Been using WSUS for so many years and never learned this. Partly because at my old job we were always using one version of Windows 10 (or Windows 7) and there was no need to know the exact versions or builds. Now that I have to manage 4-5 different versions of Windows 10, the Version column in WSUS has become essential. It shows the full Windows version with build number and last CU update version, e.g. 10.0.18362.449 for version 1903. You can see the same information on a local machine in systeminfo or using the winver command.
But there is a catch, which I only noticed after installing the 1909 Enablement Package update on one test 1903 machine. It still shows build 18362 in the WSUS console, although it should be 18363. And even the CU number after the dot is not up to date. I’ve been told that WSUS is actually checking the Windows Update agent’s version (wuaueng.dll) to determine the Windows build. And in 1909, this agent hasn’t been updated and stayed the same as in version 1903 (because 1909 is just a CU update of 1903 disguised as a “feature update”). Moreover, CU updates also don’t always change the WU agent’s version, so the version after the last dot might also be stale. It seems that ConfigMgr has another column for that – Operating System Build, which shows the correct version of a system.
This is probably a result of WSUS being a legacy tool, not originally designed to work with such dynamic changes to build versions, and it never was updated properly to work better with Windows 10 (and never will be). This also shows in the “failed” status while a machine downloads a feature update and in some other quirks requiring a mandatory wiping of the SoftwareDistribution folder, as PCs just stop reporting status to WSUS properly.
With the 1909 update Microsoft is trying to optimize their updates and new features delivery process, going away from a huge feature update rewriting all system files, requiring a huge installation package and multiple restarts.
Now they release new features with regular CU updates, but the features stay disabled until an Enablement Package is installed at some point. It seems that MS is delivering on the promise of Windows as a Service, and maybe in a few years we won’t have big versions like 1809, 1903 and such. There will be one version for good, and new features will be released monthly with regular CU updates along with fixes and security patches. Well, some businesses will still require the LTSC version, so it probably won’t go away.
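A read-only way to see this mismatch on a single client, as an added example that is not part of the original post: it compares the build the OS records in the registry (what winver shows) with the file version of wuaueng.dll. The function name `Get-BuildComparison` and the default agent path are assumptions of this example.

```powershell
# Added example (not from the original post). Read-only; run locally on a client.
# Compares the OS build from the registry with the Windows Update agent's file
# version, which is the value the post says WSUS shows in its Version column.

function Get-BuildComparison {
    [CmdletBinding()]
    param(
        # Assumption: default location of the Windows Update agent DLL.
        [string]$AgentPath = (Join-Path $env:SystemRoot 'System32\wuaueng.dll')
    )

    # OS build as winver reports it: major.minor.CurrentBuild.UBR
    # (UBR = update build revision, the number after the last dot).
    $cv = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion'
    $osBuild = [version]('{0}.{1}.{2}.{3}' -f `
        $cv.CurrentMajorVersionNumber, $cv.CurrentMinorVersionNumber,
        $cv.CurrentBuild, $cv.UBR)

    # File version of the agent, built from the numeric parts so that any
    # trailing text in the version string does not break the comparison.
    $vi = (Get-Item -LiteralPath $AgentPath).VersionInfo
    $agentBuild = [version]('{0}.{1}.{2}.{3}' -f `
        $vi.FileMajorPart, $vi.FileMinorPart, $vi.FileBuildPart, $vi.FilePrivatePart)

    [pscustomobject]@{
        ComputerName = $env:COMPUTERNAME
        ReleaseId    = $cv.ReleaseId      # e.g. 1903 or 1909
        OsBuild      = $osBuild
        AgentBuild   = $agentBuild
        # True when the agent version lags behind the real OS build, i.e. a
        # console that reads the agent version would under-report this machine.
        AgentIsStale = $agentBuild -lt $osBuild
    }
}

Get-BuildComparison | Format-List
```

Where `AgentIsStale` is true, take the patch level for compliance reporting from `OsBuild` rather than from the WSUS Version column.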
Microsoft has posted on their Windows IT Pro blog about a new temporary requirement related to Windows 10 1903. This new Windows 10 version will have changes to UUP (Unified Update Platform), which require introducing a new product in the Windows product list – Windows 10, version 1903 and later. Administrators will have to enable that product along with the regular Windows 10 product to be able to sync updates for version 1903 (once they have upgraded their machines). This is a temporary requirement and there will be no similar product for version 1909 and newer. Once you upgrade to 1909 you should be able to uncheck this product and leave only the regular Windows 10 selected. This applies both to WSUS and Config Manager (SCCM). But ConfigMgr also has to be updated to at least version 1902 to support this new product, even if your older ConfigMgr is showing the 1903 upgrade as available. This requirement is about updates that will come out later for version 1903 and is not related to the upgrade itself.
NOTE: after a few comments on the MS blog it seems that maybe this new category will be used not temporarily, but for all feature updates going forward. And then the old “Windows 10” category won’t be needed. Still waiting on clarification from Microsoft.
I started this blog in September of 2015 by installing WordPress on my hosted domain (which I had had for 7 years by then and only used for email, sharing files and occasionally trying some stuff like a web RSS client). I used my provider’s (IV) Installatron service to install and configure everything. At first I wasn’t very interested in statistics and wasn’t expecting to get many visitors. So only about a year later I decided to hook my site to Google Analytics, which I had used a bit at work. I have also installed the Google Analytics Dashboard for WP plugin in WordPress and added a widget to my Dashboard. It is nice. Minimal, but has a lot of views and slices. Sometimes it can be buggy and show you two-day-old information as one day old. But it is convenient to quickly glance at the stats when going into the WP dashboard. Maybe once a month I would also go to the Google Analytics page and view more graphs and details.
I already did an overview of basic features and possible issues of AWS and Azure offerings for a free tier or trial. This is not an in-depth and detailed review and comparison of platforms. Just a first look from the viewpoint of a person completely new to this thing. I’m not sure why I skipped Google’s option at that point. Maybe I thought there was no free or trial tier. It appears there is. If you are signed in to your Google account, you can go to https://cloud.google.com/ and press the “Get started for free” button. Google gives you 300$ credit for 12 months and tells you a few times that it won’t automatically convert you into a paying customer and charge you suddenly.
After quitting my job I didn’t have a chance to manage WSUS again. But I was curious how Windows 10 updates were handled in recent months. So, I spun up a Windows Server 2019 VM and installed WSUS. In the image above you can see all 1809 versions (Fall 2018 Update) currently available. 1809 was first released in the beginning of October and I was annoyed by the fact that by the end of that month there were still no separate install packages for x86 and x64 (which were introduced for previous versions to cut the size of the install). It shows that separate x64 packages were released on November 27th. So it took Microsoft almost 2 months to do this. By that time I would usually already have all my PCs updated to the latest version. Ideally I would like to have separate packages available on the same release date. Or we don’t even need combined packages. Anyway, it turned out 1809 was a mess, so nobody hurried to install it. You can see that there was another build release in March 2019 (2019-03B), which probably had fixes for all the nasty 1809 issues included. Interestingly, this time they released just separate packages for x86 and x64 at the same time and no combined one. Maybe they will keep this procedure. Will keep this VM around to check later. Obviously, there are no 1903 packages yet in the general Windows 10 product category (it is still in testing and wide release is planned for the second half of May). Although I saw the “Windows 10 1903 and later” category in the list, I haven’t tried to sync it. This can be handy though. If your network only has PCs with, say, 1809, you don’t have to sync older updates if you are setting up a new WSUS service. Just pick the 1809 and later category and get only the relevant ones.
Today I enabled SSL for my blog, which is based on WordPress installed locally on my domain. I had been postponing this task for a while, coping with browser warnings, because I always thought this would be a very complex thing, would involve lots of manual config tweaking and so on. But after some brief reading it actually took me probably 10 minutes in total. Partly because of the existence of Let’s Encrypt. This free and automated Certificate Authority is serving millions of pages with automatically renewing certificates at no charge. Many hosting providers already have tools to use this CA. So, I went to my domain provider’s (Interneto vizija) DirectAdmin panel, SSL Certificates menu. Enabled the Secure SSL option and selected the option to use Let’s Encrypt’s service. After pressing Save it generated an SSL certificate for my domain and stored it on the server. Then I went to the Plugins menu in the WordPress admin panel and installed the Really Simple SSL plugin. Activated it and pressed a button to activate SSL for my site. That’s it. My website started using https and old links pointing to http are now redirected to https. Of course, I could probably do this manually. But why bother if I can just click a button 🙂 There are also a few more additional settings and even more in a Premium version of this plugin. Actually there was another thing to do that I had read about in that blog post earlier. Went to my Google Analytics page > Admin > Property Settings and changed Default URL to https. Now, let’s see if my certificate actually renews automatically in 3 months.
I’ve heard and read a lot about Microsoft’s and Amazon’s cloud services, but never really had to look into them. At my previous job we had only just started using a local provider’s cloud services and Azure was only on our minds. So, being a complete noob in this area, I decided to give it a try, especially as I found out they have a temporary free tier or trial modes. I also needed to run a few tests on recent Windows Server versions for www.igniterealtime.org products (Openfire) and I didn’t want to pirate just to be able to install into my virtual machine. This won’t be a helpful read for seasoned cloud users, but might be insightful for those thinking of dipping their toes into this. Especially on the “free” matter.
Microsoft is planning to stop using the SHA-1 algorithm when signing their updates (to prove they were not tampered with). Based on the support article, though, it seems it only affects the older, standalone version of WSUS (3.0 SP2). If you are using WSUS as a role on Windows Server 2012 or higher, it should be version 4.0 and probably already supports SHA-2. Anyway, there is still time before the switch. Microsoft should release SHA-2 support for version 3.0 of WSUS and older operating systems (Windows 7, Windows Server 2008/R2) in March/April of 2019 as security updates, and the switch to use only SHA-2 signing will be executed on June 18, 2019.
UPDATE: I saw someone coming to this article with a search query “how to test SHA-2 support”. Well, you can’t, I think. Because Microsoft should stop signing updates with SHA-1 after June 18. I’m not sure how you can get an update signed only with SHA-2 until that point. So, you should install all security and critical updates for affected OSes, install that WSUS update and hope that everything works past that date.
After watching a similar video on YouTube recently I’ve decided to also post such a thing 🙂 There won’t be many apps though. I never was a big apps user with my last devices. But with my latest purchase of a Google Pixel XL (1st gen) I’ve even decided to go past that. Fewer changes from standard behavior, more usage of Google’s intended features and fewer apps (just what I absolutely need). So it might look a bit too ascetic.