplicableUpdatesSummaryEx summ on
       ps.UpdateID=summ.UpdateID
where (ps.LastStateName=@status and summ.ID=@Title) and
(summ.Type = ‘Microsoft Update’) and (summ.product NOT LIKE ‘Windows Server 2003′)
group by Netbios_Name0, user_Domain0,user_Name0,SiteCode,LastHWScan,LastStatusTime,LastStatusMessageIDName,TimeApplied0,LastExecutionResult
order by Netbios_Name0

Click on the “Prompts Button”
Create a new prompt with the following Name: “status”
Give it a prompt text for ex: Select the Status
 Provide the following sql statement to the prompt for status with the given syntax

  select distinct LastStateName from v_GS_PatchStatusEx

Create another prompt value for Title with the sytax query :

  Select Title,ID,Product from v_GS_PatchStatusEx

Create report 2 called Status of Each bulletin ID

declare @n float

select @n = count(distinct ps.ResourceID)
from v_GS_PatchStatusEx ps
join v_FullCollectionMembership fcm on ps.ResourceID=fcm.ResourceID
join v_ApplicableUpdatesSummaryEx summ on
       ps.UpdateID=summ.UpdateID
where (ps.ID=@Title or ps.QNumbers=@Title or ps.Title=@Title) and
       (summ.Type =’Microsoft update’) and (summ.product NOT LIKE ‘Windows Server 2003′)

if IsNULL(@n,0) = 0 return

select @Title as Title, ps.LastStateName, count(distinct ps.ResourceID) as ‘Totals’,
 ROUND(100.0 * count(distinct ps.ResourceID)/@n,2) as ‘Percentage %’

from v_GS_PatchStatusEx ps
join v_FullCollectionMembership fcm on ps.ResourceID=fcm.ResourceID
join v_ApplicableUpdatesSummaryEx summ on ps.UpdateID=summ.UpdateID
where (ps.ID=@Title or ps.QNumbers=@Title or ps.Title=@Title)
       and (summ.Type = ‘Microsoft update’ ) and (summ.product NOT LIKE ‘Windows Server 2003′)
group by ps.LastStateName

Prompt for Title:   select Title,ID,QNumbers from v_GS_PatchStatusEx

Once you create the report,just right click on the report  and choose properties ,Choose the “Links” tab , Choose link Type: “link to another report“choose the report the one which you created above(report 3 in this case). make sure you have selected the correct columns which are marked in red circle

almost we come to an end by creating last report called  1) Patch Management summary

select summ.ID,summ.QNumbers as ‘Q Number’,
COUNT(distinct ps.ResourceID) as ‘Requested’,
COUNT(distinct case when ps.LastState=107 or ps.laststate=102 or ps.laststate=105 then ps.ResourceID else NULL End)  as ‘Installed’,
ROUND(100.0*COUNT(distinct case when ps.LastState=107 or ps.laststate=102 or ps.laststate=105 then ps.ResourceID else NULL End) /count(distinct ps.ResourceID),2) as ‘Success %’
from v_GS_PatchStatusEx ps
join v_ApplicableUpdatesSummaryEx summ on ps.UpdateID=summ.UpdateID
where (summ.ID=’MS10-006′ or summ.ID=’MS10-007′ or summ.ID=’MS10-008′ or summ.ID=’MS10-013′) and (summ.Type=’Microsoft Update’) and (summ.product NOT LIKE ‘Windows Server 2003′) and (summ.language=’Swedish’)
group by summ.ID,summ.QNumbers
order by summ.ID

If you want to get the information from particular collection,then you can limit the Above report on a specified collection ,here is the one to go.

select summ.ID,summ.QNumbers as ‘Q Number’,
COUNT(distinct ps.ResourceID) as ‘Requested’,
COUNT(distinct case when ps.LastState=107 or ps.laststate=102 or ps.laststate=105 then ps.ResourceID else NULL End)  as ‘Installed’,
 ROUND(100.0*COUNT(distinct case when ps.LastState=107 or ps.laststate=102 or ps.laststate=105 then ps.ResourceID else NULL End)
 /count(distinct ps.ResourceID),2) as ‘Success %’
 from v_GS_PatchStatusEx ps
JOIN v_FullCollectionMembership fcm on ps.ResourceID=fcm.ResourceID
join v_ApplicableUpdatesSummaryEx summ on
   ps.UpdateID=summ.UpdateID
    where (summ.QNumbers=’975562′ or summ.QNumbers=’978695′ or summ.QNumbers=’979482′ or summ.QNumbers=’980195′ or summ.QNumbers=’982381′) and
            (summ.Type=’Microsoft Update’) and (summ.product NOT LIKE ‘Windows Server 2003′) and(fcm.CollectionID =@collID)
group by summ.ID,summ.QNumbers

order by summ.ID

You would need to create promot collId given below:

begin
 if (@__filterwildcard = ”)
  select CollectionID, Name from v_Collection order by Name
 else
  select CollectionID, Name from v_Collection
  WHERE CollectionID like @__filterwildcard
  order by Name
end
The above report will generate status for specific bulletin ID’s for swedish language in brief.If you want to generate report for other languages or you want to get patch status irrespective of Laguage,you can simply delete it.

Once you create this report,right click and select properties.Choose the “Links” tab,Choose link Type: “link to another report” ,choose the report that you have created above(report 2 inthis case).ensure you have the correct columns fields like below otherwise you will mislead the report.

 you have done now,reports are ready for you.

Report for Particular Bulletin ID ,click on MS10-007

click on failed status,which gives you all machines

Hope it helps you insome way.The same reports are still work in SCCM in similar way but before doing it SCCM,change the bulletin ID numbers and language(in mycase it is Swedish)

Note: when you copy and paste the quiries to your SMS/SCCM server ,you might see some errors because of copy and paste.All these quiries are present in notepad attached here  Status report quiries

All the reports are working well in SCCM environment but you will have to remove a part of syntax called “and (summ.product NOT LIKE ‘Windows Server 2003′)” from the reports which you use since in SCCM,the product value is NULL.If you use the above quiries without modifying,you may see blank report.

Issue:  

 Client PC’s would not communicate to WSUS 3.0 SP1

 Solution:

 1. Delete the PC from the WSUS console (Client PC’s – The PC will likely have a red X)

 2. At the client PC – Select Start – Run – type CMD

 3. At the command prompt type net stop wuauserv

 4. Navigate to the Windows Directory

 5. Delete the ‘Software Distribution’ Folder

 6. Run Microsoft Update from the Start menu (This will ensure the update software is up to date)

 7. Restart the PC

 8. Select Start – Run – type in the run box http://WSUSServerName/iuident.cab (wsus server name is the name of your server)

 9. You should be prompted to download or open iuident.cab. This confirms network connectivity.

 10. Select Start – Run

 11. type in the run dialog box wuauclt.exe /resetauthorization /detectnow

 12. Wait 10 minuites +/-. The PC should connect to WSUS and begin downloading updates.