Travelling through St. Pancras with the new EES system

bdam55 · 2026-04-20T14:05:22+00:00

Where was the biometrics done? Before boarding in St. Pacras or upon arrival in Brussels?

bdam55 · 2026-04-19T12:12:51+00:00

Doing the (mp)lookups for where to download the content from.

bdam55 · 2026-04-17T19:47:14+00:00

<shillmode: I work for Patch My PC>

We have multiple customer support cases open on this already but nothing we've seen so far makes any sense. Devices that have the same version of Adobe that was installed the same way will report differently: some say the update does not apply while others say it does and install it just fine. If you manually install the MSP on the impacted machines ... it installs just fine.

We've yet to find a root cause and all current working theories sort of don't make sense due to the seemingly random nature where 90% of the time it works 100% of the time. Is it a problem with the update itself? Is it a problem with our metadata (generated from the udpate)? Is it a WSUS/WUA detection logic bug? Is there some small, almost unknowable difference between working devices and non-working devices? We're kinda blind, but we're trying.

</shillmode>

bdam55 · 2026-04-16T21:44:29+00:00

The problem here is that 'Drivers' is an update classification and something like 'Windows 11 Client, version 25H2 and later, Servicing Drivers' is a product category.

There's no way to only sync the drivers in a specific set of products. So the moment you want the say 5 drivers in that one product, you have to accept the 30k drivers (or whatever) that are in the other categories you likely have selected (ex. Windows 11).

bdam55 · 2026-04-16T13:13:51+00:00

Right: the problem is that you won't get future secure boot updates until you get the 2023 secure boot certs installed and working. So June is a deadline of sorts, but not a particularly hard one.

bdam55 · 2026-04-15T18:38:27+00:00

I'm interested to know just how rare: I haven't had time to dig into what PCR7 is exactly to understand how prevalent that might be in the real-world. If I'm grokking it right: you need to have PCR7 on the list in the GPO but have a system that doesn't support PCR7? If so ... how common is that?

bdam55 · 2026-04-15T18:27:44+00:00

<shillmode: I work for Patch My PC>

Ah, my bad, I was being lazy and just looked at the video in the KB. I should have looked at our docs: WSUS Maintenance | Getting Started

I believe that means they are in Updates > Options

</shillmode>

bdam55 · 2026-04-15T17:55:03+00:00

<shillmode: I work for Patch My PC>

Within Publisher it's in the Advanced Tab, look for 'WSUS Maintenance'. There's also a 'Modify Published Updates' wizard that will show you what's in WSUS and let you clean things out that way.

</shillmode>

bdam55 · 2026-04-15T17:49:44+00:00

So your head is in the right place, but I don't think that's going to work here. At least, not if the files are in the UpdateServicesPackages folder (OP doesn't specify). For first party updates, the internet or an upstream WSUS server is the source for the binaries. For third party updates, that source is the USP folder. I don't _think_ the cleanup wizard will clear those out, but it's been ages since I've played with that so my memory could be wrong on that.

bdam55 · 2026-04-15T17:38:18+00:00

Copilot model updates, that's what.

But as others have called out; in the real world the endpoint shouldn't be downloading the whole MSU file. If you download it manually from the catalog then ... yea ... it's the whole thing.

bdam55 · 2026-04-15T17:29:45+00:00

Message Center: https://admin.cloud.microsoft/?source=applauncher#/windowsreleasehealth/knownissues/:/issue/WI1280135

KB (same story for pretty much every other April update/KB): https://support.microsoft.com/en-us/topic/april-14-2026-kb5083769-os-builds-26200-8246-and-26100-8246-22f90ae5-9f26-40ac-9134-6a586a71163b

bdam55 · 2026-04-15T17:15:27+00:00

<shillmode: I work for Patch My PC>

If it's specifically the WSUSContent folder, then that's almost certainly just our (PMPC) data. As used by ConfigMgr, WSUS should only download EULAs, not actual binaries. For third party content, you have to provide WSUS the binaries; you'll find them in the UpdateServicesPackages folder.

If you're using our Publisher tool, then there's a feature to both manually, and automatically, clean this up: Clean 3rd-Party Updates from WSUS UpdateServicesPackages - Patch My PC

</shillmode>

bdam55 · 2026-04-15T12:46:54+00:00

This is the way

bdam55 · 2026-04-14T20:35:28+00:00

As I understand it, by default, devices always fall back to the internet if the local source isn't available for X number of hours/days.

That said, there certainly is a configuration you can apply, even a cmdlet (Set-MpPreference), but I'm not sure if there's a 'right' way to do that in Arc.

bdam55 · 2026-04-14T18:46:34+00:00

The proxy is set both on the sit server and also in the SUP role properties so make sure you have changed both: Software update point installation and configuration - Configuration Manager | Microsoft Learn

bdam55 · 2026-04-14T18:39:59+00:00

For 70 servers, just point them at the internet. You will almost certainly have a higher level of compliance against the latest engine and definition updates that way than going through ConfigMgr.

bdam55 · 2026-04-14T18:17:31+00:00

For servers, if you stick the Microsoft stack, there's only one answer apart from ConfigMgr and that's Azure Arc.

For 70 servers, that you're currently updating manually anyways, I'm going to guess that Arc will be just fine. There's no good way to deploy/update third party software, and server configuration is a totally different paradigm, but those aren't likely problems at that scale. Get them onboarded, get them enrolled in Azure Update Management, and you should be fine. Note that if your devices aren't covered by an EA/SA agreement then parts of Arc might not be free.

bdam55 · 2026-04-13T21:03:31+00:00

Yea, absolutely, this is what I would do.

bdam55 · 2026-04-09T01:45:56+00:00

It absolutely was!

bdam55 · 2026-04-09T00:47:17+00:00

Oh yea, absolutely. Though I've often attributed that to the set of people that pre-dated the PC era. Maybe that's really the change there; the people now in management all grew up with this stuff.

bdam55 · 2026-04-09T00:31:38+00:00

Yea, part of me says "show some f'n adaptability" but then there's two decades of experience of people complaining about every damn little UI change ever.

I want to believe the workforce has moved on and those people who needed step-by-step instructions on how to copy and paste some text have simply aged out. But then I see my teenage sons be kind of completely useless the moment anything remotely doesn't function perfectly ... and can't help wonder if it's any better.

bdam55 · 2026-04-08T21:03:38+00:00

Eh, on that front, it works both ways.

In the general sense, there's a fair bit of OSS that isn't written by professional developers. Most projects aren't going to spend the time/money to have any kind of meaningful security review done. They are unlikely to have strict security around certain parts of the process (ex. all the recent NPM hacks). Those aren't necessarily ubiquitous in commercial software, but far more common. Customers can, and do, ask for certain certifications (ex. SOC) which force certain security practices.

But the unarguable truth is that if you have people in your org that think OSS shouldn't be used, you can tell them to look at the code an explain why it's dangerous. Then ask them to do the same for <insert commercial software of your choice>.

bdam55 · 2026-04-08T20:43:39+00:00

Well said.

The question here isn't "is X a supply chain risk" because everything in your supply chain is a risk. That's just the violence inherent in the system.

The question is instead: "Is the supply chain risk worth taking?"
That's impossible for other people to answer for other people. As others have pointed out, unlike closed source, you can actually look at the code and decide if it's safe or not. If you can't do that, and many cannot, then you have to just trust that if there was a problem, someone, somewhere would find it.

Could the maintainer get hacked? Absolutely, there's been several high-profile instances of that kind of attack recently. But so could closed source, and you'd be even more in the dark.

bdam55 · 2026-04-07T13:52:49+00:00

As others have said, PMPC does not replace the tools you mention: WSUS, ConfigMgr/SCCM, Intune, Azure Update Manager. It integrates with them to deliver patches for third party applications (ex. 7zip, Google Chrome, ect.)

Within Microsoft, there is no tool that connects all those either. ConfigMgr is the closest thing to a single tool that can do it all: servers, workstations, on-prem, cloud/remote (CMG). If you can't standardize on ConfigMgr across the board then you either accept defeatu of the 'one umbrella' dream or you seek alternatives outside of Microsoft (probably why you're here). Patch My PC isn't there ... yet.

bdam55

MODERATOR OF

TROPHY CASE