Not all patches applying

Hello-
This is my first patch week since installing BigFix Patch. I’ve done some testing and had similar issues to what I’m about to describe, but it didn’t really strike me as an issue, until now when the February updates were released and I’m patching in production.

What happened was, I selected two updates,
00-9293: MS19-FEB: Servicing Stack Update for Windows Server 2016 - Windows Server 2016 - KB4485447 (x64) and
00-9294: MS19-FEB: Cumulative Update for Windows Server 2016 - Windows Server 2016 - KB4487026 (x64)

I created a default action against two 2016 servers that needed them and requested a reboot 1 minute after the task is complete. (the whole reason we moved to BigFix, to patch and reboot 2016 servers)

Well, one server installed both patches and rebooted but the other installed only one patch, and ignored KB4487026 and when I look at the summary, it states it’s not relevant. But it IS relevant, and it’s sitting there in Windows Update available to be installed via WSUS (WSUS still running as patching solution backup) and both these test 2016 VMs are exactly alike.

Why is it doing this, and is there anything I can do to fix it? Otherwise, I’m thinking BigFix isn’t our solution moving forward.

Thanks in advance for any help!

Chris

I’d check whether the server is relevant for any other fixlets that may shed some light.

In particular, there is a case where, if a system installs both the monthly Cumulative update and the Delta update without rebooting in between, the system may bluescreen at bootup. This has been occurring in Microsoft’s patches for almost two years now, with nothing on the MS side to block the installation.

The BigFix team worked around it by adding fixlet logic to ensure your system will only be relevant for the Delta update or the Cumulative update, but not both. If the system is current up to last month’s patch set, it will be relevant for only the new Delta update, and not for the Cumulative. If your system is patched to a level older than last month’s, it will be relevant to only the Cumulative update.

Net result is you need both the Delta and Cumulative rollups in your baseline. Your hosts will only download and execute the one relevant to them.

The easiest way to select patches for a new baseline is to view a Computer Group (which you could make for ‘All Computers’), and check the Applicable Fixlets and Tasks pane. That’ll show all the fixlets that can be applied to at least one member of the computer group.

(Edit: I haven’t checked this month specifically. I know Delta Updates are supposed to end this February but not sure whether this month saw the last delta, or the first month without a delta).

Thanks for the reply.

No deltas have ever been applied to either server or in our environment.

Not sure what is going on, but that second patch is definitely needed.
No matter what I try, BigFix won’t see it as relevant.

Chris

If your WinServer 2016 is sitting on the update from January 8th (build version 2724), then the cumulative update won’t be relevant. For the WinServer 2016 patches along with other Win10 and WinServer OS, we have delta updates and cumulative updates. Delta updates are much smaller in size compared to cumulative updates and delta updates are required month to month and only cover the differences while the cumulative updates cover everything but are much larger in size.

Two things that you can do to resolve this issue:

  1. Check to see if the delta update for WinServer 2016 is relevant for that device (fxID: 448702603)
  2. Check the build version of that WinServer 2016 by looking at the registry key “HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion” for its UBR value. If it’s sitting on 2724 (the build version from the January update), then the cumulative will not be relevant but the delta will.

Hope this helps!

2 Likes

You can also type “winver” at the command prompt to pull up a dialog with the build version. A bit more convenient than pulling up the registry editor. :)

Generally, you should add both the Cumulative and its corresponding Delta to your baseline. Systems that can apply the Delta will have less to download and of course, the systems that cannot will take the Cumulative. As JasonWalker mentioned, there is logic built into the fixlets so that the Cumulative and its corresponding Delta are not relevant at the same time for a given device.

If you don’t want to use Deltas at all, you can set the following client setting on your targeted endpoints.

_BESClient_WindowsOS_ApplyCumulativeUpdateOnly = 1

This setting will switch off the relevance on the Delta fixlet and cause the Cumulative fixlet to be relevant.

2 Likes
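
The UBR check and the client setting discussed in this thread, combined into one PowerShell script. This is an added example, not part of any post above and not BigFix's own tooling. It assumes PowerShell remoting is enabled on the targets; the host names are hypothetical, and the registry location of the BigFix client setting is an assumption to verify in your environment.

```powershell
# Added example (not from the thread): compare the UBR on several servers and
# report which rollup the fixlet logic described above should make relevant.
param(
    # Hypothetical host names; replace with the servers being compared.
    [string[]]$ComputerName = @('SRV2016-A', 'SRV2016-B'),
    # UBR left by the previous month's update; 2724 is the January value quoted above.
    [int]$PreviousMonthUbr = 2724
)

# Runs on each target: read the build revision and the cumulative-only client setting.
$probe = {
    $cv = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion'
    # Assumption: the BES client keeps its settings under this key on 64-bit Windows.
    $key = 'HKLM:\SOFTWARE\WOW6432Node\BigFix\EnterpriseClient\Settings\Client\' +
           '_BESClient_WindowsOS_ApplyCumulativeUpdateOnly'
    $setting = Get-ItemProperty -Path $key -Name 'value' -ErrorAction SilentlyContinue
    $flag = if ($setting) { $setting.value } else { '(not set)' }
    [pscustomobject]@{ Build = $cv.CurrentBuild; UBR = [int]$cv.UBR; CumulativeOnly = $flag }
}

$report = foreach ($name in $ComputerName) {
    try {
        $r = Invoke-Command -ComputerName $name -ScriptBlock $probe -ErrorAction Stop
        # The UBR comparison is only meaningful between hosts on the same Build.
        $expected = if ($r.CumulativeOnly -eq '1') {
            'Cumulative (Delta switched off by client setting)'
        } elseif ($r.UBR -eq $PreviousMonthUbr) {
            'Delta'
        } elseif ($r.UBR -lt $PreviousMonthUbr) {
            'Cumulative'
        } else {
            'Newer than last month; check installed KBs'
        }
        [pscustomobject]@{
            Computer = $name; Build = $r.Build; UBR = $r.UBR
            CumulativeOnly = $r.CumulativeOnly; ExpectedRelevant = $expected
        }
    } catch {
        # Keep unreachable hosts in the report instead of silently dropping them.
        [pscustomobject]@{
            Computer = $name; Build = $null; UBR = $null
            CumulativeOnly = $null; ExpectedRelevant = "query failed: $($_.Exception.Message)"
        }
    }
}

$report | Format-Table -AutoSize
```

Two servers that look "exactly alike" but report different UBR values explain why one sees the Cumulative as relevant and the other does not.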