RE: Windows Update v5 issues and workaround

  • From: "Thomas W Shinder" <tshinder@xxxxxxxxxxx>
  • To: "[ISAserver.org Discussion List]" <isalist@xxxxxxxxxxxxx>
  • Date: Fri, 10 Sep 2004 09:30:38 -0500

Does that mean it works like bits of Greg? Scary...

:-)
Tom 

-----Original Message-----
From: Jim Harrison [mailto:jim@xxxxxxxxxxxx] 
Sent: Friday, September 10, 2004 8:55 AM
To: [ISAserver.org Discussion List]
Subject: [isalist] RE: Windows Update v5 issues and workaround

http://www.ISAserver.org

..it's that kind of detail that we need right now.
BTW, as of the latest WinHTTP and BITS updates, there is effectively no
difference between AU and WU.
(don't ask; it's too ugly for words, like Greg).

  Jim Harrison
  MCP(NT4, W2K), A+, Network+, PCG
  http://isaserver.org/Jim_Harrison/
  http://isatools.org
  Read the help / books / articles!


On Fri, 10 Sep 2004 06:43:28 -0400
 "Dan Bartley" <bartleyd@xxxxxxxxxxxxxxxxxxx> wrote:

I'll call them today. What I meant was that the error I receive seems to
be related to the SUS client 2.2 trying to initialize when the v5 page
makes the call to start the download window. As opposed to using the v5
activex control. Since that version of the client does not know about
the new download window it fails. I found a couple of references on
Google to the error code which seems to point to SUS. The connection
between the 2 was purely deductive on my part, if the error seems
related to SUS, but v5 web page is what should be making the call, then
they must be crossing wires somewhere. It is 100% reproducible in my
case.

This connects with an SUS "anomaly" I saw last week when I pushed out
the .NET Framework SP update. The SP2 machines acted like they received
it from normal AU instead of SUS. I had to click the update icon in the
sys tray instead of getting the dialog that says it is about to install
yes-no or just auto installing on a client with no logged on user. All
the pre-sp2 machines behaved normally.

I'm not entirely sure if it is related to SUS GPO and subsequent reg
entries on the client or actual file version conflicts. I see there are
some new entries for windows update in the GPO from SP2.

One thing I do know is that all was well when SP2 and v5 first went out
to IT, then they pushed out a second new client activex when SP2 went on
WU and that is when everything went south. V4 site still works fine and
can initiate the download, of course that is manual and when updating a
new machine or RIS image (which I must do often), that is a pain.

Best Regards, 

Dan Bartley

-----Original Message-----
From: Jim Harrison [mailto:jim@xxxxxxxxxxxx]
Sent: Friday, September 10, 2004 01:32
To: [ISAserver.org Discussion List]
Subject: [isalist] RE: Windows Update v5 issues and workaround


Not OT at all and you should absolutely add your voice to the clamor in
PSS right now.
We're fighting with the WU team about what's wrong and how to fix it and
the more folks come screaming to PSS, the more leverage we have.

I'm not clear on your statement about the "SUS client" vs. the WU
client.
They're one and the same; it's just a matter of where you direct them
for automatic updates.

  Jim Harrison
  MCP(NT4, W2K), A+, Network+, PCG
  http://isaserver.org/Jim_Harrison/
  http://isatools.org
  Read the help / books / articles!


On Thu, 9 Sep 2004 21:27:26 -0400
 "Dan Bartley" <bartleyd@xxxxxxxxxxxxxxxxxxx> wrote:

I haven't called PSS myself. I didn't want to risk wasting a call since
numerous posters have said they aren't helping. 

I did however post the relevant log snippet from Windows Update.log to
an MS WU engineer in the MS newsgroup. It appears to be a problem on
that machine with the SUS 2.2 client. It seems the newest v5 client does
not like co-existing in an SUS environment. The error on the page and in
the log is 8007045A.

In my test environment where there is no SUS, v5 is still working.

Thanks for listening, clearly my issue is not ISA related, so this was
certainly OT. 

I originally replied because many of the v5 problems may not be related
to ISA at all. In a second test environment with no SUS and behind ISA
2004, I have had no problems with v5 and had to make no changes nor
apply any updates.

Best Regards, 

Dan Bartley

-----Original Message-----
From: Jim Harrison [mailto:jim@xxxxxxxxxxxx]
Sent: Thursday, September 09, 2004 21:12
To: [ISAserver.org Discussion List]
Subject: [isalist] RE: Windows Update v5 issues and workaround


Were you able to provide captures / detailed repro to PSS?
We're extremely interested in issues other than what we've already
identified...

  Jim Harrison
  MCP(NT4, W2K), A+, Network+, PCG
  http://isaserver.org/Jim_Harrison/
  http://isatools.org
  Read the help / books / articles!

----- Original Message -----
From: "Peter W. Merner" <pmerner@xxxxxxxxxxxxx>
To: "[ISAserver.org Discussion List]" <isalist@xxxxxxxxxxxxx>
Sent: Thursday, September 09, 2004 17:32
Subject: [isalist] RE: Windows Update v5 issues and workaround



All my ISA2000 XP clients are no longer able to complete WU. I have
created an issue with MS but none of the very detailed "suggestions"
does the trick. Would love to go back to the V4 site but, alas, it is
auto redirected to V5. So what URL are you using to access V4? Would
love to do the same. None of the XP clients have sp2 installed. Am
waiting for fixes from Symantec before even running tests.

-----Original Message-----
From: Dan Bartley [mailto:bartleyd@xxxxxxxxxxxxxxxxxxx] 
Sent: Thursday, September 09, 2004 8:08 PM
To: [ISAserver.org Discussion List]
Subject: [isalist] RE: Windows Update v5 issues and workaround


Just as an aside. The v5 WU problems may be a little more global than
just proxy issues. It is failing widespread, proxy, firewall or whatever
or not. Seems to have started with the second v5 update client they
pushed out last week (I think it was last week). Check the MS newsgroup
for WU and you'll see dozens of posts a day stating problems with v5
update hanging or returning an error page.

I know for me it worked fine through ISA 2004 and through another FW
elsewhere with the original v5 client, after the last update no work
anymore anywhere. In my case I can get all the way to the install page,
then it returns an error instead of firing up the new download dialog.

Manually going to v4 WU site works fine.

I have to admit I am extremely reluctant to install a pre-sp2 roll up
with the rather large list of items it replaces over a SP2 install.
BTW-the roll up was installed prior to SP2 on some machines. Although
this problem happens on machines upgraded to SP2 and machines clean
installed with slipstreamed SP2.

Best Regards, 

Dan Bartley

-----Original Message-----
From: Jim Harrison [mailto:jim@xxxxxxxxxxxx] 
Sent: Tuesday, September 07, 2004 22:47
To: [ISAserver.org Discussion List]
Subject: [isalist] RE: Windows Update v5 issues and workaround


No, you're not forgotten.
The WU team is hard at it coming up with an answer to this issue.
We've also tested a few more scenarios and here is an updated workaround
for ISA 200x:

Synopsis:
There are two NTLM authentication issues affecting WU v5 when WU uses
web proxy requests to access Windows Update:
    - NTLMSSP_AUTH responses may contain null credentials
    - NTLMSSP_NEGOTIATE credentials may be sent on a half-closed connection

We haven't heard any reports of WUv5 issues with non-NTLM (Basic,
Digest) authentication yet and we haven't specifically tested this.
We have been able to repro this with ISA Server 2000 and we have also
heard reports of WU failing through other NTLM-authenticating proxy
servers (Proxy 2, Squid are two examples).
The cause of each problem is still being worked out, but a clear
workaround is available and it boils down to two things:
    - Disable authentication for Windows Update requests.
    - Disable authentication for HTTP and HTTPS protocols

ISA Server Note: you may have heard that the "ReturnDeniedIfAuthenticated"
registry setting explained in http://support.microsoft.com/?id=297324 is
part of the problem.  While applying this setting to ISA 2000 does help
expose the WU authentication problems, it is not the cause. If you have
applied this setting to your ISA 2000 Server, you did so with good reason
to solve a specific problem. You should not remove this setting if you
have applied it.  By the same token, if you are not experiencing the
problem outlined in this KB article, you don't need to and shouldn't
apply it.  The above article applies only to ISA 2000; you should not
apply any ISA 2000 registry settings to ISA 2004 unless the relevant KB
article explicitly instructs you to.  Currently, none do.


Now let's get on with the workaround.
Per the WU team, there are four destinations that should be included for
creating anonymous Windows Update access policies:
            TABLE 1
    Item        FQDN
    1            *.download.microsoft.com
    2            *.windowupdate.com
    3            *.windowsupdate.microsoft.com
    4            windowsupdate.microsoft.com



For internal clients
    Download and apply this Internet Explorer update package to all internal clients
        http://support.microsoft.com/?id=871260


For ISA 2000
    NOTE: Changes to ISA 2000 policies do not take effect immediately
    and do not affect existing sessions.  See
    http://support.microsoft.com/?id=281985 for details.

    Create a destination set for Windows Update domains
    1.       Expand <ArrayName> and PolicyElements
    2.       R-click Destination Sets, select New, then Set
    3.       Enter WindowsUpdate in the Name field, click Next
    4.       Click Add
    5.       Enter *.download.microsoft.com in the Domain field
    6.       Leave the Path field blank
    7.       Click OK
    8.       Repeat steps 4 through 7 for each remaining entry in Table 1
    9.       Click OK

    Create an anonymous Site and Content rule for Windows Update requests
    1.       Expand Access Policy
    2.       R-click Site and Content Rules, select New, then Rule
    3.       Enter Windows Update in the Name field, click Next
    4.       Select Allow, click Next
    5.       Select Allow access based on destination, click Next
    6.       In the Apply this rule to: drop-down list, select Specified Destination Set
    7.       In the Name: drop-down list, select Windows Update
    8.       Click Next, then Finish

    NOTE: if your existing protocol rules require authentication (user
    or group-limited), you'll have to create an anonymous protocol rule
    for HTTP and HTTPS as follows:
    Create an anonymous Protocol rule for HTTP and HTTPS
    1.       Right click Protocol Rules, select New, then Rule
    2.       Enter Windows Update in the Name field, click Next
    3.       Select Allow, click Next
    4.       In the Apply this rule to: drop-down list, select Selected protocols
    5.       In the Protocols list, select HTTP and HTTPS, click Next
    6.       Click Next, Next, then Finish

For ISA 2004
    NOTE: Changes to ISA 2004 policies do not affect existing sessions.  See
    http://support.microsoft.com/?id=841140 for details.

    Create an anonymous Access Rule for Windows Update
    1.       In the left pane, R-click Firewall Policy and select New, then Access Rule
    2.       Enter Windows Update in the Name field, click Next
    3.       Select Allow, click Next
    4.       In the This rule applies to: drop-down list, select Selected Protocols
    5.       Click Add
    6.       In the Add Protocols dialog, expand Web
    7.       Select HTTP and click Add
    8.       Select HTTPS and click Add
    9.       Click Close, then Next
    10.   In the Access Rule Sources dialog, click Add
    11.   In the Add Network Entities dialog, expand Networks
    12.   Select Internal and click Add
    13.   For each network where clients may request access to Windows Update, select that network object and click Add
    14.   Click Close, then Next
    15.   In the Access Rule Destinations window, click Add
    16.   In the Add Network Entities window menu bar, click New, then Domain Name Set
    17.   In the New Domain Name Set Policy Element window, enter Windows Update in the Name field
    18.   Click New
    19.   In the Domain names included in this set list, change the new entry to *.download.microsoft.com
    20.   Repeat steps 19 and 20 for each remaining entry in Table 1
    21.   Click OK
    22.   In the New Domain Name Set Policy Element window, select Windows Update, click Add, then Close
    23.   Click Next, Next, then Finish
    24.   In the top part of the middle pane, Apply and Discard buttons will appear; click Apply
    25.   When Apply New Configuration dialog reports "Changes to the configuration were successfully applied", click OK

    Make the Windows Update rule the first rule
    NOTE: If you prefer to list all of your deny rules first, then you
    can make the Windows Update rule the first rule following them
    1.       In the left pane, select Firewall Policy
    2.       If Windows Update is already the first rule in the list, stop here
    3.       In the middle pane, select Windows Update
    4.       In the right pane select the Tasks tab
    5.       Click Move the selected rule up until Windows Update is the first rule in the list
    6.       In the top part of the middle pane, Apply and Discard buttons should appear; click Apply
    7.       When Apply New Configuration dialog reports "Changes to the configuration were successfully applied", click OK

Look for a KB that details the WU side of the issue and cross-links to
an ISA KB with these instructions.


  Jim Harrison
  MCP(NT4, W2K), A+, Network+, PCG
  http://isaserver.org/Jim_Harrison/
  http://isatools.org
  Read the help / books / articles!
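
Added example (not part of the original thread, and not ISA Server code): a small Python model of ordered, first-match policy as the ISA 2004 steps above describe it, showing why the anonymous Windows Update rule has to sit ahead of any rule that demands authentication and why Table 1 lists windowsupdate.microsoft.com separately from its wildcard entry. The wildcard semantics, the `Authenticated web` rule and the sample hosts are assumptions made for illustration.

```python
# Added illustration, not ISA Server code: a simplified first-match policy model.
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Table 1 entries, copied exactly as they appear in the post.
TABLE_1 = [
    "*.download.microsoft.com",
    "*.windowupdate.com",
    "*.windowsupdate.microsoft.com",
    "windowsupdate.microsoft.com",
]


def domain_matches(pattern: str, host: str) -> bool:
    """Assumed semantics: '*.x' matches subdomains of x, never x itself."""
    pattern = pattern.lower()
    host = host.lower().rstrip(".")
    if pattern.startswith("*."):
        suffix = pattern[1:]                      # ".download.microsoft.com"
        return host.endswith(suffix) and len(host) > len(suffix)
    return host == pattern


@dataclass
class Rule:
    name: str
    destinations: Optional[List[str]]   # None means "all destinations"
    requires_auth: bool                 # True: limited to authenticated users

    def applies_to(self, host: str) -> bool:
        if self.destinations is None:
            return True
        return any(domain_matches(p, host) for p in self.destinations)


def evaluate(rules: List[Rule], host: str, authenticated: bool) -> Tuple[str, str]:
    """Return (action, rule name) for the first rule whose destination matches."""
    for rule in rules:
        if not rule.applies_to(host):
            continue
        if rule.requires_auth and not authenticated:
            # Authentication is demanded: the case the workaround avoids.
            return ("challenge", rule.name)
        return ("allow", rule.name)
    return ("deny", "default")


WU_RULE = Rule("Windows Update", TABLE_1, requires_auth=False)
WEB_RULE = Rule("Authenticated web", None, requires_auth=True)   # hypothetical

# Constructed sample hosts for an anonymous (no credentials) client.
SAMPLE_HOSTS = [
    "v5.windowsupdate.microsoft.com",
    "windowsupdate.microsoft.com",
    "www.download.microsoft.com",
    "download.microsoft.com.example.net",   # must not ride the anonymous rule
    "www.example.com",
]


def anonymous_outcomes(rules: List[Rule]) -> dict:
    """Action taken for each sample host when the client sends no credentials."""
    return {h: evaluate(rules, h, authenticated=False)[0] for h in SAMPLE_HOSTS}


if __name__ == "__main__":
    for label, order in (("WU rule first", [WU_RULE, WEB_RULE]),
                         ("WU rule last", [WEB_RULE, WU_RULE])):
        print(label)
        for host, action in anonymous_outcomes(order).items():
            print(f"  {action:9} {host}")
```

With the Windows Update rule first, only the Table 1 destinations pass without credentials; with it last, every anonymous request is asked to authenticate.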

----- Original Message ----- 
From: "Jeff Sloan" <jsloan@xxxxxxxxxxxx>
To: "[ISAserver.org Discussion List]" <isalist@xxxxxxxxxxxxx>
Sent: Tuesday, September 07, 2004 11:18
Subject: [isalist] RE: Windows Update v5 issues and workaround (Roll Up)





-----Original Message-----
From: Jim Harrison [mailto:jim@xxxxxxxxxxxx]
Sent: Monday, September 06, 2004 2:17 PM
To: ISALists
Subject: [isalist] RE: Windows Update v5 issues and workaround



Nope; and I don't get why not, either.

  Jim Harrison
  MCP(NT4, W2K), A+, Network+, PCG
  http://isaserver.org/Jim_Harrison/
  http://isatools.org
  Read the help / books / articles!


On Mon, 6 Sep 2004 20:02:53 +0200
 "Stefaan Pouseele" <stefaan.pouseele@xxxxxxx> wrote:

Hi Jim,

Is this fix already included in IE6-SP2 delivered with XP-SP2 (IE
version 6.0.2900.2180)?

Thanks,
Stefaan

-----Original Message-----
From: Jim Harrison [mailto:jim@xxxxxxxxxxxx]
Sent: maandag 6 september 2004 19:05
To: [ISAserver.org Discussion List]
Subject: Re: Windows Update v5 issues and workaround


Hi all,

We've located an existing fix that appears to alleviate WU issue #2:
    http://support.microsoft.com/?id=871260

Accordingly, the previous instructions are amended as follows (if you
previously had "global authentication" disabled, there is no reason to
enable it):

(add)
    For internal clients
    Download and apply this Internet Explorer update package to all internal clients
        http://support.microsoft.com/?id=871260

For ISA 2000
(add)
    Note for ISA policy recommendations:  If you use an "allow all
    destinations for selected users" rule, the following recommendations
    may not work as expected because of the way ISA 2000 matches requests
    to rules. Since it is not possible to define a "rule order" in ISA
    2000, you may wish to modify your "allow all destinations for selected
    users" rule to be an "allow Windows Update for all users"

(delete)
    Disable "global" authentication for web proxy requests

For ISA 2004
(delete)
    Disable "global" authentication for web proxy requests


  Jim Harrison
  MCP(NT4, W2K), A+, Network+, PCG
  http://isaserver.org/Jim_Harrison/
  http://isatools.org
  Read the help / books / articles!

I have looked at the article, and don't see where you would download if
you already have IE6SP2.
What if you also have XP SP2 loaded?
Do you still need it?


------------------------------------------------------
List Archives: http://www.webelists.com/cgi/lyris.pl?enter=isalist
ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp
ISA Server FAQ: http://www.isaserver.org/pages/larticle.asp?type=FAQ
------------------------------------------------------
Other Internet Software Marketing Sites:
World of Windows Networking: http://www.windowsnetworking.com
Leading Network Software Directory: http://www.serverfiles.com
No.1 Exchange Server Resource Site: http://www.msexchange.org
Windows Security Resource Site: http://www.windowsecurity.com/
Network Security Library: http://www.secinf.net/
Windows 2000/NT Fax Solutions: http://www.ntfaxfaq.com
------------------------------------------------------
You are currently subscribed to this ISAserver.org Discussion List as:
jim@xxxxxxxxxxxx
To unsubscribe visit http://www.webelists.com/cgi/lyris.pl?enter=isalist
Report abuse to listadmin@xxxxxxxxxxxxx

