December Patch Tuesday Frequently Asked Questions
As the final Patch Tuesday of the year draws to a close, we offer you the most frequently asked questions from the analysis webinar this month. And as a special holiday surprise, on this webinar we announced we’re offering an easier way to attend Patch Tuesday webinars in the future. To register for all upcoming Patch Tuesday webinars in 2019, simply fill out this form.
Q: How do I sign up for all 2019 Patch Tuesdays?
A: This is the page where you can register for all Patch Tuesdays in 2019.
Q: I have October Monthly update for Windows 7/2008R2 (KB4462923) on my workstations. I tried to install the December update KB4471318 but got error code 8000FFFF and failed. Any recommendations?
A: I would recommend installing KB3177467, the most recent servicing stack update for Windows 7. Customers with these deployment failures have reported success around this, but it appears to depend on the specific endpoints.
Q: When will you be releasing RSAT for Windows 10 1809 in patching?
A: RSAT is no longer a separate installer for 1809, but rather a “Feature on Demand” as stated in their download center link.
Q: The patch deployment on Windows server 2016 1607 monthly security patches deploy very slowly, up to four hours. Would the changes in 1809 help resolve these issues or is there another solution to improve the patch speeds?
A: Patches for Windows 10 1809/Server 2019 have adopted a new patching strategy which is much faster to deploy compared to Server 2016. These changes, however, have not come down to earlier builds. We have noticed the same substantial deployment times for Windows 10 1607/Server 2016 and have not found any major workarounds here.
Q: Is there an easy way in Ivanti Patch to apply the service stack update, reboot, and then apply the rest of the patches?
A: The best way to ensure install order would be to create two different deployments with the first including the servicing stack update. For simplicity, we have noticed that the servicing stack update has not required a reboot in nearly all of our tested deployments, so ideally two reboots will not be required.
Q: Will Microsoft ever allow the no reboot command? Seems like no matter what ‘no reboot’ command you input, their updates always trigger a reboot.
A: In our testing, we have found that nearly all security updates require a reboot. Inserting the “no reboot” command only ensures that the endpoint does not immediately reboot on patch completion. In most of these cases, critical files will not update until that reboot is performed, so make sure to block off time to ensure your systems remain secure and stable.
Q: Does Ivanti have support for express patching where it makes a differential update of the cumulative update for less download/install time impact?
A: We do not have support for express patching as Microsoft has kept that functionality behind SCCM. Our products do include a delta update between Patch Tuesdays for 1607, 1703, 1709, and 1803 which is much smaller than the full cumulative and should help with install times.
Q: What would be the recommend way to deploy Window 10 Service Pack 1809 to about 30 computers through Ivanti Patch for Windows Servers Standard 9.3.0 Build 4510?
A: You can find our tutorial here. Aside from what is here, we recommend ensuring your drivers are up to date, particularity intel chipset and audio drivers, as we have read about some stability issues from 1809 specifically.
Q: Can you use Landesk Patch Management to upgrade Windows 10 (1803) to Windows 10 (1809)
A: We do offer a definition around that; here’s a document detailing that.