Does WSUS Offline protect against telemetry?

Does WSUS Offline protect against telemetry?

Postby testimonyhead » 06.11.2016, 03:43

Do you guys try to prevent malicious updates being brought on board, for example, in regards to Windows 7? Or does WSUS grab all what Microsoft ships?
testimonyhead
 
Posts: 3
Joined: 06.11.2016, 03:40

Re: Does WSUS Offline protect against telemetry?

Postby boco » 06.11.2016, 05:33

Up 'till now WSUSOU covered only security-critical updates. This will change now due to their packaging of security+optional and Telemetry updates into one package and labeling that package as security update. So, you now need to add the full pack's KB number to your personal blacklist each month, WSUSOU will then install only the security-only package.

viewtopic.php?p=20751#p20751
Microsoft update catalog: http://catalog.update.microsoft.com/v7/site/
Windows Install media download: https://support.microsoft.com/en-us/help/15088/windows-create-installation-media
boco
 
Posts: 2007
Joined: 24.11.2009, 18:00
Location: Germany

Re: Does WSUS Offline protect against telemetry?

Postby testimonyhead » 06.11.2016, 11:45

I'm sorry, but how can WSUS only install security package if now they are being delivered in bundle along with telemetry spyware by Microsoft? I mean, where is WSUS gonna take security only package from?
testimonyhead
 
Posts: 3
Joined: 06.11.2016, 03:40

Re: Does WSUS Offline protect against telemetry?

Postby Dalai » 06.11.2016, 16:47

Since the catalog used by WSUS Offline contains BOTH update packages (Security-Only Rollup and Monthly Rollup), it can install both of them. In fact, it WILL install both because the Update Agent rates both of them as missing (if none of them is installed).

So, if you blacklist the Monthly Rollup, WSUS Offline will only install the Security-Only Rollup. But, as boco already said, you must add them to the exclude list yourself.

Regards
Dalai
Dalai
 
Posts: 628
Joined: 12.07.2016, 22:00

Re: Does WSUS Offline protect against telemetry?

Postby aker » 06.11.2016, 18:09

@WSUSUpdateAdmin
Could we add OS-specific ExcludeLists for the UpdateInstaller and dynamically update it as we do with the static links?
Wer Rechtschreibfehler findet, darf sie behalten oder an den Meistbietenden versteigern. / Everybody finding a misspelling is allowed to sell it.
aker
aker
 
Posts: 3045
Joined: 02.03.2011, 16:32
Location: /dev/kmem

Re: Does WSUS Offline protect against telemetry?

Postby boco » 06.11.2016, 22:43

Currently, I'm using the Force-all blacklist. That's a good approach because it will already prevent the download of the huge cumulative pack and save quite a bit of space (even more over time).
Microsoft update catalog: http://catalog.update.microsoft.com/v7/site/
Windows Install media download: https://support.microsoft.com/en-us/help/15088/windows-create-installation-media
boco
 
Posts: 2007
Joined: 24.11.2009, 18:00
Location: Germany

Re: Does WSUS Offline protect against telemetry?

Postby aker » 07.11.2016, 19:06

@WSUSUpdateAdmin
Could we blacklist the full update?
Wer Rechtschreibfehler findet, darf sie behalten oder an den Meistbietenden versteigern. / Everybody finding a misspelling is allowed to sell it.
aker
aker
 
Posts: 3045
Joined: 02.03.2011, 16:32
Location: /dev/kmem

Re: Does WSUS Offline protect against telemetry?

Postby WSUSUpdateAdmin » 10.11.2016, 14:08

Hi.

aker wrote:Could we add OS-specific ExcludeLists for the UpdateInstaller and dynamically update it as we do with the static links?

I'll do so if necessary...

aker wrote:Could we blacklist the full update?

..., but it isn't yet - all I was presented on a W7 machine for this month was one update: kb3197868.

Cheers,
Torsten
WSUSUpdateAdmin
Administrator
 
Posts: 2121
Joined: 07.07.2009, 15:38

Re: Does WSUS Offline protect against telemetry?

Postby hbuhrmester » 10.11.2016, 15:14

There are two update rollups:
But, as mentionend in another thread viewtopic.php?f=4&t=5138&start=60#p20838 , the Security Only Update is superseded by the November 2016 Security Monthly Quality Rollup. Therefore, kb3197867 ends up in the file ExcludeList-superseded.txt and is not downloaded.

It may require up to four steps to handle this situation:
  1. Add kb3197867 to the file ExcludeList-superseded-exclude.txt, to download the security only update.
  2. Add kb3197867 to the files client/static/StaticUpdateIds-w61-x64.txt and client/static/StaticUpdateIds-w61-x86.txt, to install it.
  3. Add kb3197868 to exclude/ExcludeList-w61-x64.txt and exclude/ExcludeList-w61-x86.txt, to prevent the full update rollup from download and save some 80 MB.
  4. Add kb3197868 to client/exclude/ExcludeList.txt, to prevent spurious error messages about missing updates.
hbuhrmester
 
Posts: 314
Joined: 11.10.2013, 21:59

Re: Does WSUS Offline protect against telemetry?

Postby WSUSUpdateAdmin » 11.11.2016, 10:44

Hi.

Oh, I see.
So I'ld have to do that every month?
And quickly after the patchday, of course, because one doesn't know the kb numbers before... :shock:

Why the hell does M$ let the "Security Monthly Quality Rollup" supersede the "Security Only" one? :x
The normal way would be the last one mandatory and the first one optional, wouldn't it?

Cheers,
Torsten
WSUSUpdateAdmin
Administrator
 
Posts: 2121
Joined: 07.07.2009, 15:38

Next

Return to Verschiedenes / Miscellaneous

Who is online

Users browsing this forum: No registered users and 8 guests