Server 2008 - Wrong .Net version and missing .Net patches


Postby rbronca » 03.05.2019, 05:08

Hello again. I have been investigating missing patches in both the 32 and 64 bit versions of Windows 2008 server. (This isn't the R2 version)

From a server built from vanilla Microsoft media and using a freshly created wsusoffline iso, I'm consistently left with the following updates missing:

0> Security Update for Microsoft .NET Framework 2.0 SP2 on Windows Vista SP2 and Windows Server 2008 SP2 (KB3122646)
1> April, 2017 Security Only Update for .NET Framework 2.0, 3.0, 4.5.2, 4.6 on Windows Vista SP2 and Server 2008 SP2 (KB4014988)
2> May, 2017 Security Only Update for .NET Framework 2.0, 3.0, 4.5.2, 4.6 on Windows Server 2008 SP2 (KB4019109)
3> 2017-09 Security and Quality Rollup for .NET Framework 2.0, 3.0, 4.5.2, 4.6 on Windows Server 2008 SP2 (KB4041086)
4> 2017-09 Security Only Update for .NET Framework 2.0, 3.0, 4.5.2, 4.6 on Windows Server 2008 SP2 (KB4041093)
5> Windows Malicious Software Removal Tool - February 2018 (KB890830)
6> 2018-05 Security Only Update for .NET Framework 2.0, 3.0, 4.5.2, 4.6 on Windows Server 2008 SP2 (KB4099640)
7> 2018-07 Security Only Update for .NET Framework 2.0, 3.0, 4.5.2, 4.6 for Windows Server 2008 SP2 (KB4340007)
8> 2018-08 Security Only Update for .NET Framework 2.0, 3.0, 4.5.2, 4.6 for Windows Server 2008 SP2 (KB4345682)
9> 2018-12 Security Only Update for .NET Framework 3.5 SP1, 4.5.2, 4.6 for Windows Server 2008 SP2 (KB4471984)
10> 2019-02 Security and Quality Rollup for .NET Framework 2.0, 3.0, 4.5.2, 4.6 on Windows Server 2008 SP2 (KB4487081)
11> 2019-02 Security Only Update for .NET Framework 2.0, 3.0, 4.5.2, 4.6 for Windows Server 2008 SP2 (KB4487124)
12> Windows Malicious Software Removal Tool - April 2019 (KB890830)

Yes, I have gone down to the sub patch level and checked each of them. None of the sub patches of these patches are present.

In my testing I have also performed the following:

Installed the current servicing stack: (kb4493730)
http://download.windowsupdate.com/d/msd ... c009a0.msu
http://download.windowsupdate.com/d/msd ... c2443c.msu

D3D compiler (kb4019478) - which is required for recent .Net patches. (These are hard patches to track down for 2008).
Check here for the requirement: https://support.microsoft.com/en-au/hel ... -0-and-3-0
http://download.windowsupdate.com/c/msd ... a14c1b.msu
http://download.windowsupdate.com/c/msd ... a14c1b.msu

As well as the 7.6 Windows Update Client:
http://download.windowsupdate.com/windo ... .6-x64.exe
http://download.windowsupdate.com/windo ... .6-x86.exe

I have also manually added the Microsoft root certificate and disallowed certs using this guide:
http://woshub.com/updating-trusted-root ... indows-10/ "The List of Root Certificates in STL Format"

I also installed .Net framework 4.6.1.
Wsusoffline still uses the 4.6 version, where 4.6.1 is the latest version for 2008.
https://download.microsoft.com/download ... OS-ENU.exe
Some Microsoft pages suggest 4.6 is the latest for server 2008, others 4.6.1.

The 4.6.1 offline framework actually installs correctly. 4.6.2 doesn't install by comparison.
The .Net 4 build version afterwards is the expected 394271.

After all of these steps, the same patches remain uninstalled on the server.

Most of the required .Net patches are present within the wsusoffline media and I can manually install them from there - confirming that there aren't any missing prerequisites.
I can also install them fine from Windows Update.

Looking back some time ago, this all definitely used to work for this operating system, suggesting some change within wsusoffline that broke 2008 .Net patch support.

I know that the usage of 2008 is getting lower, but as it soon will fall out of support, getting to a solid final patch position will be useful.

Can you please investigate this?

Thank you in advance

Regards

Robert
rbronca
 
Posts: 40
Joined: 19.08.2015, 08:14
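
Added example (not part of the original post and not WSUS Offline's own code): a PowerShell audit of the state described above. It reads the .NET 4 `Release` value and the `wuaueng.dll` version, then asks the Windows Update Agent which of the listed .NET KBs it still reports as missing. PowerShell 2.0 or later and the `$ScanCab` path to a local copy of Microsoft's `wsusscn2.cab` are assumptions.

```powershell
# Added example: audit the patch state discussed in this thread.
# Assumptions: PowerShell 2.0+, elevated prompt; $ScanCab is a hypothetical
# local path to a copy of Microsoft's offline scan catalogue (wsusscn2.cab).
param([string]$ScanCab = 'C:\temp\wsusscn2.cab')

# .NET KB numbers copied from the list of missing updates in the post above.
$expected = '3122646','4014988','4019109','4041086','4041093','4099640',
            '4340007','4345682','4471984','4487081','4487124'

# 1. .NET 4.x build: the Release DWORD (394271 is the value quoted in the post).
$ndpKey  = 'HKLM:\SOFTWARE\Microsoft\NET Framework Setup\NDP\v4\Full'
$release = (Get-ItemProperty -Path $ndpKey -ErrorAction SilentlyContinue).Release

# 2. Windows Update Agent engine version (the file the thread compares by date).
$wua = (Get-Item "$env:windir\System32\wuaueng.dll").VersionInfo.ProductVersion

# 3. Ask the Windows Update Agent which updates it considers missing.
$session  = New-Object -ComObject Microsoft.Update.Session
$searcher = $session.CreateUpdateSearcher()
if (Test-Path $ScanCab) {
    # Offline machine: register the cab as scan source (3 = ssOthers).
    $mgr = New-Object -ComObject Microsoft.Update.ServiceManager
    $svc = $mgr.AddScanPackageService('Offline scan', $ScanCab)
    $searcher.ServerSelection = 3
    $searcher.ServiceID       = $svc.ServiceID
}
$missing = @{}
foreach ($u in $searcher.Search("IsInstalled=0 and Type='Software'").Updates) {
    # KBArticleIDs holds the bare numbers, without the "KB" prefix.
    foreach ($kb in $u.KBArticleIDs) { $missing[$kb] = $u.Title }
}

# 4. Report: one line per KB from the list, plus the two version values.
"NET4 Release : $release"
"wuaueng.dll  : $wua"
foreach ($kb in $expected) {
    if ($missing.ContainsKey($kb)) { "MISSING  KB$kb  $($missing[$kb])" }
    else                           { "ok       KB$kb  (not reported as missing)" }
}
```

Running it before and after a WSUS Offline pass shows whether the agent's own detection still lists the KBs, independent of the tool's install list.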

Re: Server 2008 - Wrong .Net version and missing .Net patche

Postby aker » 03.05.2019, 08:54

I just checked the official requirements for .NET 4.6.1.

Copied from the German page:
Supported operating system
Windows 10 ; Windows 7 Service Pack 1; Windows 8; Windows 8.1; Windows Server 2008 R2 SP1; Windows Server 2012; Windows Server 2012 R2
Supported operating systems:
Windows 7 SP1 (x86 and x64)
Windows 8 (x86 and x64)
Windows 8.1 (x86 and x64)
Windows 10
Windows Server 2008 R2 SP1 (x64)
Windows Server 2012 (x64)
Windows Server 2012 R2 (x64)
Minimum hardware requirements:
1 GHz processor or faster
512 MB RAM
2.5 GB available hard disk space (x86)
2.5 GB available hard disk space (x64)


I know that .NET 4.6.1 is installable on Windows Vista / Server 2008, but wsusou always uses the official system requirements.

Could you please open a second topic for the root certificate instructions, so we can discuss this independently from w2k8?



I currently cannot check the SecOnly-updates or rollups as I don't have access to a computer at the moment.
Whoever finds spelling mistakes may keep them or auction them off to the highest bidder. / Everybody finding a misspelling is allowed to sell it.
aker
aker
 
Posts: 3430
Joined: 02.03.2011, 15:32

Re: Server 2008 - Wrong .Net version and missing .Net patche

Postby Denniss » 03.05.2019, 09:32

I once checked dotnet 4.6.1 on Vista; it was installing but did not receive updates. The same dotnet version on Win7 received updates. Test was made while Vista was still supported.
This may be the same on Server 2008, so I suggest reverting back to dotnet 4.6.
Denniss
 
Posts: 867
Joined: 01.08.2009, 10:51

Re: Server 2008 - Wrong .Net version and missing .Net patche

Postby aker » 05.05.2019, 17:57

aker
aker
 
Posts: 3430
Joined: 02.03.2011, 15:32

Re: Server 2008 - Wrong .Net version and missing .Net patche

Postby rbronca » 06.05.2019, 01:57

I agree with all of you that .Net 4.6.1 should not be installed on server 2008.
Microsoft clearly made a decision to change this late in the release cycle as all the RC versions supported 2008.
I have found articles pointing both ways, but the actual support requirements and download pages state it is not.

My testing was to try and rectify why the .Net patches weren't being installed. I got the same missing patch results with 4.6 and 4.6.1.

The fact that most of the sub patches are in fact downloaded and copied suggests that that side is mostly working correctly.
It appears it is something within the patch deployment detection code that simply isn't adding these patches to the to do list for a 2008 server.

I can provide the list of what is or isn't downloaded if required, but I assume you can track them down pretty easily.

The certificate issue I will discuss in the other new thread.

The D3D patch needs to be added to the prereqs. This is the same issue afflicting both the 2008 R2 and 2012 tracks which has been discussed in another thread.
You cannot apply recent .Net patches without it and if you're not internet connected, it will not be installed.
The prereqs need to be applied and the server rebooted before any of the other tasks take place.

The 7.6 update client needs to be added to both 2008 and 2008 R2 as well as Windows 7 - there are significant fixes addressed.

I'm not sure if there is another interaction at play here. I haven't found one thus far.

Thank you for your thoughts and discussion.

Robert
rbronca
 
Posts: 40
Joined: 19.08.2015, 08:14

Re: Server 2008 - Wrong .Net version and missing .Net patche

Postby Dalai » 06.05.2019, 02:29

rbronca wrote: The D3D patch needs to be added to the prereqs. This is the same issue afflicting both the 2008 R2 and 2012 tracks which has been discussed in another thread.

No, it doesn't apply to anything newer than Server 2008 (NT 6.0). On NT 6.1, when you tell WSUS Offline to install .NET 4.x it will install 4.7.2 (or newer) which comes with the required D3D update KB4019990 included. But we already discussed this here: viewtopic.php?f=6&t=9006. If you manually install any older .NET 4.x you're responsible to install KB4019990 as well, IMO.

rbronca wrote: The 7.6 update client needs to be added to both 2008 and 2008 R2 as well as Windows 7 - there are significant fixes addressed.

You're wrong here in regards to NT 6.1, too. Although both contain a newer WU Agent than what is shipped with the OS, the suggested Windows Agent 7.6 is older (from 2014) than what is installed via KB3172605 (July 2016 Rollup). KB3172605 is part of the prerequisites which are applied before any Windows updates are installed. However, .NET 4.x is installed before that (which fails on offline systems due to missing root certs), but that's a separate discussion and IIRC I already made a suggestion to rectify this issue.

WU Agent 7.6 was explicitly installed by WSUS Offline a couple of years ago (up until and including version 10.7), but removed after that since it's no longer necessary because of proper installation of prerequisite updates. However, I'm not sure about NT 6.0.

Regards
Dalai
Dalai
 
Posts: 949
Joined: 12.07.2016, 21:00

Re: Server 2008 - Wrong .Net version and missing .Net patche

Postby rbronca » 06.05.2019, 07:07

Hello Dalai, I disagree with your statement regarding the D3d patch and 2008 R2.

When you run wsusoffline on a fresh vanilla VM, the installation of .Net 4.72 fails.
Only once the entire process is complete, can you successfully retry and install the .Net 4.72 framework.
At the very least this is untidy.

We also have servers running all the other supported .Net framework versions.
These do require the D3d patch to be installed before you apply recent .Net patches.
This is why it should be a prereq.

For .Net, WSUSoffline needs to make sure the required prereqs are installed, server reboot if required, before it attempts to install 4.72 for the first time.
This is exactly the same as already happens for IE.

For 2008, the Windows Update agent 7.6 definitely did update the key file, wuaueng.dll, to a newer version with a 2012 date. (Originally 2009)
For a patched 2008 R2 server, wuaueng.dll has a 2017 date, so you are most probably correct that the 7.6 agent update isn't required for this operating system.

Of course, none of this resolves why recent .Net patches aren't being installed on 2008.

regards

Robert
rbronca
 
Posts: 40
Joined: 19.08.2015, 08:14

Re: Server 2008 - Wrong .Net version and missing .Net patche

Postby Dalai » 06.05.2019, 21:02

rbronca wrote: When you run wsusoffline on a fresh vanilla VM, the installation of .Net 4.72 fails.

No need to discuss this again, is there? My tests in the thread linked above were/are clear: .NET 4.7.2 can be installed correctly on NT 6.1 when the system has internet access, but not on offline systems. However, installing KB4019990 manually doesn't change anything about that. The .NET installation doesn't fail on offline systems because of a missing KB4019990 but because of missing root CAs.

To make it very clear: The installation of root CAs (before anything else) is the key to most of the issues we face currently. Once they're applied to the clients, .NET framework, its updates and Windows updates will install correctly, even when the clients are offline.

rbronca wrote: These do require the D3d patch to be installed before you apply recent .Net patches.
This is why it should be a prereq.

I disagree. I can only repeat myself. As soon as you install any other .NET version than what WSUS Offline provides, you're responsible for installing the prerequisite KB4019990, too. When installing .NET via WSUS Offline this update/prerequisite is already taken care of. That's how I see it.

Regards
Dalai
Dalai
 
Posts: 949
Joined: 12.07.2016, 21:00

Re: Server 2008 - Wrong .Net version and missing .Net patche

Postby aker » 06.05.2019, 23:32

The D3D update is included in the .NET 4.7.1, 4.7.2 and 4.8 installer and will be installed, if not done manually.
The only .NET version requiring manual installation of the D3D update is 4.7.0.
aker
aker
 
Posts: 3430
Joined: 02.03.2011, 15:32

Re: Server 2008 - Wrong .Net version and missing .Net patche

Postby Dalai » 06.05.2019, 23:51

OK, without getting it even more complicated, I'd like to add a small correction to my previous statements. Assuming all .NET updates (even those for 4.5x and 4.6x) require the D3D update*, it's necessary to install that update on Server 2008 since the latest supported .NET is 4.6.0 on that platform.

*) I'm not sure if that's the case.

Conclusion:
For NT 6.0 adding KB4019990 to the prerequisites could be done and would probably be OK. For NT 6.1+ I don't see the need to change anything in WSUS Offline.

PS: Man, if MS had ended support for Server 2008 at the same time Vista went EOL, life would be easier (for some of us, but not others ;)) ...

Regards
Dalai
Dalai
 
Posts: 949
Joined: 12.07.2016, 21:00
