Update: After doing a full-court press on this we were able to get Microsoft to address this officially. My thanks to Mary Jo Foley and Donna Ryan for helping make that happen.
Updating Windows 10, version 1903 using Configuration Manager or WSUS
Apparently Microsoft isn’t ready to talk about this yet so I guess I will. As you probably know, Microsoft recently released Windows 10 1903 as well as Server 1903 to their respective Semi-Annual Channels. What you may not know is that the updates for those pigs are now being released under new product categories: Windows 10, version 1903 and later and Windows Server, version 1903 and later.
Mkay, What Does that Mean
What that means is that the OS updates for the 1903 versions may not sync/apply/deploy/whatever if the technology you use to apply updates filters by the product category in any way. Every ConfigMgr or WSUS administrator on the planet will need to manually enable these new categories if they plan to deploy updates for them. Keep in mind that this is a software update metadata thing and is not tied to WSUS or ConfigMgr per se. Those tools simply consume the metadata from the updates. If you are using other tools (e.g. Symantec Management Platform, PDQ, BigFix) then you will want to take note and review your processes to see if you need to make changes.
You’re Wrong, It Doesn’t Work That Way
I’ve had a few people argue with me on this whole thing as if I was trying to be alarmist for no reason. They reminded me that all Windows 10 updates are always released under the Windows 10 product category. That’s the whole point of this PSA. This is how Microsoft has released updates since the very first release of Win 10. Until now. With 1903 they have changed this by creating version-specific product categories. Don’t believe me? Go sync whatever tool you use and look at the list of product categories. Here are screenshots from ConfigMgr showing the new categories:
You’re Wrong, I Already Deployed 1903
Well look at you Mr/Ms/Mrs fancy-pants … living on the bleeding edge. Indeed you may have but that’s not relevant here. The Feature Updates used to update existing systems to 1903 were published under the existing Windows 10 product category (see image below). The problem is that the monthly updates for the 1903 release are not. So you may be able to deploy 1903 but you can’t patch it. That’s what we in the industry like to call ‘bad’.
Why Is This A Problem?
It’s a problem because if you aren’t syncing updates for these new product categories then you’re not patching them. What’s worse is that if you miss this, deploy 1903, but don’t enable these new product categories you may never know until bad things happen. See, if you don’t sync these new product categories then the updates aren’t in your WSUS/ConfigMgr update catalog (other tools may vary). If the update isn’t in your catalog then your devices can’t scan for them. If your devices can’t scan for them then they can’t report them as needed. The end result: all your 1903 devices will report fully patched/compliant because no updates were detected as needed. Again, that’s double not good.
Who Would Do Such a Thing?
I actually applaud this change. As I’ve talked about before, there is huge value in keeping your WSUS catalog small. The Windows 10 product category currently has 263 updates in it not counting Feature Updates. The new Windows 10, version 1903 and later product category has 26. Importantly, there’s no reason that should grow much beyond that number over time as older cumulative updates are expired. Further, when you retire a version from your environment you can now disable it and those updates will be removed from your catalog.
This is the ‘right thing to do’ from a technical standpoint. The problem is simply one of messaging. Every patch admin on the face of the planet needs to be aware of this change. I don’t know how you do that but I do know it’s not with complete radio silence.
Fine, Just Tell Me What To Do!
The good news is that the action you need to take is very simple and straightforward. If/when you deploy the 1903 versions of either Windows 10 or Server you need to also enable those products in your patching tool. It’s not hard, you just need to know to do it and knowing is half the battle. In this case, it’s really 99% of the battle because clicking a checkbox ain’t hard people … come on.
If you are using ConfigMgr and Automatic Deployment Rules (that Venn diagram should be a perfect circle) make sure you add these categories to any Product filter as necessary.
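For a stand-alone WSUS server, the check and the fix can be scripted. This is an added example, not from the original post or from Microsoft: it reports whether the two new categories are selected for synchronization, and flags the silent-compliance case where clients already on a 1903 build are reporting to a server that does not sync their updates. Assumptions: it runs elevated on the WSUS server with the UpdateServices module present, `$Enable` is a hypothetical switch, and 18362 is the 1903 build number; with ConfigMgr, change products on the software update point instead of in WSUS directly.

```powershell
# Added example: audit (and optionally enable) the 1903 product categories
# on a stand-alone WSUS server. Run elevated on the WSUS server itself.
Import-Module UpdateServices

$Enable = $false   # hypothetical switch: set to $true to change the subscription

# Category titles as given in this post.
$needed = 'Windows 10, version 1903 and later',
          'Windows Server, version 1903 and later'

$wsus = Get-WsusServer
# Products currently selected for synchronization.
$enabledTitles = @($wsus.GetSubscription().GetUpdateCategories() |
    ForEach-Object { $_.Title })

# Clients that report a 1903 build (10.0.18362) to this server.
$clients1903 = @($wsus.GetComputerTargets() |
    Where-Object { $_.OSInfo.Version.Build -eq 18362 })

foreach ($title in $needed) {
    $product = Get-WsusProduct -UpdateServer $wsus |
        Where-Object { $_.Product.Title -eq $title }

    if (-not $product) {
        # Category metadata has not been synced yet, so there is nothing to tick.
        Write-Warning "'$title' is not in the product list; synchronize categories first."
    }
    elseif ($enabledTitles -contains $title) {
        Write-Output "OK: '$title' is enabled."
    }
    elseif ($Enable) {
        $product | Set-WsusProduct
        Write-Output "Enabled '$title'; updates appear after the next synchronization."
    }
    else {
        Write-Warning "'$title' is NOT enabled."
    }
}

# The failure mode described above: 1903 clients exist but a category is off,
# so they scan against a catalog with no 1903 updates and report compliant.
$missing = @($needed | Where-Object { $enabledTitles -notcontains $_ })
if ($clients1903.Count -gt 0 -and $missing.Count -gt 0) {
    Write-Warning ("{0} client(s) on build 18362 report here, but not enabled: {1}" -f
        $clients1903.Count, ($missing -join '; '))
}
```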
Cool, What About The Future?
Good question. Glad you asked. I have two questions going forward.
First, is the plan to use new version-specific product categories for each future release? I’m fine with that but the new 1903 categories both state ‘or later’ which is confusing if that were the case. Maybe someone was hedging their bets. If they do continue this trend though then you need to know that in addition to deploying the new version of the OS you need to enable the corresponding update category.
Update: I got word from the ConfigMgr product team that currently this is a one-time thing. This new category will be a single dividing line between pre-1903 and post-1903 updates. In other words, the plan isn’t to do this again.
Second, can we get the Feature Updates categorized in these new version-specific product categories as well? I really think that would solve a bunch of problems. That way, if you are getting the Feature Updates then you are getting the monthly (or better) updates as well. That would limit the damage. Plus, it would also help solve the communication problem as well. People know that a new version of Win 10 is being released and they will look for it. If they can’t find it they will work to figure out why. It’s really a win-win that I hope the Windows product team adopts. So if you know anyone of that persuasion please tell them for me.
EDITED TO ADD: It just occurred to me that this last thing really needs to happen. If FUs are left in the Windows 10 product category then you can’t ever deselect it which defeats the purpose of the category.
TL;DR
Go enable the new Windows 10, version 1903 and later and Windows Server, version 1903 and later product categories and if you’re using ConfigMgr Automatic Deployment rules add them there as well if you’re doing product filtering.
We caught that little bundle of joy as we were evaluating ADR results for 2020-01 Windows patches. This is akin to some needed updates having a new update classification: “None”. Problem is, you need those.
Yep, I remain concerned about how many organizations don’t know about this. Until I pushed like hell, Microsoft had zero plans to even state this publicly. Let alone the full-court ‘every admin in the world needs to know this’ press they needed to really do.
Lovely!!! Keep them coming 😉
Very good read!
“Your Wrong, It Doesn’t Work That Way” = it’s spelled “You’re”
And this is one of many reasons why you should jump out of bed at 11:30 at night and start writing a blog post. [Thanks]
OK, in your paragraph Fine, Just Tell Me What To Do! you say: “If/when you deploy the 1903 versions of Windows 10, or Server you need to also enable those products in your patching tool.” Since I have a personal laptop and use WSUS as my patching tool, WHERE WILL THE “LITTLE CHECKBOX” BE so I can click on Windows 10, version 1903 or later (particularly since it isn’t there now, because I haven’t gotten Windows 10, version 1903 yet)? Please have MaryJo publish this in her blog so all us WSUS users can click this checkbox once Windows 10, version 1903 installs.
Many thanks in advance for your prompt / complete reply thru MaryJo.
If you’re using stand-alone WSUS it will be in the WSUS console’s product selection.
Thank you Bryan for this article. If I check the version-specific product for Windows 10, version 1903… will this start deploying the feature update to 1903? I have existing 1903s that need the patches, but I do not want my existing 1803s or 1809s to start upgrading to 1903. This is a 2 hour upgrade. I use WSUS. Thanks,
Enabling the product will simply sync the updates. What they do after that is based on your auto-approval rules.
A quick check shows that the 1903 FUs are in _both_ the ‘Windows 10’ and ‘Windows 10, version 1903 and later’ product categories.
Thanks for the quick reply. I do not have any of the features updates approved, nor do I plan on it anytime soon – so these will not go thru automatic updates if I understand correctly?
To clarify, I only auto approve critical and security updates, so the feature updates do not belong to those two categories and will not get automatically pushed out. Thanks again,
Exactly. Whether they are automatically approved or not is purely up to your configuration.