5 Replies Latest reply on Oct 25, 2019 12:36 AM by palinxy

    Dealing with exclusive updates

    frgpugs

      How is everyone else dealing with exclusive updates these days? 

      It seems like we are getting more and more of them and they are breaking my update maintenance windows and causing me major headaches.  Running updates on the endpoints works fine.  Running updates via update maintenance wizard only works if I select install exclusive update or ignore exclusive update.  It seems to be only on Windows 10 machines this is happening.

        • Re: Dealing with exclusive updates
          jrouviere

          My suggestion is to set your tasks to ignore exclusive updates when it discovers them.  That way you will still update 99%+ of the updates and be behind only one update when it happens and you will need to set up a separate ad-hoc task to handle that update.  You can discover this via reporting or your patching percentage dropping from 100% to 99% if you're that current on your updates.


          The issue is that the default task behavior is to fail entirely if an exclusive update is available.  As you mentioned you can change this and only install the exclusive update, or my suggestion which would be to ignore the exclusive update and install all other updates.

            • Re: Dealing with exclusive updates
              frgpugs

              The problem is that I have the AU settings done via GPO, so I have several target groups in WSUS for, like, a test group, no Java, etc., and then on Friday I approve all the updates we have tested to the general population, and then the AU settings are set to 6pm daily, so they will install any updates.  Servers get updates on Saturday at 5 or 6 depending on the OU they are in.  With this setup, there is no task; it's all automated and hands off.  Are you suggesting to make tasks for each patch cycle and not use AU?

                • Re: Dealing with exclusive updates
                  jrouviere

                  Not necessarily.  My suggestion is based off of my experience of when this issue typically comes up, which typically involved using the scheduled updates; my bad assumption in this case.  Really at that point, if you're not using Patch Manager to deploy the updates, then it's a Microsoft WSUS topic entirely:


                  How do you work updates that have to be installed exclusively into your update schedule?


                  The suggestion seems to be:  Patch more than once a month or create a patching plan separate from typical patches.  For example, if you approve your Exclusive Updates separate from your Patch Tuesday updates (this article is a little out of date, but suggests that the Exclusive updates don't typically appear on Patch Tuesday) then they will be installed on a subsequent patching schedule.  Or, you can create a task specifically to handle it in Patch Manager or some other tool or task that you would like to use to handle it one off.


                  I checked the group policy settings to make sure I wasn't missing anything about exclusive update handling and didn't find anything to review.  WSUS is mostly just a repository so the exclusive update handling is going to be more about process than settings.  When you approve the update and when your updates are scheduled to install will have more impact than settings that you have to handle update installation.


                  Here's another example from Lawrence where he talks about setting up multiple groups and moving the machines between groups as a possible solution:


                  Install all patches via WSUS in one session


                  The goal being the exclusive update is the only thing approved and to be installed for that group, once the update happens, move the machines back to the typical group to receive the rest of their approved patches.

                    • Re: Dealing with exclusive updates
                      frgpugs

                      That's what I was afraid of; it seems like a rotten process.  What stinks is the PCs know how to deal with exclusive updates on their own: if you just go and click Check for updates, it all works out fine.


                      The problem I have is I think these do come out on Patch Tuesdays now and they don't announce it (or at least I can't find it easily) when they are exclusive, so even after I approve the updates for the non-test group, the AU settings should be installing updates every day at 6am and 6pm, but they fail because it has an exclusive update.  I don't get why the PC can figure it out but WSUS can't.


                      If these manual shenanigans are needed to get this done, then I guess it's just the future and I have to spend a lot more time dealing with patches, but I really hope someone out there has a better idea or process.

                        • Re: Dealing with exclusive updates
                          palinxy

                          This also recently became a problem for us due to the number of exclusive updates coming through with the later Windows versions.  We patch 1 month behind Patch Tuesday, so we approve all security and critical updates that are 1 month old, and we run a Patch Manager report that shows the updates for the month and filters only exclusive updates (Installation Behavior: Impact does not equal Normal).  If there are any exclusive updates to install, we manage these separately by running another patching job to just handle these updates; from experience these updates don't require a reboot.  Then we just continue with our other patching jobs to handle the normal patches.  This is working well for us.
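The two process ideas in this thread (palinxy's report filter on the update's Installation Behavior Impact, and jrouviere's "approve the exclusive update only for a separate group" approach) can both be done straight against the WSUS administration API, without Patch Manager. The script below is an added example written for this page; it is not SolarWinds or Microsoft code and not something any poster here ran. It uses the documented Microsoft.UpdateServices.Administration API (AdminProxy, UpdateScope, IUpdate.InstallationBehavior.Impact, IUpdate.Approve, IUpdateApproval.Delete). The server name, port and the two target group names are placeholders and must be changed for your environment; the script assumes it is run on the WSUS server (or a machine with the WSUS administration console installed) by an account that is a WSUS administrator.

```powershell
# Added example, not from the thread. Finds updates that WSUS flags as
# RequiresExclusiveHandling among the updates already approved for a "normal"
# target group, reports them, and (optionally) moves their approval to a
# dedicated group so they land on their own patching run.
# Placeholders (assumptions, adjust for your environment):
$ServerName     = 'wsus.corp.example'    # placeholder WSUS host
$UseSsl         = $false
$Port           = 8530                   # 8531 when $UseSsl is $true
$NormalGroup    = 'Workstations'         # group that gets the regular Friday approvals
$ExclusiveGroup = 'Exclusive Updates'    # group used only for exclusive-handling updates
$ReportOnly     = $true                  # set $false to actually move the approvals

[void][System.Reflection.Assembly]::LoadWithPartialName('Microsoft.UpdateServices.Administration')
$wsus = [Microsoft.UpdateServices.Administration.AdminProxy]::GetUpdateServer($ServerName, $UseSsl, $Port)

$groups    = $wsus.GetComputerTargetGroups()
$normal    = $groups | Where-Object { $_.Name -eq $NormalGroup }
$exclusive = $groups | Where-Object { $_.Name -eq $ExclusiveGroup }
if (-not $normal)    { throw "Target group '$NormalGroup' not found on $ServerName" }
if (-not $exclusive) { throw "Target group '$ExclusiveGroup' not found on $ServerName" }

# Scope: updates whose latest revision is approved for the normal group.
$scope = New-Object Microsoft.UpdateServices.Administration.UpdateScope
$scope.ApprovedStates = [Microsoft.UpdateServices.Administration.ApprovedStates]::LatestRevisionApproved
$scope.ApprovedComputerTargetGroups.Add($normal)
$approved = $wsus.GetUpdates($scope)

# Same property the Patch Manager report filters on ("Impact does not equal Normal");
# the value that makes a scheduled AU install fail is RequiresExclusiveHandling.
$exclusiveImpact  = [Microsoft.UpdateServices.Administration.InstallationImpact]::RequiresExclusiveHandling
$exclusiveUpdates = @($approved | Where-Object { $_.InstallationBehavior.Impact -eq $exclusiveImpact })

if ($exclusiveUpdates.Count -eq 0) {
    Write-Host "No exclusive-handling updates are approved for '$NormalGroup'."
    return
}

# Report: title, KB numbers, the reboot behaviour WSUS records, and when it arrived.
$exclusiveUpdates |
    Select-Object Title,
                  @{ Name = 'KB';     Expression = { $_.KnowledgebaseArticles -join ',' } },
                  @{ Name = 'Reboot'; Expression = { $_.InstallationBehavior.RebootBehavior } },
                  ArrivalDate |
    Format-Table -AutoSize

foreach ($update in $exclusiveUpdates) {
    if ($ReportOnly) {
        Write-Host "Would move approval of '$($update.Title)' from '$NormalGroup' to '$ExclusiveGroup'"
        continue
    }
    # Drop the approval that makes the normal group's scheduled install fail ...
    foreach ($approval in $update.GetUpdateApprovals($normal)) { $approval.Delete() }
    # ... and approve it only for the dedicated group.
    [void]$update.Approve([Microsoft.UpdateServices.Administration.UpdateApprovalAction]::Install, $exclusive)
    Write-Host "Moved approval of '$($update.Title)' to '$ExclusiveGroup'"
}
```

Run it with $ReportOnly left at $true first: the table is the equivalent of palinxy's monthly report and shows, per update, whether WSUS expects a reboot. With $ReportOnly set to $false it does the approval half of jrouviere's process; moving machines into the exclusive group for that run and back afterwards is still a separate step.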