Updating operating systems has come a long way since SUS 1.0 (Software Update Services) was released back in the day. From hotfixes in Windows NT 3.x that were released "as is", with sometimes catastrophic results, to the Windows Update service being always on and non-configurable in Windows 10.
Of course now we need to be able to patch systems without disturbing those pesky end-users… How to do that? How to not waste time doing that?
At MAX we’ve seen our fair share of patching go ‘sideways’ – it’s no surprise as there are so many possible situations that could present themselves. Honestly, with literally thousands of patches being released every year, there are bound to be some problems. So how do you make this system move as smoothly as possible? With enhancements in our Patch Management feature coming later this year and into next, we want to make sure you can have the best experience possible with the product. Sometimes this requires a little sleuthing outside the product. There have been several patches that haven’t behaved as they were supposed to, but may not have caused a directly observable problem.
Take for instance KB3013455 – this patch was a kernel-mode driver update and it had the fun side effect of degrading font rendering so that some text became unreadable. For the most part something like that won't go unnoticed because the evidence is literally in your face. But what about KB3004394, released for better support of urgent Trusted Root certificate updates? It was discovered that the patch caused serious issues on devices running Windows 7 SP1 or Windows Server 2008 R2 SP1. It broke the Windows Update service itself, so the system subsequently failed to apply many or all of the following Windows patches.
Since the MAX Patch Management feature leverages the Windows Update service, patches on those devices would simply appear to Fail. Patch Management pulled the patch from its database within 48 hours, and Microsoft released a fix for the issue for anyone who had experienced the error. However, Microsoft then re-released KB3004394 as a patch that no longer has the problem. Because two different patches now exist with the same ID, patch management systems everywhere have had trouble identifying devices that are truly affected by the issue.
So how do we avoid pitfalls? There are a few things you need to look for on systems you're thinking of bringing into the PM system.
Check that Windows Update works first
This sounds like a no-brainer, but items like 3004394 caused unseen stoppages that are below the radar. Or below the normal end-user's radar at least. The service is still running, but when updates are attempted the connection is rejected, and Patch Management halts before it begins. From our dashboard, you won't see that glaring at you: a running service is not the same as a working one. So run Windows Update once on the device to make sure it can reach its update source and do the proper download. From there, you can configure the service any way you like.
See how many outstanding patches are available
Ever come into an office that has NEVER patched a computer? It happens. Or the new computer with Windows 7 pre-installed. Well, that OS came out a while ago, didn't it? There have been a few releases since then … they'll all show up the first time you open Windows Update. The good thing about Windows Update is that it will "stop" on patches that are prerequisites for others, do the reboot, then list the subsequent patches after the reboot. OR, some of our partners have already thought about things like that and have built their own packages with that in mind. You can use those – we're not hurt by it. We've always said we'll sit side by side with any other patching system if you want us to.
Look for manual updates or uninstall bad patches
Continuing with the example above, if the first 4394 is installed on a machine, the above steps won't work. Windows Update will be FUBAR. Well, in this case there was another patch released (KB3024777) to take care of it. Or, if you're smarter than your average bear, you could uninstall the offending patch yourself (because that's all 3024777 does). In either case, you'll then be able to let the second 4394 install and life will be roses.
Do a Windows Update Cleanup
If systems are patched, there will be a lot of "leftovers" on the machine: the superseded files that are kept so each update can be rolled back. Removing those rollback files frees disk space and may help the system perform better. Windows Update Cleanup got rolled into the 2008 R2 and Win7 Disk Cleanup routines a while ago, so that interface can do it for you, and Win8 & 2012 have some automatic settings for it, but there are still other options to increase what and when these OSes are cleaned.
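The four checks above, rolled into one pre-flight script you can run on a Windows 7 / Server 2008 R2 device before enrolling it. This is an added example, not MAX's own code or part of the original post. It assumes an elevated PowerShell session, the Windows Update Agent COM API (Microsoft.Update.Session), and that the Disk Cleanup "Update Cleanup" handler is present (it only exists once the Windows Update Cleanup update has been installed); the KB number is the one discussed above.

```powershell
# Pre-flight checks before enrolling a device in patch management.
# Added example (not MAX's code). Assumes: elevated PowerShell 2.0+,
# Windows Update Agent COM API available, Disk Cleanup "Update Cleanup" handler present.

$badKb = '3004394'   # the December 2014 root-certificate update that broke Windows Update on 7 SP1 / 2008 R2 SP1

# 1. Service state. "Running" only means the service is up, NOT that updates work; step 3 tests that.
$svc = Get-Service -Name wuauserv
Write-Host "wuauserv status: $($svc.Status)"
if ($svc.Status -ne 'Running') { Start-Service -Name wuauserv }

# 2. Is KB3004394 installed? Get-HotFix reads the same data as Programs and Features, so it
#    cannot tell the broken release from the re-released one (same ID); step 3 settles that.
$installed = Get-HotFix | Where-Object { $_.HotFixID -eq "KB$badKb" }
if ($installed) {
    Write-Host "KB$badKb is installed (InstalledOn: $($installed.InstalledOn))."
}

# 3. Prove Windows Update can actually talk to its update source by running a real search,
#    and list the outstanding patches so you know how big the first run will be.
$session  = New-Object -ComObject Microsoft.Update.Session
$searcher = $session.CreateUpdateSearcher()
$searchOk = $false
try {
    $result = $searcher.Search("IsInstalled=0 and IsHidden=0")
    $searchOk = $true
    Write-Host "Outstanding updates: $($result.Updates.Count)"
    foreach ($u in $result.Updates) {
        $kbs = ($u.KBArticleIDs | ForEach-Object { "KB$_" }) -join ','
        Write-Host ("  {0,-12} {1}" -f $kbs, $u.Title)
    }
    # A pending reboot usually means a prerequisite patch is waiting; finish that first.
    if ((New-Object -ComObject Microsoft.Update.SystemInfo).RebootRequired) {
        Write-Host "Reboot required before the remaining updates will be offered."
    }
} catch {
    Write-Host "Windows Update search FAILED: $($_.Exception.Message)"
}

# 2b. Search failed AND the bad KB is present: do what KB3024777 does and uninstall it, so the
#     re-released 4394 can be applied on the next run. wusa.exe is the Windows Update Standalone
#     Installer; /quiet /norestart keeps it from bothering the end user.
if (-not $searchOk -and $installed) {
    Write-Host "Removing KB$badKb; re-run this script after the next reboot."
    Start-Process -FilePath 'wusa.exe' -ArgumentList "/uninstall /kb:$badKb /quiet /norestart" -Wait
}

# 4. Windows Update Cleanup via Disk Cleanup. StateFlags0001 = 2 selects the handler for
#    profile 1; cleanmgr /sagerun:1 then runs that profile without the GUI.
$cleanupKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\VolumeCaches\Update Cleanup'
if (Test-Path $cleanupKey) {
    New-ItemProperty -Path $cleanupKey -Name 'StateFlags0001' -PropertyType DWord -Value 2 -Force | Out-Null
    Start-Process -FilePath 'cleanmgr.exe' -ArgumentList '/sagerun:1' -Wait
} else {
    Write-Host "Update Cleanup handler not present; install the Disk Cleanup update first."
}
```

The ordering matters: the search in step 3 is the only check that actually distinguishes a device with the broken 4394 from one with the re-released 4394, because both report the same KB ID in step 2. The uninstall is therefore gated on the search failing, not on the KB merely being present.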
These are just a couple of things to do outside your dashboard Patch Management settings that will alleviate a lot of headaches. Of course, if you have a favorite routine you like to do, feel free to leave it as a comment below to share with others.