Win10 LTSB updates and regular versions of Win10

Win10 LTSB updates and regular versions of Win10

Postby Moopere » 21.04.2018, 05:56

I did a search before posting and can't find this subject covered.

It may be just me, but I can't fully get my head around the idea that 1507 LTSB is supported by security updates for 10 years, yet, regular (non LTSB) versions of Win10 are already unsupported. My thoughts are that there must be a form of artificial block to the regular versions, as they are, at their foundation (surely?) the same as the LTSB and therefore the same security patches must surely be applicable?

The reason I'm posting this thought here on WSUS Offline is that I find it interesting that a notice has been posted on the latest version of WSUS Offline to the effect that 11.2.2 is the last version to support Win10 1511 ... yet, though I've searched, I can't find the same notice for the earlier version Win10 1507 ... surely this must be because, security wise, 1507 is still supported (because of the LTSB versions)????

I need to test for myself I guess, but I'd be interested for knowledgeable folks to tell me if a clean 1507 build, regular non LTSB version of Win10 will still be patched by the current (11.2.2) WSUS Offline? Does anyone know?

If so, this is hugely interesting to me as an Admin. I'm not in the slightest bit interested in MS's 18 month upgrade cadence. Far too much work, and for no benefit whatsoever in my corporate world. I spend all my time with new releases of Win10 building install scripts to basically make the newest version look and feel as much like Win7 as is humanly possible. New builds are entertained only (only!) due to the promise of security patching. If I could feel reasonably confident of security updates on non-LTSB versions of 1607 I'd probably keep most of my users on that for at least 5 years, maybe even longer.
Moopere
 
Posts: 6
Joined: 16.08.2016, 13:07

Re: Win10 LTSB updates and regular versions of Win10

Postby aker » 21.04.2018, 10:29

This is enforced by Microsoft by adding a SKU-exclusive CBS-package for every Windows edition.
In the past (up to Windows 8.1) updates requiered "Microsoft-Windows-Foundation-Package" to be installed, which is available on all editions of Windows.
update.mum of a Windows 7 update:
Code: Select all
    <parent buildCompare="EQ" serviceCompare="GE" integrate="separate" disposition="detect">
      ...
      <assemblyIdentity name="Microsoft-Windows-Foundation-Package" language="neutral" version="6.1.7601.17514" processorArchitecture="amd64" publicKeyToken="31bf3856ad364e35" buildType="release" />
     ...
    </parent>


With Windows 10 MS introduced for every SKU an EditionSpecific package.
(Core = Core, Professional = Professional, Enterprise = Enterprise, Education = Education, EnterpriseS = Enterprise LTSB/LTSC)
update.mum of the last Windows 10 (1507) update, available for all editions:
Code: Select all
    <parent buildCompare="EQ" integrate="separate" disposition="detect">
      <assemblyIdentity name="Microsoft-Windows-CoreCountrySpecificEdition" language="neutral" version="10.0.10240.16384" processorArchitecture="amd64" publicKeyToken="31bf3856ad364e35" buildType="release" />
      <assemblyIdentity name="Microsoft-Windows-CoreEdition" language="neutral" version="10.0.10240.16384" processorArchitecture="amd64" publicKeyToken="31bf3856ad364e35" buildType="release" />
      <assemblyIdentity name="Microsoft-Windows-CoreNEdition" language="neutral" version="10.0.10240.16384" processorArchitecture="amd64" publicKeyToken="31bf3856ad364e35" buildType="release" />
      <assemblyIdentity name="Microsoft-Windows-CoreSingleLanguageEdition" language="neutral" version="10.0.10240.16384" processorArchitecture="amd64" publicKeyToken="31bf3856ad364e35" buildType="release" />
      <assemblyIdentity name="Microsoft-Windows-CoreSystemServerEdition" language="neutral" version="10.0.10240.16384" processorArchitecture="amd64" publicKeyToken="31bf3856ad364e35" buildType="release" />
      <assemblyIdentity name="Microsoft-Windows-EducationEdition" language="neutral" version="10.0.10240.16384" processorArchitecture="amd64" publicKeyToken="31bf3856ad364e35" buildType="release" />
      <assemblyIdentity name="Microsoft-Windows-EducationNEdition" language="neutral" version="10.0.10240.16384" processorArchitecture="amd64" publicKeyToken="31bf3856ad364e35" buildType="release" />
      <assemblyIdentity name="Microsoft-Windows-EnterpriseEdition" language="neutral" version="10.0.10240.16384" processorArchitecture="amd64" publicKeyToken="31bf3856ad364e35" buildType="release" />
      <assemblyIdentity name="Microsoft-Windows-EnterpriseEvalEdition" language="neutral" version="10.0.10240.16384" processorArchitecture="amd64" publicKeyToken="31bf3856ad364e35" buildType="release" />
      <assemblyIdentity name="Microsoft-Windows-EnterpriseNEdition" language="neutral" version="10.0.10240.16384" processorArchitecture="amd64" publicKeyToken="31bf3856ad364e35" buildType="release" />
      <assemblyIdentity name="Microsoft-Windows-EnterpriseNEvalEdition" language="neutral" version="10.0.10240.16384" processorArchitecture="amd64" publicKeyToken="31bf3856ad364e35" buildType="release" />
      <assemblyIdentity name="Microsoft-Windows-EnterpriseSEdition" language="neutral" version="10.0.10240.16384" processorArchitecture="amd64" publicKeyToken="31bf3856ad364e35" buildType="release" />
      <assemblyIdentity name="Microsoft-Windows-EnterpriseSEvalEdition" language="neutral" version="10.0.10240.16384" processorArchitecture="amd64" publicKeyToken="31bf3856ad364e35" buildType="release" />
      <assemblyIdentity name="Microsoft-Windows-EnterpriseSNEdition" language="neutral" version="10.0.10240.16384" processorArchitecture="amd64" publicKeyToken="31bf3856ad364e35" buildType="release" />
      <assemblyIdentity name="Microsoft-Windows-EnterpriseSNEvalEdition" language="neutral" version="10.0.10240.16384" processorArchitecture="amd64" publicKeyToken="31bf3856ad364e35" buildType="release" />
      <assemblyIdentity name="Microsoft-Windows-PPIProEdition" language="neutral" version="10.0.10240.16384" processorArchitecture="amd64" publicKeyToken="31bf3856ad364e35" buildType="release" />
      <assemblyIdentity name="Microsoft-Windows-ProfessionalEdition" language="neutral" version="10.0.10240.16384" processorArchitecture="amd64" publicKeyToken="31bf3856ad364e35" buildType="release" />
      <assemblyIdentity name="Microsoft-Windows-ProfessionalNEdition" language="neutral" version="10.0.10240.16384" processorArchitecture="amd64" publicKeyToken="31bf3856ad364e35" buildType="release" />
      <assemblyIdentity name="Microsoft-Windows-ServerDatacenterEdition" language="neutral" version="10.0.10240.16384" processorArchitecture="amd64" publicKeyToken="31bf3856ad364e35" buildType="release" />
      <assemblyIdentity name="Microsoft-Windows-ServerHyperCoreEdition" language="neutral" version="10.0.10240.16384" processorArchitecture="amd64" publicKeyToken="31bf3856ad364e35" buildType="release" />
      <assemblyIdentity name="Microsoft-Windows-ServerStandardEdition" language="neutral" version="10.0.10240.16384" processorArchitecture="amd64" publicKeyToken="31bf3856ad364e35" buildType="release" />
      ...
    </parent>


By simply removing everything except for "Microsoft-Windows-Server*Edition" and "Microsoft-Windows-EnterpriseSEdition" from the dependency-list it's easy to enforce, that this update cannot be applied to a non-LTSB/LTSC Windows 10 Enterprise.
update.mum of a LTSB/LTSC-only update
Code: Select all
    <parent buildCompare="EQ" integrate="separate" disposition="detect">
      <assemblyIdentity name="Microsoft-Windows-EnterpriseSEdition" language="neutral" version="10.0.10240.16384" processorArchitecture="amd64" publicKeyToken="31bf3856ad364e35" buildType="release" />
      <assemblyIdentity name="Microsoft-Windows-EnterpriseSNEdition" language="neutral" version="10.0.10240.16384" processorArchitecture="amd64" publicKeyToken="31bf3856ad364e35" buildType="release" />
     ...
    </parent>


How does this apply to wsusou?
wsusou supports the LTSB/LTSC editions of Windows 10, that's why the TH1/1507/10240-support is kept. (It's just the LTSB/LTSC, which gets updates now, as the updates themselves enforce that). The support for 1511 was dropped, because there is no LTSB/LTSC.

Is it possible to modify a LTSB/LTSC-update to work on nonLTSB/LTSC systems. I'm sure, that some person will achieve this in the future, but it's not that easy as adding one line to update.mum. You have to do this for every CBS-element, which should be applied, agian and check, if that on can/has to be installed. And if you did all this, there still is code-signing. WUA will refuse to install user-modified packages...
Wer Rechtschreibfehler findet, darf sie behalten oder an den Meistbietenden versteigern. / Everybody finding a misspelling is allowed to sell it.
aker
aker
 
Posts: 3045
Joined: 02.03.2011, 16:32
Location: /dev/kmem

Re: Win10 LTSB updates and regular versions of Win10

Postby boco » 21.04.2018, 10:37

MS can freely define for what OS builds and branches their updates work. The CUs for 1507 LTSB will NOT install on the regular 1507 build. The "applicability" setting inside the packages mandate that they will only work on LTSB.

In other words: Although the updates would most probably work correctly on the 1507 regular build, MS made them artificially and intentionally incompatible. So, they will stop with an error ("This update does not apply to this system").
Microsoft update catalog: http://catalog.update.microsoft.com/v7/site/
Windows Install media download: https://support.microsoft.com/en-us/help/15088/windows-create-installation-media
boco
 
Posts: 2005
Joined: 24.11.2009, 18:00
Location: Germany

Re: Win10 LTSB updates and regular versions of Win10

Postby Moopere » 22.04.2018, 03:17

Thanks for the full technical reply - I really appreciate this. Surprisingly, this subject is seldom covered in a complete way, at least in a technical sense, out in the wider web.
Moopere
 
Posts: 6
Joined: 16.08.2016, 13:07


Return to Installation / Updating

Who is online

Users browsing this forum: Google [Bot] and 16 guests

cron