Windows 10 Managing Updates

We encountered a problem on Friday that seems to have occurred when KB4056892 Windows update was installed.
It appears that legacy software, if started, won't run and damages many of the normal OS functions (more related to menus?).
Some things say that there's no permission to run.  Other things just don't run.  etc.  

We have a few options for this.
The legacy software is critical and is not going to change any time soon if at all.
It's been suggested that we could install Windows 10 ver. 1607 and it won't gather more updates.  That could be a solution.
Yet, that would avoid good updates.

My thought is this:
1) start with a clean 1709 system fully updated.
2) remove KB4056892 using Programs and Features, View installed updates, Uninstall an update.
3) using wushowhide.diagcab, hide KB4056892 so it won't come back.
(same for any updates that prove to be problematic).

But all this is a bit of a problem in navigating through it all:
In some cases, the Control Panel \ Programs and Features \ View Installed Updates list is empty
BUT if you click on Uninstall an update, there *is* a list.
That just seems wrong.....
But one can live with it.

wushowhide.diagcab may show "There are NO updates available to Hide."
Now what?

wmic qfe list full
Shows some updates but they don't 100% match those shown with Control Panel.

I might suppose that an update could be hidden before it's installed.
But, how can an update be on a list available for hiding if it hasn't already been at least downloaded?
This seems a catch 22.
Fred Marshall, Principal, Asked:

John, Business Consultant (Owner), Commented:
1. Using a working LTS version will get security updates but not feature updates.

2. (remove KB4056892 and hide). If you can hide with wushowhide.diagcab, that works - I use this myself. If you cannot hide then you cannot get rid of the single update. wushowhide.diagcab  does not / will not hide working updates.

So for your situation, number 1 is the best option which is why Microsoft provides it.
Fred Marshall, Principal, Author Commented:
wushowhide.diagcab  does not / will not hide working updates.
Do you mean it doesn't hide INSTALLED updates?  That makes sense because it's too late, right?

So, first you have to uninstall and then you might hide, eh?
John, Business Consultant (Owner), Commented:
It will not hide any update that works and the one you have here works (not for you, I understand). So you cannot use it for this purpose.

Even if you uninstall, I doubt wushowhide.diagcab would work.
Ramin, Technical Advisor, Commented:
I doubt if wushowhide.diagcab works on Windows 10 Version 1709.
It works on Version 1607 and 1511.
John, Business Consultant (Owner), Commented:
Yes, it works for updates that will not install. But there are no longer many of these.
Fred Marshall, Principal, Author Commented:
If it gets installed and then it's uninstalled, won't it show up again as available for download and/or install?
If that's the case then one might expect wushowhide to work to hide it.
Unless there's proof/experience to the contrary.

Updates that will not install are in the same or similar category of "not installed" which includes "uninstalled".  Well, according to English anyway.
So, if there's a difference between the two then it would be good to know more about that.

Aside from the semantic logic, why the doubts?
John, Business Consultant (Owner), Commented:
My work on wushowhide.diagcab is that it only hides updates that do not work.  HP Null Fax was one - it would not install. The update you are dealing with works (just not for your software).
Ramin, Technical Advisor, Commented:
So it must be possible to install Windows again and before installing KB4056892 use wushowhide.diagcab to hide it.
John, Business Consultant (Owner), Commented:
I don't think so. The update works so the Microsoft tool will not hide it. Otherwise users would be hiding all the updates. That would defeat the use of the tool as provided.
Ramin, Technical Advisor, Commented:
I saw some problems with KB4056892 on the net and the workaround was to use system restore to restore the PC back to the state where that update was not installed. That can mean if that update is installed on your PC you cannot use wushowhide.diagcab to prevent / hide it.

Here is the link:
Fred Marshall, Principal, Author Commented:
John Hurst:  Perhaps this should be rethought so as not to mislead.  The idea of "working" or "not working" isn't in Microsoft's ability.  They say this:
In rare cases, a specific driver might temporarily cause issues that affect your device. In this situation, you can prevent the problematic driver from reinstalling automatically the next time Windows Updates are installed.
So, in what manner can they determine that there are "issues that affect your device"?  I don't think they can.
Given that it's much easier to keep a database (or create one in real time) that determines what *is* installed and what *is* hidden is much easier than being able to definitively say and keep track of the dynamics of: what *had been installed and wasn't (then) pleasing*?

Ramin:  Yes, that would seem logical with a clean install.  How practical it might be in the world of installation methods is a question.
As I mentioned earlier, it's not clear to me just what the "live" installation does and doesn't do.  It's certainly useful!
We have done "live" reinstallations in the last couple of days that didn't fix as much as was expected.  
Now, I can't say that this was accompanied by 4 reboots.
I believe at least one system reported having quite a few updates afterwards.  If so, it's not a "clean" install from a given baseline.  I can't prove this right now - but I believe I've observed it.  Could be wrong.

 Perhaps we need to chant "FREE USER HIDING"  "FREE USER HIDING"  :-)
John, Business Consultant (Owner), Commented:
Drivers are different than applications. Yes, wushowhide can and does hide generally errant drivers. I referred to that above. But the update you are talking about works on all our machines. Your software does not work with it. That is your software's issue.
Fred Marshall, Principal, Author Commented:
Ramin:  I don't follow that logic.  It seems to me that it's saying that system restore was the method used to REMOVE it.  There may be other methods for removal.  But hiding is another thing altogether.  In one case it's installed.  In the other case it isn't installed.  Right?
I do see that they did both:
1) remove by using a restore point.  Although I'm unclear on that because it hadn't installed anyway.
2) hide thereafter by using ShowHide.
And, in this case, if I understand it, there never was an installation that succeeded.

But thank you for probing into this issue!
John, Business Consultant (Owner), Commented:
I think you are into a black hole trying to solve this issue with updates. The method provided is the Long Term Service branch of Windows 10 and Microsoft can help you get there. You are in a business, they want your business, and this is how they provide a solution.
Ramin, Technical Advisor, Commented:
You're welcome Fred.
Fred Marshall, Principal, Author Commented:
John Hurst:  I've provided some background earlier re: motivation yes.  But the question was only about update installation and hiding.  My reasons for doing this are, so far, quite immaterial.

That something works for you or others is only of interest if it suggests a solution for me.  
Otherwise, it seems diminishing.

I don't know what "all of our machines" is actually referring to.  TDB or the entire universe?
I have machines that aren't affected either.

I do have machines that are in need of having updates managed.  
I well know that there are others who have similar problems.  
So, they too need to have updates managed.
Ramin gave an example of some of those others.

Your suggestion for using LTSB was a good one!  It does address how one might manage updates.  Thanks for that.
Fred Marshall, Principal, Author Commented:
It appears that we've succeeded in dealing with this but there are still questions regarding using wuShowHide.

- One band aid approach is to turn off Windows Update Service.  But this was only a stopgap measure to protect systems from damage in the near term.  It worked.  But, of course, we want this service to be running.

So, the approach is to use wuShowHide to Hide the incompatible update (not a statement of "fault" just a fact).

- In order for wuShowHide to list anything, it appears that the Windows Update Service needs to be running.
- If the Windows Update Service is running then it's possible that an unwanted update can be installed.  So, let's just say that this has indeed happened so we are starting with the incompatible update installed.
- Next step is to uninstall the incompatible update.  This forces a reboot.  I believe the uninstall and the reboot can happen with the Windows Update Service NOT running.
- OK.  Now START Windows Update Service.
- Immediately start wuShowHide <<< because we can't allow the incompatible update to reinstall at this point.
- Scan and hide the incompatible update.  When it gets hidden, the process in wuShowHide shows "Fixed" but thereafter the update will show on the hidden list.

This seems to work....
The tricky part is the coordination between the Windows Service being running and avoiding reinstallation of removed updates before you can run wuShowHide.

Or, am I missing something in how to best proceed with this?  Thus: Update Management?
Fred Marshall, Principal, Author Commented:
Nobody suggested how we might do update management on a peer-to-peer network of workstations.....
You could look at something like a Solarwinds or Connectwise Automate, the latter would be good for you to use at your business and have a central place to see what's going on at all of your clients (no need for anything at each client other than an agent to be installed on their machines). However, you'd have to be sure to disable automatic updates in Windows itself. Here's an article to assist with what part of Group Policy to edit for Windows 10:
Fred Marshall, Principal, Author Commented:
By now, I've read some and gained quite a bit of hands-on experience with this.  
The fact is that wuShowHide *does* hide updates.  What's not so clear is when it's able to "grab" them so one can tell it to do so.
One big problem is that the updates process is being obscured to the point of there being no "baseline" from which to take action.
Nonetheless, one can describe some "close enough" scenarios:

1) if there is no update waiting to be installed then wuShowHide can't list it to be hidden.  This includes updates already installed!
2) If there is an update waiting to be installed then wuShowHide appears to be able to list it to be hidden.  This may be unreliable.
3) if there is an update already installed, then if it's uninstalled, it appears that wuShowHide will list it to be hidden.
4) wuauserv must be running for wuShowHide to work it appears.

So, if one wants to hide an update, here is what seems to work IF one can stand having the update installed even briefly:
1) Assure that the update has been or will be installed.  Sometimes it will show as being downloaded and installing - so that's one place to find out.  Rebooting is one way to "push" it.  Asking for an update check is another.
2) Once installed you can uninstall it.
3) Once uninstalled, you can run wuShowHide to hide it.  Presumably it's waiting to be installed again so it's on the list.
I recommend that one not *wait* between steps here as the update may get installed again while you're out having coffee.

Some of the tools recommended require a server-based environment.  This remains peer-to-peer.
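
The uninstall-then-hide sequence from the post above can also be scripted against the Windows Update Agent COM interface, which closes the timing gap between starting wuauserv and hiding the update. This is an added example, not part of the thread; it assumes an elevated PowerShell session and uses the thread's KB number as the default of a hypothetical `$KbId` parameter.

```powershell
# Added example (not from the thread). Run from an elevated PowerShell prompt.
param([string]$KbId = '4056892')    # KB number as given in the thread

# Scenario 4 above: wuauserv must be running before anything can be listed.
# Start-Service fails if the service was set to Disabled as a stopgap.
if ((Get-Service -Name wuauserv).Status -ne 'Running') {
    Start-Service -Name wuauserv
}

$session  = New-Object -ComObject Microsoft.Update.Session
$searcher = $session.CreateUpdateSearcher()

function Find-KbUpdate([string]$Criteria) {
    # Run a Windows Update Agent search and keep only entries that list $KbId.
    $searcher.Search($Criteria).Updates |
        Where-Object { @($_.KBArticleIDs) -contains $KbId }
}

# Scenario 1: an installed update is never offered, so it cannot be hidden yet.
if (@(Find-KbUpdate 'IsInstalled=1').Count -gt 0) {
    Write-Warning "KB$KbId is installed. Uninstall it, reboot, then rerun this at once."
    return
}

# Scenario 3: after the uninstall the update is pending again and can be hidden.
$pending = @(Find-KbUpdate 'IsInstalled=0 and IsHidden=0')
if ($pending.Count -eq 0) {
    Write-Warning "KB$KbId is not currently offered, so there is nothing to hide."
}
foreach ($update in $pending) {
    try {
        $update.IsHidden = $true
        Write-Output "Hidden: $($update.Title)"
    } catch {
        Write-Warning "Could not hide '$($update.Title)': $($_.Exception.Message)"
    }
}

# Audit: list everything hidden on this machine so skipped patches stay visible.
$searcher.Search('IsHidden=1').Updates | ForEach-Object {
    "{0}  KB{1}" -f $_.Title, (@($_.KBArticleIDs) -join ',KB')
}
```

The final listing gives a record of which updates a machine is deliberately skipping, something the Control Panel views discussed earlier in the thread do not show.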

Fred Marshall, Principal, Author Commented:
This remains an ongoing saga.  We have learned a lot about it and the current state is frustrating.