Include only Security Updates


Post by IBU » 26.09.2014, 10:52

Is there a way to configure WSUS Offline to download and install ONLY Security Updates?
For example, for Windows Server 2008 SP2 64-bit I use the following settings:

WSUS Offline Updater 9.4 - unchecked options:
- Include Service Packs
- Include C++ Runtime Libraries and .NET Frameworks
- Include Microsoft Security Essentials
- Include Windows Defender definitions

UpdateInstaller config file options:
[Installation]
backup=Disabled
updatercerts=Disabled
instie7=Disabled
instie8=Disabled
instie9=Disabled
instie10=Disabled
instie11=Disabled
updatecpp=Disabled
instmssl=Disabled
instdotnet35=Disabled
instdotnet4=Disabled
instpsh=Disabled
instwmf=Disabled
instmsse=Disabled
updatetsc=Disabled
instofv=Disabled
all=Disabled
excludestatics=Disabled
skipdynamic=Disabled
[Control]
verify=Enabled
autoreboot=Enabled
shutdown=Disabled
[Messaging]
showlog=Disabled
[MSI]



These settings install ALL Security Updates, but ALSO several Security Advisories and 1 non-security update.
Is there any setting to include and install all security updates but nothing else?
Thank you a lot for any hints!

M.

Re: Include only Security Updates

Post by harry » 26.09.2014, 13:42

Please see .\doc\faq-enu.txt:
.\doc\faq-enu.txt wrote:
Q: Can I exclude patches from download and/or installation?
A: Yes, that's possible through customizing the download- and update scripts according to your requirements. You may add new patches or exclude existing ones. Please follow this guide:

1. Exclude patches from download
You have to differentiate between statically defined updates (like the latest Service Packs, for example) and updates that are determined dynamically at runtime of the script.

a) Statically defined updates
Should you desire to exclude all static updates from download, simply check the "Exclude statically defined updates" checkbox inside the Update Generator before downloading. Please be aware that updates you downloaded earlier, which are now excluded, will be deleted on the run.

b) Dynamically determined updates
To exclude dynamically determined updates from download, insert their knowledge base ID (KBxxxxxx or simply xxxxxx) into the matching exclude file named "ExcludeList-<platform>[-<architecture>].txt".

2. Excluding updates from installation
Once again you have to make a difference between statically defined and dynamically determined updates.
a) Statically defined updates
The statically defined updates (latest version each) are:
- Service Pack (SP)
- Windows Update Agent (WUA)
- Microsoft Installer (MSI)
- Windows Script Host (WSH)
- Internet Explorer (IE)
These updates will be installed only if the version installed on the target system is lower than the versions defined in the file "SetTargetEnvVars.cmd" (directory .\client\cmd). If you generally want to prevent installation of one of those updates, you have to modify the expected values in the "SetTargetEnvVars.cmd" or insert jump marks into the "DoUpdate.cmd" (which controls the installation process). You should do this in very special cases only, as with SP, WUA, MSI and WSH, certain versions are required as preconditions.
b) Dynamically determined updates
To exclude dynamically determined updates from installation, insert their knowledge base ID (KBxxxxxx or simply xxxxxx) into the file "ExcludeList.txt" (directory .\client\exclude). These updates will now be ignored; and you'll receive a warning in the log.

The following updates are already excluded:
- kb816093 (Security update for Microsoft VM)
- kb951847 (.NET Framework 3.5 SP1 Family Update (will be explicitly installed if selected))
- kb890830 (Windows Malicious Software Removal Tool (MSRT))
- kb931125 (Trusted Root Certificates (will be explicitly updated if selected))
- kb2917500 (Revoked Root Certificates (will be explicitly updated if selected))
- kb926874 (Internet Explorer 7 (will be explicitly installed if selected))
- kb940767 (Internet Explorer 7 (will be explicitly installed if selected))
- kb944036 (Internet Explorer 8 (will be explicitly installed if selected))
- kb982861 (Internet Explorer 9 (will be explicitly installed if selected))
- kb2718695 (Internet Explorer 10 (will be explicitly installed if selected))
- kb2841134 (Internet Explorer 11 (will be explicitly installed if selected))
- kb976002 (Browser Choice)
- kb923618 (Office 2003 Service Pack 3 (will be implicitly installed if required))
- kb2526086 (Office 2007 Service Pack 3 (will be implicitly installed if required))
- kb2687455 (Office 2010 Service Pack 2 (will be implicitly installed if required))
- kb2817430 (Office 2013 Service Pack 1 (will be implicitly installed if required))
- kb936929 (Windows XP Service Pack 3 (will be implicitly installed if required))
- kb914961 (Windows Server 2003 Service Pack 2 (will be implicitly installed if required))
- kb936330 (Windows Vista Service Pack 1 (will be implicitly installed if required))
- kb948465 (Windows Vista Service Pack 2 (will be implicitly installed if required))
- kb976932 (Windows 7 Service Pack 1 (will be implicitly installed if required))

Please be aware that excluding updates may have an impact on the security of your PC.

So you have to enter the KBs you don't want to install in the file .\client\exclude\custom\ExcludeList.txt. Please don't forget a trailing <CR><LF>.

Re: Include only Security Updates

Post by IBU » 26.09.2014, 13:59

Hi harry,

thank you for the referral to the FAQ file.
I know about the possibility to define a static list of excluded patches.
However, what I would like to achieve is to have a configuration that automatically downloads and installs ONLY security updates.
That should be performed every month for several OS versions without manually including / excluding any KB numbers.
But maybe I want too much :-)
Thanks for an answer!

M.

Re: Include only Security Updates

Post by WSUSUpdateAdmin » 26.09.2014, 14:39

Please note viewtopic.php?f=7&t=172: "[...], WSUS Offline Update uses Microsoft's update catalog file wsusscn2.cab to dynamically determine the required patches. This catalog file contains at least all the updates classified as "critical" and "security relevant",[...]".

One should trust the vendor with this, I guess...

RTW

Re: Include only Security Updates

Post by IBU » 26.09.2014, 15:20

Thank you for an answer Admin,

indeed, I've seen that description, and agree - one should trust the vendor with this.
There is only one tricky thing in the description:
'This catalog file contains AT LEAST all the updates classified as "critical" and "security relevant"'
Which means all updates classified as critical and security relevant (which is great), but it can and it does include at least 1 "non-critical" "non security" relevant update.
I am just trying to understand how exactly WSUS Offline works compared to direct Windows Update installing "Important updates" and skipping "Recommended updates".
Thank you again for any further explanation - if there is some :-)

M.

Re: Include only Security Updates

Post by aker » 26.09.2014, 21:32

As long as Microsoft lists them in wsusscn2.cab, there is no other way to exclude them. wsusou does not determine the updates on its own. wsusou feeds the wsusscn2.cab to the Windows Update Agent and parses the result it returns.
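
What aker describes, handing wsusscn2.cab to the Windows Update Agent and reading its answer, can be reproduced to see which pending updates carry no security classification and, optionally, to append them to the exclude file harry mentions. This is an added example, not part of the original thread or of WSUS Offline Update; the classification rule, the script parameters and the service label are assumptions, and it expects an elevated PowerShell 3.0 or later session.

```powershell
# Added example, not part of WSUS Offline Update. Run in an elevated session.
param(
    [Parameter(Mandatory=$true)][string]$CabPath,   # full path to a downloaded wsusscn2.cab
    [string]$ExcludeFile = '.\client\exclude\custom\ExcludeList.txt',   # file named in harry's post
    [switch]$Write                                  # without -Write the script only reports
)

# Register the catalog as a temporary offline scan source for the Windows Update Agent.
$manager = New-Object -ComObject Microsoft.Update.ServiceManager
$service = $manager.AddScanPackageService('Offline catalog audit', (Resolve-Path $CabPath).Path, 1)
try {
    $searcher = (New-Object -ComObject Microsoft.Update.Session).CreateUpdateSearcher()
    $searcher.ServerSelection = 3                   # ssOthers: use the service named below
    $searcher.ServiceID = $service.ServiceID
    $found = $searcher.Search('IsInstalled=0').Updates

    $report = @(foreach ($u in $found) {
        $cats = @($u.Categories | ForEach-Object { $_.Name })
        [pscustomobject]@{
            KB        = @($u.KBArticleIDs | ForEach-Object { "kb$_" }) -join ','
            Bulletins = @($u.SecurityBulletinIDs) -join ','
            Severity  = $u.MsrcSeverity
            # Assumed rule: a bulletin ID or the "Security Updates" category marks a security update.
            Security  = ($u.SecurityBulletinIDs.Count -gt 0) -or ($cats -contains 'Security Updates')
            Title     = $u.Title
        }
    })
    $report | Sort-Object Security, KB | Format-Table -AutoSize

    if ($Write) {
        # Resolve the target path even if the file does not exist yet.
        $target = $ExecutionContext.SessionState.Path.GetUnresolvedProviderPathFromPSPath($ExcludeFile)
        $old = if (Test-Path $target) { @(Get-Content $target) } else { @() }
        $new = @($report | Where-Object { -not $_.Security -and $_.KB } |
                 ForEach-Object { $_.KB -split ',' })
        $all = @($old + $new | Where-Object { $_ -match '\S' } |
                 ForEach-Object { $_.Trim() } | Sort-Object -Unique)
        if ($all.Count -gt 0) {
            # Every entry, the last one included, ends in CR LF.
            [IO.File]::WriteAllText($target, (($all -join "`r`n") + "`r`n"))
        }
    }
}
finally {
    $manager.RemoveService($service.ServiceID)      # unregister the temporary scan source
}
```

Review the table before running with -Write: an update that lacks a bulletin ID may still be one you want installed.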

Re: Include only Security Updates

Post by IBU » 10.10.2014, 10:04

Thank you Aker for the explanation.
One more question to clarify it completely:
Is there a way to configure WSUS in a way that it excludes all updates and includes only a list of specified KB numbers?
In other words - can I use my own white list of updates that I want to download?
Thank you again!

Re: Include only Security Updates

Post by Gerby » 10.10.2014, 15:55

Hello M.!

faq-enu.txt wrote:
Q: Can I skip the dynamic update determination during downloading/installation in order to use my static definitions only?
A: Yes.
To avoid dynamic update URL determination during download, add "skipdynamic=Enabled" to the [Miscellaneous] section of your UpdateGenerator.ini file.
To avoid dynamic update ID determination during installation, set "skipdynamic=Enabled" in the [Installation] section of your UpdateInstaller.ini file.


Greetings
Gerby