Seconly Mistake

Seconly Mistake

Postby Robou » 18.08.2017, 11:22

Version 11.0.1, both ini-files hold seconly=Enabled.
On 10-8-2017 both KB4034679 (Security) and KB4034664 (Quality rollup) are downloaded.
Not much of a problem if it were not for the fact that KB4034664 is installed!
This happened on two locations and it made it necessary to use dism.exe in order to correct the problem.

Could anyone explain what may have caused this phenomenon and tell me how to avoid this in the future?
Robou
 

Re: Seconly Mistake

Postby Dalai » 18.08.2017, 13:25

Well, first you should find out who installed the rollup packages, which is easy to do: check C:\Windows\wsusofflineupdate.log. If it's not in there (other than it being set to hidden), it was probably installed by regular Windows Update.

Regards
Dalai
Dalai
 
Posts: 1041
Joined: 12.07.2016, 21:00

Re: Seconly Mistake

Postby hbuhrmester » 18.08.2017, 16:48

Quality and security-only updates cannot be differentiated automatically; they always need some manual configuration. Basically, quality updates belong in the file:

Code: Select all
wsusoffline/client/exclude/HideList-seconly.txt


Security-only updates belong in the files:
Code: Select all
wsusoffline/client/static/StaticUpdateIds-w61-seconly.txt
wsusoffline/client/static/StaticUpdateIds-w62-seconly.txt
wsusoffline/client/static/StaticUpdateIds-w63-seconly.txt


For August 2017, we have some new updates:

Windows 7 SP1 and Windows Server 2008 R2 SP1 update history
https://support.microsoft.com/en-us/hel ... te-history

August 8, 2017—KB4034664 (Monthly Rollup)
https://support.microsoft.com/en-us/hel ... -kb4034664

August 8, 2017—KB4034679 (Security-only update)
https://support.microsoft.com/en-us/hel ... -kb4034679


Windows Server 2012 update history
https://support.microsoft.com/en-us/hel ... te-history

August 8, 2017—KB4034665 (Monthly Rollup)
https://support.microsoft.com/en-us/hel ... -kb4034665

August 8, 2017—KB4034666 (Security-only update)
https://support.microsoft.com/en-us/hel ... -kb4034666


Windows 8.1 and Windows Server 2012 R2 update history
https://support.microsoft.com/en-us/hel ... te-history

August 8, 2017—KB4034681 (Monthly Rollup)
https://support.microsoft.com/en-us/hel ... -kb4034681

August 8, 2017—KB4034672 (Security-only update)
https://support.microsoft.com/en-us/hel ... -kb4034672
hbuhrmester
 
Posts: 525
Joined: 11.10.2013, 20:59

Re: Seconly Mistake

Postby Robou » 19.08.2017, 12:00

Thanks both for the interest in my post. But as no answer really hits the point I will be more precise.
1- On both the locations both the upgrades were downloaded notwithstanding the seconly is activated.
2- On both the locations both the upgrades were (attempted to) being installed.

Attempted to, because on one location I was saved by the bell:
wo 16-08-2017 14:40:13,47 - Info: Installed ..\w61\glb\windows6.1-kb4034679-x86_9dc5008be60160b2af31b4691064f7bd7d57c025.cab
wo 16-08-2017 14:44:13,82 - Warning: Installation of ..\w61\glb\windows6.1-kb4034664-x86_ff9212f7fb8c0d85f1341b0ad68c4828d32d734d.cab failed (errorlevel: 17)
The errorlevel is from dism.exe.
On the other location:
do 10-08-2017 23:14:07,86 - Info: Installed ..\w61-x64\glb\windows6.1-kb4034679-x64_86b5e4e495891e142450d3f4ebbda4a7abb69e12.cab
do 10-08-2017 23:18:00,85 - Info: Installed ..\w61-x64\glb\windows6.1-kb4034664-x64_f9b1078ad2d6d7d5e4a555ebd1dbbc786767cec7.cab

This clearly is not supposed to happen. So I will refrase my question:
What is it I am doing wrong or what is it I am missing in preventing this to happen.
Robou
 

Re: Seconly Mistake

Postby Dalai » 19.08.2017, 15:42

OK, I now see why this is happening: The SecOnly list must be changed every month (because nobody knows their KB numbers in advance). This hasn't happen in August so far, because the admin is ... well, he hasn't done it yet for personal reasons.

hbuhrmester already named the files that have to be changed, so you can add the rollup KB numbers and the SecOnly KB numbers to these files respectively. You can also wait for the admin to update the according files, but note that this may take some time (he'll be off for more than a week).

Regards
Dalai
Dalai
 
Posts: 1041
Joined: 12.07.2016, 21:00

Re: Seconly Mistake

Postby Robou » 19.08.2017, 18:04

Thank you. Now I will have to reorganise my brains.
The seconly parameter is apparently not what it suggests or promises as can be read in i.e. the under "References" cited article "WSUS Offline Update 10.9".
It needs additional labour, some lists need to be updated after thorough inspection of the downloaded updates.
These lists seem to be all located under client, so probably have no influence on the download.
The lists were updated without my doing from October 2016 through July 2017 (for obvious reason February is missing).

So far my observations after your helpful post.
My conclusion is to postpone the download as long as acceptable in order to allow WsusOffline to edit the lists.
Then run a script with "findstr" in order to check if the lists are updated.
When the running month is not found I will have to update the relevant lists.

When you find some rubbish here, would you please react?
Robou
 

Re: Seconly Mistake

Postby Dalai » 20.08.2017, 15:13

Robou wrote:It needs additional labour, some lists need to be updated after thorough inspection of the downloaded updates.

Normally it doesn't require any additional work for users of WSUS Offline. If the lists are updated in a timely manner, rollups are excluded from installation (and maybe download?).

These lists seem to be all located under client, so probably have no influence on the download.

Hm. I'm not sure. I use an older version that doesn't know about Rollups and Security-Only packages, so I maintain these lists (for) myself. Unfortunately the list files are different in the new versions so it wouldn't help anyone if I said what I do...

The lists were updated without my doing from October 2016 through July 2017 (for obvious reason February is missing).

Correct. WSUS Offline downloads the lists every time it runs and if they're newer than the local ones.

My conclusion is to postpone the download as long as acceptable in order to allow WsusOffline to edit the lists.

That's the easier way that doesn't require additional work on your side. The other way is to edit the lists yourself.

Then run a script with "findstr" in order to check if the lists are updated.

findstr is not really needed (date would be enough), on the other hand it makes sure unwanted updates don't get installed.

---

Perhaps it would be a good idea to write a HowTo (which files to edit, where to find the KB numbers, etc) for such situations so that users can help themselves at least.

Regards
Dalai
Dalai
 
Posts: 1041
Joined: 12.07.2016, 21:00

Re: Seconly Mistake

Postby hbuhrmester » 21.08.2017, 07:09

About the usage of the configuration files during download

The configuration files mentioned above:

Code: Select all
wsusoffline/client/exclude/HideList-seconly.txt
wsusoffline/client/static/StaticUpdateIds-w61-seconly.txt
wsusoffline/client/static/StaticUpdateIds-w62-seconly.txt
wsusoffline/client/static/StaticUpdateIds-w63-seconly.txt


are also used during download, but only if the option Use 'security only updates' instead of 'quality rollups' is selected in UpdateGenerator.exe.


Full quality updates preferred

By default, the option security only updates is not selected. Then the seconly configuration files are not applied. The download result is:

  • The latest full quality update rollup is downloaded. These update rollups are cumulative, so only the last one is needed.

  • All security only update rollups from October 2016 to August 2017 are downloaded. These updates are not cumulative, so all of them are needed.

This was different in November 2016: Only for that month, full quality updates superseded security only updates. This caused problems with WSUS Offline Update, when security only updates were needed, and it lead to the current implementation.

But it also caused problems with Microsoft's own configuration tools, and therefore it was revised the very next month:

More on Windows 7 and Windows 8.1 servicing changes

UPDATE: 12/5/2016: In November 2016, the Security Monthly Quality Rollups were released as superseding the Security Only Quality updates. This resulted in an impact to customers deploying the Security Only Quality updates, using tools that cannot easily deploy superseded updates, such as System Center Configuration Manager 2007. Based on customer feedback, this supersedence has been changed in December 2016. Please review the updates below if this impacts your deployment scenarios.

(...) UPDATED 12/5/2016: Starting in December 2016, monthly rollups will not supersede security only updates. The November 2016 monthly rollup will also be updated to not supersede security only updates. Installing the latest monthly rollup will ensure the PC is compliant for all security updates released in the new servicing model."

https://blogs.technet.microsoft.com/win ... g-changes/


With the mentioned supersedence in place, WSUS Offline Update didn't need to do anything special to exclude security only updates from download. But now, the download of both full quality and security only updates seems to be redundant. I don't know, if both sets of update rollups are actually installed.


Security only updates preferred

When the option security only updates is selected, the download results are:

  • Full quality update rollups are not downloaded. The file HideList-seconly.txt is used as an additional exclude list during download.

  • All security only update rollups are downloaded. WSUS Offline Update uses the file StaticUpdateIds-w61-seconly.txt as an exclude list override file, to mark the updates in this file as "not superseded". But this step doesn't seem to be necessary anymore.
hbuhrmester
 
Posts: 525
Joined: 11.10.2013, 20:59

Re: Seconly Mistake

Postby Robou » 21.08.2017, 10:11

The answers restored my faith, thank you both. Particularly hbuhrmester's prompt reaction on Dalai's remark about a HowTo was impressive.
Still some doubt remains. As for this moment the mentioned lists HideList-seconly.txt and StaticUpdateIds-w61-seconly.txt are not updated for August. This lets me hope that Admin's reason for not doing so is not too serious, on the other hand it leaves the seconly parameter useless for this month.
Security only and the full quality update rollup both are installed as is shown in my post on the 19th. So the well-thought machinery depends on the maintenance of these files.

This can fail, obviously. I will stick to my idea of a script starting UpdateInstaller only when the current month and year are mentioned in said files in order to prevent mishap and if not, knowing now where to pay attention to, update the files myself.

Besides, I wonder why this subject did not get more attention. Remember, a rollup is installed, all precautions taken from October 2016 are turned useless. And what an uninstall really affects, I do not dare to investigate.
Robou
 

Re: Seconly Mistake

Postby Dalai » 21.08.2017, 17:53

Robou wrote:This lets me hope that Admin's reason for not doing so is not too serious

No, it's nothing serious. He needs some time off, that's all.

on the other hand it leaves the seconly parameter useless for this month.

Yes, unfortunately.

So the well-thought machinery depends on the maintenance of these files.

Correct.

This can fail, obviously.

Yes, that's why I wrote that some kind of HowTo would be nice, so that, even in situations like this (list files not updated in time), users are able to help themselves. Another idea would be to set write access for other users/mods/admins to these files on the server, so that it doesn't depends on one person only to update them. But that's just some random ideas, I guess we'll have to wait for the admin to return and then we'll see what he thinks about it.

I will stick to my idea of a script starting UpdateInstaller only when the current month and year are mentioned in said files in order to prevent mishap

Actually I like this idea. Maybe this can even be implemented in WSUS Offline, depending on the Last Build date of the repos, of course, so the user could get a warning of some kind (although a chance to abort the installation process would probably be best).

Besides, I wonder why this subject did not get more attention.

It probably does now ;).

Regards
Dalai
Dalai
 
Posts: 1041
Joined: 12.07.2016, 21:00

Next

Return to Installation / Updating

Who is online

Users browsing this forum: No registered users and 57 guests