updates
14 Topics

Windows update fails on Windows Store?
Now, all Microsoft apps are checking for updates; at times they would download, or be stuck checking for install, or loop downloading some info and then become stuck. In order to resolve it I would have to go into Services and restart the Microsoft Store Install Service; then it would update the apps with no issue. I ran the troubleshooter for that tonight as well in hopes of resolving this issue, but given how many users are having issues with Windows S mode on the Store recently, does anyone else have similar issues?

Announcing FSLogix release changes and Windows multi-session updates in Azure Marketplace
Starting on August 8th, 2023 (patch Tuesday), Windows multi-session images will come with the latest version of FSLogix already installed. This means that you can skip the hassle of installing or updating FSLogix on your virtual machines and enjoy its amazing features right away.

Multiple devices unable to connect to Windows Update
I have now seen 8 devices that are unable to connect and download Windows Updates. They vary between Windows 10 and Windows 11 and all started in the past month. When trying to run updates I am given the error in the image attached. I have tried the following to solve the issue but have not had any luck:

- Restarted the Windows Update service from Services
- Run the Windows Update Troubleshooter
- Changed the DNS servers
- Deleted the SoftwareDistribution folder (after using net stop wuauserv, cryptSvc, bits, msiserver, deleting SoftwareDistribution, then net start wuauserv, cryptSvc, bits, and msiserver)
- Run SFC
- Run DISM
- Uninstalled the three updates that were available to uninstall (thinking something in one of them failed and caused this)
- Reset Windows Update components (https://www.tenforums.com/tutorials/24742-reset-windows-update-windows-10-a.html)
- Disabled Proxy in Network and Internet
- Run Windows Store Reset (WSRESET.exe)

None of the above has helped. Does anyone have any other ideas other than reimaging the device?

BITS Downloading App updates from unknown endpoint
Hi, our IDS started freaking out today because a large number of our endpoints started initiating BITS downloads to an unknown endpoint. My initial reaction was ransomware, but after further investigation it appears that these BITS downloads are updates for Windows Store apps. I am making this post to confirm that these endpoints are indeed official Microsoft endpoints. The BITS requests I had seen were all for the Limelight Networks CDN (llnwd[.]net), which I have heard hosts content for a lot of MSPs, one of which is Microsoft. Checking the logs, it appears that our workstations have never made BITS requests to this CDN. All previous BITS updates were carried out using official microsoft.com endpoints. The following are some examples of the domains seen in the BITS requests:

ic-c39e4900-0f7065-msftstoretlu19.s.loris.llnwd[.]net
ic-c39e4900-0d5ab5-msftstore19.s.loris.llnwd[.]net
ic-c39e4900-08b3f9-msftstore19.s.loris.llnwd[.]net
ic-c39e4900-0700f8-msftstore19.s.loris.llnwd[.]net

Although all my investigations point to these being official Microsoft endpoints, I am worried that a CDN is being used because a malicious actor could easily mangle the URLs to make them look like official Microsoft ones. Is this the correct place to confirm that the above sub-domains are official Microsoft, and if not, where should I ask this question instead? Thanks

Guidance on Security-only Updates and Extended Security Updates, potentially save costs on ESU
Motivation

Today I would like to post about questions I get asked frequently by customers. This guide explains the benefits of using "Cumulative Updates", which have a different name in down-level OS. In other Microsoft products they are also abbreviated as "CU". It will cover certain aspects of Extended Security Updates, which are vital for organizations that must run down-level operating systems and Microsoft products. This guide also includes references that are still relevant but spread across different documentation and blogs; I hope aggregating them here helps you to find relevant and related information quickly.

What do I consider a down-level product?

Products that have not only reached extended support but also end of service, and which are only serviced by exception or via Extended Security Updates (ESU). So, simplified, as of the time of posting, anything below Windows Server 2016, Windows 10, SQL Server 2016, Exchange Server 2013.

Reasons to stay on down-level products and downsides

Many organizations still rely on down-level versions, even for business-critical services. Some of these products still receive regular or occasional updates, so we still have to service them. The reasons that keep organizations from migrating to a newer product vary. Often there are dependencies between the use of a down-level OS and other Microsoft products in regard to hardware, like machines or appliances.

Benefits of using current OS / Microsoft products

- keeping OS and products current can significantly reduce costs for migrations
- less hassle with compatibility and compatibility matrixes
- they tend to be more secure or offer the latest security features
- they should offer compatibility with the latest hardware and offer the best performance and scalability
- they usually reduce servicing efforts through improved update methodology, improved servicing stack, reduced update size and update installation time (except Windows Server 2016, known issue)
- they often have updated or fewer dependencies
- it is often easier to find and access relevant and current documentation
- the number of IT pros and MVPs involved with the products is significantly higher
- in many cases they offer improved automation

Understanding the naming convention of updates

Naming convention for cumulative updates

The naming convention is not 100% consistent across products. Cumulative updates include security fixes and all bug fixes and product improvements for the same version and edition of an installed product. Here is a list of OS / product specific differences in regard to the naming:

- Windows 7, 8.0, 8.1: Monthly security and quality update
- Windows Server 2008 R2, 2012, 2012 R2: Monthly security and quality update; Update rollups (rare)
- Windows Server 2016, 2019, 2022, Windows Server version (SAC), Azure Stack HCI: Cumulative Update; Dynamic Update (special purpose)
- Exchange Server 2013, 2016, 2019, [2022]: Cumulative Update (CU); Update Rollups (rare, but often foundational); Service Packs (rare, but foundational)
- SQL Server 2014, 2016, 2019, [2022]: Cumulative Update (CU); Update Rollup (rare); Service Packs (rare, but foundational)

Naming convention for Security Updates

- Windows 7, 8.0, 8.1: Security-only update
- Windows Server 2008 R2, 2012, 2012 R2: Security-only update
- Other products: Security Update

Know the important differences between several types of updates

"Monthly security and quality updates" as well as "Update Rollups" or Service Packs (both have become rare) are equivalent to cumulative updates in modern OS or other Microsoft products. The "Security-only" updates for Windows, as well as security updates for other products, are not cumulative, unless the naming convention states that it is a cumulative update. See above. Extended security updates are "Security-only" updates by design, meaning they are not cumulative.

Reasons to prefer cumulative updates

All modern Microsoft products have moved on to cumulative updates for many reasons:

- get up to date from any servicing state to the latest state consistently, reducing the number of installed updates and restarts; reduced or eliminated update dependencies
- simplified and consistent experience
- more transparent outcome
- testing / reproducibility in case of issues, also for Microsoft partners, ISVs, or Microsoft Support

Please let me explain why "Security-only" updates expose you to a higher risk of issues:

- Using "Security-only" updates carries the risk that one update might have been skipped, leaving security holes unfixed. Only the installation of a "Monthly security and quality update" from time to time can assure compliance here, or good inventory / SAM, which could cost more time and therefore money for reporting etc. The same applies if a "Security-only" update fails to install and this has not been monitored correctly.
- A "Security-Only" update will only address security issues, by definition. Sometimes the security fixes have side effects or create dependencies, which are fixed with the same or a later "Monthly security and quality update".
- From my experience, installing only "Security-Only" updates causes more issues compared to the full stack. We can only speculate about the reasons. It could be that Microsoft isn't using them broadly in its own infrastructure, or that the amount of telemetry is limited compared to the other updates.
- If a company decides to install "Security-only" updates, they are often very sensitive in other areas, too. This could be due to strict / narrow regulations they have to follow. They are less likely to be able or willing to send any telemetry, which means fewer issues reported to Microsoft etc. The cat bites its own tail here.
- In addition to the item before: From my experience, other Microsoft products (than the OS) and products from other vendors have caused more issues with Security-only updates in the past years compared to "Monthly Security and Quality Updates", as they "expect" and test against the Security and Quality updates. There could be other experiences about this.

Extended Security Updates

Extended security updates were first established with the end of life of Windows 7, Windows Server 2008 R2 and SQL Server 2008. Potentially due to feedback from customers and partners, possibly due to their own internal feedback, and not least due to telemetry, Microsoft introduced a novum in terms of servicing a product even after its servicing lifespan, at extra cost.

The distribution of ESU updates, next with Windows Server 2012 / 2012 R2, requires a license and an internet connection for activation. ESU updates are not available for download in the Update Catalog. So you can only retrieve them on computers that are successfully licensed and also fulfil further requirements.

Activating and managing ESU

The installation and activation, as well as reporting of the required activation keys, can be easily managed with the latest Microsoft VAMT, which is regularly updated as part of the Windows ADK. Many organizations, as well as Microsoft docs and blogs, still reference managing this with scripts or even manually using slmgr.exe, which I personally find quite cumbersome.

NOTE: I cannot confirm yet that the current versions of VAMT from the Windows ADK support the installation and activation of the Windows Server 2012 / 2012 R2 ESU keys. It might be that this needs an update of VAMT (uninstall / reinstall) at a later time to make it compatible. This was the case with Windows 7 / 2008 R2 ESU.

The ESU activation is a stacked activation. This means you cannot activate Y2 without installing and activating Y1, which of course requires the purchase of both licenses. The ESU activation is on top of and independent from the OS activation. ESU is a per-device activation; you may not use the following methods to activate ESU:

- KMS
- the modern version of KMS, ADBA (Active Directory based activation)

PRO TIP: The ADBA method is still very uncommonly used in many organizations. One of the main reasons, imho, is that it works only with Windows OS 8.0 or newer / Windows Server OS 2012 or newer and Microsoft Office perpetual 2013 or newer. So for many it was not worth bothering to look for an alternative or to remove KMS, due to dependencies on previous versions. In 2022, this might and should have changed now for many, when the oldest down-level version remaining is Windows 8.1 / Windows Server 2012 or Office 2013. If not, ADBA and KMS can coexist, if you still need KMS for some older products. Imho Microsoft also contributes to this situation, as docs.microsoft.com often relies on KMS as the primary method for activation, especially if you check the docs for Windows Server. ADBA is serverless and has no firewalling requirement. By contrast, AD join and a recurring connection to AD are required. VAMT from the latest ADK makes it very easy to bulk migrate from "legacy" KMS server to the modern ADBA, where technically appropriate, and to monitor the results. This means if you want to migrate to ADBA you have just gained an additional use case for VAMT, besides managing your ESU activation broadly.

How to save costs on ESU

1. Plan and migrate to newer products; consider in-place upgrades where appropriate
2. Don't hesitate to get help from Microsoft partners
3. Get an offer for new hardware from your preferred vendor or Microsoft partner

Wait, what? Even the cost of new hardware, licenses, migration efforts and monthly costs can effectively save costs on ESU? Yes, you got that right. This can happen. Azure Stack HCI monthly fees cover all costs for ESU for workloads running on the cluster. Inform yourself about the details. If your company runs a number of workloads with an OS or other Microsoft products that are qualified for ESU, such as SQL Server, and you have no plans to migrate in the near future, you should consider and calculate the costs of new hardware to migrate and host the workloads on-premises with Azure Stack HCI. It is a scalable solution for your on-premises datacenter or edge, starting from 2 nodes only, with no requirement for a hardware / virtual machine witness. In fact Azure Stack HCI is the most modern iteration of Hyper-V clustering, advanced virtual networking, software-defined storage (S2D), GPU acceleration and pooling, and monitoring, which is incomparable even to the latest feature set Windows Server 2022 has to offer. It receives improvements and more features on an annual schedule. The hardware, firmware and cluster are largely managed and monitored by great OEM plugins made for Windows Admin Center. Here is an example for DELL. Again, I am not advocating remaining on old products and even boosting them with new hardware, but if your transition is foreseeably not possible or slow, causing your organization predictable and accountable costs, this "bonus" should be a certain consideration. There is great content about Azure Stack HCI available on YouTube. On your current hypervisor like Hyper-V or VMware you can even create a virtual Azure Stack HCI cluster "lab" through nested virtualization. It will not be billed for 90 days, which gives you time to get familiar with the technical details and the look and feel compared to what you know about your current Hyper-V, VMware or other hypervisor solution.

Further references

Updates and terminology
- Further simplifying servicing models for Windows 7 and Windows 8.1 (microsoft.com)
- Comprehensive Update Overview and download links for SQL Server
- Understanding B, C, D week updates
- GUIDE: Where to find information about Windows Updates and release information (any version)
- Description of the standard terminology that is used to describe Microsoft software updates

Extended Security Updates and management
- Obtaining Extended Security Updates for eligible Windows devices
- FAQ about Windows 7 ESU
- How to get Extended Security Updates (ESU) for Windows Server

Volume Activation Management Tool (VAMT) from ADK
- Download and Install Windows ADK
- FIX: VAMT Database from Windows 11 & Windows Server 2022 ADK is inaccessible

Misc:
- Active Directory Based Activation (ADBA)
- Create Microsoft labs, including Azure Stack HCI

History: 04/02/2022 - initial post, some additions and corrections, formatting

Help with GPO/Update settings - Auto Download, Auto Install, Defer Reboot for specific day/time
Hi MS Tech Community family. I have been asked to set up a very specific update schedule using GPO whilst we seek other patching options. As far as I can tell this isn't possible using GPO; however, I hope someone can prove me wrong. I have been asked to set up the following:

- All updates, including optional ones, to automatically download
- All updates to automatically install
- Notify users that updates have been installed and are awaiting a reboot
- Remove the normal shutdown/restart options in the Start menu and replace them with Update & Shutdown/Restart when updates have been installed
- Do not automatically reboot the user machine until a specific day of the month/time (3rd Tuesday at 12 noon)

WUfB enabled with Update Baseline, No Notifications
We are piloting a group in our environment to switch to WUfB for servicing; previously we deployed updates from WSUS. All our endpoints are currently on Windows version 1803 and joined to a local AD DS domain managed by ConfigMgr. We have deployed Update Baseline in its default configuration via group policy and set up a WUfB policy deployed from ConfigMgr. Devices now appear to be updating as expected and are automatically downloading and installing 20H2 directly via WUfB. However, we have yet to see any notifications, toasts, or engaged restart banners for users that have made it past the initial automatic installation and are awaiting a restart. Windows Update shows the following:

Users are able to initiate the restart themselves; however, none of our desktops that have been left online overnight appear to be restarting automatically. These devices all appear to be set to the default active hours of 8:00 AM to 5:00 PM and have no logged-in users. I see that the registry key HKLM\SOFTWARE\Microsoft\WindowsUpdate\UX\Settings\EngageReminderLastShownTime appears to be set to a time earlier today; however, this computer has no toast notifications to be seen. Are there any additional settings we should ensure are enabled in order to ensure devices are restarting when possible and notifications are being shown to users? Any advice here would be greatly appreciated!

3rd party Whitelisting Application Control and Windows OS Upgrades from SCCM
Hello everyone! I am being as ambiguous as possible because I do not want to identify the vendor or customer. I am an admin for a 3rd party Application Control software, with a client with a concern:

OS: Windows 10 1909, upgrading to 20H2

Some context: Automating Windows upgrades. I use 3rd party software to manage the same software. Windows Updates work fine, as only a few execution control rules need to be created. Major OS upgrades (1909 to 20H2, in this case) are largely blocked, which is by design since the Windows directory itself is protected. The customer has strict governance on the software allowed/whitelisted. My software has a specific mode that is designed for this type of upgrade, which by nature allows changes to be made to the system. Leaving the system in this mode longer than is required for the OS upgrade is a security hole we need to avoid. We do this by having the application change to this mode in order to make the required changes to the OS. Currently, SCCM creates a custom variable that my software scans for and then executes the change on the system(s), then creates another variable when the upgrade is complete to lock the system down again. I do not want to depend on SCCM for my deployments; I'm trying to remove an extra point of failure.

All that leads to this ask: Is there any flag, change, or other modification that occurs, with respect to Windows, before the upgrade? I'm effectively looking for something that I can detect or scan for reliably to automate changing modes from my own automation. Thank y'all for your time!