There are several reasons why. One of our longest running and most asked for feature requests was the ability to block patches by KB. Previously there was no way to stop something like Print Nightmare from jacking up your entire base, so you had to explicitly stop installing that category of patches, which of course prevented other critical patches from deploying. It’s really required functionality as an MSP, and speaking frankly, we were quite simply not up to snuff with our Windows Patch Management capabilities (until now).
On top of that, MSPs need a way to granularly control approvals for patch categories/severities. We added this functionality as well. This includes our new “Defer” functionality, something that most other RMMs do not support. This allows MSPs to put entire categories or severities of patches into a “pending approval” state for a customizable amount of time, ensuring if a bad patch does present they have enough time to add it to their exception list to ensure it never installs. The last thing you want to do is have a bad patch go out to your entire fleet requiring you to work backwards. This new functionality ensures you’ll never have to.
With the ability to block patches by KB, or flat out reject entire categories or severities of patches, there isn’t much of a need to work backward uninstalling patches from machines. This isn’t all that common in the space, and not something we’ve seen a lot of requests around (short of asking for a workaround for our previous lack of blocking patches by KB).
Finally, as Andrew correctly pointed out, Feature Packs are not the same as Feature Updates. Feature Updates are handled completely differently inside of Windows, which is why a lot of platforms don’t support managing them. It doesn’t mean we’ll never support installing Feature Updates; it doesn’t mean we ever will, either.
Our goal was simply to deliver on our biggest feature requests revolving around Windows Patch Management, and the feedback we’ve received so far from users that have had it rolled out to their Syncro instances has largely echoed that sentiment.
Great answer from Andy. The updates are awesome and I’m happy to have them. The deferment and blocking KB is WELL worth it.
I mentioned in the main post about this update that Feature Updates are not part of the Windows Update API, and that is why no RMM I have ever worked with or even read about automates the handling of Feature Updates.
If you really want Feature Updates to push through the RMM, I recommend you take the time to create a script that will allow this. You can script the use of the Media Creation tool to download and install the latest feature update, however there are a lot of things to consider when pushing multiple gigs worth of data to multiple machines in the same environment.
Microsoft removed EULA acceptance and silent install switches from the feature updates, so RMMs can’t push them. This is not a fault of Syncro. You can script the update assistant to install 21H2 and there are several scripts floating around.
I’m sure it’s easy when you’re the ones that created the whole OS. They’ve had ways (not just Intune) to control these for years but haven’t given us automation options outside of using them. Scripting the Update Assistant is still the best method, unfortunately.
I might be mistaken, but the major feature updates used to show up in Windows Patches and could be run from there. That option is missing and was most helpful as I recall. I just discovered 100 of my assets are running on 1803 and 1809 and 1902.
Perhaps detect available feature update and integrate a button or tick-box that would run this script.
Devices appear to be 100% patched, but how can that be if 1803 is end of life as of Nov 2019 and is a security risk?
I just failed my own audit, good thing a competitor doing a free security assessment hasn’t come before I discovered this…
You are mistaken. They appear patched because technically, Feature Updates are new “versions” of Windows 10. So if you have all available patches for that version, it’s up to date. Just like if you were still running something on Windows 7: is it outdated? Yes. Is it EOL? Yes. Is it fully patched? Yes. lol.
I generally run a monitor or simply create an asset search for anything that has Operating System = Windows 10 and OS Build less than 19044 (21H2).
Then you can simply run a script against those machines. You can script the Update Assistant as mentioned or the actual media creation tool.
I wrote mine using the Update Assistant and I have it check the OS version to be safe as well as ensure there is at least 15 GB free disk space before it runs.
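As an added illustration of the pre-flight checks described above (this is example code, not the poster’s script or anything shipped by Syncro), the following PowerShell reads the current build from the registry, compares it against build 19044 (21H2), checks for 15 GB free on the system drive, and only then launches the Update Assistant. The download URL is a placeholder and the Update Assistant switches are an assumption to verify against the copy you deploy.

```powershell
# Added example, not the poster's script. Assumptions: target build 19044 (21H2),
# 15 GB minimum free space, placeholder download URL, assumed Update Assistant switches.
$TargetBuild   = 19044                                        # Windows 10 21H2, as in the asset search above
$MinFreeGB     = 15
$AssistantUrl  = 'https://PLACEHOLDER.example/Windows10Upgrade.exe'   # placeholder: supply your own link
$AssistantPath = Join-Path $env:TEMP 'Windows10Upgrade.exe'

function Get-CurrentBuild {
    # CurrentBuild is the build number (e.g. 17134 for 1803, 19044 for 21H2)
    $key = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion'
    [int](Get-ItemProperty -Path $key -Name CurrentBuild).CurrentBuild
}

function Get-FreeSpaceGB {
    param([string]$DriveLetter = $env:SystemDrive)   # e.g. "C:"
    $disk = Get-CimInstance -ClassName Win32_LogicalDisk -Filter "DeviceID='$DriveLetter'"
    [math]::Round($disk.FreeSpace / 1GB, 1)
}

function Test-UpgradePreflight {
    # Returns $true only when the device is below the target build AND has enough free space.
    $build = Get-CurrentBuild
    $free  = Get-FreeSpaceGB
    if ($build -ge $TargetBuild) {
        Write-Output "Build $build is already at or above $TargetBuild; nothing to do."
        return $false
    }
    if ($free -lt $MinFreeGB) {
        Write-Output "Only $free GB free on $env:SystemDrive; need $MinFreeGB GB. Skipping."
        return $false
    }
    Write-Output "Build $build is below $TargetBuild with $free GB free; proceeding."
    return $true
}

if (Test-UpgradePreflight) {
    Invoke-WebRequest -Uri $AssistantUrl -OutFile $AssistantPath -UseBasicParsing
    # Switch names vary by Update Assistant version; these are an assumption, check your copy.
    Start-Process -FilePath $AssistantPath -ArgumentList '/quietinstall', '/skipeula', '/auto', 'upgrade' -Wait
}
```

Run it as SYSTEM from the RMM against only the assets your build-number search returned, so devices already on 21H2 or short on disk are skipped rather than half-upgraded.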