What is the point of the NEW - Windows Patch Management

Am I missing the point of this update? Syncro states that:

What it Doesn’t Do

  • Uninstall or remove existing patches.
  • Install feature updates, such as Windows 10 21H2.
  • Install updates for Microsoft products, such as MS Office for Desktop.

So why is there the option to install ‘Feature Packs’?? I just don’t get it.

Cannot remotely uninstall software, or install 21H2. There is so much more that needs to be available before this.

2 Likes

Feature Packs are not the same as Feature Updates.

1 Like

There are several reasons why. One of our longest running and most asked for feature requests was the ability to block patches by KB. Previously there was no way to stop something like Print Nightmare from jacking up your entire base, so you had to explicitly stop installing that category of patches, which of course prevented other critical patches from deploying. It’s really required functionality as an MSP, and speaking frankly, we were quite simply not up to snuff with our Windows Patch Management capabilities (until now).

On top of that, MSPs need a way to granularly control approvals for patch categories/severities. We added this functionality as well. This includes our new “Defer” functionality, something that most other RMMs do not support. This allows MSPs to put entire categories or severities of patches into a “pending approval” state for a customizable amount of time, ensuring if a bad patch does present they have enough time to add it to their exception list to ensure it never installs. The last thing you want to do is have a bad patch go out to your entire fleet requiring you to work backwards. This new functionality ensures you’ll never have to.

With the ability to block patches by KB, or flat out reject entire categories or severities of patches, there isn’t much of a need to work backward uninstalling patches from machines. This isn’t all that common in the space, and not something we’ve seen a lot of requests around (short of asking for a workaround for our previous lack of blocking patches by KB).

Finally, as Andrew correctly pointed out, Feature Packs are not the same as Feature Updates. Feature Updates are handled completely differently inside of Windows, which is why a lot of platforms don’t support managing them. It doesn’t mean we’ll never support installing Feature Updates; it doesn’t mean we ever will, either.

Our goal was simply to deliver on our biggest feature requests revolving around Windows Patch Management, and the feedback we’ve received so far from users that have had it rolled out to their Syncro instances has largely echoed that sentiment.

4 Likes

Great answer from Andy. The updates are awesome and I’m happy to have them. The deferment and blocking KB is WELL worth it.

As I mentioned in the main post about this update, Feature Updates are not part of the Windows Update API, and that is why no RMM I have ever worked with or even read about automates the handling of Feature Updates.

If you really want Feature Updates to push through the RMM, I recommend you take the time to create a script that will allow this. You can script the use of the Media Creation tool to download and install the latest feature update, however there are a lot of things to consider when pushing multiple gigs worth of data to multiple machines in the same environment.

1 Like

There is a script to push feature updates available within Syncro:

“Install Windows Feature Update - Silently installs the Upgrade Assistant to install feature updates.”

From the script:

```powershell
Import-Module $env:SyncroModule

# Working directory for the downloaded Upgrade Assistant
$dir = 'C:\_Windows_features\packages'
mkdir $dir -Force | Out-Null
$webClient = New-Object System.Net.WebClient
$url = 'https://go.microsoft.com/fwlink/?LinkID=799445'
$file = "$($dir)\Win10Upgrade.exe"
$webClient.DownloadFile($url, $file)
# Double quotes so $dir is expanded inside the argument string
Start-Process -FilePath $file -ArgumentList "/quietinstall /skipeula /auto upgrade /copylogs $dir"
```

1 Like

Microsoft removed EULA acceptance and silent install switches from the feature updates, so RMMs can’t push them. This is not a fault of Syncro. You can script the update assistant to install 21H2 and there are several scripts floating around.

I love the new update.

Where are you able to block patches by KB in the Policy?

This feature is not fully rolled out to all users yet, but it’s in the Windows Update section (in the Windows Update sub-policies) of policies.

When are the last stages of the rollout happening? Really keen to get this new feature up and running for our clients, and haven’t got the honour of being one of the lucky ones yet :stuck_out_tongue:

They are ongoing. You’ll be notified in your Syncro instance when it’s made its way to your account.

Any ETA for the Rest of us?

Hopefully not too much longer, but the rollout is still in progress.

Intune seems to have figured out installing feature updates, maybe take a look how they did it.

Feature updates for Windows 10 and later policy in Intune

I’m sure it’s easy when you’re the ones that created the whole OS :slight_smile: They’ve had ways (not just Intune) to control these for years but haven’t given us automation options outside of using them. Scripting the Update Assistant is still the best method, unfortunately.

I might be mistaken, but the major feature updates used to show up in Windows Patches and could be run from there. That option is missing and was most helpful as I recall. I just discovered 100 of my assets are running on 1803 and 1809 and 1902.

Perhaps detect available feature update and integrate a button or tick-box that would run this script.

Devices appear to be 100% patched, but how can that be if 1803 is end of life as of Nov 2019 and is a security risk?

I just failed my own audit, good thing a competitor doing a free security assessment hasn’t come before I discovered this…

You are mistaken. They appear patched because technically, Feature Updates are new “versions” of Windows 10. So if you have all available patches for that version, it’s up to date. Just like if you were still running something on Windows 7: is it outdated? Yes. Is it EOL? Yes. Is it fully patched? Yes. lol.

I generally run a monitor or simply create an asset search for anything that has Operating System = Windows 10 and OS Build less than 19044 (21H2).

Then you can simply run a script against those machines. You can script the Update Assistant as mentioned or the actual media creation tool.

I wrote mine using the Update Assistant and I have it check the OS version to be safe as well as ensure there is at least 15GBs free disk space before it runs.

@mgiordano - wouldn’t be able to provide that script and howto?

Also, what monitor or search do you do to highlight, as you say, Operating System = Windows 10 and OS Build less than 19044 etc.?

Thanks for your help…

On the main assets screen, left hand side there is the magnifying glass. Click it and then create a new search. These are the only options you need to see a list of devices that are not on 19044.

On the asset screen, you might also want to hit Customize and select OS Build so you can see that as a column on the screen.

Sure. Mine is very much like the others floating around. I simply added those couple checks. It also checks at the start to make sure it’s a workstation OS and not a server.

```powershell
Write-Host "Checking OS Version to see if Update is needed..."
$OSInfo = Get-CimInstance Win32_OperatingSystem
$Version = [version]$OSInfo.Version

# ProductType 1 = workstation; 2 = domain controller, 3 = server
if ($OSInfo.ProductType -ne 1) {
    Write-Host "Not designed to run Server OS. Exiting."
    Exit 1
}

# 19044 is the 21H2 build; any older Windows 10 build gets upgraded
if (($Version.Major -eq 10) -and ($Version.Build -lt 19044)) {
    Write-Host "Version $Version detected. Checking for sufficient disk space..."
    $VolumeInfo = Get-Volume
    # Free space on the system drive, in GB
    $CheckDriveSpace = [math]::Round(($VolumeInfo | Where-Object { $_.DriveLetter -eq $env:SystemDrive.Trim(":") }).SizeRemaining / 1gb, 2)
    if ($CheckDriveSpace -le 15) {
        Write-Host "ERROR: Upgrade needs at least 15GBs and only $($CheckDriveSpace)GBs remains. Exiting."
        Exit 1
    }

    Write-Host "Beginning download and installation. This could take hours to complete."
    $DestinationPath = "$env:SystemDrive\WindowsFeatureUpdate"
    # -Force so a re-run does not fail when the folder already exists
    New-Item $DestinationPath -ItemType Directory -Force | Out-Null
    $WebClient = New-Object System.Net.WebClient
    $URL = 'https://go.microsoft.com/fwlink/?LinkID=799445'
    $DestinationFile = "$DestinationPath\Windows10Upgrade.exe"
    $WebClient.DownloadFile($URL, $DestinationFile)
    # The Upgrade Assistant keeps running in the background; the script does not wait for it
    Start-Process $DestinationFile -ArgumentList "/quietinstall /skipeula /auto upgrade /copylogs $DestinationPath"
    Exit 0
}

Write-Host "Version $Version detected. No update needed. Exiting."
Exit 0
```

1 Like
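An added example, not the poster’s script and not one of Syncro’s: it keeps the same workstation/build gate as the script above but checks the Authenticode signature of the downloaded Upgrade Assistant before launching it, since the scripts in this thread execute whatever the fwlink download returned. The target build, folder, URL and function names are assumptions taken from the thread; it assumes Windows PowerShell 5.1.

```powershell
# Added example: gate the feature update on OS/build, then refuse to launch the
# Upgrade Assistant unless it carries a valid Microsoft Authenticode signature.
# Older Windows PowerShell defaults to TLS 1.0; force TLS 1.2 for the download.
[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12

function Test-TrustedUpgradeAssistant {
    param([Parameter(Mandatory)][string]$Path)

    $sig = Get-AuthenticodeSignature -FilePath $Path
    if ($sig.Status -ne 'Valid') {
        Write-Host "Signature status for $Path is $($sig.Status). Refusing to run."
        return $false
    }
    # A valid signature from just any publisher is not enough; check the signer.
    $subject = $sig.SignerCertificate.Subject
    if ($subject -notmatch 'O=Microsoft Corporation') {
        Write-Host "Unexpected signer: $subject. Refusing to run."
        return $false
    }
    return $true
}

function Invoke-FeatureUpdateIfNeeded {
    param(
        [int]$TargetBuild = 19044,                       # 21H2, as used in the thread
        [string]$DestinationPath = "$env:SystemDrive\WindowsFeatureUpdate",
        [string]$Url = 'https://go.microsoft.com/fwlink/?LinkID=799445'
    )
    $os = Get-CimInstance Win32_OperatingSystem
    $build = ([version]$os.Version).Build
    if ($os.ProductType -ne 1) { Write-Host 'Server OS; exiting.'; return 1 }
    if ($build -ge $TargetBuild) { Write-Host "Build $build already at target."; return 0 }

    New-Item -Path $DestinationPath -ItemType Directory -Force | Out-Null
    $exe = Join-Path $DestinationPath 'Windows10Upgrade.exe'
    Invoke-WebRequest -Uri $Url -OutFile $exe -UseBasicParsing

    if (-not (Test-TrustedUpgradeAssistant -Path $exe)) {
        Remove-Item $exe -Force      # do not leave an untrusted binary behind
        return 1
    }
    # Same switches as the scripts above; the assistant keeps running after we exit.
    Start-Process -FilePath $exe -ArgumentList "/quietinstall /skipeula /auto upgrade /copylogs $DestinationPath"
    return 0
}

exit (Invoke-FeatureUpdateIfNeeded)
```

The non-zero exit on a failed signature check surfaces as a script failure in the RMM, so a swapped or corrupted download shows up instead of silently running.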

Just tried to run the script against an asset and got the following error: