9 Replies Latest reply on Mar 26, 2012 3:37 AM by dmease729

    3100/2100 appliance Windows updates - query on KB73493

    dmease729

      Hi,

       

      As per KB51647, gpedit entry shows sus-update.foundstone.com, as expected, however KB73493 refers to KB52534 advising on changes to the Foundstone Update Service Proxy Service.  In order to receive Windows updates, surely KB73493 should be advising on changes to the Automatic Updates service (same steps as per Foundstone service, above), as it is this service that downloads and applies the updates?  Note that user FS is part of the local Administrators group so I am guessing that this user should have the rights to install the updates.  I need to test this though, as I have only just recently discovered that the Windows updates are failing.

       

      Saying that, the FS user isn't present on the 2100 appliances, so would we need to create a user to assign to the Automatic Updates service, or can the 3100 appliances push Windows updates to the 2100 appliances?

       

      cheers,

        • 1. Re: 3100/2100 appliance Windows updates - query on KB73493
          dmease729

          Sorry, just to confirm - all Internet access via a proxy :-)

          • 2. Re: 3100/2100 appliance Windows updates - query on KB73493

            Hi D.

             

            I will cross-check the 3 KBs, but short answer is that for an Authenticated Proxy you need to use the FS account since the Local System Account can't pass credentials over the network.  In this case KB52534 is your best resource.

             

            The Windows Updates are not pushed by the MVM3000's so the 2100's are going to need to be set up in a similar way.  I'm waiting for a 2100 to get here so I can test out these theories, but I expect you're going to need to create an account that is a member of Local Administrators to get it to work as well.

             

            I hope that helps!
            Cathy

            • 3. Re: 3100/2100 appliance Windows updates - query on KB73493
              dmease729

              Hey Cathy,

               

              Sorry - didn't make myself clear.  KB72493 states "If you are behind a proxy, see KB52534 for details about configuring the FSUpdate process to login to your proxy and perform the update." - for somebody who is unsure of what is actually happening, this implies that configuring the FSUpdate process to use the FS account credentials will fix the Windows update issue - but as we know, it won't.  It should be reworded to advise that the same *process* in KB52534 needs to be followed, but instead of carrying out the change on the FSUpdate process, configure the credentials on the Automatic Updates service instead.

              Not meaning to be pedantic, but the current wording implies that the FSUpdate process actually carries out the windows updates - it may be confusing.

               

              I am waiting for change control at present, but I will be able to test out an account on the 2100s I have, and will confirm what happens.  It's a race :-D

              • 4. Re: 3100/2100 appliance Windows updates - query on KB73493
                dmease729

                Hi,

                 

                Just tried following the same process through for the Automatic Updates service, and receive the following error:

                 

                Error 1079: The account specified for this service is different from the account specified for other services running in the same process.

                 

                Service name: wuauserv

                 

                Taking advice from: http://answers.microsoft.com/en-us/windows/forum/windows_vista-performance/error-1079-the-account-specified-for-this-service/d0f13130-f166-4524-a88e-9338963352a9 :

                Browse to registry key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost
                Double clicked value: netsvcs (the executable path for the wuauserv service is "C:\Windows\system32\svchost.exe -k netsvcs")

                 

                ...and in the multi-string list, wuauserv is listed.

                 

                From what I have read in this article, is it the case that the account used for this service to log in needs to be the same as that which is used for the other services in this multi-string list?  If this is the case, would it kill anything if I manually removed wuauserv from this list?  I appreciate this is technically a MS question, but given the fact that McAfee have produced an official KB article, I am assuming that McAfee have had this working?

                 

                Quick update: Further down the same article, somebody advised that they started the BITS service with the same account when having issues with automatic updates.  Same error occurs with this service also (tried out of curiosity)

                 

                Anybody have any ideas?

                • 5. Re: 3100/2100 appliance Windows updates - query on KB73493
                  dmease729

                  Hi,

                   

                  Just tried following the same process through for the Automatic Updates service, and receive the following error:

                  Error 1079: The account specified for this service is different from the account specified for other services running in the same process.

                  Service name: wuauserv

                   

                  Taking advice from: http://answers.microsoft.com/en-us/windows/forum/windows_vista-performance/error-1079-the-account-specified-for-this-service/d0f13130-f166-4524-a88e-9338963352a9 :

                  Browse to registry key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost
                  Double clicked value: netsvcs (the executable path for the wuauserv service is "C:\Windows\system32\svchost.exe -k netsvcs") and in the multi-string list, wuauserv is listed.

                  From what I have read in this article, is it the case that the account used for this service to log in needs to be the same as that which is used for the other services in this multi-string list?  If this is the case, would it kill anything if I manually removed wuauserv from this list?  I appreciate this is technically a MS question, but given the fact that McAfee have produced an official KB article, I am assuming that McAfee have had this working?

                   

                  Quick update: Further down the same article, somebody advised that they started the BITS service with the same account when having issues with automatic updates.  Same error occurs with this service also (tried out of curiosity)

                   

                  From http://support.microsoft.com/kb/900935:

                  "The Microsoft Windows Update client program requires Microsoft Windows HTTP Services (WinHTTP) to scan for available updates. Additionally, the Windows Update client uses the Background Intelligent Transfer Service (BITS) to download these updates. Microsoft Windows HTTP Services and BITS run independently of Microsoft Internet Explorer. Both these services must be able to detect the proxy server or proxy servers that are available in your particular environment. This article describes the various proxy server detection methods that are available."

                   

                  Under 'The Automatic Updates service is configured to download and install updates from the Microsoft Windows Update Web site', it seems to imply that even if the Automatic Updates service runs in the context of the Local System account, it should be able to download using settings defined via proxycfg.exe or netsh (for newer OS). 

                   

                  As we are still currently on server 2003, http://support.microsoft.com/kb/289481 refers to proxycfg.exe usage

                   

                  Some notes:

                  1) If the BITS service is required, then this won't work to start with - on my 3100, this service is set to manual.
                  2) The only service I can find that refers to WinHTTP is 'WinHTTP Web Proxy Auto-Discovery Service'.  I have checked on my Win7 host, and the description of this service is as follows: "WinHTTP implements the client HTTP stack... ... In addition, WinHTTP provides support for auto-discovering a proxy configuration via ... WPAD" which seems to imply this *is* WinHTTP.  The description on Win2k3, however, advises "implements WPAD *for* WinHTTP".  Further, running 'sc query winhttp' from cmd advises that this service does not exist as an installed service.  Anyhoo, http://www.blackviper.com/windows-services/winhttp-web-proxy-auto-discovery-service/#General_Information also seems to point that this service is essentially the winhttp service referred to by the MS KB...
                  3) If the service noted in 2), above, is required, it is actually disabled on my 3100 appliance.
                  4) I don't think I have mentioned, but this access is required through a proxy that does not require authentication, so essentially I just need the OS to know what proxy settings to use.  If all of the above *is* required in order to use the local system service, then I wouldn't know where to begin to get this set up to use a proxy that expects authentication!  (All of this is of course moot should there be an easy workaround for the error I have experienced above...)

                   

                  Given the number of articles I have seen today that seem to indicate that this appears to be a standard query, I am going to give proxycfg a try and see what happens.  Not holding much hope, so it would be greatly appreciated if:

                   

                  A) anybody could confirm if they actually have a working implementation of this, therefore I need to look into why it isn't working in my case
                  B) anybody at McAfee to confirm that this has been proven to work
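
Added example, not part of the original posts and not McAfee or Microsoft code: a Python sketch of the rule stated in the Error 1079 message quoted above. It parses `sc qc` output and lists the services that share a host process with a given service and would be left on a different logon account. The sample `sc qc` text is constructed, and `ExampleOwnProcessSvc` and the `.\FS` account spelling are assumptions for illustration.

```python
import re

# Constructed sample: trimmed `sc qc` output for three services.
SAMPLE_SC_QC = r"""
SERVICE_NAME: wuauserv
        TYPE               : 20  WIN32_SHARE_PROCESS
        BINARY_PATH_NAME   : C:\WINDOWS\system32\svchost.exe -k netsvcs
        SERVICE_START_NAME : LocalSystem

SERVICE_NAME: BITS
        TYPE               : 20  WIN32_SHARE_PROCESS
        BINARY_PATH_NAME   : C:\WINDOWS\system32\svchost.exe -k netsvcs
        SERVICE_START_NAME : LocalSystem

SERVICE_NAME: ExampleOwnProcessSvc
        TYPE               : 10  WIN32_OWN_PROCESS
        BINARY_PATH_NAME   : C:\Example\svc.exe
        SERVICE_START_NAME : LocalSystem
"""

FIELD = re.compile(r"^\s*([A-Z_]+)\s*:\s*(.*?)\s*$")

def parse_sc_qc(text):
    """Return {service_name: {field: value}} from concatenated `sc qc` output."""
    services, current = {}, None
    for line in text.splitlines():
        m = FIELD.match(line)
        if not m:
            continue
        key, value = m.groups()
        if key == "SERVICE_NAME":
            current = services.setdefault(value, {})
        elif current is not None:
            current[key] = value
    return services

def conflicts_on_account_change(services, name, new_account):
    """Co-hosted services whose logon account would differ from new_account."""
    target = services[name]
    if "SHARE_PROCESS" not in target["TYPE"]:
        return []  # an own-process service has no co-hosted services to match
    image = target["BINARY_PATH_NAME"].lower()
    return sorted(
        other for other, cfg in services.items()
        if other != name
        and "SHARE_PROCESS" in cfg["TYPE"]
        and cfg["BINARY_PATH_NAME"].lower() == image
        and cfg["SERVICE_START_NAME"].lower() != new_account.lower()
    )
```

A non-empty result for a service means changing only that service's logon account leaves it out of step with the other services in the same svchost group, which is the condition the error text describes for both wuauserv and BITS.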

                  • 6. Re: 3100/2100 appliance Windows updates - query on KB73493
                    dmease729

                    http://msdn.microsoft.com/en-us/library/windows/desktop/aa384069(v=vs.85).aspx

                    The proxy configuration utility sets the default authentication policy. Because you should not perform NTLM authentication with untrusted hosts, by default, NTLM authentication only occurs automatically with hosts on the proxy bypass list. If there is no proxy, you can still use ProxyCfg.exe to specify a bypass list of hosts that you trust to perform NTLM authentication. A proxy name is required when using ProxyCfg.exe for this purpose, but you can use any valid string in place of a real proxy name.


                    I don't *think* this will affect the scans as they are run by the FS scan service, which I doubt will use the default authentication policy.  Going to tread carefully here, however - would appreciate McAfee's feedback on this!

                    • 7. Re: 3100/2100 appliance Windows updates - query on KB73493
                      jhaynes

                      Cathy asked me to read through this and now my head hurts.   Thanks Cathy.

                       

                      From what I can tell the issue stems around the KBs which have pointed you in the wrong direction. Basically FSUpdate, which is used for MVM product updates and WSUS, which is used for Windows updates are being linked together by our KB system when they shouldn't be. That is why you are confused and this isn't working. I've asked Cathy to reach out to you directly so we can get this sorted out.

                       

                      I apologize for this and we will get you up and working as quickly as possible. In parallel we are fixing the KBs.

                       

                      Jeff Haynes

                      Manager WW Tier 3 Support

                      • 9. Re: 3100/2100 appliance Windows updates - query on KB73493
                        dmease729

                        Cheers Cathy,

                         

                        Just to confirm - proxycfg works a treat