Patching best practice

Hi, the latest Windows KB5000808 security update crashes lots of my customers' endpoints. I'd like to avoid that situation in the future. What is your patching practice? Do you suspend automatic updates and test them in a testing environment first? Thanks

After Microsoft's latest gift, we have paused automatic updates on our managed endpoints. We are evaluating how to move forward and will likely do exactly that - set up a test environment to see how updates behave.

+1, pause for a bit; we may even use another 3rd-party product to stop/manage auto-updates, but the Exchange stuff was easy compared to the workstation BSOD calls.

WUS in larger setups is fine.

Yep KB5000xxx was a shocker. Broke a ton more systems than what it should have.

Rollback was mostly manual to fix Kyocera printer crashes, then even hiding the KB did not fully stop it reinstalling…

But unless I missed something, the newer optional out-of-band "fix" KB500xxx was not visible on the EM to be able to push out; just running a patch procedure would not pick this up either.

How does everyone push these out without WUS on small domain or non-domain-joined PCs?

My PowerShell via EM does not appear to work for me.

Anyone have a known good working script for ad hoc or scheduled optional or feature updates, like 20H2 and the recent fixes, that also plays nice with Itarian and Advanced Endpoint Protection enabled?

mcfproservices

Hi @mcfproservices,

Please try this Script to Perform Windows 10 Build 2004 Feature Update
https://scripts.itarian.com/frontend/web/topic/script-to-perform-windows10-feature-update

Please let us know if you have any issue.

Kind Regards,
PremJK

We tried the "fix" KB5001567 on two test machines today. Both still experience a BSOD when printing to Kyocera printers. We uninstalled KB5000802 again and the BSOD no longer occurs when printing. Guess it's back to pausing updates until Microsoft fixes the fix. Again.

@PremJkumar Thanks,

Not sure how I missed seeing that one but will test over the next few days.

Anything for an optional specific KB such as KB5001567 to be able to push out unattended?

I have done around 100 systems so far with KB5001567 and every single one was resolved; some had been rolled back and KB5000802 hidden, but so far 100% success.
I did not test with Dymo printing, as that required using an older version of the Dymo software to resolve earlier on, but KB5000802 also messed with industrial labeling printers as well as some POS/kitchen printers; it was a bad one.

Mixture of standalone, domain, WUS systems.

mcfproservices
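The rollback-and-hide step several posts describe (uninstall KB5000802, then hide it so Windows Update stops re-offering it), written out as an added PowerShell example. This is not a script from the thread or from the Itarian script library; it assumes an elevated session, uses the KB number from the thread, and matches the update on its KBArticleIDs rather than on a title substring.

```powershell
# Added example: roll back one cumulative update by KB number, then hide it
# through the Windows Update Agent so it is not re-offered. Run elevated.
param(
    [string]$Kb = '5000802',   # KB5000802, the update the thread rolls back (assumption: change as needed)
    [switch]$Reboot            # restart afterwards if the uninstall asks for it
)
$ErrorActionPreference = 'Stop'
$needReboot = $false

# 1. Only act if the package is actually installed. Get-HotFix reads the same
#    data as Control Panel's "Installed Updates".
$installed = Get-HotFix -Id "KB$Kb" -ErrorAction SilentlyContinue
if ($installed) {
    Write-Host "KB$Kb installed on $($installed.InstalledOn); uninstalling..."
    # wusa.exe is the built-in .msu installer; /uninstall /kb: removes by KB number.
    $p = Start-Process -FilePath "$env:SystemRoot\System32\wusa.exe" `
        -ArgumentList "/uninstall /kb:$Kb /quiet /norestart" -Wait -PassThru
    switch ($p.ExitCode) {
        0       { Write-Host "Uninstall completed." }
        3010    { Write-Host "Uninstall completed; reboot required."; $needReboot = $true }
        default { throw "wusa.exe exit code $($p.ExitCode) (0x$('{0:X}' -f $p.ExitCode))" }
    }
} else {
    Write-Host "KB$Kb is not installed; skipping uninstall."
}

# 2. Hide the update via the Windows Update Agent COM API so the next scan does
#    not pull it straight back in. Type='Software' keeps driver updates out.
$session  = New-Object -ComObject Microsoft.Update.Session
$searcher = $session.CreateUpdateSearcher()
$pending  = $searcher.Search("IsInstalled=0 and Type='Software'").Updates
$hidden   = 0
foreach ($u in $pending) {
    # KBArticleIDs holds bare numbers ("5000802"), never the "KB" prefix.
    if (@($u.KBArticleIDs) -contains $Kb) {
        $u.IsHidden = $true       # requires admin; persists until unhidden or superseded
        $hidden++
        Write-Host "Hidden: $($u.Title)"
    }
}
if ($hidden -eq 0) { Write-Host "KB$Kb is not currently offered by Windows Update; nothing to hide." }

if ($needReboot -and $Reboot) { Restart-Computer -Force }
```

Two caveats worth knowing before relying on this. Hiding applies to that one package only: the next month's cumulative update supersedes it and carries the same printer-driver change, so the machine is offered a "new" update that the hide does not cover; only a pause or a deferral policy actually holds the line. And on builds where the servicing stack update and the cumulative update ship as one combined package, wusa may refuse the uninstall, in which case DISM /Online /Remove-Package with the package name from DISM /Get-Packages is the route instead.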

Thanks for the info! We are only seeing unresolved issues with Kyocera printers. Previously, all printers were triggering a BSOD. Curious… did you use the script provided by @PremJkumar?

Same here. I removed the KB5000x update, manually forced some endpoints to update from Windows 10 1909 to Windows 10 20H2 because some of them are old Dell desktops, applied the latest Windows updates, and again they have a BSOD. The problem is that the customers don't care who the culprit is; for them an MSP should prevent this situation.

I wasn't aware of KB5001567. I found out that Windows Update on the endpoints shows it as an optional one, but there is no sign of it in Itarian patch management. Any idea why?

Also, do you guys have a preferred blog/website/channel to stay up to date in real time about the latest problems with Windows updates? Thanks

I asked for the same request in post #6 https://forum.itarian.com/forum/prod…1412#post61412

No response or any feedback; for me it was mostly a manual process for non-WUS systems: log in, check updates, click yes.

No point in having a patch management system if we cannot push out these types of fixes; it should have been a tick-and-push job, or a script with a KB to enter as a field.

mcfproservices

Hi @mcfproservices,

We have existing scripts to install and uninstall specific KBs; please try these and provide your feedback.

Install single or multiple KB - https://scripts.itarian.com/frontend/web/topic/install-multiple-kb-updates

Uninstall specific KB - https://scripts.itarian.com/frontend/web/topic/uninstall-specific-kb-updates

Kind Regards,
PremJK

Thank you. It is good if you know what to look for, but because I'd need to understand better how Patch Management works, I'd really like to know why Windows Update detects that KB and the Patch Manager does not. Is it because it's a particular kind of fixing update, or what? Thanks.

Thanks, I had checked the scripts page quickly; searching for "update" or "kb" did not show these for me.

That would have been perfect, for both removal and installing, well, at least a few days ago; I have patched most systems already.

I will test and reply back.

Just out of interest, the prior script you linked me works with no problems with AEP on.

In fact it upgraded a few old Windows 7 systems that clients did not want done (software reasons), so yep, it works without any user input required; all systems, Win7/Win10, jumped to 20H2.

Thanks again.

mcfproservices

@PremJkumar just some feedback on the script to install single or multiple KBs.

I edited the script, just removed the 2 example KBs, added KB5001649, and ran it with the default settings.

Tried to run this against a couple of systems that I had checked had KB5001649 ready to install manually.

The procedure failed, but the logs say success; this is the script log:

2021/03/25 05:32:38 PM Finished success Microsoft (R) Windows Script Host Version 5.812 Copyright (C) Microsoft Corporation. All rights reserved. Searching for approved update ... KB5001649 Selected update is not available in Update list. Please give applicable KB value
2021/03/25 05:32:22 PM Started Procedure parameters: Enter_the_KB_values list KB5001649

So back to manual remote and manual click-to-install at this stage; will this KB appear in patch management at any stage?

mcfproservices

Hi @mcfproservices,

Thanks for trying the script and providing your input. We have shared your feedback with our script developers and they will reproduce and investigate the cause.

Kind Regards,
PremJK

I'm experiencing the same issue when attempting to use this script: it fails saying that the KB is not in the list. I tried running it exactly as posted and it was a no-go, so I began making modifications to it; tried hard-coding the KB value into the VBScript, but that was a no-go. Then I modified the conditional value of the if statement on line 65 to say "If InStr(1, updateList.Item(I).Title, KB) > -1 Then", thinking maybe the calculations were offset by a value of 1, and it executed further along, but I got this instead of what I was hoping for:

2021/03/30 05:57:18 PM Finished success Microsoft (R) Windows Script Host Version 5.812 Copyright (C) Microsoft Corporation. All rights reserved.
Searching for approved update … KB5001649
Selected update Logitech - USB - 10/22/2012 12:00:00 AM - 13.80.853.0 Downloading… Download Result: 2 Came inside the function Installing… Installation Result: 2 Reboot Required: False
Selected update Logitech - MEDIA - 10/22/2012 12:00:00 AM - 13.80.853.0 Downloading… Download Result: 2 Came inside the function Installing… Installation Result: 2 Reboot Required: False
Selected update Advanced Micro Devices, Inc - System - 8/30/2017 12:00:00 AM - 5.12.0.38 Downloading… Download Result: 2 Came inside the function Installing… Installation Result: 2 Reboot Required: False
Selected update Logitech - Image - 10/22/2012 12:00:00 AM - 13.80.853.0 Downloading… Download Result: 2 Came inside the function Installing… Installation Result: 2 Reboot Required: False
Searching for approved update … KB5001649 There are no updates to install.

Not sure why it pulled down what look like device drivers. Oh well, I will take another crack at it when I have more time to review the code.

The machine I ran this against is on build version 19042.867, and the KB5001647 update takes it up to .870 or higher, which gets you past the BSOD error, at least on build 20H2 it does. Just did this manually on a customer endpoint today by downloading the .msu file from the Microsoft Update Catalog. Half the time this update isn't even advertised on the device under Settings > Update, and you have to go fetch it to install it. Really wish Microsoft would make these mandatory instead of optional.

I might start deploying KB5001647 in the same manner that we do the 20H2 build: downloading it from our own online repository as a full 8 GB-plus ISO file for both x32/x64 architectures, mounting the ISO file as a virtual CD and running the setup from the mounted ISO drive, which works 85% of the time to get that feature update pushed out. Just not very bandwidth-efficient, so we have to watch how many we deploy at once. With KB5001647 we could download the .msu to a temp folder and execute it with maybe a silent install option.
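The two posts above describe the same job from two sides: asking the Windows Update Agent for a specific optional KB, and falling back to a .msu fetched from the Microsoft Update Catalog when the machine is never offered it. The patched VBScript condition quoted earlier matched everything because VBScript's InStr returns 0 when the substring is absent, so "> -1" is true for every item in the list, drivers included. The PowerShell below is an added example, not Itarian's script and not anything posted in the thread; it assumes an elevated session, takes the KB number from the thread, and uses a hypothetical path for the catalog .msu.

```powershell
# Added example: install one specific (possibly optional) KB unattended.
# Path 1: Windows Update Agent COM API, matching on KBArticleIDs, software updates only.
# Path 2: a catalog .msu installed silently by wusa.exe, after checking its signature.
param(
    [string]$Kb      = '5001649',                                   # from the thread
    [string]$MsuPath = 'C:\Temp\windows10.0-kb5001649-x64.msu'      # hypothetical path
)
$ErrorActionPreference = 'Stop'

function Get-OsBuild {
    # CurrentBuild.UBR is the "19042.867" style number the thread compares.
    $k = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion'
    "$($k.CurrentBuild).$($k.UBR)"
}
Write-Host "Build before: $(Get-OsBuild)"

if (Get-HotFix -Id "KB$Kb" -ErrorAction SilentlyContinue) {
    Write-Host "KB$Kb is already installed."; return
}

$session  = New-Object -ComObject Microsoft.Update.Session
$searcher = $session.CreateUpdateSearcher()
# Type='Software' excludes drivers. Optional updates (BrowseOnly=1) are returned
# by this query unless "BrowseOnly=0" is added, so they are still found here.
$offered = @($searcher.Search("IsInstalled=0 and IsHidden=0 and Type='Software'").Updates |
             Where-Object { @($_.KBArticleIDs) -contains $Kb })

if ($offered.Count -gt 0) {
    $coll = New-Object -ComObject Microsoft.Update.UpdateColl
    foreach ($u in $offered) {
        if (-not $u.EulaAccepted) { $u.AcceptEula() }
        Write-Host "Offered by Windows Update: $($u.Title) (optional: $($u.BrowseOnly))"
        [void]$coll.Add($u)
    }
    $dl = $session.CreateUpdateDownloader(); $dl.Updates = $coll
    $dr = $dl.Download()
    if ($dr.ResultCode -ne 2) { throw "Download failed, ResultCode $($dr.ResultCode)" }  # 2 = Succeeded
    $inst = $session.CreateUpdateInstaller(); $inst.Updates = $coll
    $ir = $inst.Install()
    Write-Host "Install ResultCode $($ir.ResultCode), reboot required: $($ir.RebootRequired)"
    if ($ir.ResultCode -ne 2) { throw "Install failed, HResult 0x$('{0:X}' -f $ir.HResult)" }
}
elseif (Test-Path $MsuPath) {
    # Not advertised to this machine: use the catalog package, but only if it is
    # a validly signed Microsoft package. A .msu from a file share is code you run as SYSTEM.
    $sig = Get-AuthenticodeSignature -FilePath $MsuPath
    if ($sig.Status -ne 'Valid' -or $sig.SignerCertificate.Subject -notmatch 'Microsoft') {
        throw "Refusing to install $MsuPath : signature status $($sig.Status)"
    }
    $p = Start-Process -FilePath "$env:SystemRoot\System32\wusa.exe" `
        -ArgumentList "`"$MsuPath`" /quiet /norestart" -Wait -PassThru
    switch ($p.ExitCode) {
        0       { Write-Host "Installed." }
        3010    { Write-Host "Installed; reboot required." }
        2359302 { Write-Host "Already installed." }     # 0x240006 WU_S_ALREADY_INSTALLED
        default { throw "wusa.exe exit code $($p.ExitCode) (0x$('{0:X}' -f $p.ExitCode))" }
    }
}
else {
    throw "KB$Kb is not offered by Windows Update and no package found at $MsuPath"
}
Write-Host "Build after: $(Get-OsBuild)"
```

Matching on KBArticleIDs is the point of the first path: the title of a cumulative update carries the KB number, but the title of a driver does not, and a substring test that cannot fail (InStr > -1) installs every item the search returns. The second path is what the "download the .msu to a temp folder" idea looks like with the checks a practitioner wants around it: refuse anything that is not a valid Microsoft-signed package, and read wusa's exit code (3010 means the fix is in but needs a reboot, which is exactly the case where "installed" and "not crashing yet" differ).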