Patch Management Solution


 Can't apply SBSP-Windows10_1909 (and can't see 20H2)

Trusted Advisor ianatkin posted Feb 10, 2021 10:26 AM

We've been trying to roll out feature updates with patch management, and have hit a snag. When we make ready the SBSP-Windows10_1909 bulletin to 1903 machines, they aren't seen as being an applicable update. In the remediation portal, we can't see the 20H2 update either to try that.

We've noticed that the 1909 seems to refer explicitly to "Windows 10 Enterprise N", and "N" is present in the batch file, but other than that we've made no headway.

Anyone got any thoughts on this?

Philip Wheaton
Hey Ian,

It should be listed if you've got it selected under the Microsoft bit in Vendors :
20H2 should also be there.
Note to make the update much faster from 1903 to 1909, if the machines already are up to date on all of their 1903 patches, the 1909 features are already included.
If you apply kb4517245 (which is about 20K) and reboot it enables the features.

On your last Patch Data import, what is the version number?

Phil
Broadcom Employee Dmitri Gornev
Hi Ian,

I had a quick look and both 1909 (you may need to modify "Release Date From:" setting to see this one) and 20H2 are applicable to my outdated Windows 10 computers in "Windows Compliance by Bulletin" and other reports.

May you check STPatchAssessment.xml in C:\Program Files\Altiris\Altiris Agent\Agents\SoftwareManagement\Software Delivery\{6D417916-467C-46A7-A870-6D86D9345B61}\cache location on problematic machines - what OS versions do you have listed in ApplicableServicepacks section there?

At what point does your problem appear? Machines are not shown as applicable/vulnerable/targeted in the reports? Policy with this bulletin doesn't arrive on them? Policy arrives but update installation doesn't start?

Thanks,
Dmitri.
Trusted Advisor ianatkin

Thanks for the prompt response.

>you may need to modify "Release Date From

I didn't get to recheck the date ranges before re-running the PMImport with delete option to enforce a clearing out of our Windows 10 patches to start clean again. We can now see the later patches, but that may well have been because I didn't check the date ranges.

>check STPatchAssessment.xml 

Moving to a client machine, in the applicableServicePack sections I can see three elements for 1909, 2004 and 20H2 respectively.

>At what point does your problem appear? Machines are not shown as applicable/vulnerable/targeted in the reports? 

If I look at the computer in the patch reports it's not seen as vulnerable to 1909, only 2004 and 20H2. So, the client never downloads the patch.

Trusted Advisor ianatkin
I've just seen that a machine is now being targeted by the 1909 patch. Sigh. I think the clean out and rebuild with the PMImport process has somehow unstuck things. I can see that the policy details when created the 1909 patch have also changed from what I posted in the pic above (4 updates in the package now rather than 1).
Trusted Advisor ianatkin

Update from here. We can now see all the feature update bulletins, but only the 20H2 Enablement bulletin. This means we're still stuck on using ISO deployments.

Our metadata import options are below,

The languages imported here are EN and EN-GB.

Without access to the enablement package we are trying to use the ISO method. After the full clean out and rebuild of bulletins yesterday a 1903 test client saw the 1909 Feature update package, so following the package download we saw it successfully update. As that process started the OOBE experience, we then included a setupconfig.ini, but what that seemed to do was simply to delay those OOBE questions until the first logon. The contents of our SetupConfig.ini are,

[SetupConfig]
Auto=Upgrade
Quiet
ShowOOBE=none
Telemetry=Disable
DynamicUpdate=disable
BitLocker=AlwaysSuspend

Is this behaviour to be expected for the ISO deployments? Also, any idea why we might not be seeing the 1903-1909 Enablement package?

Thanks for your time,

Ian./

 

Broadcom Employee Dmitri Gornev
Hi Ian,

I recall seeing some OOBE UI after ISO based upgrade but it was limited to accepting new privacy option of new OS version, etc. - not entire OOBE with selecting keyboard language and so on.

Just to clarify - where do you place SetupConfig.ini in your environment? You may check this KB for Windows 10 feature update customization options supported by Patch Management: https://knowledge.broadcom.com/external/article/173085/using-patch-management-solution-to-deplo.html

> Also, any idea why we might not be seeing the 1903-1909 Enablement package?
Unfortunately Microsoft decided not to make it available outside of WSUS (you cannot download it from Microsoft Update Catalog so it was not possible to add it to our datafeed).

https://support.microsoft.com/en-us/topic/feature-update-via-windows-10-version-1909-enablement-package-f23694fa-7088-6d16-2b73-bf7e2ea45cd1
Phil Wheaton - were you able to get kb4517245 from some publicly available location? 

Thanks,
Dmitri.
Philip Wheaton
Hi Dmitri and Ian,

The cab is available from Microsoft, just not searchable :

http://b1.download.windowsupdate.com/d/upgr/2019/11/windows10.0-kb4517245-x64_4250e1db7bc9468236c967c2c15f04b755b3d3a9.cab
http://b1.download.windowsupdate.com/d/upgr/2019/11/windows10.0-kb4517245-x86_8463271782b79ce8214772c62552b8961feb7ccb.cab

Phil
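
Added example, not part of the original post or of Patch Management itself: both links above are plain HTTP, and each file name ends in 40 hex characters, the length of a SHA-1 digest. This Python check compares a downloaded copy against that suffix before it is staged for deployment; treating the suffix as the file's SHA-1 is an assumption, as is the script name in the usage comment.

```python
import hashlib
import hmac
import re
from pathlib import Path, PurePosixPath
from urllib.parse import urlparse

# Assumption: Windows Update payload names end in "_<40 hex chars>.<ext>"
# and that suffix is the SHA-1 of the file content.
_SUFFIX = re.compile(r"_([0-9a-fA-F]{40})\.(?:cab|msu|exe|psf)$")


def expected_sha1(url_or_name: str) -> str:
    """Return the SHA-1 embedded in a download URL or bare file name."""
    name = PurePosixPath(urlparse(url_or_name).path).name
    match = _SUFFIX.search(name)
    if not match:
        raise ValueError(f"no SHA-1 suffix in {name!r}")
    return match.group(1).lower()


def file_sha1(path: Path, chunk_size: int = 1 << 20) -> str:
    """Hash the file in chunks so large packages need not fit in memory."""
    digest = hashlib.sha1()
    with open(path, "rb") as handle:
        for chunk in iter(lambda: handle.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def verify_download(path: Path, source_url: str) -> bool:
    """True only if the local file's SHA-1 equals the one named in the URL."""
    return hmac.compare_digest(file_sha1(path), expected_sha1(source_url))


if __name__ == "__main__":
    import sys
    # Usage (hypothetical script name):
    #   python verify_cab.py <downloaded file> <URL it came from>
    ok = verify_download(Path(sys.argv[1]), sys.argv[2])
    print("SHA-1 matches file name" if ok else "MISMATCH: do not deploy")
    sys.exit(0 if ok else 1)
```

A match only ties the file to the name in the URL; the package's Authenticode signature remains the stronger check on who produced it.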
Broadcom Partner Johannes Bedrech
Hi Ian,

Take a look at my blog: https://epm-blog.com/2020/01/14/windows-10-feature-update-using-symantec-itms-lessions-learned/
There is also a section about OOBE with the relevant regkeys..
I'm not using Patch Management to run the IPU; instead I use a MSD...
Trusted Advisor ianatkin

Hi All,

So thanks to all that responded here. In the end we rolled out the full package, but a couple of days after emptying and rebuilding the catalog ALL of the SBSP entries appeared in the remediation center. As we'd already started the rollout of the full package we just sighed. The extra issue we had with machines in testing being forced into answering OOBE questions seemed to vanish when testing moved to a domain joined computer (we test on non-domain machines first to avoid policy issues).

Everything here helped, and also enabled us to learn/remember how patch works. Sorry for the delay.

One day, I'll also find a tutorial on how to find my posts that have received updates on the Broadcom site!

Broadcom Employee Dmitri Gornev
Hi Phil,

Windows 10 1909 feature update enablement package (KB4517245) is now available in datafeed, starting from PMImport 7.3.720.

Thanks,
Dmitri.