Patch Lady – so why did I get that?

[Susan Bradley]

So two interesting things about recent patching related topics: Thing one:  Why is .NET installing differently than Windows 10.  So we started to get
[See the full post at: Patch Lady – so why did I get that?]

Susan Bradley Patch Lady

7 users thanked author for this post.

lmacri, CBA, GreatAndPowerfulTech, howardagoldberg, abbodi86, woody, Elly

Reply | Quote

[woody]

That’s the .NET update behavior I talked about in the article this morning:

https://www.computerworld.com/article/3567816/microsoft-releases-some-optional-non-security-cd-week-win10-patches-avoid-them.html

When I clicked “Resume updates,” I got the .NET patch. Boom. There was no “Download and install” offered.

I still don’t see the version 1909 cumulative update Preview being offered.

2 users thanked author for this post.

GreatAndPowerfulTech, howardagoldberg

Reply | Quote

[EP]

woody

checking for updates on my LTSC 2019 v1809 system and it automatically downloaded & installed the KB4567327 .NET update preview on there

ditto on my other machine but running v1909 – checking for updates seemed to automatically download & install the KB4562900 .NET update preview

looks like the recent .NET preview updates don’t seem to be “optional” to me when checking for updates

• This reply was modified 7 months, 1 week ago by EP.

1 user thanked author for this post.

woody

Reply | Quote

[anonymous]

Here’s a new one that I haven’t seen mentioned (and cant find a reference to) anywhere else. It appears that cumulative Windows update for July 2020 KB4565483 breaks (or at least temporarily hobbles) the way local non admin-only group policy works in Windows 10 1909.

I have kind of a non-standard use case, which might explain why I haven’t heard anyone else talking about this.

I make use of local non admin-only group policies to manage access to public Windows 10 desktops that are not in a domain, and I use a lot of scripting over Openssh to manage it. It usually works really well. but KB4565483 has thrown a wrench into it.

Basically, once KB4565483 is applied, making a user a member of local administrators group via the command line, like…

net localgroup administrators lpublic /add

will no longer exempt them from the LG policy restrictions as it should. Even though user “lpublic” is a member of local group “Administrators” the restricting GP is still applied as if they’re not.

Removing KB4565483 makes it start working normally again.

The weird thing is that you can make the application of the GP start working again without uninstalling the update by making the user administrative via the control panel GUI from another administrative account, then logging out and back into the target account (in this case “lpublic”).

Once you do this, toggling it from an administrative command prompt via the “net” command will work again from that point forward. Unless you take that step though, regarding GPO, the account will be treated as non-administrative, whether they are really administrative or not.

The control panel thing works, but obviously it’s a big [pain] to log in and out multiple times with the GUI on a bunch of machines (close to 300).

I’m experiencing this behavior in Windows 10 Enterprise 1909. I have no idea what’s going on behind the scenes to make it behave this way, but I’ve spent the better part of the day verifying this on multiple machines and looking for the easiest possible way to work around it.

I’d be interested to see if anyone else can confirm this behavior.

 

3 users thanked author for this post.

Great Lake Bunyip, wavy, woody

Reply | Quote

[Paradroyd]

FYI..I posted this comment regarding local group policy and KB4565483 before I’d created my account.

1 user thanked author for this post.

woody

Reply | Quote

[woody]

Welcome to the group!

Reply | Quote

[Paradroyd]

Thanks.

It occurs to me that maybe I should have posted that somewhere else, but I don’t quite know my way around here yet. Feel free to move it to someplace that makes more sense if you want to.

Reply | Quote

[abbodi86]

– .NET, Flash and cpu Microcode updates are pushed whenever you click “check for updates”, whether they are preview or security
because they are handled by the legacy WU agent

the new “click to install now” section is for feature and cumulative updates (and recently Edge Chromium), which are handlled by UUP agent

while that don’t explain you exerient, but i think auto scheduled scans can also detect the preview .NET updates

– Juste tested, deferring 254 days or higher on ver 1809 gives ver 1903

6 users thanked author for this post.

Elly, Alex5723, woody, geekdom, PKCano

Reply | Quote

[woody]

That explains the behavior… but, man, is it weird! Makes no sense at all.

I still don’t see the Preview for 1909 on my production machines….

Thanks for the double-check on the forced 1809-to-1903 upgrade. That’s unconscionable. After telling us that MS had deferred the end of service date by six months, they just started clawing back almost four months.

So much for the “helping IT cope with Corona” drivel.

2 users thanked author for this post.

doriel, GreatAndPowerfulTech

Reply | Quote

[abbodi86]

I also don’t get the Cumulative Update Preview for Windows 10 Version 1909 (18363.997) except after joining Release Preview Channel or setting the TargetReleaseVersion policy/registry

same goes for Cumulative Update Preview for Windows 10 Version 1809 (17763.1369)

3 users thanked author for this post.

woody, howardagoldberg

Reply | Quote

[WCHS]

I’m Win10/Pro, version 1909 and have Feature Deferral set to 365 days (intended to put off version 2004). I also have GPE for Windows Update set to ‘2’ notify download/install. I use wushowhide to hide the current month’s updates until MS-DEFCON=3+.

The July 21 Week “C” Optional CU Preview KB4559004 did not show up in the WU queue for me to hide it. It looks like this is because it’s not in the legacy WU queue. And furthermore, it won’t become available anytime soon for “download and install now” because Feature Deferral is set to 365 days.

But, as I am reading this now, I just realized that says Cumulative Updates, Optional or not. So, does this “bifurcated mess” mean that the upcoming August 11 Patch Tuesday CU will not appear in the WU queue either (and thus, it will not be available to be hidden until MS-DEFCON reaches 3+)? And that instead, it will remain deferred for 365 days?

If so, that’s not what I want– I don’t want 2004 anytime soon, but I will want the August CU before the release of the Sept CU!!

Reply | Quote

[PKCano]

The August CU is a Quality Update, not  a Feature update. The 365 days applies to Feature updates (v2004) not Quality updates (CUs).

I may be wrong, but I don’t believe the .NET updates fit in either category.

• This reply was modified 7 months ago by PKCano.

Reply | Quote

[WCHS]

OK.  I remember that now — Patch Tuesday CU = Quality Update.

but a Week “C” Optional Cumulative Update Preview is in the same category as a Feature Update?

Reply | Quote

[abbodi86]

but a Week “C” Optional Cumulative Update Preview is in the same category as a Feature Update?

Yes, thus it’s affected by Feature Deferral

the “B” Security CU is affected by Quality Deferral

2 users thanked author for this post.

Coldheart9020, PKCano

Reply | Quote

[PKCano]

OK, I have never been offered the “Preview” C/D/E week patches with Feature deferral set at 365 days. And I have found I am now unable to clear the update queue after I have hidden .NET patches (CUs, not marked Preview) with wushowhide (AKB2000013 procedure to clear queue). Has something changed in the update mechanism

Reply | Quote

[abbodi86]

Nothing i’m aware of
Settings WU page always tend to be difficult
you could try these command to clear the queue
https://pastebin.com/Ec5SxTMg

after UsoClient.exe RefreshSettings, wait a few seconds before opening WU page and running UsoClient.exe StartScan

1 user thanked author for this post.

PKCano

Reply | Quote

[WCHS]

PKCano wrote:

I may be wrong, but I don’t believe the .NET updates fit in either category.

Speaking of .NET updates, when KB4565633 (2020-07) Cumulative Update for .NET became available July 14, I hid it.  I checked wushowhide a number of times afterwards to make sure it was hidden.  Then, on July 21, KB4562900 (2020-07) Cumulative Update Preview for .NET was released and I hid it, too.

Now, KB4565633, released July 14, no longer shows up in wushowhide.  Only KB562900 shows up (hidden).  Is this because the latter superceded the former (i.e, a later preview update can supercede an earlier Patch Tuesday (non-preview) update)?

Reply | Quote

[PKCano]

Exactly correct. With a cumulative update, the one before is included in the current. So including the earlier one would be redundant.

Reply | Quote

[WCHS]

abbodi86 wrote:

… feature and cumulative [preview] updates (and recently Edge Chromium), which are handlled by UUP agent

@abbodi86: I understand that version 2004 is a Feature Update and will have a “Download and install” button. Is it handled by the UUP agent? (and so not available for wushowhide to hide)??

Attachments:

You must be logged in to access attached files.

Reply | Quote

[geekdom]

My understanding is that while 2004 is a Feature update, it doesn’t have a Download and Install button. If you click Check for Updates and 2004 decides it is ready for your system, 2004 is installed on your system.

On Hiatus {with backup and coffee}
offline▸ Win10Pro 2004.19041.572 x64 i3-3220 RAM8GB HDD Firefox83.0b3 WindowsDefender TRV=1909 WuMgr
offline▸ Win10Pro 20H2.19042.685 x86 Atom N270 RAM2GB HDD WindowsDefender WuMgr GuineaPigVariant
online▸ Win10Pro 20H2.19042.804 x64 i5-9400 RAM16GB HDD Firefox86.0 WindowsDefender TRV=20H2 WuMgr

• This reply was modified 6 months ago by geekdom.
• This reply was modified 6 months ago by geekdom.

Reply | Quote

[WCHS]

geekdom wrote:

My understanding is that while 2004 is a Feature update, it doesn’t have a Download and Install button.

Interesting … the screenshot showing a “Download and install button” came from a Microsoft Windows Update Team video at How to get the Windows 10 May 2020 Update version 2004

Reply | Quote

[WCHS]

Has anyone encountered a WU display for Feature Update to Windows 10, version 2004 with a ‘Download and install’ button? What are the circumstances under which it appeared?

I am talking about a screen like this:

Attachments:

You must be logged in to access attached files.

Reply | Quote

[WCHS]

geekdom wrote:

My understanding is that while 2004 is a Feature update, it doesn’t have a Download and Install button.

Has anyone encountered a WU display for Feature Update to Windows 10, version 2004 without a ‘Download and install’ button? What are the circumstances under which it appeared?

Reply | Quote

[abbodi86]

wushowhide can hide UUP updates too
but it cannot show or hide the new OptionalInstall updates (AKA the “Download and install” button)

Reply | Quote

[WCHS]

abbodi86 wrote:

wushowhide can hide UUP updates too
but it cannot show or hide the new OptionalInstall updates (AKA the “Download and install” button)

@abbodi86: The Microsoft Windows Update Team video here shows a “Download and install” button.

So, can wushowhide hide the 2004 Feature Update? or not?

1 user thanked author for this post.

jburk07

Reply | Quote

[abbodi86]

In this case, no it cannot

2 users thanked author for this post.

jburk07

Reply | Quote

[howardagoldberg]

woody wrote:

That’s the .NET update behavior I talked about in the article this morning:

https://www.computerworld.com/article/3567816/microsoft-releases-some-optional-non-security-cd-week-win10-patches-avoid-them.html

When I clicked “Resume updates,” I got the .NET patch. Boom. There was no “Download and install” offered.

I still don’t see the version 1909 cumulative update Preview being offered.

As per my post this morning )https://www.askwoody.com/forums/topic/1909-2004-feature-update-notification-blocking-optional-updates-2/), this is exactly what I was reporting/asking about. I guess it is, at least, a cold comfort to know it’s nothing wonky with ‘my’ system!

1 user thanked author for this post.

woody

Reply | Quote

[Berserker79]

Several folks have indicated that their 1809’s have recently been pushed to install 1903.  Given that servicing doesn’t end right now in July, the only thing I can think of is that a whole bunch of folks did a 365 deferral right about now this time last year.

Windows 10 1809 Home here and starting this month’s Patch Tuesday my system went through a first attempt to install 1903 (avoided with wushowhide), suggesting that the push to 1903 is not necessarily the result of having Pro with a 365 deferral set this time last year.

1 user thanked author for this post.

woody

Reply | Quote

[CBA]

“…the only thing I can think of is that a whole bunch of folks did a 365 deferral right about now this time last year.”

Still on 1809 Pro and got a push today to install 1903.  But, I set deferral to 365 much earlier, during 2nd half of May 2019.

In this connection, are there any cons with updating from 1809 to 2009 directly?  I’m happy with 1809 and don’t really want to do a two-step (e.g., via 1909) update.  Thanks.

1 user thanked author for this post.

woody

Reply | Quote

[woody]

You mean directly upgrade 1809 to 1909?

I don’t see any harm in it. 1909 and 1903 have had the same bugs, and the same patches, for several months.

Reply | Quote

[CBA]

woody wrote:

You mean directly upgrade 1809 to 1909?

I don’t see any harm in it. 1909 and 1903 have had the same bugs, and the same patches, for several months.

No, directly from 1809 to 2009 per Susan’s write-up (If you are in this same boat where your plans are to jump over a version or two or three and get to 2009 (20H2) …).

1 user thanked author for this post.

woody

Reply | Quote

[PKCano]

Do you really want 2009 when it first comes out?

Reply | Quote

[woody]

Ach. I understand.

I’ve become accustomed to the new-new-new numbering scheme:

• 1803
• 1809
• 1903
• 1909
• 2004
• 20H2
• 21H1

Which may or may not come to fruition.

Until they change it again….

Reply | Quote

[CBA]

PKCano wrote:

Do you really want 2009 when it first comes out?

Probably not.  I used 2009 as a reference based on Susan’s posting.  I don’t even know when 2009 will be offered or okay to install.  Maybe better to go for 1809 to 1909 (or 2004).  Any suggestions?

And if I install 1909 (I have the ISO), how long can I keep this version before being forced to update?  By available “delay” settings in GP and elsewhere.  Ditto for 2004.

Frankly, the world is in a mess .. and I really don’t need this constant worrying that W10 will be taking over the update stuff and tell me what to do.

1 user thanked author for this post.

woody

Reply | Quote

[PKCano]

Woody recommends v1909. It is good until May 2021 (See EOL factsheet).
V1909 is relatively stable. V2004 is not yet there.
If you have Pro, set the Feature deferral to 180 days should give you v1909 the next time Windows checks for updates. That will be a later Build than the ISO you have. Or use the ISO (run setup.exe from within v1809).

1 user thanked author for this post.

Coldheart9020

Reply | Quote

[CBA]

Thanks.  I know Woody recommends 1909 .. he has for some time.  I probably won’t do anything before early autumn and by that time 2004 may be “there” (with EOL December 14, 2021).

Reply | Quote

[Susan Bradley]

On my older Surface that still has 1903 (I think – I’ll need to double check tonight) it has the .net optional offering in the GUI even before you “check for updates”.  On my 1909s it does not.

Susan Bradley Patch Lady

1 user thanked author for this post.

woody

Reply | Quote

[EP]

my bro’s new HP Spectre x360 15-df laptop also uses v1903, Susan
I have to check his HP laptop later today if the optional .net patches show up and whether if they automatically install or not

• This reply was modified 7 months, 1 week ago by EP.

1 user thanked author for this post.

woody

Reply | Quote

[woody]

Big question for me is how “Pause updates” interacts with all of this.

1 user thanked author for this post.

doriel

Reply | Quote

[doriel]

I think some diagram from MS would be nice. I like diagrams. It brings me inner peace in this stochastic world.

Dell Latitude E6530, Intel Core i5 @ 2.6 GHz, 4GB RAM, W10 1809 Enterprise

HAL3000, AMD Athlon 200GE @ 3,4 GHz, 8GB RAM, Fedora 29

4 users thanked author for this post.

Myst, wavy, woody

Reply | Quote

[abbodi86]

FYI, the .NET KB4562900 article (and other Preview .NET updates) had been modified and corrected
the “In the Optional updates available area, you’ll find the link to download and install the update.” part is removed

3 users thanked author for this post.

Elly, Microfix, woody

Reply | Quote

[Just Another Geek]

Hi folks,

I installed the v2004 ADMX policies to gain access to the “Select the target Feature Update version” option.

Does anyone know the abilities/limitations of this?  I’d love to be able to enter a target version of 2050 for effectively manual control, if this truly works for all versions since 1803.

Reply | Quote

[Just Another Geek]

I want to stay on a specific version

If you need a device to stay on a version beyond the point when deferrals on the next version would elapse or if you need to skip a version (for example, update fall release to fall release) use the Select the target Feature Update version setting instead of using the Specify when Preview Builds and Feature Updates are received setting for feature update deferrals. When you use this policy, specify the version that you want your device(s) to use. If you don’t update this before the device reaches end of service, the device will automatically be updated once it is 60 days past end of service for its edition.

Other sources confirm this… So if I want to stay on 1909 until I choose otherwise (or July 10, 2022, whichever comes first), I should use 1909 as the version parameter. If I’m understanding correctly.

Reply | Quote

[anonymous]

Just curious if anyone has noticed that after the July .Net Preview is installed you are unable to launch Windows Security? I have only tested this on Server 2019, all logs make me feel like its applying the security policies but you cant launch the GUI… or is this just me?

1 user thanked author for this post.

woody

Reply | Quote

[woody]

I haven’t heard of the problem, and can’t find it listed anywhere.

But of course that’s far from definitive.

Reply | Quote

[anonymous]

Thanks, I really only noticed it because it seems to break Defender ATP reporting too. All of the 2019 Servers that installed it were reporting that they were missing basically every patch for .Net. After rolling back the patch, blocking it and just installing the GA July rollup patch manually the Windows Security GUI was restored and ATP began reporting that the Servers were up to date. I started a small thread in the Windows Defender ATP community here https://techcommunity.microsoft.com/t5/microsoft-defender-atp/bd-p/MicrosoftDefenderATP One person says they have the same issue with the update. Maybe the reporting and GUI issue are linked and wont be an issue if you aren’t using ATP? Or maybe this always happens when using ATP and installing Preview patches, but I wouldn’t know that since we don’t usually install them.

This is what happens when we don’t follow the rules Microsoft 🙁

Reply | Quote

[Susan Bradley]

The issue in ATP’s detection was fixed earlier this week.  Can you check to see if you are still seeing this?

Susan Bradley Patch Lady

Reply | Quote

[abbodi86]

WCHS wrote:

Has anyone encountered a WU display for Feature Update to Windows 10, version 2004 with a ‘Download and install’ button? What are the circumstances under which it appeared?

I am talking about a screen like this:

Pro version 1903
updated with August security updates (18362.1016), no deferrals, no TargetReleaseVersion, Appraiser and WaaSMedic tasks are disabled

i get version 1909 as optional feature update

i then enabled and ran “Microsoft Compatibility Appraiser” task
afterward, i get version 2004 as optional feature update

1 user thanked author for this post.

Reply | Quote

[WCHS]

abbodi86 wrote:

i then enabled and ran “Microsoft Compatibility Appraiser” task
afterward, i get version 2004 as optional feature update

Tell me more about Microsoft Compatibiity Appraiser. I find instructions for disabling/enabling it Method 2: Disable (/enable) CompatTelRunner.exe via Task Scheduler. Is this what you did (enable, not disable)? And then what is the run command to run it?

So then, running it brought up the WU screen for Feature Update to Windows 10, version 2004> with its “download and install” link?

Were you forced to run the CU Preview dotNET first before you could download and install 2004? Or were able to skip over the Download button for that and move on to the “download and install” link for 2004?

Reply | Quote

[abbodi86]

Run Task Scheduler taskschd.msc
Locate, enable and run task “Microsoft\Windows\Application Experience\Microsoft Compatibility Appraiser”
Keep refreshing task view until it report “operation completed successfully”

Reboot, then re-create WU scan queue using those commands
https://pastebin.com/Ec5SxTMg

I did not try to install either updates
but based on what is written under 2004 update, it seems to require installing pending updates first

WCHS wrote:

geekdom wrote:

My understanding is that while 2004 is a Feature update, it doesn’t have a Download and Install button.

Has anyone encountered a WU display for Feature Update to Windows 10, version 2004 without a ‘Download and install’ button? What are the circumstances under which it appeared?

if you set TargetReleaseVersion to 2004, you get it as regular update (no Download and install button)

likewise, if you set feature update deferral and the period is ended (e.g. 20 days)

3 users thanked author for this post.

Perq, geekdom

Reply | Quote

[WCHS]

abbodi86 wrote:

if you set TargetReleaseVersion to 2004, you get it as regular update (no Download and install button)

likewise, if you set feature update deferral and the period is ended (e.g. 20 days)

And then in these two cases, since there is no ‘Download and install’ button, will it show up in wushowhide and you can hide it? (Say you’ve changed your mind and you don’t want it yet).

Reply | Quote

[abbodi86]

Yes, if you set TargetReleaseVersion to 2004, it will show up in wushowhide

2 users thanked author for this post.

Perq, jburk07

Reply | Quote

[Author]

Posts