Short post this time. After all the mess that happened after the Spectre and Meltdown vulnerabilities disclosure and a frenzy of patching (i think Microsoft has released updates 5-6 times in January) a few machines in our network have stopped updating their status in WSUS. Although, they were still able to check for updates. It happened after a failed installation of KB4056892 update. Which then installed correctly, but since then no status updates were sent. The solution is as per usual: stop the Windows Update service, wipe C:\Windows\SoftwareDistribution folder, start the service and run the check for updates.
Based on a few last updates in this post i had to adjust my Windows 10 management via WSUS. It will involve manual checking and fixing, so if one has thousands of clients – tough luck. It is possible to make a script to do everything. A complex, error prone and hard to test. I don’t want to end up with some PCs running with WU service disabled for a prolonged period of time. If someone can come up with a sophisticated script for this (possible to do everything on a single run during a startup, with pauses, etc.) feel free to share, though sometimes it just doesn’t allow to delete SoftwareDistribution folder after stopping WU service and you must to reboot the system or even disable WU and then reboot. What other options there are? SCCM uses the same method and i think i’ve read comments about people having similar problems. Not to mention it costs a lot. Intune won’t let you manage updates the way WSUS does. It is just a set of policies you apply to your PCs. Just like Windows Update for Business. You set how and what updates should it get and hope it is working. There is no GUI or a list of PCs to see if they are updating or not. In the world of WannaCry outbreaks it is crucial to have a tool to make sure your network is updated. WSUS is outdated and has its own flaws, but it was working fine until Windows 10 came. Microsoft needs to do something about it. Read More
After posting about my experience updating Windows 10 to Creators Update via WSUS earlier this year i thought updating to Fall Creators Update should be a breeze. Well, not exactly. There are some issues and quirks i had to deal with.
First of all, our WSUS has successfully pulled Fall Creators Update (1709 version) from Microsoft servers sometime around October 17 and started reporting Needed status for Windows 10 PCs in our network. So i went and declined an upgrade for Windows 7 and 8.1 machines as we are not doing such upgrades. And then approved en_us and en_gb updates for a special group, which i will be putting PCs in to update. We have two versions as there are a few computers in the network using en_gb version (that was a mistake, but now we don’t really want to reinstall them; i wish there were only one EN version..). Then i have added a few testing PCs to that group. When doing Check for updates it pulled the update from WSUS and started preparing it for installation. While PC was showing “Preparing” status, WSUS was showing Failed status for this machine (quirk No.1, but very minor one). After the update installation it still shows Needed status for some time, until it gets new info from PCs. Once PC has prepared Fall Creators Update (FCU or 1709) it shows a popup as shown above. It is different from what was shown last time and this popup is the usual Action Center popup. Although i would like not to have human faces in there as i have to prepare instructions with screenshots and this looks weird. Quirks No.2 and 3 – pressing Restart Now in this popup did nothing on one of my testing machines. I have waited 5 minutes, tried pressing it again, restarting the machine and pressing again. Nothing. The second PC haven’t even showed it at all for some reason. One should hope MS will fix this for the next update (actually, it should be fixed in the FCU already for it to work for the next update). So, i had to use Start > Power button > Update and Restart. This worked fine and FCU install went smoothly on both machines. It took around 10-15 minutes until seeing your desktop (with multiple reboots and waiting for it to finish once you login). As MS is now doing updates with only differences, not overwriting the whole system, it takes almost 2 times less time. This is great.
Šiandien perskaičiau vienam puslapyje, kad paskutiniame Insider build’e atsirado galimybė riboti atnaujinimų parsiuntimo greitį (ir išsiuntimo, jei yra paliktas nustatymas atnaujinimais “peer-to-peer” principu dalintis su kitais interneto naudotojais). Tiesa, naujovių sąraše nepaminėta, todėl neaišku ar jau veikia. Bei paslėpta labai gerai 🙂 Update & Security > Windows Update > Advanced options > Delivery Optimization > Advanced options. Reikės išbandyt, nes paleidžiant siuntimui virtualioj mašinoj naują build’ą galima pamiršt apie interneto naršymą tam laikui. Suvalgo srautą visiškai 🙂
Based on the previous post about dealing with Windows 10 updates our WSUS is already prepared to serve Feature Updates. To enable this you have to open your WSUS console, go to Options, Products & Classifications and enable the Upgrades category (not the Updates). This will automatically create the Upgrades view on the left in the Updates branch. Then you have to go to the home page and run the synchronization. After this the Upgrades view should be populated with all the possible upgrade options. Among them the Creators Update for Windows 10. You will also see upgrade options for Windows 7 and 8.1 (we will not cover them in this article). Be sure not to approve them, if you are not planning to upgrade your existing older installations to Windows 10. To be sure, you can even decline them, so your clients won’t be showing in the list as if they are missing some update. There is also a distinction by the language used to install Windows 10. We currently have only two laptops with Windows 10. They came with a retail UK version of Windows 10 on DVDs (laptops came with pre-installed Ubuntu on them, so no OEM Windows). I had to approve Feature Update to Windows 10 Pro, versijon 1703, en-gb, Retail update option for them. There is also Feature Update to Windows 10 Pro, versijon 1703, en-us, which should cover regular OEM US installations. Enabling this upgrade wasn’t enough though. Read More
Windows Update fails is quite a common issue at my work. Usually it is enough to press Check for Updates one more time (especially when first check for updates is running after a fresh installation of Windows and WU service needs to download a huge amount of updates information). Sometimes a simple Windows reboot is enough. Or various other simple solutions. But recently i had a really nasty issue. Most probably PC was forcefully turned off while installing updates (or downloading them) and the Windows Servicing system got corrupted. While searching for a fix (because reinstalling a machine is always the last choice) i had to try various suggestions and tools. In the end i have stumbled upon this Microsoft article, which helped me to solve the problem and around which i have compiled this short instruction. But first i will provide the quicker and simplier solutions, which work most of the time.
First you can try stopping the Windows Update service and deleting the %Windir%\SoftwareDistribution\ directory. Then run the service again and do a check for updates.
Sometimes it is also helpful to do sfc /scannow and let it fix system files.
You can also try System Restore and restore the system to a point you believe everything was fine.
If nothing from above works, then try this procedure:
- Download and install the System Update Readiness Tool update (e.g. for Windows 7 64-bit). It will take 10-15 minutes.
- Then check this tool’s log at %Windir%\Logs\CBS\CheckSUR.persist.log or CheckSUR.log. Look for Unavailable repair files list (usually at the bottom). It should list .manifest, .mum and .cat files.
- From a healthy PC’s %Windir%\Winsxs\Manifests\ directory copy the healthy .manifest files which are listed in the log and put them into corrupted PC’s %Windir%\Temp\CheckSUR\manifests\ directory.
- Again, from a healthy PC’s %Windir%\servicing\packages\ directory copy .mum and .cat files into corrupted PC’s %Windir%\Temp\CheckSUR\servicing packages\ directory.
- Run the System Update Readiness Tool update again and wait till it finishes (it is run by installing it again). Should take 10-15 minutes again.
- Try to run the update’s installation which was causing 80073712 error again. This time it should install normally.
At some point in 2015 computers running Windows 7 or Windows Vista started having an issue with a very long updates check. It is probably affecting Windows 8/8.1 as well. Freshly installed Windows 7 machine can spend many hours or even days to complete a check, when it was just a few minutes normally. Machines with less resources wouldn’t be able to complete a check even when doing this non-stop for days. CPU usage would stay abnormally high during the check.
I have finally found a fix for this and already tried it both at work on hundreds of PCs and on my brothers older PC, which couldn’t check for updates at all.
First, you need to go to Services (services.msc) and stop the Windows Update service.
Then install this update – Windows6.1-KB3172605-x86 (or Windows6.1-KB3172605-x64). If this update is not installing, install this one first – Windows6.1-KB3020369-x86 (ar Windows6.1-KB3020369-x64). Then reboot your PC and run the check for updates. It should now take just a few minutes.
You can download these updates here:
https://support.microsoft.com/en-us/kb/3172605 (update rollup 2016 July)
https://support.microsoft.com/en-us/kb/3020369 (servicing update 2015 April)
Vakar MS vėl parašė apie UUP (Unified Update Platform), apie patobulinimus Windows Update sistemoje, apie kuriuos užsiminė dar 2016 lapkritį. Iš esmės noria pakeisti dabartinę build’ų teikimo sistemą. Vietoj pilno build’o platinimo naudoti atnaujinimus turinčius tik pakitusius failus, kas padėtų sumažinti build’o parsiuntimo dydį (iki 35%). Ką supratau iš šio straipsnio.
- Insider programos dalyviams nieko ypatingai nepasikeis ir jie toliau siųsis didžiulius build’us. Nes skirtuminis (“differential”) pasisiuntimo dydis skaičiuojamas tik tam tikro senesnio buildo atžvilgiu (“baseline”), o Insider’iai (ypač Fast rate) visada naudoja paskutinius, naujausius build’us. Taigi jų atveju pokyčiai nebus skaičiuojami ir nebus siūlomi mažesni atnaujinimai. Tai yra logiška, nes kai build’ai atsiranda vos ne kelis kartus į savaitę, sunku bus kas kart apskaičiuot ir paruošt pakaitinius variantus. O dar reikėtų juos laikyt visiems įmanomiems atnaujinimo scenarijams (Petras naudoja 15046, Onutė – 15042, o Albinas – 15031 ir kiekvienam reik pagaminti skirtuminį variantą).
- Bet įprastieji vartotojai, kurie dabar naudoja Anniversary Update versiją, balandį turbūt vis tiek gaus gana didelį siuntinį iš Windows Update ir tas build’as diegsis taip pat lėtai kaip ir kiti prieš tai. Nes pokyčių tiesiog bus per daug, kad būtų galima daug sutaupyti su skirtuminiu build’u.
- Deja, nepaminėta ar tai paliest įprastus mėnesinius atnaujinimus (“cumulative updates”). Kurie mūsų WSUS sistemoje siekia ir 1.5 GB.. Čia būtų galbūt didžiausias privalumas naujos sistemos.
At the end of 2016 i had a chance to update our WSUS system. We’ve been using WSUS 3 version for almost 6 years on a rather old Windows Server 2008 platform. WSUS was installed as a separate service back then. And now we have used a new Windows Server 2012 R2 as a basis for it (of course, after the release of 2016 it can be considered as outdated already). WSUS 4 is now being deployed as a standard role (Server Role). All other requirements and features are selected and installed automatically. Although WSUS 4 itself both visually and in its functions hasn’t changed much. WSUS 4 deployment and configuration was a breeze and haven’t caused any problems, especially as it is so standartized and simplified in this case. But at the same time we have decided to launch a Windows 10 pilot (2 new PCs). So Windows 10 category and its updates have been enabled in our new WSUS system. And then the hell broke loose..
First of all, if you want to manage and deploy Windows 10 updates via WSUS, you have to provide a lot more storage space. Because one Cumulative update can take 1-1.5 GB 😯 Yes, i can’t wait for a time when MS will introduce their improved Windows 10 updates with a new Windows Update system, which should take less space (it should probably be revealed with the Creators Update in the Spring of 2017). The other thing to keep in mind – Feature Updates or Upgrades (how they are called in WSUS). These are not security or critical updates, but the new builds (just like SR1 – 1511 or Anniversary Update – 1607). WSUS 4 can’t normally deal with them without a few special hotfixes. So enabling this category without them can break your WSUS 4 system. We haven’t even tried this yet, as we are installing the newest build to this day – 1607. I might post about nuances of updating to the newer build via WSUS after the Creators Update arrives next year. But if you are installing WSUS 4, you can prepare for it in advance by installing those hotfixes and doing other required changes (more on this later). Read More
2016 metų gale man teko atnaujinti mūsų WSUS sistemą. Iki tol apie 6 metus naudojom WSUS 3 versiją įdiegta jau gana senoje Windows Server 2008 platformoje. Tuo metu WSUS buvo diegiamas kaip atskiras servisas. Dabar gi kaip pagrindas buvo panaudotas naujas Windows Server 2012 R2 (aišku, neseniai pasirodžiusi 2016 serverio versija padarė ir 2012 R2 pasenusiu produktu). WSUS 4 jau yra diegiamas kaip viena iš standartiniu rolių (Server Role). Automatiškai parenkami visi kiti reikalavimai ir papildiniai (requirements, features). Nors vizualiai ir funkcionaliai WSUS 4 neatrodo labai pakitęs. Pats WSUS 4 diegimas ir konfigūravimas nesukėlė jokių problemų, juolab, kad dabar procesas yra toks standartizuotas ir supaprastintas. Bet tuo pačiu metu buvo nuspręsta paleisti ir Windows 10 pilotą (2 nauji kompiuteriai). Todėl naujoje WSUS sistemoje buvo iškart įjungti ir Windows 10 šaka ir atnaujinimai. Ir prasidėjo smagumai..
Pirmiausiai, norint kontroliuot ir platint Windows 10 atnaujinimus WSUS sistemoje, reikia numatyt daug daugiau talpos. Nes vienas Cumulative atnaujinimas gali sverti 1-1,5 GB 😯 Taip, laukiu nesulaukiu kada MS įvykdys pažadą sumažint Windows 10 atnaujinimų dydį su nauja Windows Update sistema (tikriausiai turėtų pasirodyti kartu su Creators Update 2017 pavasarį). Kitas dalykas – Feature Updates arba Upgrades (kaip ši šaka vadinama WSUS). Tai yra ne saugumo ar kritiniai atnaujinimai, o būtent nauji build’ai (kaip SR1 – 1511 ar Anniversary Update – 1607). WSUS 4 negali normaliai atpažinti tokių atnaujinimų be kelių specialių hotfix’ų. Todėl šios šakos įjungimas be šių pataisymų gali sugadinti jūsų WSUS 4 sistemą. Mes kol kas net nebandėm šio dalyko, kadangi kompiuteriuose buvo iškart diegiamas naujausias šiai dienai build’as – 1607. Apie niuansus su Upgrades galbūt parašysiu pavasarį, kai pasirodys Creators Update. Bet diegiant WSUS 4 sistemą galima iš anksto pasiruošti tam ir įrašyti pataisymus bei atlikti kitus reikalingus veiksmus (apie tai žemiau). Read More