MS monthly rollup updates


7 replies to this topic

#1 Nightspear


Posted 02 November 2016 - 02:18 PM

Is there any way to exclude/hide specific updates from the monthly rollup in Server 2008 R2?

 

Prior to monthly rollup updates:

KB1234567 is incompatible for some reason and causing the test server to crash. Uninstalling KB1234567 and the test server is operational again. Exclude/hide KB1234567 from updates before deploying to actual servers.

 

After monthly rollup updates:

KB1234567 is included in May 9095 rollup and causing the test server to crash. Uninstalling KB1234567 and the test server is operational again. What is this process now? 

 

 

Any insight is appreciated,

Mike




 


#2 x64


Posted 02 November 2016 - 04:47 PM

Not really. But there are a couple of ways to mitigate issues.

 

Each monthly update will be the previous month's update plus the new updates for this month. Strictly the only way to avoid a particular update is not to apply that or future updates. Obviously (in the case of security updates at least) that would be stupid, so what can we do?

 

There are actually THREE different updates provided each month.

 

There is a "Security and Quality" update released on the second Tuesday of each month (aka "Patch Tuesday"). This contains the security updates for that month and the non-security critical and routine updates for that month, as well as all previous security and updates. This is the recommended update (Microsoft recommended, and given the poor choice of options, begrudgingly the most sensible update track).

 

There is a "Security ONLY" update also released on "Patch Tuesday". This contains ONLY the security patches for that and previous months and could be applied if you have a need to avoid a particular month's "Security and Quality" update.

 

If you need to fall back to the Security Only update for a particular month, I suppose that you have to hope that MS will fix any issues within a month or at most two (I know - I wouldn't hold my breath!), allowing you to jump back on the "Security and Quality" track. So the first mitigation is to temporarily fall back to security-only updates.

 

Oh yes,..... I said THREE updates.....

On the Third Tuesday of each month MS will release a "Preview" update containing the non-security updates planned for the following month's patch Tuesday. This can be used on test servers to check for issues related to the non-security content planned each month (and give you more time to recognise those issues). The second mitigation is to pre-test the non-security updates if you have the means. (We all have the time, of course! - err thanks MS).

 

So all's OK then.... :crazy:. Now we've cleared that up ... there are a couple more things worth understanding about the new scheme. 

 

In WSUS all of these updates are under the Windows Server category, the first two categorised as "Security" and the preview classified as "Updates", so you can sort of manage them in that way. I tend not to approve the security-only update unless I need to (in order to avoid confusing installations depending on installation order).

 

There are separate groups of updates for Windows and .NET, so you will likely get one of each of those patches each month.

 

And now for a big gotcha.... In a prominent blog post, an MS technician says that you should enable "Express updates" in WSUS..... What he does not point out is that doing so will cause massive downloads of additional WSUS content. You may well find that your WSUS cache increases in size a few times over (possibly up to 1TB for a typical selection of MS products and versions). Additionally, once you tick that box, there is no going back - you cannot untick the box and go back to where you were (at least not without entirely rebuilding your WSUS cache from scratch and performing open heart surgery on the WSUS database). I suspect as the cumulative updates grow in size, the Express updates will become more of a necessity and less of an option. Also note that SCCM does not yet support express updates... Of course we all have oodles of disk space just waiting to be allocated to our WSUS cache and plenty of Internet bandwidth to download the updates so again no problem.... :unsure:

 

And finally, it's worth noting that MS are initially basing the cumulative updates starting at last month. For the next few months (until January 2017) all of the cumulative updates will be Cumulative from October 2016. From February 2017, MS will start rolling in earlier updates, aiming to complete the task over several months. At the end of that period all earlier updates will have been subsumed.

 

Good luck (we will all need it!)

 

x64



#3 Nightspear


Posted 09 November 2016 - 03:24 PM

Wow!! It's totally reliant on MS to configure things correctly. I won't hold my breath too long.  Do you know how it works with WSUS? Can specific updates be blocked or held back via WSUS? If it can be done the WSUS way, I see a new server role in my future.



#4 x64


Posted 09 November 2016 - 03:47 PM

All of what I know is in the text above (I've put a lot of information in there, but it will probably take a few reads to make sense of it all).

 

You can sort of manage things through WSUS, however it looks as if we will need more space for the WSUS cache, and managing update approval will be a pain in the ****. As all of the Cumulative updates (both the main package and the security only package) are classified as security updates, it is not possible to compose auto-approval rules as accurately as one may wish.

 

x64
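
The two mitigations discussed above (falling back to the security-only track and holding the full rollup back on chosen machines), sketched as an added PowerShell example that is not part of any post in this thread. It assumes a WSUS server with the UpdateServices module (Windows Server 2012 or later), a hypothetical computer group named "Test Servers", and that the three tracks can be told apart by the title phrases shown, which are assumptions about catalogue naming rather than something stated in the thread:

```powershell
# Added example: run on the WSUS server itself.
Import-Module UpdateServices

$TestGroup = 'Test Servers'               # hypothetical WSUS computer group
$Product   = '*Windows Server 2008 R2*'   # title filter for the OS in question

# Map an update title to one of the three monthly tracks described above.
# The title phrases are assumptions about how the catalogue names them.
function Get-UpdateTrack([string]$Title) {
    switch -Wildcard ($Title) {
        '*Preview of Monthly Quality Rollup*' { return 'Preview' }
        '*Security Only Quality Update*'      { return 'SecurityOnly' }
        '*Security Monthly Quality Rollup*'   { return 'SecurityAndQuality' }
        default                               { return 'Other' }
    }
}

# Collect current (non-superseded, non-declined) updates and tag each with its track.
$tracked = Get-WsusUpdate -Classification All -Approval AnyExceptDeclined -Status Any |
    Where-Object { $_.Update.Title -like $Product -and -not $_.Update.IsSuperseded } |
    ForEach-Object {
        [pscustomobject]@{
            Track          = Get-UpdateTrack $_.Update.Title
            Classification = $_.Update.UpdateClassificationTitle
            Title          = $_.Update.Title
            WsusUpdate     = $_
        }
    } |
    Where-Object Track -ne 'Other'

# Show how WSUS classifies each track before changing any approvals.
$tracked | Sort-Object Track | Format-Table Track, Classification, Title -AutoSize

# Hold the full rollup back for the group without declining it server-wide.
$tracked | Where-Object Track -eq 'SecurityAndQuality' | ForEach-Object {
    Approve-WsusUpdate -Update $_.WsusUpdate -Action NotApproved `
        -TargetGroupName $TestGroup -WhatIf
}

# Approve the security-only package for the same group instead.
$tracked | Where-Object Track -eq 'SecurityOnly' | ForEach-Object {
    Approve-WsusUpdate -Update $_.WsusUpdate -Action Install `
        -TargetGroupName $TestGroup -WhatIf
}
```

The `-WhatIf` switches make both approval steps a dry run; remove them once the table shows the expected updates in each track.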



#5 JohnnyJammer


Posted 13 November 2016 - 06:58 PM

Yes, I have disabled all automatic approvals through WSUS and will do them manually, and with MS marking some as critical, as they did with the WINX updates, I will be going through them with a fine-tooth comb.



#6 Nightspear


Posted 14 November 2016 - 01:25 PM

Why oh why is MS making it so hard to manage things nowadays? Oh yeah, it makes their jobs easier.

 

At least there is some good news here and it looks like I will be budgeting for a WSUS server in the future. Until I can get one installed, I have to keep my fingers crossed that no updates crash operations here and move to a nightly backup routine to be on the safe side.

 

Thanks for all the info fellas.



#7 x64


Posted 14 November 2016 - 02:22 PM

Yes, I have disabled all automatic approvals through WSUS and will do them manually, and with MS marking some as critical, as they did with the WINX updates, I will be going through them with a fine-tooth comb.

The MS Blog post that I saw stated that the Windows Cumulative updates would be classed as "Security" (I presume because the cumulative content will definitely contain security fixes, even if the new content does not). I'm sorry, I don't have a link to the blog post. The Monthly previews of non-security content will be classed as "Updates".

 

x64



#8 JohnnyJammer


Posted 14 November 2016 - 04:58 PM

Why oh why is MS making it so hard to manage things nowadays? Oh yeah, it makes their jobs easier.

 

At least there is some good news here and it looks like I will be budgeting for a WSUS server in the future. Until I can get one installed, I have to keep my fingers crossed that no updates crash operations here and move to a nightly backup routine to be on the safe side.

 

Thanks for all the info fellas.

I can see why they are doing it, because too many zombie machines are being used for DDoS and also bitcoin mining etc. as they have not updated their PCs.

I regularly get clients who bring their PC in and it has 200+ updates and they wonder why they got exploited through IE LOL.

 

Yes x64, I would agree with that, but they need to ensure they have proper QS this time, because I know a lot of bad updates have crippled locally hosted Exchange servers and domain controllers in recent years because of bad Quality Service checks, but in saying that, so has Apple.

People who use PCs want stability in their updates and not rushed features that bring nothing to most end users.





