forums.wsusoffline.net

[jharris1993]

Greetings!

Although WSUS Offline Updater is an absolutely wonderful piece of work, one thing that really causes me to grind my teeth is the automagic inclusion of IE-11. Since IE-11 causes no end of trouble, especially in Win-7, the fact that it is AUTOMATICALLY included, like it or not, is a real pain.

The result is that after I have done all these updates, I have to go back and remove IE-11.

Suggestion:
Make the browser to include a download-time option.

Thanks!

Jim (JR)

[Dalai]

You don't have to remove IE11. Instead, you can launch wsusoffline\client\DoUpdate.cmd with the /skipieinst switch to avoid getting IE11 installed.

Regards
Dalai

[jharris1993]

You don't have to remove IE11. Instead, you can launch wsusoffline\client\DoUpdate.cmd with the /skipieinst switch to avoid getting IE11 installed.

Regards
Dalai

Thanks for the rapid answer!

However, since it appears to be a selectable option - shouldn't it be a user-selectable checkbox option? This way I would not have to waste everyone's time asking stupid stuff like this.

Thanks!

Jim (JR)

[Dalai]

Well, I don't know the exact reason(s) behind this decision to not include a checkbox for this, but I'm sure there is at least one . Most likely: MS has dropped support for all IE versions but IE11, so every system should have it - except for those people who know exactly what they're doing.

Regards
Dalai

[boco]

It is not included as option because MS has declared IE11 mandatory for Win7. For older IE on Win7, no patches at all will be supplied. As the purpose of WSUSOU is to make systems secure, we simply cannot leave users with unsupported and thus insecure IE versions.

[jharris1993]

It is not included as option because MS has declared IE11 mandatory for Win7. For older IE on Win7, no patches at all will be supplied. As the purpose of WSUSOU is to make systems secure, we simply cannot leave users with unsupported and thus insecure IE versions.

When did WSUSOU's mandate become "to make systems secure"?

It's a documented fact that WSUSOU does not install all current updates - the user is still responsible for running Windows Update afterward to catch the updates that WSUSOU misses. If the installation of updates is a requirement for security, then WSUSOU has significant fails here.

This also ignores the fact that not every update helps "make systems secure". There are websites no end that spend their time documenting the many ways Microsoft's updates can - and do - significantly degrade a system's security and/or stability, which is essentially the same thing. What about the updates that are advertising - like the famous "Windows 10 popup" update? Where's the security in that?

WSUSOU has check-boxes for Outlook, Microsoft Security Essentials, updates to the system management console, etc. Any one of which could be considered critical, (or at least important), for system security.

Ultimately, the security, (or lack thereof), is the responsibility of the system's user. WSUSOU dictating to the user what they can or cannot do is just as arrogant as M$'s dictating what O/S the system can or cannot run, with Secure Boot being a classic example. If you want to replace Windows with Linux on a Secure Boot enabled machine, it is not possible without jumping through a lot of hoops. If it's a tablet, you cannot do it at all. The same is true with the dot-net 4.0/4.5 debacle. Many systems were needlessly crippled by the way these two "updates" failed to play well together. And so on.

As far as I can tell by looking at the many WSUSOU fora, your typical user is someone who is knowledgeable and competent when it comes to configuring and updating machines. These are people who know their systems well, know exactly what they want and know exactly what they wish to avoid.

---------------------------------------------------------------------

WSUSOU is, (at least in my humble opinion), a convenience tool that relieves me from having to manually babysit a machine or machines while updates are being installed. Your own web site advertises that "time and bandwidth are money" - extolling the convenience features of WSUSOU. If that makes a system more secure, than so be it. However this is NOT my main reason for using WSUSOU. My main reason - and I am sure it's the main reason of just about everyone else that uses it - is to free me from the drudgery of updating so that I can do more useful things with my time.

-----------------------------------------------------------

I don't want you - or anyone else for that matter - to think that I am bitching or complaining about WSUSOU. It is a wonderful utility that I value highly. I recommend it to every system administrator I know. I recommend it to those of my friends who manage a software QA lab with dozens of machines. In fact, I recommend it to anyone who has more than one or two machines to maintain. And I strongly recommend that they - all of them - plunk down the cash and contribute to this worthy cause as I have done.

The bottom line is that WSUSOU waving the security flag is doing your users a disservice. You should be making it possible for the knowledgeable user to do what they believe is proper and needful for the maintenance of their machines.

What say ye?

Jim (JR)

[boco]

When did WSUSOU's mandate become "to make systems secure"?

It was already created in that context. WSUSOU's use is to apply the security-critical patches to a system before it goes online the first time. Then, the remaining updates are downloaded over WU.

It's a documented fact that WSUSOU does not install all current updates - the user is still responsible for running Windows Update afterward to catch the updates that WSUSOU misses.

WSUSOU does download all updates that Microsoft declares as being "security-critical". The other, remaining updates do not deal with security in MS's eyes. The catalog used is provided by Microsoft, not us.

What about the updates that are advertising - like the famous "Windows 10 popup" update? Where's the security in that?

Such updates are not in the catalog and therefore not installed by WSUSOU.

WSUSOU has check-boxes for Outlook, Microsoft Security Essentials, updates to the system management console, etc. Any one of which could be considered critical, (or at least important), for system security.

Those are extras, provided due to user demand. The core of WSUSOU is entirely driven by the WSUSSCN2.CAB catalog and thus by MS.

Ultimately, the security, (or lack thereof), is the responsibility of the system's user.

Of course, it's one component of keeping a system secure.

WSUSOU dictating to the user what they can or cannot do is just as arrogant as M$'s dictating what O/S the system can or cannot run, with Secure Boot being a classic example.

You're missing the point: It's not us who demand the latest IE. MS stopped support for all but the latest available IE for the OS. Thus WSUSOU will, by default, install the latest IE to keep the system supported.
Can still be disabled in the INI-file, if you know what you're doing. A GUI checkbox will not be provided, to prevent clueless users from harming themselves.

If you want to replace Windows with Linux on a Secure Boot enabled machine, it is not possible without jumping through a lot of hoops. If it's a tablet, you cannot do it at all. The same is true with the dot-net 4.0/4.5 debacle. Many systems were needlessly crippled by the way these two "updates" failed to play well together. And so on.

Again, you're barking up the wrong tree. That's something MS did. We have to live with the consequences.

The bottom line is that WSUSOU waving the security flag is doing your users a disservice. You should be making it possible for the knowledgeable user to do what they believe is proper and needful for the maintenance of their machines.

We provide the options, they just won't jump in the user's face as that will cause confusion. The knowledgeable user should know how to make/switch an INI entry.