Simplifying on-premises deployment of servicing stack updates
Published Sep 08 2020 01:25 PM 179K Views
Microsoft

Update 2021.02.09: On February 9, 2021, we released the February 2021 SSU for Windows 10, versions 1909, 1809, 1607 and 1507*. The February 2021 SSU will be a prerequisite for receiving the new one cumulative update (LCU and SSU packaged together) for these versions of Windows 10.

We are planning to switch over to the new combined package format for these earlier versions in the coming months. In the meantime, please broadly deploy the February 2021 SSU across your organization to take advantage of the upcoming capability.

Stay tuned for more information on when we’ll transition to the combined package format for these versions!

*An updated SSU is not currently available for Windows 10, versions 1607 and 1507.


We have heard your feedback and are taking action to provide a more seamless experience for those managing monthly updates on-premises.

To keep devices up to date, IT administrators who manage devices using on-premises methods must select and deploy the correct servicing stack update (SSU) with the latest cumulative update (LCU). In some cases, a specific version of the SSU must already be installed in order to install the latest LCU. If the device in question does not have the required SSU already installed, the LCU will fail to install.

This scenario can be confusing for two reasons. First, it doesn't occur every month. Second, the error message that the LCU failure can produce, "update isn't applicable," doesn't make the root cause immediately apparent. As a result, having an LCU fail to install can be confusing and frustrating for the end user and IT admin alike, but can also hurt security compliance.

With the Windows Update experience where the SSU and LCU are deployed together to the device, the update stack automatically orchestrates the installation, so both are applied correctly.

Our goal is for all IT administrators, whether managing devices on-premises or from the cloud, to experience the simplicity of having a single cumulative monthly update to deploy that includes the month’s cumulative fixes and the appropriate servicing stack updates for that month, if applicable.

Our upcoming changes will ensure that the SSU and LCU are provided together under a single payload to both Windows Server Update Services (WSUS) and Microsoft Catalog.

If you use management tools backed by WSUS, such as the Configuration Manager, you will have to select and deploy the monthly cumulative update. The latest SSU will automatically be applied correctly. If you acquire and apply Dynamic Update packages to existing Windows 10 images prior to deployment, the latest SSU will no longer be available as a separate package in the Microsoft Catalog. If your process requires the SSU, you’ll simply use the new combined SSU and LCU package.

Things you will no longer need to worry about

  • Searching for both the SSU and LCU KB articles. All release notes and file information for monthly cumulative updates, including those related to the servicing stack, will be in a single KB article!
  • Determining if this month's LCU has a dependency on a specific SSU version or newer and ensuring that the right SSU and LCU are deployed and installed in the correct order. The SSU and LCU will be packaged together, and the client will orchestrate the installation. Select the monthly cumulative update you want to deploy, and we will take care of the rest!
  • End users confused at seeing multiple servicing releases in a month. The Window Update Settings and History pages will now look the same as it does for those who update from the cloud today!

How to take advantage of these innovations

To move forward with receiving a single monthly cumulative update package containing the SSU and LCU, you will first need to broadly deploy the September 2020 SSU or any later SSU on all Windows 10, version 2004 devices in your organization.

While these changes are not yet live for any in-market version of Windows, we hope you are excited about what is coming. This announcement gives you plenty of time to prepare for the upcoming changes and deploy the September 2020 SSU and LCU broadly across your organization.

Keep an eye out over the next few months as we release more information!

44 Comments
Copper Contributor

Great news!

Brass Contributor

This will make everyone's life easier. Thanks for the update about updates!

Brass Contributor

@Aria Carley wrote:

How to take advantage of these innovations

To move forward with receiving a single monthly cumulative update package containing the SSU and LCU, you will first need to broadly deploy the September 2020 SSU or any later SSU on all Windows 10, version 2004 devices in your organization.


 

Does this mean SSU bundling with the LCU is only applicable for Windows 10 2004 and newer or will it also be backported to older supported versions of Windows 10? My company doesn't deploy the H1 updates and we won't have H2 2020 deployed until around this time next year. It would be a bummer If I had to wait another year to take advantage of this feature...

Microsoft

@CLove3 Currently we are just announcing the upcoming capability for those on Windows 10, version 2004 and above. Later on as we provide more capabilities / extend this capability to more versions, we will update this community. Stay tuned. :) 

 

 

@Aria Carleythanks a lot for this needed and welcome change.

 

Is it in your range to plea for the following 

1903/1909 have received an own product category in #WSUS and catalog

 

Unpractically

2004/20h2 are now in the same category of 1903 and later.

 

We urgently need an own category for each year's release. Means 

2004 and later for 2004/20h2.

 

Before 1903 and later one had no out of box function to only approve the builds the companies needed.

 

Thanks for your feedback. It's really meaningful to have that, and consistency.

 

Iron Contributor

Thanks Aria! 

Microsoft

@Karl_Wester-Ebbinghaus thank you for the feedback! 

 

While it is true that syncing the 1903 and later category will have all of the feature updates after 1903 sync with your server (including 1903, 1909, 2004, etc. as per the article posted announcing that category), you (the admin) still have full control over which Feature Update to approve/deploy. To better understand, are you looking for a separate category for every Windows feature update released? If yes, why?

Copper Contributor

Not sure if this change is related to the problem I am seeing. 

For any machines with the 20H2 enablement package installed, WSUS reports SSU, LCU and .net framework as Not Applicable.

Looks like something is missing so it think 2004 updates isn't for 20H2 (maybe 20H2 copies should be released, like both 1903 and 1909 versions are being)

It is easy to reproduce, setup WSUS on a 2016 server, install a Win10 2004 machine without the latest updates and point it to the WSUS server. Snapshot the machine and search for updates, the latest 2004 will be found and installed.

Now restore to the snapshot, install the enablement package, reboot and search for updates - no updates will be found, and WSUS will report that the 2004 updates are not applicable.

Sorry if this is not related to this change - if not, can you point me in the direction of where I should report this bug? 

Microsoft

@BjarkeIPedersenAKQA thank you for the feedback. That is not related to this change. However, the problem is dually noted. Please also report this problem either to support or through FeedbackHub so that we can track this bug. 

"While it is true that syncing the 1903 and later category will have all of the feature updates after 1903 sync with your server (including 1903, 1909, 2004, etc. as per the article posted announcing that category), you (the admin) still have full control over which Feature Update to approve/deploy. To better understand, are you looking for a separate category for every Windows feature update released? If yes, why?"

 

hi @Aria Carley sorry for late reply to your question:
- in the past there was only one category called Windows 10. Including all data from 1507 through 1809.

If one uses only WSUS and not WU / WuFB and you would have used autoapproval this would make you DL all patches for all versions no matter if you use it or not.

 

I had high hopes to see 1903 and later meaning 1903/1909 and then hoped it would reoccour for 2004/20H2 as each of these sets as a product category share same Update files. But this did not happen. Rather 2004/20H2 is mystically in 1903 and later category.

 

For the very same reason, yes out of the box, to make it manageable it would be great to only auto-approve the updates of the Windows versions (since 1903) that one is actually using in the field.

 

Does this answer your question? Thanks for your feedback on this!

Copper Contributor

Hi @Aria Carley,

In general these are really great news and I like it very much. :lol:

 

But now there is the drawback! Including all stuff in the install.wim (as of today 2004 with sept updates is 4,487 MB) is already beyond the space limit of FAT32 (4 GB max file size) partitions on USB drives (needed to do an installation with FAT32 while secureboot is on. NTFS partitions e.g. would even not be shown on a Surface device!) :cry:

Whenever you do an inplace upgrade (from running Windows OS) from an USB drive (NTFS) everything is fine. But when you need to do a fresh installation (no running OS, while secure boot is on (and setting it to off is not really a good option)). :facepalm:

Fortunately you would have already a solution for this! You just need to use it! (simply use your own split functionality!)

https://docs.microsoft.com/en-us/windows-hardware/manufacture/desktop/split-a-windows-image--wim--fi...

So it would be very convenient when ever your ISO build process is modified to have 4GB Install wims (.SWM files) instead to deal with this manually.

I think its not a good option whenever we as customers have to modify the install media by ourselves everytime. Just think of home users! For us this is complex, cumbersome and time consuming process. For you its a simple onetime change in your ISO build process.

 

Looking forward to get the next ISO with the right install.wims (splitted accross smaller files). :stareyes:

Microsoft

@JoergWu  The updates should not be going over 4GB... Are you running scavenge (Dism /image:<path to image> /cleanup-image /startcomponentcleanup) after installing the updates to wim? 

Copper Contributor

An option is also to use the /compress:recovery with the wim file and then rename it to install.esd instead. It saves quiet alot of space. 

Brass Contributor

Why there is a new SSU for 20H2 (KB4586864) from 11-2020 in catalog and WSUS?

Microsoft

@Malte This is because these changes for 2004/20H2 are not yet live yet. As per the above article: "While these changes are not yet live for any in-market version of Windows, we hope you are excited about what is coming." Keep an eye out for more updates coming soon! :) 

 

Copper Contributor

why is Microsoft Visual C++ Redistributable for Visual Studio 2015, 2017 und 2019  not included, this is essential for software and drivers

Brass Contributor

Is this live on 20H2? I am still seeing 2021-01 Servicing Stack Update for Windows 10 Version 20H2 for x64-based Systems (KB4598481). 

Thanks.

Microsoft

@Tamang this is currently only available if you sync the WSUS Pre-release category. Once you sync the pre-release category, you should see the one cumulative update package containing both the January security LCU and the January SSU. 

Brass Contributor

@Aria Carley Thank you for the clarification.

@JoergWu please upvote this feedback and share it

 

Feedback Hub Feature request: Use SWM (dism Split) per default

https://aka.ms/AAawx6w

Copper Contributor

February 2021 SSU has been canceled.

@win32_lean_and_mean hi AFAIK only the Server 2016 LTSC SSU has been withdrawn but a new one has been released.

The adv9900001 hasn't been updated yet 

Microsoft

@Karl_Wester-Ebbinghaus @win32_lean_and_mean apologies! An issue was noted with the 1607 / Server 2016 SSU and we removed it to prevent people from hitting the issue. We will update this blog once we have confirmed which SSU Server 2016 devices will need to take in order to take advantage of one cumulative udpate in the future. :) 

Hi @Aria Carley as said the new SSU to replace the withdrawn one is already released I have seen it also in WSUS today and installed fine. 
only the ADV990001 has not been updated yet. 

Copper Contributor

When we deployed the March SSU and CU for Windows Server 2019 in the same SUG using MECM 2002 we observed that the CU installed prior to the SSU in every case we examined.  

Can you explain the timeline as to when we will see the SSU install first followed by other updates?   Previously we had always deployed SSU's ahead of our standard Maintenance Windows for server patching to ensure we didn't run into any issues, but based on this blog and other documentation we were under the impression that the SSU would install first followed by other updates in a Software Update Group. 

Thank you.

 

Microsoft

Hello @JCStorbeck1978 thank you for reaching out. Please note that currently the new packaging/technology applies only to 2004+ LCU+SSUs. For Server 2019, you will need to continue deploying the SSU prior to the LCU. Note- as stated at the top, the change for Server 2019 is coming soon! So you won't have to do this for too long. :)

Copper Contributor

Thank you Aria Carley.  Do you anticipate the date will be announced when this feature is implemented?  

Microsoft

I anticipate that this blog will be updated and we will post elsewhere such as Twitter as well. :) 

Copper Contributor

Is it for all Windows Operating systems or Any specific release?

 

Copper Contributor

Great News!

Copper Contributor

Any updated regarding this topic for Windows Server 2022 (LTSC) ?

Copper Contributor

100

Copper Contributor

:smile:

Copper Contributor

@Aria Carley 

Hi Aria, now end of the year 2022, can you give us a small summary about the status on this topic here.

I'm also interested on the backport to Windows server operating systems, (W2K16 & W2K19).

@Werner_I if I am not mistaken it has been backported to WS 2019. Not 2016 though. Never seen a seperate SSU in recent patch days at customers but will double-check.

Copper Contributor

@Karl_Wester-Ebbinghaus THX, we checked it also in our systems. You are right. W2K19 has it also included. In the server environments there are only SSUs for W2K16 available.

Here is the MS article to the SSU releases: https://msrc.microsoft.com/update-guide/en-us/vulnerability/ADV990001

@Werner_I sorry I missed that reply. Unfortunately once you open the view all unread messages become read. Great you was able to confirm this. Well WS 2016 never touched my soul because of servicing and other things.

Copper Contributor
@
Copper Contributor
Think you for this position
Copper Contributor

So useful. Thanks for it!

Copper Contributor

email address removed for privacy reasons 

Copper Contributor

email address removed for privacy reasons 

Brass Contributor

I badly need someone to setup the configuration as well as deploying these said option. Thanks in advance Microsoft.

Co-Authors
Version history
Last update:
‎Feb 23 2021 08:17 PM
Updated by: