Scott Williams Profile picture
Sep 12, 2018 18 tweets 4 min read Read on X
A rant about service updates (SSU) and why Microsoft really needs to work something better out for this:
When the major monthly cumulative update requires the SSU as a pre-req, it creates major pain points with managed deployment. If you are running "unmanaged" and just let clients go to Microsoft directly to get whatever is applicable, then you probably aren't worried about this.
So first scenario: Small org using WSUS, and/or someone with ADR setup to auto-approve "needed" updates. In this case, the main CU doesn't even register with WSUS as needed because it needs to install the SSU first. So think about the timing here.
WSUS gets the latest catalogue, client scans/reports results, ADR runs and gets "needed" SSU update, client installs update, next client scan now detects CU needed, next ADR run now sees CU needed, next client scan sees CU now applicable and install... this cycle could take days!
Now, if you are using something like GPO or have expected time frames you want thing to install in (change windows), this certainly makes things complicated.
Even if you manually approve the CU, it will still depend on how often your clients run the update scan to get it
If use WSUS to patch servers, and need to have that install process happen within a specified change window, you need a process/config that triggers the clients to do multiple update scans within your change window so it can detect and install the CU after the SSU is done
So now what about using a managed system like ConfigMgr? Unfortunately in some ways it can be even worse, but essentially the same challenges remain. Since the SSU doesn't require a reboot, it won't trigger the ConfigMgr setting for "run scan after update triggers restart"
This means that the update deployment you send out will install the SSU, but then nothing more until your client policy triggers another Update scan cycle. You don't know *exactly when* the SSU will be installed, so what options do you have?
For servers we have a clearly defined maintenance window we can do things in, so the awful hack is to have a script that trigger the update scan cycle *every hour* during the change window so it can detect the CU after the SSU has completed
But for workstations we just have a "start time", so the SSU could install, no reboot needed, and then nothing happens until the next scan cycle. This means we will likely end up with machines wanting to reboot a day after we said the updates start.
You can't have a recurring job triggering an update scan on workstations since we don't have a clear window when they will install, and if you have your "re-scan" schedule set to 7 days (default) then it might be a week before the CU is actually detected as needed.
Fortunately for workstations, there are usually Office updates that also need to install and they will require a reboot, so you get to use the "scan after restart" option.
This does mean however, that after all those Office updates have finally installed, and the user finally reboots, that the CU will get detected, and then it will start installing and then require another reboot.

Users love that experience.

Now what if you don't force reboots?
Well, if you only notify users a reboot is required and leave it up to them, you can be back to spending days/weeks waiting for machines to get compliant.
So what's the solution for all this? I dunno. Maybe there needs to be some special logic for updates/WSUS/ConfigMgr to deal with the SSU when installed. Maybe have an option to require a reboot for the SSU even if it doesn't need one. Maybe find a way to roll SSU's into CU?
If SSU's are going to become a regular thing, then there needs to be a better way to deal with them.

Because the current options are not much fun.

<end>
@threadreaderapp please unroll
If you really want to read it all, here's an easier unrolled version threadreaderapp.com/thread/1039668…

• • •

Missing some Tweet in this thread? You can try to force a refresh
 

Keep Current with Scott Williams

Scott Williams Profile picture

Stay in touch and get notified when new unrolls are available from this author!

Read all threads

This Thread may be Removed Anytime!

PDF

Twitter may remove this content at anytime! Save it as PDF for later use!

Try unrolling a thread yourself!

how to unroll video
  1. Follow @ThreadReaderApp to mention us!

  2. From a Twitter thread mention us with a keyword "unroll"
@threadreaderapp unroll

Practice here first or read more on our help page!

More from @ip1

Feb 25, 2019
Crazy IRL story time: Decades ago now, there was a senior division director who wasn't really "impressed" by computer but was being forced to use one. He had a desk with years and years of paper stacked all over it.
The computer monitor was perched precariously on top of one of those stacks, and the keyboard on another, but in those days the mouse was the original IBM PS/2 roller ball style, so you needed a clear surface to operate it on
So on this HUGE desk piled high with paper, there was a clear strip that ran from one side of the desk to the other.

I asked him why he had this weird cleared area...
Read 18 tweets
Aug 7, 2018
A story about a non-conventional backup and DR strategy for ConfigMgr. Four or so years ago, before there was support for things like SQL Availability Groups or "HA" site servers, a ConfigMgr 2012 environment was built. This environment would be relatively small (5000 clients)
however it'd be operating in a very large organisation. Interestingly enough, despite the nature of use, namely to build and manage servers in the datacentre, it was allocated as an "incidental" service so not given any status of import. This was important for discussions on DR
It is a single stand-alone Primary, remote SQL (a requirement for all database services here) and a couple of remote DP's. So design-wise it's nothing complicated. In a DR scenario (think loss of datacentre bad) things got complicated
Read 29 tweets

Did Thread Reader help you today?

Support us! We are indie developers!


This site is made by just two indie developers on a laptop doing marketing, support and development! Read more about the story.

Become a Premium Member ($3/month or $30/year) and get exclusive features!

Become Premium

Don't want to be a Premium member but still want to support us?

Make a small donation by buying us coffee ($5) or help with server cost ($10)

Donate via Paypal

Or Donate anonymously using crypto!

Ethereum

0xfe58350B80634f60Fa6Dc149a72b4DFbc17D341E copy

Bitcoin

3ATGMxNzCUFzxpMCHL5sWSt4DVtS8UqXpi copy

Thank you for your support!

Follow Us!

:(