KB2859537

    Question

  • Microsoft has pulled this patch (KB2859537) from window updates (see link below), but it continues to show up in WSUS.  How do we remove it from WSUS ?

    http://news.softpedia.com/news/Microsoft-Pulls-Botched-KB2859537-Windows-7-Update-377356.shtml

    Thursday, August 29, 2013 10:51 PM

All replies

  • Microsoft has pulled this patch (KB2859537) from window updates (see link below), but it continues to show up in WSUS.  How do we remove it from WSUS ?

    http://news.softpedia.com/news/Microsoft-Pulls-Botched-KB2859537-Windows-7-Update-377356.shtml


    Also having this issue and finding no information on how to clear this.  As a result Windows Update Reporting is useless as it says all of my machines are not up to date due to an  unapproved update.  I don't want to decline the update and have a subsequent patch revision automatically declined and thus be unaware of the revision release.
    Friday, August 30, 2013 12:59 PM
  • I would just decline the patch. When and if the update gets revised you can reset the approval. I had to do that for some service packs a few years ago.
    Friday, August 30, 2013 1:28 PM
  • Actually, we're using SCCM 2012, so I'll have to ask in that forum how to decline the patch, unless someone in this forum knows?

    Friday, August 30, 2013 9:54 PM
  • Microsoft has pulled this patch (KB2859537) from window updates (see link below), but it continues to show up in WSUS.  How do we remove it from WSUS ?

    You can't really remove it. The best option is to simply leave it "Not Approved" if it's known to be problematic. It's important to not decline it (yet) because its state as NotInstalled is critically valid information for your patch compliance condition, as you have a known vulnerability that is not patched.

    Lawrence Garvin, M.S., MCITP:EA, MCDBA, MCSA
    SolarWinds Head Geek
    Microsoft MVP - Software Packaging, Deployment & Servicing (2005-2013)
    My MVP Profile: http://mvp.support.microsoft.com/profile/Lawrence.Garvin
    http://www.solarwinds.com/gotmicrosoft
    The views expressed on this post are mine and do not necessarily reflect the views of SolarWinds.

    Saturday, August 31, 2013 1:43 AM
  • As a result Windows Update Reporting is useless as it says all of my machines are not up to date due to an unapproved update.

    Truly, I fail to see how this is "useless". It's factual information -- your machines are NOT up to date, because you have an unpatched vulnerability. Why the vulnerability is still unpatched is something you document in conjunction with the compliance report as "Pending resolution by Microsoft for unreliable update"

    I don't want to decline the update and have a subsequent patch revision automatically declined and thus be unaware of the revision release.

    Declining this update will not have that effect.

    First, if the *patch* is defective (meaning even if you installed it manually it would cause problems), then that means any replacement patch will have a NEW binary file. A NEW binary file is not issued as a revision, it's issued as a new update. (As was ostensibly done with MS13-052 recently -- though that one is still messed up too.)

    In fact, the only thing that would happen automatically is that if the update was approved, and a revision were released, the revision would be automatically approved. NEW updates must always be explicitly approved, and that would be completely independent of the approval state on the previous update. But a revision would only be released if the metadata or detection logic were flawed, in which case you could still install the existing patch manually and be done with the task.


    Lawrence Garvin, M.S., MCITP:EA, MCDBA, MCSA

    Saturday, August 31, 2013 1:47 AM
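Added example (not part of the thread and not any poster's or Microsoft's code): a read-only PowerShell report that shows, for the update discussed in the two replies above, its revision number, its approval state, and how many machines still report it as not installed. It assumes it runs on the WSUS server or a host with the WSUS administration console installed, and it changes no approvals.

```powershell
# Added example: read-only WSUS report for a held-back update. Changes no approvals.
# Assumption: run on the WSUS server or a host with the WSUS administration console installed.
[void][Reflection.Assembly]::LoadWithPartialName('Microsoft.UpdateServices.Administration')

$kb    = 'KB2859537'   # KB number from the thread
$wsus  = [Microsoft.UpdateServices.Administration.AdminProxy]::GetUpdateServer()
$scope = New-Object Microsoft.UpdateServices.Administration.ComputerTargetScope  # all computers

$report = foreach ($update in $wsus.SearchUpdates($kb)) {
    $summary = $update.GetSummary($scope)

    # Three states matter here: Declined, Approved, or left "Not Approved" as the thread advises.
    $state = if ($update.IsDeclined) { 'Declined' } elseif ($update.IsApproved) { 'Approved' } else { 'Not Approved' }

    [pscustomobject]@{
        Title        = $update.Title
        Bulletins    = $update.SecurityBulletins -join ','
        Revision     = $update.Id.RevisionNumber      # a revised update keeps its ID and bumps this
        Latest       = $update.IsLatestRevision
        Approval     = $state
        NotInstalled = $summary.NotInstalledCount
        Installed    = $summary.InstalledCount
        Failed       = $summary.FailedCount
        # Open finding: machines still need the fix and the update has not been declined.
        OpenFinding  = (-not $update.IsDeclined) -and ($summary.NotInstalledCount -gt 0)
    }
}

# One row per matching update (one per product/architecture variant).
$report | Sort-Object Title | Format-Table -AutoSize
```

Rows with `OpenFinding` set to `True` are the ones to carry into the compliance report with the reason the update is being held.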
  • Actually, we're using SCCM 2012, so I'll have to ask in that forum how to decline the patch, unless someone in this forum knows?

    For ConfigMgr.. just don't put the patch in any deployment package.

    Lawrence Garvin, M.S., MCITP:EA, MCDBA, MCSA

    Saturday, August 31, 2013 1:47 AM
  • Microsoft has pulled this patch (KB2859537) from window updates (see link below), but it continues to show up in WSUS.  How do we remove it from WSUS ?

    http://news.softpedia.com/news/Microsoft-Pulls-Botched-KB2859537-Windows-7-Update-377356.shtml

    All of the previous applies, in general, to patches.

    As for MS13-063 in general, the only issues of BSODs, as reported by Softpedia, that have actually been confirmed were on systems with modified kernels, typically done in order to bypass normal Activation Methodologies ... i.e. it occurred on CRACKED installations of Windows.

    I personally installed this update on a half-dozen Windows7 systems last week and did not have a single issue. Dozens of other patch administrators have successfully installed this update on their systems with no adverse effects.

    Unless you have systems with invalid licenses and/or running alternate/patched kernels, I wouldn't really worry too much about this update. Install it on some test systems, to be sure, and if nothing adverse occurs, deploy it.


    Lawrence Garvin, M.S., MCITP:EA, MCDBA, MCSA

    Saturday, August 31, 2013 1:55 AM
  • Okay, since we use automatic deployment rules with defined criteria to deploy updates, we could exclude updates with severity level "Important" which this one is, but that would catch too many updates.

    Would the solution in the link below of moving the update into a subfolder in the All Software Updates node/list keep the update from being picked-up by the automatic deployment rules ?

    http://social.technet.microsoft.com/Forums/windowsserver/en-US/40598c2c-f71a-4b9e-8e4b-e4f07a5edd98/decline-and-update-using-sccm-2012

    Thanks

    Saturday, August 31, 2013 2:44 AM
  • I can right-click the update and select Edit Membership to remove it from the appropriate software update group, but would our automatic deployment rules when scheduled to run next, put the update back into the same software update group ?
    Friday, September 06, 2013 5:43 PM
  • As for MS13-063 in general, the only issues of BSODs, as reported by Softpedia, that have actually been confirmed were on systems with modified kernels, typically done in order to bypass normal Activation Methodologies ... i.e. it occurred on CRACKED installations of Windows.

    I personally installed this update on a half-dozen Windows7 systems last week and did not have a single issue. Dozens of other patch administrators have successfully installed this update on their systems with no adverse effects.

    Unless you have systems with invalid licenses and/or running alternate/patched kernels, I wouldn't really worry too much about this update. Install it on some test systems, to be sure, and if nothing adverse occurs, deploy it.


    Well, Thinstuff released an update for the XP/VS-Server because of KB2859537. (see http://www.thinstuff.com/releases/changelog.txt). So you don't need a cracked Windows to run into trouble.

    Monday, September 09, 2013 5:40 PM
  • Well, Thinstuff released an update for the XP/VS-Server because of KB2859537. (see http://www.thinstuff.com/releases/changelog.txt). So you don't need a cracked Windows to run into trouble.

    This is correct .... any modified kernel is subject to issues with this update.

    HOWEVER.... organizations running legitimately modified kernels should only be installing updates vetted by their kernel provider anyway. ;-)


    Lawrence Garvin, M.S., MCITP:EA, MCDBA, MCSA

    Monday, September 09, 2013 8:22 PM