Missing Updates Round 3: Windows 7
 Posted: 04.11.2023, 04:39
Posted: 04.11.2023, 04:39I've FINALLY got back around to looking at Windows 7 updates again. Don't worry, it's not on any production machines, just old laptops I use for messing around with. Those of you with longer memories will remember that I've worked on this intermittently over the last couple of years.
Current configuration:
- WSUSOfflineCE 11.9.11hf5
--- Last updated 30/Oct/23
--- Windows 7 x86 and x64 only
Download log for this instance is here (PasteBin).
Installation procedure:
- Windows 7 x64
- Drivers
- WSUSOffline
- Windows Update
Installation log for WSUS Offline is here.
It's a long log, so below are some notes of interest. It's also worth noting that a load of the installs failed with 1642 error, but that's ok - update not required for this computer.
Of those updates, none appear in the download log, so I'm not quite sure why WSUSO is looking for them. When I looked at the updates WU wanted to install, all but two of them were present - KB2685939 (Security update, RDP vulnerability, June 2012) and KB4534251 (2020-01 Cumulative Security Update for Internet Explorer 11 for Windows 7).
The Windows Update Catalog shows that KB2685939 has been superseded multiple times, BUT, none of the listed replacement packages is on the list of updates that Windows Update wants to install, AND all of them were released after the Win7 EOL in Jan 2020. I'm thinking that it's been superseded by KB4535102, which is the 2020-01 Security and Quality Rollup for .NET Framework, so would be the last update for Win7, and is offered by WU (see below).
The remaining updates are as follows:
KB2491683 - Security Update for Windows 7 (Fax Cover Page Editor, only installed if editor is installed)
KB2506212 - Security Update for Windows 7 (Fax Cover Page Editor, all affected OSes)
KB2620704 - Security Update for Windows 7 (Windows Mail and Meeting Space remote code execution)
KB3011780 - Security Update for Windows 7 (Kerberos vulnerability)
KB3021674 - Security Update for Windows 7 (Windows User Profile Service vulnerability)
KB4054518 - 2017-12 Security Monthly Quality Rollup for Windows 7
KB4534310 - 2020-01 Security Monthly Quality Rollup for Windows 7
WU offers all of those, but also these:
KB4041083 - 2017-09 Security and Quality Rollup for .NET Framework 3.5.1, 4.5.2, 4.6, 4.6.1, 4.6.2, 4.7
KB4049016 - 2017-11 Security and Quality Rollup for .NET Framework 3.5.1, 4.5.2, 4.6, 4.6.1, 4.6.2, 4.7
KB4535102 - 2020-01 Security and Quality Rollup for .NET Framework 3.5.1, 4.5.2, 4.6, 4.6.1, 4.6.2, 4.7, 4.7.1, 4.7.2, 4.8
Lastly, there are some 57 other non-security updates which WU offers, but those fall out of WSUS Offline's scope and I'll probably just download them and install them with an automated batch script (unless anyone has any better ideas).
So, the questions I have are:
1) Why isn't WSUSOffline downloading those nine updates?
2) Should WSUSOffline be offering the three .NET security rollups?
In addition, I'm finding that I have to run WSUSO multiple times to get all the updates installed, even though I have the automatic reboot and show log options enabled. It runs, reboots a couple of times, then quits out showing the low. Additional runs find other updates to install. This doesn't seem right?
I appreciate everyone's time and patience as always.
			Current configuration:
- WSUSOfflineCE 11.9.11hf5
--- Last updated 30/Oct/23
--- Windows 7 x86 and x64 only
Download log for this instance is here (PasteBin).
Installation procedure:
- Windows 7 x64
- Drivers
- WSUSOffline
- Windows Update
Installation log for WSUS Offline is here.
It's a long log, so below are some notes of interest. It's also worth noting that a load of the installs failed with 1642 error, but that's ok - update not required for this computer.
- Code: Select all
- 03/11/2023 1:18:58.60 - Info: Listed ids of missing updates
 03/11/2023 1:19:00.11 - Info: Listed ids of installed updates
 03/11/2023 1:19:00.23 - Warning: Update kb2491683 (id: b89ec71a-1103-4ea7-b123-1c4d2e23f97a) not found
 03/11/2023 1:19:00.23 - Warning: Update kb2685939 (id: 5fc16654-0e03-40ca-a39e-5187b26c378e) not found
 03/11/2023 1:19:00.23 - Warning: Update kb2506212 (id: f76f5a9c-8325-4256-a632-654f153704b4) not found
 03/11/2023 1:19:00.23 - Warning: Update kb2620704 (id: 939403e9-f009-4244-b259-b5c1b003a1d3) not found
 03/11/2023 1:19:00.23 - Warning: Update kb3011780 (id: 22e8f446-ab25-4687-b724-9d0a3a123f00) not found
 03/11/2023 1:19:00.23 - Warning: Update kb3021674 (id: e8c8bfc5-cadb-4b5a-8ebe-340b78b76a6b) not found
 03/11/2023 1:19:00.23 - Warning: Update kb4054518 (id: 8fde14d1-2fd6-4705-b2ab-b2aaf1aa7a05) not found
 03/11/2023 1:19:00.23 - Warning: Update kb4534251 (id: 3c998415-659d-41e9-8da0-21de1270d66f) not found
 03/11/2023 1:19:00.23 - Warning: Update kb4534310 (id: 5512bdce-73de-49dd-bcdd-da0c2432d00e) not found
Of those updates, none appear in the download log, so I'm not quite sure why WSUSO is looking for them. When I looked at the updates WU wanted to install, all but two of them were present - KB2685939 (Security update, RDP vulnerability, June 2012) and KB4534251 (2020-01 Cumulative Security Update for Internet Explorer 11 for Windows 7).
The Windows Update Catalog shows that KB2685939 has been superseded multiple times, BUT, none of the listed replacement packages is on the list of updates that Windows Update wants to install, AND all of them were released after the Win7 EOL in Jan 2020. I'm thinking that it's been superseded by KB4535102, which is the 2020-01 Security and Quality Rollup for .NET Framework, so would be the last update for Win7, and is offered by WU (see below).
The remaining updates are as follows:
KB2491683 - Security Update for Windows 7 (Fax Cover Page Editor, only installed if editor is installed)
KB2506212 - Security Update for Windows 7 (Fax Cover Page Editor, all affected OSes)
KB2620704 - Security Update for Windows 7 (Windows Mail and Meeting Space remote code execution)
KB3011780 - Security Update for Windows 7 (Kerberos vulnerability)
KB3021674 - Security Update for Windows 7 (Windows User Profile Service vulnerability)
KB4054518 - 2017-12 Security Monthly Quality Rollup for Windows 7
KB4534310 - 2020-01 Security Monthly Quality Rollup for Windows 7
WU offers all of those, but also these:
KB4041083 - 2017-09 Security and Quality Rollup for .NET Framework 3.5.1, 4.5.2, 4.6, 4.6.1, 4.6.2, 4.7
KB4049016 - 2017-11 Security and Quality Rollup for .NET Framework 3.5.1, 4.5.2, 4.6, 4.6.1, 4.6.2, 4.7
KB4535102 - 2020-01 Security and Quality Rollup for .NET Framework 3.5.1, 4.5.2, 4.6, 4.6.1, 4.6.2, 4.7, 4.7.1, 4.7.2, 4.8
Lastly, there are some 57 other non-security updates which WU offers, but those fall out of WSUS Offline's scope and I'll probably just download them and install them with an automated batch script (unless anyone has any better ideas).
So, the questions I have are:
1) Why isn't WSUSOffline downloading those nine updates?
2) Should WSUSOffline be offering the three .NET security rollups?
In addition, I'm finding that I have to run WSUSO multiple times to get all the updates installed, even though I have the automatic reboot and show log options enabled. It runs, reboots a couple of times, then quits out showing the low. Additional runs find other updates to install. This doesn't seem right?
I appreciate everyone's time and patience as always.
