WSUS Offline Update Incomplete?

Topic

New Reply

Once Windows 8.1 was installed, I used the free WSUS Offline Update tool with another computer to install security-only Windows updates for Windows 8.1. The process was long but appeared to work well and many updates were installed on my W 8.1 computer. However, after the process finished, I checked the monthly list of security-only patches available on AskWoody’s site and found that 13 of them (from 2016-present) had not been installed. I then installed these manually. Then I went to Windows Updates on my 8.1 computer and scanned for updates, hiding any rollups or other unwanted patches. There were a few other important updates offered. I installed these then rescanned. More important updates were found. In fact, in the latest scan there were now 20 updates going back as far as 2015. I did not install these but wonder why WSUS Offline Update did not catch them.

My questions are:

1. Did WSUS Offline Update miss these, or did it reject them because they were superceded, not security related, etc.? I now have the dilemma of whether or not to install the new found updates, assume they are not necessary and skip them, or go through each of them to determine what they do, which would be very time consuming.

2. I only installed the latest (March, 2019) IE 11 update, assuming that because these updates are cumulative I don’t need the earlier patches listed each month on Woody’s site. Is this correct? Please note that WSUS Offline Update did not download IE 11 updates because I had “removed IE 11” in Windows Components (that is, the closest thing to removing IE on my computer).

The bottom line is after using WSUS Offline Update, do I need to add any other updates or can I consider the program to have done a thorough job to date? Any help would be appreciated.

Reply | Quote

Replies

anonymous wrote:

I used the free WSUS Offline Update tool with another computer to install security-only Windows updates for Windows 8.1. The process was long but appeared to work well and many updates were installed on my W 8.1 computer. However, after the process finished, I checked the monthly list of security-only patches available on AskWoody’s site and found that 13 of them (from 2016-present) had not been installed. I then installed these manually. Then I went to Windows Updates on my 8.1 computer and scanned for updates, hiding any rollups or other unwanted patches. There were a few other important updates offered. I installed these then rescanned. More important updates were found.

I assume by “monthly list of security-only patches” you mean a list of the monthly “Security-Only Quality Updates”. If it missed 13 of those, that would indeed be concerning. I use WSUS Offline Update almost exclusively to update Win7/8.1 clean installs, and it’s been my experience that WSUS Offline Update doesn’t normally miss those.

When you ran the UpdateGenerator step, did you tick the box to “Use ‘security-only updates’ instead of ‘quality rollups’?” When the UpdateInstaller step finished, were there any warnings in the WSUS log about KB files missing or not found? I wonder if the patches didn’t get downloaded in the first place.

I think WSUS Offline Update uses the same wsusscn2.cab file that Windows Update uses to determine which updates your system is missing, so it shouldn’t miss things, but it could help if you could determine whether the UpdateGenerator step failed to detect which patches it should download, vs. the UpdateInstaller step failing to determine which patches your system was missing. You can check the UpdateGenerator log (or simply peruse the client/w63 and w63-x64 folders) to see if the errant patches were actually downloaded to begin with. Unfortunately, I don’t think the UpdateInstaller step saves its log file, so you have to cut-and-paste it when it’s displayed at the end if you want to examine it later.

As for overlooking patches on a single pass, that’s not unusual. I think you intuitively know that because you mentioned following up with a WU scan which installed some missing updates, then you rescanned and WU found more. So you’re already in the habit of repeat scanning with WU, you just need to get in the same habit of repeat scanning with WSUS Offline Update a few times to catch updates missed on the first go-round. I don’t have any special insight, but my guess is it might not be able to figure out if patches not yet installed are going to need subsequent patches. IOW, if a patch that hasn’t been installed yet has a subsequent update, how do you know you need the second patch until the first one is installed?

The bottom line is no, don’t expect either method to identify all missing patches on the first go-around.

Even if you do WSUS-OU a couple times, it’s still not unusual for a WU follow-up to find a few that WSUS-OU doesn’t think are necessary. From time to time I’ve randomly looked into what extras WU has turned up, and have never considered them to be very important, either.

Finally, let me remind you that you can’t use WU for Security-Only Quality Updates, anyway. It only works for “Security Monthly Quality Rollups”, which includes more than just the security updates. So if WU and WSUS-OU disagree on what’s missing, I’m inclined to trust WSUS-OU.

This is just a personal opinion, but I trust WSUS-OU more than WU.

 

Reply | Quote

dg1261 wrote:

Finally, let me remind you that you can’t use WU for Security-Only Quality Updates, anyway. It only works for “Security Monthly Quality Rollups”, which includes more than just the security updates.

Sort of confusing that it still has the option to try the Security-Only type anyway.

But yes, I can confirm that this is what happens with WSUS-OU on Windows 8.1 with rollups selected, and that’s after iterating UpdateInstaller / reboot / UpdateInstaller/ reboot through a fresh WSUS-OU package until it no longer installed anything. (Took a whole bunch of turns, yes.)

Since I was just using WSUS-OU to get the system up to initial shape before hooking it up to the network and attaching to the regular update cycle, I wasn’t particularly bothered, but if this’d been the “only” update method I would’ve been.

(Just to be clear, I’m not the anonymous thread starter.)

Reply | Quote

This is anonymous. Thank you dq 1261 for your very thoughtful reply. I did some further investigation, and I believe that the problem may have been downloading to a USB device that was too small (4GB). I decided to retry the whole WSUS Offline process again from stratch on a different computer using a larger USB. So far, I have completed the “download” part of WSUSOffline and noticed that my USB device has over 5GB on it (initially it was empty except for the wsusoffline1161 folder, which I believe was less than 50MB). Therefore, I believe I didn’t get all the updates the first time because WSUSOffline ran out of space. I looked at the log file this time and didn’t see any warnings.
I’m going to try the install portion shortly assuming that it will only install patches I don’t already have installed. When I downloaded using WSUS-OU I did check “security-only” updates, and I think I understand what you mean by “Security Monthly Quality Rollups”. I do have one more question, however. After completing WSUS-OU process, if I check for Windows Updates in the usual manner, what should I do if I find many? Should I ignore them, hide them, or download them? On the WSUS-OU author’s site, he seems to suggest sticking with WSUS-OU results since some updates may have been superseded or many not be security-related updates. What do you suggest?
mn-: Thank you for your comments also. When I do the installing I’m going to try running it several times until I get a message saying nothing more to do.

Reply | Quote

anonymous wrote:

I believe that the problem may have been downloading to a USB device that was too small (4GB). I decided to retry the whole WSUS Offline process again from stratch on a different computer using a larger USB. So far, I have completed the “download” part of WSUSOffline and noticed that my USB device has over 5GB on it

It depends on how many option boxes you have ticked, but yeah, 4GB is almost certainly too small. It’s probably adequate for Win7x32 alone, or 7×64 alone, or 8.1×32 alone, but for 8.1×64 the client/w63-x64 folder alone is almost 4GB, without the ancillary folders.

 

anonymous wrote:

On the WSUS-OU author’s site, he seems to suggest sticking with WSUS-OU results since some updates may have been superseded or many not be security-related updates.

I’m comfortable with that. As I suggested earlier, WU isn’t really designed to stop at scanning just for security updates, so if it’s picking up stuff WSUS-OU is not, I tend to assume what it’s picking up is not actually security related.

 

anonymous wrote:

After completing WSUS-OU process, if I check for Windows Updates in the usual manner, what should I do if I find many?

Well, I tend to obsess less than many others here over Windows updates, so I may not be the best voice of counsel, but I’d ignore them. For the aforementioned reasons, I don’t even touch WU anymore, and leave it permanently turned off on Win7/8.1 machines.

Of course, the caveat here would be that you’re actually letting WSUS-OU do its work, and not hindering it with a too-small USB stick.

 

 

Reply | Quote

Thank you, dq1261. This is anonymous again. I completed the WSUS Offline redo with an 8GB USB device starting from scratch. All went well, and an additional 28 patches from what I had previously downloaded with WSUS-OU were added. I then checked for Windows Updates and there was only one important update listed. It turned out to be one I didn’t want (something to do with configuring for W10) so I hid it and rescanned for updates… nothing. Therefore, I would say that WSUS-OU was a great success as long as you have the right amount of memory for an older unpatched computer. Having too small of a USB is evidently what led to my initial concerns about WSUS-OU.

I did get two warnings during the installation phase:

1) “Skipping installation of most recent Internet Explorer (seems to be disabled on this system).” I had in fact disabled it, but I did manually download separately the latest IE 11 cumulative update. I assume that’s all I need to protect IE, which is diabled and not used for surfing, although I understand some processes in Windows still use IE 11 so updating is important.

2) “Windows Defender definition file (…) not found.” I didn’t check for WD files to be installed in WSUS-OU since I do them manually through the WD GUI. I also hide Windows Updates related to WD definitions. Therefore, I assume this warning is not important.

Thank you again for your responses.

Reply | Quote

I get the dual-format of x86 and x64 which require a larger USB drive so I use a 16GB [got several when on sale local chain store] which allows saving later build updates and I get the .iso file for both versions which requires using a DVD+R/DL disc at about 8GB.  Just completed a Clean reinstall of Win10 today, got Version 1809 Build 17763.253.  After finishing I checked for updates and got Build 17763.437.

Before you wonder "Am I doing things right," ask "Am I doing the right things?"

Reply | Quote