Friday, October 28, 2016

Windows 10 Cumulatives and ConfigMgr SUP Supersedence

With version 1607 of Windows 10, Microsoft is being pretty responsive and aggressively releasing cumulative updates outside of Patch Tuesday. Since its release on August 2nd there have been 9 cumulatives. For September 2016 there were 3. August 2016 had 4. October has 2 so far. Hate them or love them (I love them), this can throw off your patching cycles in ConfigMgr depending on how you have the SUP configured.

The SUP has a setting that controls how it handles patch supersedence. In the console this is under Administration | Site Configuration | Sites. Right-click your primary site and choose Configure Site Components | Software Update Point. On the 'Supersedence Rules' tab you have a couple of options for how ConfigMgr handles supersedence.

The choice is extremely simple: either expire superseded updates immediately or wait a set number of months. Expiring immediately is great because it keeps your Software Update Groups and packages cleaner, so endpoints have less to process. Depending on your patch cycle, though, it doesn't work well for cumulatives.

Take September 2016 with a pretty commonly used monthly patch cycle as an example:

  • 09.13 - Cumulative released (Patch Tuesday)
  • 09.15 - Patches sent to patch testing endpoints
  • 09.20 - New Cumulative released and previous expired
  • 09.20 - Patches sent to all endpoints
  • 09.29 - New Cumulative released and previous expired

With the first option, the cumulative patch released on 09.13 is removed on the 20th. As of that date you are NOT patching 1607 systems (with cumulatives at least) until you approve the newer cumulative. You thought you were patching 1607 systems when you pushed to the fleet on the 20th, but you were not; it's gone due to this setting.

To resolve this, change the setting to the second option, which delays the expiring process by the number of months you specify. With a monthly cycle, 2 or 3 months is probably the best option. Use a period longer than your patch cycle. I am choosing 3 months as I don't know how they are defining a month. The first of the next month? Or 30 days later? Etc.
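The September timeline above can be modelled in a few lines to compare the two supersedence rules. This is an added example, not part of the original post: the helper names `Get-ExpiryDate` and `Test-Deployable` are hypothetical, the release dates are taken from the timeline, and a "month" is assumed to be 30 days because the console does not say how it is counted.

```powershell
# Constructed sample data: September 2016 cumulative release dates from the timeline above.
$releases = '2016-09-13', '2016-09-20', '2016-09-29' | ForEach-Object { [datetime]$_ }

# Hypothetical helper: the date a cumulative expires under a given supersedence rule.
# Assumption: one "month" is modelled as 30 days.
function Get-ExpiryDate {
    param([datetime[]]$Releases, [int]$Index, [int]$WaitMonths)
    if ($Index -ge $Releases.Count - 1) { return $null }   # newest update, nothing supersedes it
    $supersededOn = $Releases[$Index + 1]                   # the next cumulative supersedes this one
    return $supersededOn.AddDays(30 * $WaitMonths)          # 0 months = expire immediately
}

# Hypothetical helper: is the cumulative at $Index still deployable on date $On?
function Test-Deployable {
    param([datetime[]]$Releases, [int]$Index, [int]$WaitMonths, [datetime]$On)
    $expiry = Get-ExpiryDate -Releases $Releases -Index $Index -WaitMonths $WaitMonths
    return ($null -eq $expiry) -or ($On -lt $expiry)
}

# The two deployment steps of the monthly cycle described above.
$cycle = [ordered]@{
    'Test ring  (09.15)' = [datetime]'2016-09-15'
    'Full fleet (09.20)' = [datetime]'2016-09-20'
}

# Compare "expire immediately" (0) with "wait 3 months" for the 09.13 cumulative (index 0).
foreach ($wait in 0, 3) {
    $label = if ($wait -eq 0) { 'Expire immediately' } else { "Wait $wait months" }
    foreach ($step in $cycle.GetEnumerator()) {
        $ok = Test-Deployable -Releases $releases -Index 0 -WaitMonths $wait -On $step.Value
        '{0,-20} {1,-20} 09.13 cumulative deployable: {2}' -f $label, $step.Key, $ok
    }
}
```

Under "expire immediately" the fleet push on 09.20 reports the 09.13 cumulative as no longer deployable, while the 3-month wait keeps it available for both steps.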

Additionally, you now have a new cumulative to send to your patch testing endpoints, since you have to start over with each new cumulative. This can cause some issues if you didn't plan on it, as this setting applies to any patch that expires, so other patches will remain around for this period if they become superseded. This also makes you rethink your patch cycle strategy. Do you stay on a monthly (or whatever) cadence or follow Microsoft's aggressiveness? One option is to create a specific Software Update Group with the latest cumulative and just make it optional vs. mandatory. There are lots of options here based on your environment. I wrote a little about Patch Testing here and how to automanage the members.

Additionally, Microsoft posts their Windows 10 Update History here. Great KB to keep up on.