Summary of changes in System Center Configuration Manager current branch, version 1702

Update 1702 for System Center Configuration Manager current branch (ConfigMgr 1702) contains many changes that are intended to prevent issues and improve features. A list of these changes and fixes is available in the KB article below. Keep in mind that this list is not comprehensive; however, it does include the items that the product development team believes are the most relevant to most customers. Many of these changes are in response to customer feedback about product issues and ideas for product improvement. For information about what has been fixed and/or updated, please see the following article:

4022075 – Summary of changes in System Center Configuration Manager current branch, version 1702 (https://support.microsoft.com/help/4022075)

ConfigMgr 1702 is available both as an in-console update to be installed at the top-most site in a hierarchy and as baseline media for new site installations. For more information about installing ConfigMgr 1702, see Checklist for installing update 1702 for System Center Configuration Manager.


ConfigMgr SQL queries for helping the IT Pro report on KBs related to MS17-010

NOTE: This information is now available in multiple languages in the Microsoft Knowledge Base article Configuration Manager SQL Server queries for compliance reporting related to MS17-010.

The following is shared by CSS Support Escalation Engineer Vinay Pamnani, to help give the IT Pro some sample queries that may assist them in their security update compliance reporting as it relates to ‘MS17-010’. It is provided as a sample and NOT to be taken as a definitive compliance posture information source. As with all Software Update compliance information, the queries below rely on current and accurate scan result information in the ConfigMgr database. The sample queries below have had limited testing against ConfigMgr version 1702 and SQL Server 2016.

Official Customer Guidance for WannaCrypt attacks:

https://blogs.technet.microsoft.com/msrc/2017/05/12/customer-guidance-for-wannacrypt-attacks/

General information on ransomware:

https://www.microsoft.com/en-us/security/portal/mmpc/shared/ransomware.aspx

Microsoft Malware Protection Center blog:

https://blogs.technet.microsoft.com/mmpc/2017/05/12/wannacrypt-ransomware-worm-targets-out-of-date-systems/

MS17-010 Security Update:

https://technet.microsoft.com/en-us/library/security/ms17-010.aspx

The simplest and most generally recommended approach is to deploy the latest CU to Windows 10 or Server 2016 systems, and to deploy the latest Monthly Rollup to pre-Windows 10 machines, and use the built-in ConfigMgr Compliance reports to determine overall compliance.

However, the following queries can also enable admins to report on MS17-010 compliance.

What do these queries do?

Pre-Windows 10 machines:

Windows 8.1 and Server 2012 R2 machines that do not report KB2919355 as installed will be returned by the query. This is because KB2919355 is required for the later KBs to be reported as applicable. So, these systems can be considered unpatched and require further investigation.

For the Windows Vista, Windows 7, Windows 8.1, Windows Server 2008 R2 SP1, Windows Server 2008 SP2, Windows Server 2012, and Windows Server 2012 R2 queries below, the systems returned will be those that do not have either the March, April, or May monthly rollups installed -AND- are reporting the following specific ‘Security Only’ updates as ‘Required’:

Windows Vista and Server 2008 SP2: KB4012598
Windows 7 and Server 2008 R2 SP1: KB4012212
Windows Server 2012: KB4012214
Windows Server 2012 R2 and Windows 8.1: KB4012213

-- For Windows 7, Server 2008 R2 SP1, Windows Server 2012, Server 2012 R2 and Windows 8.1, Windows Vista and Server 2008 SP2
-- This query lists machines that are reporting any of the 'Security Only' updates as 'Required'.
-- If any machine has either March, April or May Monthly Rollup installed, then they wouldn't report March 'Security Only' update as 'Required', but look for the Monthly updates anyway.
-- Also include any Windows 8.1 and Server 2012 R2 machines which do not report ‘KB2919355’ as Installed.

DECLARE @MarchSecurityOnly TABLE (ArticleID NVARCHAR(20))
INSERT INTO @MarchSecurityOnly VALUES ('4012212')
INSERT INTO @MarchSecurityOnly VALUES ('4012213')
INSERT INTO @MarchSecurityOnly VALUES ('4012214')
INSERT INTO @MarchSecurityOnly VALUES ('4012598')

DECLARE @MarchMonthly TABLE (ArticleID NVARCHAR(20))
INSERT INTO @MarchMonthly VALUES ('4012215')
INSERT INTO @MarchMonthly VALUES ('4015549')
INSERT INTO @MarchMonthly VALUES ('4019264')
INSERT INTO @MarchMonthly VALUES ('4012216')
INSERT INTO @MarchMonthly VALUES ('4015550')
INSERT INTO @MarchMonthly VALUES ('4019215')
INSERT INTO @MarchMonthly VALUES ('4012217')
INSERT INTO @MarchMonthly VALUES ('4015551')
INSERT INTO @MarchMonthly VALUES ('4019216')

DECLARE @KB2919355 NVARCHAR(10) = '2919355'-- Pre-req

SELECT
       RS.Name0,
       UI.ArticleID as ArticleID,
       UI.BulletinID as BulletinID,
       UI.Title as Title,
       SN.StateDescription AS State,
       UCS.LastStatusCheckTime AS LastStateReceived,
       UCS.LastStatusChangeTime AS LastStateChanged,
       UI.CI_UniqueID AS UniqueUpdateID
FROM v_Update_ComplianceStatusReported UCS
JOIN v_UpdateInfo UI ON UCS.CI_ID = UI.CI_ID
JOIN v_R_System RS ON RS.ResourceType=5 AND RS.ResourceID = UCS.ResourceID
JOIN v_StateNames SN ON SN.TopicType=500 AND SN.StateID=2 AND SN.StateID = UCS.Status
WHERE UI.ArticleID IN (SELECT ArticleID FROM @MarchSecurityOnly)
AND RS.Name0 NOT IN (
       -- Monthly is installed
       SELECT distinct RS.Name0
       FROM v_Update_ComplianceStatusReported UCS
       JOIN v_UpdateInfo UI ON UCS.CI_ID = UI.CI_ID
       JOIN v_R_System RS ON RS.ResourceType=5 AND RS.ResourceID = UCS.ResourceID
       JOIN v_StateNames SN ON SN.TopicType=500 AND SN.StateID=3 AND SN.StateID = UCS.Status
       WHERE UI.ArticleID IN (SELECT ArticleID FROM @MarchMonthly)
)
UNION
-- Windows 8.1 and Server 2012 R2 machines that do not report KB2919355 as Installed.
SELECT
       distinct RS.Name0,
       UI.ArticleID as ArticleID,
       UI.BulletinID as BulletinID,
       'KB2919355' as Title,     
       'Update is not Installed' AS State,
       NULL AS LastStateReceived,
       NULL AS LastStateChanged,
       'KB2919355' AS UniqueUpdateID
FROM v_Update_ComplianceStatusReported UCS
JOIN v_UpdateInfo UI ON UCS.CI_ID = UI.CI_ID
JOIN v_R_System RS ON RS.ResourceType=5 AND RS.ResourceID = UCS.ResourceID
JOIN v_StateNames SN ON SN.TopicType=500 AND SN.StateID = UCS.Status AND SN.StateID <> 3
JOIN v_GS_OPERATING_SYSTEM OS ON RS.ResourceID = OS.ResourceID AND OS.BuildNumber0 = '9600' -- Windows 8.1 and Server 2012 R2
WHERE UI.ArticleID = @KB2919355

Windows 10 and Server 2016

For the Windows 10 and Server 2016 queries, there are 2 scenarios that may apply depending on an environment’s configuration on the expiry of superseded updates in ConfigMgr. For more information on this, see the Supersedence rules section on TechNet and this.

Scenario 1: Customers with Supersedence rule NOT set to ‘Immediately expire’:

If the superseded updates are not expired and therefore still available in ConfigMgr, you can use the following query to help identify Windows 10 and Windows Server 2016 systems that do not have the March CU or a subsequent CU installed. Please note that for the March CU data to be evaluated, the ‘months to wait before an update is expired’ value in ConfigMgr must be set high enough that the March update was not expired. The same consideration applies to the subsequent updates. If this does not apply to your environment, the information in Scenario 2: Customers with Supersedence rule set to ‘Immediately expire’ (or not long enough) can be tried.

For the following Windows 10 and Server 2016 builds, the query below returns systems that do not have any of the listed monthly CUs, released in March or later (through the date of this post), installed:

Win10  RTM: KB4012606, KB4019474, KB4015221, KB4016637
Win10 1511: KB4013198, KB4015219, KB4016636, KB4019473
Win10 1607/Server 2016: KB4013429, KB4015217, KB4015438, KB4016635, KB4019472

-- Windows 10 machines that do not have the March (or any of the superseding updates) installed, and could be 'unpatched'.
-- These queries are OS dependent, since we are querying individual KB's, and need to compare those KB's against proper builds to prevent getting inaccurate results.

-- Windows 10 RTM
DECLARE @BuildNumberRTM INT = '10240'
DECLARE @MarchWin10 TABLE (ArticleID NVARCHAR(20))
INSERT INTO @MarchWin10 VALUES ('4012606') -- March Cumulative
INSERT INTO @MarchWin10 VALUES ('4019474')
INSERT INTO @MarchWin10 VALUES ('4015221')
INSERT INTO @MarchWin10 VALUES ('4016637')

-- Windows 10 1511
DECLARE @BuildNumber1511 INT = '10586'
DECLARE @MarchWin101511 TABLE (ArticleID NVARCHAR(20))
INSERT INTO @MarchWin101511 VALUES ('4013198') -- March Cumulative
INSERT INTO @MarchWin101511 VALUES ('4015219')
INSERT INTO @MarchWin101511 VALUES ('4016636')
INSERT INTO @MarchWin101511 VALUES ('4019473')

-- Windows 10 1607
DECLARE @BuildNumber1607 INT = '14393'
DECLARE @MarchWin101607 TABLE (ArticleID NVARCHAR(20))
INSERT INTO @MarchWin101607 VALUES ('4013429') -- March Cumulative
INSERT INTO @MarchWin101607 VALUES ('4015217')
INSERT INTO @MarchWin101607 VALUES ('4015438')
INSERT INTO @MarchWin101607 VALUES ('4016635')
INSERT INTO @MarchWin101607 VALUES ('4019472')

SELECT RS.Name0, OS.BuildNumber0 FROM v_R_System RS
JOIN v_GS_OPERATING_SYSTEM OS ON RS.ResourceID = OS.ResourceID AND OS.BuildNumber0 = @BuildNumber1607
WHERE RS.Name0 NOT IN (
SELECT RS.Name0
FROM v_Update_ComplianceStatusReported UCS
JOIN v_UpdateInfo UI ON UCS.CI_ID = UI.CI_ID
JOIN v_R_System RS ON RS.ResourceType=5 AND RS.ResourceID = UCS.ResourceID
JOIN v_StateNames SN ON SN.TopicType=500 AND SN.StateID=3 AND SN.StateID = UCS.Status
JOIN v_GS_OPERATING_SYSTEM OS ON OS.ResourceID = RS.ResourceID AND OS.BuildNumber0 = @BuildNumber1607
WHERE UI.ArticleID IN (SELECT ArticleID FROM @MarchWin101607)
)
UNION
SELECT RS.Name0, OS.BuildNumber0 FROM v_R_System RS
JOIN v_GS_OPERATING_SYSTEM OS ON RS.ResourceID = OS.ResourceID AND OS.BuildNumber0 = @BuildNumberRTM
WHERE RS.Name0 NOT IN (
SELECT RS.Name0
FROM v_Update_ComplianceStatusReported UCS
JOIN v_UpdateInfo UI ON UCS.CI_ID = UI.CI_ID
JOIN v_R_System RS ON RS.ResourceType=5 AND RS.ResourceID = UCS.ResourceID
JOIN v_StateNames SN ON SN.TopicType=500 AND SN.StateID=3 AND SN.StateID = UCS.Status
JOIN v_GS_OPERATING_SYSTEM OS ON OS.ResourceID = RS.ResourceID AND OS.BuildNumber0 = @BuildNumberRTM
WHERE UI.ArticleID IN (SELECT ArticleID FROM @MarchWin10)
)
UNION
SELECT RS.Name0, OS.BuildNumber0 FROM v_R_System RS
JOIN v_GS_OPERATING_SYSTEM OS ON RS.ResourceID = OS.ResourceID AND OS.BuildNumber0 = @BuildNumber1511
WHERE RS.Name0 NOT IN (
SELECT RS.Name0
FROM v_Update_ComplianceStatusReported UCS
JOIN v_UpdateInfo UI ON UCS.CI_ID = UI.CI_ID
JOIN v_R_System RS ON RS.ResourceType=5 AND RS.ResourceID = UCS.ResourceID
JOIN v_StateNames SN ON SN.TopicType=500 AND SN.StateID=3 AND SN.StateID = UCS.Status
JOIN v_GS_OPERATING_SYSTEM OS ON OS.ResourceID = RS.ResourceID AND OS.BuildNumber0 = @BuildNumber1511
WHERE UI.ArticleID IN (SELECT ArticleID FROM @MarchWin101511)
)

Scenario 2: Customers with Supersedence rule set to ‘Immediately expire’ (or not long enough):

Since CUs are superseded each month, and expired due to the ConfigMgr Supersedence Rules option being set to ‘Immediately Expire’, compliance data is not available on the expired update – in this scenario, you will, however, have compliance data on the newest CU available, so the simplest path forward would be to deploy the latest CU and report against it.

Alternative options to the above, that may help determine ‘unpatched’ machines, by reporting on the expired CU, are as follows:

Alternate Options (for Windows 10 and Server 2016):

Extend Hardware Inventory to include Win32_QuickFixEngineering, and use this data to identify ‘unpatched’ machines. If a machine has none of the March, April, or May CUs installed, it is ‘unpatched’. NOTE that if you do not have this already enabled and enable it now, you would need to wait for all the clients to report Hardware Inventory.

-- Customers with Win32_QuickFixEngineering class enabled for HINV can use these queries.
-- Windows 10 machines that do not have the March (or any of the superseding updates) installed and could be 'unpatched'.
-- These queries are OS dependent, since we are querying individual KB's, and need to compare those KB's against proper builds to prevent getting inaccurate results.
-- Query limits results for machines that have at least one row in v_GS_Quick_Fix_Engineering class to ensure there is some HINV data for the machine for this class.

-- Windows 10 RTM
DECLARE @BuildNumberRTM INT = '10240'
DECLARE @MarchWin10 TABLE (ArticleID NVARCHAR(20))
INSERT INTO @MarchWin10 VALUES ('4012606') -- March Cumulative
INSERT INTO @MarchWin10 VALUES ('4019474')
INSERT INTO @MarchWin10 VALUES ('4015221')
INSERT INTO @MarchWin10 VALUES ('4016637')

-- Windows 10 1511
DECLARE @BuildNumber1511 INT = '10586'
DECLARE @MarchWin101511 TABLE (ArticleID NVARCHAR(20))
INSERT INTO @MarchWin101511 VALUES ('4013198') -- March Cumulative
INSERT INTO @MarchWin101511 VALUES ('4015219')
INSERT INTO @MarchWin101511 VALUES ('4016636')
INSERT INTO @MarchWin101511 VALUES ('4019473')

-- Windows 10 1607
DECLARE @BuildNumber1607 INT = '14393'
DECLARE @MarchWin101607 TABLE (ArticleID NVARCHAR(20))
INSERT INTO @MarchWin101607 VALUES ('4013429') -- March Cumulative
INSERT INTO @MarchWin101607 VALUES ('4015217')
INSERT INTO @MarchWin101607 VALUES ('4015438')
INSERT INTO @MarchWin101607 VALUES ('4016635')
INSERT INTO @MarchWin101607 VALUES ('4019472')

SELECT RS.Name0, OS.BuildNumber0, QFE.HotFixID0, COUNT(QFEALL.HotFixID0) AS TotalHotfixes FROM v_R_System RS
JOIN v_GS_OPERATING_SYSTEM OS ON OS.ResourceID = RS.ResourceID AND OS.BuildNumber0 = @BuildNumberRTM
JOIN v_GS_QUICK_FIX_ENGINEERING QFEALL ON QFEALL.ResourceID = RS.ResourceID
LEFT JOIN v_GS_QUICK_FIX_ENGINEERING QFE ON QFE.ResourceID = RS.ResourceID AND QFE.HotFixID0 IN (SELECT 'KB' + ArticleID FROM @MarchWin10)
WHERE QFE.HotFixID0 IS NULL
GROUP BY RS.Name0, OS.BuildNumber0, QFE.HotFixID0
HAVING COUNT(QFEALL.HotFixID0) > 0
UNION
SELECT RS.Name0, OS.BuildNumber0, QFE.HotFixID0, COUNT(QFEALL.HotFixID0) AS TotalHotfixes FROM v_R_System RS
JOIN v_GS_OPERATING_SYSTEM OS ON OS.ResourceID = RS.ResourceID AND OS.BuildNumber0 = @BuildNumber1511
JOIN v_GS_QUICK_FIX_ENGINEERING QFEALL ON QFEALL.ResourceID = RS.ResourceID
LEFT JOIN v_GS_QUICK_FIX_ENGINEERING QFE ON QFE.ResourceID = RS.ResourceID AND QFE.HotFixID0 IN (SELECT 'KB' + ArticleID FROM @MarchWin101511)
WHERE QFE.HotFixID0 IS NULL
GROUP BY RS.Name0, OS.BuildNumber0, QFE.HotFixID0
HAVING COUNT(QFEALL.HotFixID0) > 0
UNION
SELECT RS.Name0, OS.BuildNumber0, QFE.HotFixID0, COUNT(QFEALL.HotFixID0) AS TotalHotfixes FROM v_R_System RS
JOIN v_GS_OPERATING_SYSTEM OS ON OS.ResourceID = RS.ResourceID AND OS.BuildNumber0 = @BuildNumber1607
JOIN v_GS_QUICK_FIX_ENGINEERING QFEALL ON QFEALL.ResourceID = RS.ResourceID
LEFT JOIN v_GS_QUICK_FIX_ENGINEERING QFE ON QFE.ResourceID = RS.ResourceID AND QFE.HotFixID0 IN (SELECT 'KB' + ArticleID FROM @MarchWin101607)
WHERE QFE.HotFixID0 IS NULL
GROUP BY RS.Name0, OS.BuildNumber0, QFE.HotFixID0
HAVING COUNT(QFEALL.HotFixID0) > 0

Alternate Options (for all Operating Systems):

Create a Configuration Item and Baseline which queries the March, April and May CUs from Win32_QuickFixEngineering and reports Compliance. Here’s a sample PowerShell script written by Umair Khan that can be used in a DCM Baseline.

$InstalledKBList = Get-Wmiobject -class Win32_QuickFixEngineering -namespace "root\cimv2" | select-object -Property HotFixID | Out-String

[array]$MS17010VulnerabilityList =
"KB4012598",
"KB4012212",
"KB4012215",
"KB4012213",
"KB4012216",
"KB4012214",
"KB4012217",
"KB4012606",
"KB4013198",
"KB4013429",
"KB4015219",
"KB4015221",
"KB4016636",
"KB4015438",
"KB4015550",
"KB4015551",
"KB4016637",
"KB4019473",
"KB4016635",
"KB4018466",
"KB4015552",
"KB4019215",
"KB4019216",
"KB4019474",
"KB4019472",
"KB4019264"
 
$Compliant = 0;
foreach ($elem in $MS17010VulnerabilityList)
{   
    if ($InstalledKBList -match $elem)
    {
    #Write-Output "$elem Found"
    $Compliant = 1
    break
    } 
}

$Compliant

Update 1705 for Configuration Manager Technical Preview Branch released

We are happy to let you know that update 1705 for the Technical Preview Branch of System Center Configuration Manager has been released. Technical Preview Branch releases give you an opportunity to try out new Configuration Manager features in a test environment before they are made generally available. For information on this month’s new preview...

Update rollup for System Center Configuration Manager current branch, version 1702, is now available

An update rollup for System Center Configuration Manager current branch, version 1702, is now available. This update is available for installation in the Updates and Servicing node of the Configuration Manager console. Please note that if the Service Connection Point is in offline mode, you must re-import the update so that it is listed in the Configuration Manager console. Refer to Updates for System Center Configuration Manager for details.

For complete details regarding the update rollup for ConfigMgr current branch v1702, including the list of issues that are fixed, please see the following:

4019926 – Update rollup for System Center Configuration Manager current branch, version 1702 (https://support.microsoft.com/help/4019926)

Update 1706 for Configuration Manager Technical Preview released

We are happy to let you know that update 1705 for the Technical Preview Branch of System Center Configuration Manager has been released. Technical Preview Branch releases give you an opportunity to try out new Configuration Manager features in a test environment before they are made generally available. For information on this month’s new preview features, please see the following:

Update 1706 for Configuration Manager Technical Preview Branch – Available Now!

HOTFIX: Provisioning not completed when creating a Cloud Management Gateway in Configuration Manager version 1702

If you have the Update rollup for Configuration Manager current branch version 1702 installed and you try to create a new Cloud Management Gateway (CMG)  in the Configuration Manager console, the provisioning cannot be completed. The status in the console remains displayed as “Provisioning.” If you also check the cloud service status from the Azure Portal, you find that the service keeps being provisioned.

We have released a hotfix that resolves this issue. For the latest information about the issue as well as how to obtain and install the hotfix, please see the following:

4033015 – Provisioning not completed when creating a Cloud Management Gateway in System Center Configuration Manager version 1702 (https://support.microsoft.com/help/4033015)

Update 1707 for Configuration Manager Technical Preview released

We are happy to let you know that update 1707 for the Technical Preview Branch of System Center Configuration Manager has been released. Technical Preview Branch releases give you an opportunity to try out new Configuration Manager features in a test environment before they are made generally available. For information on this month’s new preview features, please see the following:

Update 1707 for Configuration Manager Technical Preview Branch – Available Now!

Hotfix: Client update for System Center Configuration Manager current branch, version 1702

We have released a client update that fixes the following two issues:

  • Software update download failures from Microsoft Update
  • Content distribution failure if the SMS Agent Host service or the client computer is restarted during download.

For more details about the issues and symptoms, and installation instructions please see: 4035759 – Client update for System...

Update 1706 for Microsoft System Center Configuration Manager is now available

Happy Friday! We are delighted to announce that we have released version 1706 for the Current Branch (CB) of System Center Configuration Manager. To read about all of the great new features and enhancements that have been made, plus how to get the update today, check out this post by the Configuration Manager product team....

Recently Published KB Articles for System Center Configuration Manager

Hello Everyone, we have recently published the following Knowledge Base (KB) articles.

KB 4034393 Getting network captures from a task sequence in ConfigMgr

This is a how-to article about capturing a network trace in a Windows PE environment. For the step by step see https://support.microsoft.com/en-us/help/4034393.

KB 4035047 Configuration Manager 2007 client operations fail after you install a May 2017 security update for Windows Server 2008 or 2008 R2

This KB article describes client operations failures resulting from problems accessing the ConfigMgr 2007 server locator point after installation of one of the May 2017 security updates for Windows Server 2008 or 2008 R2. For more information and workarounds see http://support.microsoft.com/help/4035047.

ConfigMgr 1702: Adding a new Secondary Replica to an existing SQL AO AG

Hello everyone,

Our colleague Umair Khan has a helpful post on his blog where he and Sean Mahoney walk through adding a new secondary replica node to an existing SQL Server Always On availability group for a primary site server.

This process involves several steps:

  • Adding the new server as a secondary replica.
  • Stopping the Configuration Manager site.
  • Backing up and restoring the site database from the primary replica to the new secondary replica.
  • Configuring each secondary replica.

Umair and Sean call out the issues that are specific to primary site servers. You’ll find the complete text for Umair’s post here:

ConfigMgr 1702: Adding a new node (Secondary Replica) to an existing SQL AO AG

Error: “There are no task sequences available to this computer” during a PXE boot

Starting with System Center Configuration Manager, version 1702, unknown computers that are started from media or PXE may not find task sequences targeted to them. The SMSTS.log shows:

There are no task sequences available to this computer. Please ensure you have at least one task sequence advertised to this computer"
 Unspecified error (Error: 80004005; Source: Windows)

This issue may occur if the Previous button on the “Select a task sequence to run” page is selected on the unknown computer.

This is a known issue that is now fixed by applying Update rollup for System Center Configuration Manager current branch, version 1702.

Refresh of Update 1706 for System Center Configuration Manager (Current Branch)

On July 28th we released version 1706 for the Current Branch of System Center Configuration Manager and made it available for customers to opt-in for early deployments. On August 8th, we updated the 1706 package to address a few issues found during these initial deployments. We quickly noticed that we had a problem with both download and the package. We pulled it and replaced it with a fixed version as fast as we could but a small number of customers still managed to install it during this time window. We have already released a hotfix targeted to those customers to update them to the latest build. This hotfix will be available in the Updates and Servicing node of the Configuration Manager console. For more information, please see:

KB 4039380: Update for System Center Configuration Manager version 1706, first wave

Also, if you have installed the original version of the 1706 update, we will have a hotfix package for you in the coming weeks to bring you up to the latest build.

For assistance with the upgrade process please post your questions in the Site and Client Deployment forum. To provide feedback or report any issues with the functionality included in this release, please use Connect.

Thank you,

The System Center Configuration Manager team

High CPU/High Memory in WSUS following Update Tuesdays

Recently, we’ve seen an increase in the number of high CPU/High Memory usage problems with WSUS, including WSUS in a System Center Configuration Manager environment – these have mostly corresponded with Update Tuesdays.

Microsoft support has determined that the issue is driven primarily by the Windows 10 1607 updates, for example KB4022723, KB4022715, KB4025339, etc. See here for the list of Windows 10 1607 updates.

Microsoft is also aware of a known issue with KB4034658 that will cause Windows 10 1607 clients to run a full scan after install – Microsoft is investigating and the latest information is available here.

These updates have large metadata payloads for the dependent (child) packages because they roll up a large number of binaries. Windows 10, versions 1507 (Windows 10 RTM) and 1511 updates can also cause this, though to a lesser extent.  Windows 10, version 1703 is still recent enough that the metadata is not that large yet (but will continue to grow).

Symptom

The symptoms include:

  • High CPU on your WSUS server – 70-100% CPU in w3wp.exe hosting WsusPool
  • High memory in the w3wp.exe process hosting the WsusPool – customers have reported memory usage approaching 24GB
  • Constant recycling of the W3wp.exe hosting the WsusPool (identifiable by the PID changing)
  • Clients failing to scan with 8024401c (timeout) errors in the WindowsUpdate.log
  • Mostly 500 errors for the /ClientWebService/Client.asmx requests in the IIS logs

Cause

Microsoft support has determined that the issue is driven primarily by the Windows 10 1607 updates, for example KB4022723, KB4022715, KB4025339, etc. See here for the list of Windows 10 1607 updates.

These updates have large metadata payloads for the dependent (child) packages because they roll up a large number of binaries. Windows 10, versions 1507 (Windows 10 RTM) and 1511 updates can also cause this, though to a lesser extent. Windows 10, version 1703 is still recent enough that the metadata is not that large yet (but will continue to grow).

How to determine if the 1607 Updates are the cause

To determine if WSUS is affected by this problem, decline the Windows 10 updates (including the latest cumulative update). If CPU and memory quickly drop back to normal, then the issue is likely the result of metadata size from the Windows 10 updates. They can be reapproved after you have determined if the updates are causing this issue, assuming you want to deploy them.

If declining the Windows 10 updates does not help, then the problem may be due to too many superseded updates in the WSUS server. Take the steps outlined in The Complete Guide to Microsoft WSUS and Configuration Manager SUP maintenance to decline the superseded updates. If, after doing this you are still having problems, read on.

This blog post may help alleviate some of these problems, but is not a magic bullet. After these changes are made, you will still see high CPU and memory until the system stabilizes as I explain further down.

WSUS Caching

WSUS has a caching mechanism whereby the first time update metadata is requested by any client WSUS will store it in memory. Further requests for the same update revision will retrieve the update metadata from memory instead of reading it from the database. Some of the metadata in the database is compressed, so not only must it be retrieved, it must be decompressed into memory, which is an expensive operation.

You can monitor the current number of updates stored in the cache via Performance Monitor with the counter WSUS: Client Web Service/Cache size and instance spgetcorexml. Keep in mind that this counter provides the number of cached items, not the amount of memory consumed by cached metadata. w3wp.exe process memory can be used as a proxy for the amount of space consumed by the metadata cache.

The Problem

For large metadata packages and many simultaneous requests, it can take longer than ASP.NET’s default timeout of 110 seconds to retrieve all of the metadata the client needs. When the timeout is hit, ASP.NET disconnects the client and aborts the thread doing the metadata retrieval. If you look at Program Files\Update Services\LogFiles\SoftwareDistribution.log, the abort looks like this:

System.Threading.ThreadAbortException: Thread was being aborted.
   at System.Buffer.__Memcpy(Byte* dest, Byte* src, Int32 len)
   at System.Buffer._Memcpy(Byte* dest, Byte* src, Int32 len)  
   at System.Buffer.Memcpy(Byte* dest, Byte* src, Int32 len)  
   at System.String.CtorCharPtrStartLength(Char* ptr, Int32 startIndex, Int32 length)   
   at Microsoft.UpdateServices.Internal.CabUtilities.ExpandMemoryCabToString(Byte[] src)   
   at Microsoft.UpdateServices.Internal.DataAccess.ExecuteSpGetCoreUpdateXml(Int32[] revisionIds)
   at Microsoft.UpdateServices.Internal.DataAccessCache.GetCoreUpdateXml(Int32[] revisionIds, DataAccess da, Int64 maxXmlPerRequest)
   at Microsoft.UpdateServices.Internal.ClientImplementation.GetSyncInfo(Version clientProtocolVersion, DataAccess dataAccess, Hashtable stateTable, Hashtable deploymentTable, Boolean haveGroupsChanged, Boolean driverSyncNeeded, Boolean doChunking)
   at Microsoft.UpdateServices.Internal.ClientImplementation.SoftwareSync(DataAccess dataAccess, UnencryptedCookieData cookieData, Int32[] installedNonLeafUpdateIds, Int32[] leafUpdateIds, Boolean haveGroupsChanged, Boolean expressQuery, Guid[] filterCategoryIds, Boolean needTwoGroupOutOfScopeUpdates)
   at Microsoft.UpdateServices.Internal.ClientImplementation.SyncUpdates(Cookie cookie, SyncUpdateParameters parameters)
   at Microsoft.UpdateServices.Internal.ClientImplementation.SyncUpdates(Cookie cookie, SyncUpdateParameters parameters)

Note: What you are looking for is a ThreadAbortException with ExecuteSpGetCoreUpdateXml on the stack (ThreadAbortExceptions could happen for other reasons as well – we are concerned with this specific scenario).

When the thread abort happens, all of the metadata that has been retrieved to that point is discarded and is not cached. As a result, WSUS enters a continuous cycle where the data isn’t cached, the clients can never complete the scan and continue to rescan.
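
The check described in the Note above, as an added example that is not part of the original post: it separates ThreadAbortException entries that have ExecuteSpGetCoreUpdateXml on the stack from aborts with other causes. The function name `Get-WsusThreadAbort`, the sample log lines and the `Contoso.Sample.OtherWork.Run` frame are constructed for illustration; only the exception type and the WSUS frame names come from the excerpt above.

```powershell
# Added example (not from the original post).
# Groups each ThreadAbortException with the "at ..." stack frames that follow it
# and flags the records where ExecuteSpGetCoreUpdateXml is on the stack.
function Get-WsusThreadAbort {
    param(
        [Parameter(Mandatory = $true)]
        [AllowEmptyString()]
        [string[]]$Line
    )

    $found      = New-Object System.Collections.Generic.List[object]
    $current    = $null
    $lineNumber = 0

    foreach ($text in $Line) {
        $lineNumber++
        if ($text -match 'System\.Threading\.ThreadAbortException') {
            # A new exception record starts; store the previous one first.
            if ($null -ne $current) { $found.Add($current) }
            $current = [pscustomobject]@{
                LineNumber        = $lineNumber
                FrameCount        = 0
                MetadataRetrieval = $false
            }
        }
        elseif ($null -ne $current -and $text -match '^\s+at\s+([^\s(]+)\(') {
            # Stack frame belonging to the current exception.
            $current.FrameCount++
            if ($Matches[1] -like '*.ExecuteSpGetCoreUpdateXml') {
                $current.MetadataRetrieval = $true
            }
        }
        elseif ($null -ne $current) {
            # Any other line ends the stack of the current exception.
            $found.Add($current)
            $current = $null
        }
    }
    if ($null -ne $current) { $found.Add($current) }
    return $found
}

# Constructed sample input: one abort during metadata retrieval, one unrelated abort.
$sampleLog = @'
2017-08-15 10:02:11 UTC  Error  w3wp.41  System.Threading.ThreadAbortException: Thread was being aborted.
   at Microsoft.UpdateServices.Internal.CabUtilities.ExpandMemoryCabToString(Byte[] src)
   at Microsoft.UpdateServices.Internal.DataAccess.ExecuteSpGetCoreUpdateXml(Int32[] revisionIds)
   at Microsoft.UpdateServices.Internal.ClientImplementation.SyncUpdates(Cookie cookie, SyncUpdateParameters parameters)
2017-08-15 10:02:12 UTC  Info  w3wp.12  constructed unrelated entry
2017-08-15 10:03:40 UTC  Error  w3wp.9  System.Threading.ThreadAbortException: Thread was being aborted.
   at Contoso.Sample.OtherWork.Run()
'@ -split "`r?`n"

$aborts   = @(Get-WsusThreadAbort -Line $sampleLog)
$metadata = @($aborts | Where-Object { $_.MetadataRetrieval })

$aborts | Format-Table LineNumber, FrameCount, MetadataRetrieval -AutoSize
"{0} of {1} thread aborts have ExecuteSpGetCoreUpdateXml on the stack" -f $metadata.Count, $aborts.Count

# Against the real log on a WSUS server:
# Get-WsusThreadAbort -Line (Get-Content "$env:ProgramFiles\Update Services\LogFiles\SoftwareDistribution.log")
```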

Another issue that can occur is the WSUS application pool keeps recycling because it exceeds the private memory threshold (which it is very likely to do if the limit is still the default of 1843200). This recycles the app pool, and thus the cached updates, and forces WSUS to go back through retrieving updates from the database and caching them.

Solution

Configure IIS to stop recycling the App Pool

The goal is to stop the app pool from recycling, since a recycle clears the cache. The IIS default Private Memory Limit of 1843200 KB will cause the pool to recycle constantly. We want to make sure it doesn’t recycle unless we intentionally restart the app pool.

  • Open IIS Manager for the WSUS server
  • Expand <Server name> and click Application Pools.
  • Find WSUSPool > Right-click > Advanced Settings.
  • Find the setting Private Memory Limit (KB) under Recycling and set it to 0.
    • Check and verify Virtual Memory Limit (KB) is set to 0.
    • This will prevent IIS from recycling due to a memory limit.
  • Find the setting Regular Time Interval (minutes) below the Private Memory limit and set to 0.
  • Find the Ping Enabled setting and set it to False.
    • This will prevent IIS from recycling the pool if it gets too busy and doesn’t respond to the ping.
  • Click OK.
  • From an elevated command prompt, run IISReset to restart IIS.

Limit the number of inbound connections to WSUS

Reducing the number of allowed connections will cause clients to receive 503 errors (service not available), but they will retry. If the performance counter Web Services | Current Connections for the website on which WSUS is hosted has more than 1000 connections, complete this step:

  • Open IIS Manager for the WSUS server.
  • Expand <Server name> and then Sites.
  • Select the site hosting WSUS.
    • If you aren’t sure, expand each site and look for the ClientWebService directory underneath it – that is the WSUS site the clients use.
  • With the site selected, click the Limits link in the toolbar on the right side.
  • Check the option Limit number of connections and change it to 1000 (or even smaller).
  • Click OK to save the changes.
  • From an elevated command prompt, run IISReset to restart IIS.
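The two IIS Manager procedures above (stop the WSUSPool from recycling, then cap inbound connections) can also be scripted. This is an added example, not part of the original post; it assumes the WebAdministration module that ships with IIS and an elevated PowerShell session on the WSUS server.

```powershell
# Added example, not from the original post. Run elevated on the WSUS server.
Import-Module WebAdministration

$pool = 'IIS:\AppPools\WsusPool'   # the pool the post calls WSUSPool

# Disable every recycle trigger the post lists: private memory limit,
# virtual memory limit, regular time interval, and the worker-process ping.
Set-ItemProperty $pool -Name recycling.periodicRestart.privateMemory -Value 0
Set-ItemProperty $pool -Name recycling.periodicRestart.memory        -Value 0
Set-ItemProperty $pool -Name recycling.periodicRestart.time          -Value ([TimeSpan]::Zero)
Set-ItemProperty $pool -Name processModel.pingingEnabled             -Value $false

# Find the site hosting WSUS: the one with a ClientWebService application under it.
$site = Get-Website | Where-Object {
    Get-WebApplication -Site $_.Name -Name 'ClientWebService'
} | Select-Object -First 1
if (-not $site) { throw 'No IIS site with a ClientWebService application was found.' }

# Apply the connection limit only when the site is above the post's threshold of 1000.
$counter = "\Web Service($($site.Name))\Current Connections"
$current = (Get-Counter $counter).CounterSamples[0].CookedValue
if ($current -gt 1000) {
    Set-ItemProperty "IIS:\Sites\$($site.Name)" -Name limits.maxConnections -Value 1000
}

# Read the values back so the change can be verified and recorded.
[pscustomobject]@{
    Site               = $site.Name
    CurrentConnections = $current
    PrivateMemoryKB    = (Get-ItemProperty $pool -Name recycling.periodicRestart.privateMemory).Value
    VirtualMemoryKB    = (Get-ItemProperty $pool -Name recycling.periodicRestart.memory).Value
    RegularInterval    = (Get-ItemProperty $pool -Name recycling.periodicRestart.time).Value
    PingEnabled        = (Get-ItemProperty $pool -Name processModel.pingingEnabled).Value
    MaxConnections     = (Get-ItemProperty "IIS:\Sites\$($site.Name)" -Name limits.maxConnections).Value
} | Format-List

# Restart IIS, as in the last step of each procedure.
iisreset
```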

Increase the ASP.NET timeout

  • Make a copy of \Program Files\Update Services\WebServices\ClientWebService\Web.Config.
  • Open \Program Files\Update Services\WebServices\ClientWebService\Web.Config.
  • Find the element “<httpRuntime”. It will look like this (in an unmodified web.config):
<httpRuntime maxRequestLength="4096" />
  • Modify httpRuntime by adding an executionTimeout attribute:
<httpRuntime maxRequestLength="4096" executionTimeout="3600" />
  • Save the web.config to a different location and copy the modified one into the directory.
  • From an elevated command prompt, run IISReset to restart IIS.

Monitor

Open Windows Performance Monitor and add the following counters:

  • WSUS: Client Web Service | Cache Size counter for spgetcorexml instance.
  • Process | Private Memory counters.
    • If there is more than one w3wp.exe, add them all – the one with the highest memory usage is probably the WSUSPool, but you can also add Process | ID Process to determine which worker process should be monitored.

Monitor the cache size counter – it should increase and eventually reach a peak value that does not change. This indicates all metadata that clients need is cached. It can take several hours for this to stabilize, so be patient.

Monitor the IIS logs and filter on ClientWebService/Client.asmx. The majority will be 500s, but as the cache increases, the number of 200s will increase with it. Once the cache is fully built, you should see mostly 200s.
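One way to watch the 500-to-200 shift described above is to tally Client.asmx responses per hour from the IIS W3C log. This is an added example, not part of the original post; the log lines are constructed sample data and the function name is hypothetical.

```powershell
# Added example. Constructed sample in IIS W3C format; for real data use
# Get-Content on the WSUS site's log file instead of this here-string.
$log = @'
#Software: Microsoft Internet Information Services 10.0
#Fields: date time cs-method cs-uri-stem s-port sc-status time-taken
2017-09-01 10:02:11 POST /ClientWebService/Client.asmx 8530 500 180003
2017-09-01 10:14:40 POST /ClientWebService/Client.asmx 8530 500 179998
2017-09-01 10:31:05 POST /ClientWebService/Client.asmx 8530 200 95012
2017-09-01 10:40:19 POST /SimpleAuthWebService/SimpleAuth.asmx 8530 200 31
2017-09-01 13:05:52 POST /ClientWebService/Client.asmx 8530 200 2210
2017-09-01 13:20:08 POST /ClientWebService/Client.asmx 8530 200 1875
2017-09-01 13:44:30 POST /ClientWebService/Client.asmx 8530 500 180001
2017-09-01 13:59:01 POST /ClientWebService/Client.asmx 8530 200 1630
'@ -split "`r?`n"

function Get-WsusScanStatusByHour {
    param([string[]]$Lines)
    $fields = @()
    $rows = foreach ($line in $Lines) {
        # The #Fields directive names the columns; it can change mid-file.
        if ($line -like '#Fields:*') {
            $fields = ($line -replace '^#Fields:\s*').Trim() -split '\s+'
            continue
        }
        if ($line -like '#*' -or -not $line.Trim()) { continue }
        $values = $line -split ' '
        $rec = @{}
        for ($i = 0; $i -lt $fields.Count -and $i -lt $values.Count; $i++) {
            $rec[$fields[$i]] = $values[$i]
        }
        # Keep only client scan traffic.
        if ($rec['cs-uri-stem'] -notlike '*/ClientWebService/Client.asmx') { continue }
        [pscustomobject]@{
            Hour   = '{0} {1}:00' -f $rec['date'], $rec['time'].Substring(0, 2)
            Status = $rec['sc-status']
        }
    }
    $rows | Group-Object Hour | Sort-Object Name | ForEach-Object {
        $ok  = @($_.Group | Where-Object Status -eq '200').Count
        $err = @($_.Group | Where-Object Status -like '5*').Count
        [pscustomobject]@{
            Hour = $_.Name; Total = $_.Count; Http200 = $ok; Http5xx = $err
            PctOk = [math]::Round(100 * $ok / $_.Count, 1)
        }
    }
}

Get-WsusScanStatusByHour -Lines $log | Format-Table -AutoSize
```

A rising PctOk alongside a rising cache size counter indicates the cache is building; a drop back toward mostly 500s after a peak points to a recycle or cache purge.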

If you see the cache size drop, then one of two things has happened:

  1. The App pool was recycled (or it crashed), or
  2. The cache was purged due to memory pressure

If the app pool process ID didn’t change and you didn’t make any changes to IIS config that would cause the app domain to unload (such as changing IIS connection limit), then you have most likely hit scenario #2. To get around this, you can force the cache to be a certain size before items will be trimmed from it. You can also make this change beforehand if you wish.

  • Make a copy of \Program Files\Update Services\WebServices\ClientWebService\Web.Config.
  • Open \Program Files\Update Services\WebServices\ClientWebService\Web.Config.
  • Find the element <system.web>.
  • Immediately under it add a new element:
<caching>
          <cache privateBytesLimit = "8000000000"/>
</caching>
  • The privateBytesLimit value can be changed to be larger. 8,000,000,000 is usually enough.
  • Save the web.config to someplace else, backup the old one, then copy the modified one into the directory.
  • From an elevated command prompt, run IISReset to restart IIS.

Again, monitor the cache size. If it continues to bounce around, the PID isn’t changing, and memory is high (> 8GB), then you probably need to increase the privateBytesLimit further.

Cumulative Update 6 for Configuration Manager UNIX and Linux clients is now available

Happy Friday! We are happy to announce that CU6 for the Configuration Manager UNIX and Linux clients is now available. To get more information about this update, check out this post.

Update 2 for Configuration Manager current branch, version 1706 first wave is now available


Administrators who opted-in to the first (early) wave deployment for System Center Configuration Manager current branch, version 1706, have an update available in the Updates and Servicing node of the Configuration Manager console. This update, made available on August 31, 2017, addresses important late-breaking issues that were discovered during the final release process for version 1706. 

For more information, including the issues fixed and the applicability of the update, please read:

4036267 : Update 2 for System Center Configuration Manager version 1706, first wave – https://support.microsoft.com/help/4036267

HOTFIX: Clients cannot download peer cache content in Configuration Manager version 1706


After you upgrade to Configuration Manager current branch version 1706, clients may not be able to download content from peer cache sources.  We have released a hotfix that resolves this issue.  This is a targeted hotfix and will be available in the Updates and Servicing node of the Configuration Manager console for sites that need it.

For the latest information about the issue and how to install the hotfix, please see the following:

4042345 Clients cannot download peer cache content in Configuration Manager version 1706 (https://support.microsoft.com/help/4042345)

Recently Published KB articles and Support Content 9-15-2017


We have recently published or updated the following support content for Configuration Manager.

How-To or Troubleshooting

10082 Troubleshooting PXE boot issues in Configuration Manager

  • Online Troubleshooting Guide that helps administrators diagnose and resolve PXE boot failures in System Center 2012 Configuration Manager (ConfigMgr 2012 or ConfigMgr 2012 R2) and later versions. Read More https://support.microsoft.com/help/10082.

4040243 How to enable TLS 1.2 for Configuration Manager

  • This article describes how to enable TLS 1.2 for Microsoft System Center Configuration Manager. This description includes individual components, update requirements for commonly-used Configuration manager features, and high-level troubleshooting information for common problems.  Read More https://support.microsoft.com/help/4040243/.

Issue Resolution

4037828 Summary of changes in System Center Configuration Manager current branch, version 1706

  • Release version 1706 of System Center Configuration Manager Current Branch contains many changes to help you avoid issues and many feature improvements. The “Issues that are fixed” list is not inclusive of all changes. Instead, it highlights the changes that the product development team believes are the most relevant to the broad customer base for Configuration Manager. Read More https://support.microsoft.com/help/4037828.

4036267 Update 2 for System Center Configuration Manager version 1706, first wave

  • An update is available to administrators who opted in through a PowerShell script to the first wave (early update ring) deployment for System Center Configuration Manager current branch, version 1706. You can access the update in the Updates and Servicing node of the Configuration Manager console. This update addresses important late-breaking issues that were resolved after version 1706 became available globally. Read more https://support.microsoft.com/help/4036267.

4039380 Update for System Center Configuration Manager version 1706, first wave

  • This update addresses important issues in the first wave (early update ring) deployment for Microsoft System Center Configuration Manager current branch, version 1706. This update is no longer available and has been replaced by update KB 4036267. Read more https://support.microsoft.com/help/4039380.

4041012 1702 clients do not get software updates from Configuration Manager

  • After installing Configuration Manager version 1702, newly installed clients are unable to get updates from the Software Update Point. This can also occur if the Software Update Point is moved to a different server after installation of version 1702.  Read More https://support.microsoft.com/help/4041012.

4019125 FIX: System Center Configuration Manager replication process by using BCP APIs fails when there is a large value in an XML column. Read More https://support.microsoft.com/help/4019125.

4038659 Existing computer records are not updated when new information is imported in System Center Configuration Manager version 1702

  • When new information for an existing computer is imported, either through the Configuration Manager console or the ImportMachineEntry method, a new record is created for that computer. This causes changes to the existing collection membership, discovery properties, and task sequence variables for that computer. Read More https://support.microsoft.com/help/4038659.

Configuration Manager Reaches 25 Years


Twenty-five years ago, in the summer of 1992, planning for a new product began…

Read Brad Anderson’s post on the EMS blog and preview how we built it.

Using ConfigMgr With Windows 10 WUfB Deferral Policies


Important: Configuration Manager current branch version 1706 is needed for any ConfigMgr environment using WUfB deferral policies. ConfigMgr client version 1702 will periodically delete all WUfB deferral policies, if configured. This could lead to unintended results. 


As you are probably aware, Windows 10 version 1607 introduced new Dual Scan behavior for enterprises that wanted Windows Update (WU) to be their primary update source while Windows Server Update Services (WSUS) provided all other content.  In this scenario, the WU client automatically scans against both WSUS and WU, but it only accepts scan results for Windows content from WU. Stated another way, the Dual Scan enabled client ignores anything on WSUS from the “Windows” product family. If you configure a combination of Windows Update group policies (or their MDM equivalents, or the underlying registry keys corresponding to either set of policies), then Dual Scan will be automatically enabled. These policies are:

  • Specify intranet Microsoft update service location (i.e. WSUS)

and

  • Either of the “deferral” policies belonging to Windows Update for Business
    • Select when Feature Updates are received
    • Select when Quality Updates are received

To defer updates, many enterprise customers used the configuration above prior to 1607. For them, the new Dual Scan behavior was an unwelcome change, as it broke ConfigMgr software update deployments for any updates within the “Windows” product family. Demystifying “Dual Scan” provides details about Dual Scan as well as settings that enterprises can use to work around the new behavior.

The October cumulative update for 1703 includes new functionality and a new policy that allows Dual Scan to be disabled. The new policy, “Do not allow update deferral policies to cause scans against Windows Update”, when enabled, will disable Dual Scan. This gives enterprises that wish to configure deferral policies the ability to do so without being concerned that Dual Scan will override administrator intent.

[Image: policy to disable dual scan]

NOTE: You can only configure the new policy, “Do not allow update deferral policies to cause scans against Windows Update”, via local group policy for now. Updated administrator template files will be available later this fall that will allow you to configure this policy at a domain level.

It is important to understand the expected behavior as it relates to ConfigMgr.

  • Windows Update for Business deferral policy configured and deployed via ConfigMgr (Windows 10 version 1703 and higher) – If you configure and deploy WUfB deferral policy via ConfigMgr, Dual Scan will be automatically enabled*. That is, “Do not allow update deferral policies to cause scans against Windows Update” will be set to disabled on any ConfigMgr client where the WUfB deferral policy is deployed. Even if you enable “Do not allow update deferral policies to cause scans against Windows Update” at the domain level, that setting will be periodically overwritten by the ConfigMgr client. *Assumes that the “Specify intranet Microsoft update service location” policy is set to Enabled.
  • Windows Update for Business deferral policy and Dual Scan disable policy configured and deployed via GPO – If you configure WUfB deferral policy as well as disable Dual Scan (e.g. enable the new policy) via GPO, those settings will be preserved by the ConfigMgr client.

To summarize:

  1. To use WUfB deferral policies while disabling Dual Scan, use GPO to configure all required settings.
  2. To use Dual Scan with WUfB deferral policies, configure and deploy WUfB policy via ConfigMgr.
  3. And if you’re still managing some Windows 10 version 1607 clients, the August cumulative update for 1607 also includes the new Dual Scan policy. You can use GPO to set deferral policies and disable Dual Scan when running ConfigMgr version 1706.
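To audit which state a client is actually in, the policy combination described above can be evaluated from the Group Policy registry values. This is an added example, not part of the original post: the registry value names are not given on the page, the function names are hypothetical, and the check covers only the Group Policy location, not the MDM equivalents.

```powershell
# Added example. Classifies a Windows Update policy set using the rules in the post:
# Dual Scan turns on when a WSUS location AND a WUfB deferral policy are both set,
# unless "Do not allow update deferral policies to cause scans against Windows
# Update" (registry value DisableDualScan) is enabled.
function Get-DualScanState {
    param([hashtable]$Policy)
    $wsus     = -not [string]::IsNullOrEmpty($Policy['WUServer'])
    $deferral = ($Policy['DeferFeatureUpdates'] -eq 1) -or
                ($Policy['DeferQualityUpdates'] -eq 1)
    $blocked  = $Policy['DisableDualScan'] -eq 1
    if (-not ($wsus -and $deferral)) { return 'NotTriggered' }
    if ($blocked)                    { return 'DisabledByPolicy' }
    return 'DualScanActive'
}

# Reads the Group Policy values from the local machine (Windows only).
function Read-WindowsUpdatePolicy {
    $key   = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
    $names = 'WUServer', 'DeferFeatureUpdates', 'DeferQualityUpdates', 'DisableDualScan'
    $out   = @{}
    $item  = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
    if ($item) { foreach ($n in $names) { $out[$n] = $item.$n } }
    $out
}

# Constructed samples covering the three outcomes (server name is a placeholder).
$samples = [ordered]@{
    'WSUS only'                 = @{ WUServer = 'http://wsus.example.test:8530' }
    'WSUS + deferral'           = @{ WUServer = 'http://wsus.example.test:8530'
                                     DeferQualityUpdates = 1 }
    'WSUS + deferral + disable' = @{ WUServer = 'http://wsus.example.test:8530'
                                     DeferFeatureUpdates = 1; DisableDualScan = 1 }
}
foreach ($name in $samples.Keys) {
    '{0,-28} {1}' -f $name, (Get-DualScanState -Policy $samples[$name])
}

# Live check on this machine.
'{0,-28} {1}' -f 'This computer', (Get-DualScanState -Policy (Read-WindowsUpdatePolicy))
```

Because the ConfigMgr client periodically rewrites the setting when it deploys the deferral policy, a single reading of DisabledByPolicy on such a client is not conclusive; repeat the check after a policy cycle.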

 
