forums.wsusoffline.net

[rbronca]

Recent .Net patches for these OS's require Kb4019990 to be installed beforehand.
I believe this also applies to Windows 7.

https://support.microsoft.com/en-au/hel ... 1-to-4-7-2

"All updates for .NET Framework 4.7.2, 4.7.1, 4.7, 4.6.2, 4.6.1, and 4.6 require that the d3dcompiler_47.dll update is installed. We recommend that you install the included d3dcompiler_47.dll update before you apply this update. For more information about the d3dcompiler_47.dll, see KB 4019990."

Also, making an edited copy of StaticUpdateIds-wupre-w61.txt and StaticUpdateIds-wupre-w62.txt in the custom directory doesn't appear to override the existing version in the static directory.

Keep up the great work!!

[Dalai]

Well, I don't see a need to change anything. KB4019990 is included in the offline installers of .NET Framework 4.7.2 and 4.7.1 (*). WSUS Offline (currently) downloads and installs .NET 4.7.2, so it correctly assumes that KB4019990 is installed (or will be installed alongside .NET 4.x) - and thus d3dcompiler_47.dll is present - when you install .NET Framework 4.x and its updates via WSUS Offline.

*) You can see that when you open NDP472-KB4054530-x86-x64-AllOS-ENU.exe or NDP471-KB4033342-x86-x64-AllOS-ENU.exe with an archiver like 7zip or WinRAR. There are several files that have the "KB4019990" part in their names.

Regards
Dalai

[rbronca]

I had originally expected that too, but the kb4019990 patch isn't being installed, blocking the .net patches from installing.
PowerShell get-hotfixes doesn't show kb4019990 listed with the default prereqs.
Add kb4019990 to the prereqs and it does get installed.

[Dalai]

Please check in Control Panel > Programs and Features > View installed updates if KB4019990 is installed after installing .NET 4.7.2. Please also specify which OS you're testing on.

I installed .NET 4.7.2 (via my own scripts) in a Win7 x64 VM and KB4019990 is present after doing so.

Regards
Dalai

[rbronca]

Thank you Dalia for checking, This is much appreciated.
I have back tracked, and have rechecked everything.

I can confirm my previous comments are accurate. For W2K8 R2 using either the quality rollup or security only paths, without adding kb4019990 to the prereqs, it isn't installed.
(I checked both Powershell get-hotfixes and Control Panel, Uninstall an update).

Rerunning wsusoffline comes up with nothing to do.

A scan using the current wsusscn2.cab shows 2019-02 kb448078 and 2017-09 kb4041083 are missing. Both are .Net Quality rollups that should have been installed.
Checking the sub patches for KB448078 shows that kb4483451 is missing on the server.
(The .Net framework version for this server is 461814 - 4.7.2)

The builds with kb4019990 as a prereq come up clean.

I'm still reviewing the W2K12 details. I will report back again when those builds are finished.

[Dalai]

Are your machines completely offline while you install .NET Framework and its updates? If so, it might be an issue with a missing (Microsoft) Root certificate.

PS: My VM doesn't have internet access (which might have been the case before), but I installed the mentioned MS Root cert previously.

Regards
Dalai

[rbronca]

Yes, these VM's are completely isolated from the internet.

I can confirm that adding the root certs as per here: http://woshub.com/updating-trusted-root ... indows-10/ "The List of Root Certificates in STL Format" didn't change that kb4019990 was not being installed for W2K8R2 without it being added to the prereqs.

I'm currently testing a number of VM's with the certs installed and the additional pre-req to see if that resolves other issues I'm seeing that are likely due to the certs.
I will report back my findings.

It maybe a worthwhile addition to wsusoffline to have the option to download both the latest certs and disallowed certs and run certutil to update them.

[boco]

The problem is that there isn't any official place to download the certs in a format that can be understood by certutil.

@dev: Wouldn't it be possible to include the skeleton/core functionality for updating the certs into WOU, but not include the certs itself in the download? The user would then have to download and prepare the certs and place them into a special directory. When run, WOU installs them and all problems solved. Celebrate!

Sounds good?

[Dalai]

I'll do more tests myself with Windows 7 because I can't believe that Server 2008 R2 behaves any different than Win7 (it's NT 6.1 after all).

Adding an ability to update certificates would definitely help in certain situations, although I'm not sure how it would work.

Regards
Dalai

[Dalai]

Alright, I made some more tests. Here's what I did:

1. Created a new VM
2. Installed Win7 x64 SP1 in the new VM. The system was installed in an unattended manner with network settings that do not allow internet access (invalid gateway)
3. Installed KB4490628 (SSU, March 2019), KB3172605 (Rollup July 2016) and KB4474419 (SHA-2 code signature update, March 2019) - in this order, and all of them were installed during the first Administrator logon of the unattended Windows installation
4. Installed .NET Framework 4.7.2 via my own script (switches /passive /norestart /lcid 1033) and the German language pack

Here's what I got:

Code: Select all

C:\Users\Administrator>powershell -noprofile -command get-hotfix

Source        Description      HotFixID      InstalledBy          InstalledOn
------        -----------      --------      -----------          -----------
PC-NAME       Update           KB917607      PC-NAME\Administr...
PC-NAME       Hotfix           KB2534111
PC-NAME       Update           KB3172605     PC-NAME\Administr...
PC-NAME       Security Update  KB4474419     PC-NAME\Administr...
PC-NAME       Update           KB4490628     PC-NAME\Administr...
PC-NAME       Update           KB976902      PC-NAME\Administr...

C:\Users\Administrator>powershell -noprofile -command get-hotfix | find 999
PC-NAME       Update           KB4019990     PC-NAME\Administr...


That the first run shows the state before the .NET installation and the second one the state afterwards. Conclusion: KB4019990 is definitely installed alongside .NET 4.7.2 on Windows 7, even if everything is installed completely offline.

Another observation I made during these tests: Both Root CAs "Microsoft Root Certificate Authority 2010" and "Microsoft Root Certificate Authority 2011" are installed by any of the three Windows updates mentioned above. I don't know which one exactly, and in the end it doesn't really matter, but it's certain that these CAs have not been downloaded from the internet.

Unfortunately I don't have installation DVDs for Server 2008 R2 and TechBench doesn't offer them, so it's currently impossible for me to tell if the results would be any different than on Win7.

Regards
Dalai