locked
WSUS clients installed both Delta and Cumulative updates at the same time RRS feed

  • Question

  • Hello,

    I have WSUS running on Windows Server 2012 R2 which has clients with different OSes, including Windows Server 2016. Clients download updates from WSUS. There is also a policy to auto-approve all critical security fixes. Express installation files are disabled.

    Today all my Windows Server 2016 clients that connect to WSUS have blue-screened after updates. My investigation shows that both Delta and Cumulative updates of KB4041691 were installed and I was able to recover by offline uninstalling the Pending Install packages using dism, as shown in https://docs.microsoft.com/pl-pl/windows-server/administration/windows-server-update-services/deploy/monthly-delta-update-isv-support-without-WSUS?f=255&MSPPError=-2147217396. (I confirmed this in the Event Log after recovery, there are separate entries for starting Delta and Cumulative installations prior to restart)

    However, the real question is how to protect from this behavior in the future? Did I misconfigure something? For now I unapproved the entire KB4041691 manually.

    Thanks!

    Wednesday, October 11, 2017 8:49 AM

All replies

  • I would like to know this also, as I had exactly the same problem myself this morning with all my 2016 servers. I have also now disabled KB4041691.
    Wednesday, October 11, 2017 9:37 AM
  • Same issue for us because automatic approval was checked for security fixes. We declined this delta updates and after adittional WSUS synchronisation they became flaged as expired. Will clients that already have delta updates in the list of applicable updates still download and install them once when users start the update process, or client's update cache store should be wiped manually?
    • Edited by MatijaFX Wednesday, October 11, 2017 9:08 PM
    Wednesday, October 11, 2017 9:08 PM
  • Thanks for your reply, how did you actually decline Delta update? From what I see, there is only one record in WSUS for KB4041691, I don't see the way to decline Delta and approve Cumulative.
    Thursday, October 12, 2017 7:42 AM
  • Hey everyone,

    This has caused a lot of issues for us as well. We have MS Intune with the Auto Approval Policy in place for updates to be installed on clients computers. MS Intune utilizes WSUS functionality in the back end, and to our amaze this morning it auto approved the Delta Updates on client PC's.

    Big No No!!!!

    When we dialed into our MS Intune after this issue had been reported we noticed all Delta updates across all our clients sites had been rejected in Intune. Looks like MS did a global rejection of the Delta Updates in MS Intune but we need to know was this a mistake from MS or should we now look at turning off the Auto Approval policy so to not risk Delta Updates and Cumulative updates being installed at the same time.

    We have this on thousands of PC's and can't afford for mistakes like this to be made as manually having to do a DISM removal of these updates to thousands of systems is not practical.

    MS we need answers quickly.

    Thursday, October 12, 2017 7:53 AM
  • Looks like Microsoft admitted they accidentally published both Delta and Cumulative packages to WSUS, and they have now corrected this. We need to clear WSUS cache to get rid of Delta update for future, and they I think it should be safe to re-approve this KB. Source: http://www.zdnet.com/article/microsoft-windows-10-server-2016-patching-error-borks-users-systems/
    • Proposed as answer by Elton_Ji Thursday, October 12, 2017 9:39 AM
    Thursday, October 12, 2017 8:09 AM
  • Hi,

    >> Express installation files are disabled.

    >>confirmed this in the Event Log after recovery, there are separate entries for starting Delta and Cumulative installations prior to restart)

    AFAIK , the client would try to download Express first .

    But , you have mentioned the "express" have no been enabled previously .

    So , it doesn't make sense that the client gets both CU and Delta update .

    Have you checked that KB in WSUS server which has "Deta Version" ?

    Also , is there any server 2016 client get updates from Microsoft Update ?

    Best Regards,

    Elton


    Please remember to mark the replies as answers if they help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.

    Thursday, October 12, 2017 8:49 AM
  • Elton, I agree it doesn't make sense but the problem is now resolved as Microsoft's mistake (both Delta and Cumultive were pushed to WSUS, see the ZDNet article I posted above). Thanks!
    Thursday, October 12, 2017 8:57 AM
  • Hi,


    Thanks for your sharing .

    Best Regards,

    Elton


    Please remember to mark the replies as answers if they help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.

    Thursday, October 12, 2017 9:40 AM