Some WSUS Users Get Unbootable PCs After Microsoft Goof
Organizations using Microsoft's Windows Server Update Services (WSUS) tool to control Windows client updates may have ended up with dead PCs this week after a Microsoft release mistake.
Update 10/12: Microsoft today published workarounds here for the unbootable PCs resulting from installing Oct. 10 security updates KB4041676 or KB4041691. The problems didn't occur for users who get their updates from Windows Update or Windows Update for Business services. Microsoft has just found that some WSUS and System Center Configuration Manager users were affected. At press time, only scenario No. 3 contained workaround instructions. The fix involves a registry edit, among other steps.
WSUS users may have gotten unbootable PCs if they approved monthly patches alongside another bunch of patches that were labeled as "Delta Updates." In that scenario, after the updates get applied to the machines, the PCs will fail to boot, displaying an "Inaccessible Boot Device" message.
Possible remedies for this situation were described by Michael Nystrom, a Microsoft Most Valuable Professional, in this blog post today, although he noted that Microsoft's official advice is to contact Microsoft Support. Nystrom suggested it was a Microsoft goof that WSUS users even saw these Delta Updates:
This only affects systems that are managed through WSUS and the patches [were] approved at the same time as the "delta" updates also [were] approved. Those [Delta] updates [were] never intended to show up in WSUS, they should be deleted/declined. You should NEVER have Delta updates in WSUS. It was a "whoops" somewhere. But if they were approved, and distributed, and download[ed], and installed at the SAME time as the full patch, then you are affected.
WSUS users may have confused the Delta Updates with "Express Updates," which just deliver the changed bits, or "deltas," as described in this TechNet document. Both approaches are designed to reduce the bandwidth demands on networks from Microsoft's update process.
Michael Niehaus, director of product marketing for Windows Commercial at Microsoft, explained today at Ivanti's Patchmanagement.org list-serve forum that WSUS and System Center Configuration Manager (SCCM) users should want to use Microsoft's Express Update releases. The Delta Updates, on the other hand, were just designed for third-party independent software vendors (ISVs) that haven't implemented support for Express Updates. Niehaus added that Microsoft never wanted IT pros using WSUS or SCCM to see these Delta Updates.
The monthly Delta Updates, designed for ISVs, are available for Windows 10 versions 1607 and 1703, as well as the coming Window 10 version 1709 (the "fall creators update"), according to Microsoft's document, "Monthly Delta Update ISV Support Without WSUS," which describes the Delta Update process. However, Microsoft will stop delivering these Delta Updates after the fall creators update release, which is scheduled for Oct. 17. ISVs will have to use deployment tools that have support for Express Updates, going forward, to get the benefits of receiving smaller update packages from Microsoft, the document explained.
Kurt Mackie is senior news producer for the 1105 Enterprise Computing Group.