Update Windows update so it´s aware of installed patches via BP

  • #9315
    Mbrodin
    Participant

    Hi Doug

    I spin up an old Windows 2012R2 template (2 years old) and patch it with BatchPatch.

    When someone later on attaches it to the internet and does a Windows update, the reply is that the server is missing 99 important patches…

    Can Windows update “information database” be updated from already installed patches somehow?

    Or can you insert a custom message – that the server is patched by other software?

    regards

    Mats Brodin

    #11484
    doug
    Moderator

    Mats – The Windows Update database *does* get updated when BatchPatch installs updates. The BatchPatch update installation process actually utilizes the Windows Update Agent (WUA) to install the updates. The WUA handles the process of updating the Windows Update database with all the relevant information about which updates have been installed.

    If you connect to Microsoft’s public Windows Update server and see different updates available, there are multiple reasons why this can occur:

    1. The most common reason for seeing a different number of available updates in BatchPatch is due to the search scope. In BatchPatch under ‘Tools > Settings > Windows Update’ there is a section titled ‘Search Preferences.’ If you select ‘Search for *all* software updates’ AND ‘Search for *all* driver updates’ then you’ll see every possible available update in BatchPatch. However, if you limit the search to only ‘Important’ and/or ‘Recommended’ then you’ll only find the subset of available updates that Microsoft has deemed ‘Important’ and/or ‘Recommended.’

    2. The second reason you might see a different number of available updates in BatchPatch is due to the search location (‘Server Selection’):

    Default / Managed: Uses the target computer’s existing configuration to determine where to search for updates.

    Windows Update: Bypasses the target computer’s configuration and searches for updates on Microsoft’s public server. Includes only Windows updates.

    Microsoft Update: Bypasses the target computer’s configuration and searches for updates on Microsoft’s public server. Includes Windows updates AND updates for other Microsoft products. Before using Microsoft Update, target servers must be opted-in to the service. See ‘Actions > Windows Updates > Opt-in…’

    If your search for updates in BatchPatch is not searching the same location as when you search for updates manually at the Windows Update control panel GUI, then you will not necessarily see identical results. In BatchPatch you can confirm the location that the target computer is configured to use by executing ‘Actions > Windows Updates > Get Windows Update configuration.’

    3. It’s possible that what is appearing in the Windows Update GUI on the computer itself is not up to date. On newer Windows operating systems (i.e. Windows 10) this information is cached and can therefore become stale. Until the computer initiates a new search for updates to refresh what it is reporting, the search results it displays could contain out-of-date/inaccurate information.

    4. Lastly, another reason for the discrepancy is if you’re using offline mode. Offline mode scans for security updates against the wsusscn2.cab file from Microsoft, which does not contain every update that is published on Microsoft’s public update servers. So, if you installed updates using offline mode and then later connected the computer to Microsoft’s public Windows Update server, you will see that Microsoft’s public Windows Update server offers additional updates.

    I hope this helps.

    -Doug
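    The three things Doug describes above (the WUA database of installed updates, an offline scan against wsusscn2.cab, and the configured search location) can all be checked directly on a target server with the Windows Update Agent COM API. The script below is an added example written for this thread, not BatchPatch code; it assumes wsusscn2.cab has already been copied to the placeholder path C:\Temp\wsusscn2.cab and that it runs in an elevated PowerShell session.

```powershell
# Added example (not BatchPatch's code). Compares what the local Windows Update
# Agent (WUA) database records as installed with an offline scan of wsusscn2.cab,
# then reports where the box is configured to search. Run elevated on the server.
$CabPath = 'C:\Temp\wsusscn2.cab'   # placeholder: copy wsusscn2.cab here first

$session  = New-Object -ComObject 'Microsoft.Update.Session'
$searcher = $session.CreateUpdateSearcher()

# 1. Installed updates as recorded by the WUA database. BatchPatch installs through
#    WUA, so updates it applied show up here just like ones installed by hand.
$installed = $searcher.Search('IsInstalled=1').Updates
"Updates recorded as installed in the WUA database: $($installed.Count)"

# 2. Offline scan: register the cab as a scan-package service and search only it.
#    The cab carries security updates only, so 0 missing here does not imply that
#    Microsoft's public servers would also report 0 (Doug's point 4 above).
$svcMgr  = New-Object -ComObject 'Microsoft.Update.ServiceManager'
$offline = $svcMgr.AddScanPackageService('Offline Sync Service', $CabPath, 1)
$searcher.ServerSelection = 3                  # ssOthers: use the ServiceID below
$searcher.ServiceID       = $offline.ServiceID
$missing = $searcher.Search('IsInstalled=0').Updates
"Security updates missing according to wsusscn2.cab: $($missing.Count)"
foreach ($u in $missing) {
    $kb = ($u.KBArticleIDs | ForEach-Object { "KB$_" }) -join ','
    '  {0,-14} {1,-10} {2}' -f $kb, $u.MsrcSeverity, $u.Title
}

# 3. Configured search location (what 'Get Windows Update configuration' reports).
#    A WSUS policy, if present, lives under the WindowsUpdate policy key.
$wuKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
$pol = Get-ItemProperty $wuKey        -ErrorAction SilentlyContinue
$au  = Get-ItemProperty "$wuKey\AU"   -ErrorAction SilentlyContinue
if ($au.UseWUServer -eq 1 -and $pol.WUServer) {
    "Configured source: managed WSUS server at $($pol.WUServer)"
} else {
    "Configured source: Microsoft's public Windows Update servers (no WSUS policy set)"
}
```

    Running the offline scan right after a BatchPatch offline pass should report 0 missing security updates; the gap the original post describes only appears when the same server is later searched against Microsoft's public servers with a broader scope.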

    #11485
    Mbrodin
    Participant

    Hi Doug

    1) I use the feature search for all updates and search for drivers.

    4) Yes, I use the offline / wsuscab2 update procedure, since the servers are on a non-internet network.

    My concern is, why does Microsoft classify 99 updates as “Important” while Wsuscab2 file says the server has no updates to apply? It was an additional 5 “optional updates” – those I can understand.

    If this is the case, can I use offline updates and push these 99 other updates in some way (without connecting the server to the internet)?

    /Mats

    #11486
    doug
    Moderator

    I understand your concern. Of course this is really a question that only Microsoft could answer, but I have never seen them answer it anywhere. However, I can tell you what we have observed over the years.

    First, Microsoft puts all security updates in the WsusScn2.cab file, but they don’t include other updates. This is documented, but I’m not sure of the actual *reason* for excluding non-security updates. They seem to suggest that this is to keep the update footprint as small as possible while still keeping devices secure. I suspect the idea is that the fewer updates that you install, the less likely you are to introduce problems. And in the case of devices where security is the priority, installing only the security updates means you keep the OS secure while reducing any potential negative impact from other non-security updates.

    With regard to ‘Important’ updates, we have noticed that Microsoft seems to use the ‘Important’ classification really just as a means to distinguish which updates they want to put on user computers, as opposed to the ‘Optional’ updates that they don’t care so much about getting onto user computers or in some cases might even prefer that users didn’t install. For example, you can be sure that Microsoft would release a telemetry update as ‘Important’ because Microsoft wants to have the best possible telemetry. However, this isn’t something that the end user necessarily wants or cares about. So, while it’s not ‘Important’ to the user, it is definitely ‘Important’ to Microsoft. We have also seen cases where they put an update in ‘Optional’ for a few months before later moving it over to ‘Important.’ They move the update to ‘Important’ not because the actual importance level of the update has changed for the end user. It’s because the importance level of the update has changed for Microsoft.

    So, while the ‘Important’ classification will include all security updates, it will also include other non-security updates.

    To push the other 99 updates to computers using BatchPatch you would have to either use online cached mode instead of offline cached mode, but in this case the target computers would perform their search for available updates against Microsoft’s servers, which you do not want; or, alternatively, you could install a WSUS server in your environment. In this scenario you would give the WSUS server internet access, but you would not have to give the target computers internet access. They would simply need access to the WSUS server. You would then update the group policy that controls where the target computers search for updates so that they search the WSUS. Then when BatchPatch tells them to search/download/install updates, they will do that using the WSUS as the source for the updates instead of Microsoft’s public servers.

    Let me know if you have any other questions.

    #11487
    Mbrodin
    Participant

    Thanks Doug for the excellent answer!

    Since we haven't had any issues with our servers, only using offline patching, I will stick with that, keep the servers safe and secure, and tell people to stay away from other patching alternatives 🙂

    Thanks again

    Mats

    #11489
    doug
    Moderator

    Sounds good, Mats. One thing that you might consider as you move forward is to spend some time looking through the KB articles for the 99 remaining updates. That way you can see if you feel like any of those updates is important enough for you to modify your setup so that they get applied to your computers.

    Take care,

    Doug
