WSUS

Rolling out new Windows Versions Concepts

Windows 11 24H2 is slowly starting its rollout, and you might be wondering if you should update yet. Here’s some high level information to help you decide, control the rollout, and stay up to date with any issues. For those who haven’t needed to keep across how Windows Updates work, you might be wondering what would be difficult about it. Read on and learn :)

The starting point I’d recommend is https://learn.microsoft.com/en-us/windows/release-health/windows11-release-information which will show you Windows Servicing channels:

This will show you what the current Generally Available (GA) version of Windows is (there are sections for Windows 11, Windows 10, and Windows Server) along with relevant dates. 24H2 has only been GA for a few weeks, which is quite early in its cycle. If you’ve overseen the rollout of Windows Updates before, you want to understand and be across any potential issues before even piloting.

Although this has changed a few times over the last few years, right now we see an annual feature update which upgrades the Windows version released in the second half of the year. Each feature update/version has 3 years of support for Enterprise, and 2 years for Home/Pro as you can see in the table above.

To understand currently known issues in a feature update, you can use the same section of Microsoft Learn to jump to the Version 24H2 > Known issues and notifications which is kept up to date with statuses and details:

You can also see this same information in the Microsoft 365 admin center under Health > Windows release health:

The content is the same on both – but I’d suggest going to the Microsoft 365 admin center version to at least turn on ‘Send me email notifications about Windows release health’ which is under the ‘Preferences’ button in the above screenshot. Once enabled, you can decide which versions of Windows you want to be notified about, and which email addresses the notifications should be sent to.

This will keep you across any new issues that may arise which is always useful information to know when managing a Windows environment.

Assuming you’re now ready to start testing, the rollout process starts with what tool you’re currently using for update management. You could be using:

Native Windows Update unconfigured – this may make sense for small companies that don’t really have any management in place, and you’re at the mercy of when Microsoft’s services decide your devices should receive the update. Microsoft uses a lot of telemetry and device information to make that call, for example if a driver is detected on the device that has a known issue, Windows Update may block or hold back the install.

Feature update methods:

Windows Server Update Services (WSUS) – which despite getting some news lately, will still be around for probably 10+ years. This is the on-premises way of having a central point to download Windows Updates and has many inbuilt controls that let an administrator decide how they want to roll things out, which can either be automated or manual.

Servicing Channels – These options let you choose which channel a device sits in, which by default is the General Availability channel. Unless you have an LTSC edition of Windows, your only other option is the Insider Program, which will get feature updates ahead of general availability. Might be good to have a VM around enrolled in the Insider Program to get things early and have a play.

Windows Update for Business / Autopatch – these products have recently been joined together, to provide a cloud based way of controlling what updates go to a device.

Whichever path you use, you should be incorporating Update Rings to stagger any update rollout and avoid any big bang issues from your entire fleet updating overnight and hitting a business-stopping issue.

To find out how your feature update rollout is going, each method has its own way of reporting:

Intune has inbuilt reports for feature updates, which is the same way Autopatch does it.

Windows Update for Business also has its own reports, which have a few presentation options, including the Microsoft 365 admin center Software Updates > Windows area. Alternatively, you can create an Azure workbook.

WSUS has inbuilt reporting options that can be built based on your requirements and can be exported, and supports using APIs if you want to roll your own solution there.

I’ve tried to give a high level overview of what’s involved and the considerations on rolling out Windows versions; there’s a lot to it and many points depend on your approach.

Office365Concepts also has a great video covering Feature Update Policies in Intune and how they fit into the larger picture of updates generally:

I’d also recommend these two articles on the deprecation of WSUS:

https://oofhours.com/2024/09/24/microsoft-deprecated-wsus-should-you-care/

https://www.theregister.com/2024/09/23/microsoft_wsus_deprecation

Windows Store Error 0x8024500c

I was getting this error company-wide when trying to install any app from the Windows Store on a domain-joined computer. The store was fully navigable, but any app I tried to install would instantly error. Showing the details would reveal Error Code 0x8024500c.

This is a fairly standard error code and there are a lot of reasons already posted online; but for me it was one simple Group Policy setting:

Do not connect to any Windows Update Internet locations

Help:

Even when Windows Update is configured to receive updates from an intranet update service, it will periodically retrieve information from the public Windows Update service to enable future connections to Windows Update, and other services like Microsoft Update or the Windows Store.

Enabling this policy will disable that functionality, and may cause connection to public services such as the Windows Store to stop working.

Note: This policy applies only when this PC is configured to connect to an intranet update service using the “Specify intranet Microsoft update service location” policy.

Back in the Windows 7 days, it made sense to enable this if you wanted to force clients to only use your WSUS servers and control the experience. However, it completely breaks the Windows Store!

You can find this policy under Computer Configuration > Policies > Administrative Templates > Windows Components > Windows Update.

Note that this doesn’t seem to break the private Business Store section if you have that configured, which can be a nice way of controlling the apps your users see.
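To check a client for this exact combination before users hit the error, here is an added PowerShell audit (not from the original post). It reads the registry values the two policies write; the value names `DoNotConnectToWindowsUpdateInternetLocations`, `WUServer` and `UseWUServer` are the documented ones for these policies, and the script assumes it is run elevated on a Windows 10/11 client.

```powershell
# Added example: audit the two Windows Update policies that together cause
# Store installs to fail with 0x8024500c. Run in an elevated PowerShell.
$wuPolicy = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
$auPolicy = Join-Path $wuPolicy 'AU'

function Get-PolicyValue {
    param([string]$Path, [string]$Name)
    # Returns $null when the key or value is absent, i.e. the policy is "Not Configured"
    try { (Get-ItemProperty -Path $Path -Name $Name -ErrorAction Stop).$Name } catch { $null }
}

# "Do not connect to any Windows Update Internet locations" -> Enabled writes 1
$noInternet = Get-PolicyValue $wuPolicy 'DoNotConnectToWindowsUpdateInternetLocations'
# "Specify intranet Microsoft update service location" -> writes WUServer and UseWUServer=1
$wsusUrl    = Get-PolicyValue $wuPolicy 'WUServer'
$useWsus    = Get-PolicyValue $auPolicy 'UseWUServer'

# The first policy only takes effect when an intranet update service is in use,
# so both conditions have to hold for the Store to be blocked.
$storeBlocked = ($noInternet -eq 1) -and ($useWsus -eq 1)

[pscustomobject]@{
    IntranetUpdateService    = $wsusUrl
    UseWUServer              = $useWsus
    DoNotConnectToWUInternet = $noInternet
    StoreLikelyBlocked       = $storeBlocked
}

if ($storeBlocked) {
    Write-Warning ("'Do not connect to any Windows Update Internet locations' is Enabled " +
                   "while clients use $wsusUrl; expect Store installs to fail with 0x8024500c.")
    # To find which GPO delivers the setting: gpresult /h gpreport.html
}
```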

Update 14th December 2017

A friend pointed this out to me – before changing this setting, be aware that there’s a bug with Windows 10 Pro that is fixed in KB4053580: 

Security Quality Rollup Confusion – Windows Updates

Since October 2016, Microsoft have updated their Windows Updates model (for Windows 7, 8.1, Server 2008 R2 SP1 and Server 2012 R2) to a more cumulative approach. To their credit, they had this communicated months before it started, and the word got around long before the first patch rolled out.

At the time I talked to Tom Walat who was reviewing what people thought of this model. There’s been a bit of confusion and changes in the model, including a new one for February 2017 where Internet Explorer will be separated and have its own rollup. If you manage WSUS, you need to be across these changes.

There’s a great detailed blogpost on TechNet about the history and changes, as well as this really useful table:

Windows Updates for 7 and 8.1 table for Feb 2017 (source)

Here’s the TL;DR version, which is still long, sorry:

From October 2016 to January 2017, there have been two main update rollups. The first is the Security Monthly Quality Rollup, which contains ‘all the patches’. In WSUS, this will have a name like “January, 2017 Security Monthly Quality Rollup for Windows 7”. There is a separate rollup for Windows 7, 8, Server 2008 R2 and 2012 R2. These are cumulative – each Rollup includes all previous rollup patches, but nothing from before October 2016. This is the recommended package.

There’s also the similarly named Security Only Quality Update, which has just been ‘all the security patches’. This will have a very similar name, e.g. “January, 2017 Security Only Quality Update for Windows 7”, again with a separate update for each OS. These are not cumulative, and each needs to be installed separately. These updates are only required if you’re not doing the monthly rollup for some reason (e.g. one of the updates in the rollup breaks something).

Those both included Internet Explorer, but as of February 2017 that will be its own separate set of updates. The IE update set will be cumulative – including all older updates in each new package.

That separate IE set of patches, the Cumulative Security Update for Internet Explorer, will be cumulative like the Rollups, so you only need the latest one.

These are big changes and it’s worth getting your head around it all – the end goal is to have only monthly updates for anything older than Windows 10.
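To see these three families side by side in your own WSUS catalog, here is an added PowerShell snippet (not from the original or the TechNet post). It uses the `UpdateServices` module and the `SearchUpdates` title search of the WSUS administration API, and assumes it is run on the WSUS server itself; the Windows 7 filter is just an example.

```powershell
# Added example: classify Windows 7 updates in WSUS into the three rollup
# families and show which ones a newer cumulative package has superseded.
Import-Module UpdateServices
$wsus = Get-WsusServer   # connect to the local WSUS server on its default port

# Title prefixes used in the catalog; the month, year and OS vary per package.
$families = [ordered]@{
    'Security Monthly Quality Rollup'                  = 'cumulative since Oct 2016, approve latest only'
    'Security Only Quality Update'                     = 'not cumulative, every month must be installed'
    'Cumulative Security Update for Internet Explorer' = 'cumulative, approve latest only'
}

foreach ($prefix in $families.Keys) {
    # SearchUpdates performs a substring match on the update title
    $found = $wsus.SearchUpdates($prefix) |
        Where-Object { $_.Title -like '*Windows 7*' -and -not $_.IsDeclined } |
        Sort-Object CreationDate

    Write-Host "== $prefix ($($families[$prefix])) =="
    foreach ($u in $found) {
        # IsSuperseded becomes true once a newer cumulative package replaces this one;
        # Security Only updates should stay 'current' because nothing supersedes them
        $state = if ($u.IsSuperseded) { 'superseded' } else { 'current' }
        '{0}  {1,-10}  {2}' -f $u.CreationDate.ToString('yyyy-MM-dd'), $state, $u.Title
    }
}
```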

There may be future changes as to how this model works, so make sure you keep up to date with what Microsoft is doing in this space.

KB3102429 Re-issued, still breaking things

Things are getting a bit silly in the Microsoft patch world.

KB3102429 was originally released on November 17, 2015. It’s a very unexciting update for most people, as it is an “Update that supports Azerbaijani Manat and Georgian Lari currency symbols in Windows”. I’d be passing on that – but a lot of people have automatic approvals on any Windows Update relevant to their system. This is partly done because Microsoft used to be great at patching and testing; there was rarely an issue that made its way to the world. In the last year or so, that has definitely not rung true.

I’ve written about a few of these recently such as KB3114409 Causes Outlook 2010 to run in Safe Mode and Outlook Patch KB2956128 Breaks Profile Changing (and KB3054881) along with the apparent mismanagement of how these updates are handled from Microsoft. KB3102429 seems to be of a similar story.

When KB3102429 first came out, some weird problems arose. The most common one was with Crystal Reports exporting to PDFs, as well as some other programs, and other things broke too if you start digging around on Google with a KB3102429 search.

Stranger still, Microsoft have now re-released the same KB on the 19th January 2016 with the generic explanation of ‘Install this update to resolve issues in Windows.’ – something I’d hope all patches do :)

This now means that WSUS is aware of two patches with the same name – even more confusion!
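An added PowerShell helper (not from the original post) that lists every WSUS update matching a KB search and flags titles that appear more than once, so a re-issue like this one shows up with both revisions, their release dates and approval state. It assumes the `UpdateServices` module on the WSUS server; `KB3102429` is the default search term only because it is the case discussed here.

```powershell
# Added example: find updates that WSUS holds under duplicate titles
# (e.g. an original release and a later re-issue of the same KB).
Import-Module UpdateServices
$wsus = Get-WsusServer

function Get-DuplicateTitleUpdates {
    param([string]$Search = 'KB3102429')   # substring searched in update titles

    $wsus.SearchUpdates($Search) |
        Group-Object Title |                 # one group per distinct title
        Where-Object { $_.Count -gt 1 } |    # keep only titles that occur twice or more
        ForEach-Object {
            foreach ($u in $_.Group) {
                [pscustomobject]@{
                    Title      = $u.Title
                    UpdateId   = $u.Id.UpdateId          # distinct GUID per package
                    Revision   = $u.Id.RevisionNumber
                    Released   = $u.CreationDate.ToString('yyyy-MM-dd')
                    Arrived    = $u.ArrivalDate.ToString('yyyy-MM-dd')
                    Approved   = $u.IsApproved
                    Superseded = $u.IsSuperseded
                }
            }
        }
}

# Two rows with the same Title but different UpdateId/Released values means WSUS
# is carrying both the original and the re-issued package.
Get-DuplicateTitleUpdates | Sort-Object Title, Released | Format-Table -AutoSize
```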


I have had reports of weird Outlook visualisation problems on random computers, which have taken multiple reboots to clear. This was the only patch that was applied to the PC before the issue occurred.

Without knowing what this patch does beyond the original November description, and as it appears to have no security impact – I’d suggest uninstalling. If you have any information to share on this, please do!