MS new update structure and WSUS

  • Question

  • I have a few questions about how WSUS handles the new update rollup structure.

    1. Is there any way to exclude/hide or even uninstall specific updates from the monthly rollup, in Server 2008R2 and newer, using WSUS? I understand that without WSUS you have to uninstall the entire rollup update and, depending on the update's general classification, possibly run unprotected until a fix is released.
    2. I also understand that updates can be distributed via classification (Security, Update, Driver, etc.) in WSUS. Would I still have to uninstall the entire classification update, or could I still go in and uninstall the specific update that is crashing the system?

     

    For example: 

    Prior to monthly rollup updates:

    Critical update KB1234567 is incompatible in the test environment for some reason and is causing the test machines to crash. After uninstalling KB1234567, the test machines are operational again. Decline/exclude/hide the KB1234567 update before deploying to actual servers.

     

    After monthly rollup updates:

    Critical update KB1234567 is included in the May 6, 9095 rollup and is causing the test machines to crash. Is it possible to uninstall KB1234567 to make the test machines operational again? If it is possible, is it also possible to decline deployment of this specific update in WSUS, or would I still have to decline the entire critical classification?

     

    Any insight is appreciated,

    Friday, January 6, 2017 7:54 PM

Answers

  • Just to make sure I am understanding correctly. Even with WSUS the cumulative rollups are no more manageable than regular Windows Update. However, some software can be released as multiple classifications, as in the Silverlight example in Don's reply. If manageability of the rollups is nil, what would be the point of WSUS other than to manage drivers and 3rd party software updates? I only ask because having to remove the entire rollup may leave businesses vulnerable until a fix is released.

    The purpose/value of WSUS remains largely the same, except that the ability to use granular per-KB approval/withhold/decline is diminished due to this new cumulative approach.

    This new approach is only really new for the older OS, since Win10 has always (since release to market) used this rollup approach.

    Not all MSFT products are using this approach at this time (e.g. VL Office products, which use MSI technology, do not do this).

    In case you've not read about the details of the new approach, there are a few blog posts, including this one:

    https://blogs.technet.microsoft.com/windowsitpro/2016/10/07/more-on-windows-7-and-windows-8-1-servicing-changes/ (follow the links within, to surrounding blog posts, as the story has evolved a few times since the October 2016 rollups commenced)


    Don [doesn't work for MSFT, and they're probably glad about that ;]

    • Marked as answer by MyName8 Wednesday, January 25, 2017 7:24 PM
    Wednesday, January 25, 2017 12:03 PM

All replies

  • A rollup is effectively regarded as a single unit and cannot be split apart down to individual KBs. It's all-or-nothing. You cannot exclude/uninstall/hide individual bits of a rollup.

    An update is only categorised in a single classification; a single update cannot be categorised in more than one classification.
    But an update payload can be published more than once, e.g. Silverlight, which is published as an 'Update' or as 'Security Update' and also published as 'Feature Pack'.

    In the case of Silverlight (or any other item, really), if published as two separate UpdateIDs, once in each Classification, these UpdateIDs are not directly related to each other.

    UpdateID = the GUID (it's not the KBarticle number)


    Don [doesn't work for MSFT, and they're probably glad about that ;]

    Saturday, January 7, 2017 10:23 AM
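
The KB-number versus UpdateID distinction in the reply above, as an added PowerShell example that is not part of the original thread: it lists every WSUS update object that carries a given KB article number with its classification and UpdateID, then declines one of them by UpdateID. It assumes it runs on the WSUS server with the UpdateServices module available; the function names are hypothetical and `1234567` is the thread's placeholder KB number.

```powershell
# Added example, not code from the thread. Run elevated on the WSUS server.
Import-Module UpdateServices

function Find-KbUpdate {
    param(
        [Parameter(Mandatory)] [string] $KbNumber   # digits only, e.g. '1234567'
    )
    $wsus = Get-WsusServer
    # SearchUpdates matches on text, so filter on the KB article list to drop
    # updates that only mention the number in their title or description.
    $wsus.SearchUpdates("KB$KbNumber") |
        Where-Object { $_.KnowledgebaseArticles -contains $KbNumber }
}

function Show-KbUpdate {
    param(
        [Parameter(Mandatory)] [string] $KbNumber
    )
    # One KB number can map to several unrelated UpdateIDs, one per
    # classification or product the payload was published under.
    Find-KbUpdate -KbNumber $KbNumber |
        Select-Object Title,
            @{ n = 'Classification'; e = { $_.UpdateClassificationTitle } },
            @{ n = 'UpdateID';       e = { $_.Id.UpdateId } },
            IsApproved, IsDeclined
}

function Deny-KbUpdate {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)] [string] $KbNumber,
        [Parameter(Mandatory)] [guid]   $UpdateId
    )
    # Declining acts on the whole update object (for a rollup, the entire
    # rollup); the other UpdateIDs published under the same KB are untouched.
    Find-KbUpdate -KbNumber $KbNumber |
        Where-Object { $_.Id.UpdateId -eq $UpdateId } |
        ForEach-Object {
            if ($PSCmdlet.ShouldProcess($_.Title, 'Decline')) { $_.Decline() }
        }
}

# Usage (the GUID is a placeholder; take the real one from Show-KbUpdate):
# Show-KbUpdate -KbNumber '1234567' | Format-Table -AutoSize
# Deny-KbUpdate -KbNumber '1234567' -UpdateId '<UpdateID-GUID>' -WhatIf
```

Run `Deny-KbUpdate` with `-WhatIf` first to see which titles would be declined before changing approvals.
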
  • Hi MyName8,

    Just to confirm whether the above reply was of help; if yes, you may mark it as the answer. If you still have questions, you are welcome to post back.

    Best Regards,

    Anne


    Please remember to mark the replies as answers if they help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.

    Monday, January 9, 2017 7:38 AM
  • Just to make sure I am understanding correctly. Even with WSUS the cumulative rollups are no more manageable than regular Windows Update. However, some software can be released as multiple classifications, as in the Silverlight example in Don's reply. If manageability of the rollups is nil, what would be the point of WSUS other than to manage drivers and 3rd party software updates? I only ask because having to remove the entire rollup may leave businesses vulnerable until a fix is released.
    • Edited by MyName8 Monday, January 9, 2017 8:49 PM
    Monday, January 9, 2017 8:48 PM
  • Hi MyName,

    > If manageability of the rollups is nil, what would be the point of WSUS other than to manage drivers and 3rd party software updates?

    We are unable to manage a single update within a rollup, since they are integrated, though we can approve or decline the rollup itself.

    Best Regards,

    Anne



    Wednesday, January 25, 2017 2:18 AM
  • The updated link supplied by DonPick has explained the new update process in the most detailed yet simplest terms; maybe it was the WSUS Catalog charts, or was it the update order. I am not exactly sure, but something clicked. It looks like MS stepped up their quality with the SUVP to address specific problems. Thanks Don.

    Wednesday, January 25, 2017 7:24 PM