• WSUS Update Query

    • This topic has 6 replies, 5 voices, and was last updated 7 years ago.
    #189545

    Hi all,

    So, I have held off on patching our office PCs since December, and it looks like now is probably a good time to move forward.

    HOWEVER…

    Looking at my WSUS console, I get some very strange numbers in the NEEDED COUNT column…

    2018-01 and 2018-02’s Security Only updates show up with the full number of PC clients (68).

    2018-03 (KB4088878) shows up only needed on THREE PCs….???

    2018-04 (4093108) shows up for all PCs again.

    Anyone know why this is? Is there something in the latest 4093108 that supersedes 4088878?

    No matter where you go, there you are.

    • #189552

      Is there something in the latest 4093108 that supersedes 4088878?

      While I can’t hazard any logic to the unusual pattern of updates indicated, the Security Only updates are not cumulative, so the supersedence you mention is not likely.

      KB4093118/KB4093108 replace KB4100480 according to the MS pages.

      Security-Only patches are not cumulative

    • #189692

      No idea.

      Perhaps one of our WSUS experts can help?

    • #189849

      @PerthMike
      Stop wasting time with details and approve all Monthly Rollups as they are offered.
      You can enable the supersedence column in WSUS and it will show you what is superseded to avoid approving, only to save bandwidth and time in not downloading superseded updates.
      If you really want to get things simple you can approve Monthly Rollups AND Security Only updates and allow Windows Update and CBS to sort it out. This is a practice more common than you imagine.
      Approve only 2018-04 patches for now if you believe you are fully patched until December 2017.
      It is simple really, only people reading a lot of nonsense tend to make it more complicated than it is.

    • #190038

      @perthmike Stop wasting time with details and approve all Monthly Rollups as they are offered. You can enable the supersedence column in WSUS and it will show you what is superseded to avoid approving, only to save bandwidth and time in not downloading superseded updates. If you really want to get things simple you can approve Monthly Rollups AND Security Only updates and allow Windows Update and CBS to sort it out. This is a practice more common than you imagine. Approve only 2018-04 patches for now if you believe you are fully patched until December 2017. It is simple really, only people reading a lot of nonsense tend to make it more complicated than it is.

      Nice “comment”, but you’re not helping. I patch for a government agency, and we have rules about not just patching the minute patches come out. We only patch critical updates, and only once the word is that the updates are working. And even then, we have to go through a rigorous regime of rolling patches out to test systems.

      This whole saga of the January to March updates has shown that patching on the say-so of Microsoft is a bad idea, especially if it breaks things.

      I am asking for technical help, not for the opinion of someone who believes in the gospel of St. Bill.

       

      No matter where you go, there you are.

    • #190040

      Curious behaviour continues when I approve the four 2018 Security Only updates.

      After approving 4056897, 4074587, 4088878 and 4093108 (2018-01 to 2018-04) for my test fleet, these PCs only get offered (and installed) 4074587 and 4093108. 2018-01 and 2018-03 aren’t offered.

      The WSUS console does not show those two updates being needed by PCs when they have received the other two patches.

      However, when downloading 4088878 from the Update Catalog and running it manually on one of the test PCs, it still installs (if it was truly superseded, it would refuse, saying “this update is not applicable to this system”).

      So there is something very weird going on here.

      (Having installed March after April, will this screw up the order of fixes or should they be independently working?)

      No matter where you go, there you are.

      • #192062

        I believe they changed it so that 4099950 has to be approved and installed before 4088878 gets offered – based on the KB article for 4088878.

        Regarding 4056897 – I believe it was reissued to check for a specific registry key, and won’t install if it isn’t present. Check for HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\QualityCompat in the registry. They have since removed that check starting with the April updates.

        As far as the order of installation – in release order would probably be best. I think it doesn’t matter though as any file that is a newer version than what the update contains shouldn’t get replaced.
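
Added example, not part of any post in this thread: a PowerShell check that reports, per test PC, whether the QualityCompat key named in the reply above exists and which of the KBs mentioned in the thread are installed. The function name and output columns are hypothetical; it assumes PowerShell 3.0 or later, that `Get-HotFix` lists these updates on the machine, and WinRM for any remote computer.

```powershell
# Added example: report the state the reply describes on each test PC.
# KB numbers and the registry key path are the ones quoted in the thread;
# the function name and output columns are hypothetical.
function Get-SecurityOnlyPatchState {
    param([string[]]$ComputerName = $env:COMPUTERNAME)

    $probe = {
        $key = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\QualityCompat'
        $kbs = 'KB4056897', 'KB4074587', 'KB4099950', 'KB4088878', 'KB4093108'
        $installed = @(Get-HotFix | Select-Object -ExpandProperty HotFixID)

        $keyPresent = Test-Path -Path $key
        # List whatever value names exist under the key, without assuming any.
        $valueNames = if ($keyPresent) { (Get-Item -Path $key).Property } else { @() }

        $row = [ordered]@{
            Computer          = $env:COMPUTERNAME
            QualityCompatKey  = $keyPresent
            QualityCompatVals = $valueNames -join ','
        }
        foreach ($kb in $kbs) { $row[$kb] = $installed -contains $kb }

        # Flag the two conditions the reply gives for an update not being offered.
        $row['Note'] = @(
            if (-not $keyPresent -and -not $row['KB4056897']) {
                'KB4056897 may be held back: QualityCompat key missing'
            }
            if (-not $row['KB4099950'] -and -not $row['KB4088878']) {
                'KB4088878 may be held back: KB4099950 not installed'
            }
        ) -join '; '
        [pscustomobject]$row
    }

    foreach ($name in $ComputerName) {
        # Run locally without remoting; use WinRM only for other machines.
        if ($name -eq $env:COMPUTERNAME) { & $probe }
        else { Invoke-Command -ComputerName $name -ScriptBlock $probe }
    }
}

Get-SecurityOnlyPatchState | Format-List
```

Comparing this output with the NEEDED COUNT column in the WSUS console shows whether a PC that is not being offered an update is missing one of the two prerequisites the reply describes.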
