• Need help with getting monthly updates

    #2311857

    I use a third-party RMM product that is supposed to handle the Windows 10 monthly updates.  It seems not to be doing that for a large portion of my fleet.

    One site hasn’t received updates since January 2020.  Two others, since April 2020.

    I have been in email discussions with the third-party’s NOC technicians.  Their latest response is this:  If the patch is offered in Windows Update on the machine, then the RMM product will proceed to download and install the patch.

    I’ve manually launched Windows Update on a half dozen of those last-updated-in-April  machines, and all Windows Update offered was an upgrade to Win 10 2004.  There was no monthly update for October (which was current at the time).

    I then went through the following steps to ensure that I could get a monthly update:

    > Stopped WUAUSERV and BITS

    > Renamed the SoftwareDistribution folder

    > Started WUAUSERV and BITS

    > Ran SFC /SCANNOW followed by DISM with /checkhealth and /scanhealth

    Then manually launched Windows Update

    After that there is no monthly update being offered.  So I upgraded those 6 machines to 2004.

    And now, there’s still no monthly update being offered.  I just checked after November’s update was released.

    I am pretty exhausted dealing with the NOC, but right now, I really and truly need to know what Windows settings, GPO settings – and especially Registry settings – I should be investigating to ensure that all these machines get patched properly.

    Thanks in advance!

    • #2311861

      There is information about Windows Update settings in v2004 in AKB2000016. Sections 1-3 are general discussions. Section 5 is specifically about v2004.
      It covers both the Registry settings and the Group Policy settings.
      There are screenshots below the text to show where the settings are located.

      Hope this helps.

    • #2311985

      Have you checked that updates are not installed?
      Open a Command Prompt.
      Type: wmic qfe list

      cheers, Paul

    • #2312740

      @Paul, yes, I have run that command, collated the data and it confirms that updates are being offered and applied (.Net and Adobe) but not the monthly Windows updates.


      @PKCano
      – I read through your documentation and I’ve written a PowerShell script to pull specific key data from the registry.

      Leave it to Microsoft to refer to values in the Policy State folder as

      QualityUpdatesDeferralInDays : 30
      FeatureUpdatesDeferralInDays : 365

      And in UX\Settings they are

      DeferFeatureUpdatesPeriodInDays : 365
      DeferQualityUpdatesPeriodInDays : 30

      Still researching….
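An added example, not the poster's script or any vendor's code: a read-only PowerShell inventory of the Windows Update values named in this thread, so the same table can be collected from each machine and compared. The two AUOptions paths are the ones quoted later in the thread; the full PolicyState, UX\Settings and Policies\...\WindowsUpdate paths, and the NoAutoUpdate, DeferQualityUpdates, DeferFeatureUpdates and TargetReleaseVersionInfo value names, are standard Windows 10 locations assumed here rather than taken from the posts.

```powershell
# Added example: reads values only, changes nothing.
# Key paths other than the two AUOptions locations are assumptions (standard
# Windows 10 locations); an RMM agent may also write elsewhere.
$WuTargets = [ordered]@{
    'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate' = @(
        'DeferQualityUpdates', 'DeferQualityUpdatesPeriodInDays',
        'DeferFeatureUpdates', 'DeferFeatureUpdatesPeriodInDays',
        'TargetReleaseVersion', 'TargetReleaseVersionInfo')
    'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU' = @(
        'NoAutoUpdate', 'AUOptions')
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update' = @(
        'AUOptions')
    'HKLM:\SOFTWARE\Microsoft\WindowsUpdate\UpdatePolicy\PolicyState' = @(
        'DeferQualityUpdates', 'QualityUpdatesDeferralInDays',
        'DeferFeatureUpdates', 'FeatureUpdatesDeferralInDays')
    'HKLM:\SOFTWARE\Microsoft\WindowsUpdate\UX\Settings' = @(
        'DeferQualityUpdatesPeriodInDays', 'DeferFeatureUpdatesPeriodInDays')
}

function Get-WindowsUpdateSettingInventory {
    foreach ($path in $WuTargets.Keys) {
        # A missing key is a finding in itself, so do not treat it as an error.
        $key = Get-ItemProperty -Path $path -ErrorAction SilentlyContinue
        foreach ($name in $WuTargets[$path]) {
            $present = ($null -ne $key) -and
                       ($key.PSObject.Properties.Name -contains $name)
            [pscustomobject]@{
                Computer = $env:COMPUTERNAME
                Key      = $path
                Name     = $name
                Value    = if ($present) { $key.$name } else { '<not set>' }
            }
        }
    }
}

# One row per value; pipe to Export-Csv instead to collate results from many machines.
Get-WindowsUpdateSettingInventory | Format-Table -AutoSize -Wrap
```

Rows where a value is set under `Policies` and a different value sits under the non-policy key are the inconsistencies worth comparing across sites.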

    • #2312743

      (I’m grasping at straws based on my knowledge of that area of GP and Registry)

      There is a Group Policy setting that turns off updates. Don’t remember off-hand where, but somewhere in the associated area. The screenshots are pretty detailed.

      Have you set TargetReleaseVersion in Group Policy on any of the machines? The values are 2004 and 2010 (not 20H2). Have you tried this method to get the upgrade? I think you need to turn off deferrals to make TRV work for version changes.
      The MS documentation states:

      When you set the target version policy, if you specify a feature update version that is older than your current version or set a value that isn’t valid, the device will not receive any feature updates until the policy is updated. When you specify target version policy, feature update deferrals will not be in effect.

      Just a couple of ideas, not being able to see it myself.

    • #2312750

      Larry,

      Your defer quality is set to 30 days; November is out only 8 days. To get November updates, change defer to 5 days or anything less than 8.  It’s the quality setting under business.  See reply 2311861.
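The timing in this reply as an added example (not part of the original post): for a given month it computes Patch Tuesday, the first day a deferred quality update would be offered, and the following Patch Tuesday. It assumes the update ships on the second Tuesday of the month and that a deferral of N days counts from that date; the check date of 18 November 2020 is constructed to match "out only 8 days".

```powershell
# Added example. Assumption: monthly quality updates ship on Patch Tuesday
# (second Tuesday of the month) and a deferral hides them for N days after that.
function Get-PatchTuesday {
    param([Parameter(Mandatory)][int]$Year, [Parameter(Mandatory)][int]$Month)
    $first  = [datetime]::new($Year, $Month, 1)
    # Days from the 1st to the first Tuesday (0..6), then one more week.
    $offset = (([int][System.DayOfWeek]::Tuesday - [int]$first.DayOfWeek) + 7) % 7
    $first.AddDays($offset + 7)
}

function Get-QualityDeferralWindow {
    param(
        [Parameter(Mandatory)][int]$Year,
        [Parameter(Mandatory)][int]$Month,
        # Windows 10 allows quality updates to be deferred by at most 30 days.
        [Parameter(Mandatory)][ValidateRange(0, 30)][int]$DeferDays,
        [datetime]$Today = (Get-Date).Date
    )
    $release     = Get-PatchTuesday -Year $Year -Month $Month
    $following   = $release.AddMonths(1)
    $nextRelease = Get-PatchTuesday -Year $following.Year -Month $following.Month
    $offered     = $release.AddDays($DeferDays)
    [pscustomobject]@{
        DeferDays    = $DeferDays
        Released     = $release.ToString('yyyy-MM-dd')
        DaysOut      = ($Today - $release).Days
        FirstOffered = $offered.ToString('yyyy-MM-dd')
        OfferedNow   = $Today -ge $offered
        NextRelease  = $nextRelease.ToString('yyyy-MM-dd')
    }
}

# Constructed check date: 8 days after the November 2020 release.
$checkDate = [datetime]::new(2020, 11, 18)
30, 21, 5 | ForEach-Object {
    Get-QualityDeferralWindow -Year 2020 -Month 11 -DeferDays $_ -Today $checkDate
} | Format-Table -AutoSize
```

Comparing `FirstOffered` with `NextRelease` shows how close a given deferral runs to the following month's release.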

    • #2312752

      Actually, I think I may have found the problem.  According to your doc, “If updates are Paused, Deferred, or hidden, they will not show up in Windows Update.”

      For one site I’m finding these settings:

      Policy State for defer is 1
      Policy State days is 30
      UX Settings days is 30

      We know Microsoft supersedes the prior month’s update when it issues each new one, thus it is no longer “automatically” available.  According to my reading of the deferral of 30 days, it basically says:

      In September I’ll wait until October to pull down the update.  Now it is October, and the device reaches out and there is, well, nothing to do.  No update available.  It is two days too late.   And running Windows Update, because defer is set, won’t find anything.

      Ad infinitum these machines won’t get patched.

      Please – someone – anyone – correct me if I’m wrong.

       

      • #2312756

        You are spot on. If you are going to use deferrals, they have to make sense. Deferrals automatically pick up the day of release (as opposed to Pause, which has to be manually reset every time it runs out).

        Set your Quality deferrals at, say 21 days. By then you will know if there are any major problems, and if there are, you can reset them. The same applies to Feature deferrals – you have to be aware of what version you are on and when the next ones are released. This is why Susan prefers TRV for enterprise machines – you can change them all at the same time and you don’t have to sit on them like the consumer does.

        Read through AKB2000016 again and understand which settings control which other settings. The information is there with screenshot references.

      • #2312758

        Oh, and if you use Group Policy, you don’t need the GUI equivalent settings, b/c GP overrides GUI settings anyway.

      • #2312812

        We know Microsoft supersedes the prior month’s update when it issues each new one, thus it is no longer “automatically” available.  According to my reading of the deferral of 30 days, it basically says:

        In September I’ll wait until October to pull down the update.  Now it is October, and the device reaches out and there is, well, nothing to do.  No update available.  It is two days too late.   And running Windows Update, because defer is set, won’t find anything.

        Ad infinitum these machines won’t get patched.

        Please – someone – anyone – correct me if I’m wrong.

        That’s not how it works (or rather, doesn’t!).

        With Defer set to 30 days you should get the September update in October.

        Although monthly quality updates are cumulative, in that you only need and expect the latest one, they aren’t superseded by the next one (and remain available in the Microsoft Update Catalog).

        Woody used to recommend deferring monthly quality updates by 30 days, and he didn’t intend that to mean that updates would never be applied:

        “You don’t have to accept Windows 10 updates as soon as they roll out. Here’s how to take control”

        Woody’s Win10Tip: Block forced Windows updates

        “Setting the “Delay updates” value to 30 days effectively puts you a month behind the general population.”

        How to take control of Windows 10 updates and upgrades (even if you don’t own a business)

        • #2312817

          That would be fine if I wasn’t using an RMM product to control updates.

          I’ve been waiting more than a week for them to tell me exactly which entries their product modifies.

          I do not use the Windows Update screen nor GPO to control Windows Update because the RMM is supposed to handle it.

          And yet, the Registry entries I’m seeing across my fleet are completely messed up – there is no consistency whatsoever.

          If there was some way of removing the RMM patching code and resetting Windows Update Registry settings back to OOB, I’d do it in a heartbeat…

           

          • #2312820

            Any special reason you seem loath to tell us which RMM product it is?

            If you’re paying for support on it, shouldn’t they be making it work?

            • #2312822

              Yes, I simply don’t want the conversation to divert into vendor bashing and thread hijacking.

              As for support, they have done analysis of various logs and such and have come up pretty empty handed.  “If a monthly patch isn’t being offered by Microsoft Update, we can’t do anything about it.”

              Their most recent and last suggestion was to call Microsoft support – as if having an OEM PC permitted me to do that.  And I don’t doubt that the minute I said I was using a third-party product for patching, the CSR would want me to uninstall it and set things back to “normal.”  Only I don’t know if that would happen – because I’m still waiting to find out all of the changes the product makes…

              Catching-22!

               

      • #2312814

        Neither Woody nor I EVER want to recommend NOT patching.  It’s a matter of timing.  Look at what happened yesterday/still happening:  We are now getting these extra updates because of a Business patching problem with the November updates.  Look at the date on the calendar.  It’s a week past Patch Tuesday.  Microsoft takes about a week or two to identify issues and start making it known there are issues.  Thus the sweet spot for updating is about at the two to three week mark: sufficiently long AFTER the release of patches on Tuesday to be aware of side effects, but before the release of the next Patch Tuesday.  Does that make sense?

        Susan Bradley Patch Lady/Prudent patcher

        • #2312819

          I didn’t understand why you said, about yesterday’s update for 1809;

          “(uh no that’s not an out of band patch for security the way I define out of band…)”

          Because this is a fix for a fix?

          Note: This out-of-band update will be available for additional Windows 10 versions in the near term.

          https://docs.microsoft.com/en-us/windows/release-information/windows-message-center

        • #2312821

          Susan, the RMM vendor’s NOC takes 2 weeks to review the standard Tuesday patches before giving them a Go/No-Go decision.

          In other words, for my managed clients, I’d be letting them out on the fourth week of the month.

          But the problem is – there are clients who haven’t gotten patches since January 2020 and others who haven’t since April 2020.

          I’m trying to track down the best mechanism for identifying what I need to change to allow them all to get back on a standard monthly cycle.

          Unfortunately the RMM vendor’s NOC has not been very cooperative in terms of providing information to help me get through this.

           

    • #2312761

      Once I get the monthly settings squared away – first on the small businesses, then on the home users, I’ll work on the Feature Update.

      Especially after reading this news over breakfast today: https://docs.microsoft.com/en-us/windows/release-information/status-windows-10-1903

      To keep you protected and productive, we will soon begin updating devices running Windows 10, version 1903 to Windows 10, version 1909. This update will install like a monthly update, resulting in a far faster update experience.

      Gonna keep me jumping, that’s for sure.

      I appreciate your help and feedback!

      • #2312815

        1903 to 1909 is an EXTREMELY fast update.  It’s the 2004 that takes longer.

        Susan Bradley Patch Lady/Prudent patcher

    • #2312804

      Gonna keep me jumping, that’s for sure.

      In order to block Microsoft’s forced Feature updates use TargetReleaseVersion via GP in Pro versions, registry hack in Home versions.

    • #2313018

      Let’s ask some new questions for those in the know.

      A computer has the following:

      HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\AUOptions with a value of 1

      And

      HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU\AUOptions with a value of 3

      Which takes precedence?

      Which should be eliminated?

      Thanks!

      • #2313020

        You should look at the screenshots at #2177509 and the post below that. The Registry settings represent settings in Group Policy.

        HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\AUOptions with a value of 1
        Implies that Auto Updates is enabled.

        HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU\AUOptions with a value of 3
        3 = Auto download and notify for install (there are other values possible)

        I’m going to say AGAIN, you should read through AKB2000016, especially Sections 1 and 3-5. There are screenshots below to show where each of the settings are located. When you make settings in Group Policy, they are automatically represented by equivalent settings in the Registry. If the Registry values represent Group Policy settings, you should not make the changes in the Registry, but in GP. You should go to each of the locations in Group Policy so you know/understand what the options represent. You need to understand the relationship between GP and Registry before you decide what should be eliminated.

        Making changes in the Registry can make your computer non-operable. You should not change the settings without first understanding what you are doing.

        • #2313022

          Look, I understand what you are saying.  I get it, really I do.  However, Group Policy is NOT being used on any of these computers to control Windows Updates. Period.  End of story.   We are specifically told NOT to use those GPOs with this product.

          I believe that when the RMM agent is installed it creates the first setting (above). And I suspect – but have no proof – that if the RMM patching policy is either removed or altered, the latter setting is created (without adjusting, and/or simply leaving, the former).

          I have not gotten an answer from the RMM NOC about my questions.  They continue to say they are waiting for their development team.

          So finding conflicting values about how Windows is supposed to update the computer is getting me more upset about how messed up my clients’ machines are.

          Sorry if I’m appearing dense and not following directions…

          • #2313024

            It will not hurt you to learn something no matter what RMM does.
            You want answers without knowing what you are asking about. You do not have to change anything, but if you do not know what you are asking, how can the answers mean anything?

    • #2313373

      May I ask a rather simple question raised in an earlier post?

      I’ve been successfully using AKB2000016, to defer monthly CU’s, .NET, other updates since last May and it’s been working perfectly (thank you @Woody @PKCano, @Alex5723, @Susan Bradley, and many others).

      While using WUSH to install October and hide November, I noticed on one of my rigs that I still have September CU deferred in WUSH.

      I also was under the impression the October CU supersedes the September CU, therefore September was no longer necessary.

      From what I’ve read above it seems I should go ahead, release September from WUSH and install.  Is this correct or am I completely misunderstanding something?

      As always your help is appreciated.  Thank you.

      ASUS TUF SABERTOOTH Z170s Motherboard, Intel i7-6700k CPU, Corsair 32GB DDR4-3200 RAM, ASUS ROG STRIX GeForce GTX-1070 Video Card, 1x BPX M.2 240GB NVMe SSD, 1x Samsung 850 EVO 1TB SSD, 2x WD Black 6TB HDD, Windows 10 Pro 64bit v1909

      • #2313422

        Once the October CU is installed and wushowhide is again run, the September CU should disappear. In any case, it shouldn’t install unless MS has messed up the metadata because the Oct CU contains the Sept CU. (Be sure you are not seeing a .NET CU)
