Hardware Support for W2008 R2 Hyper-V Cluster and SP1?

One of the strengths of Hyper-V is one of its weaknesses: it supports a huge variety of hardware including hosts and storage.  Hyper-V clusters need to be treated like mainframes.  Any change, no matter how small you think it is, needs to be verified and tested (by somebody) before you apply it.  We typically advise people with a Hyper-V cluster not to update drivers, firmwares, etc, unless they have to.  And if they do, then they need to work with hardware vendors to ensure that they are tested with the build of Hyper-V and that the various updates are regression tested.  For example, blades with SAN cannot have just one firmware updated: an entire set of firmwares and drivers must be deployed.

And along comes SP1 for Windows Server 2008 R2.  All those integrated hotfixes and Dynamic Memory are really tempting, aren’t they?  Wouldn’t you just love to deploy it as a part of your standard host build?

Question: do your server and storage vendors support SP1 yet?  Are your drivers tested on SP1 by the h/w vendor?  Is your storage going to work if you deploy it?  Will your cluster validation (required for MS support) work after you install SP1?  Will you need firmware updates before you deploy the service pack?  Have you asked these questions yet?

Make sure that your storage and server vendors do support W2008 R2 SP1 and that your firmware and driver versions meet the requirements before you install the SP.  You don’t want to finish that last reboot and get a nasty surprise when you re-run the cluster validation or run a storage level backup of your CSVs.

0xC0000034 with SP1 on OEM Windows 7 Installations

This morning I read about a crash issue with Service Pack 1 for Windows 7 on machines that came with the preinstalled OEM copy of Windows 7.  Nick Whittome posted a description and various workarounds on his Facebook page.

EDIT: there were some issues with the Facebook link so you can go to a post on TechNet instead.


SP1 is Available Now

Service Pack 1 for Windows 7 and Windows Server 2008 R2 is available to volume license customers and MSDN/TechNet subscribers.  There’s not much more to say at the moment.  I’ve blogged it all before.

I’ll be coming back to Dynamic Memory when I get a chance.  I’m pretty tired right now after a day of assembling servers, and I’ve got 2 presentations to prepare for next week – a side benefit of that will be a lab where I can grab screenshots for a nice long blog post.

Reminder: Service Pack 1 for Windows 7 and Windows Server 2008 R2

This is a quick reminder that the release-to-web of SP1 for Win7 and W2008 R2 will be tomorrow for anyone on a volume licensing deal, or MSDN/TechNet.  I think most people won’t be in a mad rush to deploy it, but those of us doing Hyper-V virtualisation will be very keen to get our hands on it.  As blogged previously there are a few changes under the covers that’ll impact non-Hyper-V folks but most of them won’t notice any difference other than a build number.

I’d expect the download to appear at around midday Redmond time which is 20:00 GMT or 21:00 CET, or in the following hour.  That seems to be when most big releases happen.

Block Windows 7 and Windows Server 2008 R2 Service Pack 1

As usual, Microsoft is providing a way to prevent the download and install of a new service pack; this time it’s SP1 for Windows 7 and W2008 R2.

You can prevent the download/install if you use WSUS or ConfigMgr.  For example, you can choose if you want to download service packs (or not) and you can choose to approve (or not) the service pack for all machines or groups of machines.

But maybe you use Windows Update directly, or maybe you have a one-size-fits-all policy and you want to block the install for a few machines?  If so, you can use the blocker.

“A blocking tool is available for organizations that would like to temporarily prevent installation of Service Pack updates through Windows Update.
This tool can be used with:

  • Windows 7 Service Pack 1 (valid for 12 months following general availability of the service pack)
  • Windows Server 2008 R2 Service Pack 1 (valid for 12 months following general availability of the service pack)

This toolkit contains three components. All of them function primarily to set or clear a specific registry key that is used to detect and block download of Service Packs from Windows Update. You only need to use the component which best serves your organization’s computer management infrastructure.

  • A Microsoft-signed executable
  • A script
  • An ADM template
  1. The executable creates a registry key on the computer on which it is run that blocks or unblocks (depending on the command-line option used) the delivery of a Service Pack to that computer through Windows Update. The key used is HKLM\Software\Policies\Microsoft\Windows\WindowsUpdate.
    When the ‘/B’ command line option is used, the key value name ‘DoNotAllowSP’ is created and its value set to 1. This value blocks delivery of a Service Pack to the computer through Automatic Update or Windows Update.
    When the ‘/U’ command line option is used, the previously created registry value that temporarily blocked the delivery of a Service Pack to the computer through Automatic Update or Windows Update is removed. If the value does not exist on the computer on which it is run, no action is taken.
  2. The script does the same thing as the executable, but allows you to specify the remote machine name on which to block or unblock delivery of Service Packs.
    Note that the executable and script have been tested only as a command-line tool and not in conjunction with other systems management tools or remote execution mechanisms.
  3. The ADM template allows administrators to import group policy settings to block or unblock delivery of Service Packs into their Group Policy environment. Administrators can then use Group Policy to centrally execute the action across systems in their environment.

Please note that this toolkit will not prevent the installation of the service pack from CD/DVD, or from the stand-alone download package. This simply prevents the service pack from being delivered over Windows Update.”
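The registry change that the quoted toolkit text describes, as an added PowerShell example (not part of Microsoft's toolkit or the original post). The key path and value name come from the text above; the function names are hypothetical and the DWORD value type is an assumption.

```powershell
# Added example: set, clear and report the Service Pack block value.
# Key path and value name are taken from the quoted toolkit description;
# function names are hypothetical. Run from an elevated prompt.
$WuPolicyKey = 'HKLM:\Software\Policies\Microsoft\Windows\WindowsUpdate'
$ValueName   = 'DoNotAllowSP'

function Get-SPBlockState {
    # $true only when DoNotAllowSP exists and is set to 1.
    $item = Get-ItemProperty -Path $WuPolicyKey -Name $ValueName -ErrorAction SilentlyContinue
    return ($null -ne $item -and $item.$ValueName -eq 1)
}

function Set-SPBlock {
    # Equivalent of the '/B' behaviour: create the value and set it to 1.
    [CmdletBinding(SupportsShouldProcess = $true)]
    param()
    if (-not (Test-Path $WuPolicyKey)) {
        if ($PSCmdlet.ShouldProcess($WuPolicyKey, 'Create policy key')) {
            New-Item -Path $WuPolicyKey -Force | Out-Null
        }
    }
    if ($PSCmdlet.ShouldProcess("$WuPolicyKey\$ValueName", 'Set to 1')) {
        # DWord is an assumption; the quoted text only says the value is set to 1.
        New-ItemProperty -Path $WuPolicyKey -Name $ValueName -Value 1 `
            -PropertyType DWord -Force | Out-Null
    }
}

function Clear-SPBlock {
    # Equivalent of the '/U' behaviour: remove the value, do nothing if absent.
    [CmdletBinding(SupportsShouldProcess = $true)]
    param()
    $item = Get-ItemProperty -Path $WuPolicyKey -Name $ValueName -ErrorAction SilentlyContinue
    if ($null -ne $item) {
        if ($PSCmdlet.ShouldProcess("$WuPolicyKey\$ValueName", 'Remove value')) {
            # Only the value is removed; other Windows Update policy
            # settings stored in the same key are left untouched.
            Remove-ItemProperty -Path $WuPolicyKey -Name $ValueName
        }
    }
}

# Report the current state without changing anything.
"Service Pack block active: $(Get-SPBlockState)"
```

Dot-source the script and call `Set-SPBlock -WhatIf` or `Clear-SPBlock -WhatIf` to preview the change before applying it.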

KB2264080: Hyper-V Rollup Update

Some eagle-eyed MVPs reported that Microsoft has issued a rollup update for Windows Server 2008 R2 Hyper-V.  Microsoft is recommending the installation of the rollup update to avoid the described issues.  You’ll note that the affected CPUs in issues 1 and 3 are Intel CPUs.  The update rolls up 3 updates into one installer:

Issue 1 – KB975530
When a computer has one or more Intel CPUs code-named Nehalem installed, you receive the following Stop error message:

0x00000101 ( parameter1 , 0000000000000000, parameter3 , 000000000000000c) CLOCK_WATCHDOG_TIMEOUT
Note The Nehalem CPU for a server is from the Intel Xeon processor 5500 series and for a client computer is from the Intel Core-i processor series.

Issue 2 – KB974909
Consider the following scenario:

  • You run a virtual machine (VM) on the computer.
  • You use a network adapter on the VM to access a network.
  • You establish many concurrent network connections. Or, there is heavy outgoing network traffic.
  • In this scenario, the network connection on the VM may be lost. Additionally, the network adapter is disabled.
  • Note: You have to restart the VM to recover from this issue.

Issue 3 – KB981791
When a computer has an Intel Westmere processor, you receive an error message that resembles the following:

STOP: 0x0000001a ( Parameter1 , Parameter2 , Parameter3 , Parameter4 ) MEMORY_MANAGEMENT

Credit: Artem Pronichkin, MVP

Notable Changes in SP1 Beta for Win7 and W2008 R2

There are a number of notable changes in the Service Pack 1 beta for Windows 7 and Windows Server 2008 R2.  You might not have heard it, but they do go beyond Hyper-V.  There is a document you can read with all the details.  Here are the highlights for the server OS:

  • Hyper-V Dynamic Memory
  • RemoteFX
  • A new IP address enforcement feature that is not in the beta release.
  • Enhancements to scalability and high availability when using DirectAccess
  • Support for Managed Service Accounts (MSAs) in perimeter networks
  • Support for increased volume of authentication traffic on domain controllers connected to high-latency networks
  • Enhancements to Failover Clustering with Storage

Here are the improvements for the desktop OS:

  • Additional support for communication with third-party federation services
  • Improved HDMI audio device performance
  • Corrected behaviour when printing mixed-orientation XPS documents

Both desktop and server:

  • Change to behaviour of “Restore previous folders at logon” functionality
  • Enhanced support for additional identities in RRAS and IPsec
  • Support for Advanced Vector Extensions (AVX)

Attack on Windows via Siemens Software

I just read about this attack.  It uses Siemens software to install a root kit.  The vulnerability starts with a static password that Siemens inserted. (I once worked in a bank where I am told MSBlaster got in via a Siemens phone engineer using the modem in their systems servers to dial out to the net).  The root kit then uses a stolen private certification key to pretend to be a RealTek driver so that it can install on 64-bit OS’s (Vista and later).  MS and RealTek have figured out a solution (requires your Windows Updates to be working).  Interesting stuff.


KB976323 Wipes the SMTP Configuration

The Windows update MS10-24 for SMTP will wipe the SMTP configuration on Windows Server 2008.  I discovered this today when we found SMTP was no longer relaying email (or accepting local connections) on a couple of servers.  One server and I was scratching my head.  The second one and I knew there was only one common denominator.

It took me a couple of different search attempts to find the culprit.  Even then, I went to the official page for this update and I had to click through 3 pages to find a warning that there might be an issue (I linked the eventual page above).

The developer of this automatic update expects you to magically script a solution to run before the update and after it.  This will back up your SMTP configuration and restore it.  That’s even assuming that your crystal ball has warned you of a problem.  The next time I hear a MS security evangelist talk about instant approval and deployment of updates … …

I know the issue with this update is an exception.  But I am not impressed.  Believe me – I am holding back on how unimpressed I am.

*counting down from 10, 9, 8 …*

Microsoft’s Initial Response To MS10-015 / KB977165 Blue Screen of Death

Microsoft’s security operation has issued an initial response to the issue with machines blue screening and failing to reboot correctly after installing MS10-015.

While we work to address this issue, customers who choose not to install the update can implement the workaround outlined in the bulletin. CVE-2010-0232 was publicly disclosed and we previously issued Security Advisory 979682 in response. Customers can disable the NTVDM subsystem as a workaround and we have provided an automated method of doing that with a Microsoft Fix It that you can find here.

Customers who are experiencing issues after installing any of our security updates can get help resolving the issues by either going to this site or by calling 1-866-PCSafety (1-866-727-2338). International customers can find local support contact numbers here.
