MS17-AUG: Cumulative Update for Windows 10 Version 1703 - Windows 10 Version 1703 - KB4034674 (x64)

This fixlet doesn’t seem to be working correctly. I was surprised to see that it wasn’t relevant on many of our systems from within our baseline (though all Win10 versions of Flash seem to be relevant for a single version).

After BigFix patching was “successful” and I rebooted, I ran Windows update. There was KB403674 downloading and installing.

Anyone else seeing this?

PMR 57325,227,000.

I would check your WindowsUpdate.log for details on the BigFix install; you can also click the action link and check the exit code of the BigFix install of the patch. It’s possible it wasn’t actually successful, even though it reported completed.

For example, in my environment I’m seeing the following exit codes as an example, all with a BigFix action status of Completed:
0 (The operation completed successfully.)
1618 (ERROR_INSTALL_ALREADY_RUNNING)
3010 (ERROR_SUCCESS_REBOOT_REQUIRED)
-2145124329 (Operation was not performed because there are no applicable updates.)

The first three are pretty self-explanatory, but that last one is a lot more tricky to diagnose, and in my experience often includes deep diving to figure out why exactly the fixlet is showing relevant and/or troubleshooting the install itself.

TL;DR
Windows Updates is an extremely complicated process with lots of pitfalls.

BigFix never installed it because it shows as Not Relevant. This seems to be a straightforward relevance issue.

Fixlet ID: 403467401
Relevance 8 in Error:
not exists key "Package_for_RollupFix~31bf3856ad364e35~amd64~~15063.483.1.13" whose (value "CurrentState" of it as integer = 112) of key "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing\Packages" of native registry

Using QnA, Relevance 8 shows False, but when I run Windows Update, I see:

Aah, my mistake, for some reason I thought you were asking about a fixlet that failed to install.

This might be related to the recent change IBM made to the Cumulative and Delta updates; a month or two ago IBM changed it so that if you have the previous month’s Cumulative Update installed, that machine is only relevant for the Delta update.

Conversely, the Cumulative update is only available if a given machine does not have the previous month’s security updates installed.

Found it; check this thread for details on intended behaviour of Delta and Cumulative updates: June 2017 Microsoft patches - Delta vs Cumulative?

I’m familiar with the Delta updates and we absolutely do not deploy them (personally I think they’re a joke). The short version of the story is that the Fixlet shows False when it should be True. I’ve opened a PMR so we’ll see what happens. I’ll post any updates. Thanks!

Yep, agreed on the Delta updates especially since Microsoft doesn’t specifically make them exclusive with the Cumulative updates, thus potentially leading to double installs which can break a system.

Unfortunately, as a result of Microsoft’s decision on non-exclusivity built into the patch, IBM has chosen to make only the Delta update available for machines with the previous month’s security update installed. Again, if you check out the thread I linked you’ll find this is actually by design as of the last comment from @Jason_L 8 days ago.

Yes… That was the gist I was getting. Thanks for that. I sure hope it is 100% accurate in determining the correct fixlet to install. I’ll take extra bandwidth over BSD any time. :innocent:

Agreed entirely re bandwidth vs BSD. I would personally have preferred a Cumulative fixlet that has no default action but is applicable similar to the Delta patch, even if such a fixlet was in addition to the two existing CU vs Delta.
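
Added example, not part of the thread or of the fixlet itself: a PowerShell check that reads the same Component Based Servicing key that Relevance 8 above tests, so the clause can be compared against what is actually recorded on an endpoint. The registry path, package name and the CurrentState value 112 are taken from the relevance quoted in the thread; the variable names are illustrative, and the script assumes a 64-bit PowerShell session so that it reads the same view as "native registry".

```powershell
# Registry path and package name copied from Relevance 8 quoted in the thread.
$cbs    = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing\Packages'
$target = 'Package_for_RollupFix~31bf3856ad364e35~amd64~~15063.483.1.13'

# A 32-bit host may be shown a redirected registry view; relevance uses "native registry".
if (-not [Environment]::Is64BitProcess -and [Environment]::Is64BitOperatingSystem) {
    Write-Warning 'Running as a 32-bit process on 64-bit Windows; results may differ from native registry.'
}

# List every cumulative-update (RollupFix) package recorded by servicing,
# with its CurrentState, so superseding or older rollups are visible too.
Get-ChildItem -Path $cbs -ErrorAction Stop |
    Where-Object { $_.PSChildName -like 'Package_for_RollupFix~*' } |
    ForEach-Object {
        $state = $_.GetValue('CurrentState')
        [pscustomobject]@{
            Package      = $_.PSChildName
            CurrentState = $state
            State112     = ($state -eq 112)              # the value the fixlet treats as installed
            IsTarget     = ($_.PSChildName -eq $target)
        }
    } |
    Sort-Object Package |
    Format-Table -AutoSize

# Re-evaluate the clause itself:
#   not exists key "<target>" whose (value "CurrentState" of it as integer = 112)
# True  -> the fixlet considers the package not installed (clause passes).
# False -> the target package is recorded with CurrentState 112.
$key     = Get-Item -Path (Join-Path $cbs $target) -ErrorAction SilentlyContinue
$clause8 = -not ($key -and ($key.GetValue('CurrentState') -eq 112))

[pscustomobject]@{
    TargetKeyExists = [bool]$key
    CurrentState    = if ($key) { $key.GetValue('CurrentState') } else { $null }
    Relevance8      = $clause8
}
```

If `Relevance8` comes back False while Windows Update still offers the update, capture the package list from the first table alongside WindowsUpdate.log when following up on the PMR.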