Patch Management Group


Windows 10 1909 Update via Patch


  • 1.  Windows 10 1909 Update via Patch

    Trusted Advisor
    Posted Nov 25, 2019 08:54 AM

    Has there been any news given to customers about what will be supported for customers to update clients to Win10 1909?

    I understand that it's a unique update (not typical feature update), and I don't see it in patch management yet.

    All of our clients are 1809 and we are trying to skip the spring releases (i.e. 1903) because of their shorter support window so we need a supported workflow to go from 1809 to 1909 ideally without stopping at 1903 first.

    Thanks



  • 2.  RE: Windows 10 1909 Update via Patch

    Broadcom Employee
    Posted Nov 25, 2019 09:03 AM

    Hi Sally,

    actually there will be two ways to upgrade to 1909 - old way using feature update ISO will remain plus additional solution with a small enablement package is introduced. We're working on adding ISO updates to datafeed at the moment - should be there this week or early next week.

    As for small enablement package it's not yet available as a stand alone download (only from WU/WSUS) so it's not possible to add it to datafeed at the moment. Here are some additional details:

    Windows 10, versions 1903 and 1909 share a common core operating system and an identical set of system files. As a result, the new features in Windows 10, version 1909 were included in the recent monthly quality update for Windows 10, version 1903 (released October 8, 2019), but are currently in a dormant state. These new features will remain dormant until they are turned on using an enablement package, which is a small, quick-to-install “master switch” that simply activates the Windows 10, version 1909 features.

    This Microsoft blog post provides more details for new architecture: https://techcommunity.microsoft.com/t5/Windows-IT-Pro-Blog/Windows-10-version-1909-delivery-options/ba-p/1002660
    And here is information for the enablement package: https://support.microsoft.com/en-us/help/4517245/feature-update-via-windows-10-version-1909-enablement-package
     

    Thanks,
    Dmitri.



  • 3.  RE: Windows 10 1909 Update via Patch

    Trusted Advisor
    Posted Nov 25, 2019 09:26 AM

    Thanks. Looking forward to testing the process coming from 1809.



  • 4.  RE: Windows 10 1909 Update via Patch

    Posted Dec 18, 2019 01:58 AM

    Hi, I'm not sure if it is just our environment but we still can't see the SBSP Windows 1909 bulletin. We already upgraded to 8.5 RU3 and distributed the upgraded engine to all clients in order to be compatible. Are we missing something or is the ISO update still not added to the data feed?



  • 5.  RE: Windows 10 1909 Update via Patch

    Broadcom Employee
    Posted Dec 18, 2019 02:29 PM

    Barbaros, this is still in progress, so the bulletin is not yet available in the feed.



  • 6.  RE: Windows 10 1909 Update via Patch

    Posted Dec 19, 2019 12:51 AM

    Thanks for the quick response.



  • 7.  RE: Windows 10 1909 Update via Patch

    Broadcom Employee
    Posted Dec 20, 2019 06:33 PM

    SBSP-Windows10_1909 and SBSP-WindowsServer_1909 bulletins were released today



  • 8.  RE: Windows 10 1909 Update via Patch

    Trusted Advisor
    Posted Jan 02, 2020 08:50 AM

    Thanks @CFarrell - just confirming I need to follow this KB to deploy via patch - nothing has changed even though this feature update is a little bit unique compared to prior ones, right?

     

    Thanks

    https://support.symantec.com/us/en/article.doc9422.html



  • 9.  RE: Windows 10 1909 Update via Patch

    Posted Jan 05, 2020 09:30 AM
    Sally, the only thing I found is they left out the part making sure you rename the ISO to match the batch file name, swore that was in there before they revised it


  • 10.  RE: Windows 10 1909 Update via Patch

    Posted Jan 06, 2020 02:36 PM

    Any update if we can do this strictly via patch management yet?  I would prefer not to do this via the old way.



  • 11.  RE: Windows 10 1909 Update via Patch

    Broadcom Employee
    Posted Jan 07, 2020 04:44 AM

    Hi rwlang74,

    may you clarify the change you're looking for?



  • 12.  RE: Windows 10 1909 Update via Patch

    Broadcom Employee
    Posted Jan 07, 2020 04:44 AM

    Hi Cody,

    > they left out the part making sure you rename the iso to match the batch file name

    this is actually still covered in 6.6.

     

     



  • 13.  RE: Windows 10 1909 Update via Patch

    Posted Jan 08, 2020 11:09 AM

    My bad I missed it when reading through, but I have run into one issue:

     

    We use Symantec Endpoint Encryption, 11.3. We install with the WinSetupAutomation=1 and have been able to push 1809 and 1903 to devices encrypted with SEE 11.3 using patch management and it works fine as long as you send the disable pre-boot

    With 1909 feature release seeing the below, worked with SEE support to confirm it's not an issue on their end:

    On a device running 1803 and no SEE installed: 1909 applies without issue using patch management

    On a device running 1803 with SEE installed: 1909 fails to apply, the patch runs, device reboots to the "select keyboard country, followed by continue to windows" and remains 1803 once into windows

    On a device running 1803 with SEE installed: Don't use patch management but instead run the command:

    setup.exe /Auto Upgrade /DynamicUpdate disable /reflectdrivers "C:\Program Files\Symantec\Endpoint Encryption Clients\Drive Encryption\OS Upgrade Files" /Postoobe "C:\Program Files\Symantec\Endpoint Encryption Clients\Drive Encryption\OS Upgrade Files\setupcomplete.cmd"

    The device updates to 1909 without issue

    So any ideas on why it fails within patch management?



  • 14.  RE: Windows 10 1909 Update via Patch

    Trusted Advisor
    Posted Jan 08, 2020 11:30 AM

    My first attempt at pushing this feature update out via patch failed as well (coming from 1809).  I'm putting a ticket in.

    Edit: seems to be installing if I manually suspend bitlocker before letting patch install.  Hopefully that's something team can address?

    Seems like reading this that the native windows installer should be able to handle bitlocker encryption: https://docs.microsoft.com/en-us/windows/security/information-protection/bitlocker/bitlocker-upgrading-faq

    I tested installing feature updates a year+ ago via software portal and bitlocker wasn't an issue then.  Hope Patch can work with it....



  • 15.  RE: Windows 10 1909 Update via Patch

    Broadcom Employee
    Posted Jan 08, 2020 12:14 PM

    Hi Cody,

    do you use solution from https://support.symantec.com/us/en/article.TECH252359.html to workaround the encryption piece?

    Thanks,
    Dmitri.



  • 16.  RE: Windows 10 1909 Update via Patch

    Trusted Advisor
    Posted Jan 09, 2020 07:56 AM

    hey @Dmitri - I did some digging and looks like this is the command line Altiris/Symantec/Broadcom is running

     "%volume%:\setup.exe" /auto upgrade /quiet /showoobe none /noreboot /telemetry disable /dynamicupdate disable /Postoobe %STscript%setupcomplete.cmd & SET LASTERR=!errorlevel!

    shouldn't there be a  /bitlocker AlwaysSuspend in there?  Really hope we can get this working.  Thanks!  I have a ticket in, if that helps - 31619367

     

    Thanks!



  • 17.  RE: Windows 10 1909 Update via Patch

    Broadcom Employee
    Posted Jan 09, 2020 10:48 AM

    Hi Sally,

    as far as I know previously Windows 10 feature setup was able to understand each other with BitLocker successfully so it could be some change on Microsoft's side.
    We have a solution for Symantec encryption products that may be potentially useful for you as well as it provides an ability to pass custom command line parameters to setup.exe - check here for details: https://support.symantec.com/us/en/article.TECH252359.html

    Thanks,
    Dmitri.

     



  • 18.  RE: Windows 10 1909 Update via Patch

    Trusted Advisor
    Posted Jan 09, 2020 11:01 AM

    bitlocker wasn't an issue when I tested with previous feature updates, but that was through software portal.  I don't know why Symantec wouldn't pass the /bitlocker switch as otherwise it will never work for any customers that use Bitlocker, and adding it wouldn't break those that don't, no?

    I get symantec has their own product but certainly many use the native windows product.

    I don't want to script to disable bitlocker in place of letting setup.exe do it natively.  I'm not following how prepare.cmd is disabling it reading the article.



  • 19.  RE: Windows 10 1909 Update via Patch

    Broadcom Employee
    Posted Jan 09, 2020 11:22 AM

    Hi Sally,

    we don't have a specific handling for BitLocker as previously (?) it worked fine on its own. For non-Microsoft encryption products (like ours) we needed to pass additional parameters to setup.exe to instruct it where to load encryption product drivers from, etc.

    Prepare.cmd prepares encrypted system for Windows 10 feature update installation and as part of this creates several artifacts used in the process. One of them is SetupConfig.ini - file that contains instructions for setup.exe. If feature update installation script detects existence of SetupConfig.ini (either created by prepare.cmd or provided by admin) it doesn't pass default command line to setup.exe but rather instructs it to take parameters from SetupConfig.ini.

    Step 4 in Customizations section of the referenced article describes how you can control the list of parameters that will be passed to setup.exe.

    Thanks,
    Dmitri.



  • 20.  RE: Windows 10 1909 Update via Patch

    Trusted Advisor
    Posted Apr 01, 2020 02:32 PM
    Is there anyone that can help me figure out how to update to 1909 via patch AND disable bitlocker so it actually works?

    It should be as simple as adding command line switch /bitlocker AlwaysSuspend

    I've literally put in 3 tickets with support since January on this.  1 was ignored, the 2nd opened for months and closed on employee's last day, and the 3rd still opened the only response I got was "use a managed delivery policy" which isn't what I asked.

    I am very concerned if there are any patch employees left to support the product.



  • 21.  RE: Windows 10 1909 Update via Patch

    Broadcom Employee
    Posted Apr 14, 2020 06:34 AM
    Hi Sally,

    Our Windows 10 feature update installation scripts detect whether Setupconfig.ini is supplied during installation and run feature update setup.exe with parameters from configuration file instead of standard command line if detected - you can use it to append required switches to command line.
    To utilize this option create Setupconfig.ini using template from TECH252359 and place it next to ISO file when following the instructions of section 6 from TECH257212. File contents may look like:

    [SetupConfig]

    Auto=Upgrade
    Quiet
    ShowOOBE=none
    NoReboot
    Telemetry=Disable
    DynamicUpdate=disable
    BitLocker=AlwaysSuspend

    I'll also share a test version of prepare.cmd script that detects BitLocker and generates  automatically in a private message.

    In our tests systems with BitLocker were updated to Windows 10 1909 feature update successfully using default command line so you may have some components potentially non-compatible with 1909 in your environment - this could be worked around by adding additional "Compat=IgnoreWarning" line to Setupconfig.ini.

    Best regards,
    Dmitri.
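
A post-upgrade check for the BitLocker suspension discussed above, as an added example that is not part of any post in this thread and is not Symantec/Broadcom code: run elevated on the client after the final reboot, it confirms the device actually reached 1909 and that BitLocker protection is on again rather than left suspended. The build number 18363 for Windows 10, version 1909 and the function name are assumptions of this example.

```powershell
# Added example (not the vendor's script). Run elevated after the last reboot.
# Assumption: 18363 is the build number of Windows 10, version 1909.
$ExpectedBuild = 18363

function Test-FeatureUpdateResult {
    param(
        [int]    $CurrentBuild,
        [string] $ProtectionStatus,  # 'On' / 'Off' as reported by Get-BitLockerVolume
        [string] $VolumeStatus       # e.g. 'FullyEncrypted', 'FullyDecrypted'
    )
    $findings = @()
    if ($CurrentBuild -lt $ExpectedBuild) {
        # Matches the failure reported in the thread: setup runs, device stays on the old build
        $findings += "Upgrade did not apply: build $CurrentBuild is below $ExpectedBuild"
    }
    # An encrypted volume whose protection is not 'On' still has its key protectors suspended
    if ($VolumeStatus -ne 'FullyDecrypted' -and $ProtectionStatus -ne 'On') {
        $findings += "BitLocker protection is not active on the system volume ($VolumeStatus, $ProtectionStatus)"
    }
    return $findings
}

$build = [int](Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion').CurrentBuildNumber

try {
    $vol = Get-BitLockerVolume -MountPoint $env:SystemDrive -ErrorAction Stop
    $findings = @(Test-FeatureUpdateResult -CurrentBuild $build `
        -ProtectionStatus $vol.ProtectionStatus -VolumeStatus $vol.VolumeStatus)
} catch {
    # BitLocker module missing or session not elevated: report instead of assuming success
    $findings = @("BitLocker state could not be read: $($_.Exception.Message)")
}

if ($findings.Count -eq 0) {
    Write-Output "OK: build $build, BitLocker protection active or volume not encrypted"
    exit 0
}
foreach ($f in $findings) { Write-Warning $f }
exit 1
```

The non-zero exit code lets a follow-up task or compliance policy flag devices that stayed on the old build or came back with protection still off.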


  • 22.  RE: Windows 10 1909 Update via Patch

    Posted Jan 09, 2020 12:46 PM

    Ahhh thank you so much for pointing me toward the prepare.cmd!



  • 23.  RE: Windows 10 1909 Update via Patch

    Posted Jan 09, 2020 05:39 PM

    So mine is working now using the prepare.cmd, one question is what would be the best way to add this in?

    "C:\Program Files\Symantec\Endpoint Encryption Clients\Drive Encryption\eedadmincli.exe" --enable-Autologon --count 6 --au SEEADMIN --ap *******

    I want to be able to build in the allow three reboots with the pre-boot login screen, should I add that to prepare or add it as its own cmd in the patch deployment?



  • 24.  RE: Windows 10 1909 Update via Patch

    Posted Jan 10, 2020 11:38 AM

    So I used 

    swuenv.bat && call prepare.cmd && call "C:\Program Files\Symantec\Endpoint Encryption Clients\Drive Encryption\eedadmincli.exe" --enable-Autologon --count 4 --au SEEADMIN --ap 3******* && call "%InstallToolsPath_832C527C-B9C9-46FB-B1F1-2F35434FF90D%\AeXPatchDeployment.exe" -DeploymentId=00001f9b-0001-0000-0000-000000000000 -LanguageGroup=1

    for command line, it worked. Disabled pre-boot and let the feature run, only thing being is it popped a cmd box up on the screen saying it login had been enabled, next step is I'm going to see if I can just add this to that prepare.cmd somewhere 



  • 25.  RE: Windows 10 1909 Update via Patch

    Posted Jan 10, 2020 04:10 PM

    So maybe need to look at this more next week but I can't seem to find the right spot in prepare.cmd that I could edit and put in the above command, it can't just be in the cmd line since on non-SEE devices the install will fail