How to install an out-of-band Windows update

One of my customers came across a “weird” issue: one Windows update, KB5001567, refuses to show up in the WSUS console regardless of repeated synchronizations. With a little searching on the internet, I found it to be an out-of-band Windows update.

What is an out-of-band Windows update? To put it simply, “An out-of-band patch is a patch released at some time other than the normal release time. Microsoft, for example, normally releases patches on the second Tuesday of every month.”

There are three possible ways to install KB5001567.

| Release Channel | Available | Next Step |
|---|---|---|
| Windows Update and Microsoft Update | Yes | Go to Settings > Update & Security > Windows Update. In the Optional updates available area, you’ll find the link to download and install the update. |
| Microsoft Update Catalog | Yes | To get the standalone package for this update, go to the Microsoft Update Catalog website. |
| Windows Server Update Services (WSUS) | No | You can import this update into WSUS manually. See the Microsoft Update Catalog for instructions. |

For details, refer to – March 15, 2021—KB5001567 (OS Builds 19041.868 and 19042.868) Out-of-band (microsoft.com)

To install an out-of-band Windows update, another feasible alternative is to download and install it manually. Take KB5001567 for example. We can download it from the Microsoft Update Catalog site and then install it on each computer by hand or via GPO.

Demo steps –

  1. Create the folder C:\temp
  2. Download the update to the C:\temp directory (KB5001638 download path: http://download.windowsupdate.com/d/msdownload/update/software/updt/2021/03/windows10.0-kb5001638-x64_64937e493ea9574759536d4b2695c05dfa5543e3.msu )
  3. Expand the .msu file to extract the .cab file by running the command below in CMD:

    expand -F:* C:\temp\windows10.0-kb5001638-x64_64937e493ea9574759536d4b2695c05dfa5543e3.msu C:\temp

  4. Copy windows10.0-kb5001638-x64_64937e493ea9574759536d4b2695c05dfa5543e3.cab along with the other expanded files to a shared path (that is, copy all the extracted files)
  5. Use the following DISM command to install the update:

    dism /online /add-package /packagepath:\\<Shared-Path>\windows10.0-kb5001638-x64_64937e493ea9574759536d4b2695c05dfa5543e3.cab

If you want to use GPO to save effort when there are many computers –

  1. Create a bat file, put the command from step 5 in it, and save the file.
  2. Then use a GPO startup script to run the batch file. Refer to – Using Startup, Shutdown, Logon, and Logoff Scripts in Group Policy | Microsoft Docs
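
A PowerShell variant of that startup script, as an added example that is not part of the original post: it skips machines that already have the update, checks the package's Authenticode signature before installing it as SYSTEM, and logs the DISM result. The log location and the parameter names are assumptions; `<Shared-Path>` is the post's own placeholder.

```powershell
# Added example, not the post's own script. Intended to run as a GPO startup script (as SYSTEM).
param(
    # <Shared-Path> is the post's placeholder; replace it with the real share.
    [string]$PackagePath = '\\<Shared-Path>\windows10.0-kb5001638-x64_64937e493ea9574759536d4b2695c05dfa5543e3.cab',
    [string]$KbId        = 'KB5001638',
    [string]$LogFile     = "$env:SystemRoot\Temp\oob-update.log"   # assumed log location
)

function Write-Log([string]$Message) {
    Add-Content -Path $LogFile -Value ('{0:s} {1}' -f (Get-Date), $Message)
}

# Startup scripts run at every boot, so skip machines that already have the update.
if (Get-HotFix -Id $KbId -ErrorAction SilentlyContinue) {
    Write-Log "$KbId already installed; nothing to do."
    exit 0
}

if (-not (Test-Path -LiteralPath $PackagePath -PathType Leaf)) {
    Write-Log "Package not reachable: $PackagePath"
    exit 1
}

# The package is read from a network share and installed with SYSTEM rights,
# so require a valid Authenticode signature from Microsoft before installing it.
$sig    = Get-AuthenticodeSignature -FilePath $PackagePath
$signer = $sig.SignerCertificate.Subject   # $null when the file is unsigned
if ($sig.Status -ne 'Valid' -or $signer -notlike '*O=Microsoft Corporation*') {
    Write-Log "Signature check failed (status=$($sig.Status), signer=$signer); not installing."
    exit 2
}

# Same DISM call as in the post, plus /quiet and /norestart for unattended use.
& dism.exe /online /add-package "/packagepath:$PackagePath" /quiet /norestart
$code = $LASTEXITCODE

switch ($code) {
    0       { Write-Log "$KbId installed." }
    3010    { Write-Log "$KbId installed; restart required." }
    default { Write-Log "DISM failed for $KbId with exit code $code." }
}
exit $code
```

Keep the share read-only for everyone except the administrators who publish the package, because the signature check and the install read the file separately.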

Check Windows Update settings on a client

A local Group Policy setting will always be overwritten by an Active Directory Group Policy setting, and this can result in the Configuration Manager client failing to obtain software updates using Configuration Manager.

In order to check the WSUS server that the clients are contacting and also check for any GPOs affecting those clients, you will need to check the following aspects.

RSoP.msc on the client

Check the Computer Configuration > Administrative Templates > Windows Components > Windows Update
– Does it show the correct WSUS server?

Registry settings

Compare the following registry keys on the “problematic” machine with the same registry keys from a “working” machine:

HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\WindowsUpdate
HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\WindowsUpdate\AU

To check the values under these two registry keys, run the following in PowerShell:

Get-ItemProperty 'Registry::HKLM\Software\Policies\Microsoft\Windows\WindowsUpdate'
Get-ItemProperty 'Registry::HKLM\Software\Policies\Microsoft\Windows\WindowsUpdate\AU'

Active Directory Group Policy and SCCM settings

Check how WSUS is defined in the Group Policy (i.e., server name and port) versus how it is set in Configuration Manager (i.e., FQDN).

WUAHandler.log on the client

Check the WUAHandler.log for the WSUS URL used.

Enabling WUA Managed server policy to use server: http://wsussvr.contoso.com:8530

When an Active Directory Group Policy setting overrides the local Group Policy setting, you will see the following:

Group policy settings were overwritten by a higher authority (Domain Controller) to: Server http://newwsussvr.sccmpeek.com:8530 and Policy ENABLED WUAHandler
