A while ago I posted about how I plan to deal with big feature updates for Windows 10 via WSUS. Now the April 2018 Update (1803) is out. Nothing has changed about the issues with Cumulative Updates after the upgrade: Windows 10 still can’t see the latest Cumulative Update on WSUS after the upgrade. I searched on this topic and read on some site that it was a known bug in version 1607. I guess it will never be fixed.
Last time I explained how I was going to work with feature updates for Windows 10 going forward, which would involve lots of manual checking and fixing. I was also hesitant to do scripting, as it is hard to make a good script that isn’t error prone. But I have finally decided to try scripting, because doing it the old way for hundreds of PCs twice a year would just be very time consuming.
So, the whole 1803 update process:
- The 1803 update arrived in WSUS probably the same or the next day it was made available to everyone in the world. I assigned it to a few testing laptops I have at work.
- Same as with older updates, it shows Failed status in WSUS while a PC is preparing the feature update (downloading, preparing, installing, etc.). It goes back to Needed status once the machine is restarted and the update is installed.
- Microsoft went back to the old style popup for April’s update. It is a blue popup which appears in the middle of the screen, allowing you to postpone, be reminded later or restart and install straight away. For one thing, it gets users’ attention more than the Action Center notification from the last update (Fall Creators Update (1709)). But it also blocks access to everything in the background. You can’t close apps and then press Restart now. So, if a user is doing something important, he/she will most probably choose to postpone. There are always the Update and Restart and Update and Shutdown options available in the Power menu, though, so one can start the process from there. But I’ve decided not to include this option in my instructions to users, just to have fewer instructions and because it sometimes didn’t work this way with the 1709 update (though in my test on one laptop it worked fine with Update and Restart).
- It takes around 10 minutes for the whole update (including 2-3 automatic reboots during the process and the finishing process after the login) – on laptops with a ~2-year-old i3 CPU and an SSD.
- It’s great that the Pro version doesn’t show those 6 new Privacy option screens (geo tracking, voice recognition, etc.) that are shown to every home user after the 1803 update. Fewer distractions and instructions for corporate users.
- April’s update again tries to “sell” Edge to users: it puts an Edge shortcut on the desktop and opens a “What’s new” page in Edge after the first login. I have added a few new features with explanations to my instructions for the users, like Timeline (not sure yet if this will be truly helpful), the setting to fix blurry apps after screen/dock reconnection, and Focus assist.
- Before I get back to WSUS, I must say that increasing user mobility is making things harder. Our WSUS is only available in the internal network. Users have to connect via VPN to access some internal services. When the Windows Update service kicks in and tries to pull a huge feature update from WSUS, it sometimes breaks the VPN connection. Not to mention that some users have very weak internet at home (I had a case of a user trying to work via VPN with a 0.5 Mbps link). Also, users tend to postpone updates indefinitely, so some manual intervention could still be required.
- As I mentioned, there is still an issue with pulling a new CU from WSUS after the upgrade, although it can download all the other updates just fine (say, Flash Player updates). And in my tests, even after I wiped out the SoftwareDistribution folder and then successfully installed the 2018-05 update, it then sometimes failed to see the next 2018-06 CU, so I had to wipe SoftDist again.
- I have decided to automate SoftDist deletion this time. At first I tried to use an immediate scheduled task, as it had helped in another case, but after testing I decided to use a simple startup GPO script. So, in Group Policy Management on my domain I created a policy on my computers OU:
Computer Configuration > Policies > Windows Settings > Scripts (Startup/Shutdown) > Startup
and added a cmd script with the following contents:
net stop wuauserv
RD /S /Q C:\Windows\SoftwareDistribution
net start wuauserv
I have also applied a WMI filter to this GPO, so it only affects Windows 10 machines (we still have plenty of Windows 7). The filter’s code is:
select * from Win32_OperatingSystem where Version like "10.%"
So, this script runs on every Windows startup: it tries to stop the Windows Update service, deletes the SoftwareDistribution folder and starts the service again. It can fail sometimes, but hopefully it will work on some of the startups.
- I have also changed the default Windows Update check-for-updates interval (also via GPO, at Computer Configuration > Administrative Templates > Windows Components > Windows Update > Automatic Updates detection frequency) to 6 hours. It means our PCs should check in every 4-6 hours instead of once per day, which should make the information in WSUS more up to date and make PCs pull new updates faster.
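A PowerShell variant of the startup script above, added here as an example (not the author's script): it gives the Windows Update service time to reach Stopped before deleting the folder, always tries to start the service again, and logs the outcome so the startups where the wipe fails become visible. The log file path is an assumption, and the script is assumed to run as a computer startup script (as SYSTEM).

```powershell
# Added example, not the author's script.
$ErrorActionPreference = 'Stop'

$target  = Join-Path $env:SystemRoot 'SoftwareDistribution'
$logFile = Join-Path $env:SystemRoot 'Temp\softdist-reset.log'   # hypothetical log location

function Write-Log([string]$Message) {
    # One timestamped line per event, e.g. 2018-06-01T08:00:00 Removed C:\Windows\SoftwareDistribution
    Add-Content -Path $logFile -Value ("{0:s} {1}" -f (Get-Date), $Message)
}

try {
    $svc = Get-Service -Name wuauserv
    if ($svc.Status -ne 'Stopped') {
        Stop-Service -Name wuauserv -Force
        # Give the service up to 60 seconds to reach Stopped before touching the folder;
        # a timeout throws and is logged by the catch block below.
        $svc.WaitForStatus('Stopped', [TimeSpan]::FromSeconds(60))
    }

    if (Test-Path -LiteralPath $target) {
        Remove-Item -LiteralPath $target -Recurse -Force
        Write-Log "Removed $target"
    }
    else {
        Write-Log "$target not present, nothing to do"
    }
}
catch {
    # Locked files or a service that would not stop end up here instead of failing silently.
    Write-Log "Reset failed: $($_.Exception.Message)"
}
finally {
    # Whatever happened above, try to bring Windows Update back.
    try {
        Start-Service -Name wuauserv
    }
    catch {
        Write-Log "Could not start wuauserv: $($_.Exception.Message)"
    }
}
```

Collecting the log from a few machines shows how often the wipe actually succeeds at startup, which the three-line cmd version cannot tell you.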
I know this script is pretty dumb. But I was just tired of dealing with this issue and decided it is still better than manual fixing. Yes, it will make our Windows 10 machines redownload the updates database every day (or whenever they are actually booted), and the update history on the PCs will be lost (not that I needed it that much). It can create a bit of traffic in the morning, but I haven’t noticed any huge spikes yet and it’s not a problem for our internal network. It can be problematic for VPN users (although this script might not run at all until the machine has actually been booted a few times in the LAN). So far I have only had one such user out of maybe 20. I had to remove that machine from the 1803 update group in WSUS and will have to install the update manually at some point.
I still haven’t decided whether to leave this script applied for good or disable it after 1803 is deployed everywhere. Wiping out the SoftDist folder might actually fix some other problems with updates. By the way, this bug does not seem to be isolated to WSUS. After updating my parents’ laptop to 1803 via regular Windows Update, I also ran into the problem of it not seeing the latest CU and had to wipe SoftDist to fix it. I wonder how many millions of Windows 10 PCs out there are not actually getting security updates after the feature update.
It is still early to say how this works for us. It has been around 2 weeks since I started this process and applied 1803 to all ~30 PCs with Windows 10 we have so far (60 more coming soon). Last time I checked, 5 of them were already reporting “no updates needed” status. Many of them still show 1-4 updates as needed. I suspect some of them have not been rebooted for a long time, or their users work from home all the time and my script hasn’t had a chance to run yet. I will update this post if I find out anything useful.
UPDATE: a small update, really. After a few weeks I finally have all my ~30 PCs updated to 1803 this way. I had to remind one user not to postpone this update indefinitely, and I will have to update one PC manually because of problems with VPN. But most are already updated. I had one case of the 1803 update taking around an hour to install instead of 10 minutes. Maybe there were more such cases, but nobody reported them to me. I am not sure what caused this. It is the same model as the rest and a fairly new install (last year). It was running on battery, so maybe there was some throttling enabled. My script is helping PCs find the newest CUs on WSUS after the upgrade. So far everything seems fine.