• Windows 10 21H2 Patch Strategy

    #2501170

    I like to have alternative ways of doing things and I’m wondering if it will cause problems to download individual patches from the MS catalog and install each one separately without using Windows Update. While downloading/installing from the MS catalog I would have Windows Update paused. After I’m done I would unpause, give WU a chance to check for updates and then pause again.

    I used to patch from the MS catalog with Win 7 and 8.1 without causing any problems, but MS seems to exert undue control over WU in Win 10 so I’m wondering if there’s something about this proposed method that would cause WU to have the computing equivalent of a conniption fit.

    3 users thanked author for this post.
    • #2501171

      The whole point of Update Orchestrator (which underpins Windows Update) is to download then determine the correct order in which to apply updates when there is more than one of them.

      IMO you therefore run a risk installing updates manually without any knowledge of MS’ background rationale, e.g. dependencies.

      (Note: My comment doesn’t apply to Defender updates. They piggy-back on Update Orchestrator by default but fall back to using BITS as a download mechanism as there’s no specific order to installing them.)

      Hope this helps…

      3 users thanked author for this post.
      • #2501172

        Thanks. That’s the sort of thing I was wondering about. It never seemed to make any difference with W7 or 8.1. Usually there was a .NET that I installed first and then the Rollup, and all seemed well (not arguing, just noting my observation). Maybe I was just lucky!

        • #2501175

          Earlier versions of Windows didn’t make as much use of the WinSxS (side-by-side) methodology of managing conflicting dependencies as WinSxS was still in its infancy.

          Update Orchestrator sends info back to MS servers for the best installation order to be determined that won’t upset your local OS ecosystem.

          1 user thanked author for this post.
        • #2501196

          Interesting. If there are 4 patches offered, but one of them is deferred/hidden with something like Wushowhide, then are the remaining 3 ordered by Update Orchestrator? Does the ordering only consider the 3 patches that aren’t hidden, or does the Orchestrator know one of the 4 is missing and account for that when ordering the other 3?

          1 user thanked author for this post.
          • #2501370

            Cumulative update

            .NET update

            Office updates

            Drivers

            Occasional update that gets offered up to consumers

            I’ve not seen four patches offered up that really care about the order to the best of my knowledge.

            Susan Bradley Patch Lady

            1 user thanked author for this post.
    • #2501236

      The simple solution is to use WUmgr and control updates (hide/install).
      On Windows 10 Pro you should just set only 1 setting : ‘Notify..= 2’
      (You can add blocking Drivers install, Previews install..)
      On Windows home use ‘metered’..

      https://www.askwoody.com/forums/topic/60002-guide-to-using-wumgr-for-windows-10-updates/

      https://www.askwoody.com/forums/topic/2000016-guide-for-windows-update-settings-for-windows-10/

      1 user thanked author for this post.
      • #2501247

        Thanks Alex. I’m really just wondering if there are other ways to install patches without relying on a program like WUmgr, which as I understand it still does rely on Windows Update. My opinion is that unless I run the risk of doing something inadvertently harmful to my system, I am better off having as much direct control over patching as possible.

    • #2501246

      Interesting. If there are 4 patches offered, but one of them is deferred/hidden with something like Wushowhide, then are the remaining 3 ordered by Update Orchestrator? Does the ordering only consider the 3 patches that aren’t hidden, or does the Orchestrator know one of the 4 is missing and account for that when ordering the other 3?

      The simple answer is that I don’t know. You’re asking about a “pick’n’choose” method which I have never used, so I have no knowledge or experience with which to answer.

      The ‘patch strategy’ I use is to pause *all* updates until a time that’s convenient for me then take a backup image, unpause Windows Update and let Update Orchestrator do its thing.

      My thinking is that I won’t allow Microsoft to fiddle with its OS on *my* devices when it chooses. However, when I allow the Windows Update mechanism access, I’ll rely on Microsoft’s (hopefully) much greater knowledge that it knows what it’s doing. (Yeah, I know… that last part is sometimes a bit of a stretch. 🙂 )

      We all have to choose what works best for us. I’m basically lazy and not much interested in spending any more time on Windows Updates than I absolutely have to (hence why I never post in any of the topics here or elsewhere about individual updates… it’s just not my thing).

      Hope this helps…

      1 user thanked author for this post.
      • #2501249

        I also use your strategy and so far it’s worked fine. Sometimes, though, when I unpause and there are 3 or 4 updates, it seems a bit of a log jam is created, with all 4 updates downloading/installing at the same time. There are plenty of times when it would be more convenient to patch in a piecemeal fashion to better fit my schedule. And, I like to have as much direct control as possible over patching (as little reliance on programs like Wushowhide, etc.)

      • #2524086

        I also update this way on my Win 10 Home pc.

        However with all four of my former Win 8.1’s I was strictly “Group B” for years only installing the monthly security updates and SSU’s along with .NET updates.

        It took me a long time to get used to the Win 10 OS and way of patching after I bought the new pc 3 years ago. I pause updates until the askwoody DEFCON changes and use wushowhide to defer mainly driver updates. So far I’ve had few problems (knock on wood).

        Now that I updated all of the Win 8.1’s to Win 10 machines last month I will go ahead and use this same method.

         

        "An analog kid in a digital world"

        Win7 Ultimate home built desktop Running 0patch Pro

        Win 8.1 desktop & two 8.1 laptops (just updated to Win 10)

        Win 10 Dell desktop

        and two very old home built Win XP desktops (offline for use with an old Epson Photo scanner)

        1 user thanked author for this post.
    • #2501253

      Sometimes, though, when I unpause and there are 3 or 4 updates, it seems a bit of a log jam is created, with all 4 updates downloading/installing at the same time.

      Yep, it’s multi-threaded, designed to download Windows Updates (and Defender updates – both engine and definitions) as quickly and conveniently as possible to a staging area (%windir%\SoftwareDistribution) on your device before Update Orchestrator’s ‘arbiter’ service takes over to make the decision about which order to install them.

      Have a read of How Windows Update works. Once I saw how much thought had gone into creating a logical and organised decision-based ‘flow’, I decided not to interrupt it or fiddle with it… just delay it until a time that was more convenient for me.

      (Note that ‘metered connection’ download restraints will be ignored if Microsoft deem a threat is significant.)

      Hope this helps…

      1 user thanked author for this post.
    • #2501273

      without relying on a program like WUmgr, which as I understand it still does rely on Windows Update.

      WUmgr just displays the list of available updates so you get to select what and when to hide / install. Every update hidden can be unhidden and installed.
      When you select to hide, updates don’t download, so it is no different from downloading from the catalog and you gain catalog search time…

      1 user thanked author for this post.
    • #2501295

      Another concern is “Are you getting the necessary patches?”

      In WU, you see the Monthly Cumulative Update listed. But have you ever seen in WU the SSU listed? That is certainly a necessary patch, as it is the update for the Windows Update mechanism itself. The SSU has to be installed uniquely (by itself) and cannot be a part of another update. In WU, it is not listed, but it is bundled with the CU. Have you seen it listed in WU or the Catalog?

      3 users thanked author for this post.
      • #2501362

        Yes, that is part of my concern/question.

        In Win 8.1 I can (and do) download the SSU from the Catalog and install it by itself. In Win 10, the support pages for the CUs say that the latest SSU is bundled and installed with the CU. So I think I’m covered regarding the SSU. Then the question is whether other patches are bundled with a CU with no statement from MS that they are.

        What’s really driving my question is that in my experience with MS, things are going to break. It’s not if, but rather when. When the when happens I like to have alternative ways of getting things done, that are quick and relatively easy and straightforward, rather than jumping into a rabbit hole with no idea when I will come out.

        • #2501376

          As far as I know, the SSU is bundled with the CU only in WU.
          If you look at the Download of the CU, there is only one file.

          1 user thanked author for this post.
          • #2501378

            I wonder how this statement should be interpreted (seems a bit obtuse to me, but then I don’t have an advanced degree in Microsoftese):

            “Starting in February 2021, the cumulative update will include the latest servicing stack updates, to provide a single cumulative update payload to both Windows Server Update Services (WSUS) and Microsoft Catalog.”

            which came from

            https://learn.microsoft.com/en-us/windows/deployment/update/servicing-stack-updates

            • #2501381

              Try downloading the CU and installing it manually. Look in installed updates and see if a new SSU is there.

              1 user thanked author for this post.
    • #2501387

      @DrBonzo (DrB)-

      What I’ve done since the late days of Windows XP and on is use Windows Update (WU) to download and install the patches one at a time and in numerical order unless the KB article for an update says that it needs another patch that was released at the same time to be installed first.

      I’ve done this because of having helped a friend get his machine that needed several months’ worth of patches get updated once and seeing WU make a mess of things (so bad that the machine’s drive had to be formatted and XP installed from scratch). And that still didn’t fix all of it, but the machine was usable enough to buy him some time to buy a new machine. In all fairness, my friend and I contributed to the mess because since the downloading was taking a long time, we decided to let WU finish downloading and installing the patches on its own without our watchful eyes to keep tabs on things.

      Back to the present. I currently have Windows 10 Pro x64 build 19044.2251, so I’m fully updated to include the November patches. What I’ve always done with Windows 10 is to use wushowhide to hide the month’s updates when they are released and then unhide them one at a time when Susan gives the all clear to install them.

      For example, this month, I first unhid MSRT (KB890830) and “installed” it with Windows Update, letting it run to completion, verifying that it didn’t find anything afterwards by looking at its log in \Windows\debug\mrt.log and scrolling to the bottom for the latest entry. Then, I unhid this month’s cumulative update (KB5019959) and allowed WU to install that, rebooting after the “Reboot now” button appeared in WU. After letting the machine sit a bit after rebooting to make sure that all the “housekeeping” was completed, I then unhid the .net patch for this month (KB5020687) and let it run to completion. I have two machines that are nearly identically configured, and on one of them WU requested a reboot after installing the patch and on the other it did not. I rebooted in BOTH cases, just to be sure, and allowed each machine to sit to allow the “housekeeping” to finish.

      So, I’ve been using WU to install each month’s patches individually (mostly in numerical order) for many years with no ill effects (unless I didn’t pay attention to any prerequisites).

      As far as the Servicing Stack Update (SSU) goes, since MS started bundling them with the month’s updates, I’ve consistently noticed that WU will begin d/l’ing the month’s patch and will get to 100% downloaded, but the network activity will still be going on for a while longer. What I believe is happening is that WU is first d/l’ing the SSU and then d/l’ing the month’s actual patch (or the deltas if MS still releases those). After the downloading is complete, as evidenced by the lack of network activity, WU then installs the SSU, whose progress goes from zero to 100% fairly quickly. After installing the SSU, WU then proceeds to install the monthly patch, whose progress is much slower towards 100% than the SSU. Most every time, the monthly patch’s installation pauses for a bit (maybe one minute or a bit longer) at 73 or 74%, then proceeds to completion. I haven’t noticed that behavior with the SSU installation.

      This method isn’t the quickest by far. In fact, it is probably the SLOWEST way to do the monthly updates from MS. BUT, if there are multiple updates in a month and one of them causes issues immediately after installation, I know just which one to uninstall with no guesswork. However, in today’s Windows 10 world, WU is much better at automatically uninstalling errant/miscreant patches with no intervention needed by the user.

      I hope this helps your non Linux side a bit!

      1 user thanked author for this post.
      • #2501425

        On W8.1 I do what you describe above. I install any required SSU from the Catalog, then use WU to install the .NET by itself, and then WU to install a Rollup by itself, restarting after each if required. I don’t pay attention to numerical order of KB numbers. This method is what got me to wondering if a similar thing would work on W10.

        I’ve noticed the same behavior you describe in your 6th paragraph on a W10 Home and a W10 Pro. I’ve got a test machine with Pro on it and I’ll try dl/installing the November CU on it from the catalog and seeing if an SSU shows up in Installed Updates as per @PKCano’s suggestion above.

        • #2501431

          Per PK’s description, I gotta feeling you’ll see it in the list of Installed Updates once you install the monthly update you d/l from the Catalog.

          I don’t do that, though, and very rarely have. I’ve mostly always let WU do the d/l’ing and installing. Only updates (Windows 7 or 10) that I’ve ever gotten from the Catalog are ones that I’ve needed that haven’t been released to the WU channel, like a few out of band updates.

    • #2501444

      @DrBonzo I happened to download from the catalog this month and did a manual install of 2022-11 Cumulative Update for Windows 10 Version 21H2 for x64-based Systems (KB5019959). When I select View Update history, I see KB5019959 installed on 11-11-22. When I select the Uninstall Updates link I see both KB5019959 and an SS 10.0.19041.2180 listed for 11-11-22. This implies to me that the SSU was included in the cumulative update. Hopefully you can confirm the same thing. The reason I installed manually was because sometimes it takes several hours to complete an update. My system can hang on downloading updates zero percent left for up to an hour. The manual download from the catalog was so much quicker.

      2 users thanked author for this post.
      • #2501453

        Thanks for letting me know. My recollection of installations from the Catalog is that they are much faster. And I’ve just installed the CU, KB5019959, from the Catalog on my test machine. The CU and the SSU both show when I look at Uninstall Updates.

        2 users thanked author for this post.
    • #2501470

      The CU and the SSU both show when I look at Uninstall Updates.

      If you watch the update progress you will notice that there is an update reaching 100% (SSU) then another update starts and reaches 100% (CU).

      1 user thanked author for this post.
      • #2501472

        Yes, that’s what happens when you install using Windows Update. But when you install from the Catalog, the progress indicator bar reaches 100% only one time. It doesn’t appear to be a 2 step process even though it apparently is.
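
Added example, not part of any post in this thread: a scripted version of the check the posters did by eye in "Uninstall Updates" after installing KB5019959 from the Catalog, confirming that a servicing stack package went in alongside the CU. It assumes the packages can be recognised by 'ServicingStack' and 'RollupFix' in their component-store names, and the 24-hour window is an arbitrary choice for this example.

```powershell
#Requires -RunAsAdministrator
# Added example. Get-WindowsPackage reads the component store and needs elevation.

$kb = 'KB5019959'   # the CU named in this thread; change it for other months

# 1. Is the CU itself recorded as installed?
$cu = Get-HotFix -Id $kb -ErrorAction SilentlyContinue
if (-not $cu) { Write-Warning "$kb is not listed as installed." }

# 2. Installed servicing-stack and cumulative-update packages, oldest first.
#    Assumption: their package names contain 'ServicingStack' / 'RollupFix'.
$pkgs = Get-WindowsPackage -Online |
    Where-Object { $_.PackageState -eq 'Installed' -and
                   $_.PackageName -match 'ServicingStack|RollupFix' } |
    Sort-Object InstallTime

$pkgs | Format-Table PackageName, ReleaseType, InstallTime -AutoSize

# 3. Did the newest SSU arrive together with the newest CU?
$ssu    = $pkgs | Where-Object PackageName -match 'ServicingStack' | Select-Object -Last 1
$rollup = $pkgs | Where-Object PackageName -match 'RollupFix'      | Select-Object -Last 1

if ($ssu -and $rollup) {
    # Absolute time between the two installs, whichever came first.
    $gap = ($rollup.InstallTime - $ssu.InstallTime).Duration()
    [pscustomobject]@{
        CumulativeUpdate  = $rollup.PackageName
        ServicingStack    = $ssu.PackageName
        InstalledTogether = $gap.TotalHours -lt 24   # example threshold
    }
} else {
    Write-Warning 'No installed servicing stack or cumulative update package matched the name filter.'
}
```

The servicing stack version shown in "Uninstall Updates" should correspond to the version suffix of the matching package name.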
