WARNING: cannot verify download.wsusoffline.net's certificat

Re: WARNING: cannot verify download.wsusoffline.net's certif

Postby boco » 06.05.2020, 05:58

Security-only updates are never cumulative on the update level, you need to install each and every one that was released. Note that they might supersede older packages on component level (inside the SXS/component store). The WUA will handle that, internally.

ESU updates are like a chain, each month's SSU enables receiving the next month's ESU patches. This might lead to the odd situation where you need to ignore the "All done" message from WOU and keep rebooting and retrying until there really isn't anything left to install.

The last thing you should get without the ESU license is the January's CU (or SecOnly+IE11 updates), the January .NET updates, and (possibly), the ESU license prep package. Additionally, you might receive further SSUs as they seem to be public (might be that they act as repair for stuck ESU licenses or packages). WU will also give you the fix for the Wallpaper handling they fudged up with the Jan packages.
Well, that's it for non-ESU machines.
Microsoft update catalog: http://catalog.update.microsoft.com/v7/site/
Windows Install media download: https://support.microsoft.com/en-us/help/15088/windows-create-installation-media
boco
 
Posts: 2398
Joined: 24.11.2009, 17:00
Location: Germany

Re: WARNING: cannot verify download.wsusoffline.net's certif

Postby lioninstreet » 13.05.2020, 03:23

Thank you gentlemen for all the input and comments. I'm seeing my posts could be more concise so after confirming my data, it's probably best if I summarize what I'm seeing and post the spreadsheet based on the download & install runs I put together. Not sure if any of this is on purpose or if some of what I'm seeing are tool errors, just passing along observations by comparing what the tool downloads and installs.

1. NET 3.5.1 updates between 2015-05 & 2017-04 not installing
2. When downloading (selecting security only downloads), 303 updates up to and including 2020-01 are being downloaded. Only 159 of those are installing.
3. When downloading (security only downloads selected), all Security only Quality Updates are downloaded. However during the install run, 4 are not installed (kb3212642, kb4056897, kb4074587, kb4088878). These 4 do not show as superseded per update catalog and are not installed in further runs either.
4. The 2020-01 IE Cumulative Security Update does not download
5. The 2015-01 Security Update kb3021674 (Vulnerability in User Profile Svc.) does not download. It is replaced by the 2020-02 Security only Rollup that does not apply to systems unless the an ESU license is active.
6. There are a total of 13 .NET Security Quality Rollups & Security Only Updates dated between 2015-01 to 2020-01 that do not download. Of those, these 10 are not superseded (kb4014985, kb4019108, kb4041090, kb4099637, kb4340004, kb4345679, kb4471981, kb4487121, kb4498961, & kb4507411. Originally I thought these would be addressed by the 2020-01 .NET Rollup, but kb4534976, kb4535102 were not found either. In addition, .NET update kb4041083 that was not found. it is replaced by an update (kb4055432) but that one was not part of the download so not installed either.
7. The 2020-02 SSU installs 2x (once on install run 5, then again on install run 8)
8. When downloading (security only downloads selected), included are Security Quality Monthly Rollups. Other than adding about 2gb to the instance, I'm not sure if this is causing further install issues.
9. When downloading (security only downloads selected), kb3191566 is not downloaded so doesn't install.

It might help to have a visual reference so my comments are clearer. Ive uploaded a .xls spreadsheet showing the history here and the logs are shown on earlier posts.

https://www.dropbox.com/sh/1z94toy0g00huan/AAB-k2sv8Mn6RaegCGnfuRO1a?dl=0
lioninstreet
 
Posts: 108
Joined: 21.06.2018, 00:06

Re: WARNING: cannot verify download.wsusoffline.net's certif

Postby hbuhrmester » 13.05.2020, 06:53

2020-01 kb4534251 CSU IE11 - not downloaded
2020-04 CSU IE11 kb4550905 - downloaded


The update kb4534251 really is superseded. If you browse the Microsoft Update Catalog, it says, that it has been superseded by four newer updates:

2020-01 Kumulatives Sicherheitsupdate für Internet Explorer 11 für Windows 7 für x64-basierte System (KB4534251)

Dieses Update wurde durch die folgenden Updates ersetzt:
2020-02 Kumulatives Sicherheitsupdate für Internet Explorer 11 für Windows 7 für x64-basierte System (KB4537767)
2020-03 Kumulatives Sicherheitsupdate für Internet Explorer 11 für Windows 7 für x64-basierte System (KB4540671)
2020-04 Kumulatives Sicherheitsupdate für Internet Explorer 11 für Windows 7 für x64-basierte System (KB4550905)
2020-05 Kumulatives Sicherheitsupdate für Internet Explorer 11 für Windows 7 für x64-basierte System (KB4556798)

https://www.catalog.update.microsoft.com/Search.aspx?q=kb4534251

Note: click on the title in the left column and select package details in the popup window.


But you can't install the newer versions without the Extended Security Update (ESU) license.

https://support.microsoft.com/en-us/help/4534251/cumulative-security-update-for-internet-explorer
https://support.microsoft.com/en-us/help/4550905/cumulative-security-update-for-internet-explorer

There is an exception list ExcludeList-superseded-exclude.txt for cases, where you may need an older version. To add your own exceptions, create a file:

Code: Select all
exclude/custom/ExcludeList-superseded-exclude.txt


and add:

Code: Select all
windows6.1-kb4534251



5. The 2015-01 Security Update kb3021674 (Vulnerability in User Profile Svc.) does not download. It is replaced by the 2020-02 Security only Rollup that does not apply to systems unless the an ESU license is active.


This is a similar case. Also add:

Code: Select all
windows6.1-kb3021674


to the file exclude/custom/ExcludeList-superseded-exclude.txt.

Regards,
hbuhrmester
hbuhrmester
 
Posts: 525
Joined: 11.10.2013, 20:59

Re: WARNING: cannot verify download.wsusoffline.net's certif

Postby hbuhrmester » 14.05.2020, 14:16

From the last installation log in https://forums.wsusoffline.net/viewtopic.php?f=4&t=10183&start=10#p30885

Code: Select all
23:03:01.25 - Info: Starting WSUS Offline Update v. 11.9.1
23:03:01.26 - Info: Option /verify detected
23:03:01.29 - Info: Option /updatecpp detected
23:03:01.31 - Info: Option /instmssl detected
23:03:01.34 - Info: Option /updatercerts detected
23:03:01.35 - Info: Option /instdotnet4 detected
23:03:01.37 - Info: Option /updatetsc detected
23:03:01.40 - Info: Option /autoreboot detected
23:03:05.37 - Info: Found Microsoft Windows version 6.1.7601.18247 (w61 x64 enu sp1)


Somehow, I miss the option "/seconly" here. This option indicates, that security-only updates should be installed. If this option is not used, then the cumulative security and quality update rollups are installed (which is the default).

So please check the setting files UpdateGenerator.ini and UpdateInstaller.ini. I guess, that both still have the default option:

Code: Select all
seconly=Disabled


Then the explanation for kb4534310 is simple: This is the January 2020 cumulative update rollup, but it is superseded by the February, March and April update rollups.

https://support.microsoft.com/en-us/help/4009469/windows-7-sp1-windows-server-2008-r2-sp1-update-history

The February, March and April updates cannot be installed without the ESU license. To get the January update back, add the number kb4534310 to the file exclude/custom/ExcludeList-superseded-exclude.txt as described above. This assumes, that you really want this cumulative update rollup back.


If the option security-only is enabled in UpdateGenerator.exe, then the file client/exclude/HideList-seconly.txt will be applied:

  • During download, this file is used as an additional exclude list, which prevents all listed cumulative update rollups from being downloaded.
  • During installation, the listed updates, including kb4534310, will be hidden from the Windows Update agent. Therefore, this update should not be listed as "missing". If present, it will not be installed. It shouldn't appear at all in the installation log.

Regards,
hbuhrmester
hbuhrmester
 
Posts: 525
Joined: 11.10.2013, 20:59

Re: WARNING: cannot verify download.wsusoffline.net's certif

Postby lioninstreet » 18.05.2020, 01:15

hbuhrmester wrote:Somehow, I miss the option "/seconly" here. This option indicates, that security-only updates should be installed. If this option is not used, then the cumulative security and quality update rollups are installed (which is the default).

So please check the setting files UpdateGenerator.ini and UpdateInstaller.ini. I guess, that both still have the default option:

Code: Select all
seconly=Disabled


Thank you for your feedback hbuhrmester (dali, boco and aker). The code shows seconly=Disabled but I did have the security only option selected. Bearing in mind this install does not include the ESU license, first might be for me to try another bare metal install and see if this is a one time bug. I will do that hopefully sometime this week unless you have a different suggestion.

Perhaps there are others that could offer suggestions regarding the other behavior points I noted?
lioninstreet
 
Posts: 108
Joined: 21.06.2018, 00:06

Re: WARNING: cannot verify download.wsusoffline.net's certif

Postby hbuhrmester » 18.05.2020, 20:05

The code shows seconly=Disabled but I did have the security only option selected. Bearing in mind this install does not include the ESU license, first might be for me to try another bare metal install and see if this is a one time bug. I will do that hopefully sometime this week unless you have a different suggestion.


Then start all over with a new download run, because the UpdateInstaller.exe inherits this setting from the UpdateGenerator.exe.

https://forums.wsusoffline.net/viewtopic.php?f=4&t=8683#p27372



2018-01 kb4056897
2018-02 kb4074587
2018-03 kb4088878


That was about the time, when the Spectre and Meltdown vulnerabilities were discovered. These were bugs in the CPUs themselves, in the way the internal cache worked. It was first discovered for Intel CPUs, and the first patches in early 2018 were for Intel CPUs only.

So, if you happen to have an AMD CPU, these may not be for you. AMD processors had similar vulnerabilities, but these were described and fixed later.

https://en.wikipedia.org/wiki/Spectre_(security_vulnerability)
https://en.wikipedia.org/wiki/Meltdown_(security_vulnerability)

There was also the issue, that you had to set a registry key "ALLOW REGKEY", to install these updates. This was for compatibility with third-party virus scanners and solved in April 2018. So maybe the April update had to be installed first, and then the January, February and March updates could be installed?

https://support.microsoft.com/en-us/help/4056897/windows-7-update-kb4056897
https://support.microsoft.com/en-us/help/4074587/windows-7-update-kb4074587
https://support.microsoft.com/en-us/help/4088878/windows-7-update-kb4088878



In Windows 7, you get the .NET Framework 3.5 pre-installed. WSUS Offline Update installed .NET Framework 4.8 as the latest available version. Thus, you only need updates for the .NET Framework versions 3.5 and 4.8.

Many updates for the .NET Framework versions 4.5, 4.6 and 4.7 just don't apply.

Regards,
hbuhrmester
hbuhrmester
 
Posts: 525
Joined: 11.10.2013, 20:59

Re: WARNING: cannot verify download.wsusoffline.net's certif

Postby lioninstreet » 20.05.2020, 04:07

hbuhrmester wrote:
The code shows seconly=Disabled but I did have the security only option selected. Bearing in mind this install does not include the ESU license, first might be for me to try another bare metal install and see if this is a one time bug. I will do that hopefully sometime this week unless you have a different suggestion.
Then start all over with a new download run, because the UpdateInstaller.exe inherits this setting from the UpdateGenerator.exe.
https://forums.wsusoffline.net/viewtopic.php?f=4&t=8683#p27372

hbuhrmester wrote:This means, that now both full quality update rollups and security-only updates are downloaded by default.


OK, on clean install w7sp1, fresh download run selecting Sec only updates, then install run (autorecall/reboot).

So far on questions:
hbuhrmester wrote:
lioninstreet wrote:1. NET 3.5.1 (only) updates between 2015-05 & 2017-04 not installing

In Windows 7, you get the .NET Framework 3.5 pre-installed. WSUS Offline Update installed .NET Framework 4.8 as the latest available version. Thus, you only need updates for the .NET Framework versions 3.5 and 4.8.

Looking closer at the download log, the tool is actually downloading the .NET 3.5 (only) updates as far back as between 2012-07 that are not superseded. I'm seeing some being installed, some not. Is that intentional & is there anything I can do on my end so the tool will install them for me
hbuhrmester wrote:
lioninstreet wrote:3. When downloading (security only downloads selected), all Security only Quality Updates are downloaded. However during the install run, 4 are not installed
kb3212642
kb4056897
kb4074587
kb4088878
These 4 do not show as superseded per update catalog and are not installed in further runs either.
2018-01 kb4056897
2018-02 kb4074587
2018-03 kb4088878

That was about the time, when the Spectre and Meltdown vulnerabilities were discovered. These were bugs in the CPUs themselves, in the way the internal cache worked. It was first discovered for Intel CPUs, and the first patches in early 2018 were for Intel CPUs only.

So, if you happen to have an AMD CPU, these may not be for you. AMD processors had similar vulnerabilities, but these were described and fixed later. There was also the issue, that you had to set a registry key "ALLOW REGKEY", to install these updates. This was for compatibility with third-party virus scanners and solved in April 2018. So maybe the April update had to be installed first, and then the January, February and March updates could be installed?

This is good information I had overlooked. I will be able to use it.

Unfortunately on this particular install, no antivirus had been installed yet and it uses an Intel processor. Was there anything particular about the 2017-01 Security only Quality Update causing it to download but not install? At the end of the day, these 4 Security only Quality Update not installing are still at question

------------------------------------------------------------------------------------------
hbuhrmester wrote:
lioninstreet wrote:[4. The 2020-01 IE Cumulative Security Update does not download
5. The 2015-01 Security Update kb3021674 (Vulnerability in User Profile Svc.) does not download.
There is an exception list ExcludeList-superseded-exclude.txt for cases, where you may need an older version. To add your own exceptions, create a file...

Understood, Thank you for the solution

-----------------------------------------------------------------------------------------

hbuhrmester wrote:
lioninstreet wrote:6. There are a total of 13 .NET Security Quality Rollups & Security Only Updates dated between 2015-01 to 2020-01 that do not download. Of those, these 10 are not superseded (kb4014985, kb4019108, kb4041090, kb4099637, kb4340004, kb4345679, kb4471981, kb4487121, kb4498961, & kb4507411. Originally I thought these would be addressed by the 2020-01 .NET Rollup, but kb4534976, kb4535102 were not found either. In addition, .NET update kb4041083 that was not found. it is replaced by an update (kb4055432) but that one was not part of the download so not installed either.

WSUS Offline Update installed .NET Framework 4.8 as the latest available version. Thus, you only need updates for the .NET Framework versions 3.5 and 4.8. Many updates for the .NET Framework versions 4.5, 4.6 and 4.7 just don't apply.

Makes sense. On further study, the first 10 above appear to update 4.5, 4.6, & 4.7 as you noted, but also contain content to update 3.5. This is similar for the 2020-01 .NET update & rollup kb4534976 & kb4535102. All these should still be avoided as unnecessary?

---------------------------------------------------------------------------------------

Between the above open detail and other posts I found to provide answer, I'm left with one other questions open.

lioninstreet wrote:2. When downloading (selecting security only downloads), 303 updates up to and including 2020-01 are being downloaded. Only 159 of those are installing. A difference this large seems unusual.
9. When downloading (security only downloads selected), kb3191566 is not downloaded so doesn't install.


Thanks everyone for the help. It's quite a learning curve for me.
lioninstreet
 
Posts: 108
Joined: 21.06.2018, 00:06

Re: WARNING: cannot verify download.wsusoffline.net's certif

Postby hbuhrmester » 20.05.2020, 13:51

Was there anything particular about the 2017-01 Security only Quality Update causing it to download but not install? At the end of the day, these 4 Security only Quality Update not installing are still at question


WSUS Offline Update lists kb3212642 as superseded in the file exclude/ExcludeList-superseded.txt, but not in the file exclude/ExcludeList-superseded-seconly.txt. The difference is, that the file client/static/StaticUpdateIds-w61-seconly.txt serves as an exception list for updates, which should not be treated as superseded, if security-only updates are selected.

This approach was once necessary: When the different update rollups were introduced, cumulative quality and security update rollups superseded the incremental security-only updates. Therefore, the superseded flag had to be removed, if security-only updates were selected. But that rule was removed by Microsoft after just one month. However, it is still the model, which is used in WSUS Offline Update.

kb3212642 seems to be a rare case, where a security-only update really is superseded. This is shown in the Microsoft Update Catalog:

January, 2017 Security Only Quality Update for Windows 7 for x64-based Systems (KB3212642)
Last Modified: 1/8/2017
Size: 6.2 MB

This update has been replaced by the following updates:
2019-03 Security Update for Windows 7 for x64-based Systems (KB4474419)
2019-08 Security Update for Windows 7 for x64-based Systems (KB4474419)
2019-09 Security Update for Windows 7 for x64-based Systems (KB4474419)

https://www.catalog.update.microsoft.com/Search.aspx?q=kb3212642


2019-09 Security Update for Windows 7 for x64-based Systems (KB4474419)
Last Modified: 9/9/2019
Size: 53.3 MB

This update replaces the following updates:
2019-08 Security Update for Windows 7 for x64-based Systems (KB4474419)
January, 2017 Security Only Quality Update for Windows 7 for x64-based Systems (KB3212642)
Security Update for Windows 7 for x64-based Systems (KB2868626)
Security Update for Windows 7 for x64-based Systems (KB3005607)
Security Update for Windows 7 for x64-based Systems (KB3033929)
Security Update for Windows 7 for x64-based Systems (KB3138962)
Security Update for Windows 7 for x64-based Systems (KB3153171)
Security Update for Windows 7 for x64-based Systems (KB3161561)
Security Update for Windows 7 for x64-based Systems (KB3167679)
Security Update for Windows 7 for x64-based Systems (KB3175024)
Security Update for Windows 7 for x64-based Systems (KB3177186)
Update for Windows 7 for x64-based Systems (KB3040272)
Update for Windows 7 for x64-based Systems (KB3156417)

https://www.catalog.update.microsoft.com/Search.aspx?q=KB4474419



kb4474419 is the SHA-2 code signing support update for Windows 7. The third revision (kb4474419-v3) for Windows 7 should be downloaded and installed:

http://download.windowsupdate.com/c/msdownload/update/software/secu/2019/09/windows6.1-kb4474419-v3-x64_748febffa79a7ae4286b16ff3c373baf344095e6.cab


The support pages for kb3212642 or kb4474419 don't confirm, that kb3212642 is superseded, but rather suggest the opposite:

https://support.microsoft.com/en-us/help/3212642/january-2017-security-only-quality-update-for-windows-7-sp1-and-window
https://support.microsoft.com/en-us/help/4474419/sha-2-code-signing-support-update

But I think, that the Update Catalog has the better information.

So, WSUS Offline Update treats all security-only updates as "not superseded" and downloads them all, if security-only updates are selected, just for historical reasons. But if one particular update really is superseded, it will not be installed.


Regards,
hbuhrmester
hbuhrmester
 
Posts: 525
Joined: 11.10.2013, 20:59

Previous

Return to Installation / Updating

Who is online

Users browsing this forum: No registered users and 233 guests