• Patch Lady – Not all patches make it to WSUS

    WSUS – or Windows Server Update Services – is what many corporate/business patchers use to update machines.  Larger firms use SCCM – System Center Configuration Manager.  But recently many of us have noticed something unusual.  The updates that come out here:  don’t always make it on this list:

    The second link is a master listing of what is released to the WSUS platform (which ultimately impacts SCCM as well).  And here’s the head scratcher… recently updates like https://support.microsoft.com/en-us/help/4103714 – the second 1709 update released during May – and https://support.microsoft.com/en-us/help/4103722 – the second 1703 update released during May – didn’t end up on WSUS.  Why?  I’m honestly not sure.  Granted they include no new security updates.  Granted they are just bug fixes, but clearly someone at Microsoft deems them not important enough to deliver them to the business patching platform.  If you are an administrator and want them, you can manually import them from the catalog into WSUS BUTTTTTTTT make sure you also match up these updates with the corresponding servicing stack update.

    1703 needs https://support.microsoft.com/en-us/help/4132649/servicing-stack-update-for-windows-10-1703-may-17-2018

    1709 needs https://support.microsoft.com/en-us/help/4132650/servicing-stack-update-for-windows-10-version-1709-may-21-2018

    Windows 10 has to have the servicing stack update installed before the cumulative update.  When you update via Windows Update this is automatic.  When you patch via WSUS, make sure your manual approval (or automatic approvals) includes approving both.  The servicing stack update (or SSU) is deemed a critical update, so if you have a rule set to approve critical updates, it will be approved accordingly.  Once you approve it, the operating system is smart enough to install the SSU first and then the cumulative update (CU) second.
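
    One way to check that pairing on a WSUS server, as an added example that is not from the original post: it only reports and approves nothing. It assumes an elevated PowerShell session on the WSUS server with the UpdateServices module available; the function name Get-KbState is made up for this example.

    ```powershell
    # Added example: report whether each CU named in this post has its SSU approved too.
    # Assumption: run on the WSUS server itself, in an elevated session.
    Import-Module UpdateServices
    $wsus = Get-WsusServer

    # CU -> SSU pairs, KB numbers as given in this post.
    $pairs = @(
        [pscustomobject]@{ Version = '1703'; CU = 'KB4103722'; SSU = 'KB4132649' }
        [pscustomobject]@{ Version = '1709'; CU = 'KB4103714'; SSU = 'KB4132650' }
    )

    # Hypothetical helper: count non-declined entries for one KB and how many are approved.
    # A KB can have more than one entry in WSUS (for example one per architecture).
    function Get-KbState {
        param($Server, [string]$Kb)
        $found = @($Server.SearchUpdates($Kb) |
            Where-Object { $_.Title -like "*$Kb*" -and -not $_.IsDeclined })
        [pscustomobject]@{
            Kb       = $Kb
            InWsus   = $found.Count
            Approved = @($found | Where-Object { $_.IsApproved }).Count
        }
    }

    $report = foreach ($p in $pairs) {
        $cu  = Get-KbState -Server $wsus -Kb $p.CU
        $ssu = Get-KbState -Server $wsus -Kb $p.SSU

        # Order matters: the first condition that matches decides the status.
        $status = if ($cu.InWsus -eq 0) {
            'CU not in WSUS (import from the catalog if you want it)'
        } elseif ($ssu.InWsus -eq 0) {
            'SSU not in WSUS'
        } elseif ($cu.Approved -gt 0 -and $ssu.Approved -eq 0) {
            'CU approved without its SSU: approve the SSU as well'
        } elseif ($cu.Approved -eq 0) {
            'CU present but not approved'
        } else {
            'SSU and CU both approved'
        }

        [pscustomobject]@{
            Version     = $p.Version
            CU          = $p.CU
            CUApproved  = "$($cu.Approved)/$($cu.InWsus)"
            SSU         = $p.SSU
            SSUApproved = "$($ssu.Approved)/$($ssu.InWsus)"
            Status      = $status
        }
    }

    $report | Format-Table -AutoSize
    ```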

    But bottom line for those of you who patch with WSUS: if you are looking for certain bug fixes, they may not be up on your patching platform.

    P.S. and update – interestingly enough https://support.microsoft.com/en-us/help/4100403/windows-10-update-kb4100403 the second release for the month of May for 1803 IS in WSUS.  Still scratching my head as to why some of the second of the monthly updates are and are not in WSUS.  The SSUs of KB4132649 (1703) and KB4132650 (1709) are up in WSUS.  Man I have an itchy head.