Windows 10 - CU Monitor for when Windows Update Only Reports Feature Updates

THE PROBLEM:

Windows Update stops reporting the monthly security Cumulative Update and instead only reports the Feature Update to the latest OS release. Automate relies on Windows Update to report that there are available security updates, so it treats it as "Everything is great, no missing updates!" when in fact the system is missing potentially critical Cumulative Updates. I used PSWindowsUpdate to test and confirm the behavior on a number of computers. As of yet, I have not found a way to get around this wonderful "feature" (presumably it works differently if you are using Enterprise or running WSUS), nor identified what triggers it. I had computers running the same OS, same update level, and one reports the latest CU while the other reports the Feature Update. Manual installation of the CU works without issues.

TESTING SOLUTION:

I have a trio of internal RAWSQL monitors for each Windows 10 build (x86, x64, and ARM64). I will include examples below. Breakdown of the monitor and the autofix solution:

  1. Set variable of the hotfixId for the latest Cumulative Update in the hotfixdata table where the Title matches OS version and architecture AND the os_build matches
  2. Return the hotfixId as the TestValue with the computerId of any system matching the OS build and architecture that does not report that hotfixId
  3. Run script that inserts the missing hotfixId and associated information into the hotfix table for that computerId, which allows the normal Automate approval and install policies to run against the machine and push the update

EXAMPLES:

Windows 10 1903 x64

CREATE TEMPORARY TABLE IF NOT EXISTS Tcomp (INDEX (Computerid)) SELECT computerid FROM computers WHERE ComputerID NOT IN (SELECT ComputerID FROM AgentIgnore WHERE AgentID={INSERT UNIQUE ID HERE});

SET @current = (SELECT DISTINCT(hotfixID) FROM hotfixdata WHERE title LIKE '% Cumulative Update for Windows 10 Version 1903% for x64-based Systems%' AND os_build = '10.0.18362' ORDER BY Date_Added DESC LIMIT 1);

SELECT DISTINCT 
@current AS TestValue, 
Computers.Name AS IdentityField, 
computers.computerid, 
Computers.Version AS `OS Build`,
hotfixdata.Title AS `Missing Update`,
locations.locationid, 
locations.name AS locationname,
clients.Clientid, 
clients.name AS clientname,
agentcomputerdata.NoAlerts,
AgentComputerData.UpTimeStart,
AgentComputerData.UpTimeEnd 
FROM ((Computers 
JOIN Locations ON Locations.LocationID=Computers.Locationid)
JOIN Clients ON Clients.ClientID=Computers.clientid)
JOIN AgentComputerData ON Computers.ComputerID=AgentComputerData.ComputerID
JOIN `inv_processor` p ON p.computerID=Computers.ComputerID
LEFT JOIN hotfix ON hotfix.computerId = computers.computerId AND hotfix.hotfixId = @current
JOIN hotfixdata ON hotfixdata.hotfixid = @current
WHERE 
computers.version = '10.0.18362' AND 
computers.OS LIKE 'Microsoft Windows 10%x64' AND
p.Manufacturer NOT LIKE 'Qualcomm%'
AND computers.computerId NOT IN (SELECT computerId FROM hotfix WHERE hotfixId = @current )
AND Computers.ComputerID IN (SELECT ComputerID FROM TComp)

For ARM64, change a couple of lines:

SET @current = (SELECT DISTINCT(hotfixID) FROM hotfixdata WHERE title LIKE '% Cumulative Update for Windows 10 Version 1903% for ARM64-based Systems%' AND os_build = '10.0.18362' ORDER BY Date_Added DESC LIMIT 1);

-- AND --

WHERE 
computers.version = '10.0.18362' AND 
computers.OS NOT LIKE 'Microsoft Windows 10%x64' AND
p.Manufacturer LIKE 'Qualcomm%'

For x86:

SET @current = (SELECT DISTINCT(hotfixID) FROM hotfixdata WHERE title LIKE '% Cumulative Update for Windows 10 Version 1903% for x86-based Systems%' AND os_build = '10.0.18362' ORDER BY Date_Added DESC LIMIT 1);

-- AND --

WHERE 
computers.version = '10.0.18362' AND 
computers.OS NOT LIKE 'Microsoft Windows 10%x64' AND
p.Manufacturer NOT LIKE 'Qualcomm%'

AUTOFIX SCRIPT:

The script is literally two lines. The first logs that we are adding hotfixID @result@; the second executes the following SQL command:

INSERT INTO hotfix (SELECT @computerid@, hotfixId, 0, approved, 0, NOW(), NOW(), 0, 0, '0000-00-00 00:00:00', '0000-00-00 00:00:00', 0, InstallType, OS, Stage, `Version`, `Action`, `InstalledVersion`, CvssScore FROM hotfix WHERE hotfixId='@result@' LIMIT 1)

I have had this running for about two weeks, and have had a number of systems that were on 1903/1909 that had stopped reporting CUs -- some as far back as March, June, etc. -- that successfully patched up to the 2020-10 CU.

CAVEATS:

This makes a couple of assumptions:

  • You are keeping your servicing stack updated
  • The only ARM64 devices you have are Qualcomm (we have a few Surface X tablets in the wild, so that was the only ARM64 reference I have)
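As an added example, not from the original post or from Automate itself: one RAWSQL monitor body that folds the post's three per-architecture copies (x64, ARM64, x86) for a build into a single query, using the same tables, title patterns and classification rules the post uses, and returning the same TestValue so the post's two-line autofix script applies unchanged. Table and column names are taken from the post's queries; the architecture lookup table and the @build/@ver variables are assumptions of this example.

```sql
-- Added example, not from the original post: one RAWSQL body covering x64, ARM64 and x86
-- for one build. Only tables/columns the post uses appear; @build/@ver are the post's 1903 values.
SET @build = '10.0.18362';
SET @ver   = '1903';
-- Same exclusion of ignored agents as the original monitor.
CREATE TEMPORARY TABLE IF NOT EXISTS Tcomp (INDEX (Computerid))
SELECT computerid FROM computers
WHERE ComputerID NOT IN (SELECT ComputerID FROM AgentIgnore WHERE AgentID={INSERT UNIQUE ID HERE});
-- One row per architecture: hotfixdata title suffix plus the OS-string / CPU-vendor
-- rule the post uses to classify a computer (1 = must match, 0 = must not match).
CREATE TEMPORARY TABLE IF NOT EXISTS Tarch
SELECT 'x64' AS arch, ' for x64-based Systems%' AS title_tail, 1 AS is_x64, 0 AS is_arm
UNION ALL SELECT 'ARM64', ' for ARM64-based Systems%', 0, 1
UNION ALL SELECT 'x86',   ' for x86-based Systems%',   0, 0;
-- Newest CU hotfixId per architecture (replaces the single @current variable). An
-- architecture with no matching hotfixdata row gets NULL and is skipped below, so a
-- missing catalog entry never flags every machine of that type.
CREATE TEMPORARY TABLE IF NOT EXISTS Tlatest
SELECT a.arch,
       (SELECT hd.hotfixID FROM hotfixdata hd
         WHERE hd.title LIKE CONCAT('% Cumulative Update for Windows 10 Version ', @ver, '%', a.title_tail)
           AND hd.os_build = @build
         ORDER BY hd.Date_Added DESC LIMIT 1) AS hotfixId
FROM Tarch a;
-- TestValue is still the hotfixId, so the post's two-line autofix script works unchanged.
SELECT DISTINCT
  l.hotfixId AS TestValue,
  Computers.Name AS IdentityField,
  Computers.computerid,
  l.arch AS Architecture,
  Computers.Version AS `OS Build`,
  hotfixdata.Title AS `Missing Update`,
  locations.locationid, locations.name AS locationname,
  clients.Clientid, clients.name AS clientname,
  agentcomputerdata.NoAlerts, AgentComputerData.UpTimeStart, AgentComputerData.UpTimeEnd
FROM Computers
JOIN Locations ON Locations.LocationID = Computers.Locationid
JOIN Clients ON Clients.ClientID = Computers.clientid
JOIN AgentComputerData ON AgentComputerData.ComputerID = Computers.ComputerID
JOIN inv_processor p ON p.computerID = Computers.ComputerID
JOIN Tarch a ON a.is_x64 = (Computers.OS LIKE 'Microsoft Windows 10%x64')
            AND a.is_arm = (p.Manufacturer LIKE 'Qualcomm%')
JOIN Tlatest l ON l.arch = a.arch AND l.hotfixId IS NOT NULL
JOIN hotfixdata ON hotfixdata.hotfixid = l.hotfixId
WHERE Computers.version = @build
  AND Computers.ComputerID IN (SELECT ComputerID FROM Tcomp)
  AND NOT EXISTS (SELECT 1 FROM hotfix h
                  WHERE h.computerId = Computers.computerId AND h.hotfixId = l.hotfixId);
```

A machine whose OS string says x64 but whose CPU reports Qualcomm matches no row of Tarch and is left out, which is the same gap the post's three separate monitors have; adjust the two rule columns if your fleet needs a different split.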

Re: the initial question... If Win10 detects an FU it will not show the CU. I guess, no sense installing a CU if you also will be completely replacing it.

In the past this meant that unless FUs were blocked (via deferral, etc.) the FU would be detected. A year ago MS changed their approach from "we'll push it out in the first few months" to "we'll wait until 3ish months before EOL for a version before we install the next." So, in Feb. 2020, 1809 is expiring, so it prompts the user to install FU 1909. In early spring 2021 it will install 2009/20H2. This also means it will only install one FU per year rather than two, because 2004 is skipped.

So we've been installing about 9-12 months behind but will be leveraging this new approach, and will plan to roll out 20H2 in January or so.

An alternative is to set a TargetVersion registry entry which locks the PC onto a specific Win10 version.

For a quick and dirty approach one can create a search that looks for a specific missing CU KB, but the number changes with every CU release, and Windows version:

Edited by SteveYates