Throttle Downstream WSUS Update Pull from upstream
Is it possible to throttle the download of updates on a downstream WSUS server i.e. when it is pulling it's updates from an upstream WSUS server? We have some downstream WSUS servers on low bandwidth links and whilst we generally schedule the pull of updates during an out-of-hours window this is problematic for us for several reasons. I'd rather they pull during the day but with throttling. I’m aware the WSUS clients can do this in Windows 10 BITS etc. but wondering can the WSUS server do this on the synchronisation cycles.
WSUS Certificate pinning
Hi, is there any docs as to how to enable certificate pinning? Asking because in those posts, it says that we can do this to secure our WSUS servers, but I can't seem to find out to actually do it. Changes to improve security for Windows devices scanning WSUS - Microsoft Tech Community Scan changes and certificates add security for Windows devices using WSUS for updates - Microsoft Tech Community Thank you in advance and don't hesitate if you have any questions
WSUS edge update fail 0x80070643
Hello everyone, it's a little bit of time that one of my clients do not install from wsus server the update for microsoft edge properly. After the install get to 100% return the error code 0x80070643. Already tried to install manually (download edge business from ms site), reset all windows update components. Other updates are installed succesfully. The event log report a different error code (only a generic installation error with code 0x8024200B). The very wierd part is that if I disable the wsus policy and check for update in edge information page, the update install succesfully. Other clients install it from wsus without issues.WSUS and Widows update for Business
I'm confused on how to use WSUS and Windows Update for Business (WUFB) at the same time. Say I'm deploying the monthly quality updates from WSUS and I decline one of them. Will windows 10 just pick it up from Windows Update via WUFB and apply it ? The only way I can see to disable WUFB is to set the group policy setting 'Do not Connect to any Internet Locations -> Enabled' . This seems to break MS Store access though. I'm confused on how these two system work in conjunction. Should be looking a setting deferral policies?
Latest LCU not detected from WSUS if corresponding SSU preinstalled
Hi, for a few months now, the SSU is bundled with the LCU. I have noticed that, if the bundled SSU is manually preinstalled with e.g. DISM, the corresponding LCU portion will no longer be detected as applicable from WSUS! It will however be detected if I scan against WU directly. WSUS will even show the entire bundle as installed for clients which only have the SSU portion installed! This doesn't seem like a common scenario, however it becomes a huge problem if a device does a feature upgrade (from media or WSUS, doesn't matter) from an older version (<= 1909) to 20H2, with the "/DynamicUpdate NoLCU" option enabled. What seems to happen is, Windows Setup does not, as instructed, download and apply the latest LCU, but will still download and apply the latest SSU! This results in an installation that's effectively stuck at the LCU of the upgrade media used (currently 2020-11 for the WSUS upgrade package) and cannot upgrade to the current LCU, if WSUS is used as the only update source - at least until a newer LCU is released and approved. And since SSUs cannot be uninstalled, there is no easy workaround for affected machines. I don't know if anyone from the WSUS team reads this, but there seems to be a faulty "is installed" detection logic in the SSU+LCU bundles published to WSUS, that needs to be addressed asap. Right now I have 35 Windows 10 clients stuck at the November '20 LCU, unable to upgrade. Can anybody else confirm this problem? Regards, Markus
2021-05 Cumulative Update for Windows Server 2019 for x64-based Systems (KB5003171): Not Applicable
2021-05 Cumulative Update for Windows Server 2019 for x64-based Systems (KB5003171) is downloaded in WSUS and approved for installation. It is showing not applicable. I have tons of Windows Server 2019 servers. I have two separate WSUS on different environment and both showing the same status as not applicable. Anyone seeing this issue? Thanks
3rd party Whitelisting Application Control and Windows OS Upgrades from SCCM
Hello everyone! I am being as ambiguous as possible because I do not want to identify the vendor or customer. I am an admin for a 3rd party Application Control software with a client with a concern: OS: Windows 10 1909, upgrading to 20H2 Some context: Automating Windows Upgrades. I use 3rd party software to manage the same software. Windows Updates work fine, as only a few execution control rules need to be created. Major OS Upgrades (1909 to 20H2, in this case) are largely blocked, which is by design since the Windows directory itself is protected. The customer has a strict governance on the software allowed/whitelisted. While my software has a specific mode that is designed for this type of upgrade, which by nature allows changes to be made to the system. Leaving the system in this mode longer than is required for the OS Upgrade is a security hole we need to avoid. We do this the Application to change to this mode in order to make the required changes to the OS. Currently, SCCM creates a custom variable that my software scans for, and then executes the change on the system(s), then creates another variable when the upgrade is complete to lock the system down again. I do not want to depend on SCCM for my deployments. I'm trying to remove an extra point of failure. All that leads to this ask: Is there any flag, change, or otherwise modification that occurs, with respect to Windows, before the upgrade? I'm effectively looking for something that I can detect or scan for reliably to automate changing modes from my own automation. Thank y'all for your time!WSUS plugin in WAC
Are there any plans to bring the WSUS console into WAC as a plugin, reflecting most of the features, including the ability to import updates? Most of the actions in the WSUS console should be underlying PowerShell commands, which would be the qualifying thing for this task, imho. There are still a lot of customers that rely on WSUS and do not leverage ConfigMgr (due overhead, licensing, TCO) or WuFB (cloud use restriction policies), missing ability of WuFB of managing Windows Server. I am not aware if WuFB can now also manage Windows Server 2012 and newer and gather the update status in a dashboard, as it does for Windows 10. If this is a limitation it should be considered to offer a single pane for free* of modern management as a whole pendant to WSUS. *eventually charging log analytics workspaceWindows 10 servicing office hours – May 14th
Our next "office hours" session will take place here in the Windows 10 servicing community on Thursday, May 14th from 8:00-9:00 a.m. Pacific Time. Join us to get answers to any questions you may have around managing updates for the remote devices in your organization, help with specific issues, and tips on how to increase update velocity. We'll have members of the Windows and Microsoft Endpoint Manager product and engineering teams on hand, as well as the FastTrack team. Save the date and see the Windows IT Pro Blog for full details.
