Solved

Windows 10 Updates - Best Practice

Posted on 2016-07-20
Last Modified: 2016-08-01
I have a customer who is justifiably concerned about staying up with Windows updates on all their machines.
Often, they get messages that say an update failed but will be tried again (but when?).  And, when did it fail?

This is important because most of these computers MUST have the DCOMCNFG setting Default Properties / Default Authentication Level set to NONE instead of the Windows default of CONNECT.
Now, we know that Windows updates won't happen with it set to NONE.  So, I've written scripts to switch it at midnight (to CONNECT) and at 8am (to NONE).  Perhaps I could open that window in time a bit and start at 8pm instead of midnight.

This raises two questions:

1) can the message "will try again" be relied on and the updates be done in a timely manner?  Do you experience this same thing with the DCOM set to CONNECT all the time?  Is it a matter for concern?

2) is there a way to know or control when the updates will be attempted?  During the working day seems untoward.  The old 3am time seems to have gone out the window altogether.
0
Question by:Fred Marshall
16 Comments
 
LVL 99

Expert Comment

by:John Hurst
ID: 41722029
Windows 10 updates WILL happen at some point. I think there may be registry hacks (not GPOs) to prevent updates but I do not recommend such.

Updates failed is a different thing and should be addressed.

To hide an update temporarily, run wushowhide.diagcab and select the update to hide

https://support.microsoft.com/en-us/kb/3073930

Sooner or later the update will be properly addressed. In the meantime, updates will be able to proceed.
0
 
LVL 99

Expert Comment

by:John Hurst
ID: 41722032
With respect to number 2 (is there a way to know or control when the updates will be attempted?), you can set Auto Updates in Windows 10 to notify to schedule restart.

You can also defer updates for (I think) up to 2 weeks.
0
 
LVL 13

Expert Comment

by:Bryant Schaper
ID: 41722151
Is it a domain environment, and can you set up WSUS? You have a lot more control then.
0
 
LVL 26

Author Comment

by:Fred Marshall
ID: 41723522
Not on a domain.

I haven't investigated:
What does it mean to "schedule restart"?  That tells me nothing about updates except that it's presented in a dialog that exists in an updates context.  I do think I know what an update is.  I do think I know what a restart is.  I do know that some updates require a restart.  But, so far I have not learned that a restart will necessarily cause updates!!
0
 
LVL 26

Author Comment

by:Fred Marshall
ID: 41723670
I asked:
1) can the message "will try again" be relied on and the updates be done in a timely manner?  Do you experience this same thing .....?  Is it a matter for concern?

Well, I asked three questions here in a short paragraph.  My bad:

Maybe you don't experience this "update failed - will try again" message at all?  Maybe you do.
It would be informative for me to know if you do or don't.

If you do, are you not concerned, ignore the message as "info" and carry on, finding that the updates eventually happen OK?
If you don't, then that's curious but I don't know what to say or do about our experience.
0
 
LVL 99

Expert Comment

by:John Hurst
ID: 41723678
Did you try wushowhide?
0
 
LVL 26

Author Comment

by:Fred Marshall
ID: 41723690
John Hurst:  It seems to me that it's for the opposite issue.  The issue is *getting* updates reliably, not hiding them.  I don't think most of the users know how to hide them.
0
 
LVL 99

Expert Comment

by:John Hurst
ID: 41723693
I have a customer who [said] get messages that say an update failed but will be tried again

I can never help you so I will unsubscribe. The solution to the above is wushowhide until fixed. You do not know when Microsoft will fix it.
0
 
LVL 26

Author Comment

by:Fred Marshall
ID: 41723779
John:  Please help me understand just how wushowhide is a solution.  That's what I tried to convey: my lack of understanding.
0
 
LVL 26

Author Comment

by:Fred Marshall
ID: 41724752
OK.  I ran WUSHOWHIDE on one of my Win 10 systems.  It does exactly as advertised and doesn't address this question at all.

It has also been suggested that our use of DCOM settings makes this question more complex.  Allow me to suggest a simpler  framework:
Our forced use of unconventional DCOM settings simply switches the ability to do updates ON and OFF.  We are quite confident of that.  So, this part of the question comes down to one of "updates at what time of day?"  We have implemented a script to automatically make the switch so we know it happens daily.
Our ability to allow updates is limited to non-working hours.  Accordingly, updates might be blocked from 8 a.m. to 6 p.m. M-F and possible from 6 p.m. to 8 a.m. and possible from 6 p.m. Friday to 8 a.m. Monday.  Should that cause a problem?  Might that cause "update failed, we will try again?" messages to occur?

We are puzzled re: what the Microsoft approach to update scheduling is...
0
 
LVL 71

Expert Comment

by:Qlemo
ID: 41724879
I don't know how DCOM interferes with the updates, but Windows 10 checks once a day for updates, and at that time retries failed ones too. The time as with prior OS can be set up too, but you'll need to use the Group Policy objects or the registry for that. Otherwise the "update when idle" stuff applies.
0
 
LVL 44

Expert Comment

by:Davis McCarn
ID: 41724882
In Windows 10, the default update time is at 3:30 A.M. on the next Wednesday and I know that because I have created a shortcut to Windows Updates and use it to ensure that clients' PCs are completely updated before they carry them away (or I leave if I'm onsite).
I also always check and, rather regularly, see the update failed message; though, most often (90%), they are a hardware driver update or an Office update and they seem to install successfully the second time around.
As long as they are not the flash player updates or security updates, I wouldn't worry about it until one has failed three times.
0
 
LVL 8

Expert Comment

by:Hector2016
ID: 41724898
I have another idea.

Why don't you try to modify the script to include the installation of all updates?

It may be like this:

1. Enable DCOM Authentication.
2. Search for Updates.
3. Download found and needed updates.
4. Auto-install downloaded updates.
5. Disable Windows DCOM Authentication
6. Auto-Reboot if needed.

I have a piece of code in VBS that can make steps 2-4 including 6.

What language are you using on your current scripts?
0
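The six steps listed above, as an added PowerShell example that is not code from any poster in this thread. It assumes the dcomcnfg "Default Authentication Level" is stored in the `LegacyAuthenticationLevel` value under `HKLM\SOFTWARE\Microsoft\Ole` (1 = None, 2 = Connect) and that changing it takes effect the same way the asker's existing toggle scripts do; the log path is hypothetical.

```powershell
#Requires -RunAsAdministrator
# Added example (not from the thread). Registry value and log path are assumptions.
$OleKey = 'HKLM:\SOFTWARE\Microsoft\Ole'
$Name   = 'LegacyAuthenticationLevel'        # 1 = None, 2 = Connect
$Log    = 'C:\Logs\update-window.log'        # hypothetical path; folder must exist
$before = (Get-ItemProperty -Path $OleKey -Name $Name -ErrorAction SilentlyContinue).$Name
$reboot = $false

function Write-Log([string]$Text) {
    "{0:s}  {1}" -f (Get-Date), $Text | Add-Content -Path $Log
}

try {
    # Step 1: raise the DCOM default authentication level to Connect.
    Set-ItemProperty -Path $OleKey -Name $Name -Value 2 -Type DWord

    # Step 2: search for updates that are not installed and not hidden.
    $session = New-Object -ComObject Microsoft.Update.Session
    $found   = $session.CreateUpdateSearcher().Search('IsInstalled=0 and IsHidden=0').Updates
    Write-Log "Search found $($found.Count) update(s)"

    if ($found.Count -gt 0) {
        # Step 3: download everything that was found.
        foreach ($u in $found) { if (-not $u.EulaAccepted) { $u.AcceptEula() } }
        $dl = $session.CreateUpdateDownloader()
        $dl.Updates = $found
        [void]$dl.Download()

        # Step 4: install only what actually finished downloading.
        $ready = New-Object -ComObject Microsoft.Update.UpdateColl
        foreach ($u in $found) { if ($u.IsDownloaded) { [void]$ready.Add($u) } }
        if ($ready.Count -gt 0) {
            $inst = $session.CreateUpdateInstaller()
            $inst.Updates = $ready
            $result = $inst.Install()
            $reboot = $result.RebootRequired
            for ($i = 0; $i -lt $ready.Count; $i++) {
                $r = $result.GetUpdateResult($i)   # ResultCode 2 = succeeded, 4 = failed
                Write-Log ("{0} code={1} hr=0x{2:X8}" -f $ready.Item($i).Title, $r.ResultCode, $r.HResult)
            }
        }
    }
}
catch   { Write-Log "ERROR: $($_.Exception.Message)" }
finally {
    # Step 5: put back the level that was configured before, even after an error.
    if ($null -ne $before) { Set-ItemProperty -Path $OleKey -Name $Name -Value $before -Type DWord }
}
# Step 6: reboot only if the installer asked for it.
if ($reboot) { Restart-Computer -Force }
```

Because the restore sits in `finally`, a failed search or download cannot leave the machine at a different authentication level than the one it started with.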
 
LVL 20

Expert Comment

by:marsilies
ID: 41725281
You could run this command from a script to prompt Windows Update to check for and install updates:

wuauclt.exe /detectnow /updatenow


That way you can ensure it's checking during the time DCOM is set to Connect.
0
 
LVL 26

Author Comment

by:Fred Marshall
ID: 41731772
Should I see anything if I run wuauclt?  I don't...
0
 
LVL 20

Accepted Solution

by:
marsilies earned 2000 total points
ID: 41731793
Nothing should appear on the command line, or pop up.

You can check Event Viewer for Events 30, 31, or 33
https://technet.microsoft.com/en-us/library/cc735613(v=ws.10).aspx

You can also check the Windows Update log at %windir%\Windowsupdate.log (typically C:\Windows\WindowsUpdate.log). Best to check after 10-15 minutes to let it run first.
https://technet.microsoft.com/en-us/library/cc719838(v=ws.10).aspx
https://technet.microsoft.com/en-us/library/cc720477(v=ws.10).aspx
0
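A complementary check for the asker's "when did it fail?" question, as an added example that is not part of any post above: it reads the Windows Update Agent history through the `Microsoft.Update.Session` COM object and reports, per update, how often installation failed, when it last failed, and whether a later attempt succeeded. The function name is hypothetical, and the threshold of three failures is taken from Davis McCarn's rule of thumb earlier in the thread.

```powershell
# Added example (not from the thread): per-update failure summary from WUA history.
$FailThreshold = 3   # from the thread: "until one has failed three times"

function Get-UpdateFailureSummary {
    param([int]$Threshold = $FailThreshold)

    $searcher = (New-Object -ComObject Microsoft.Update.Session).CreateUpdateSearcher()
    $count = $searcher.GetTotalHistoryCount()
    if ($count -eq 0) { return }

    # Operation 1 = installation (2 would be uninstallation).
    $installs = $searcher.QueryHistory(0, $count) | Where-Object { $_.Operation -eq 1 }

    $installs | Group-Object Title | ForEach-Object {
        # ResultCode: 2 = succeeded, 3 = succeeded with errors, 4 = failed, 5 = aborted.
        $failed    = @($_.Group | Where-Object { $_.ResultCode -in 4, 5 } | Sort-Object Date)
        $succeeded = @($_.Group | Where-Object { $_.ResultCode -in 2, 3 })
        if ($failed.Count -eq 0) { return }      # nothing to report for this update

        $lastFail   = $failed[-1]
        $fixedLater = [bool]($succeeded | Where-Object { $_.Date -gt $lastFail.Date })

        [pscustomobject]@{
            Title          = $_.Name
            Failures       = $failed.Count
            LastFailedUtc  = $lastFail.Date      # history dates are reported in UTC
            LastHResult    = '0x{0:X8}' -f $lastFail.HResult
            FixedLater     = $fixedLater
            NeedsAttention = (-not $fixedLater) -and ($failed.Count -ge $Threshold)
        }
    }
}

Get-UpdateFailureSummary |
    Sort-Object LastFailedUtc -Descending |
    Format-Table -AutoSize
```

Rows with `FixedLater` true correspond to the "failed, will try again" case that resolved itself on a retry; rows with `NeedsAttention` true are the ones still failing after repeated attempts.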
