Want to protect your cyber security and still get fast solutions? Ask a secure question today.Go Premium

x
  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 200
  • Last Modified:

Windows 10 Updates - Best Practice

I have a customer who is justifiably concerned about staying up with Windows updates on all their machines.
Often, they get messages that say an update failed but will be tried again (but when?).  And, when did it fail?

This is important because most of these computers MUST have DCOMCNG setting: Default Properties / Default Authentication Level set to NONE instead of the Windows default of CONNECT.
Now, we know that Windows updates won't happen with it set to NONE.  So, I've written scripts to switch it at midnight (to CONNECT) and at 8am (to NONE).  Perhaps I could open that window in time a bit and start at 8pm instead of midnight.

This raises two questions:

1) can the message "will try again" be relied on and the updates be done in a timely manner?  Do you experience this same thing with the DCOM set to CONNECT all the time?  Is it a matter for concern?

2) is there a way to know or control when the updates will be attempted?  During the working day seems untoward.  The old 3am time seems to have gone out the window altogether.
0
Fred Marshall
Asked:
Fred Marshall
  • 6
  • 4
  • 2
  • +4
1 Solution
 
John HurstBusiness Consultant (Owner)Commented:
Windows 10 updates WILL happen at some point. I think there may be registry hacks (not GPO's) to prevent updates but I do not recommend such.

Updates failed is a different thing and should be addressed.

To hide an update temporarily, run wushowhide.diagcab and select the update to hide

https://support.microsoft.com/en-us/kb/3073930

Sooner or later the update will be properly addressed. In the meantime, updates will be able to proceed.
0
 
John HurstBusiness Consultant (Owner)Commented:
With respect to number 2 (is there a way to know or control when the updates will be attempted?  ) you can set Auto Updates in Windows 10 to notify to schedule restart.

You can also defer updates for (I think) up to 2 weeks.
0
 
Bryant SchaperCommented:
Is it a domain environment and you can setup wsus, you have a lot more control then.
0
VIDEO: THE CONCERTO CLOUD FOR HEALTHCARE

Modern healthcare requires a modern cloud. View this brief video to understand how the Concerto Cloud for Healthcare can help your organization.

 
Fred MarshallPrincipalAuthor Commented:
Not on a domain.

I haven't investigated:
What does it mean to "schedule restart"?  That tells me nothing about updates except that it's presented in a dialog that exists in an updates context.  I do think I know what an update is.  I do think I know what a restart is.  I do know that some updates require a restart.  But, so far I have not learned that a restart will necessarily cause updates!!
0
 
Fred MarshallPrincipalAuthor Commented:
I asked:
1) can the message "will try again" be relied on and the updates be done in a timely manner?  Do you experience this same thing .....?  Is it a matter for concern?

Well, I asked three questions here in a short paragraph.  My bad.:

Maybe you don't experience this "update failed - will try again" message at all?  Maybe you do.
It would be informative for me to know if you do or don't.

If you do, are you not concerned, ignore the message as "info" and carry on, finding that the updates eventually happen OK?
If  you don't, then that's curious but I don't know what to say or do about our experience.
0
 
John HurstBusiness Consultant (Owner)Commented:
Did you try wsushowhide?
0
 
Fred MarshallPrincipalAuthor Commented:
John Hurst:  It seems to me that it's for the opposite issue.  The issue is *getting* updates reliably, not hiding them.  I don't think most of the users know how to hide them.
0
 
John HurstBusiness Consultant (Owner)Commented:
I have a customer who [said] get messages that say an update failed but will be tried again

I can never help you so I will unsubscribe. The solution to the above is wsushowhide until fixed. You do not know when Microsoft will fix it.
0
 
Fred MarshallPrincipalAuthor Commented:
John:  Please help me understand just how wsushowhide is a solution.  That's what I tried to convey my lack of understanding.
0
 
Fred MarshallPrincipalAuthor Commented:
OK.  I ran WSUSHOWHIDE on one of my Win 10 systems.  It does exactly as advertised and doesn't address this question at all.

It has also been suggested that our use of DCOM settings makes this question more complex.  Allow me to suggest a simpler  framework:
Our forced use of unconventional DCOM settings simply switches the ability to do updates ON and OFF.  We are quite confident of that.  So, this part of the question comes down to one of "updates at what time of day?"  We have implemented a script to automatically make the switch so we know it happens daily.
Our ability to allow updates is limited to non-working hours.  Accordingly, updates might be blocked from 8 a.m. to 6 p.m. M-F and possible from 6 p.m to 8 a.m. and possible from 6 p.m. Friday to 8 a.m. Monday.  Should that cause a problem?  Might that cause "update failed, we will try again?" messages to occur?

We are puzzled re: what the Microsoft approach to update scheduling is...
0
 
QlemoC++ DeveloperCommented:
I don't know how DCOM interferes with the updates, but Windows 10 checks once a day for updates, and at that time retries failed ones too. The time as with prior OS can be set up too, but you'll need to use the Group Policy objects or the registry for that. Otherwise the "update when idle" stuff applies.
0
 
Davis McCarnOwnerCommented:
In Windows 10, the default update time is at 3:30 A.M. on the next Wednesday and I know that because I have created a shortcut to Windows Updates and use it to ensure that client's PC's are completely updated before they carry them away (or I leave if I'm onsite).
I also always check and, rather regularly, see the update failed message; though, most often (90%), they are a hardware driver update or an Office update and they seem to install successfully the second time around.
As long as they are not the flash player updates or security updates, I wouldn't worry about it until one has failed three times.
0
 
Hector2016Systems Administrator and Solutions ArchitectCommented:
I have another idea.

Why dont you try to modify the script to include the installation of all updates?

It may be like this:

1. Enable DCOM Authentication.
2. Search for Updates.
3. Download founded and needed updates.
4. Auto-install downloaded updates.
5. Disable Windows DCOM Authentication
6. Auto-Reboot if needed.

I have a piece of code in VBS that can make steps 2-4 including 6.

What language are you using on your current scripts?
0
 
marsiliesCommented:
You could run this command from a script to prompt Windows Update to check for and install updates:

wuauclt.exe /detectnow /updatenow

Open in new window


That way you can ensure it's checking during the time DCOM is set to Connect.
0
 
Fred MarshallPrincipalAuthor Commented:
Should I see anything if I run wuauclt?  I don't...
0
 
marsiliesCommented:
Nothing should appear on the command line, or pop up

You can check Event Viewer for Events 30, 31, or 33
https://technet.microsoft.com/en-us/library/cc735613(v=ws.10).aspx

You can also check the Windwos Update log at %windir%\Windowsupdate.log (typically C:\Windows\WindowsUpdate.log). Best to check after 10-15 minutes to let it run first.
https://technet.microsoft.com/en-us/library/cc719838(v=ws.10).aspx
https://technet.microsoft.com/en-us/library/cc720477(v=ws.10).aspx
0

Featured Post

Concerto Cloud for Software Providers & ISVs

Can Concerto Cloud Services help you focus on evolving your application offerings, while delivering the best cloud experience to your customers? From DevOps to revenue models and customer support, the answer is yes!

Learn how Concerto can help you.

  • 6
  • 4
  • 2
  • +4
Tackle projects and never again get stuck behind a technical roadblock.
Join Now