Discussion:
Needing advice about citrix servers updating
Novoselik
2010-02-19 08:50:01 UTC
Hello,

our environment: Windows 2003 WSUS SP2 on Windows 2003 Native AD.

We patch servers with the option 2 GPO and a scheduled script that downloads and
installs patches and sends us a mail requesting one manual reboot (if it's
necessary).
The system works fine except with the citrix servers.

The problem with Citrix is: while we receive the mail requesting the reboot and
plan the reboot of the server, the users who are connected receive the pop-ups
requesting a reboot (they are not administrators and the reboot button is
greyed out).

Obviously, the "Allow non-administrators to receive update notifications" policy
is disabled.

Thanks a lot!!
Lawrence Garvin [MVP]
2010-02-19 17:56:14 UTC
Post by Novoselik
Hello,
The system works fine except with the citrix servers.
The problem with Citrix is: while we receive the mail requesting the reboot and
plan the reboot of the server, the users who are connected receive the pop-ups
requesting a reboot (they are not administrators and the reboot button is
greyed out).
Terminal Servers require *special* handling for installation of updates.

As a preliminary step to installing updates on a TS server you need to:

1. Ensure all TS client systems are LOGGED OFF.
2. Disable TS connectivity until the end of the maintenance window.

Then you can successfully install updates without unnecessarily interfering
with logged on users.
--
Lawrence Garvin, M.S., MCITP:EA, MCDBA, MCSA
Principal/CTO, Onsite Technology Solutions, Houston, Texas
Microsoft MVP - Software Distribution (2005-2010)

My Blog: http://onsitechsolutions.spaces.live.com
Microsoft WSUS Website: http://www.microsoft.com/wsus
My MVP Profile: http://mvp.support.microsoft.com/profile/Lawrence.Garvin
Novoselik
2010-02-22 09:41:01 UTC
Is there any possibility of only disabling the messages to the users? Or some
kind of automation of the patching of these servers?

thanks
Lawrence Garvin [MVP]
2010-02-22 16:51:07 UTC
Post by Novoselik
Is there any possibility of only disabling the messages to the users?
If the security permissions are set correctly, the users should not be
getting any messages on a terminal server,
but the fundamental defect here is in the process -- you should *not* be
updating a terminal server with active users... Period.
Post by Novoselik
or some kind of automation of the patching of these servers?
Absolutely not. A terminal server *needs* to be patched and rebooted in
SINGLE-USER mode.
--
Lawrence Garvin, M.S., MCITP:EA, MCDBA, MCSA
Principal/CTO, Onsite Technology Solutions, Houston, Texas
Microsoft MVP - Software Distribution (2005-2010)

My Blog: http://onsitechsolutions.spaces.live.com
Microsoft WSUS Website: http://www.microsoft.com/wsus
My MVP Profile: http://mvp.support.microsoft.com/profile/Lawrence.Garvin
Dave Mills
2010-02-24 04:29:30 UTC
On Mon, 22 Feb 2010 10:51:07 -0600, "Lawrence Garvin [MVP]"
Post by Lawrence Garvin [MVP]
Post by Novoselik
Is there any possibility of only disabling the messages to the users?
If the security permissions are set correctly, the users should not be
getting any messages on a terminal server,
but the fundamental defect here is in the process -- you should *not* be
updating a terminal server with active users... Period.
Post by Novoselik
or some kind of automation of the patching of these servers?
Absolutely not. A terminal server *needs* to be patched and rebooted in
SINGLE-USER mode.
This is quite easy to get wrong. When you are working down a list of servers
installing updates it is all too simple to get out of step and install the
updates before switching to single user mode. I assume from your answer that
wuauclt does not sort this out automatically. It should at least warn that
updates should not be installed because the server is not in Install Mode.
--
Dave Mills
There are 10 types of people, those that understand binary and those that don't.
Harry Johnston [MVP]
2010-02-24 19:30:53 UTC
I thought install mode was for legacy applications? Surely it isn't needed for
OS updates?

I agree unconditionally that updates shouldn't be installed when more than one
user is logged on. Personally, I recommend disabling end-user logon and
rebooting before installing updates, to make sure the system is in a clean
state. But I wouldn't have thought the server needed to be in install mode.

Harry.
--
Harry Johnston
http://harryjohnston.wordpress.com
Dave Mills
2010-02-26 04:42:10 UTC
On Thu, 25 Feb 2010 08:30:53 +1300, "Harry Johnston [MVP]"
Post by Harry Johnston [MVP]
I thought install mode was for legacy applications? Surely it isn't needed for
OS updates?
I agree unconditionally that updates shouldn't be installed when more than one
user is logged on. Personally, I recommend disabling end-user logon and
rebooting before installing updates, to make sure the system is in a clean
state. But I wouldn't have thought the server needed to be into install mode.
That is what I would have hoped for, but Lawrence is saying use single user mode.
I have never seen anything in the docs about this though, so we are all guessing
a bit. Certainly switching to single user mode and rebooting first would make
sure there were not going to be issues, but is it really necessary? What are the
risks if one forgets to do this?

We have all discussed the issues with installing updates and not rebooting, and
know that failing to reboot can make the system unstable until the reboot is
done, but I have no idea what the MS recommended procedure is for Terminal
Servers, nor what may go wrong if you don't do it right. Clearly installing
updates via an RDP session is OK in admin mode, but a Terminal Server does not
have an admin mode as such.
--
Dave Mills
There are 10 types of people, those that understand binary and those that don't.
Lawrence Garvin [MVP]
2010-02-26 15:17:19 UTC
Post by Dave Mills
On Thu, 25 Feb 2010 08:30:53 +1300, "Harry Johnston [MVP]"
Post by Harry Johnston [MVP]
I thought install mode was for legacy applications? Surely it isn't needed for
OS updates?
That is what I would have hoped for, but Lawrence is saying use single user mode.
I'm saying this in a philosophical sense, not in any consideration of a
specific operational mode of Terminal Services. To my knowledge there's no
specific setting required on the TS itself; the only intent is to have =no
users= logged onto sessions of the TS when the updates are installed, and so
that the TS can be immediately restarted after installation completes. The
challenge is to ensure nobody logs back onto the server while the
installations are being executed, or after the system restart before they've
been verified. To that point, Single User mode may be an advantage to
protect the process, but I don't believe it's an operational necessity of
actually installing updates.
Post by Dave Mills
Certainly switching to single user mode and rebooting first would make
sure there were not going to be issues, but is it really necessary? What are the
risks if one forgets to do this?
I agree, it would be an ideal operational practice . . . but unless one is
installing service packs or major application suites (like Office), I doubt
that this is necessary. Simply terminating all user sessions and keeping
users off the machine should be sufficient for standard security and
critical updates.
Post by Dave Mills
We have all discussed the issues with installing updates and not rebooting, and
know that failing to reboot can make the system unstable until the reboot is
done, but I have no idea what the MS recommended procedure is for Terminal
Servers, nor what may go wrong if you don't do it right.
Sadly, I've never seen any guidance from the TS group.
--
Lawrence Garvin, M.S., MCITP:EA, MCDBA, MCSA
Principal/CTO, Onsite Technology Solutions, Houston, Texas
Microsoft MVP - Software Distribution (2005-2010)

My Blog: http://onsitechsolutions.spaces.live.com
Microsoft WSUS Website: http://www.microsoft.com/wsus
My MVP Profile: http://mvp.support.microsoft.com/profile/Lawrence.Garvin
Dave Mills
2010-02-27 18:29:33 UTC
Still I feel a bit clearer after this little chat.
--
Dave Mills
There are 10 types of people, those that understand binary and those that don't.
Harry Johnston [MVP]
2010-02-23 03:27:27 UTC
The user group policy setting “Remove access to use all Windows Update features”
should suppress the messages. However, I entirely agree with what Lawrence
said: you should not install updates while users are logged in.

In fact, I'll go a step further: best practice is to only install updates once
you are ready to reboot the server. That is, there shouldn't be more than, say,
half an hour between when the updates are installed and when the server is rebooted.

Harry.
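The procedure the replies converge on (all user sessions logged off, new logons blocked for the whole window, install, reboot straight away, keep users off until verified) can be scripted so that the "install while users are on" mistake Dave describes cannot happen by accident. The script below is an added example written for this thread, not code posted by anyone in it. It assumes Windows PowerShell on the terminal server itself, the stock Terminal Services tools (quser, logoff, change logon) and the Windows Update Agent COM API (Microsoft.Update.Session, Microsoft.Update.SystemInfo); the function names, the quser parsing regex, the search criteria, the 15-second settle time and the 30-second restart delay are this example's own choices, and the claim that the change logon /disable flag persists across the restart is the author's experience, to be confirmed with change logon /query after the reboot.

```powershell
# Added example for this thread (not code from any poster): patch a terminal
# server only in the "single-user" state the replies call for. Refuses to run
# while other sessions exist, blocks new logons for the whole window, installs
# through the Windows Update Agent COM API and restarts at once if required.
# Run it elevated from your own admin RDP or console session on the TS.

function Get-OtherUserSessions {
    # quser marks the calling session with '>'; every other row is a session
    # that must be logged off. Run via cmd so an empty list (quser exits 1 and
    # writes to stderr) does not become a PowerShell error record.
    $rows = cmd /c "quser 2>nul"
    foreach ($row in @($rows)) {
        # USERNAME  [SESSIONNAME]  ID  STATE ...  (session name is blank for a
        # disconnected user, hence the optional group; the header never matches)
        if ($row -match '^\s*(>?)(\S+)\s+(?:(\S+)\s+)?(\d+)\s+(Active|Disc)') {
            if ($Matches[1] -ne '>') {
                New-Object PSObject -Property @{
                    User = $Matches[2]; Id = [int]$Matches[4]; State = $Matches[5]
                }
            }
        }
    }
}

function Test-NonAdminNotificationPolicy {
    # Computer policy "Allow non-administrators to receive update notifications"
    # is stored as ElevateNonAdmins; 1 = non-admins get the restart balloons.
    # Harry's per-user policy ("Remove access to use all Windows Update
    # features") lands in each user's HKCU hive and cannot be checked from here.
    $key = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU'
    $val = (Get-ItemProperty -Path $key -ErrorAction SilentlyContinue).ElevateNonAdmins
    return ($val -ne 1)
}

function Install-PendingUpdates {
    # Search, download and install in one pass so the restart can follow at
    # once (Harry's point: never leave the box installed-but-not-rebooted).
    $session  = New-Object -ComObject Microsoft.Update.Session
    $searcher = $session.CreateUpdateSearcher()
    $found    = $searcher.Search("IsInstalled=0 and IsHidden=0 and Type='Software'")
    if ($found.Updates.Count -eq 0) { return $null }
    $batch = New-Object -ComObject Microsoft.Update.UpdateColl
    foreach ($u in $found.Updates) {
        if (-not $u.EulaAccepted) { $u.AcceptEula() }
        [void]$batch.Add($u)
        Write-Host ("  queued: {0}" -f $u.Title)
    }
    $downloader = $session.CreateUpdateDownloader()
    $downloader.Updates = $batch
    $dl = $downloader.Download()
    if ($dl.ResultCode -ne 2) { throw "Download failed (ResultCode $($dl.ResultCode))" }
    $installer = $session.CreateUpdateInstaller()
    $installer.Updates = $batch
    return $installer.Install()      # IInstallationResult: ResultCode, RebootRequired
}

# ---- maintenance window ------------------------------------------------
if (-not (Test-NonAdminNotificationPolicy)) {
    Write-Warning 'ElevateNonAdmins=1: non-admin users would see update balloons.'
}

# A restart still pending from an earlier run means the box is not in the
# clean state Harry recommends: reboot first, then run this again.
if ((New-Object -ComObject Microsoft.Update.SystemInfo).RebootRequired) {
    throw 'A restart is already pending. Reboot, then rerun this script.'
}

# 1. Close the door: no new sessions until an admin runs 'change logon /enable'.
#    In my experience the flag persists across the restart, which is what you
#    want while the patched server is still unverified; confirm with /query.
change logon /disable
if ($LASTEXITCODE -ne 0) { throw 'change logon /disable failed' }

# 2. Log off everyone else, then re-check; logoff is asynchronous.
foreach ($s in @(Get-OtherUserSessions)) {
    Write-Host ("Logging off session {0} ({1}, {2})" -f $s.Id, $s.User, $s.State)
    logoff $s.Id
}
Start-Sleep -Seconds 15
$left = @(Get-OtherUserSessions)
if ($left.Count -gt 0) {
    change logon /enable
    $names = ($left | ForEach-Object { $_.User }) -join ', '
    throw "Sessions still present ($names); aborting without installing."
}

# 3. Install, then restart immediately if anything asks for it.
$result = Install-PendingUpdates
if ($null -eq $result) {
    Write-Host 'Nothing to install; re-enabling logons.'
    change logon /enable
} elseif ($result.RebootRequired) {
    Write-Host "Install ResultCode $($result.ResultCode); restarting in 30 s."
    shutdown /r /t 30 /c "Post-update restart. Logons stay disabled until verified."
} else {
    Write-Host "Install ResultCode $($result.ResultCode); no restart needed."
    change logon /enable
}
```

The script deliberately leaves logons disabled after a restart that followed an install: re-enabling them is the verification step Lawrence describes, done by hand once the server has come back and been checked. If the ElevateNonAdmins warning fires, the computer policy the original poster says is disabled is in fact set, and that is where the non-admin pop-ups come from.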