Deploy Windows SSUs and LCUs together with one cumulative update
Published Dec 08 2020 10:01 AM
Microsoft

Update 2021.02.09: Thank you all for your feedback and for deploying the one monthly cumulative update packages in December and January through the Windows Insider Pre-Release category. Beginning with the February 2021 LCU, we will now publish all future cumulative updates and SSUs for Windows 10, version 2004 and above together as one cumulative monthly update to the normal release category in WSUS.

For those of you curious about when this capability will be available for earlier versions of Windows, stay tuned!


You can now deploy the December 2020 latest cumulative update (LCU) and servicing stack update (SSU) together via our new one cumulative update package, or separately.

On September 9th, 2020, I announced the work in progress to simplify on-premises deployments of servicing stack updates. Today, I am excited to announce that you can take advantage of this new capability using Windows Server Update Services (WSUS) and the Windows Insider Program for Business.

We have released the December 2020 LCU and the December 2020 SSU to WSUS in two ways for devices running Windows 10, version 2004 and later: to the typical Security Updates category and to the Windows Insider Pre-Release category.

To deploy the cumulative update and servicing stack update separately, no special action is needed. Just ensure, as always, that you deploy the SSU prior to deploying the LCU so that both updates install successfully on the device.

To deploy the LCU and SSU together using the new one cumulative update package, simply follow three easy steps.

Note: Before completing the steps below, ensure that you have installed the September 2020 SSU on the targeted devices.

Step 1: Sync the Windows Insider Pre-Release category

  • In the WSUS console, from Products and Classifications, select Windows Insider Pre-Release Product and Upgrades. Sync WSUS.
  • In Microsoft Endpoint Manager Configuration Manager, navigate to the Products tab of Software Update Point Component Properties and select Windows Insider Pre-Release. Select OK to confirm this selection.

Step 2: Select the OS version

From the list of All Updates, select the cumulative update for the version of Windows 10 running on the device(s) that will receive the update. Currently, this would be either of the following:

  • 2020-12 Cumulative Update for Windows 10 Version 2004
  • 2020-12 Cumulative Update for Windows 10 Version 20H2

Step 3: Deploy the update

Deploy the update to the desired devices in your organization the same way you would deploy any other monthly cumulative update.

Note: When you deploy the update package to your devices, the client will automatically orchestrate the proper ordering of installation to ensure the SSU and LCU are both applied correctly on the device. This will be the exact same content as if you had deployed the December 2020 LCU and SSU separately.

Check your preferred method of reporting and note that your devices are now running the December LCU (KB4592438) and SSU (KB4593175).

That’s it! It’s that simple.
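If you prefer to confirm the result on a device itself, the following check is an added example and not part of the original post. It looks for the two KB numbers named above with Get-HotFix and reads the servicing stack version from the Component Based Servicing\Version registry key; it assumes the value names under that key are version strings and that the CurrentBuild and UBR values hold the OS build and revision.

```powershell
# Added example: report whether this device has the LCU and SSU named in the article.
function Test-CumulativeUpdateState {
    [CmdletBinding()]
    param(
        # Defaults are the December 2020 LCU and SSU from the article.
        [string[]]$RequiredKB = @('KB4592438', 'KB4593175')
    )

    # Get-HotFix lists the updates that WMI (Win32_QuickFixEngineering) exposes.
    $installed = @(Get-HotFix | Select-Object -ExpandProperty HotFixID)
    $missing   = @($RequiredKB | Where-Object { $_ -notin $installed })

    # OS build and revision, e.g. "19042.685", to spot devices whose build did not move.
    $nt      = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion'
    $osBuild = '{0}.{1}' -f $nt.CurrentBuild, $nt.UBR

    # Assumption: each value name under this key is a servicing stack version.
    # Take the highest one that parses; leave $null if the key or values are absent.
    $cbsKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing\Version'
    $stack  = $null
    if (Test-Path $cbsKey) {
        $stack = (Get-Item $cbsKey).GetValueNames() |
            ForEach-Object { $_ -as [version] } |
            Where-Object { $_ } |
            Sort-Object -Descending |
            Select-Object -First 1
    }

    [pscustomobject]@{
        ComputerName          = $env:COMPUTERNAME
        OSBuild               = $osBuild
        ServicingStackVersion = $stack
        MissingKB             = $missing
        Compliant             = ($missing.Count -eq 0)
    }
}

Test-CumulativeUpdateState | Format-List
```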

The best part? Like all preview builds published to commercial devices in the Release Preview Channel and to the WSUS Windows Insider Pre-Release category, testing out this new deployment technology for LCUs and SSUs from WSUS is fully supported.

If you run into an issue that prevents you or other users in your organization from deploying or updating using this new one cumulative package, use this online form to request assistance directly from Microsoft Support at no cost to you. Or contact customer support through your typical channel.

Try out this new way of deploying LCUs and SSUs and let us know what you think by commenting below or reaching out to me directly on Twitter @ariaupdated.

 

28 Comments

Thanks for the post, It's a great and much appreciated move, simplifies updating clients. I don't think there is any reason left to use the old approach anymore.

Iron Contributor

Hi, thank you for the information.

 

Can you please explain why these were added to this product and not just a new name under the regular Windows 10 1903 and later product??

Asking because when we check this one and sync, it will also sync a ton of Insider Feature Updates that we will need to decline (since we don't use those) to keep our WSUS catalog as slim as possible.

 

Thank you for your collaboration

Microsoft

@HotCakeX Thanks! I'm glad this change will help simplify your deployments. :)

 

@lalanc01 apologies for the inconvenience. As stated in the September blog, we plan to fully transition to the new one cumulative update packages (LCUs + SSUs together) and publish only those payloads to the typical Windows 10 1903 and later product category and no longer publish the LCUs and SSUs separately down the line. Until then, we are publishing the one cumulative updates to the Windows Insider Pre-release category to provide an opportunity for admins to switch over prior to one cumulative updates (SSUs + LCUs together) becoming the default state.  Does this help to clarify? 

 

P.s. You make a really good callout about having to decline updates. We should be expiring the old feature updates that are no longer being used for validation to keep the pre-release category small and I will actually go work on that to simplify such in future. :) 

Silver Contributor

The name of a separate old style CU for December and new combined update are the same? How can one tell them apart if you sync both normal product and Insider?

 

As you mention that in future this will go into 1903 and later product, this means that new combined updates will be supported by 1903 and 1909 also? I was under the impression this was only supported by 20H2 (I think I first read about this in 20H2 release post, which is confusing now, why to mention this in 20H2 release notes).

 

Also, can you say when combined updates might become final and replace separate ones? Because we don't use WSUS and our third party software will not pull Insider product, I think.

Steel Contributor

@wroot The combined update has no supersedence info (yet)

 

the "Windows 10 1903 and later" is just the category name

v2004/20H2 falls into the later term

What happens if you have automatic rules that approve both the LCUs, SSUs and these new combo bundles?

Microsoft

@Susan Bradley If you approve all three payloads, they will all be offered to the device. From there, the order of installation will depend on the network (congestion, disruptions, retransmission) but given ideal conditions the order should be based on size of the payload. In this case, that would mean the standalone December SSU will install first followed by the standalone December LCU, which will then make the December one cumulative update no longer applicable given the device will already be up to date. Please let me know if you have any further questions. 

 

Indeed, I see two KB4592438 and one 4593175 queued up and ready to be installed.  I don't mind as long as the duplicate will fail gracefully and not install in an incorrect manner and crater machines.  I am crusty enough to remember when an SSU didn't install in the right order and it cratered machines.

Microsoft

@Susan Bradley failing gracefully should be what happens. If not, let me know! :) 

Copper Contributor

Can we deploy a combined LCU & SSU for Windows Server?  Half of my devices are Windows Server 2016 (with a few Windows Server 2019 servers and a few 2012 R2 servers).  How about Windows 10 1909?

Microsoft

Unfortunately, we are currently only providing the one cumulative update (LCU & SSU together) for 2004+. Once we make it available downlevel you will be able to deploy on Servers as well. Stay tuned for announcements of when such backport will happen and what versions it will be for. 

Brass Contributor

How can I find the new package download (without WSUS)? I'm using dism to add new updates to a 20H2 image and I have to always add the SSU update before the LCU. But now that they are together in one package, I wanna try it.

Steel Contributor

@Vandrey Trindade The updates themselves are not in one package (cab file), they are still separate updates,
so continue as usual, and get SSU/LCU from Microsoft Update Catalog

Copper Contributor

Hello,

Any update or plan about implementing it for Win 2016 and Win 2019?
Thank you 

Microsoft

@MartinKrivak Yep! We will be bringing this capability down to Windows Server 2016 (running 1607) and Windows Server 2019 (running 1809) in the coming months. Note - the February 2021 SSU will be a pre-requisite to support these one cumulative update packages.

Copper Contributor

Hi,

 

So the first couple of months while the LCU+SSU were in the preview channel (WSUS) things worked great.  We've been plagued with an issue for years to where we do Windows updates, but the build number does not update.  We've noticed when this occurs these systems are more likely to have unrecoverable BSOD's.

 

When we did updates with the new LCU+SSU package in the preview channel, it not only updated to the correct build but it also fixed past systems that were on the incorrect build so that they were current.  It was great.  But now that the update is supposedly back in the main channel the updates are back to being terrible again.  I would say less than half that have been updated are reporting the correct build, so now I am worried that we are going to start getting BSOD's again.

 

Can we say for certain that this new package is the same in the main channel as it was in the preview?  We were so excited to have finally nipped our issue in the bud, but it looks like it might be coming back.

Steel Contributor

As KB4601382 (19041.844) is now published in MU catalog as combined pack (SSU cab + LCU cab)

does that mean the SSU (KB5000911) will not have separate download.windowsupdate links?

 

Copper Contributor

@Aria Carley

For the March update and going forward, how do we identify this combined pack?  We are using SCCM to manage our patch deployment and I imagine the combined pack is now available as part of the standard channel and does not need the "Insider Pre-Release" category to be selected under the product tab!

Thx for the reply.

 

Copper Contributor

@Aria Carley -- great article, to further expand on: "Check your preferred method of reporting and note that your devices are now running the December LCU (KB4592438) and SSU (KB4593175)." 

 

I found this registry key that seems to do the job. HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing\Version

 

Thanks!

 

John Drinkall

Marvellous! Great efforts you are backporting this neat solution.

Any idea what about these?

K_Wester-Ebbinghaus_0-1623288216640.png

 

 

Copper Contributor

Hi @Aria Carley 

 

Does Microsoft have any predictions on when it will add SSU + CU to the servers (2016/2019)?
I know you commented a while ago, however this is only for Windows Server 2022?

Thanks!

 

Rodrigo Fronza

Steel Contributor

@RodrigoFronza It's already started for Server 2019 since August CU Preview

https://support.microsoft.com/en-us/topic/august-26-2021-kb5005102-os-build-17763-2145-preview-84c55...

 

Server 2016 probably will not get it

Copper Contributor

@Aria Carley,

 

I have a point of confusion regarding the combining of the SSU and LCU.

 

When updating a Windows image, I have a script that follows the order of operations shown in the chart in this documentation:

 

https://docs.microsoft.com/en-us/windows/deployment/update/media-dynamic-update

 

Note that for updating the install.wim, the order begins like this...

 

SSU
Language Pack
Features on Demand
LCU

 

The first time the combined SSU / LCU package is installed, it will install only the SSU if an SSU exists in the package. The second time the package is installed it will apply the LCU. This would allow you to apply the package once, at which time the SSU is installed, then apply the Language Packs and Features on Demand, then apply the LCU package again at which time the LCU is applied.

 

If no SSU is present in the package then the LCU is installed the first time you apply the package. This causes a problem because the LCU gets applied prior to my installation of the Language Packs and Features on Demand.

 

So here is my question: How can I know if the LCU includes an SSU from my script so that I can intelligently apply the package only after the Language Packs and Features on Demand are installed if no SSU is present in the package?

Copper Contributor

Get-Hotfix finds the SSU KB included in the LCU for Windows Server 2019 for instance:

PS C:\Users\myself> get-hotfix

Source Description HotFixID InstalledBy InstalledOn
------ ----------- -------- ----------- -----------
myserver Update KB5013626 NT AUTHORITY\SYSTEM 08.07.2022 00:00:00
myserver Update KB4470502 myserver\Admi... 01.04.2020 00:00:00
myserver Update KB4486153 myserver\Admi... 01.04.2020 00:00:00
myserver Update KB4530742 NT AUTHORITY\SYSTEM 01.07.2021 00:00:00
myserver Security Update KB4535680 NT AUTHORITY\SYSTEM 01.07.2021 00:00:00
myserver Security Update KB4539571 NT AUTHORITY\SYSTEM 01.04.2020 00:00:00
myserver Update KB4577586 NT AUTHORITY\SYSTEM 01.07.2021 00:00:00
myserver Update KB4584642 NT AUTHORITY\SYSTEM 01.07.2021 00:00:00
myserver Update KB4589208 NT AUTHORITY\SYSTEM 01.07.2021 00:00:00
myserver Security Update KB5003711 NT AUTHORITY\SYSTEM 01.07.2021 00:00:00
myserver Update KB5004424 NT AUTHORITY\SYSTEM 03.08.2021 00:00:00
myserver Security Update KB5005112 NT AUTHORITY\SYSTEM 04.02.2022 00:00:00
myserver Security Update KB5012170 NT AUTHORITY\SYSTEM 09.09.2022 00:00:00
myserver Security Update KB5018419 NT AUTHORITY\SYSTEM 04.11.2022 00:00:00
myserver Update KB5009642 NT AUTHORITY\SYSTEM 11.03.2022 00:00:00
myserver Update KB5012675 NT AUTHORITY\SYSTEM 17.06.2022 00:00:00
myserver Update KB5014031 NT AUTHORITY\SYSTEM 08.07.2022 00:00:00
myserver Update KB5014797 NT AUTHORITY\SYSTEM 05.08.2022 00:00:00
myserver Update KB5015896 NT AUTHORITY\SYSTEM 09.09.2022 00:00:00
myserver Update KB5017400 NT AUTHORITY\SYSTEM 04.11.2022 00:00:00

It would be helpful to have a KB article that explains what KB5017400 is, or at least, show it in the installed updates the same way as with the security updates.

Copper Contributor

I'm back to respond to my own question posted here on Jan 11, 2022 for any who might be interested in an answer.

For the below to make sense, please see that post for my original question.

 

Answer: Rather than attempt to install the combined SSU / LCU package twice, the SSU can be extracted from the combined package, and, if present, the SSU can then be installed as a separate entity just as it was in days prior to the SSU / LCU being combined.

 

NOTE 1: The "f:" in the following command is NOT a drive letter. Don't change it.
NOTE 2: The DISM command below illustrates applying the SSU to a WinRE.wim, but the same applies to a mounted boot.wim and install.wim. The whole point is simply that the SSU can be extracted first, then applied if it is present. After that the LCU can be applied.

 

expand "C:\WinUpdates\LCU\*.MSU" /f:"SSU*.cab" "C:\Project\SSU"

DISM /Add-Package /Image:"C:\Project\WinRE_Mount" /PackagePath="C:\Project\SSU" /LogPath="C:\Project\Logs\dism.log"
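
The answer above, carried through the full SSU, Language Pack, Features on Demand, LCU order as a PowerShell function. This is an added example, not the commenter's script: the function name, parameters and folder layout are hypothetical, and it assumes language packs and Features on Demand are supplied as .cab files in the folders passed in.

```powershell
# Added example: apply a combined SSU/LCU .msu to a mounted image in the documented order.
function Add-CombinedUpdateInOrder {
    param(
        [Parameter(Mandatory)][string]$MountDir,  # mounted install.wim, boot.wim or WinRE.wim
        [Parameter(Mandatory)][string]$MsuPath,   # the combined SSU/LCU .msu
        [Parameter(Mandatory)][string]$SsuDir,    # folder that receives the extracted SSU cab
        [string[]]$ExtraPackageDirs = @(),        # assumed: language pack folder, then FoD folder
        [string]$LogPath = "$env:TEMP\dism.log"
    )
    $ErrorActionPreference = 'Stop'

    # Clear any SSU cab left from an earlier run so a stale one is never applied.
    New-Item -ItemType Directory -Path $SsuDir -Force | Out-Null
    Get-ChildItem -Path $SsuDir -Filter 'SSU*.cab' | Remove-Item -Force

    # Extract only the SSU cab; "-F:" is expand.exe's file filter, not a drive letter.
    & expand.exe $MsuPath '-F:SSU*.cab' $SsuDir | Out-Null
    $ssu = @(Get-ChildItem -Path $SsuDir -Filter 'SSU*.cab')

    # 1. SSU first, but only when this month's package actually contains one.
    foreach ($cab in $ssu) {
        Add-WindowsPackage -Path $MountDir -PackagePath $cab.FullName -LogPath $LogPath | Out-Null
    }

    # 2 and 3. Language packs, then Features on Demand, in the order the caller listed them.
    foreach ($dir in $ExtraPackageDirs) {
        foreach ($cab in Get-ChildItem -Path $dir -Filter '*.cab') {
            Add-WindowsPackage -Path $MountDir -PackagePath $cab.FullName -LogPath $LogPath | Out-Null
        }
    }

    # 4. The full package goes on last, so the LCU lands after the packages above.
    Add-WindowsPackage -Path $MountDir -PackagePath $MsuPath -LogPath $LogPath | Out-Null

    # Tell the caller whether an SSU was present, which is the question the script had to answer.
    [pscustomobject]@{
        SsuFound = ($ssu.Count -gt 0)
        SsuFiles = $ssu.Name
        Package  = $MsuPath
    }
}
```

Because the presence of the SSU is decided by whether a file was extracted, the same call works for months with and without an SSU in the package.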

 

Copper Contributor

:hearteyes:

Copper Contributor

Is windows server now supported with combined SSUs and LCUs? 

@Jwckauman yes all versions from Windows Server 2019 and later SSU are included into LCU. Same for Windows Client 10 21H2 and later. Windows 11 included of course.

With this, one thing becomes our duty. Please have a look at this and keep it in mind.

https://techcommunity.microsoft.com/t5/windows-server-for-it-pro/why-no-longer-using-wusa-to-uninsta...

Last update: Feb 09 2021 02:09 PM