Jul 24, 2017 Jim Bezdan

Demystifying Patch Management Q/A


When you put two experts together for a webinar, it’s basically like looking into a crystal ball: you get instant clarity for present and future matters.

With their combined knowledge about real-life issues, Jim Bezdan and Dave Fuller provide valuable advice and direction about patch management. In case you missed it, the full recording is available here. Below you’ll find answers to some questions the audience posed to Jim and Dave along with their responses.

Question: ConfigMgr works in conjunction with Windows Update. We seem to have to repair Windows Update on many devices. Are you aware of a way to keep it updated silently?
Answer: Microsoft has defined a process, outlined here, for resetting Windows Update components. As for automation, the tasks outlined in the article have been compiled into a script that is available in the TechNet Script Center here. The challenge is automating the detection of issues so the script can be triggered to run automatically. One option would be to create a Configuration Item that detects the various status message errors around the failures, then executes the fix.
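
One way to structure the detect-then-fix Configuration Item described above, as an added PowerShell example that is not from the webinar or the TechNet script. It assumes detection from the Windows Update Agent's own install history rather than ConfigMgr status messages; the thresholds and function names are assumptions, and the remediation covers only the service stop, cache folder rename and service restart steps of the reset.

```powershell
# Added example: discovery and remediation logic for a ConfigMgr Configuration Item.
# $LookbackDays, $FailThreshold and both function names are assumptions.
$LookbackDays  = 7    # assumed: how far back to look for failed installs
$FailThreshold = 3    # assumed: failures in that window that mark the agent unhealthy

function Test-WindowsUpdateHealth {
    # Discovery: returns 'Compliant' or 'NonCompliant' for the CI compliance rule.
    try {
        $searcher = (New-Object -ComObject Microsoft.Update.Session).CreateUpdateSearcher()
        $total = $searcher.GetTotalHistoryCount()
        if ($total -eq 0) { return 'Compliant' }

        # History entry dates are reported in UTC.
        $cutoff = (Get-Date).ToUniversalTime().AddDays(-$LookbackDays)
        $failed = @($searcher.QueryHistory(0, [Math]::Min($total, 200)) |
            Where-Object { $_.Date -ge $cutoff -and $_.ResultCode -eq 4 })  # 4 = Failed

        if ($failed.Count -ge $FailThreshold) { 'NonCompliant' } else { 'Compliant' }
    }
    catch {
        # An agent whose COM API does not answer is itself a failure signal.
        'NonCompliant'
    }
}

function Repair-WindowsUpdateComponents {
    # Remediation: stop the update services, set the caches aside, start the services.
    $services = 'bits', 'wuauserv', 'cryptsvc'
    $stamp    = Get-Date -Format 'yyyyMMddHHmmss'
    $caches   = "$env:SystemRoot\SoftwareDistribution", "$env:SystemRoot\System32\catroot2"

    Stop-Service -Name $services -Force -ErrorAction Stop
    try {
        foreach ($dir in $caches) {
            # Rename instead of delete so the old cache can be inspected or restored.
            if (Test-Path $dir) {
                Rename-Item -Path $dir -NewName "$(Split-Path $dir -Leaf).$stamp"
            }
        }
    }
    finally {
        Start-Service -Name $services   # bring the services back even if a rename failed
    }
}

# The CI discovery script ends with this call; the remediation script
# calls Repair-WindowsUpdateComponents instead.
Test-WindowsUpdateHealth
```

The compliance rule compares the returned string to `Compliant`, and remediation runs only on devices that report otherwise.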

Question: About SCCM and server update, does the option “no reboot” really work? Or does it just delay it?
Answer: It is used to prevent an automatic restart. Many updates have to replace files that are locked because they are in use by the operating system, so the only way for the update to take effect is to restart the system. The option lets you restart the system when it is convenient for the business.

Question: In the beginning, you were talking about cumulative and delta updates for Windows 10. But halfway through you suddenly introduce the Quality updates? What is the difference there?
Answer: Yes – it is a bit confusing! The Microsoft Update Catalog defines the monthly cumulative updates as a ‘Cumulative Update’ for Windows 10 and a ‘Security Monthly Quality Rollup’ for the older operating systems. These are the titles you will see in WSUS, Configuration Manager and other patch management solutions. Microsoft product marketing is using the term ‘Quality Update’ to refer generally to OS fixes in contrast to ‘Feature Upgrade’, which is an upgrade to a new version of Windows 10.

Question: Do we have any plan for Windows Servicing with SCCM?
Answer: You might want to check out Troy Martin’s webinar from April.

Question: Can an organization use Windows Update for Business with ConfigMgr or WSUS? We don’t want WUfB pulling updates directly from Microsoft over the internet instead of using internal (WSUS) servers to get updates.
Answer: An organization can use WUfB with Configuration Manager or WSUS, but you are then only deploying other application updates from CM and WSUS; the Windows 10 Quality (security + other fixes) and Feature (upgrades) updates will come from Microsoft. This week we will be publishing a blog post detailing these aspects of WUfB, with more information on this specific issue along with the pros and cons of using WUfB with Configuration Manager or WSUS.

Question: Does OMS require an organization to have an Azure account? And does it cost anything?
Answer: The Update Compliance dashboard is a component of OMS and requires an Azure subscription for which there is a cost.