  • Patch Lady – Not all patches make it to WSUS

    Posted on Susan Bradley Comment on the AskWoody Lounge


    This topic contains 32 replies, has 12 voices, and was last updated by

     Neil Gascoigne 1 year ago.

    • #196148 Reply

      Susan Bradley
      AskWoody MVP

      WSUS – or Windows Server Update Services – is what many corporate/business patchers use to update machines.  Larger firms use SCCM – System Center con
      [See the full post at: Patch Lady – Not all patches make it to WSUS]

      Susan Bradley Patch Lady

      6 users thanked author for this post.
    • #196153 Reply

      AlexN
      AskWoody Lounger

      Not only does Micro$oft keep altering the deal further and further but also they apparently have different deals for different patching platforms.

      It’s enough to make even the techies’ heads start spinning like an owl’s.

      Fortran, C++, R, Python, Java, Matlab, HTML, CSS, etc.... coding is fun!
      A weatherman that can code

    • #196172 Reply

      anonymous

      Susan thanks for confirming what I’ve been observing with WSUS. I’m wondering if this could be a precursor for Microsoft requiring Dual Scan (which I disable to control what gets installed and when) or requiring businesses who use WSUS to use the Enterprise SKU of Windows 10 instead of OEM Professional.

      Edit to remove HTML

      • #196263 Reply

        ch100
        AskWoody_MVP

        Like it or not, managed computers in business should always use Enterprise versions.
        Pro is for the tiniest of businesses who do not have their computers managed by a sysadmin or home power users.

    • #196173 Reply

      anonymous

      I called them “Seeker updates”. Updates that are installed only if you click on the “Check for updates” button. They are not installed automatically. “Seeker updates” do not appear in WSUS.

      As far as I can tell, “Seeker updates” appeared for the first time in March. They replaced updates that had to be manually downloaded from the catalog.

      Francis

      1 user thanked author for this post.
    • #196201 Reply

      Mr. Natural
      AskWoody Plus

      My take would be that I have noticed sometimes in WSUS that not all patches for a particular issue or versions of Windows come out at the same time. Sometimes more show up the following day.

      With the way things are running there now my guess is someone forgot to push these out. There’s no truth to the rumor that these shenanigans began after the state of Washington legalized marijuana.  🙂

      Red Ruffnsore reporting from the front lines.

      1 user thanked author for this post.
      • #196264 Reply

        ch100
        AskWoody_MVP

        If you synchronize a few times a day, you will notice that some updates arrive not much later than the other ones. You can synchronize hourly on a schedule or manually at any time.
        One possible reason is that the updates released later required more work or testing before their release.

        • #196272 Reply

          Mr. Natural
          AskWoody Plus

          Our WSUS server is set to synchronize once a day and I set it to check as late in the day as possible. (11:59PM) Sometimes I catch my boss setting it into the early morning hours. The reason being is that I’ve been bit in the rear before by having WSUS sync late afternoon hours. Really bad patches sometimes get pulled within the same day and it’s best to wait.

          Red Ruffnsore reporting from the front lines.

          • #196277 Reply

            ch100
            AskWoody_MVP

            You don’t have to approve and install if you synchronize, unless you use the default setting under which all Critical Updates are automatically applied. This is not common practice though.
            Wait at least until the end of the week before approving new patches, especially for non-personal machines.

            1 user thanked author for this post.
            • #196280 Reply

              Mr. Natural
              AskWoody Plus

              I agree!

              Red Ruffnsore reporting from the front lines.

    • #196200 Reply

      anonymous

      Windows Update still has not offered me KB4100403 on either of my Windows 10 version 1803 build xxxxx.48 machines (but I have Windows 10 Home). Microsoft auto-updated both machines from version 1709 in the middle of last month, about a week apart (first the laptop that has a SanDisk 128 Gb SSD and an Intel Core i7 7770, and a week later the desktop that has an Intel Core i7 4770 Haswell chipset and no SSD). I never click on “check for updates” because I have found that to be a prescription for a failed update. So I just wait and let Windows Update automatically do whatever it wants to me. They seem to like that.

    • #196221 Reply

      CADesertRat
      AskWoody Plus

      I’m a bit confused. I’m still on 1709 with all the settings to hold off 1803 including Metered.

      I have an HP ProBook 450 G2 laptop and on 5/26/18 I went to MS update catalog and D/L the KB 4103714 and installed it with no problems bringing me up to bld. 16299.461. So far I have seen no detrimental effects.

      From Susan’s article I get the feeling that there is a Servicing Stack KB 4132650 that should have been D/L first, before installing KB 4103714, is this correct?

      Don't take yourself so seriously, no one else does 🙂
      4 Win 10 Pro currently 1809 (3 Desktops, 1 Laptop).

      • #196222 Reply

        PKCano
        Da Boss

        Yes, that is correct. The servicing stack needs to be installed before the CU. It contains the update for the updating mechanism.

        1 user thanked author for this post.
        • #196224 Reply

          CADesertRat
          AskWoody Plus

          Thanks for the quick response PKCano.

          So I assume that I need to uninstall KB 4103714 then go get BOTH KB 4132650 and KB 4103714 from the catalog, installing the Servicing Stack first and then re-installing the WU?

          Don't take yourself so seriously, no one else does 🙂
          4 Win 10 Pro currently 1809 (3 Desktops, 1 Laptop).

          • #196226 Reply

            PKCano
            Da Boss

            It seems that MS is putting out a SSU with each CU these days, so watch for it every time.

            • #196235 Reply

              CADesertRat
              AskWoody Plus

              Looks like uninstalling KB 4103714 will take a loooooong time. Evidently windows doesn’t want to turn loose of installed updates very easily. LOL

              Don't take yourself so seriously, no one else does 🙂
              4 Win 10 Pro currently 1809 (3 Desktops, 1 Laptop).

            • #196252 Reply

              Susan Bradley
              AskWoody MVP

              Windows update does the SSU’s for you. You only need to worry about SSU’s if you

              a. patch manually (i.e. go to the catalog site)
              b. patch via WSUS/SCCM or other third party

              Susan Bradley Patch Lady

              1 user thanked author for this post.
          • #196250 Reply

            Susan Bradley
            AskWoody MVP

            Nope. The SSU silently gets installed. If you WU, the ONLY way you see that a SSU has been installed is doing a dism command. It does not show that the SSU has been installed via the GUI “view update history”.

            Don’t uninstall anything if you get your updates via Windows update. You are fine.


            Susan Bradley Patch Lady

            1 user thanked author for this post.
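
Added example, not part of the original thread: a PowerShell sketch of the dism check mentioned in the post above, parsing `dism /online /get-packages` output to confirm that the servicing stack update is installed and was not installed after the cumulative update. The function names and the sample output are constructed for illustration; the KB number and build come from the thread.

```powershell
# Constructed sample of `dism /online /get-packages` output (not from a real machine).
# Windows 10 lists the cumulative update as Package_for_RollupFix carrying the build
# it installs; the thread gives 16299.461 as the build after KB 4103714.
$sample = @(
    'Package Identity : Package_for_KB4132650~31bf3856ad364e35~amd64~~16299.460.1.0'
    'State : Installed'
    'Release Type : Update'
    'Install Time : 5/27/2018 3:12 PM'
    ''
    'Package Identity : Package_for_RollupFix~31bf3856ad364e35~amd64~~16299.461.1.6'
    'State : Installed'
    'Release Type : Security Update'
    'Install Time : 5/27/2018 3:40 PM'
)

# Hypothetical helper: turn the "Name : Value" text records into objects.
function ConvertFrom-DismPackageList {
    param([string[]]$Line)
    $pkg = $null
    foreach ($l in $Line) {
        if ($l -match '^\s*Package Identity\s*:\s*(\S+)') {
            if ($null -ne $pkg) { [pscustomobject]$pkg }   # emit the previous record
            $pkg = [ordered]@{ Identity = $Matches[1]; State = $null; InstallTime = $null }
        } elseif ($null -ne $pkg -and $l -match '^\s*State\s*:\s*(.+?)\s*$') {
            $pkg.State = $Matches[1]
        } elseif ($null -ne $pkg -and $l -match '^\s*Install Time\s*:\s*(.+?)\s*$') {
            # Assumes en-US style dates as in the sample; stays $null if unparseable.
            $pkg.InstallTime = $Matches[1] -as [datetime]
        }
    }
    if ($null -ne $pkg) { [pscustomobject]$pkg }
}

# Hypothetical helper: report whether the SSU is present and precedes the CU.
function Test-SsuBeforeCu {
    param($Package, [string]$SsuKb, [string]$CuBuild)
    $installed = @($Package | Where-Object { $_.State -eq 'Installed' })
    $ssu = $installed | Where-Object { $_.Identity -like "Package_for_${SsuKb}~*" } | Select-Object -First 1
    $cu  = $installed | Where-Object { $_.Identity -like "Package_for_RollupFix~*~~${CuBuild}.*" } | Select-Object -First 1
    if (-not $ssu) { return "MISSING: $SsuKb is not installed" }
    if ($cu -and $cu.InstallTime -and $ssu.InstallTime -and $cu.InstallTime -lt $ssu.InstallTime) {
        return "ORDER: build $CuBuild was installed before $SsuKb"
    }
    "OK: $SsuKb is installed and does not follow build $CuBuild"
}

$packages = ConvertFrom-DismPackageList -Line $sample
Test-SsuBeforeCu -Package $packages -SsuKb 'KB4132650' -CuBuild '16299.461'
# Same list with the SSU record removed, as after a catalog install of the CU alone.
$cuOnly = $packages | Where-Object { $_.Identity -like '*RollupFix*' }
Test-SsuBeforeCu -Package $cuOnly -SsuKb 'KB4132650' -CuBuild '16299.461'
# On a live machine, from an elevated prompt:
#   ConvertFrom-DismPackageList -Line (dism /online /get-packages)
```
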
            • #196253 Reply

              PKCano
              Da Boss

              I went to MS update catalog and D/L the KB 4103714 and installed it with no problems bringing me up to bld

              He did a manual install.

            • #196257 Reply

              CADesertRat
              AskWoody Plus

              As PKCano pointed out, I updated originally from the catalog so I am now going through the loooong process of uninstalling the KB 4103714 that I originally installed so that I can do the SSU and then re-install KB 4103714.

              The uninstall has been going for well over an hour now and is nowhere near finished 🙁

              Don't take yourself so seriously, no one else does 🙂
              4 Win 10 Pro currently 1809 (3 Desktops, 1 Laptop).

            • #196290 Reply

              CADesertRat
              AskWoody Plus

              I’m not sure that KB 4103714 is actually going to uninstall. It’s been going for about 3 hrs. now and the bar is no further than it was.

              I cancelled it. I guess the only way to do this is to go to my cloned drive from before the update and start all over again with a clean slate.

              UPDATE: After cancelling the Uninstall window ( which just sat there not moving for over 3 hrs. ), I decided to run sfc /scannow and it said that there was a repair in progress and it needed a reboot. I rebooted and it evidently finished the Uninstall because I am now back to 16299.371.

              There was no reboot called for after all that time, I guess you’re just supposed to guess when it’s ready for a reboot to Uninstall. MS sure has improved windows LOL.

              Don't take yourself so seriously, no one else does 🙂
              4 Win 10 Pro currently 1809 (3 Desktops, 1 Laptop).

              2 users thanked author for this post.
            • #196388 Reply

              CADesertRat
              AskWoody Plus

              OK, this morning installed the SSU 1st and then KB 4103714 so I should be good to go. I ran chkdsk /f before starting the installs just to clean up any problems if they were present.

              Thanks for all the help & advice. I guess I will have to keep a close eye on the SSU’s from now on. It’s such a shame that Nadella decided to remove all trust and simplicity in Windows use and updating.

              Don't take yourself so seriously, no one else does 🙂
              4 Win 10 Pro currently 1809 (3 Desktops, 1 Laptop).

    • #196261 Reply

      ch100
      AskWoody_MVP

      The second update for Windows 10 in each month is the loose equivalent of the Preview updates for Windows 7/8.1 and their server variants.
      This means that the second update is production ready (whatever that meaning is currently), but not mandatory.
      The only difference may be that occasionally the Windows 10 “preview” contains security updates but this is not necessarily a rule.

      Most users here should be concerned with Windows Update only for their machines and not the multitude of the other options, except for analysis and debate.

      2 users thanked author for this post.
      • #196278 Reply

        Susan Bradley
        AskWoody MVP

        When Windows 10 used to settle down to stable cadence, only one update a month came out.  The experience of the two updates – even on the semi-annual channels is honestly “new”.

        Susan Bradley Patch Lady

        2 users thanked author for this post.
        • #196279 Reply

          ch100
          AskWoody_MVP

          It is all very fluid and it is not only Microsoft affected.
          It seems that they all caught a disease called “cloud-itis”.

          1 user thanked author for this post.
    • #196315 Reply

      Jim VS
      AskWoody Plus

      Susan – as a follower of yours for several years I can only say thank you for all your work in these trying times.

      I’m not a business user, but your efforts over the years have spilled into our world of jousting with the Micrometer’s  fiddling with our small biz users.

      I’m glad to see you affiliated with Wood Land, and I hope that you and we will learn and serve to make the last years of W7 and its brethren a useful launching pad for a future that may in fact help us to still be online and actually spending our time and efforts in a useful way.

      jimzdoats

      2 users thanked author for this post.
      • #196316 Reply

        ch100
        AskWoody_MVP

        Totally with you on this. Highly useful to businesses of all sizes and non-business users.

        • #196323 Reply

          anonymous

          Thx ch100.

    • #196331 Reply

      anonymous

      Just came back from my doctor, and he was complaining his Win 10 had upgraded, again. And now his home group was gone. He said he was so d*** tired of Windows now. Every single time it updates something breaks and he has to call support. At home he’s switched to Mac, at work he can’t because of some piece of software.

      I think Microsoft is seriously underestimating how sick and tired people are of their update games. I’m glad I personally switched mostly to Linux, and what still runs on Windows can crash for all I care, it’s not critical.

      Time to buy Apple stock. I think they can profit handsomely from this situation.

    • #196349 Reply

      MrJimPhelps
      AskWoody_MVP

      If an administrator wants them you can manually import them from the catalog into WSUS BUTTTTTTTT make sure you also match up these updates with the corresponding Servicing stack update.

      I’m simply not willing to go through all of this hassle. A person has to do WAY too much detective work just to properly keep up with it all. Either that, or simply cave to installing whatever updates Microsoft wants to feed to your computers.

      Not to be repetitive, but my time would be far better spent in making Linux work than in keeping up with all of the Windows foolishness.

      Group "L" (Linux Mint)
      with Windows 8.1 running in a VM
      3 users thanked author for this post.
    • #196356 Reply

      Jan K.
      AskWoody Lounger

      And here’s the head scratcher…… recently updates like https://support.microsoft.com/en-us/help/4103714 – the second 1709 update released during May and https://support.microsoft.com/en-us/help/4103722 the second 1703 update released during May didn’t end up on WSUS. Why? I’m honestly not sure. Granted they include no new security updates. Granted they are just bug fixes, but clearly someone at Microsoft deems them not important enough to deliver them to the business patching platform.

      Have you thought of the incidental factor?

      Still scratching my head as to why some of the second of the monthly updates are and are not in WSUS. The SSUs of KB4132649 (1703) and KB4132650 (1709) are up in WSUS. Man I have an itchy head.

      See?!

      Since their upload selection procedure isn’t following any consistent pattern, that only supports my “it’s coincidental”-theory…

      So no need for any head scratching anymore, as there’s really nothing to try to understand. 😀

    • #196592 Reply

      Sueska
      AskWoody Plus

      Several of my systems tend to get seriously out of date and I occasionally use WSUS offline to update them. My Win 8.1 system was last updated in Oct 2017 and ~ March 2017 for the .NET framework. This is what I did to bring it up to date. The WSUS options were checked to include Defender definitions, C++ runtime libs. and .NET framework, Service Packs, and Use Security Only Updates instead of Rollups.

      The following updates were installed.

      kb4014562 April 2017 Security Only .NET Framework 4.52 for Win 8.1

      kb4014595 May 2017 Security Only .NET Framework 4.52 for Win 8.1

      kb4040958 Sept 2017 Security Only .NET Framework 4.52 for Win 8.1

      kb4048961 Nov 2017 Security Only Quality Update for Win 8.1

      kb4054170 Jan 2018 Security Only .NET Framework 4.5.2 for Win 8.1

      kb4054522 Dec 2017 Security Only Quality Update for Win 8.1

      kb4056898 Jan 2018 Security Only Quality Update for Win 8.1

      kb4074597 Feb 2018 Security Only Quality Update for Win 8.1

      kb4088879 March 2018 Security Only Quality Update for Win 8.1

      kb4093115 April 2018 Security Only Quality Update for Win 8.1

      kb4095517 May 2018 Security Only .NET Framework 4.5.2 for Win 8.1

      4103715 May 2018 Security Only Quality Update for Win 8.1

      4103768 May 2018 Cumulative Security Update for IE 11 for Win 8.1

      Flash

      Defender

    • #197577 Reply

      Neil Gascoigne
      AskWoody Lounger

      Hi

      First post and un-lurking.

      Reviewing the June updates today via AskWoody, I see on the referred ghacks post a need for a May servicing stack update (SSU).  Which made me think, yup, probably not yet deployed within my WSUS server.  I take the cautious route for only releasing security, rather than functional, updates so SSUs are classified within the “Updates” class.

      I think Susan must have been thinking about this recently because via a search, this pretty much came within the first few results:

      https://partnersupport.microsoft.com/en-us/par_clientsol/forum/par_win/question-about-servicing-stack-updates/48fbc36e-625f-45a6-9c21-840a0a6cb061

      Seemingly didn’t get very far?  If only WSUS had a regex filter… 🙂

      I’ll just add a +me too because missing these SSUs is annoying and means you have to keep reading resources like here (thanks Team Woody) like a hawk.

      1 user thanked author for this post.
