Replies

OscarCP wrote:

Thanks, by I am the sort that REALLY needs plain, simple and concise answers, not referral to documents whose applicability and relevance to my case might be (and who knows even then!) obvious to professional system administrators, no home users on foot, like me. So, still waiting here for an answer in plain English, concise and to the point. Oh Dear!

On your home network, do you connect to any non-Microsoft Windows-based file shares (such as a network attached storage device)? If so, you will need to check with the manufacturer of that box if they are SMBv2 capable/compliant. Or do you have a network attached scanner that sends files to your PC? Same thing, if the device can’t deal with SMBv2 shares, then you will have an issue.

Otherwise, if you just have a single PC, or two Windows PCs talking to each other (like a second home theatre PC’s share) you should be fine.

No matter where you go, there you are.

I released January to April in one hit last month after patches seemed to be stable.

The main problem seems to be that machines then showed up all over the place on which patches they needed.

I use Security Only via WSUS, the quality rollups are denied.

However, when trying to patch for the last four months, some workstations would just leave out one or two of the months randomly. January always seemed to get included, but then February and March showed up as being needed by about 25-30% of the servers (randomly), and just about all of them wanted April.

Now, the machines are reporting they don’t need any more patches, even when 2018-02 and/or 2018-03 were never applied. This is on a combination of servers running 2008R2, 2012 and 2012R2.

Even when I then let the servers scan against Microsoft’s update servers the extra patches don’t show up as needed.

No matter where you go, there you are.

On the plus side, less of the endless “Please upvote this post if it solved your problem” posts.

No matter where you go, there you are.

Things are getting weird in .NET territory.

Are we not getting group A and group B updates for .NET?

I haven’t seen this before, but this month for the first time, .NET updates now come in two flavours, “Security and Quality Rollup” AND “Security Only” Non-Rollup.

Did Microsoft announce that they are splitting out the .NET updates like this, like they had been doing for OS updates?

No matter where you go, there you are.

Curious behaviour continues when I approve the four 2018 Security Only updates.

After approving 4056897, 4074587, 4088878 and 4093108 (2018-01 to 2018-04) for my test fleet, these PCs only get offered (and installed) 4074587 and 4093108. 2018-01 and 2018-03 aren’t offered.

The WSUS console does not show those two updates being needed by PCs when they have received the other two patches.

However, when downloading 4088878 from the Update Catalog and running them manually on one of the test PCs, it still installs (if it was truly superceded, it would refuse, saying “this update is not applicable to this system).

So there is something very weird going on here.

(Having installed March after April, will this screw up the order of fixes or should they be independently working?)

No matter where you go, there you are.

ch100 wrote:

@perthmike Stop wasting time with details and approve all Monthly Rollups as they are offered. You can enable the supersedence column in WSUS and will show you what is superseded to avoid approving, only to save bandwidth and time in not downloading superseded updates. If you really want to get things simple you can approve Monthly Rollups AND Security Only updates and allow the Windows Update and CBS to sort out. This is a practice more common than you imagine. Approve only 2018-04 patches for now if you believe to be fully patched until December 2017. It is simple really, only people reading a lot of non-sense tend to make it more complicated than it is.

Nice “comment”, but you’re not helping. I patch for a government agency, and we have rules about not just patching the minute patches come out. We only patch critical updates, and only once the word is that the updates are working. And even then, we have to go through a rigorous regime of rolling patches out to test systems.

This whole saga of the January to March updates has shown that patching on the say-so of Microsoft is a bad idea, especially if it breaks things.

I am asking for technical help, not for the opinion of someone who believes in the gospel of St. Bill.

 

No matter where you go, there you are.

I fully agree and have held this view for a while now.

It’s also yet another avenue for Microsoft to get rid of older PCs with 7/8.x Windows and get them into the shiny new world of continuous revenue that is Windows As A Shafting (I mean, Service).

I’ve said it before, the ol’ 2952664 Free Windows campaign may be over in that form, but that doesn’t mean Microsoft isn’t trying to force people onto the new OS by other means. The dropoff rate of Windows 7 is so low that by the 2020 deadline, there’ll be so many boxes left in the corporate world, Microsoft will be forced to continue to provide updates or face a revolt. If, by hook or by crook, it can force these Windows 7/8.x installs to be broken by other means, Microsoft and chip/PC makers will do everything to encourage the buying of new PCs to ensure that.

No matter where you go, there you are.

2 users thanked author for this post.

Microfix, HiFlyer

You know things are <bleep> when you have to put in firewall rules to specifically block workstations from going direct to Microsoft servers despite all the settings you’ve put in place.

No matter where you go, there you are.

Quite aside from compromising system security, what bugs me is this concept of “unused processing power”. There is no such thing. I run low-power CPUs and GPUs for a reason, a) to reduce my power bill, b) keep my house cool in the hot Aussie summer, and c) to reduce the carbon footprint (I’m currently renting, so I can’t put solar panels on the roof). When I do use my PC at full power, it’s when I game, but that’s for an hour a day on average. In between that I try to be as energy conscious as possible.

I do subscribe ($) to some news sources I have faith in and want to support, but any others that want to gain access to my PC to earn some money off my processing power can b***** off.

No matter where you go, there you are.

2 users thanked author for this post.

OscarCP, Noel Carboni

Bill C. wrote:

Keep in mind as we on AskWoody are alarmed over these transgressions, the average user who is NOT using the home machine for work, is most likely oblivious, except for maybe waiting for the completion of the endless update/reboot cycles unless it actually makes the device unusable. Most home users turn off the PC when they are done.

Here in Australia home users, who may not have a landline/fibre connection at home and are using a pure mobile phone connection for all their internet, certainly ARE using, because a feature update may easily consume their whole monthly data allowance, resulting in either insanely slow internet for the rest of the month or excessive over-the-limit data fees per Mb.

Not sure about the US, but mobile phone plan users pay through the nose for small data allowances, but most people who do don’t have a choice as they cannot get a decent home internet connection. e.g. my pensioner neighbours across the street could not get any landline (even for phone) as the telco claimed that there was lead in their cables and there was nothing they could do (except put them on a SIM card data modem where the fees were about 10 times what a monthly landline fee would be for a small data allowance).

No matter where you go, there you are.

“Software that tries to trick you”? Oh, so it’ll also block any forced upgrades? (Yes, I’m being facetious, but obviously nobody at Microsoft the irony patch installed in their brains.)

No matter where you go, there you are.

And we all thought KB2952664 was a nightmare…

No matter where you go, there you are.

1 user thanked author for this post.

anita.yk

anonymous wrote:

There is always a way to block updates, we just need to find the right recipe to do it.

And they will find a way around those blocks. See the latest Upgrade to 1709 that didn’t come from Windows Update.

No matter where you go, there you are.

I think some of the more frequent changes is due to Microsoft changing the goal posts, re: this new chipset is not allowed to receive Updates any more, etc. Every time they add a new set of rules in there, I can see them having to make changes to the underlying update engine, which is d**n frustrating, because it’s all just in the drive to get more copies of Windows 10 out there, NOT to make the OS more stable/secure.

No matter where you go, there you are.

At this point I don’t even know why anyone would even use hibernation mode. On a tablet, maybe, but it’s never been reliable on a desktop or notebook, especially when joined to a corporate network.

First thing I do on any Windows 7 build is to run the powercfg command to get rid of the hibernation file and disable it all through policy.

No matter where you go, there you are.