Mark Minasi's Tech Forum
kwilke

Still Checking the Forum Out
Registered:
Posts: 6
Reply with quote  #1 

Hello all,
Just wondering if Microsoft is ever going to fix the updates on Windows 10.
What I mean is that in previous versions (not counting 8 or 8.1 here) you could select when to do your updates and select which updates to do.
Not so in Windows 10.  
Don't like this and I have two cases where this is bad.
1)  One of my clients is a medical facility that has 50 computers and using EMR.  One of the updates that came out for Windows 7 last year, when installed on the PCs, tablets, or laptops, rendered the EMR (using a fat client here) inoperable.  Had to uninstall that update and then hide it from installing, which then the EMR worked correctly.  It took the manufacturer of the EMR over three months to fix this issue.  Windows 10 wouldn't work correctly in this scenario.
2)  I was doing an in-depth scan on an external hard drive on my laptop that has Windows 10 on it.  Supposedly it will not update and reboot when it is in use.  Well, after 8 hours of this process going on (and it was only 80% of the way done) at 4:15 pm the PC rebooted.  Yes it did a Windows update and the update took over 45 minutes to run.
With these two instances I am extremely hesitant to have my clients upgrade to Windows 10.
Any thoughts?

Thanks,
Kelly W.

0
jwillis84

New Friend (or an Old Friend who Built a New Account)
Registered:
Posts: 14
Reply with quote  #2 

The only workable option I could see would be to "block" Microsoft update servers as "malware" servers in your perimeter traffic flow routers.. firewall etc..

Then patch on a semiregular basis using a Third Party patch tool like http://www.wsusoffline.net or http://www.windowsupdatesdownloader.com there are several.

It's very unprofessional.. but if/until they get the Business ring of "Deferral" going.. which they may not.. you kind of have to take your own life in your hands.

The only problem with that approach is the persistent "threat" that Microsoft is going to do-away with KB notes and standalone updates for admins entirely.. as "good for you".. less liability for us.

There are some definite philosophical holes in thinking in Redmond these days.

It's just my "opinion" but I think what's driving it isn't liability so much as reducing the size of the development team and scaling way back on the cost of support. For years Windows unwritten rule and customer advantage has been "free support" and "back porting" of security fixes .. as the cost of doing business. But someone had to pay for all that code writing and then back-testing to make sure it worked.. then everyone got it for free in a monthly update.

Trimming off a single edition of windows support must be a huge cost savings.. but customers then lose a generation of tools and software that is not supported or no longer being updated, terminating those programs along with the support for that operating system version.

Going to "one Windows 10 forever" more won't change that, the APIs and libraries will continue to evolve and like "service packs" became "secret code names" library sets will become the new "operating system editions" all the same problems will continue.

About the only thing that would work would be a "planned senescence" or "old folks home" model.. where they support older operating system versions in "sandboxes" and "virtualization".. that was VMware's original brilliance.. you wrap them in the "Russian doll" or "Matryoshka" model so they go off into a lesser powerful world like "fading ghosts".. even maybe to the "Clouds".. but unless they adopt all devices can be virtualized over a network bus model.. something will always eventually break.
0
kwilke

Still Checking the Forum Out
Registered:
Posts: 6
Reply with quote  #3 
Well that is definitely something I would not like to do.
How would one of these Microsoft engineers like to be in the process of seeing their physician, who relies on an EMR, and be told, "Sorry, we can't access your medical record because there was a Windows update and now the EMR is down.  Also any pharmacy prescriptions you need, you will have to come back in a day or two when we can access the EMR fax software."

0
Mark

Hacked Mark's Facebook Account
Registered:
Posts: 273
Reply with quote  #4 
Well, remember that LTSB is always an alternative. It's really a lot like the pre-10 world.
__________________
May I ask that everyone please populate the first name and last name in your user account profile.  Thanks!
0
Wes

Senior Member
Registered:
Posts: 233
Reply with quote  #5 
Yeah, you sound like an LTSB candidate.
0
kwilke

Still Checking the Forum Out
Registered:
Posts: 6
Reply with quote  #6 
Might have to look into that...have not ventured into that arena yet.
0
Endaar

New Friend (or an Old Friend who Built a New Account)
Registered:
Posts: 22
Reply with quote  #7 
I'm a little confused here.

With respect to #1, are you using a Pro/Enterprise/Education version of Win 10? They patch the same way as 8.1, in that you can control WHICH patches deploy with WSUS.

The WHEN is a little trickier in that no matter what you do, 8 and newer (including the server OSs) refuse to consistently reboot after patching. We just started using WUInstall - https://wuinstall.com/ - which is a command line utility that gives you finer grained control over Windows updates, including forcing reboots after installing updates. We pushed out a scheduled task to run the utility when we want patches installed. It's a little bit of a kludge, and yes I wish MS would go back to the Win 7 behavior, but this is a viable workaround.

James
0
kwilke

Still Checking the Forum Out
Registered:
Posts: 6
Reply with quote  #8 
Am using Pro...am not using WSUS.
Some of my clients do not have servers so WSUS is a no go for them.
0
Wes

Senior Member
Registered:
Posts: 233
Reply with quote  #9 
No servers as in no active directory?  WSUS is not necessary but without AD/GPOs it's going to be tough to exert much control over 10's WU behavior...
0
lady_mcse

Senior Member
Registered:
Posts: 120
Reply with quote  #10 
Quote:
The only problem with that approach is the persistent "threat" that Microsoft is going to do-away with KB notes and standalone updates for admins entirely.. as "good for you".. less liability for us.


I have already noticed this!  It's like they are taking a flame thrower to the KB articles and forums ... links I have to older articles no longer work, or ones that are still up look like they've been sanitized or pared down to essential info, with a notice at the top about how this isn't the current version. 
0
MichaelB

Master of all Exchange
Registered:
Posts: 15
Reply with quote  #11 
This is an ongoing argument among a number of MVPs and with Microsoft.

Microsoft is of the opinion that the rapid cadence of their deployments makes such disclosures irrelevant. That those people who really care will be on the LTSB and doing the detailed testing required to validate each individual patch dump.

MVPs are of the opinion that such detail is required just so people know "WTF" is going on.

Enterprise clients can purchase this information as part of their EA, just as we used to see in the monthly bulletins.

It seems to me that it is primarily a revenue opportunity for MSFT.

Regards,
Michael B.
0
nick

Still Famous
Registered:
Posts: 91
Reply with quote  #12 
Quote:
MVPs are of the opinion that such detail is required just so people know "WTF" is going on.


So are us Ex-MVP's [wink]

__________________
Nick Whittome | NTES Limited | Personal Blog | New to the forum? Read this
0
Endaar

New Friend (or an Old Friend who Built a New Account)
Registered:
Posts: 22
Reply with quote  #13 
Assuming you have access to an appropriate server, why not publish WSUS via SSL over the internet and point your client's PCs to that common WSUS server? You don't need AD to do so, and that would give you a nice central point of control.
0
JuliusPIV

Still Checking the Forum Out
Registered:
Posts: 2
Reply with quote  #14 
RE: Blocking Windows Updates
I would agree with others that standing up a WSUS server and forcing clients to get their updates from that box would give you granular control over what machines get what updates and when.  Seeing as you have one client with 50+ machines, leveraging WSUS (heck, even creating a domain) seems like a no brainer.  Once the SUS is in place, point the clients to the SUS and put them into appropriate Target Groups and then YOU (or some other admin) manage the updates.  (But that's only half the story - see next main point below.)

However, that requires a bit of time and effort not to mention a server you can use for this.  In the meantime, two possible workarounds: 
  1. Leverage the "Show or hide updates" troubleshooter package to hide the updates you want to hide.  You can find more details here: https://support.microsoft.com/en-us/kb/3073930
  2. Set the network connection as metered, but unless this can be done via netsh, this only works for Wi-Fi and not Ethernet: Settings > Network & Internet > Wi-Fi > Advanced Options > Metered ON

RE: Automatic Restarting of the PC
Under Settings > Update & Security > Windows Update > Advanced Options I set the 'Choose how updates are installed' option to 'Notify to schedule restart' and I don't believe my machine has ever restarted without my knowing.

Because you have a bunch of machines you're dealing with, just set the GPO-equivalent registry keys to configure Windows Updates:
  • HKLM\Software\Policies\Microsoft\Windows\WindowsUpdate
  • HKLM\Software\Policies\Microsoft\Windows\WindowsUpdate\AU
Pre-configure a machine, using this and gpedit.msc as your guide, export the key then import on all systems.  Obviously having these machines connected to a domain helps tremendously with something like this as it could easily be centrally managed.
0
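The pre-configure, export and import procedure from post #14, combined with the non-domain WSUS client pointing suggested in post #13, as an added example that is not part of the original posts. The WSUS URL, target group name and schedule are assumed placeholders; the value names are the standard Windows Update policy values under the two keys listed above, and how strictly a given Windows 10 edition and build honors them should be confirmed on a pilot machine.

```powershell
#Requires -RunAsAdministrator
# Added example. Server URL, group name and schedule are placeholders, not values from the thread.
$wu = 'HKLM:\Software\Policies\Microsoft\Windows\WindowsUpdate'
$au = "$wu\AU"
$wsusUrl     = 'https://wsus.example.com:8531'  # hypothetical WSUS server published over SSL
$targetGroup = 'Clinic-Pilot'                   # hypothetical WSUS target group

# Create the keys only when missing, so existing values in them are left alone.
foreach ($key in $wu, $au) {
    if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
}

$values = @(
    # Where the client fetches updates and reports status
    @{ Path = $wu; Name = 'WUServer';           PropertyType = 'String'; Value = $wsusUrl }
    @{ Path = $wu; Name = 'WUStatusServer';     PropertyType = 'String'; Value = $wsusUrl }
    # Client-side targeting: the machine places itself in a WSUS target group
    @{ Path = $wu; Name = 'TargetGroupEnabled'; PropertyType = 'DWord';  Value = 1 }
    @{ Path = $wu; Name = 'TargetGroup';        PropertyType = 'String'; Value = $targetGroup }
    # Use the server named above instead of Microsoft Update
    @{ Path = $au; Name = 'UseWUServer';        PropertyType = 'DWord';  Value = 1 }
    @{ Path = $au; Name = 'NoAutoUpdate';       PropertyType = 'DWord';  Value = 0 }
    # AUOptions: 2 = notify before download, 3 = download and notify for install,
    #            4 = download and install on the schedule below
    @{ Path = $au; Name = 'AUOptions';            PropertyType = 'DWord'; Value = 4 }
    @{ Path = $au; Name = 'ScheduledInstallDay';  PropertyType = 'DWord'; Value = 0 }  # 0 = every day
    @{ Path = $au; Name = 'ScheduledInstallTime'; PropertyType = 'DWord'; Value = 3 }  # 03:00 local
    # Applies to scheduled installs: do not restart while a user is logged on
    @{ Path = $au; Name = 'NoAutoRebootWithLoggedOnUsers'; PropertyType = 'DWord'; Value = 1 }
)
foreach ($v in $values) { New-ItemProperty @v -Force | Out-Null }

# Read the values back before distributing them
Get-ItemProperty -Path $wu | Format-List WUServer, WUStatusServer, TargetGroup, TargetGroupEnabled
Get-ItemProperty -Path $au | Format-List UseWUServer, NoAutoUpdate, AUOptions,
    ScheduledInstallDay, ScheduledInstallTime, NoAutoRebootWithLoggedOnUsers

# Export the WindowsUpdate key (the AU subkey is included) for import elsewhere
$regFile = Join-Path $env:TEMP 'wu-policy.reg'
reg.exe export 'HKLM\Software\Policies\Microsoft\Windows\WindowsUpdate' $regFile /y

# On each target machine, from an elevated prompt:
#   reg.exe import wu-policy.reg
```

Only approved updates reach the clients once they point at WSUS, so the server has to be kept approving security updates on a regular cycle or the machines stop patching.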
Mark Minasi

Humble Proprietor
Registered:
Posts: 175
Reply with quote  #15 
Just in case folks don't know all about the Windows 10 update story, I talked to Richard Campbell about this a few weeks ago.  Here's the link:

http://runasradio.com/Shows/Show/453
0