Patch Lady – no it’s not WSUS’s fault

Topic

New Reply

I saw this email come into my inbox blaming the forced upgrades to feature updates on WSUS. The email said: “For the third time in the last few months
[See the full post at: Patch Lady – no it’s not WSUS’s fault]

Susan Bradley Patch Lady/Prudent patcher

4 users thanked author for this post.

NetDef, abbodi86, cesmart4125, woody

Reply | Quote

Replies

Just to clarify … I say there’s no advance warning when the Branch changes from Semi-Annual (Targeted) to just plain Semi-Annual. I should’ve elaborated a bit.

Microsoft (so far) has made blog posts saying the new version is “ready for broad deployment” or some such, generally three to four months after the new version ships. That’s accompanied by various changes in some sites that show the new version has been switched to the Semi-Annual channel.

What I should’ve said is that the change occurs abruptly — there’s no advance warning that the change is going to happen on some specific date.

Reply | Quote

woody wrote:

Just to clarify … I say there’s no advance warning when the Branch changes from Semi-Annual (Targeted) to just plain Semi-Annual. I should’ve elaborated a bit.

Microsoft (so far) has made blog posts saying the new version is “ready for broad deployment” or some such, generally three to four months after the new version ships. That’s accompanied by various changes in some sites that show the new version has been switched to the Semi-Annual channel.

What I should’ve said is that the change occurs abruptly — there’s no advance warning that the change is going to happen on some specific date.

There was a one-week warning for 1709 being released to Semi-Annual Channel:

Microsoft today [Jan 11, 2018] told enterprises that Windows 10’s second feature upgrade of last year, October’s “Fall Creators Update,” had been sufficiently tested and is ready to deploy across their organizations.
…
Windows 10 Pro- and Windows 10 Enterprise-powered systems that rely on the consumer-grade Windows Update for servicing will be automatically offered 1709 beginning Jan. 18.

https://www.computerworld.com/article/3247864/microsoft-windows/microsoft-stamps-octobers-windows-10-feature-upgrade-as-enterprise-worthy.html

(The article you quoted here the following day. But it was in the middle of much ado about Meltdown/Spectre.)

Jan. 18 is also the listed availability date of the current “Microsoft recommends” at http://aka.ms/w10info

1 user thanked author for this post.

MrBrian

Reply | Quote

“b” said, … There was a one-week warning for 1709 being released to Semi-Annual Channel: …

FYI, Woody was referring to the abrupt blog post announcement for the designation of the Semi-Annual Channel or CBB, well before 3 months after the 1st release of Version 1709 on 17 Oct 2017, when it was used to be about 4 months previously, eg …
http://www.itprotoday.com/windows-10/windows-10-anniversary-update-designated-current-branch-business-cbb
___ Maybe, next, it will be an abrupt 2 months for the designation of Version 1803 as SAC/CBB. Later. it may be an abrupt 1 month. IOW, there was no warning from M$ about this abrupt change from 4 months to 3 months and to less than 3 months. Many were expecting M$ to stick to 4 months, hence the abruptness.

Woody was not referring to the “one-week warning” when Version 1709 would be deployed to Win 10 Pro & Ent Version 1607 or 1703 computers which have Windows Update set to Automatic or 0-day deferral from 18 Jan 2018 onward.

For those running Win 10 Pro & Ent 1607 and 1703 with WU set to the maximum deferral of 365 days for feature updates or upgrades, their computers weren’t upgraded to Version 1709 on 18 Jan 2018. Unfortunately, in March 2018, M$ sneakily auto-upgraded them via CU KB4023057(= windows10upgraderapp.exe) which ignored their WU deferral settings of 365 days. …
https://www.computerworld.com/article/3261969/microsoft-windows/microsoft-again-forced-upgrades-on-win10-machines-specifically-set-to-block-updates.html

Reply | Quote

anonymous wrote:

Woody was not referring to the “one-week warning” when Version 1709 would be deployed to Win 10 Pro & Ent Version 1607 or 1703 computers which have Windows Update set to Automatic or 0-day deferral from 18 Jan 2018 onward.

No, he referred to the absence of such.

Reply | Quote

Post from January 2018: ‘Last week, Microsoft noted the “full availability” of Windows 10 update 1709, but that phrase is just an attempt to prod awareness. The full availability release is the same thing as the semiannual channel release. Microsoft was just giving advance notice.’

1 user thanked author for this post.

b

Reply | Quote

It gets back to that Microsoft deems you are ready, not that you are actually ready problem that I have with how they are doing it.

Susan Bradley Patch Lady/Prudent patcher

Reply | Quote

And here I only *just* got v1709 back to where it updates itself again. Sigh.

Sure seems like they’re having a lot of trouble keeping Windows serviceable, doesn’t it?

Bottom line get ready for 1803.

Microsoft can’t make the 6 month cadence happen in the same month as the number is supposed to imply (March, 2018). That implies that it’s hard to do. No surprise there , right?

Hey Microsoft, please just go ahead and release new versions every 2 years instead – and honest, we won’t hold it against you if it’s late up to a year.

-Noel

4 users thanked author for this post.

Elly, sheldon, BobbyB, geekdom

Reply | Quote

I don’t quite understand “Do not allow update deferral policies to cause scans against Windows Update.” It sounds like it’s a policy that says, “No really, I mean it, obey the other policy.”

How does that behave in a non-WSUS environment where everything is coming from Windows Update?

Reply | Quote

You only want it/need it when you are behind WSUS.  And yes, it really is a policy that is just there to say “Yes, follow what I told you to do”.  I honestly haven’t tried it in a non WSUS setting to see what it would do

Susan Bradley Patch Lady/Prudent patcher

Reply | Quote

Found this:

https://blogs.technet.microsoft.com/wsus/2017/08/04/improving-dual-scan-on-1607/

It confirms that the policy has no effect without WSUS.

It also says: While the new policy (dubbed “Disable Dual Scan”) is enabled, any deferral policies configured for that client will apply only to ad hoc scans against Windows Update, which are triggered by clicking “Check online for updates from Microsoft Update.”

I take that to mean if you are using WSUS and you enable this policy, if you release the a feature upgrade through WSUS, it’s happening now, not after any deferral defined in group policy. Deferrals don’t apply to WSUS-ordered upgrades. However, when this policy is enabled, users will not be able to bypass WSUS and bypass deferral policies to get an upgrade directly from Windows Update.

Reply | Quote

What was happening was that one would select a Windows update for business policy and use WSUS at the same time.  They would not approve the feature release in WSUS, but would find that machined would get it installed.  They typically did not have lengthy deferrals on the feature release (as you can set it to be when they declare semi-annual plus X number of days) The root cause was that the machine was going out to Microsoft update, getting the feature release even though WSUS admin had not approved it.

Susan Bradley Patch Lady/Prudent patcher

1 user thanked author for this post.

Elly

Reply | Quote

The pushy and erratic behavior of Windows 10 regarding updates and (largely unwanted) ‘feature’ updates is one of the main reasons I left Windows after about 25 years. It became unworkable and way too time consuming. There is no other OS or company that behaves so disrespectful towards its customers. Happy to have left it for sure, saved me huge amounts of time.

Reply | Quote

They bash WSUS for the sake of promoting their product? so mature

Reply | Quote

Ms. Susan,

In your post today, April 9, you stated, “In fact WSUS is quite honestly not the greatest way to install the feature releases. It works fine to service them however. I don’t use WSUS in fact to deploy feature releases, I use a script to install the feature release when I want to.”

How does one utilize a script to install the feature release when one wants to.  Please explain this as simply as possible since I was born BC (before computers).  Am I correct in thinking the best version of Win 10 (in terms of updating) for my stand-alone computer is Win 10 Pro?

In spite of not growing up with computers, being born BC is not all bad.  I can write intelligible sentences, even paragraphs.  I can and do swim a mile 4 or 5 times a week.  And I don’t regret the loss of my memory–this prevents me from remembering that young “forty somethings” don’t call me any more.

Thank you for answering my question as simply as possible.  Hope your week has started off well.
Charles

Reply | Quote

We’ve seen issues with v1607 devices getting v1709 thru WU as well. It’s like the system decides to ignore and null out the value of our SCCM Server in the local GPO for CM.  Anyone else experienced this?

Reply | Quote

We’re running WSUS but I’m not seeing the 1803 update in WSUS to approve (I can force my own PC to go out to Wnidows to get it, however). Is my WSUS broken and in need of some hotfix?

Reply | Quote