Patching Terminal Services Servers

[Guest lozza]

Guys,

 

I have some rather basic question here I think.... any help is very much

appreciated:

 

1) When patching TS Servers (Microsoft Patches, Hotfixes, Application

specific patches etc etc) should the TS server be manually put into INSTALL

MODE?

 

2) If INSTALL MODE should be initiated before patching, then how is this

done at the enterprise level when using patch management tools such as WSUS?

Are admins expected to log on to the TS servers and put them into INSTALL

MODE before allowing WSUS to go ahead and patch the machines?

 

3) When doing any kind of patching, or installation of any new software

(reboot required or not) should all user sessions be terminated first and not

be allowed to log back in until INSTALL MODE is initiated, software/patch is

installed and then server is put back into EXECUTION MODE? or is it okay to

hop between INSTALL MODE and EXECUTE MODE whilst users sessions are active?

 

Many Thanks

Lozza

[Guest Vera Noest [MVP]]

Re: Patching Terminal Services Servers

 

Microsoft security patches don't have user-specific settings, so

you don't have to put the TS into install mode before applying

those.

 

Software upgrades must installed while the server is in install

mode, and then you should *not* have any users on the system, until

the upgrade is complete, the server has been rebooted (if

necessary) and put back into execute mode again.

_________________________________________________________

Vera Noest

MCSE, CCEA, Microsoft MVP - Terminal Server

TS troubleshooting: http://ts.veranoest.net

*----------- Please reply in newsgroup -------------*

 

=?Utf-8?B?bG96emE=?= <lozza@discussions.microsoft.com> wrote on 21

jan 2008:

> Guys,

>

> I have some rather basic question here I think.... any help is

> very much appreciated:

>

> 1) When patching TS Servers (Microsoft Patches, Hotfixes,

> Application specific patches etc etc) should the TS server be

> manually put into INSTALL MODE?

>

> 2) If INSTALL MODE should be initiated before patching, then how

> is this done at the enterprise level when using patch management

> tools such as WSUS? Are admins expected to log on to the TS

> servers and put them into INSTALL MODE before allowing WSUS to

> go ahead and patch the machines?

>

> 3) When doing any kind of patching, or installation of any new

> software (reboot required or not) should all user sessions be

> terminated first and not be allowed to log back in until INSTALL

> MODE is initiated, software/patch is installed and then server

> is put back into EXECUTION MODE? or is it okay to hop between

> INSTALL MODE and EXECUTE MODE whilst users sessions are active?

>

> Many Thanks

> Lozza

[Guest lozza]

Re: Patching Terminal Services Servers

 

Hi Vera,

 

Thanks much for the response. Just to further, our admins don't ensure users

have logged off the system when installing software that doesn't require a

reboot. For example the other day 10-15 users where logged in with sessions,

and an admin put the TS server into INSTALL MODE... installed GPMC and some

cisco related tools and then put the server into EXECUTE MODE again... surely

this cant be right?

 

Can you advise me how I can convince them this should be controlled under

change management, and that whenever installing any software (or updating)

all users should be logged out and then the task carried out?

 

Is their any MS Docs out there that highlight the importance of this, with

examples as to what could go wrong if some users remain logged on while doing

the INSTALL MODE, update/install software, EXECUTION MODE cycle?

 

Thanks

Loz

 

"Vera Noest [MVP]" wrote:

> Microsoft security patches don't have user-specific settings, so

> you don't have to put the TS into install mode before applying

> those.

>

> Software upgrades must installed while the server is in install

> mode, and then you should *not* have any users on the system, until

> the upgrade is complete, the server has been rebooted (if

> necessary) and put back into execute mode again.

> _________________________________________________________

> Vera Noest

> MCSE, CCEA, Microsoft MVP - Terminal Server

> TS troubleshooting: http://ts.veranoest.net

> *----------- Please reply in newsgroup -------------*

>

> =?Utf-8?B?bG96emE=?= <lozza@discussions.microsoft.com> wrote on 21

> jan 2008:

>

> > Guys,

> >

> > I have some rather basic question here I think.... any help is

> > very much appreciated:

> >

> > 1) When patching TS Servers (Microsoft Patches, Hotfixes,

> > Application specific patches etc etc) should the TS server be

> > manually put into INSTALL MODE?

> >

> > 2) If INSTALL MODE should be initiated before patching, then how

> > is this done at the enterprise level when using patch management

> > tools such as WSUS? Are admins expected to log on to the TS

> > servers and put them into INSTALL MODE before allowing WSUS to

> > go ahead and patch the machines?

> >

> > 3) When doing any kind of patching, or installation of any new

> > software (reboot required or not) should all user sessions be

> > terminated first and not be allowed to log back in until INSTALL

> > MODE is initiated, software/patch is installed and then server

> > is put back into EXECUTION MODE? or is it okay to hop between

> > INSTALL MODE and EXECUTE MODE whilst users sessions are active?

> >

> > Many Thanks

> > Lozza

>

[Guest Vera Noest [MVP]]

Re: Patching Terminal Services Servers

 

The examples you mention (GPMC and Cisco tools) are example of

applications which do *not* demand multi-user functionality,

correct? They sound like administrative tools. So you do *not* have

to put the server into install mode while installing these tools

(it's not a problem when you do it anyway, just to be sure, but

it's not necessary).

The key thing is user-specific settings. If an application doesn't

have any user-specific registry keys or ini files, install mode

won't accomplish anything at all.

 

Read up about install mode, and it will be more clear to you which

applications (both installation and upgrade) will need install

mode, and which don't.

 

Here's a good description:

 

186498 - Terminal Server Application Integration Information

http://support.microsoft.com/?kbid=186498

 

And make a habit of inspecting and exporting the shadow area of the

registry (HKLM\Software\Microsoft\Windows NT\CurrentVersion

\Terminal Server\Install) before and after installing software.

When you see for yourself which changes have been made to the

shadow area, you'll get a better understanding of when install mode

is necessary and exactly what it does.

 

And yes, when you put a TS in install mode, all users should be off

the system and not allowed in before it's in execute mode again.

Personally, I make sure that there are no users on the system even

when I install tools which don't need install mode, just because

you can never be 100% sure that you won't stumble upon a problem

which demands that there are no users logged on.

 

_________________________________________________________

Vera Noest

MCSE, CCEA, Microsoft MVP - Terminal Server

TS troubleshooting: http://ts.veranoest.net

___ please respond in newsgroup, NOT by private email ___

 

=?Utf-8?B?bG96emE=?= <lozza@discussions.microsoft.com> wrote on 21

jan 2008 in microsoft.public.windows.terminal_services:

> Hi Vera,

>

> Thanks much for the response. Just to further, our admins don't

> ensure users have logged off the system when installing software

> that doesn't require a reboot. For example the other day 10-15

> users where logged in with sessions, and an admin put the TS

> server into INSTALL MODE... installed GPMC and some cisco

> related tools and then put the server into EXECUTE MODE again...

> surely this cant be right?

>

> Can you advise me how I can convince them this should be

> controlled under change management, and that whenever installing

> any software (or updating) all users should be logged out and

> then the task carried out?

>

> Is their any MS Docs out there that highlight the importance of

> this, with examples as to what could go wrong if some users

> remain logged on while doing the INSTALL MODE, update/install

> software, EXECUTION MODE cycle?

>

> Thanks

> Loz

>

> "Vera Noest [MVP]" wrote:

>

>> Microsoft security patches don't have user-specific settings,

>> so you don't have to put the TS into install mode before

>> applying those.

>>

>> Software upgrades must installed while the server is in install

>> mode, and then you should *not* have any users on the system,

>> until the upgrade is complete, the server has been rebooted (if

>> necessary) and put back into execute mode again.

>> _________________________________________________________

>> Vera Noest

>> MCSE, CCEA, Microsoft MVP - Terminal Server

>> TS troubleshooting: http://ts.veranoest.net

>> *----------- Please reply in newsgroup -------------*

>>

>> =?Utf-8?B?bG96emE=?= <lozza@discussions.microsoft.com> wrote on

>> 21 jan 2008:

>>

>> > Guys,

>> >

>> > I have some rather basic question here I think.... any help

>> > is very much appreciated:

>> >

>> > 1) When patching TS Servers (Microsoft Patches, Hotfixes,

>> > Application specific patches etc etc) should the TS server be

>> > manually put into INSTALL MODE?

>> >

>> > 2) If INSTALL MODE should be initiated before patching, then

>> > how is this done at the enterprise level when using patch

>> > management tools such as WSUS? Are admins expected to log on

>> > to the TS servers and put them into INSTALL MODE before

>> > allowing WSUS to go ahead and patch the machines?

>> >

>> > 3) When doing any kind of patching, or installation of any

>> > new software (reboot required or not) should all user

>> > sessions be terminated first and not be allowed to log back

>> > in until INSTALL MODE is initiated, software/patch is

>> > installed and then server is put back into EXECUTION MODE? or

>> > is it okay to hop between INSTALL MODE and EXECUTE MODE

>> > whilst users sessions are active?

>> >

>> > Many Thanks

>> > Lozza

[Guest lozza]

Re: Patching Terminal Services Servers

 

Hi Vera,

 

Thank you so much for the detailed response. It is much appreciated.

 

I will keep my eye on that area for every install that will take place from

now onwards to get a better understanding. Thanks for pointing this out to me

 

:)

 

lozza

 

"lozza" wrote:

> Hi Vera,

>

> Thanks much for the response. Just to further, our admins don't ensure users

> have logged off the system when installing software that doesn't require a

> reboot. For example the other day 10-15 users where logged in with sessions,

> and an admin put the TS server into INSTALL MODE... installed GPMC and some

> cisco related tools and then put the server into EXECUTE MODE again... surely

> this cant be right?

>

> Can you advise me how I can convince them this should be controlled under

> change management, and that whenever installing any software (or updating)

> all users should be logged out and then the task carried out?

>

> Is their any MS Docs out there that highlight the importance of this, with

> examples as to what could go wrong if some users remain logged on while doing

> the INSTALL MODE, update/install software, EXECUTION MODE cycle?

>

> Thanks

> Loz

>

> "Vera Noest [MVP]" wrote:

>

> > Microsoft security patches don't have user-specific settings, so

> > you don't have to put the TS into install mode before applying

> > those.

> >

> > Software upgrades must installed while the server is in install

> > mode, and then you should *not* have any users on the system, until

> > the upgrade is complete, the server has been rebooted (if

> > necessary) and put back into execute mode again.

> > _________________________________________________________

> > Vera Noest

> > MCSE, CCEA, Microsoft MVP - Terminal Server

> > TS troubleshooting: http://ts.veranoest.net

> > *----------- Please reply in newsgroup -------------*

> >

> > =?Utf-8?B?bG96emE=?= <lozza@discussions.microsoft.com> wrote on 21

> > jan 2008:

> >

> > > Guys,

> > >

> > > I have some rather basic question here I think.... any help is

> > > very much appreciated:

> > >

> > > 1) When patching TS Servers (Microsoft Patches, Hotfixes,

> > > Application specific patches etc etc) should the TS server be

> > > manually put into INSTALL MODE?

> > >

> > > 2) If INSTALL MODE should be initiated before patching, then how

> > > is this done at the enterprise level when using patch management

> > > tools such as WSUS? Are admins expected to log on to the TS

> > > servers and put them into INSTALL MODE before allowing WSUS to

> > > go ahead and patch the machines?

> > >

> > > 3) When doing any kind of patching, or installation of any new

> > > software (reboot required or not) should all user sessions be

> > > terminated first and not be allowed to log back in until INSTALL

> > > MODE is initiated, software/patch is installed and then server

> > > is put back into EXECUTION MODE? or is it okay to hop between

> > > INSTALL MODE and EXECUTE MODE whilst users sessions are active?

> > >

> > > Many Thanks

> > > Lozza

> >

[Guest lozza]

Re: Patching Terminal Services Servers

 

Hi Vera,

 

One more question around this if you dont mind....

 

What are your thoughts on Installing Application on TS Servers via remote

deployment to machines, allowing us to capture the whole farm at once when

new software needs to be deployed?

 

Is it safer to just stick to the manual method by deploying to each server

ensuring INSTALL MODE is invoked?

 

Loz...

 

"lozza" wrote:

> Hi Vera,

>

> Thank you so much for the detailed response. It is much appreciated.

>

> I will keep my eye on that area for every install that will take place from

> now onwards to get a better understanding. Thanks for pointing this out to me

>

> :)

>

> lozza

>

> "lozza" wrote:

>

> > Hi Vera,

> >

> > Thanks much for the response. Just to further, our admins don't ensure users

> > have logged off the system when installing software that doesn't require a

> > reboot. For example the other day 10-15 users where logged in with sessions,

> > and an admin put the TS server into INSTALL MODE... installed GPMC and some

> > cisco related tools and then put the server into EXECUTE MODE again... surely

> > this cant be right?

> >

> > Can you advise me how I can convince them this should be controlled under

> > change management, and that whenever installing any software (or updating)

> > all users should be logged out and then the task carried out?

> >

> > Is their any MS Docs out there that highlight the importance of this, with

> > examples as to what could go wrong if some users remain logged on while doing

> > the INSTALL MODE, update/install software, EXECUTION MODE cycle?

> >

> > Thanks

> > Loz

> >

> > "Vera Noest [MVP]" wrote:

> >

> > > Microsoft security patches don't have user-specific settings, so

> > > you don't have to put the TS into install mode before applying

> > > those.

> > >

> > > Software upgrades must installed while the server is in install

> > > mode, and then you should *not* have any users on the system, until

> > > the upgrade is complete, the server has been rebooted (if

> > > necessary) and put back into execute mode again.

> > > _________________________________________________________

> > > Vera Noest

> > > MCSE, CCEA, Microsoft MVP - Terminal Server

> > > TS troubleshooting: http://ts.veranoest.net

> > > *----------- Please reply in newsgroup -------------*

> > >

> > > =?Utf-8?B?bG96emE=?= <lozza@discussions.microsoft.com> wrote on 21

> > > jan 2008:

> > >

> > > > Guys,

> > > >

> > > > I have some rather basic question here I think.... any help is

> > > > very much appreciated:

> > > >

> > > > 1) When patching TS Servers (Microsoft Patches, Hotfixes,

> > > > Application specific patches etc etc) should the TS server be

> > > > manually put into INSTALL MODE?

> > > >

> > > > 2) If INSTALL MODE should be initiated before patching, then how

> > > > is this done at the enterprise level when using patch management

> > > > tools such as WSUS? Are admins expected to log on to the TS

> > > > servers and put them into INSTALL MODE before allowing WSUS to

> > > > go ahead and patch the machines?

> > > >

> > > > 3) When doing any kind of patching, or installation of any new

> > > > software (reboot required or not) should all user sessions be

> > > > terminated first and not be allowed to log back in until INSTALL

> > > > MODE is initiated, software/patch is installed and then server

> > > > is put back into EXECUTION MODE? or is it okay to hop between

> > > > INSTALL MODE and EXECUTE MODE whilst users sessions are active?

> > > >

> > > > Many Thanks

> > > > Lozza

> > >

[Guest Vera Noest [MVP]]

Re: Patching Terminal Services Servers

 

I have so far always installed manually on every server in my farm.

If you are considering assigning software to your farm through

remote deployment, you will have to perform thorough testing first

to ensure that the TS will be in install mode during installation.

That is a *must*. And even then, you will have to test every

installation (also manual installations), because some software

demand that you start it once as administrator, while the server is

still in install mode, because some applications perform their

final configuration on the first launch.

 

_________________________________________________________

Vera Noest

MCSE, CCEA, Microsoft MVP - Terminal Server

TS troubleshooting: http://ts.veranoest.net

___ please respond in newsgroup, NOT by private email ___

 

=?Utf-8?B?bG96emE=?= <lozza@discussions.microsoft.com> wrote on 23

jan 2008 in microsoft.public.windows.terminal_services:

> Hi Vera,

>

> One more question around this if you dont mind....

>

> What are your thoughts on Installing Application on TS Servers

> via remote deployment to machines, allowing us to capture the

> whole farm at once when new software needs to be deployed?

>

> Is it safer to just stick to the manual method by deploying to

> each server ensuring INSTALL MODE is invoked?

>

> Loz...

>

> "lozza" wrote:

>

>> Hi Vera,

>>

>> Thank you so much for the detailed response. It is much

>> appreciated.

>>

>> I will keep my eye on that area for every install that will

>> take place from now onwards to get a better understanding.

>> Thanks for pointing this out to me

>>

>> :)

>>

>> lozza

>>

>> "lozza" wrote:

>>

>> > Hi Vera,

>> >

>> > Thanks much for the response. Just to further, our admins

>> > don't ensure users have logged off the system when installing

>> > software that doesn't require a reboot. For example the other

>> > day 10-15 users where logged in with sessions, and an admin

>> > put the TS server into INSTALL MODE... installed GPMC and

>> > some cisco related tools and then put the server into EXECUTE

>> > MODE again... surely this cant be right?

>> >

>> > Can you advise me how I can convince them this should be

>> > controlled under change management, and that whenever

>> > installing any software (or updating) all users should be

>> > logged out and then the task carried out?

>> >

>> > Is their any MS Docs out there that highlight the importance

>> > of this, with examples as to what could go wrong if some

>> > users remain logged on while doing the INSTALL MODE,

>> > update/install software, EXECUTION MODE cycle?

>> >

>> > Thanks

>> > Loz

>> >

>> > "Vera Noest [MVP]" wrote:

>> >

>> > > Microsoft security patches don't have user-specific

>> > > settings, so you don't have to put the TS into install mode

>> > > before applying those.

>> > >

>> > > Software upgrades must installed while the server is in

>> > > install mode, and then you should *not* have any users on

>> > > the system, until the upgrade is complete, the server has

>> > > been rebooted (if necessary) and put back into execute mode

>> > > again.

>> > > _________________________________________________________

>> > > Vera Noest

>> > > MCSE, CCEA, Microsoft MVP - Terminal Server

>> > > TS troubleshooting: http://ts.veranoest.net

>> > > *----------- Please reply in newsgroup -------------*

>> > >

>> > > =?Utf-8?B?bG96emE=?= <lozza@discussions.microsoft.com>

>> > > wrote on 21 jan 2008:

>> > >

>> > > > Guys,

>> > > >

>> > > > I have some rather basic question here I think.... any

>> > > > help is very much appreciated:

>> > > >

>> > > > 1) When patching TS Servers (Microsoft Patches, Hotfixes,

>> > > > Application specific patches etc etc) should the TS

>> > > > server be manually put into INSTALL MODE?

>> > > >

>> > > > 2) If INSTALL MODE should be initiated before patching,

>> > > > then how is this done at the enterprise level when using

>> > > > patch management tools such as WSUS? Are admins expected

>> > > > to log on to the TS servers and put them into INSTALL

>> > > > MODE before allowing WSUS to go ahead and patch the

>> > > > machines?

>> > > >

>> > > > 3) When doing any kind of patching, or installation of

>> > > > any new software (reboot required or not) should all user

>> > > > sessions be terminated first and not be allowed to log

>> > > > back in until INSTALL MODE is initiated, software/patch

>> > > > is installed and then server is put back into EXECUTION

>> > > > MODE? or is it okay to hop between INSTALL MODE and

>> > > > EXECUTE MODE whilst users sessions are active?

>> > > >

>> > > > Many Thanks

>> > > > Lozza