How to Clean Microsoft WSUS Content Folder from Old and unneeded Products

Posted by Ahmed Nabil In , | 10 comments»
Microsoft WSUS administrators sometimes tend to select all given Products (Options - Products and Classifications) and by time the WSUS content folder grows dramatically till it fill all disk space. If the WSUS administrator tries to uncheck or deselect unneeded products later on, this won't save or minimize the current space.

So how do the WSUS updates gets downloaded/Propagated on the WSUS server ?


  1. WSUS server contacts the Microsoft Update servers and will only downloads the metadata (Not complete Full Update Package)
  2. The Binaries or the actual downloads are only downloaded when you approve them manually or if there is an Auto approval rule configured.

In order to clean the WSUS content folder from old/unneeded  or unused products you have to do the following:

  1. Under Options - Update Files and Languages, Remove the check box for download Express Installation files (This is optional recommendation depending on your environment).
  2. In the Options - Products and Classifications, select only the needed products.
  3. On WSUS console- decline all approved updated which were either installed or not applicable.
  4. Delete the WsusContent Folder.
  5. Navigate to the C:/program files/updates services/tools on the WSUS server
  6. Run WSUSutil.exe Reset


On the next download cycle it will download only the updates which have been listed in products and classifications and which have not been declined.

Also Its recommended to install all Latest WSUS updates and hotfixes.


Windows 7 UAG Direct Access Clients Cannot RDP Server 2012 Domain Controllers

Posted by Ahmed Nabil In | 2 comments»
After upgrading our domain Controllers, DNS and DHCP servers to the latest Windows Server 2012, I noticed that our Windows 7 UAG DirectAccess clients are not able to RDP (Remote Desktop/MSTSC) to the new Server 2012 Domain Controllers. The same client can ping the 2012 Domain Controller and 2012 DNS server without any problem however all RDP traffic fails.


The weird thing was that at the same time these clients (Windows 7 DirectAccess UAG clients) can ping and RDP/MSTSC any other Windows 2012 member server without any problem at all.

I did some intensive checks and research on the Internet but could not find anything regarding Server 2012 domain controllers issues with UAG based Direct Access, As per Microsoft Escalation team recommendation we did a full tracing scenario on both the UAG and Windows 7 client. 

I tried to reproduce the problem while turning simultaneous capture on both the client and the UAG server using the below Scenario


Netsh wfp capture start

netsh trace start scenario=directaccess capture=yes report=yes

Tried both RDP and Ping to the Problematic Windows server 2012 domain Controller

Netsh trace stop
Netsh wfp capture stop


After Analyzing the captured logs, it was noticed that the DA client is using an Expired Security Association when it cannot access the 2012 server. Tracing from UAG server showing the RDP traffic dropped on UAG Server due to the following error. 

“STATUS_IPSEC_WRONG_SA”

Resolution:

This problem was fixed by installing the hotfix for IKEEXT.dll on the UAG 2010 DA server and on the Windows 7 DA client. It should be noted that this fix is only for 2008R2 servers and Windows 7 Clients

2801453-Delay during IPsec renegotiation on a computer that is running Windows 7 or Windows Server 2008 R2


After installing this fix on both the UAG server and Windows 7 client, i was able to RDP/MSTSC the 2012 Domain Controller/DNS without any problems.



The Card Supplied Requires Drivers that are not present on this System

Posted by Ahmed Nabil | 1 comments»
I recently started getting the above mentioned Logon warning Message (Check below screen shot) while logging on my old 2003 and 2003R2 servers using Remote Desktop. I was using a fairly new Windows 8 Laptop.



This warning is mainly related to trying to redirect the smart card to the RDP session. This issue didn't occur with Server 2008 or 2008R2 because the driver store in 2008 and above is huge and incorporates a lot of drivers while mostly the 2003 system doesn't have the needed driver.

If you passed by this issue then you have three different options as follows:


  1. Disable this device on the laptop (If its not used) and it won't be redirected.
  2. Install the Smart Card driver on the 2003 server (You may face some problems for driver availability and compatibility).
  3. Uncheck the smart card box in the MSTSC settings before establishing the RDP session.

I picked option 3 which was the safest and convenient option by unchecking the Smart Card from the MSTSC settings - Show Options - Local Resources - Local Devices and Resources - More - Uncheck the Smart Card option.

After that you can RDP normally to any old 2003 server without getting this warning.


A new MVP is here from Egypt

Posted by Ahmed Nabil | 0 comments»
I am pleased to announce and share with you all that I have been awarded the prestigious Microsoft Most Valuable Professional (MVP) award in the Enterprise Security Area. It was a very exciting moment opening and going through the congratulations email.


Attached is the exact mail that I received.

Congratulations! We are pleased to present you with the 2013 Microsoft® MVP Award! This award is given to exceptional technical community leaders who actively share their high quality, real world expertise with others. We appreciate your outstanding contributions in Enterprise Security technical communities during the past year.

I am really honored to be associated with a great group of technical people around the whole world.  I’ll be aiming to continue my efforts to support the IT community all over the world and especially in my country and region for the next coming years. 

Thanks to everyone who supported me for the last year. Thanks for all my Blog followers, readers, friends........etc. I won't have made it without your feedback and comments.

Thanks to Microsoft for their support to the IT community and for recognizing our efforts.

You may check my MVP Profile here.

Thanks again to everyone.