Patching Terminal Services Servers

[lozza]

Guys,

I have some rather basic question here I think.... any help is very much
appreciated:

1) When patching TS Servers (Microsoft Patches, Hotfixes, Application
specific patches etc etc) should the TS server be manually put into INSTALL
MODE?

2) If INSTALL MODE should be initiated before patching, then how is this
done at the enterprise level when using patch management tools such as WSUS?
Are admins expected to log on to the TS servers and put them into INSTALL
MODE before allowing WSUS to go ahead and patch the machines?

3) When doing any kind of patching, or installation of any new software
(reboot required or not) should all user sessions be terminated first and not
be allowed to log back in until INSTALL MODE is initiated, software/patch is
installed and then server is put back into EXECUTION MODE? or is it okay to
hop between INSTALL MODE and EXECUTE MODE whilst users sessions are active?

Many Thanks
Lozza

 

[Vera Noest [MVP]]

Re: Patching Terminal Services Servers

Microsoft security patches don't have user-specific settings, so
you don't have to put the TS into install mode before applying
those.

Software upgrades must installed while the server is in install
mode, and then you should *not* have any users on the system, until
the upgrade is complete, the server has been rebooted (if
necessary) and put back into execute mode again.
_________________________________________________________
Vera Noest
MCSE, CCEA, Microsoft MVP - Terminal Server
TS troubleshooting: http://ts.veranoest.net
*----------- Please reply in newsgroup -------------*

=?Utf-8?B?bG96emE=?= <lozza@discussions.microsoft.com> wrote on 21
jan 2008:

> Guys,
>
> I have some rather basic question here I think.... any help is
> very much appreciated:
>
> 1) When patching TS Servers (Microsoft Patches, Hotfixes,
> Application specific patches etc etc) should the TS server be
> manually put into INSTALL MODE?
>
> 2) If INSTALL MODE should be initiated before patching, then how
> is this done at the enterprise level when using patch management
> tools such as WSUS? Are admins expected to log on to the TS
> servers and put them into INSTALL MODE before allowing WSUS to
> go ahead and patch the machines?
>
> 3) When doing any kind of patching, or installation of any new
> software (reboot required or not) should all user sessions be
> terminated first and not be allowed to log back in until INSTALL
> MODE is initiated, software/patch is installed and then server
> is put back into EXECUTION MODE? or is it okay to hop between
> INSTALL MODE and EXECUTE MODE whilst users sessions are active?
>
> Many Thanks
> Lozza

 

[lozza]

Re: Patching Terminal Services Servers

Hi Vera,

Thanks much for the response. Just to further, our admins don't ensure users
have logged off the system when installing software that doesn't require a
reboot. For example the other day 10-15 users where logged in with sessions,
and an admin put the TS server into INSTALL MODE... installed GPMC and some
cisco related tools and then put the server into EXECUTE MODE again... surely
this cant be right?

Can you advise me how I can convince them this should be controlled under
change management, and that whenever installing any software (or updating)
all users should be logged out and then the task carried out?

Is their any MS Docs out there that highlight the importance of this, with
examples as to what could go wrong if some users remain logged on while doing
the INSTALL MODE, update/install software, EXECUTION MODE cycle?

Thanks
Loz

"Vera Noest [MVP]" wrote:

> Microsoft security patches don't have user-specific settings, so
> you don't have to put the TS into install mode before applying
> those.
>
> Software upgrades must installed while the server is in install
> mode, and then you should *not* have any users on the system, until
> the upgrade is complete, the server has been rebooted (if
> necessary) and put back into execute mode again.
> _________________________________________________________
> Vera Noest
> MCSE, CCEA, Microsoft MVP - Terminal Server
> TS troubleshooting: http://ts.veranoest.net
> *----------- Please reply in newsgroup -------------*
>
> =?Utf-8?B?bG96emE=?= <lozza@discussions.microsoft.com> wrote on 21
> jan 2008:
>
> > Guys,
> >
> > I have some rather basic question here I think.... any help is
> > very much appreciated:
> >
> > 1) When patching TS Servers (Microsoft Patches, Hotfixes,
> > Application specific patches etc etc) should the TS server be
> > manually put into INSTALL MODE?
> >
> > 2) If INSTALL MODE should be initiated before patching, then how
> > is this done at the enterprise level when using patch management
> > tools such as WSUS? Are admins expected to log on to the TS
> > servers and put them into INSTALL MODE before allowing WSUS to
> > go ahead and patch the machines?
> >
> > 3) When doing any kind of patching, or installation of any new
> > software (reboot required or not) should all user sessions be
> > terminated first and not be allowed to log back in until INSTALL
> > MODE is initiated, software/patch is installed and then server
> > is put back into EXECUTION MODE? or is it okay to hop between
> > INSTALL MODE and EXECUTE MODE whilst users sessions are active?
> >
> > Many Thanks
> > Lozza
>

 

[Vera Noest [MVP]]

Re: Patching Terminal Services Servers

The examples you mention (GPMC and Cisco tools) are example of
applications which do *not* demand multi-user functionality,
correct? They sound like administrative tools. So you do *not* have
to put the server into install mode while installing these tools
(it's not a problem when you do it anyway, just to be sure, but
it's not necessary).
The key thing is user-specific settings. If an application doesn't
have any user-specific registry keys or ini files, install mode
won't accomplish anything at all.

Read up about install mode, and it will be more clear to you which
applications (both installation and upgrade) will need install
mode, and which don't.

Here's a good description:

186498 - Terminal Server Application Integration Information
http://support.microsoft.com/?kbid=186498

And make a habit of inspecting and exporting the shadow area of the
registry (HKLM\Software\Microsoft\Windows NT\CurrentVersion
\Terminal Server\Install) before and after installing software.
When you see for yourself which changes have been made to the
shadow area, you'll get a better understanding of when install mode
is necessary and exactly what it does.

And yes, when you put a TS in install mode, all users should be off
the system and not allowed in before it's in execute mode again.
Personally, I make sure that there are no users on the system even
when I install tools which don't need install mode, just because
you can never be 100% sure that you won't stumble upon a problem
which demands that there are no users logged on.

_________________________________________________________
Vera Noest
MCSE, CCEA, Microsoft MVP - Terminal Server
TS troubleshooting: http://ts.veranoest.net
___ please respond in newsgroup, NOT by private email ___

=?Utf-8?B?bG96emE=?= <lozza@discussions.microsoft.com> wrote on 21
jan 2008 in microsoft.public.windows.terminal_services:

> Hi Vera,
>
> Thanks much for the response. Just to further, our admins don't
> ensure users have logged off the system when installing software
> that doesn't require a reboot. For example the other day 10-15
> users where logged in with sessions, and an admin put the TS
> server into INSTALL MODE... installed GPMC and some cisco
> related tools and then put the server into EXECUTE MODE again...
> surely this cant be right?
>
> Can you advise me how I can convince them this should be
> controlled under change management, and that whenever installing
> any software (or updating) all users should be logged out and
> then the task carried out?
>
> Is their any MS Docs out there that highlight the importance of
> this, with examples as to what could go wrong if some users
> remain logged on while doing the INSTALL MODE, update/install
> software, EXECUTION MODE cycle?
>
> Thanks
> Loz
>
> "Vera Noest [MVP]" wrote:
>
>> Microsoft security patches don't have user-specific settings,
>> so you don't have to put the TS into install mode before
>> applying those.
>>
>> Software upgrades must installed while the server is in install
>> mode, and then you should *not* have any users on the system,
>> until the upgrade is complete, the server has been rebooted (if
>> necessary) and put back into execute mode again.
>> _________________________________________________________
>> Vera Noest
>> MCSE, CCEA, Microsoft MVP - Terminal Server
>> TS troubleshooting: http://ts.veranoest.net
>> *----------- Please reply in newsgroup -------------*
>>
>> =?Utf-8?B?bG96emE=?= <lozza@discussions.microsoft.com> wrote on
>> 21 jan 2008:
>>
>> > Guys,
>> >
>> > I have some rather basic question here I think.... any help
>> > is very much appreciated:
>> >
>> > 1) When patching TS Servers (Microsoft Patches, Hotfixes,
>> > Application specific patches etc etc) should the TS server be
>> > manually put into INSTALL MODE?
>> >
>> > 2) If INSTALL MODE should be initiated before patching, then
>> > how is this done at the enterprise level when using patch
>> > management tools such as WSUS? Are admins expected to log on
>> > to the TS servers and put them into INSTALL MODE before
>> > allowing WSUS to go ahead and patch the machines?
>> >
>> > 3) When doing any kind of patching, or installation of any
>> > new software (reboot required or not) should all user
>> > sessions be terminated first and not be allowed to log back
>> > in until INSTALL MODE is initiated, software/patch is
>> > installed and then server is put back into EXECUTION MODE? or
>> > is it okay to hop between INSTALL MODE and EXECUTE MODE
>> > whilst users sessions are active?
>> >
>> > Many Thanks
>> > Lozza

 

[lozza]

Re: Patching Terminal Services Servers

Hi Vera,

Thank you so much for the detailed response. It is much appreciated.

I will keep my eye on that area for every install that will take place from
now onwards to get a better understanding. Thanks for pointing this out to me



lozza

"lozza" wrote:

> Hi Vera,
>
> Thanks much for the response. Just to further, our admins don't ensure users
> have logged off the system when installing software that doesn't require a
> reboot. For example the other day 10-15 users where logged in with sessions,
> and an admin put the TS server into INSTALL MODE... installed GPMC and some
> cisco related tools and then put the server into EXECUTE MODE again... surely
> this cant be right?
>
> Can you advise me how I can convince them this should be controlled under
> change management, and that whenever installing any software (or updating)
> all users should be logged out and then the task carried out?
>
> Is their any MS Docs out there that highlight the importance of this, with
> examples as to what could go wrong if some users remain logged on while doing
> the INSTALL MODE, update/install software, EXECUTION MODE cycle?
>
> Thanks
> Loz
>
> "Vera Noest [MVP]" wrote:
>
> > Microsoft security patches don't have user-specific settings, so
> > you don't have to put the TS into install mode before applying
> > those.
> >
> > Software upgrades must installed while the server is in install
> > mode, and then you should *not* have any users on the system, until
> > the upgrade is complete, the server has been rebooted (if
> > necessary) and put back into execute mode again.
> > _________________________________________________________
> > Vera Noest
> > MCSE, CCEA, Microsoft MVP - Terminal Server
> > TS troubleshooting: http://ts.veranoest.net
> > *----------- Please reply in newsgroup -------------*
> >
> > =?Utf-8?B?bG96emE=?= <lozza@discussions.microsoft.com> wrote on 21
> > jan 2008:
> >
> > > Guys,
> > >
> > > I have some rather basic question here I think.... any help is
> > > very much appreciated:
> > >
> > > 1) When patching TS Servers (Microsoft Patches, Hotfixes,
> > > Application specific patches etc etc) should the TS server be
> > > manually put into INSTALL MODE?
> > >
> > > 2) If INSTALL MODE should be initiated before patching, then how
> > > is this done at the enterprise level when using patch management
> > > tools such as WSUS? Are admins expected to log on to the TS
> > > servers and put them into INSTALL MODE before allowing WSUS to
> > > go ahead and patch the machines?
> > >
> > > 3) When doing any kind of patching, or installation of any new
> > > software (reboot required or not) should all user sessions be
> > > terminated first and not be allowed to log back in until INSTALL
> > > MODE is initiated, software/patch is installed and then server
> > > is put back into EXECUTION MODE? or is it okay to hop between
> > > INSTALL MODE and EXECUTE MODE whilst users sessions are active?
> > >
> > > Many Thanks
> > > Lozza
> >

 

[lozza]

Re: Patching Terminal Services Servers

Hi Vera,

One more question around this if you dont mind....

What are your thoughts on Installing Application on TS Servers via remote
deployment to machines, allowing us to capture the whole farm at once when
new software needs to be deployed?

Is it safer to just stick to the manual method by deploying to each server
ensuring INSTALL MODE is invoked?

Loz...

"lozza" wrote:

> Hi Vera,
>
> Thank you so much for the detailed response. It is much appreciated.
>
> I will keep my eye on that area for every install that will take place from
> now onwards to get a better understanding. Thanks for pointing this out to me
>
>
>
> lozza
>
> "lozza" wrote:
>
> > Hi Vera,
> >
> > Thanks much for the response. Just to further, our admins don't ensure users
> > have logged off the system when installing software that doesn't require a
> > reboot. For example the other day 10-15 users where logged in with sessions,
> > and an admin put the TS server into INSTALL MODE... installed GPMC and some
> > cisco related tools and then put the server into EXECUTE MODE again... surely
> > this cant be right?
> >
> > Can you advise me how I can convince them this should be controlled under
> > change management, and that whenever installing any software (or updating)
> > all users should be logged out and then the task carried out?
> >
> > Is their any MS Docs out there that highlight the importance of this, with
> > examples as to what could go wrong if some users remain logged on while doing
> > the INSTALL MODE, update/install software, EXECUTION MODE cycle?
> >
> > Thanks
> > Loz
> >
> > "Vera Noest [MVP]" wrote:
> >
> > > Microsoft security patches don't have user-specific settings, so
> > > you don't have to put the TS into install mode before applying
> > > those.
> > >
> > > Software upgrades must installed while the server is in install
> > > mode, and then you should *not* have any users on the system, until
> > > the upgrade is complete, the server has been rebooted (if
> > > necessary) and put back into execute mode again.
> > > _________________________________________________________
> > > Vera Noest
> > > MCSE, CCEA, Microsoft MVP - Terminal Server
> > > TS troubleshooting: http://ts.veranoest.net
> > > *----------- Please reply in newsgroup -------------*
> > >
> > > =?Utf-8?B?bG96emE=?= <lozza@discussions.microsoft.com> wrote on 21
> > > jan 2008:
> > >
> > > > Guys,
> > > >
> > > > I have some rather basic question here I think.... any help is
> > > > very much appreciated:
> > > >
> > > > 1) When patching TS Servers (Microsoft Patches, Hotfixes,
> > > > Application specific patches etc etc) should the TS server be
> > > > manually put into INSTALL MODE?
> > > >
> > > > 2) If INSTALL MODE should be initiated before patching, then how
> > > > is this done at the enterprise level when using patch management
> > > > tools such as WSUS? Are admins expected to log on to the TS
> > > > servers and put them into INSTALL MODE before allowing WSUS to
> > > > go ahead and patch the machines?
> > > >
> > > > 3) When doing any kind of patching, or installation of any new
> > > > software (reboot required or not) should all user sessions be
> > > > terminated first and not be allowed to log back in until INSTALL
> > > > MODE is initiated, software/patch is installed and then server
> > > > is put back into EXECUTION MODE? or is it okay to hop between
> > > > INSTALL MODE and EXECUTE MODE whilst users sessions are active?
> > > >
> > > > Many Thanks
> > > > Lozza
> > >

 

[Vera Noest [MVP]]

Re: Patching Terminal Services Servers

I have so far always installed manually on every server in my farm.
If you are considering assigning software to your farm through
remote deployment, you will have to perform thorough testing first
to ensure that the TS will be in install mode during installation.
That is a *must*. And even then, you will have to test every
installation (also manual installations), because some software
demand that you start it once as administrator, while the server is
still in install mode, because some applications perform their
final configuration on the first launch.

_________________________________________________________
Vera Noest
MCSE, CCEA, Microsoft MVP - Terminal Server
TS troubleshooting: http://ts.veranoest.net
___ please respond in newsgroup, NOT by private email ___

=?Utf-8?B?bG96emE=?= <lozza@discussions.microsoft.com> wrote on 23
jan 2008 in microsoft.public.windows.terminal_services:

> Hi Vera,
>
> One more question around this if you dont mind....
>
> What are your thoughts on Installing Application on TS Servers
> via remote deployment to machines, allowing us to capture the
> whole farm at once when new software needs to be deployed?
>
> Is it safer to just stick to the manual method by deploying to
> each server ensuring INSTALL MODE is invoked?
>
> Loz...
>
> "lozza" wrote:
>
>> Hi Vera,
>>
>> Thank you so much for the detailed response. It is much
>> appreciated.
>>
>> I will keep my eye on that area for every install that will
>> take place from now onwards to get a better understanding.
>> Thanks for pointing this out to me
>>
>>
>>
>> lozza
>>
>> "lozza" wrote:
>>
>> > Hi Vera,
>> >
>> > Thanks much for the response. Just to further, our admins
>> > don't ensure users have logged off the system when installing
>> > software that doesn't require a reboot. For example the other
>> > day 10-15 users where logged in with sessions, and an admin
>> > put the TS server into INSTALL MODE... installed GPMC and
>> > some cisco related tools and then put the server into EXECUTE
>> > MODE again... surely this cant be right?
>> >
>> > Can you advise me how I can convince them this should be
>> > controlled under change management, and that whenever
>> > installing any software (or updating) all users should be
>> > logged out and then the task carried out?
>> >
>> > Is their any MS Docs out there that highlight the importance
>> > of this, with examples as to what could go wrong if some
>> > users remain logged on while doing the INSTALL MODE,
>> > update/install software, EXECUTION MODE cycle?
>> >
>> > Thanks
>> > Loz
>> >
>> > "Vera Noest [MVP]" wrote:
>> >
>> > > Microsoft security patches don't have user-specific
>> > > settings, so you don't have to put the TS into install mode
>> > > before applying those.
>> > >
>> > > Software upgrades must installed while the server is in
>> > > install mode, and then you should *not* have any users on
>> > > the system, until the upgrade is complete, the server has
>> > > been rebooted (if necessary) and put back into execute mode
>> > > again.
>> > > _________________________________________________________
>> > > Vera Noest
>> > > MCSE, CCEA, Microsoft MVP - Terminal Server
>> > > TS troubleshooting: http://ts.veranoest.net
>> > > *----------- Please reply in newsgroup -------------*
>> > >
>> > > =?Utf-8?B?bG96emE=?= <lozza@discussions.microsoft.com>
>> > > wrote on 21 jan 2008:
>> > >
>> > > > Guys,
>> > > >
>> > > > I have some rather basic question here I think.... any
>> > > > help is very much appreciated:
>> > > >
>> > > > 1) When patching TS Servers (Microsoft Patches, Hotfixes,
>> > > > Application specific patches etc etc) should the TS
>> > > > server be manually put into INSTALL MODE?
>> > > >
>> > > > 2) If INSTALL MODE should be initiated before patching,
>> > > > then how is this done at the enterprise level when using
>> > > > patch management tools such as WSUS? Are admins expected
>> > > > to log on to the TS servers and put them into INSTALL
>> > > > MODE before allowing WSUS to go ahead and patch the
>> > > > machines?
>> > > >
>> > > > 3) When doing any kind of patching, or installation of
>> > > > any new software (reboot required or not) should all user
>> > > > sessions be terminated first and not be allowed to log
>> > > > back in until INSTALL MODE is initiated, software/patch
>> > > > is installed and then server is put back into EXECUTION
>> > > > MODE? or is it okay to hop between INSTALL MODE and
>> > > > EXECUTE MODE whilst users sessions are active?
>> > > >
>> > > > Many Thanks
>> > > > Lozza