Archive for November, 2016

Upgrading Windows 10 via WSUS

November 15, 2016

Windows 10 is supposedly the “last” consumer Windows edition Microsoft will release. While the version will stay as 10, over time the whole OS will mature, grow and mutate into something that will look and feel very different from the original release of July 2015. One side effect of this is that in a corporate environment using WSUS, it becomes possible for new versions of Windows 10 to be deployed as an in-place, fully automatic upgrade, the same way any other patch or service pack is installed. I was curious to see how this worked, so I approved the Anniversary Update (also known as version 1607) for installation at work and let my PC download the update.

Sure enough, the process was the same as what my home PC went through when it upgraded to the 1607 update. A couple of update screens and quite some time later, I was back at my desktop, duly upgraded. Everything was still in place, bar the RSAT pack which had to be updated to a version compatible with v1607. Overall, an extremely smooth and hands-free process, just time consuming. I imagine it would easily take twice or thrice as long if the machine runs on a mechanical HD and not an SSD.

That being said, there was one major problem with the 1607 update – checking for updates from WSUS broke due to a bug in 1607. Windows 10 1607 would start to search for updates from the configured WSUS server, only to have multiple services in the background crash repeatedly, with no indication to the user. To the end user, it simply looks like the search is stuck at 1% and never moves from there. Apparently, if one leaves the process running long enough, updates will eventually download. This is obviously an unacceptable bug and Microsoft were made aware of it. They promised a fix in one of the monthly update roll ups, which was subsequently delivered and verified as having fixed the problem. Now you have a chicken and egg situation: deploy the 1607 update via WSUS, but then struggle after that, since you need the Cumulative Update to fix the problem.

You could manually install the update, but this becomes unwieldy in a large organisation. If deploying Windows 10 via deployment tools, you could make sure that the base image has the update injected already, which prevents the issue from cropping up in the first place. Sadly, the 1607 update is delivered from WSUS as an encrypted ESD file. While it is possible to decrypt this and inject the update, I don’t know if it’s possible to convert that back into an ESD file. Even if you could, the checksum wouldn’t be valid and WSUS would probably fail to work with the modified file.

There’s always a possibility Microsoft could revise the 1607 update in WSUS so that the ESD file comes with the last Cumulative Update installed so that it works correctly out of the box. I recall something like this happening with the November 1511 update, which I declined as it was another 3-4 GB download. Unfortunately, one doesn’t know when or even if this will happen. It’s also possible the problem will never be fixed. With the Creators Update due out early 2017 (March?) it’s possible that Microsoft uses that as the new baseline. If I’m correct, once the Creators Update is approved in the WSUS console, it will supersede the Anniversary Update, so the problem should be solved by bypassing the 1607 update.

I look forward to eventually rolling out Windows versions like this, though I think it will be beneficial if every computer had an SSD inside it first. Mechanical hard drives really do slow things down these days. A nice side effect of this is that Windows shouldn’t end up suffering from “Windows rot” as the Windows directory is replaced with each major upgrade. This should keep performance up compared to something like Windows 7 that gets bogged down after years’ worth of updates. Interesting times ahead…

Categories: Software

SparkPost

November 6, 2016

About a month ago, I received an email at work from the company which develops our school administration software. The email advised us that the company was planning to migrate their backend email delivery provider from Mandrill to SparkPost. We were advised that if we wanted to keep mail delivery free we’d sign up for an account with SparkPost. The email was poorly worded, as both my colleague and I assumed that the changeover was going to be happening in a matter of days. Since our school sends out tons of email via the admin package, I acted quickly and got us signed up for a free account.

After getting signed up, I got the company to switch the backend provider on our account over to SparkPost, which worked correctly. I was advised to set up SPF and DKIM records in our DNS zone so that mail sent via SparkPost would be far less likely to be rejected as SPAM. It took me a bit of research on the correct way to set up these records, most especially the SPF record. We have mail coming from our domain from both SparkPost and our MX records, so both need to be covered. A catch is that your SPF record cannot require more than 10 DNS lookups or it would not be considered a valid record. It took me a bit of fiddling to find the right balance, but I got it done eventually. As a bonus, the SPF record should help get mail delivered to Gmail recipients quicker – we’ve often had long delays in mail getting delivered to Gmail in the past, probably due to the lack of the SPF record.
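The 10-lookup rule can be checked before a record is published. The following is an added example, not part of the original post: a small counter that walks `include` and `redirect` targets and totals the terms that cost a DNS lookup under RFC 7208. The domains and TXT records are constructed placeholders.

```python
import re

# Constructed TXT records for illustration (hypothetical domains); real
# values would come from DNS TXT queries.
ZONE = {
    "school.example": "v=spf1 mx include:esp.example ~all",
    "esp.example": "v=spf1 include:_netblocks.esp.example exists:%{i}._spf.esp.example ~all",
    "_netblocks.esp.example": "v=spf1 ip4:192.0.2.0/24 ip4:198.51.100.0/24 ~all",
}

# RFC 7208 section 4.6.4: these mechanisms, plus the redirect modifier,
# each cost one DNS lookup; ip4, ip6 and all cost none.
LOOKUP_MECHANISMS = {"include", "a", "mx", "ptr", "exists"}
LIMIT = 10


def count_lookups(domain, zone, path=()):
    """Worst-case count of lookup-causing terms, following include/redirect."""
    if domain in path:
        raise ValueError(f"SPF include loop at {domain}")
    record = zone.get(domain, "")
    if not record.lower().startswith("v=spf1"):
        raise ValueError(f"no SPF record found for {domain}")
    total = 0
    for term in record.split()[1:]:
        term = term.lstrip("+-~?")  # drop the qualifier
        if term.lower().startswith("redirect="):
            target = term.split("=", 1)[1]
            total += 1 + count_lookups(target, zone, path + (domain,))
            continue
        name = re.split(r"[:/]", term, maxsplit=1)[0].lower()
        if name in LOOKUP_MECHANISMS:
            total += 1
        if name == "include":  # nested records count against the same budget
            total += count_lookups(term.partition(":")[2], zone, path + (domain,))
    return total


def within_limit(domain, zone):
    """Return (lookups, ok); ok is False when receivers would report permerror."""
    n = count_lookups(domain, zone)
    return n, n <= LIMIT


if __name__ == "__main__":
    print(within_limit("school.example", ZONE))
```

Lookups inside a provider's `include` count against your own budget, so the total can change when the provider edits its record.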

Once term started and users started sending mail, some problems came to light, namely that a lot of mail was simply being rejected as SPAM and that pulling out the list of automatically suppressed email addresses was impossible via the web interface. The SPAM problem comes from the fact that some of the IP addresses used in SparkPost’s free tier pool have been tainted by other users. Since we have no control over which server sends the mail, it’s a crap shoot in which mail gets through and what is blocked as SPAM. One solution is to upgrade to a paid tier and buy dedicated IP addresses, but this was not something we had budgeted for and as such isn’t a viable option just yet.

Contacting their support, I asked for help. I got a reply that apologised, told me that they were terminating accounts for SPAMMING and that they had made some change that would hopefully help our account. Time will tell if that really is the case. We cannot afford to regularly have 20 odd % of our mail routinely fail to deliver because it’s identified as SPAM due to a tainted IP address.

Getting the suppression list was a challenge. I found a command on their blog which would pull it out of a command line using cURL, a Unix tool. This displays a raw bit of JSON code on the command line which includes all the suppressed emails and reasons why it was suppressed. It took me quite some time to figure out that I could echo this output using the > command to a text file with the entire output of the command. Then I needed to get this processed into something I could use, preferably a CSV file for import into Excel. Thankfully I found a website that does just that – website here. Armed with the now useful CSV file, I imported into Excel and made a spreadsheet for our registrar to follow up with the relevant parents so that we can get correct email addresses.
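The JSON-to-CSV step can also be done locally, which keeps parent email addresses off a third-party converter site. This is an added example, not part of the original post; the sample JSON is constructed and its field names (`results`, `recipient`, `type`, `source`, `description`) are assumptions about the saved output. Bounce descriptions are text supplied by remote mail servers, so cells that Excel would evaluate as formulas are neutralised on the way out.

```python
import csv
import io
import json

# Constructed sample standing in for the text file saved from the cURL
# call; the field names are assumptions for illustration.
RAW = """{"results": [
  {"recipient": "parent1@example.com", "type": "transactional",
   "source": "Bounce Rule", "description": "550 5.1.1 user unknown"},
  {"recipient": "parent2@example.com", "type": "non_transactional",
   "source": "Manually Added", "description": "=1+1"},
  {"recipient": "parent3@example.com", "type": "transactional"}
]}"""

FIELDS = ["recipient", "type", "source", "description"]
FORMULA_PREFIXES = ("=", "+", "-", "@", "\t", "\r")


def neutralise(value):
    """Return the cell as text, prefixed so Excel will not run it as a formula."""
    text = "" if value is None else str(value)
    return "'" + text if text.startswith(FORMULA_PREFIXES) else text


def suppression_csv(raw_json):
    """Convert the saved suppression-list JSON into CSV text for Excel."""
    rows = json.loads(raw_json).get("results", [])
    out = io.StringIO()
    writer = csv.writer(out, lineterminator="\n")
    writer.writerow(FIELDS)
    for row in rows:
        # Missing keys become empty cells instead of raising KeyError.
        writer.writerow([neutralise(row.get(field)) for field in FIELDS])
    return out.getvalue()


if __name__ == "__main__":
    print(suppression_csv(RAW), end="")
```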

This whole adventure with SparkPost has taught me quite a bit about email out there on the internet, especially when you operate on a bulk scale. It’s also taught me that the spammers have really ruined email as a communication tool. I struggle to explain to staff in plain English why exactly their email isn’t getting delivered, as the concepts are not straightforward for people who don’t have the faintest clue of how email delivery actually works.

Still, SparkPost should be useful in the long run, especially if they get their tainted IP problem sorted out. I have more insight now into the process than I did when Mandrill was the backend delivery tool. I get the feeling that at this point in time, SparkPost is still very much a programmer’s tool rather than something that is geared towards end users. Hopefully in time SparkPost will make their website more user friendly and capable, which will greatly elevate the service I think, especially for a non-programmer like myself who simply needs to get something done.

Categories: Software