Does WSUS Offline protect against telemetry?

Re: Does WSUS Offline protect against telemetry?

Postby boco » 11.11.2016, 09:54

Of course, but it's MS we are talking about. One security pack and one with the non-security stuff would have been enough.

Downloading part: Use the ExcludeList-superseded-exclude.txt file for the , as you do not need to get the download URLs, that way. Exclude the full pack the default way.
Installing: Statics. Or maybe using a similar approach Dalai has just released a script for: Hiding the full pack KB will then report the security-only one as missing.
Microsoft update catalog: http://catalog.update.microsoft.com/v7/site/
Windows Install media download: https://support.microsoft.com/en-us/help/15088/windows-create-installation-media
boco
 
Posts: 2199
Joined: 24.11.2009, 17:00
Location: Germany

Re: Does WSUS Offline protect against telemetry?

Postby aker » 11.11.2016, 22:33

@WSUSUpdateAdmin & @hbuhrmester

Simple question: is it possible to dynamically generate the list of supersedences including a kind of blacklist?
I mean, let's take a blacklist containing the UpdateId of the full update. Then filter the list of superseding revisions using this blacklist. All updates superseded by such a blacklisted update aren't treated as superseded for the download part. Also we could use this Id to remove the update from the download links to save free disk space. (And we don't need to maintain two blacklists containing the same update, one with the id to filter the superseding revisions and one with the name to exclude it from being downloaded)
I'm not good at XSL and do not know if it is possible to dynamically generate an XSL script for generating a filtered revision list or if we have to use batch.

For the installation part, we could use this id, too. I know, that WUA accepts a commandline similar to "AND NOT UpdateId=xxxxx". I just have to check, if the security only will be listed then.
[edit]
WUA reports the security-only update KB3197867, if you change

Set objSearchResult = objUpdateSearcher.Search("Type='Software' and IsInstalled=0 and IsHidden=0")

to

Set objSearchResult = objUpdateSearcher.Search("Type='Software' and IsInstalled=0 and IsHidden=0 and UpdateID!=2501ea5a-6fed-4767-8a3f-1702b0956b4b")

which excludes the full rollup KB3197868.
Test-OS was w61 x86 with all updates released before 2016-11-01.
[/edit]
Whoever finds spelling mistakes may keep them or auction them off to the highest bidder. / Everybody finding a misspelling is allowed to sell it.
aker
aker
 
Posts: 3339
Joined: 02.03.2011, 15:32
Location: %SystemRoot%\System32\Boot\winload.efi

Re: Does WSUS Offline protect against telemetry?

Postby Etikett » 16.11.2016, 22:23

I tried to use hbuhrmester's recommendation (viewtopic.php?p=20850#p20850) but failed miserably.
Excluding kb3197868 worked but downloading and installing kb3197867 did not.
The problem was adding kb3197867 to the file ExcludeList-superseded-exclude.txt: Wsusou simply replaced the modified text file with the previous one. Result was that NOTHING was downloaded and therefore installed.

So I simply installed kb3197867 manually (with no problems occurring) but that's not what I wanted.
Etikett
 

Re: Does WSUS Offline protect against telemetry?

Postby hbuhrmester » 17.11.2016, 00:35

Etikett wrote: The problem was adding kb3197867 to the file ExcludeList-superseded-exclude.txt: Wsusou simply replaced the modified text file with the previous one. Result was that NOTHING was downloaded and therefore installed.

This is an old problem with old versions of wget. Wget will download a file in two cases:

  • There is a newer version of the file available online
  • The file size of the local file is different than that on the server. Then the timestamps of the local and the remote file don't matter. Wget will replace a newer file with an older file, if there are differences in the file size.

This also caused problems elsewhere: viewtopic.php?f=5&t=5902&p=20277#p20277

But there are two possible workarounds:

  • Try aria2, which uses a different method for timestamping by sending a conditional header "If-Modified-Since". aria2 is not affected by differences in the file size.
  • Replace the bundled wget with the latest Windows build. Wget 1.17 and higher uses the same method for timestamping as aria2.

Of course, my idea was, that these files would be changed on the server. Then it should work better.
hbuhrmester
 
Posts: 378
Joined: 11.10.2013, 20:59
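
The two timestamping policies from the post above, compared against a throwaway local HTTP server. This is an added example, not part of the thread and not WSUS Offline or wget code; the function names, the server file content and its date are constructed, and the "legacy" check is a model of the behaviour as the post describes it.

```python
import email.utils, functools, http.server, os, tempfile, threading
import urllib.error, urllib.request

# Ignore any proxy settings so requests reach the throwaway local server directly.
OPENER = urllib.request.build_opener(urllib.request.ProxyHandler({}))

def legacy_wants_download(url, local_path):
    """Model of the old behaviour described in the post: fetch when the server
    copy is newer OR when the sizes differ, whatever the timestamps say."""
    with OPENER.open(urllib.request.Request(url, method="HEAD")) as resp:
        remote_size = int(resp.headers["Content-Length"])
        remote_mtime = email.utils.parsedate_to_datetime(
            resp.headers["Last-Modified"]).timestamp()
    st = os.stat(local_path)
    return remote_mtime > st.st_mtime or remote_size != st.st_size

def conditional_wants_download(url, local_path):
    """If-Modified-Since request: the server answers 304 unless its copy is newer."""
    stamp = email.utils.formatdate(os.stat(local_path).st_mtime, usegmt=True)
    try:
        with OPENER.open(urllib.request.Request(url, headers={"If-Modified-Since": stamp})):
            return True   # 200 OK: server copy is newer, replace the local file
    except urllib.error.HTTPError as err:
        if err.code == 304:
            return False  # 304 Not Modified: the local edit survives
        raise

def demo():
    """Serve an old list file, keep a newer and larger local edit, ask both policies."""
    name = "ExcludeList-superseded-exclude.txt"
    with tempfile.TemporaryDirectory() as srv, tempfile.TemporaryDirectory() as cli:
        remote, local = os.path.join(srv, name), os.path.join(cli, name)
        with open(remote, "w") as f:
            f.write("kb0000001\n")                  # constructed server content
        os.utime(remote, (1478000000, 1478000000))  # server copy dated early Nov 2016
        with open(local, "w") as f:
            f.write("kb0000001\nkb3197867\n")       # local edit: newer and larger
        handler = functools.partial(http.server.SimpleHTTPRequestHandler, directory=srv)
        httpd = http.server.ThreadingHTTPServer(("127.0.0.1", 0), handler)
        threading.Thread(target=httpd.serve_forever, daemon=True).start()
        url = f"http://127.0.0.1:{httpd.server_port}/{name}"
        try:
            return legacy_wants_download(url, local), conditional_wants_download(url, local)
        finally:
            httpd.shutdown()
            httpd.server_close()

if __name__ == "__main__":
    print(demo())
```

`demo()` returns a pair: whether the size-comparing policy would overwrite the edited list, and whether the conditional request would.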

Re: Does WSUS Offline protect against telemetry?

Postby hbuhrmester » 17.11.2016, 02:48

Furthermore, you can surely download the file manually and put it into the directory wsusoffline/client/w61/glb, but there are a few caveats:

  • If you run the download script again, the verification of existing files may fail, because the files don't exactly match the hashes file wsusoffline/client/md/hashes-w61-glb.txt. Missing or additional files will be treated as an error by the hashdeep "audit" mode. Then you could just delete the hashes file and it will be rebuilt on the next run.

  • The downloaded file will be at risk of getting deleted by the cleanup part of the download script, because it may be considered "obsolete".

I think, if changing the file ExcludeList-superseded-exclude.txt doesn't work, then the file should be treated as custom download:

Create a file wsusoffline/static/custom/StaticDownloadLinks-w61-x86-glb.txt and put the whole URL into it.

See also the file wsusoffline/doc/faq-enu.txt: Can I download/install additional patches?
hbuhrmester
 
Posts: 378
Joined: 11.10.2013, 20:59

Re: Does WSUS Offline protect against telemetry?

Postby Dalai » 17.11.2016, 02:57

You can add the KB to .\exclude\custom\ExcludeList-superseded-exclude.txt which gets merged with .\exclude\ExcludeList-superseded-exclude.txt during the download phase.

Regards
Dalai
Dalai
 
Posts: 921
Joined: 12.07.2016, 21:00

Re: Does WSUS Offline protect against telemetry?

Postby boco » 17.11.2016, 05:37

For own entries, always use the "custom" subdirectory! It never gets overwritten by any update or file from the server. It's exactly the reason why the "custom" subdirectory exists.
boco
 
Posts: 2199
Joined: 24.11.2009, 17:00
Location: Germany

Re: Does WSUS Offline protect against telemetry?

Postby hbuhrmester » 17.11.2016, 18:06

It seems, that there are four updates for Windows 7 to consider.

The full Update Rollup for November is:

November 2016 Security Monthly Quality Rollup for Windows 7 SP1 and Windows Server 2008 R2 SP1
https://support.microsoft.com/en-us/kb/3197868

It replaces (supersedes) three other updates:

October 2016 security monthly quality rollup for Windows 7 SP1 and Windows Server 2008 R2 SP1
https://support.microsoft.com/en-us/kb/3185330

October 2016 security only quality update for Windows 7 SP1 and Windows Server 2008 R2 SP1
https://support.microsoft.com/en-us/kb/3192391

November 2016 Security Only Quality Update for Windows 7 SP1 and Windows Server 2008 R2 SP1
https://support.microsoft.com/en-us/kb/3197867


The goal for a manual customization would be:

  • download and install the two security only updates
  • exclude the two full update rollups

This requires several steps (but without guarantees, since I don't actually have Windows 7):

  1. Put

    kb3185330
    kb3197868

    into the files:

    wsusoffline\exclude\custom\ExcludeList-w61-x64.txt
    wsusoffline\exclude\custom\ExcludeList-w61-x86.txt

  2. Put

    kb3185330,October 2016 security monthly quality rollup for Windows 7
    kb3197868,November 2016 Security Monthly Quality Rollup for Windows 7

    into the file:

    wsusoffline\client\exclude\custom\ExcludeList.txt

  3. Put

    kb3192391
    kb3197867

    into the files:

    wsusoffline\exclude\custom\ExcludeList-superseded-exclude.txt
    wsusoffline\client\static\custom\StaticUpdateIds-w61-x64.txt
    wsusoffline\client\static\custom\StaticUpdateIds-w61-x86.txt


As a side note: You can get virtual machines for various Windows versions from Microsoft: The "browser stack" is meant for web developers, who like to try their project with all available versions of Internet Explorer and the new Edge browser:
https://developer.microsoft.com/en-us/m ... tools/vms/
hbuhrmester
 
Posts: 378
Joined: 11.10.2013, 20:59
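
The three steps from the post above as one repeatable script, for anyone who has to redo them each month. This is an added example, not part of the thread and not WSUS Offline code; the function names are hypothetical, the file paths and KB entries are the ones listed in the post, and it assumes each list file holds one entry per line as shown there.

```python
from pathlib import Path

def add_lines(path, entries):
    """Append entries whose KB number (text before any comma, compared
    case-insensitively) is not already in the file; return the lines added."""
    path.parent.mkdir(parents=True, exist_ok=True)
    existing = path.read_text().splitlines() if path.exists() else []
    seen = {line.split(",")[0].strip().lower() for line in existing if line.strip()}
    added = [e for e in entries if e.split(",")[0].strip().lower() not in seen]
    if added:
        path.write_text("\n".join(existing + added) + "\n")
    return added

def customize(root, rollups, security_only, archs=("x64", "x86"), os_tag="w61"):
    """rollups: {kb: title} to exclude; security_only: [kb] to keep even though
    the rollup supersedes them. Only the 'custom' directories are written."""
    overlap = {k.lower() for k in rollups} & {k.lower() for k in security_only}
    if overlap:
        raise ValueError(f"KB listed as both excluded and wanted: {sorted(overlap)}")
    targets = [
        ("client/exclude/custom/ExcludeList.txt",                       # step 2
         [f"{kb},{title}" for kb, title in rollups.items()]),
        ("exclude/custom/ExcludeList-superseded-exclude.txt", list(security_only)),  # step 3
    ]
    for arch in archs:
        targets.append((f"exclude/custom/ExcludeList-{os_tag}-{arch}.txt", list(rollups)))  # step 1
        targets.append((f"client/static/custom/StaticUpdateIds-{os_tag}-{arch}.txt",
                        list(security_only)))                           # step 3
    return {rel: add_lines(Path(root) / rel, entries) for rel, entries in targets}

# Values copied from the post (Windows 7, October and November 2016).
NOVEMBER_2016 = {
    "rollups": {
        "kb3185330": "October 2016 security monthly quality rollup for Windows 7",
        "kb3197868": "November 2016 Security Monthly Quality Rollup for Windows 7",
    },
    "security_only": ["kb3192391", "kb3197867"],
}

if __name__ == "__main__":
    import sys
    # Usage: python customize.py <path to the wsusoffline directory>
    for rel, added in customize(sys.argv[1], **NOVEMBER_2016).items():
        print(rel, added)
```

Running it twice adds nothing the second time, and entries already present in a custom file are left in place.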

Re: Does WSUS Offline protect against telemetry?

Postby aker » 17.11.2016, 19:33

This might fail, if one of the old updates gets superseded.
It would be easier to exclude the full rollup using the WUA command-line. Then wsusou lists the SecOnly ones.
aker
aker
 
Posts: 3339
Joined: 02.03.2011, 15:32
Location: %SystemRoot%\System32\Boot\winload.efi

Re: Does WSUS Offline protect against telemetry?

Postby WSUSUpdateAdmin » 24.11.2016, 15:07

Hi.

As I see, there are technical ways to hide updates like the cumulative "Monthly Quality Rollup" packages (viewtopic.php?f=4&t=5138&p=20913#p20852, thanks to Dalai).
Furthermore, WOU already leaves hidden updates aside.

Unfortunately, we can't predict the kb numbers for the next month's "Quality Rollup" (for exclusion) and "Security Only" (for inclusion (or better: exclusion from supersedure)) packages, so there's no way yet to prepare the relevant exclusion text files in advance.

If I guaranteed WOU to be free of any telemetry stuff probably delivered within the "Quality Rollup" packs, I'd have to spend every second Tuesday's night waiting for the patches, which I'm not willing to do.

I'll have a look at Dalai's "hide" script mentioned above and think about integrating this functionality into WOU, but unless someone finds a fully automated way to determine the kb numbers, the customers will have to maintain the relevant lists on their own, if requested.

Sorry & kind regards,
Torsten

Backref: viewtopic.php?f=5&t=5910
WSUSUpdateAdmin
Administrator
 
Posts: 2214
Joined: 07.07.2009, 14:38
