Based on the last few updates in this post, I had to adjust my Windows 10 management via WSUS. It will involve manual checking and fixing, so if one has thousands of clients – tough luck.

It is possible to make a script to do everything: a complex, error-prone and hard-to-test one. I don’t want to end up with some PCs running with the WU service disabled for a prolonged period of time. If someone can come up with a sophisticated script for this (possible to do everything in a single run during startup, with pauses, etc.), feel free to share, though sometimes it just doesn’t allow deleting the SoftwareDistribution folder after stopping the WU service and you must reboot the system or even disable WU and then reboot.

What other options are there? SCCM uses the same method and I think I’ve read comments about people having similar problems. Not to mention it costs a lot. Intune won’t let you manage updates the way WSUS does. It is just a set of policies you apply to your PCs, just like Windows Update for Business. You set how and what updates it should get and hope it is working. There is no GUI or a list of PCs to see if they are updating or not. In the world of WannaCry outbreaks it is crucial to have a tool to make sure your network is updated. WSUS is outdated and has its own flaws, but it was working fine until Windows 10 came. Microsoft needs to do something about it.

- In WSUS I apply a feature update (1709 in this case) to a specific group, say Windows 10 Upgrade;
- Say on November 1 I put some PCs into that group;
- On November 2 I check that group to see if they still show some updates as needed and I also check if their last status update was on November 2. This means they already got information about updates deployed to the Windows 10 Upgrade group;
- I then manually click on the Needed updates link for every machine and check what it shows on the report page. If it shows Feature update 1709 with status Not Installed – then I have to wipe the SoftwareDistribution folder on this machine for it to see the 1709 update. It should show the status Downloaded if everything is fine on the second day after the deployment. If it shows Downloaded status or maybe even Pending reboot, then you should wait until the feature update is installed;
- Next day I check again to see if the 1709 feature update is already installed and what the status of cumulative updates for this version is;
- Similarly to the feature update, I check for Not installed, Downloaded or Pending reboot status and act accordingly;
- When a machine is showing a status that it doesn’t need any update, I can move it back to the regular group and hopefully it won’t need additional manual intervention until the next feature update.
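
The reset step from the list above (stop the WU service, delete SoftwareDistribution, fall back to a reboot when the folder stays locked), as an added PowerShell example that is not the author's script. The function name `Reset-WUCache`, the retry count and the pause length are assumptions; the `finally` block always brings the service back, so a failed wipe does not leave a client with Windows Update stopped or disabled.

```powershell
#Requires -RunAsAdministrator
# Added example (not from the original post). Reset-WUCache is a hypothetical name.
function Reset-WUCache {
    [CmdletBinding()]
    param(
        [string]$Path = (Join-Path $env:SystemRoot 'SoftwareDistribution'),
        [int]$Retries = 3,        # assumed defaults, tune for your environment
        [int]$PauseSeconds = 10
    )
    $result = [pscustomobject]@{
        Computer     = $env:COMPUTERNAME
        Cleared      = $false
        RebootNeeded = $false
        ServiceState = $null
        Error        = $null
    }
    try {
        Stop-Service -Name wuauserv -Force -ErrorAction Stop
        for ($i = 1; $i -le $Retries -and -not $result.Cleared; $i++) {
            try {
                if (Test-Path -LiteralPath $Path) {
                    Remove-Item -LiteralPath $Path -Recurse -Force -ErrorAction Stop
                }
                $result.Cleared = $true
                $result.Error   = $null
            } catch {
                # Files still locked: record why, pause, then retry.
                $result.Error = $_.Exception.Message
                Start-Sleep -Seconds $PauseSeconds
            }
        }
    } catch {
        # Stop-Service itself failed; nothing was deleted.
        $result.Error = $_.Exception.Message
    } finally {
        # Never leave the client with Windows Update stopped or disabled.
        $svc = Get-Service -Name wuauserv
        if ($svc.StartType -eq 'Disabled') { Set-Service -Name wuauserv -StartupType Manual }
        Start-Service -Name wuauserv -ErrorAction SilentlyContinue
        $result.ServiceState = (Get-Service -Name wuauserv).Status
        # Folder not cleared after all retries: the fallback is a reboot and another run.
        $result.RebootNeeded = -not $result.Cleared
    }
    $result
}

Reset-WUCache | Format-List
```

The returned object can be collected per machine to see which clients were cleared and which ones still need a reboot before the wipe succeeds.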
UPDATE: I hate doing these updates already. Things are getting worse. It looks like those machines which initially report status as “Downloaded” are not actually able to install the 1709 update. They show the popup, which does nothing if one presses Restart now. And if users try to do Update and Restart, it just restarts or hangs on restart. I sometimes even have to wipe the SoftwareDistribution folder a few times before 1709 finally installs. And then you have to do it a few more times for all the cumulative updates to install and then hope you won’t have to do this every month. Thanks, Microsoft, I now have a new position at my organization – Windows 10 Updater :/
UPDATE 2: users report that most of the time when an update popup is shown, nothing happens if you press Restart now. Also, it just restarts if you do Update and Restart or Update and Shutdown. I have found that going into Settings > Update & Security and pressing Restart now there works for the 1709 install. It shows Restarting for 2-3 minutes, then actually starts installing. It takes about 10 minutes with 2-3 automatic reboots from that point (for a 1703 machine). Then it usually finds the 3 latest updates and installs them, but after this it can’t find the latest update, and deleting SoftwareDistribution fixes that.
UPDATE 3: recently I have posted a new article on my struggles with Windows 10 and WSUS.