WSUS Administration Best Practices Recommended to Ease System Center Endpoint Protection (and FEP/FCS) Deployment

Forefront Client Security and Endpoint Protection both rely on the WSUS infrastructure, each in its own way, unless your Forefront update policy uses a network share to deploy the updates. The goal of this article is not to explain the relationship between Forefront and WSUS in detail, but to provide best practices for WSUS management and administration that will ease FCS/FEP deployment and avoid certain issues (e.g. update failures).

The key point to remember is that FCS and FEP rely heavily on the health and performance of the Windows Update Agent (WUA) on the client computers. Below are a few points, grouped by role (client-based, and server-based, mostly WSUS), that are known to ease Forefront deployment and updating.

Please Note:

Please keep in mind that even if you decide to deploy the Forefront definition updates through SCCM, the WSUS server and agent are still needed for the detection logic on the clients!
Please also note that these best practices apply to WSUS in general, even if you do not run Forefront antivirus (FCS/FEP/SCEP) on your machines.


Client-based FEP/WSUS best practices


Windows Installer (MSI) is used during WUA operations, and Forefront uses it to check for definition updates and, depending on the settings, also to download them. Windows Installer 3.x scanning against a large number of Microsoft updates, including Forefront definitions, is a known performance issue.

Recommendation: always use the latest Windows Installer version. Here is the URL to download version 4.5: http://support.microsoft.com/kb/942288

Proxy settings: if you're following security best practices and filter HTTP traffic with a proxy, most of the time it is not appropriate for your client computers to contact their WSUS server through your internal proxy.

Recommendation: check that the Windows Update service is able to contact your WSUS server (or even Microsoft Update online).

Nowadays malware often embeds defences against security products. Deploying SCEP/FEP/FCS on a compromised machine may be more complex than expected.

Recommendation: deploy at least the Malicious Software Removal Tool (MSRT), for instance through WSUS (see: http://support.microsoft.com/kb/891716), which will perform a first clean-up against high-profile malware families. And if you really suspect that machines are already compromised, consider deploying Windows Defender Offline through SCCM (see: http://blogs.technet.com/b/configmgrteam/archive/2012/04/12/launching-a-windows-defender-offline-scan-with-configuration-manager-2012-osd.aspx).

WSUS server-based best practices


Amount of updates available on the WSUS Server:

This is a very important concept to understand. On the WSUS server, updates can be in one of three states: DECLINED, NOT APPROVED and APPROVED. The client parses both APPROVED and NOT APPROVED updates. This means that unless updates are explicitly declined, the client needs to evaluate each one to check whether it is applicable to it or not. This whole process takes time and computing power. For instance, if the WUA has to evaluate more than 80 updates, there will probably be a performance impact on the client, and even Forefront definition update failures. NB: this can be checked in the WindowsUpdate.log file (located in %windir%).

Recommendation


  1. Decline all superseded updates, as long as the superseding updates are available and approved for installation. Superseded updates have newer updates that replace them, thus making them obsolete. This is the most important tweak. Pay special attention to Forefront definition updates: there is a large number of these, and they are likely to be the primary source of poor client performance.
  2. Try to minimize the number of updates in the NOT APPROVED state. Either decline them or approve them.


WSUS Server maintenance: running monthly clean-up scripts will help eliminate expired updates and will also decline superseded ones. Here are a few tools to help with the process:
  1. The Server Cleanup Wizard (cf. http://technet.microsoft.com/en-us/library/cc708578%28v=ws.10%29.aspx) in WSUS should be run at least once per month. This can be automated using scripts, for WSUS 3.0: http://wsus.codeplex.com/releases/view/17612
  2. The related PowerShell script: http://www.peetersonline.nl/index.php/powershell/wsus-cleanup-with-powershell/
  3. A reindexing script that helps WSUS search the database faster (also to be run once a month): http://www.microsoft.com/technet/scriptcenter/scripts/sus/server/susvvb01.mspx?mfr=true
Based on this TechNet blog article, related to WSUS and Office updates: http://blogs.technet.com/b/roplatforms/archive/2010/10/04/svchost-exe-uses-100-cpu-when-windows-xp-updates-via-wsus.aspx.
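The following script is an added example (not from the original article or the linked scripts) that ties together the two server-side points above: it counts updates per state against the 80-update threshold, declines superseded updates only when at least one superseding update is itself approved, and then performs the same clean-up as the Server Cleanup Wizard through the WSUS API. It assumes WSUS 3.0 SP2 with the Microsoft.UpdateServices.Administration assembly installed, a WSUS administrator account, and the assumed default server name and port.

```powershell
# Added example (not from the original article): report update states on a WSUS 3.0 SP2 server,
# decline superseded updates only when an approved replacement exists, then run the clean-up.
# Assumes it runs on the WSUS server under a WSUS administrator account; server/port are assumed defaults.
param(
    [string]$ServerName = "localhost",
    [int]$Port = 80,
    [switch]$UseSsl,
    [switch]$Commit      # without -Commit, nothing is changed: the script only reports
)

[void][Reflection.Assembly]::LoadWithPartialName("Microsoft.UpdateServices.Administration")
$wsus = [Microsoft.UpdateServices.Administration.AdminProxy]::GetUpdateServer($ServerName, $UseSsl.IsPresent, $Port)
$all  = $wsus.GetUpdates()

# Clients evaluate every APPROVED and NOT APPROVED update; only DECLINED ones are skipped
$declined    = @($all | Where-Object { $_.IsDeclined })
$approved    = @($all | Where-Object { -not $_.IsDeclined -and $_.IsApproved })
$notApproved = @($all | Where-Object { -not $_.IsDeclined -and -not $_.IsApproved })
"Approved: {0}  Not approved: {1}  Declined: {2}" -f $approved.Count, $notApproved.Count, $declined.Count
if (($approved.Count + $notApproved.Count) -gt 80) {
    Write-Warning "Clients must evaluate more than 80 updates; expect slow scans and definition update failures."
}

# Candidate for decline: superseded, not yet declined, and at least one superseding update is approved
$rel = [Microsoft.UpdateServices.Administration.UpdateRelationshipType]::UpdatesThatSupersedeThisUpdate
$toDecline = foreach ($u in $all) {
    if ($u.IsDeclined -or -not $u.IsSuperseded) { continue }
    $replacementApproved = @($u.GetRelatedUpdates($rel) | Where-Object { $_.IsApproved -and -not $_.IsDeclined }).Count -gt 0
    if ($replacementApproved) { $u }
}
# Definition updates (Forefront, Defender) are the bulk of superseded items on most servers
$definitions = @($toDecline | Where-Object { $_.Title -like "Definition Update*" })
"Superseded updates with an approved replacement: {0} (of which definition updates: {1})" -f @($toDecline).Count, $definitions.Count

if ($Commit) {
    foreach ($u in $toDecline) {
        $u.Decline()
        "Declined: $($u.Title)"
    }
    # Same work as the Server Cleanup Wizard: expired/obsolete updates, unneeded content, stale computers
    $scope = New-Object Microsoft.UpdateServices.Administration.CleanupScope
    $scope.DeclineExpiredUpdates       = $true
    $scope.CleanupObsoleteUpdates      = $true
    $scope.CleanupUnneededContentFiles = $true
    $scope.CleanupObsoleteComputers    = $true
    $scope.CompressUpdates             = $true
    $wsus.GetCleanupManager().PerformCleanup($scope) | Out-String
}
```

Run it once without -Commit to review the counts and the list of candidates, then schedule it monthly with -Commit alongside the reindexing script.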


Keep the WSUS server up to date:
  1. Check that WSUS 3.0 SP2 is installed.
  2. Install KB2734608 (http://support.microsoft.com/kb/2734608?wa=wsignin1.0), which helps solve (among other things) digital certificate issues.

Appendix


You might be interested in reading how to do the same with System Center Configuration Manager 2012: http://blogs.technet.com/b/configmgrteam/archive/2012/04/12/software-update-content-cleanup-in-system-center-2012-configuration-manager.aspx?CommentPosted=true#commentmessage
  