Page 1 of 3

Does WSUS Offline protect against telemetry?

PostPosted: 06.11.2016, 02:43
by testimonyhead
Do you guys try to prevent malicious updates being brought on board, for example, in regards to Windows 7? Or does WSUS grab all what Microsoft ships?

Re: Does WSUS Offline protect against telemetry?

PostPosted: 06.11.2016, 04:33
by boco
Up 'till now WSUSOU covered only security-critical updates. This will change now due to their packaging of security+optional and Telemetry updates into one package and labeling that package as security update. So, you now need to add the full pack's KB number to your personal blacklist each month, WSUSOU will then install only the security-only package.

viewtopic.php?p=20751#p20751

Re: Does WSUS Offline protect against telemetry?

PostPosted: 06.11.2016, 10:45
by testimonyhead
I'm sorry, but how can WSUS only install security package if now they are being delivered in bundle along with telemetry spyware by Microsoft? I mean, where is WSUS gonna take security only package from?

Re: Does WSUS Offline protect against telemetry?

PostPosted: 06.11.2016, 15:47
by Dalai
Since the catalog used by WSUS Offline contains BOTH update packages (Security-Only Rollup and Monthly Rollup), it can install both of them. In fact, it WILL install both because the Update Agent rates both of them as missing (if none of them is installed).

So, if you blacklist the Monthly Rollup, WSUS Offline will only install the Security-Only Rollup. But, as boco already said, you must add them to the exclude list yourself.

Regards
Dalai

Re: Does WSUS Offline protect against telemetry?

PostPosted: 06.11.2016, 17:09
by aker
@WSUSUpdateAdmin
Could we add OS-specific ExcludeLists for the UpdateInstaller and dynamically update it as we do with the static links?

Re: Does WSUS Offline protect against telemetry?

PostPosted: 06.11.2016, 21:43
by boco
Currently, I'm using the Force-all blacklist. That's a good approach because it will already prevent the download of the huge cumulative pack and save quite a bit of space (even more over time).

Re: Does WSUS Offline protect against telemetry?

PostPosted: 07.11.2016, 18:06
by aker
@WSUSUpdateAdmin
Could we blacklist the full update?

Re: Does WSUS Offline protect against telemetry?

PostPosted: 10.11.2016, 13:08
by WSUSUpdateAdmin
Hi.

aker wrote:Could we add OS-specific ExcludeLists for the UpdateInstaller and dynamically update it as we do with the static links?

I'll do so if necessary...

aker wrote:Could we blacklist the full update?

..., but it isn't yet - all I was presented on a W7 machine for this month was one update: kb3197868.

Cheers,
Torsten

Re: Does WSUS Offline protect against telemetry?

PostPosted: 10.11.2016, 14:14
by hbuhrmester
There are two update rollups:
But, as mentionend in another thread viewtopic.php?f=4&t=5138&start=60#p20838 , the Security Only Update is superseded by the November 2016 Security Monthly Quality Rollup. Therefore, kb3197867 ends up in the file ExcludeList-superseded.txt and is not downloaded.

It may require up to four steps to handle this situation:
  1. Add kb3197867 to the file ExcludeList-superseded-exclude.txt, to download the security only update.
  2. Add kb3197867 to the files client/static/StaticUpdateIds-w61-x64.txt and client/static/StaticUpdateIds-w61-x86.txt, to install it.
  3. Add kb3197868 to exclude/ExcludeList-w61-x64.txt and exclude/ExcludeList-w61-x86.txt, to prevent the full update rollup from download and save some 80 MB.
  4. Add kb3197868 to client/exclude/ExcludeList.txt, to prevent spurious error messages about missing updates.

Re: Does WSUS Offline protect against telemetry?

PostPosted: 11.11.2016, 09:44
by WSUSUpdateAdmin
Hi.

Oh, I see.
So I'ld have to do that every month?
And quickly after the patchday, of course, because one doesn't know the kb numbers before... :shock:

Why the hell does M$ let the "Security Monthly Quality Rollup" supersede the "Security Only" one? :x
The normal way would be the last one mandatory and the first one optional, wouldn't it?

Cheers,
Torsten