• Patch Lady – so why did I get that?

    #2282563

    So two interesting things about recent patching related topics: Thing one:  Why is .NET installing differently than Windows 10.  So we started to get
    [See the full post at: Patch Lady – so why did I get that?]

    Susan Bradley Patch Lady/Prudent patcher

    7 users thanked author for this post.
    • #2282572

      That’s the .NET update behavior I talked about in the article this morning:

      https://www.computerworld.com/article/3567816/microsoft-releases-some-optional-non-security-cd-week-win10-patches-avoid-them.html

      When I clicked “Resume updates,” I got the .NET patch. Boom. There was no “Download and install” offered.

      I still don’t see the version 1909 cumulative update Preview being offered.

      2 users thanked author for this post.
      • #2282696

        woody

        checking for updates on my LTSC 2019 v1809 system and it automatically downloaded & installed the KB4567327 .NET update preview on there

        ditto on my other machine but running v1909 – checking for updates seemed to automatically download & install the KB4562900 .NET update preview

        looks like the recent .NET preview updates don’t seem to be “optional” to me when checking for updates

        • This reply was modified 4 years, 9 months ago by EP.
        1 user thanked author for this post.
    • #2282583

      Here’s a new one that I haven’t seen mentioned (and can’t find a reference to) anywhere else. It appears that cumulative Windows update for July 2020 KB4565483 breaks (or at least temporarily hobbles) the way local non admin-only group policy works in Windows 10 1909.

      I have kind of a non-standard use case, which might explain why I haven’t heard anyone else talking about this.

      I make use of local non admin-only group policies to manage access to public Windows 10 desktops that are not in a domain, and I use a lot of scripting over OpenSSH to manage it. It usually works really well, but KB4565483 has thrown a wrench into it.

      Basically, once KB4565483 is applied, making a user a member of local administrators group via the command line, like…

      net localgroup administrators lpublic /add

      will no longer exempt them from the LG policy restrictions as it should. Even though user “lpublic” is a member of local group “Administrators” the restricting GP is still applied as if they’re not.

      Removing KB4565483 makes it start working normally again.

      The weird thing is that you can make the application of the GP start working again without uninstalling the update by making the user administrative via the control panel GUI from another administrative account, then logging out and back into the target account (in this case “lpublic”).

      Once you do this, toggling it from an administrative command prompt via the “net” command will work again from that point forward. Unless you take that step though, regarding GPO, the account will be treated as non-administrative, whether they are really administrative or not.

      The control panel thing works, but obviously it’s a big [pain] to log in and out multiple times with the GUI on a bunch of machines (close to 300).

      I’m experiencing this behavior in Windows 10 Enterprise 1909. I have no idea what’s going on behind the scenes to make it behave this way, but I’ve spent the better part of the day verifying this on multiple machines and looking for the easiest possible way to work around it.

      I’d be interested to see if anyone else can confirm this behavior.

      3 users thanked author for this post.
      • #2282597

        FYI..I posted this comment regarding local group policy and KB4565483 before I’d created my account.

        1 user thanked author for this post.
        • #2282616

          Welcome to the group!

        • #2282619

          Thanks.

          It occurs to me that maybe I should have posted that somewhere else, but I don’t quite know my way around here yet. Feel free to move it to someplace that makes more sense if you want to.

    • #2282610

      – .NET, Flash and CPU microcode updates are pushed whenever you click “check for updates”, whether they are preview or security
      because they are handled by the legacy WU agent

      the new “click to install now” section is for feature and cumulative updates (and recently Edge Chromium), which are handled by UUP agent

      while that doesn’t explain your experience, I think auto scheduled scans can also detect the preview .NET updates

      – Just tested, deferring 254 days or higher on ver 1809 gives ver 1903

      6 users thanked author for this post.
      • #2282617

        That explains the behavior… but, man, is it weird! Makes no sense at all.

        I still don’t see the Preview for 1909 on my production machines….

        Thanks for the double-check on the forced 1809-to-1903 upgrade. That’s unconscionable. After telling us that MS had deferred the end of service date by six months, they just started clawing back almost four months.

        So much for the “helping IT cope with Corona” drivel.

        2 users thanked author for this post.
        • #2282621

          I also don’t get the Cumulative Update Preview for Windows 10 Version 1909 (18363.997) except after joining Release Preview Channel or setting the TargetReleaseVersion policy/registry

          same goes for Cumulative Update Preview for Windows 10 Version 1809 (17763.1369)

          3 users thanked author for this post.
      • #2284062

        I’m Win10/Pro, version 1909 and have Feature Deferral set to 365 days (intended to put off version 2004). I also have GPE for Windows Update set to ‘2’ notify download/install. I use wushowhide to hide the current month’s updates until MS-DEFCON=3+.

        The July 21 Week “C” Optional CU Preview KB4559004 did not show up in the WU queue for me to hide it. It looks like this is because it’s not in the legacy WU queue. And furthermore, it won’t become available anytime soon for “download and install now” because Feature Deferral is set to 365 days.

        But, as I am reading this now, I just realized that says Cumulative Updates, Optional or not. So, does this “bifurcated mess” mean that the upcoming August 11 Patch Tuesday CU will not appear in the WU queue either (and thus, it will not be available to be hidden until MS-DEFCON reaches 3+)? And that instead, it will remain deferred for 365 days?

        If so, that’s not what I want– I don’t want 2004 anytime soon, but I will want the August CU before the release of the Sept CU!!

        • #2284066

          The August CU is a Quality Update, not  a Feature update. The 365 days applies to Feature updates (v2004) not Quality updates (CUs).

          I may be wrong, but I don’t believe the .NET updates fit in either category.

          • This reply was modified 4 years, 9 months ago by PKCano.
          • #2284073

            OK.  I remember that now — Patch Tuesday CU = Quality Update.

            but a Week “C” Optional Cumulative Update Preview is in the same category as a Feature Update?

            • #2284115

              but a Week “C” Optional Cumulative Update Preview is in the same category as a Feature Update?

              Yes, thus it’s affected by Feature Deferral

              the “B” Security CU is affected by Quality Deferral

              2 users thanked author for this post.
            • #2284119

              OK, I have never been offered the “Preview” C/D/E week patches with Feature deferral set at 365 days. And I have found I am now unable to clear the update queue after I have hidden .NET patches (CUs, not marked Preview) with wushowhide (AKB2000013 procedure to clear queue). Has something changed in the update mechanism?

            • #2284137

              Nothing I’m aware of
              Settings WU page always tend to be difficult
              you could try these commands to clear the queue
              https://pastebin.com/Ec5SxTMg

              after UsoClient.exe RefreshSettings, wait a few seconds before opening WU page and running UsoClient.exe StartScan

              1 user thanked author for this post.
          • #2284077

            I may be wrong, but I don’t believe the .NET updates fit in either category.

            Speaking of .NET updates, when KB4565633 (2020-07) Cumulative Update for .NET became available July 14, I hid it.  I checked wushowhide a number of times afterwards to make sure it was hidden.  Then, on July 21, KB4562900 (2020-07) Cumulative Update Preview for .NET was released and I hid it, too.

            Now, KB4565633, released July 14, no longer shows up in wushowhide.  Only KB4562900 shows up (hidden).  Is this because the latter superseded the former (i.e., a later preview update can supersede an earlier Patch Tuesday (non-preview) update)?

            • #2284079

              Exactly correct. With a cumulative update, the one before is included in the current. So including the earlier one would be redundant.

      • #2292582

        … feature and cumulative [preview] updates (and recently Edge Chromium), which are handled by UUP agent

        @abbodi86: I understand that version 2004 is a Feature Update and will have a “Download and install” button. Is it handled by the UUP agent? (and so not available for wushowhide to hide)??

        Feature-Update-version-2004

        • #2292586

          My understanding is that while 2004 is a Feature update, it doesn’t have a Download and Install button. If you click Check for Updates and 2004 decides it is ready for your system, 2004 is installed on your system.

          On permanent hiatus {with backup and coffee}
          offline▸ Win10Pro 2004.19041.572 x64 i3-3220 RAM8GB HDD Firefox83.0b3 WindowsDefender
          offline▸ Acer TravelMate P215-52 RAM8GB Win11Pro 22H2.22621.1265 x64 i5-10210U SSD Firefox106.0 MicrosoftDefender
          online▸ Win11Pro 22H2.22621.1992 x64 i5-9400 RAM16GB HDD Firefox116.0b3 MicrosoftDefender
          • This reply was modified 4 years, 7 months ago by geekdom.
          • #2292592

            My understanding is that while 2004 is a Feature update, it doesn’t have a Download and Install button.

            Interesting … the screenshot showing a “Download and install button” came from a Microsoft Windows Update Team video at How to get the Windows 10 May 2020 Update version 2004

            • #2292624

              Has anyone encountered a WU display for Feature Update to Windows 10, version 2004 with a ‘Download and install’ button? What are the circumstances under which it appeared?

              I am talking about a screen like this:
              Feature-Update-version-2004-1

          • #2292750

            My understanding is that while 2004 is a Feature update, it doesn’t have a Download and Install button.

            Has anyone encountered a WU display for Feature Update to Windows 10, version 2004 without a ‘Download and install’ button? What are the circumstances under which it appeared?

        • #2292591

          wushowhide can hide UUP updates too
          but it cannot show or hide the new OptionalInstall updates (AKA the “Download and install” button)

          • #2292596

            wushowhide can hide UUP updates too
            but it cannot show or hide the new OptionalInstall updates (AKA the “Download and install” button)


            @abbodi86: The Microsoft Windows Update Team video here shows a “Download and install” button.

            So, can wushowhide hide the 2004 Feature Update? or not?

            1 user thanked author for this post.
    • #2282612

      That’s the .NET update behavior I talked about in the article this morning:

      https://www.computerworld.com/article/3567816/microsoft-releases-some-optional-non-security-cd-week-win10-patches-avoid-them.html

      When I clicked “Resume updates,” I got the .NET patch. Boom. There was no “Download and install” offered.

      I still don’t see the version 1909 cumulative update Preview being offered.

      As per my post this morning (https://www.askwoody.com/forums/topic/1909-2004-feature-update-notification-blocking-optional-updates-2/), this is exactly what I was reporting/asking about. I guess it is, at least, a cold comfort to know it’s nothing wonky with ‘my’ system!

      1 user thanked author for this post.
    • #2282622

      Several folks have indicated that their 1809’s have recently been pushed to install 1903.  Given that servicing doesn’t end right now in July, the only thing I can think of is that a whole bunch of folks did a 365 deferral right about now this time last year.

      Windows 10 1809 Home here and starting this month’s Patch Tuesday my system went through a first attempt to install 1903 (avoided with wushowhide), suggesting that the push to 1903 is not necessarily the result of having Pro with a 365 deferral set this time last year.

      1 user thanked author for this post.
    • #2282653

      “…the only thing I can think of is that a whole bunch of folks did a 365 deferral right about now this time last year.”

      Still on 1809 Pro and got a push today to install 1903.  But, I set deferral to 365 much earlier, during 2nd half of May 2019.

      In this connection, are there any cons with updating from 1809 to 2009 directly?  I’m happy with 1809 and don’t really want to do a two-step (e.g., via 1909) update.  Thanks.

      1 user thanked author for this post.
      • #2282671

        You mean directly upgrade 1809 to 1909?

        I don’t see any harm in it. 1909 and 1903 have had the same bugs, and the same patches, for several months.

    • #2282674

      You mean directly upgrade 1809 to 1909?

      I don’t see any harm in it. 1909 and 1903 have had the same bugs, and the same patches, for several months.

      No, directly from 1809 to 2009 per Susan’s write-up (If you are in this same boat where your plans are to jump over a version or two or three and get to 2009 (20H2) …).

      1 user thanked author for this post.
      • #2282677

        Do you really want 2009 when it first comes out?

      • #2282734

        Ach. I understand.

        I’ve become accustomed to the new-new-new numbering scheme:

        • 1803
        • 1809
        • 1903
        • 1909
        • 2004
        • 20H2
        • 21H1

        Which may or may not come to fruition.

        Until they change it again….

    • #2282685

      Do you really want 2009 when it first comes out?

      Probably not.  I used 2009 as a reference based on Susan’s posting.  I don’t even know when 2009 will be offered or okay to install.  Maybe better to go for 1809 to 1909 (or 2004).  Any suggestions?

      And if I install 1909 (I have the ISO), how long can I keep this version before being forced to update?  By available “delay” settings in GP and elsewhere.  Ditto for 2004.

      Frankly, the world is in a mess .. and I really don’t need this constant worrying that W10 will be taking over the update stuff and tell me what to do.

      1 user thanked author for this post.
      • #2282688

        Woody recommends v1909. It is good until May 2021 (See EOL factsheet).
        V1909 is relatively stable. V2004 is not yet there.
        If you have Pro, set the Feature deferral to 180 days should give you v1909 the next time Windows checks for updates. That will be a later Build than the ISO you have. Or use the ISO (run setup.exe from within v1809).

        1 user thanked author for this post.
        • #2282689

          Thanks.  I know Woody recommends 1909 .. he has for some time.  I probably won’t do anything before early autumn and by that time 2004 may be “there” (with EOL December 14, 2021).

    • #2282693

      On my older Surface that still has 1903 (I think – I’ll need to double check tonight) it has the .net optional offering in the GUI even before you “check for updates”.  On my 1909s it does not.

      Susan Bradley Patch Lady/Prudent patcher

      1 user thanked author for this post.
      • #2282698

        my bro’s new HP Spectre x360 15-df laptop also uses v1903, Susan
        I have to check his HP laptop later today if the optional .net patches show up and whether they automatically install or not

        • This reply was modified 4 years, 9 months ago by EP.
        1 user thanked author for this post.
      • #2282735

        Big question for me is how “Pause updates” interacts with all of this.

        1 user thanked author for this post.
        • #2282824

          I think some diagram from MS would be nice. I like diagrams. It brings me inner peace in this stochastic world.

          Dell Latitude 3420, Intel Core i7 @ 2.8 GHz, 16GB RAM, W10 22H2 Enterprise

          HAL3000, AMD Athlon 200GE @ 3,4 GHz, 8GB RAM, Fedora 29

          PRUSA i3 MK3S+

          4 users thanked author for this post.
    • #2282802

      FYI, the .NET KB4562900 article (and other Preview .NET updates) had been modified and corrected
      the “In the Optional updates available area, you’ll find the link to download and install the update.” part is removed

      3 users thanked author for this post.
    • #2282877

      Hi folks,

      I installed the v2004 ADMX policies to gain access to the “Select the target Feature Update version” option.

      Does anyone know the abilities/limitations of this?  I’d love to be able to enter a target version of 2050 for effectively manual control, if this truly works for all versions since 1803.

      • #2282956

        I want to stay on a specific version

        If you need a device to stay on a version beyond the point when deferrals on the next version would elapse or if you need to skip a version (for example, update fall release to fall release) use the Select the target Feature Update version setting instead of using the Specify when Preview Builds and Feature Updates are received setting for feature update deferrals. When you use this policy, specify the version that you want your device(s) to use. If you don’t update this before the device reaches end of service, the device will automatically be updated once it is 60 days past end of service for its edition.

        Other sources confirm this… So if I want to stay on 1909 until I choose otherwise (or July 10, 2022, whichever comes first), I should use 1909 as the version parameter. If I’m understanding correctly.
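
An added example, not part of the original post or thread: a read-only PowerShell report of the Windows Update policy values discussed here (target feature update version, feature and quality deferral, and the "2" notify setting), read from the standard policy registry locations. The helper function names and output labels are this example's own.

```powershell
# Added example (not from the thread). Read-only: nothing is written to the registry.
# A missing value means the corresponding policy is not configured.

$wuKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
$auKey = Join-Path $wuKey 'AU'
$cvKey = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion'

function Get-PolicyValue {
    param([string]$Path, [string]$Name)
    # Returns $null when the key or the value does not exist.
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -ne $item) { return $item.$Name }
    return $null
}

function Show-Value($Value) {
    if ($null -eq $Value) { '(not configured)' } else { $Value }
}

# Installed release: DisplayVersion exists from 20H2 on, ReleaseId before that.
$cv = Get-ItemProperty -Path $cvKey
$installed = if ($cv.DisplayVersion) { $cv.DisplayVersion } else { $cv.ReleaseId }

$pinOn   = Get-PolicyValue $wuKey 'TargetReleaseVersion'      # DWORD, 1 = enabled
$pinTo   = Get-PolicyValue $wuKey 'TargetReleaseVersionInfo'  # string, e.g. "1909"
$featOn  = Get-PolicyValue $wuKey 'DeferFeatureUpdates'
$featDay = Get-PolicyValue $wuKey 'DeferFeatureUpdatesPeriodInDays'
$qualOn  = Get-PolicyValue $wuKey 'DeferQualityUpdates'
$qualDay = Get-PolicyValue $wuKey 'DeferQualityUpdatesPeriodInDays'
$auOpt   = Get-PolicyValue $auKey 'AUOptions'                 # 2 = notify download/install

# Summarise which mechanism is steering feature updates on this machine.
$featureControl = if ($pinOn -eq 1 -and $pinTo) {
    if ($pinTo -eq $installed) {
        "Pinned to installed version $pinTo"
    } else {
        "Target version $pinTo set; installed version is $installed"
    }
} elseif ($featOn -eq 1) {
    "Feature deferral of $featDay days; no target version set"
} else {
    'No feature update policy configured'
}

[pscustomobject][ordered]@{
    InstalledVersion         = $installed
    InstalledBuild           = '{0}.{1}' -f $cv.CurrentBuild, $cv.UBR
    TargetReleaseVersion     = Show-Value $pinOn
    TargetReleaseVersionInfo = Show-Value $pinTo
    DeferFeatureUpdates      = Show-Value $featOn
    FeatureDeferralDays      = Show-Value $featDay
    DeferQualityUpdates      = Show-Value $qualOn
    QualityDeferralDays      = Show-Value $qualDay
    AUOptions                = Show-Value $auOpt
    FeatureUpdateControl     = $featureControl
} | Format-List
```

Running it on each machine before and after a policy change gives a quick record of whether the pin or the deferral is what Windows Update is actually seeing.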

    • #2284524

      Just curious if anyone has noticed that after the July .Net Preview is installed you are unable to launch Windows Security? I have only tested this on Server 2019, all logs make me feel like it’s applying the security policies but you can’t launch the GUI… or is this just me?

      1 user thanked author for this post.
      • #2284536

        I haven’t heard of the problem, and can’t find it listed anywhere.

        But of course that’s far from definitive.

    • #2284558

      Thanks, I really only noticed it because it seems to break Defender ATP reporting too. All of the 2019 Servers that installed it were reporting that they were missing basically every patch for .Net. After rolling back the patch, blocking it and just installing the GA July rollup patch manually the Windows Security GUI was restored and ATP began reporting that the Servers were up to date. I started a small thread in the Windows Defender ATP community here https://techcommunity.microsoft.com/t5/microsoft-defender-atp/bd-p/MicrosoftDefenderATP One person says they have the same issue with the update. Maybe the reporting and GUI issue are linked and won’t be an issue if you aren’t using ATP? Or maybe this always happens when using ATP and installing Preview patches, but I wouldn’t know that since we don’t usually install them.

      This is what happens when we don’t follow the rules Microsoft 🙁

      • #2286783

        The issue in ATP’s detection was fixed earlier this week.  Can you check to see if you are still seeing this?

        Susan Bradley Patch Lady/Prudent patcher

    • #2292663

      Has anyone encountered a WU display for Feature Update to Windows 10, version 2004 with a ‘Download and install’ button? What are the circumstances under which it appeared?

      I am talking about a screen like this:
      Feature-Update-version-2004-1

      Pro version 1903
      updated with August security updates (18362.1016), no deferrals, no TargetReleaseVersion, Appraiser and WaaSMedic tasks are disabled

      I get version 1909 as optional feature update

      I then enabled and ran “Microsoft Compatibility Appraiser” task
      afterward, I get version 2004 as optional feature update

      1 user thanked author for this post.
      • #2292747

        I then enabled and ran “Microsoft Compatibility Appraiser” task
        afterward, I get version 2004 as optional feature update

        Tell me more about Microsoft Compatibility Appraiser. I find instructions for disabling/enabling it Method 2: Disable (/enable) CompatTelRunner.exe via Task Scheduler. Is this what you did (enable, not disable)? And then what is the run command to run it?

        So then, running it brought up the WU screen for Feature Update to Windows 10, version 2004 with its “download and install” link?

        Were you forced to run the CU Preview dotNET first before you could download and install 2004? Or were you able to skip over the Download button for that and move on to the “download and install” link for 2004?

      • #2292935

        Run Task Scheduler taskschd.msc
        Locate, enable and run task “Microsoft\Windows\Application Experience\Microsoft Compatibility Appraiser”
        Keep refreshing task view until it reports “operation completed successfully”

        Reboot, then re-create WU scan queue using those commands
        https://pastebin.com/Ec5SxTMg

        I did not try to install either update
        but based on what is written under 2004 update, it seems to require installing pending updates first

        My understanding is that while 2004 is a Feature update, it doesn’t have a Download and Install button.

        Has anyone encountered a WU display for Feature Update to Windows 10, version 2004 without a ‘Download and install’ button? What are the circumstances under which it appeared?

        if you set TargetReleaseVersion to 2004, you get it as regular update (no Download and install button)

        likewise, if you set feature update deferral and the period is ended (e.g. 20 days)

        3 users thanked author for this post.
        • #2293051

          if you set TargetReleaseVersion to 2004, you get it as regular update (no Download and install button)

          likewise, if you set feature update deferral and the period is ended (e.g. 20 days)

          And then in these two cases, since there is no ‘Download and install’ button, will it show up in wushowhide and you can hide it? (Say you’ve changed your mind and you don’t want it yet).

          • #2293054

            Yes, if you set TargetReleaseVersion to 2004, it will show up in wushowhide

            2 users thanked author for this post.