October 24, 2016
Windows updates: changes and challenges
We would like to provide more information about the new Windows update mechanism from Microsoft that we reported on in last week's newsletter. These changes affect both CLASSE-managed and personal/home computers running Windows 7 and 10.
Background: Up until now, CLASSE-IT has had the ability to select, test, and approve individual Windows patches from Microsoft before applying them during our Tuesday 2 AM maintenance periods. This way, we were able to drop any problematic patches, including those with known bugs. These patches sometimes require a reboot, which is done automatically on most computers. Third-party software updates may trigger an additional reboot during the maintenance periods. For some computers (e.g. CESR control system), the maintenance window has been shifted to Tuesdays at 10 AM to accommodate the operations schedule. In a very small number of cases, where automatic reboots would be highly disruptive (e.g. SRF furnace PC), reboots are allowed to be done by hand at the user's discretion but always within 14 days of an update being released, in order to comply with the Cornell University Policy on Information Security.
New Windows 7 update model: As of October 2016, Microsoft no longer allows the curation of individual patches to apply; all patches for a given month are packaged together in a single "cumulative update". As a result, there is an increased likelihood of (a) reboots during the weekly maintenance window, (b) our being stuck with a buggy patch for a month, and (c) emergency updates to remediate buggy releases. According to various reports in public forums, as part of this change, some users may observe the following behaviors:
- Windows 7 computers may reboot twice in order to complete their Windows updates.
- Windows 7 computers will seem to hang, displaying "Configuring Windows update. Stage 2 of 2" for an indefinite amount of time. If you experience this, just press Ctrl-Alt-Del to log in.
Also, please note that we are not intentionally changing our update schedule for CLASSE-managed Windows computers. However, another reported side-effect of this change is that, in rare cases, it causes updates and reboots at unscheduled times. The situation here is fluid, and it is not yet clear if or how this will affect CLASSE computers.
Windows 10 (upcoming): We do not plan to migrate CLASSE-managed computers to Windows 10 until late 2017. However, one known challenge with Windows 10 is that we will have even less flexibility in how updates are applied -- not only will we be unable to choose individual patches, but we will also lose full control over the scheduling. In other words, Microsoft will be able to force some updates (and reboots) to occur outside of our regular maintenance windows. We are actively researching options for avoiding unscheduled updates, but as of now, we are recommending that all control and monitoring applications be moved to Linux, if at all possible.
More information is available at October2016ServicingFAQ. Please submit a ServiceRequest to discuss any concerns about these changes.
Reminder: Support for Symantec Endpoint Protection has terminated.
Anyone who has installed the Cornell version of Symantec's anti-virus software on a personally owned or managed computer must replace it with another anti-virus product.
All CLASSE-managed computers that previously used Symantec Endpoint Protection have already been migrated to ESET. If you are aware of any CLASSE computer that is not running ESET, please submit a service request immediately.
General network and server maintenance will occur every Tuesday from 12:00 noon to 2:00 PM. The CLASSE-IT group will always announce any expected disruptions in our NewsLetter and via CLASSE-IT-NEWS-L, but with the size and complexity of our network there is always the potential for something to go wrong. We will do our best to contain all network maintenance and planned outages to Tuesdays from 12:00 noon to 2:00 PM.
Unless other arrangements have been made, CLASSE-managed Windows systems may be updated and rebooted on Tuesday morning at 2:00 AM, so please avoid critical or lengthy operations at that time. For more details, please see
Other resources: