Patch Tuesday is tomorrow. Get your system locked down.

Just dealt with a 1909 update that reset the 802.1X settings on the workstation's NIC, not to mention reset a myriad of other settings.
Getting really tired of Microsoft's bullshit with these rolling updates, and it is making me miss the days of service packs with long term support.
"Well my grandma's laptop updated fine so not sure why you hate Microsoft" :D

I miss the service pack days too, where real engineers made sure shit was done properly, not a B-Team of transfers from other departments.

In terms of funding and company focus, Nadella cut the engines on Windows years ago to let it coast into the sunset on inertia, because cloud and big data are the only future he cares about. You'll never hear him mention Windows anywhere.
 
Upgraded all three home pcs last night, no issues.

And as is typical, my company will delay its rollout until tomorrow (for validation)
 
Personally, at home, I let MS do its thing. Haven't been bit by a bad Win10 patch yet here *knock on wood*, but again, I don't opt to be an early adopter. Worst case, it toasts my OS and I get to rebuild; I'm due for a rebuild anyway (gotten away from my 1.5 year rebuild schedule I used to follow.)

At work, totally different story. We target our test VMs/test machines for the Pilot/Alpha group the first couple of days, a decent number of tech savvy folks (mostly, I work for an engineering company) from each department as best we can as our Early Adopters/Betas over the next ~5 days, then finally everyone else over the course of the next week. Over the course of ~2 weeks, everyone's patched up and the security folks are happy. 0-days get handled the same way, but on an accelerated 2-3 day schedule. Same story server side.

I can't remember any specific bad KB getting through this process, but the Service Pack level upgrades are another story.... I'm way more worried about those than Patch Tuesday.
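An added example of one way to put the staged rollout described in this post into practice (this is not code from the thread or from Microsoft): each workstation is assigned to a ring, and the ring decides how many days after Microsoft's release the device waits before Windows Update offers the patch. It uses the Windows Update for Business deferral policy values under the WindowsUpdate policy key; the ring names, the day counts (0 / 2 / 7 for quality updates, 0 / 14 / 60 for feature updates) and the mapping of the ~2-day, ~5-day and ~2-week cadence onto those values are assumptions to adjust to your own fleet.

```powershell
# Added example, not from the thread: assign this machine to a patch ring by
# setting Windows Update for Business deferral policies. Run elevated.
[CmdletBinding()]
param(
    [Parameter(Mandatory = $true)]
    [ValidateSet('Pilot', 'EarlyAdopters', 'Everyone')]
    [string]$Ring
)

$policyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'

# Assumed deferral windows (days) per ring. QualityDays covers the monthly
# cumulative (Patch Tuesday) updates; FeatureDays covers version upgrades
# such as 1909, which the thread is far more nervous about.
$rings = @{
    Pilot         = @{ QualityDays = 0; FeatureDays = 0  }
    EarlyAdopters = @{ QualityDays = 2; FeatureDays = 14 }
    Everyone      = @{ QualityDays = 7; FeatureDays = 60 }
}

$identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
$principal = [Security.Principal.WindowsPrincipal]$identity
if (-not $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) {
    throw 'Writing HKLM policy values needs an elevated PowerShell session.'
}

if (-not (Test-Path -Path $policyKey)) {
    New-Item -Path $policyKey -Force | Out-Null
}

$cfg = $rings[$Ring]

# The Defer* flags switch deferral on; the *PeriodInDays values set how long
# after release the device waits. Both must be present for the policy to apply.
Set-ItemProperty -Path $policyKey -Name 'DeferQualityUpdates'             -Value 1                -Type DWord
Set-ItemProperty -Path $policyKey -Name 'DeferQualityUpdatesPeriodInDays' -Value $cfg.QualityDays -Type DWord
Set-ItemProperty -Path $policyKey -Name 'DeferFeatureUpdates'             -Value 1                -Type DWord
Set-ItemProperty -Path $policyKey -Name 'DeferFeatureUpdatesPeriodInDays' -Value $cfg.FeatureDays -Type DWord

# Read the values back so the assignment can be verified and logged.
Get-ItemProperty -Path $policyKey |
    Select-Object @{ Name = 'Ring'; Expression = { $Ring } },
                  DeferQualityUpdates, DeferQualityUpdatesPeriodInDays,
                  DeferFeatureUpdates, DeferFeatureUpdatesPeriodInDays
```

Usage is `.\Set-PatchRing.ps1 -Ring EarlyAdopters` on each machine (or the same values pushed through Group Policy / your management tool, which is how most shops would actually deploy it). The point of the deferral approach is that the Pilot ring takes the hit on day one, and a bad KB found there can be held back from the later rings before it ever reaches them.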
 
Having all your company's laptops on auto-update is a recipe for disaster. Windows 10 is fucking ruthless with the way it decides to stop letting you postpone updates and just forces you to restart suddenly. I've seen it happen countless times. When that shit happens to the wrong person at a sales meeting or other public facing event, it makes the company look like they don't know what they are doing. And that's if the patch goes smoothly and the system comes back up. I've seen instances where the system wouldn't come back up and that's when the shit really hits the fan.
 
That would be correct, it is chicken-little crap. He has no evidence there's anything wrong, it is just to get clicks, which it has successfully done here. He's also basically the computer equivalent of an anti-vaxxer: "You don't need those security updates, all the problems they said have never come to pass!" Same idea as "You don't need a vaccine, you've never seen someone with the disease!" Yes, in both cases it is BECAUSE of the fix. If there's an exploit, and it gets fixed quickly and people widely apply that fix, you don't tend to see anyone develop malware to exploit it. After all, what good is making something that could only infect a tiny number of systems?

I will NOT be listening to some random fear monger with no evidence. My systems, and all the systems at work, will be patching themselves normally, just as they always do. It's not that I've never seen problems with patches, I've seen a few (as in less than 5) over the last decade that would affect certain configurations. Annoying, but no big deal, just roll back. What I've seen a lot more of is systems getting owned and in those cases, it is way harder to clean up than a simple rollback. To truly make sure they are secure, a nuke-and-pave is required.

Unless you are a security professional that takes the time to read the patch notes, check the CVSS of vulnerabilities, and see how that impacts your systems... just let patches auto install. For Windows, for your browser, for your games, for everything. The chances you get bit by a patch issue are way less than the chances you get owned or run into a nasty bug (remember patches don't only fix security issues) by running old code.

This post is so ironic. You are the one going against industry standards that have proven time and time again to be worth it. You are the anti-vaxxer in this case. There is evidence across the IT industry of why you do TESTING and incremental rollouts on patches. If a client cannot do their job because an untested patch failed, that is a problem. If the entire company gets patches all at the same time, you have a major issue on your hands.

I'm going to guess your environment is less than 50 systems.
 
I get it, we are all supposed to hate updates from Microsoft.

Raise your hand if you've never had one single update for Windows give you a problem, ever...
*raises hand*
Not the point at all. The point is if you are a sys admin and manage lots of MS systems, you should follow industry standards for patching, not just set that shit to auto and hope for the best.
 
Not the point at all. The point is if you are a sys admin and manage lots of MS systems, you should follow industry standards for patching, not just set that shit to auto and hope for the best.

Oh? Not the point you say? Please point out where in the thread title or OP post where it reads "message for system administrators only".

BLNT
 
Oh? Not the point you say? Please point out where in the thread title or OP post where it reads "message for system administrators only".

BLNT

No but that is where I see the target audience of the article being. Who the hell reads articles about Windows updates other than sys admins?
 
 
And as is typical, my company will delay its rollout until tomorrow (for validation)
Microsoft themselves recommend a best practice of enterprises having a 3-tier update environment - an alpha, beta, and production.
If that doesn't say what shit their updates are, right from the horse's mouth no less, I don't know what does.

I've seen one or two bad updates break entire test groups, let alone rolling out that flawed and untested garbage to every workstation and server in an enterprise.
Your company at least has some brains to validate the updates before rolling them out - not sure why you are acting like that's such a bother.


I get it, we are all supposed to hate updates from Microsoft.

Raise your hand if you've never had one single update for Windows give you a problem, ever...
*raises hand*
I have seen so many iterations of Windows 10 from the beginning up to 1909 brick more systems, and corrupt more user data, than Windows 3.0 to Windows 8.1 combined.
Really glad you haven't experienced that, and with a home system/environment, there is a chance you may never experience that, and I hope you don't - it is anything but fun.
 
Microsoft themselves recommend a best practice of enterprises having a 3-tier update environment - an alpha, beta, and production.
If that doesn't say what shit their updates are, right from the horse's mouth no less, I don't know what does.

I've seen one or two bad updates break entire test groups, let alone rolling out that flawed and untested garbage to every workstation and server in an enterprise.
Your company at least has some brains to validate the updates before rolling them out - not sure why you are acting like that's such a bother.



I have seen so many iterations of Windows 10 from the beginning up to 1909 brick more systems, and corrupt more user data, than Windows 3.0 to Windows 8.1 combined.
Really glad you haven't experienced that, and with a home system/environment, there is a chance you may never experience that, and I hope you don't - it is anything but fun.

Their updates are not crap, even from them. Their recommendations are best practice mixed with a little common sense. At least that is what some are saying here about not day one installing updates. Also, the same thing would be said about any OS, in a corporate environment.
 
but did it actually install this time?
Shit, I figured it would install on reboot. Just checked and I need to click the button. We will see. I may not post again today!!!

I did try installing it several times over the last month to no avail.
 
If your big patches fail, try running sfc /scannow prior to running the update. Weird things flag errors. For instance, on my system I shift a lot of the Windows system app shortcuts into different folders. Windows seems to think they're missing, so major updates sometimes error out. If I put them back, everything works fine.
sfc /scannow restores a multitude of things to their defaults, so it's easier than trying to do it myself.
 
try that ^^ and maybe the wuauserv method of clearing out the update files. then try again.


sfc /scannow

net stop wuauserv
net stop cryptSvc
net stop bits
net stop msiserver

ren C:\Windows\SoftwareDistribution SoftwareDistribution.old
ren C:\Windows\System32\catroot2 catroot2.old

net start wuauserv
net start cryptSvc
net start bits
net start msiserver

Check for updates and get yourself a beer, you'll be waiting a bit for it to parse all the updates depending on your flavor of Windows
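The same reset as the batch of commands above, as an added example in PowerShell (not the poster's commands, just a scripted version of them) with the checks a sysadmin would want before running it on someone else's machine: it refuses to run unelevated, confirms each service has actually stopped before touching the cache folders, and renames the folders with a timestamp instead of a fixed `.old` suffix so a second run does not fail on an existing rename. Service names and folder paths are the ones in the post; the timestamp suffix and the warning on a non-zero sfc exit code are assumptions.

```powershell
# Added example, not from the thread: reset the Windows Update cache the way
# the post above does, with safety checks. Run from an elevated PowerShell.
#Requires -RunAsAdministrator

$services = 'wuauserv', 'cryptSvc', 'bits', 'msiserver'
$folders  = "$env:SystemRoot\SoftwareDistribution",
            "$env:SystemRoot\System32\catroot2"
$stamp    = Get-Date -Format 'yyyyMMdd-HHmmss'

# Integrity check first, as the post suggests. sfc returns 0 when nothing was
# found or everything was repaired; anything else is worth reading CBS.log for.
& "$env:SystemRoot\System32\sfc.exe" /scannow
if ($LASTEXITCODE -ne 0) {
    Write-Warning "sfc /scannow exited with $LASTEXITCODE; check CBS.log before retrying the update."
}

# Stop the update-related services and wait until each one really is stopped;
# renaming SoftwareDistribution while wuauserv still holds it open just fails.
foreach ($name in $services) {
    $svc = Get-Service -Name $name -ErrorAction SilentlyContinue
    if ($null -eq $svc) { Write-Warning "Service $name not found, skipping."; continue }
    if ($svc.Status -ne 'Stopped') {
        Stop-Service -Name $name -Force -ErrorAction Stop
        $svc.WaitForStatus('Stopped', [TimeSpan]::FromSeconds(60))
    }
}

# Rename rather than delete so the old cache is still there for inspection or
# rollback. The timestamp (an assumption) keeps repeated runs from colliding.
foreach ($dir in $folders) {
    if (Test-Path -LiteralPath $dir) {
        $newName = '{0}.old-{1}' -f (Split-Path -Path $dir -Leaf), $stamp
        Rename-Item -LiteralPath $dir -NewName $newName -ErrorAction Stop
        Write-Host "Renamed $dir -> $newName"
    }
}

# Start-Service brings up dependencies itself, so the post's order is fine here.
foreach ($name in $services) {
    if (Get-Service -Name $name -ErrorAction SilentlyContinue) {
        Start-Service -Name $name -ErrorAction Stop
    }
}

Write-Host 'Update cache reset. Run Check for updates; the first scan rebuilds the cache and takes a while.'
```

Run it once, reboot if an update was mid-install, then check for updates. If the scan still fails after this, the cache was not the problem and the Reset-Windows-Update-Agent script or a manual KB install mentioned later in the thread is the next step.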
 
If your big patches fail, try running sfc /scannow prior to running the update. Weird things flag errors. For instance, on my system I shift a lot of the Windows system app shortcuts into different folders. Windows seems to think they're missing, so major updates sometimes error out. If I put them back, everything works fine.
sfc /scannow restores a multitude of things to their defaults, so it's easier than trying to do it myself.


Going a bit deeper now...
 
sfc /scannow

net stop wuauserv
net stop cryptSvc
net stop bits
net stop msiserver

ren C:\Windows\SoftwareDistribution SoftwareDistribution.old
ren C:\Windows\System32\catroot2 catroot2.old

net start wuauserv
net start cryptSvc
net start bits
net start msiserver

Check for updates and get yourself a beer, you'll be waiting a bit for it to parse all the updates depending on your flavor of Windows
 

Ah, I see your Windows install is apparently cursed.

Check out this page:
https://docs.microsoft.com/en-us/windows/deployment/update/windows-update-resources

I'd make a restore point before trying to re-register DLLs like this, but then try out the script on this link (also referenced in the link above): https://gallery.technet.microsoft.com/scriptcenter/Reset-Windows-Update-Agent-d824badc

Restart after that and then see if update picks back up, failing that you could try to download install the KB for the cumulative update directly too.
 
I had a laptop that would not upgrade to the latest 2019 version earlier this year; it was still stuck on a 2015 or 16 version. Before giving up and just doing a wipe and fresh install from scratch I ran WSUS with the latest updates, and about 10 minutes later there was a countdown on my screen from Windows saying the new update was ready for install and it would auto reboot in 25 minutes.
 
What's with this version coming out like today or etc... I got mine on 05/09... Not sure why but probably cause I did a clean install last week at like 12-1am on Saturday. It's been swimmingly smooth so far.

 