How to keep up with Windows patches in your enterprise


This topic contains 3 replies, has 4 voices, and was last updated by Brad Sams 1 week, 4 days ago.

    Mary Jo Foley
    Moderator
    #618260

    Our next MJFChat, scheduled for Monday, July 8, is between me and Bryan Dam, Software Engineer at Recast Software and the majordomo of the “Dam Good Admin” blog. We’re going to talk all about patching Windows in your enterprise.

    Dam has lots of advice for folks struggling with how to keep ahead of the regular Windows 10 feature updates, bug fixes and updates which Microsoft continues to churn out monthly. He can help with everything from WSUS, Intune and Configuration Manager, to higher-level strategy and policy questions.

    What questions do you have for Bryan about patching Windows in your enterprise? No question is too big or too trivial. I’ll be chatting with him on July 8, and will ask some of your best questions directly to him. Just add your questions below and maybe you’ll be mentioned during our next audio chat.

    gregalto
    Participant
    #619852

    What’s his recommendation for remote monitoring of client systems for patches?

    Scenario: I maintain lots of SMB PCs remotely and visit on-site when needed – curious if he has any recommendations besides WSUS.

    Blood
    Moderator
    #619857

    And the dreaded Preview updates. A lot of people decline them as they are intended for further testing. However, when synchronised with WSUS they are automatically approved. There are third-party tools available to deal with this, but considering it’s such an important technology it would be great if there was an automated way to deal with these within WSUS itself. Has Bryan come across any solutions to this?

    Brad Sams
    Keymaster
    #619956

    You can find the audio version of the interview here.

    Mary Jo Foley: 00:00 Hi, you’re listening to Petri.com’s MJFChat show. I am Mary Jo Foley, aka your Petri.com community magnet. And I’m here to interview industry experts about various topics that you, our readers and listeners, want to know about. So today’s MJFChat is all about keeping up with Windows patches in your enterprise. And my guest is Bryan Dam, software engineer at Recast Software and the force of nature behind the Dam Good Admin blog. Thanks for joining me, Bryan.

    Bryan Dam: 00:40 Oh, thanks for having me. It’s absolutely my pleasure.

    Mary Jo Foley: 00:43 Especially thanks because I know you just emerged from a disconnected vacation in the woods, and you know that kind of made me wonder: isn’t there some kind of metaphor involving emerging from the woods and cutting through the underbrush of patch management?

    Bryan Dam: 01:03 I don’t know if it takes a similar mind, but let me tell you, doing patch management definitely makes you want to go run into the woods every once in a while.

    Mary Jo Foley: 01:11 I can believe that.

    Bryan Dam: 01:15 I came back just in time for patch Tuesday.

    Mary Jo Foley: 01:20 Ready? Rested, ready and all set for Patch Tuesday. We’re going to talk about B week and C week. In fact, that’s actually where I wanted to start. I was thinking, you know, the nomenclature of patches is part of, I think, what makes it feel so complicated, and makes it so complicated for many people. So now that SAC-T has been sacked, as you put it in one of your blog posts recently, how do we, how do we keep up with all these ever-changing names? There’s things like B week, C week, LTSC, SAC, blah, blah, blah. How do you yourself try to keep up with all this?

    Bryan Dam: 02:10 It’s kind of frustrating, to say the least. I get that frustration from, from people that are asking me questions. Right? And so it’s how do you keep up with it? Patch Tuesday is still a thing. I guess that’s what we’re all used to. We all know that on the second Tuesday of the month at 10:00 AM Pacific Standard Time is when patches are released. We’re just so used to that. We’ve kind of almost been lulled into, let’s say, a false sense of security. That’s what patching is. That was really always for security patches. There was a reason for doing that, and we could talk a whole hour about why they chose to do that, but they did.

    Bryan Dam: 02:58 And whether you agree with it or not is kind of slightly irrelevant, but the point is that that’s what we all sort of thought, that, oh, it’s just okay. We know exactly when patches are released. Microsoft always kind of said, well, that’s, you know, that’s just our security patches. It never really committed to that being the only time that they released, but in a practical manner, they really didn’t break that rule. And then they really, really kind of started to half, I won’t say break the rule, but I think people are now waking up to the fact that, oh okay, patches aren’t only being released on Patch Tuesday. But I really think that monthly cadence still works, right? It is still true that security updates are released, I wouldn’t say exclusively, but that’s what they’re targeting. They’re targeting Patch Tuesday; that is when security updates are released.

    Bryan Dam: 03:50 And so I still think despite everything else that they’ve changed, you can still viably have a monthly patch cycle if that’s what works for your organization.

    Mary Jo Foley: 03:59 And that is B week?

    Bryan Dam: 03:59 Yes, that is, that is B. So I mean if people are confused, the thing to understand is that still is true. And part of the things that are confusing about that is they’ve done some good work, which is they’ve created these nice pages that list the builds, right? Cause now with Windows 10 and even Windows 7, now that they’ve gone to the fully cumulative update model, it’s really about a build, right? This is just a build they put out, and the confusing part right now is that they’re putting out builds not once a month, right? They’re putting builds out two, maybe three times a month. The website that you can go to that lists all the builds for a particular version of Windows 10, right?

    Bryan Dam: 04:42 Whether it’s 1809 or 1803 or 1709, whatever it is, you’re seeing builds on this website more frequently than once a month. And that’s kind of freaking people out. And that’s where the B, C and D come in. So, so the B week and the C week and the D week, those are just, those are just the weeks that Microsoft will try and target a release. But the thing I want people to come away with is targeting week B, which is Patch Tuesday, and doing a monthly cycle is as valid as, I would say, it’s ever been. The upside is that they’re releasing on the other weeks; they, they will release quality updates. So if you have a known issue, right, if you’re experiencing an issue, and I don’t know if you want to talk an hour about patch quality, but we could talk.

    Mary Jo Foley: 05:28 I mean I was going to ask you that as the opener, but I am like that is too cruel to ask.

    Bryan Dam: 05:34 We could, we could talk about patch quality, but those other weeks, do you have to push those out?

    Bryan Dam: 05:41 And I would say no. But it’s useful to know that they’re there. And again, the nice part about having that these websites is they are doing a better job of being a little more transparent about, hey, yeah, we have this problem. It’s a known issue. And if you have an issue, then there’s a chance there’s a chance, the smallest chance that they might actually fix it in the next non security release. And so maybe you do want to deploy that, but maybe not. Right? It’s difficult to know what to do with those things and it’s kinda freaked people out.

    Mary Jo Foley: 06:22 I like your point though, that the north star of patch Tuesday is still there. And I think some people have forgotten that because now it feels like we get patches every day.

    Bryan Dam: 06:33 Exactly. Yeah. No, it’s exactly that. When I look into it, if you look at some of the release dates for some of the non-Windows OS apps, Office 365, they’re releasing patches entirely outside of that cycle. And that’s fine. You have to look at your organization and say, okay, well, does the monthly cycle still make sense? And I think for most people the answer is yes. But what I tell people is, if you’re not doing testing, right, if you’re not doing any patch testing other than “we just push it out and see what happens,” it takes as much time to do zero testing four times a month or five, you know, five times as it does once a month. So if you’re just kind of spraying and praying anyways, then maybe, sure.

    Bryan Dam: 07:23 Go for a weekly cycle, if that makes sense for you. I just don’t think that makes sense for the majority of people, in which case stick with the monthly. I mean, if you don’t like the patch, well, wait a week before you, you push a patch out, but Patch Tuesday is still when the very important security stuff comes out. The only caveat to that is when they do an out-of-band release. I’m okay not automating or planning for that. Right. It’s rare. It happens, and usually there’s a big stink made about it. I mean, unless you are completely disconnected from the Internet, like you were, you’re going to know some way, somehow, that something has gone horribly wrong and you need to do something about it.

    Bryan Dam: 08:13 And even then, at one of my previous organizations that came out and we went to the security team and said, okay, Microsoft put out this, this, you know, this out-of-band patch and it, it looks bad. And they, they looked at it and they were reasonable about it. They looked at what the vulnerability was and said, yeah, we’re not too worried about that. We don’t have that particular problem, we don’t use that, or we have another way of mitigating it. And so we’re actually okay not just pushing what we called the big red button, which said, you know, just shoot. Who cares about testing? Right. So I’m fine still thinking of Patch Tuesday, like you said, it’s the north star, and stick with it. Okay, cool.

    Mary Jo Foley: 08:56 So we have a related question from one of our readers, Blood, and he’s asking you about preview updates. So I think this is one of those other weeks, like D week maybe, or maybe it’s not that. So here’s his question. He said a lot of people decline these preview updates as they’re intended for further testing. However, when synchronized with WSUS they are automatically approved. There are third-party tools to deal with this, he says, but considering it’s such important technology, it would be great if there was an automated way to deal with it within WSUS itself. Is there a solution to this?

    Bryan Dam: 09:39 This is one of the questions you want to ask. So one thing to talk about, the preview, right? So, and so you mentioned preview, I want to talk about that because it actually pertains to the last question. Which is, with Windows 7, when they went to the cumulative update model, the updates themselves were labeled preview, right? So the non-B releases, the non-Patch Tuesdays, they were named preview of monthly quality updates. I forget exactly what it was called, but it was like it was right there in the title and you just knew this was a preview update, and that’s part of what, when people started moving to Windows 10, they don’t do that. Right. The non-B week updates, it makes me want to go check right now, but I’m, I’m 99% sure, they’re going to be wrong, but I’m 99% sure they’re just labeled whatever.

    Bryan Dam: 10:28 There’s no freaky moniker. That was part of the confusion, because people were used to, hey, we saw these on Windows 7, they’re called “preview.” On Windows 10, wait a minute, where’s the preview? I’m just seeing these other updates. So that word “preview” was part of the problem, because people got used to seeing it in Windows 7 and then it was gone in Windows 10. So now to get to the question as a whole, I’m not aware that WSUS would automatically approve preview updates. I think what he means is that in WSUS, you can have automated approval rules, but they’re basic. A lot of my experience recently is with Config Manager, and you get very, very granular with what kinds of software updates you can choose to release, whereas in WSUS.

    Bryan Dam: 11:27 It’s less granular, and I think what he’s saying here is that it doesn’t give us the ability to, to exclude these non-security releases. That’s an interesting question. I actually have a script, and it’s on my blog, that I think maybe he’s talking about, but you can proactively decline them. Remember how we talked about it? I want like 10 seconds to think of my answer. This is actually one of those I’m like, I’m thinking through, cause there’s not a great solution to it, cause he’s right. I don’t know of a great thing to do proactively to say, hey, how do we not ever approve these? Because the way that WSUS works is, I do the sync and then that kicks off the automated approval rules.

    Bryan Dam: 12:20 I’d want to go back and look and see if there’s any time in between there where you could proactively decline those and get those updates declined before the automated approval rules run. I just don’t remember off the top of my head if you can, how tied together those are in WSUS. But yeah, he’s right. It’s not a great, not a great situation.

    Mary Jo Foley: 12:44 If you do have something, we can always add it to the notes and have a thing saying, here, there is a solution and here it is. It sounds like it’s not, not really built that way.

    Mary Jo Foley: 12:56 Yeah. Yeah. I mean, this is where I could, I could talk a long time about WSUS. WSUS is the architecture, this foundational technology that was architected, you know, way back in the early 2003 or so.

    Bryan Dam: 13:09 The thing we’re dealing with right now, the architecture, and the last time anybody really, in my opinion, and I want to be clear, I’m not an MVP, I don’t, I don’t have any inside baseball on this. From my external experience, nobody’s done anything meaningful with WSUS since 3.0, I think Service Pack 2, which was architected back in 2003 and later. Like, the base architecture hasn’t been touched, and I think this is one of those things where, yeah, I mean, when somebody put this thing together, nobody thought, hey, in 10, 15 years we might have these preview updates that we might want to not do.

    Mary Jo Foley: 13:47 Yup, things have changed, right? The way that the patches were originally conceived is so different now from how patches are handled.

    Bryan Dam: 13:56 Exactly. Exactly. Yeah. And the cumulative update model was, was a huge change for that. Right out of the bat, I was a huge fan of the cumulative update model. I was like, yes, this is what everyone else does.

    Bryan Dam: 14:08 And I’m a huge fan of it, in part for political reasons, because it gave me the opportunity to say, listen, we install a patch, and I don’t have a choice, right. Microsoft, I can, I don’t have a choice as a system administrator whether to choose this patch or not; Microsoft chooses the patch. If you tell me your application has a problem and I can’t install this patch, what that means is we can never ever install patches again, because next month is going to have the same thing, and that’s a powerful political tool. I hate having to say that.

    Mary Jo Foley: 14:44 I feel like for admins, it’s not just doing the tech work that’s part of your job. It’s the political work too. Right?

    Bryan Dam: 14:53 Exactly. And what really worked for me at my organization, when they, when they mentioned that the first time, the first thing I did with them was go to security and talk about this and explain, if Microsoft is really going to do this, if we’re going to go to the cumulative update model, these, these are the things I think it means.

    Bryan Dam: 15:13 What it means is we can’t really uninstall. If we uninstall a patch, it means we uninstall all the patches. We’re not even sure if the uninstaller will work. If we don’t do a patch, then we can’t do next month’s patch, cause it’s cumulative and that’s how it works. So I got security on my side, and that was a huge win. We did have times when a patch, again going back to patch quality, created a problem with an app, and we had to discuss it. Well, security said, you have a month. I’ll give you one month and you need to figure this out, because I can’t have that system vulnerable. So it was beautiful. I was out of the discussion.

    Bryan Dam: 15:55 It’s not me. It’s like, hey, you’re talking to security. If security is okay with not patching that box, great. I want that in writing, and I’m going to print that out and I’m going to put it into a folder. When something happens, I’m going to pull it out and say, hey, you said we’re not going to ever patch that box again until they fix their problem, and that made so many conversations go away, of like, well, can we just do this? Like, nope, we can’t. You can fix your problem or we can not patch. Those are the binary choices.

    Mary Jo Foley: 16:32 I’m going to give you another reader question. This is looking for some advice. Greg Alto says, does Bryan have a recommendation for remote monitoring of client systems for patches? Here’s my scenario. I maintain a lot of SMB PCs remotely and visit on-site when needed. Do you have any recommendations besides WSUS?

    Bryan Dam: 16:55 Yeah, so here again we go with WSUS. It wasn’t thinking of an organization where 90% of your people are using laptops. Right? And maybe working from home. I 100% work from home. I almost never go to the office. And so how do you deal with that, especially as a small business? You mentioned monitoring. So the monitoring is sort of the knife in my back on that one, because what I would tell you is the simplest thing to do is just use Windows Update, right? Don’t use WSUS. Take that subset of devices and say, we’ll just point them at Windows Update, but you lose reporting. Right? So he specifically asked about, well, how would you monitor this? You could apply patches by just using Group Policy and say, well, point them at Windows Update, but that’s the spray, pray and don’t really validate method, and that’s not that great.

    Bryan Dam: 17:50 So there are other options outside of WSUS. The one that I like to start with in these kinds of conversations is always-on VPN. So historically VPN has been the solution for on-prem as well. You’re out of the network, so you use a VPN, you get on the network. The problem there is that it was usually tied to, well, they need access to a folder, right? Or a file share somewhere, so when they need something, they’re going to connect to the VPN. And maybe, if we get lucky, there’s enough connection time for some of the scans and all the software updates stuff to happen. But now that we’ve moved, you know, to OneDrive and other solutions where there’s less and less of a reliance on VPN, a user isn’t, of their own accord, going to say, hey, I’m going to connect to the VPN and put in my password and do all that stuff.

    Bryan Dam: 18:45 So that’s where, so that stopped kind of working for people. It’s like, hey, I have people that have VPN, but unless they actually go and take action, nothing’s happening, and that’s a problem. And that’s where always-on VPN comes in. Now, when I say always-on VPN, that’s also now a sort of branded Microsoft solution. I’m talking in a more generic sense. If you have a VPN solution, or you go get one, consider, do they have an always-on option where it’s just, if that machine is running and connected to the internet, it will automatically create a connection into your environment. So that, I think, is the simplest thing. And the reason I like that solution, and why I tend to start with it, is because you probably have some other stuff that’s not just patching that would also benefit from having that connectivity, whether it’s some sort of remote support tool, whether it’s some remote, some third-party antivirus software or whatever.

    Bryan Dam: 19:46 Or some other security tool where you need connectivity to the box. If you do an always-on VPN, you’ve solved your patching problem and you possibly solve a whole bunch of other stuff. Outside of that, the other two: the big one for me is Intune. Intune to me is like the perfect small business solution. The feeling I get from the marketing is, you know, I want huge enterprise, and Microsoft thinks huge enterprise should all go to Intune. My first gig as a system administrator was at a very small shop. It was 150 people at two different offices in two different states. The minute Intune was a thing, I would have gone there, because I had nothing else. Right.

    Bryan Dam: 20:35 That’s where I cut my teeth. That’s why I set up WSUS and all these other things. But his exact problem of how do I deal with remote users, there was no good solution. There was no cloud back in 2000. Well, I shouldn’t say that. That’s not true. The whole Intune and cloud-based management for sure wasn’t a thing back in 2005, but it is now. Right. And so if you’re a small business and you’re using, especially if you’re using Office 365 or, you know, what do you want to call it, EMS or the app now, the 365 stack or whatever, I would seriously look into, if you’re a small business, I would actually look at Intune for doing your management. I think it’s almost purpose-built for small businesses, small and medium businesses.

    Bryan Dam: 21:24 Because it’s a matter of, it’s just enough administration, right? You don’t have any infrastructure, and that’s the problem with the small business, right? It’s like, well, I can set up WSUS, because in theory that doesn’t take a lot. But setting up something like Config Manager, which is near and dear to my heart, doesn’t make sense to me in small businesses. Right. The amount of infrastructure and experience and just, it’s a big chunk of infrastructure for a small business. So I think that’s really where Intune shines. So those are my three options. Windows Update if you don’t care about reporting. But he very specifically said, I care about reporting. So always-on VPN if you can swing it. And if none of that, I think that’s where Intune comes in.

    Mary Jo Foley: 22:07 Nice. Okay. I don’t know if you, if you heard this while you were out in the woods avoiding bears, but 19H2 is coming and it’s going to be basically like a cumulative update for people who are already on 1903 and will be a minor update for everyone else.

    Bryan Dam: 22:31 I had not heard that. Wow. They’re not going to call it a service pack, are they?

    Mary Jo Foley: 22:31 No, they’re not going to call it a service pack.

    Bryan Dam: 22:42 Would you like to scribble why they’re not going to do that?

    Mary Jo Foley: 22:48 I believe they want to continue to call these feature updates, and in fact it will have some features, but I keep hearing the features will be turned off by default. And so if you want some of the new features that are in 19H2 when it comes out in the fall, you will be turning those features on as an app.

    Bryan Dam: 23:06 Okay. So that’s good. That’s good news. My quick aside on the service pack thing is, cause that extends the support. If you release it, right, according to Microsoft, if they released the service pack then it extends the support life cycle. Right. They don’t want to do that.

    Mary Jo Foley: 23:21 If it is a cumulative update, I haven’t gotten this part clarified yet, but if it is a cumulative update, you can’t defer it forever. I think you could have maybe 30 days.

    Bryan Dam: 23:34 If you’re using Windows Update or Intune, correct. I think it’s 35. Exactly.

    Mary Jo Foley: 23:46 Now, now that you’ve heard the big news, yeah, we don’t know if this is a forever thing or just a one-time reprieve. We don’t, we don’t know, and they haven’t really said. So my question to you is, do you think this would be a good thing if it became the new normal? If the H2 updates are basically service packs, though they won’t call them service packs, do you think that’s a good way to go, or do you think that admins really just have to suck it up and start figuring out that feature updates are coming twice a year and you get to find a way to make it work?

    Bryan Dam: 24:23 Yeah, I need 10 seconds.

    Mary Jo Foley: 24:26 So I didn’t know I was going to give you this big like bomb. Now you’re going to go write a blog post right after I’m done. Right?

    Bryan Dam: 24:32 There goes the whole rest of my day, Mary. The whole rest of my day, right?

    Mary Jo Foley: 24:39 I know there’s so many things that go through your head all of a sudden, right? Like, oh wait, this is gonna change the whole way this happens. But again, we don’t know. We don’t know if this is a forever thing or just a one-time thing.

    Bryan Dam: 24:54 So aspirationally, yeah, I agree with where Microsoft wants to go. Right? Which is, the feature updates are just no big deal and you just push them out. I don’t want to have to do a bunch of planning and a bunch of navel gazing, and I don’t want to have to get all uptight about it. I just want it to work. And so my initial reaction is, if it just works, great, I don’t care. If what you’re telling me is, more frequently and in smaller chunks, we will update the base OS and then you can optionally, at your leisure, enable new features, I mean, my initial reaction to that is that’s great. As long as it works, right. If, if, if, as long as it works and it doesn’t take an hour or two hours to actually apply and it doesn’t impact, you know, which is to say it doesn’t impact the business, and it just works.

    Bryan Dam: 25:49 I’m fine with that. My sort of thing about the whole, the whole cadence of Windows 10 feature updates, it’s just, it’s a cart and horse situation. Really, to me, it was a spaceship and ended up pushing a cart, an old buggy, which is to say you wanted us to move fast but you didn’t build the trust, right. I need to do in-place updates or whatever. This, whatever H2 is, it needs to be a nonevent for me, and then fine, let’s just do it, right. Then I don’t have to worry about it, but we’ve not been able to string together totally problem-free releases. Right.

    Mary Jo Foley: 26:39 To put it mildly. Yeah, exactly.

    Bryan Dam: 26:44 It’s like they kind of came out of the gate saying you’re going to do this, and you know you’re going to do it every once, twice a year, and that’s okay as long as it worked without any hassle. And I think everyone, including Microsoft, can agree that didn’t happen. And so as long as whatever they’re doing now works, and doesn’t impact the business, it sounds to me, it sounds like a great idea. But the proof is in the pudding. Exactly. And what I want to call out specifically is that they’re not, they’re not allowing you to not enable these new features. I think that makes a lot of sense, especially in this scenario. To me it’s following something that the Config Manager, again, that’s a product I, I follow very closely, but the Config Manager group has been doing that.

    Bryan Dam: 27:40 They do these releases, these monthly releases, and then three times a year, they will put out a release and they’ll have preview features, right? You can optionally go enable them, and eventually they might change slightly, but then eventually they get into, into the bigger products. So I think that would be a smart thing for the Windows 10 product team to grab onto and say, hey, well, we have this cool new feature. Let’s get it out there and let’s see if some people try it and get some feedback. And then when we actually hit, you know, production, if you will, when we put it into an actual full-blown release and force it on people, it’s actually been out there and we’ve had some feedback, and I know they have like internal rings, right?

    Bryan Dam: 28:21 They have the fast ring, all that stuff, but to get it out into a larger ring.

    Mary Jo Foley: 28:27 Yeah, it makes sense, cause that’s basically how this would work, is my understanding, is that this would give the H2 release extra time to bake, because it would already be out in the H1 timeframe for people who wanted to adopt it then. But it would give them six months more, basically, of real-world testing before going out to people who deployed the H2.

    Bryan Dam: 28:53 Exactly. And they’re doing this kind of the same thing though, which is we shouldn’t be learning about this when they release it. You follow this stuff a little closer, I think, than I do. Like, did we know this was coming, and if we didn’t, why? Or when is the release date? See, again, I don’t know. When are they actually pushing this out?

    Mary Jo Foley: 29:13 Yeah, so we think it’s going to be 1909. So September, October time.

    Bryan Dam: 29:17 Okay. Okay. So good. So they’re getting ahead of the ball here.

    Mary Jo Foley: 29:27 One last thing I want to close on because this is another topic near and dear to your patching heart. Servicing stack updates.

    Bryan Dam: 29:38 [Laughs]

    Mary Jo Foley: 29:38 Yeah, he laughs evilly. I remember you wrote back, I think it was last year, about the whole mess that is servicing stack updates. And I wonder if you could give us a quick breakdown of what these things are, and are things getting better there or no?

    Bryan Dam: 29:58 Oh, what’s the quick rundown? So servicing stack updates, the servicing stack is the thing that updates the operating system. So, so that’s the updater, kind of, you got it. Patch, patch or patch thyself. That’s exactly what a servicing stack update is. If you go back to, let’s say, go back to the Windows 7 world, what that is is you have something called the Windows Update Agent, right? So that’s the, every version of Windows 7 has a service that’s sitting there, the Windows Update Agent, and occasionally Microsoft would release an update to that Windows Update Agent. People knew this; it was really relatively infrequent. There were a few months where they were clearly trying to squash a bug and they came out with like a new version for like three months in a row. But historically speaking, over the life, the life cycle of Windows 7, it was somewhat rare.

    Bryan Dam: 30:52 It was something you needed to make sure of, or be aware of, and you need to make sure that you are running a recent Windows Update Agent cause it solved a bunch of quality problems, but it was really infrequent. Servicing stack updates are the Windows 10 equivalent of the Windows Update Agent, or a way of saying it is, the Windows Update Agent is a subset of the whole servicing stack, and the servicing stack gets into a whole bunch of things that I’m not even sure I’m fully aware of, but definitely the in-place upgrade, all that stuff is part of it. The servicing stack is what does it, and so Microsoft has been releasing new versions of the servicing stack update and that’s probably a good thing, right? In theory, they’re fixing quality issues with the process of applying updates. What to date still confuses me is why there are so many of them. I do not understand what changed between Windows 7, where it’s like, oh, okay, we found a bug in the updating process, and so on. Some sort of rare, you know, it was a rare event. With Windows 10, I think we can say now pretty officially, it’s not a rare event. It’s something every single month you’re going to have to go be like, oh, did they do a servicing stack update or not this month? Where I think it really became a problem for organizations is that servicing stack updates are not security updates. If you look at their release dates, maybe it’s on a C or D week, maybe it’s Patch Tuesday, but they, they aren’t really releasing them on Patch Tuesday.

    Bryan Dam: 32:37 And what Microsoft has done a couple of times is, let’s say, they release a new servicing stack update in the middle of June. It’s outside of any normal cycle. They release it in June, and now we get to the July updates, and the July update has a prerequisite for the latest servicing stack update. The shortest way I can explain it is that updates have metadata, and that tells your device, you know, is this update applicable to this device? Is it already installed? And all sorts of other things about it. That’s the metadata, and then there’s the actual update, the content itself. What they’re doing is, in July, they put in that metadata: hey, we need the servicing stack update from June. We need that installed first before this update, the security update, is applicable.

    Bryan Dam: 33:33 And the problem is, and this actually goes back to your first question where we talked about the monthly cycle, if they release something out of band, let’s say whenever they want, in June, you get to July and you go push out your updates. Hopefully you’re going to grab that one, you’re going to grab that servicing stack update. But when you push it out, if it’s a prerequisite, your new security updates that just got released are not applicable. They won’t even show up as needed until that servicing stack update has been installed. Where this is a big problem is on servers, and the problem is your device is going to scan and say, okay, what updates are applicable, what updates do I need?

    Bryan Dam: 34:20 And all it’s going to pick up is that servicing stack update, and it’s going to install that servicing stack update. And, you know, maybe there are some other patches, but it will not pick up July’s security update. It’s going to install what it found, and it’s going to say, I’m done. Now what happens then is the question, and in the Configuration Manager space as it currently stands, if there’s no reboot, if that device doesn’t reboot itself, it’s never going to go and scan again and say, hey, do I have other updates that need to be installed? And on a server where you might have a maintenance window of a couple of hours, that won’t happen. And so you’re going to miss patches. That’s the problem with that. That’s the big kerfuffle with servicing stack updates, only when they make it a prerequisite.

    Bryan Dam: 35:08 But that has been kind of rare, and that’s one thing. So the servicing stack updates themselves are not rare. What really makes it a kerfuffle, something that you actually need to plan around, is when they make the latest cumulative update have a prerequisite, a dependency, upon a particular servicing stack update. Then you need to make sure in your organization that you’ve installed that servicing stack update with enough time so the device can then pick up that the security update that depends on it is detected as needed, and install it in whatever sort of maintenance window or cycle that you want. That’s the tricky part, because the servicing stack updates themselves, because they are updating that servicing stack, tend not to have a file-in-use problem, right? Which means they don’t need a reboot.

    Bryan Dam: 36:06 They tend not to require reboots. So they don’t need a reboot. But you might need a reboot, or you need time for the device to say, oh, hey, now this update, the cumulative update, the security update that previously wasn’t applicable, now does apply. And that’s the big kerfuffle. Anyone who wants to take Microsoft to task for doing that, I think you have my blessing. Just wait a month. Release it in June, that’s fine, and make it a prerequisite in August or September. Yeah, that’s okay.

    Mary Jo Foley: 36:39 But not close to the date of the patch itself.

    Bryan Dam: 36:42 That’s correct. If you’re thinking of a monthly cycle, where the biggest problem really comes out is if, within a single monthly cycle, they put out a cumulative update that depends on a servicing stack update released in that same cycle.

    Bryan Dam: 36:58 That’s the biggest problem. Now there’s some debate about, well, these things fix quality problems. So ideally you would install the latest servicing stack update to fix whatever quality problem exists so that your cumulative update has a higher chance of installing. And I’ve only seen that answer anecdotally. Now again, I’m not a high-paid consultant that talks to hundreds of organizations every week. But I have talked to a lot of people, and I don’t know too many people that have had problems installing them not in a particular order when it’s not a prerequisite. When we did it in the right order, it seemed to work better, and okay. So I just haven’t seen anyone scream about it.

    Mary Jo Foley: 37:52 Okay. Good to know. Well, we are out of time, unfortunately, but I want to say thank you very much for doing this chat, Bryan. That was great.

    Bryan Dam: 38:00 Oh, my pleasure. I could talk patching for hours.

    Mary Jo Foley: 38:03 I know we could, we could go on and on. Maybe one day I’ll have you back on if you’re game.

    Bryan Dam: 38:09 Oh yeah. Very cool.

    Mary Jo Foley: 38:12 All right, so for all of you regular listeners here, we’re going to be back in a couple of weeks with our next guest, so be sure you watch for that. I’ll post the information on petri.com, and that will be your signal, listeners, to send in your questions. All you have to do is go to the MJFChat area in the forums on Petri.com and submit your questions there. In regard to this chat with Bryan, look for the audio and the transcript of it, as with all of our chats, in the next few days. Thank you again.
