
I'm a little unsure how WSUS behaves in this scenario. I'll use the latest KB3097877 issue as an example.

We have a main WSUS server and a downstream server at a remote site. When I approve patches on the main one, they get pushed to the downstream and then all clients will install the patches. For KB3097877, Microsoft had an issue and it was causing problems for many users so they pulled it. Under normal circumstances this would be fine because I would just then set that patch to Approve for Removal then deny it. Happy days. However they decided to re-release that same patch (fixed) under the same KB. What does WSUS do now? Do I need to set the patch for removal, wait until I get 100% compliant, then approve it again? Or will this approve the same old, previously downloaded patch and screw up users again? How do I tell the WSUS to delete the old and get the new one from Microsoft Update? Or does it do all this automatically?

Hope to get some clear answers as our users are having issues again!

Thanks

MarcLaf

2 Answers


I think WSUS automatically gets any updates that get re-released - that's how some of the definitions are distributed.

You can easily see this by searching for KB3097877 and then right-clicking the patch and selecting Revision History. On my servers I can confirm that there are two versions of the patch for 7 and 2008, and that one of them shows it's declined because of its attribute being expired. The other one has a later revision date that corresponds to the article's one.

Stoinov
  • I see both patches as well but I'm curious as to how this will apply to machines being patched. If a machine already had the bad patch installed, would it be smart enough to see the updated one from WSUS the next time it searched for updates and then reinstall it? Or would it see that it already had 3097877 installed (despite it being the broken one) and ignore it? – MarcLaf Nov 19 '15 at 15:15
  • It's a logical thing to do - otherwise a lot of machines will stay with compromised updates. If WSUS can see that update is being rereleased, WU should be able to do it too. I can see on my test machine that KB3097877 is installed on 16th - after I approved it for second time. The other updates are installed on 13th - just after Patch Tuesday. – Stoinov Nov 20 '15 at 17:19

This scenario is called "supersedence" in Microsoft terminology. WSUS should automatically handle installing the new update revision, and uninstalling the old one in the process. AFAIK, it will not, however, automatically decline the old superseded update. Take a look at this post for more information.

tfrederick74656
  • Thanks for the link to that article. Still struggling with declining superseded patches that aren't listed as 100% not needed as we don't force the updates to install, just download and notify. I'm thinking that we may have to force the installs in the new year so we can get closer to 100% compliant. I'm curious to know whether or not a superseded update will install without having the old patch installed first. – MarcLaf Dec 11 '15 at 12:07
  • It should install either way. Consider a standalone desktop running Windows, and set to automatically install using Windows Update (the big WSUS server in the sky). It will install revision 1 of the patch and then, when revision 2 is released, automatically install revision 2. If, however, you were to build a new machine (post-rev 2) with the same configuration, it would have no knowledge that there was ever a revision 1 of said patch and happily install revision 2. – tfrederick74656 Dec 11 '15 at 17:06
  • That's what I thought and it makes sense to operate that way, however, I've read numerous documents that say you should ensure you have 100% install/Not Needed before declining any superseded patches. So I'm not sure if I should trust my instincts and your recommendation or the MS docs... Wouldn't hurt to try it out on a test group which I'll probably do when I have some time...(which in the sysadmin world seems like never...) – MarcLaf Dec 11 '15 at 17:19
  • Haha I hear that - there's never enough hours in the day. If you have a large number of clients, you could always make a small group in WSUS and test either scenario. You could also just get the patches from catalog.update.microsoft.com and manually remediate if it's only a few systems. – tfrederick74656 Dec 11 '15 at 17:39
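Both answers come down to the same check: is the re-released revision the one that is approved, and does any client still sit on the old revision before you decline it. The following PowerShell audit is an added example, not code from either answer or from Microsoft; it uses the WSUS administration API to list every revision of one KB with its expiry/supersedence state and per-client install counts, and declines an old revision only when every client reports Installed or NotApplicable. The server name `wsus01` and port 8530 are placeholders, and it assumes the WSUS console (the `UpdateServices` module) is installed where it runs.

```powershell
# Added example, not from the thread: audit every revision of one KB on a WSUS
# server and decline a superseded revision only when no client still needs it.
# Assumes the WSUS console (UpdateServices module) is installed here, and that
# 'wsus01' / 8530 are your upstream server and port (placeholders).
Import-Module UpdateServices
$wsus = Get-WsusServer -Name 'wsus01' -PortNumber 8530
$kb   = 'KB3097877'
$declineWhenSafe = $false   # flip to $true once you are happy with the report

# SearchUpdates() matches on title/KB text, so a re-released KB shows up as
# several IUpdate objects: one per product variant and per revision.
foreach ($u in $wsus.SearchUpdates($kb)) {
    # Revisions that supersede this one, e.g. the fixed re-release of the same KB.
    $newer = $u.GetRelatedUpdates(
        [Microsoft.UpdateServices.Administration.UpdateRelationship]::UpdatesThatSupersedeThisUpdate)

    # Per-client state for THIS revision. 'Installed' and 'NotApplicable' are
    # the two states that count toward the "100% compliant" figure; anything
    # else (NotInstalled, Downloaded, Failed, Unknown ...) still blocks a decline.
    $info    = $u.GetUpdateInstallationInfoPerComputerTarget()
    $pending = @($info | Where-Object {
        $_.UpdateInstallationState -notin @('Installed', 'NotApplicable') })

    [pscustomobject]@{
        Title       = $u.Title
        Revision    = $u.Id.RevisionNumber
        Arrived     = $u.ArrivalDate
        State       = $u.PublicationState   # 'Expired' = pulled by Microsoft
        Superseded  = $u.IsSuperseded
        Approved    = $u.IsApproved
        Declined    = $u.IsDeclined
        NewerRevs   = $newer.Count
        ClientsLeft = $pending.Count
    } | Format-List

    # Safe-to-decline rule: superseded, a newer revision exists and is approved,
    # and no client is still on (or unreported for) the old revision.
    $successorApproved = @($newer | Where-Object { $_.IsApproved }).Count -gt 0
    $safe = (-not $u.IsDeclined) -and $u.IsSuperseded -and $successorApproved -and ($pending.Count -eq 0)
    if ($safe -and $declineWhenSafe) {
        Write-Host "Declining revision $($u.Id.RevisionNumber) of '$($u.Title)'"
        $u.Decline()
    } elseif ($safe) {
        Write-Host "Would decline: $($u.Title) (rev $($u.Id.RevisionNumber))"
    }
}
```

Machines that have not reported status show as Unknown and therefore count as pending, so a stale client holds back the decline rather than letting it through; run it against a small test group first, as the last comment suggests.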