When you Finish saving the January Optional Updates

This blog will be about Patch Tuesday and how to deal with those additional updates when you have configured some nice Windows Update for Business (WUfB) rings.

By now, I guess everyone has heard the news about the Microsoft January 2022-01 Updates that could break your DC or your IKE connection. If not, please bing/google it…

I will divide this blog into multiple parts

  1. The issue explained
  2. The first attempt
  3. The second attempt
  4. Results

As always, let’s start by taking a look at what happened. Microsoft decided to release some nice updates in January 2022 (KB5009543 and KB5009566).

But unfortunately, these updates could break your Windows VPN client and you will end up with this screen: Can’t Connect to VPN


Okay, okay, it could be worse, right? Way, way worse would be seeing your DCs ending up in a boot loop every 3 hours. I guess it’s every IT pro’s worst nightmare: noticing this 0x50006 LSASS error in your event log.

But let’s go back again to the Windows 10/11 update massacre. When we were getting the first phone calls about the VPN software not working, the first thing we did was “pausing” the Update Rings.


When using the “Pause” feature updates option, you can make sure the device will stop receiving those feature updates for a period of 35 days. When configured, Intune will create a nice registry key “PauseFeatureUpdatesStartTime” inside the Microsoft\PolicyManager\default\Update registry key.

Normally 35 days should be enough for Microsoft to fix it, but luckily Microsoft decided to pull back those updates and released an out-of-band optional update to fix it (KB5010793 and KB5010795).

January 17, 2022—KB5010793 (OS Builds 19042.1469, 19043.1469, and 19044.1469) Out-of-band (microsoft.com)

Looking at the Highlights, it’s pretty obvious what this update is going to fix!

“Updates a known issue that affects VPN connections”


But here comes the pain! How the hell are we going to install this optional update on the devices experiencing the issue?

Because you can forget about that optional update automatically being deployed to the devices with the use of the WUfB deployment rings. Also letting all of your end-users search for new updates isn’t going to install that nice optional update. So what now? Are we just going to deploy a PowerShell script to uninstall that update and be done with it?

wusa.exe /uninstall /kb:5009543

Uninstalling the update could be a solution but not the one we want! Luckily I needed to do the same some time ago, when we were dealing with the Windows Update Health Tools (KB4023057) that were missing on a device. So fixing this is going to be a piece of cake... (at least that's what I thought at first)

So I just downloaded this nice Proactive remediation script I created earlier to only change the KB I need to download

Intune deploy / Expedite Quality Updates and troubleshoot it (call4cloud.nl)

After changing the KB to match the optional update we need to deploy, I uploaded the script to Intune and assigned it to a PROD ehhh sorry TEST group… Prod/test, what’s the difference?


But after waiting a while, the Proactive remediations didn’t do anything except notify the user it was searching for updates. So I needed to take a look myself at a test device.

So the first thing I did was check whether the PSWindowsUpdate PowerShell module was successfully installed.

As shown above, it has been installed successfully so that wasn’t the issue. I also tried to install the update manually but as shown below, nothing happened?

Okay okay, let’s try something else and just try to find any available update! But you could guess the outcome, it didn’t get me any results.

And just at that point, I was like duhhhhh. It’s an optional update and not available to be deployed with the Update ring! No wonder I couldn’t find the update!

So now that I had seen with my own eyes that my first idea wasn’t going to work, I needed to change some stuff! Looking at the script also made me realize that we are also dealing with Windows 11 now.

So I need to change some parts in the ProActive remediation scripts (I will post the link to the zip file with both of the PowerShell scripts at the end of this part)


Let’s start with the changes in the detection script

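# Read the OS version, e.g. 10.0.19044 (Windows 10) or 10.0.22000 (Windows 11)
$Version = (Get-WmiObject -Class Win32_OperatingSystem | Select-Object Version).Version
if ($Version -like "10.0.1*") {
    # Windows 10 builds
    $kb = "KB5010793"
}
elseif ($Version -like "10.0.2*") {
    # Windows 11 builds
    $kb = "KB5010795"
}

# Wildcard pattern used to match the HotFixID later on
$kbsearch = "*$kb*"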

So we added this part to first check the Windows version and if the required update is already installed. Okay that was easy, but we still need to fix the update issue itself


Now that we have learned the hard way that we can’t download or install this update with the PSWindowsUpdate PowerShell module, we need to download it ourselves!

As shown below, we removed the install-windowsupdate part and replaced it with some invoke-webrequest to download the specific update for the proper Windows version.

And after downloading the update we just use WUSA.exe to quietly install it, wait for the update to be installed and trigger the toast message. We also show a toast message to the end user, otherwise how could they know they need to reboot their device?

Looking at the screenshot above, you will notice I have put everything after #, why? Because I am using a scheduled task to trigger it with PowerShell, run as system and with an encoded command (that’s above this part)

So every time you need to deploy an optional update, you will need to change this part and make sure you remove the # before converting it to an encoded script


Please note: You could change/update the Toast message to your liking. I guess we still need to improve it a bit and add our own Company Logo to it.
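
The download-and-install remediation described above, as an added example that is not the author's script from the zip file; it also checks a pinned SHA-256 before wusa.exe runs the package as SYSTEM. The `$packages` table is a name introduced here, and the URLs and hash values are placeholders to fill in from the package you obtained from Microsoft.

```powershell
# Added example. URLs and hashes below are PLACEHOLDERS, not real values.
$packages = @{
    'KB5010793' = @{ Url = 'https://example.invalid/PLACEHOLDER-kb5010793.msu'; Sha256 = '<PINNED-SHA256>' }
    'KB5010795' = @{ Url = 'https://example.invalid/PLACEHOLDER-kb5010795.msu'; Sha256 = '<PINNED-SHA256>' }
}

# Same OS version test as the detection script
$version = (Get-CimInstance -ClassName Win32_OperatingSystem).Version
if     ($version -like '10.0.1*') { $kb = 'KB5010793' }
elseif ($version -like '10.0.2*') { $kb = 'KB5010795' }
else   { Write-Output "No package defined for OS version $version"; exit 0 }

# Nothing to do when the hotfix is already present
if (Get-HotFix -Id $kb -ErrorAction SilentlyContinue) {
    Write-Output "$kb already installed"; exit 0
}

$pkg      = $packages[$kb]
$msu      = Join-Path $env:TEMP "$kb.msu"
$exitCode = 1   # assume failure until wusa.exe reports success

try {
    Invoke-WebRequest -Uri $pkg.Url -OutFile $msu -UseBasicParsing -ErrorAction Stop

    # Refuse to install anything that does not match the pinned hash
    $actual = (Get-FileHash -Path $msu -Algorithm SHA256).Hash
    if ($actual -ne $pkg.Sha256) { throw "Hash mismatch for $kb (got $actual)" }

    # Quiet install; the reboot prompt is left to the toast message
    $p = Start-Process -FilePath "$env:SystemRoot\System32\wusa.exe" `
         -ArgumentList "`"$msu`" /quiet /norestart" -Wait -PassThru

    switch ($p.ExitCode) {
        0       { Write-Output "$kb installed"; $exitCode = 0 }
        3010    { Write-Output "$kb installed, reboot required"; $exitCode = 0 }
        2359302 { Write-Output "$kb was already installed"; $exitCode = 0 }
        default { Write-Output "wusa.exe exited with code $($p.ExitCode)" }
    }
}
catch {
    Write-Output "Remediation failed: $_"
}
finally {
    # Do not leave the package behind in the temp folder
    Remove-Item -Path $msu -Force -ErrorAction SilentlyContinue
}
exit $exitCode
```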

And as promised the link to the zip file containing the detection and remediation script!


After waiting some time to get the proactive remediations script deployed, the end-user would be prompted with the toast message telling you, you will need to reboot your device!

Of course, I wanted to be sure the update was installed successfully. So I entered this PowerShell command $status = Get-hotfix | where-object {($_.HotFixID -like $kbsearch )} to be sure.


As shown above, the toast message was right! The update is installed successfully! Let’s circle back to the ProActive remediations and take a look if they are also detecting the update now!

As shown below, the proactive remediations are without any errors and show us the KB5010795 has been installed!

Sometimes you will need to do some manual labor to fix things! It’s a shame there isn’t a possibility to deploy these kinds of optional updates with built-in Intune tools but then again we have proactive remediations, right?

Rudy Ooms, https://call4cloud.nl/
Rudy is a Modern workplace architect and currently working for a company in the Netherlands, called Deltacom Steenbergen. He has been working in IT since he was 16 years old. Within these years, he gained a lot of experience in different kinds of expertise. I guess like most of you, he started working with active directory environments. In June 2021 he received the MVP status in the category Enterprise Mobility for the first time. The multi-tenant PowerShell scripted Deltacom-Cloud environment is one of his creations.
