Security Only Quality Updates for November - superseded already?

  • Question

  • For reasons beyond control, we are a place that only deploys the Security Only Quality Updates. Not the monthly "rollups" that were introduced in October.

    Having just completed my WSUS syncs everywhere, I go into SCCM to make my update list, and lo and behold, my search folder is not picking up any of the Security Only updates for 2008R2 and 2012/2012 R2. Turns out they're already superseded.

    Example:

    November, 2016 Security Only Quality Update for Windows Server 2012 R2 (KB3197873)

    Updates superseding this update: November, 2016 Security Monthly Quality Rollup for Windows Server 2012 (3197874)

    So what gives?... is that intentional? Is my hand being forced so soon that I am unable to continue down the Security Only path? Or is this a mistake and I just need to re-sync again in a couple of hours?

    Tuesday, November 8, 2016 11:28 PM

Answers

  • So, I raised a Premier Support case to find out what the go is. I've been advised that the Security Only Quality update is meant to come out as superseded straight away upon release and that this is the way it's happening into the future. Unfortunate.

    I'm honestly fine with the new methodology of single patch, rollups and all that stuff. But I honestly feel it is pointless to offer a Security Only approach at all if you're going to make it substantially more difficult to deploy? Seriously, why bother? Just take the option away and end the madness.



    Thursday, November 10, 2016 9:11 AM

All replies

  • I see the same thing too. November security only updates showing as superseded already. Hopefully this is just a mistake as October's updates were not tagged that way.

    KD

    Wednesday, November 9, 2016 12:26 AM
  • Same here. I was under the impression the "security only quality update" group would be available every month. Hopefully someone from Microsoft can help clear things up.
    Wednesday, November 9, 2016 12:29 AM
  • After reading this (related to SCCM 2007 but whatever): https://blogs.technet.microsoft.com/configurationmgr/2016/11/04/deploying-superseded-down-level-windows-updates-with-microsoft-configuration-manager-2007/ I get the impression that this may be an intended move.

    I've had a crack at deploying the Security Only update (that is superseded) to a couple of test servers and it installs okay. However, in order to have those available to deploy in the first place you must ensure your Software Update Point settings are set to expire superseded updates after X months (as opposed to immediately), otherwise you'll never see them in your All Updates view to deploy.

    So, I guess we'll have to be more proactive going forward; if you wait too long to get around to deploying the Security Only patches, you can miss out on the opportunity altogether.

    Wednesday, November 9, 2016 1:42 AM
  • Thanks for pointing this out. After changing my software update point expiration setting and doing a full sync, I got the Security Only updates in SCCM.

    • Edited by slarocko Wednesday, November 9, 2016 3:06 AM
    Wednesday, November 9, 2016 2:44 AM
  • Same issue for me.

    Wednesday, November 9, 2016 5:56 AM
  • Same issue for me.

    Wednesday, November 9, 2016 7:28 AM

  • Having just completed my WSUS syncs everywhere, I go into SCCM to make my update list, and lo and behold, my search folder is not picking up any of the Security Only updates for 2008R2 and 2012/2012 R2. Turns out they're already superseded.


    If it's not showing because your supersedence rule has expired it then you need to adjust your supersedence rule accordingly to adapt to this new behaviour. There is no technical problem in deploying superseded updates in CM. Only expired.

    Rolf Lidvall, Swedish Radio (Ltd)

    Wednesday, November 9, 2016 9:49 AM
  • If I understand correctly, the November security only quality updates are superseded by the November security monthly rollups.

    Why were the security only quality updates in the October release not superseded by rollups?

    Of course we can change supersedence rules in SCCM, but this can mean waiting at least one month before a superseded update is expired. This setting will affect all other updates also.

    Many companies deliver only security only updates, so in my opinion these security only quality updates should not be superseded until next month's release.


    Wednesday, November 9, 2016 12:39 PM
  • Microsoft keeps making Software updates via CM more and more difficult.

    First, CM clients cannot download just the deltas of Rollups, leading to progressively larger update sizes, and now security only updates are superseded immediately.


    • Edited by bilson22 Wednesday, November 9, 2016 5:27 PM
    Wednesday, November 9, 2016 5:24 PM
  • Same issue here.

    Martin Myers, Systems Engineer, Baltimore, MD

    Wednesday, November 9, 2016 7:02 PM

  • If it's not showing because your supersedence rule has expired it then you need to adjust your supersedence rule accordingly to adapt to this new behaviour. There is no technical problem in deploying superseded updates in CM. Only expired.

    Rolf Lidvall, Swedish Radio (Ltd)

    Yep, that's exactly what I did. It seems to install fine, but you need to increase the maximum run time on this patch up from the default of 10 minutes, it doesn't seem to be long enough for most of the servers out there.

    What I still want to know is - is superseding the Security Only update immediately on release the norm? I only want to deploy Security Only updates. If what I need to deploy is superseded straight away, maintaining a baseline of patches for newly built becomes a cumbersome task. The struggle is real boys and girls.

    Wednesday, November 9, 2016 11:14 PM
  • Yep, same boat here. Maintaining a baseline is what I'm a little worried about. We will either have to:

    - Gather the .cab files and package them for deployment via Software Distribution to maintain a baseline, let the updates expire out of Software Updates

    or

    - Crank up that expiry rule to an undesirably long time, like 12 months.

    Wednesday, November 9, 2016 11:16 PM
  • So, I raised a Premier Support case to find out what the go is. I've been advised that the Security Only Quality update is meant to come out as superseded straight away upon release and that this is the way it's happening into the future. Unfortunate.

    I'm honestly fine with the new methodology of single patch, rollups and all that stuff. But I honestly feel it is pointless to offer a Security Only approach at all if you're going to make it substantially more difficult to deploy? Seriously, why bother? Just take the option away and end the madness.



    Thursday, November 10, 2016 9:11 AM
  • Thanks for tracking that down and confirming Tim.

    I think it's clear that MS is pushing us hard towards the cumulative updates.  Really, the move is inevitable since the moment you want/need a non-security update you were going to be forced to install everything you had previously held back on.

    Superseding these actually solves an issue for SCCM admins.  You don't want to deploy both rollups yet they're both released using the same category making it more difficult to automate.  By excluding superseded updates (like most do) you can exclude the security-only update.

    Thursday, November 10, 2016 6:23 PM
  • I disagree with that. It doesn't solve an issue, it just makes patching as a whole more difficult.

    What about customers with CCM 2007?

    They can no longer use SUM to deploy the Security Only update; MS's solution is to deploy it as a software package!! There are so many issues doing that, I can't even start to highlight them here.

    For 2012 we now have to change the expire superseded setting to accommodate this. How are we meant to manage products that aren't included in the rollout? This also affects them.

    Friday, November 11, 2016 8:04 AM
  • To work around this issue, I changed our ADRs to not block deploying Superseded updates, so at least the SCCM 2012 clients now get the "superseded already" (!) Security Only Quality Update for November 2016, but I also got two Security Updates for Adobe Flash Player that both installed as well...even though one of those supersedes the other, but because of this allowing superseded updates requirement, I end up with clients installing unnecessary updates that get updated almost immediately?  And I don't even know if this is the same behaviour for each client (i.e. - will some install the newer update first, then work out they don't need the superseded update?  If so, now I get configuration drift between similar systems - e.g. servers!).

    I invested a lot of time researching all of this prior to the October Quality updates changes, including lengthy discussions with Microsoft, remoting into a Premier session talk, reading the very long blog & Q&A from Nathan Mercer, and I guess I either missed that this was going to happen (Security Only Quality Updates being superseded by the Security Monthly Quality Rollup) or it wasn't mentioned very clearly...

    Mike Niehaus's article mentions it very briefly (now that I am reading it again!) but is also not that clear, as it states "installing the Security Monthly Quality rollup..." however we don't install the rollup, we install the Security Only, so I interpreted this statement as not applicable to Security Only!

    e.g.

    Starting in November 2016, installing the Security Monthly Quality Rollup will also supersede the Security Only Quality Update from the same month, allowing compliance tools to report the Security Monthly Quality Rollup installation as satisfying the fixes in the Security Only Quality Update.

    As long as you install one or the other (security-only update or monthly rollup), the PCs will have the needed security fixes released that month.


    • Edited by Kiwifulla2 Friday, November 11, 2016 10:51 AM
    Friday, November 11, 2016 10:50 AM
  • To clarify, it solves an issue for those of us following Microsoft's best practices.

    I think it's becoming clear that Microsoft is focused on making it easier to follow their best practices and harder and harder to deviate from them.  


    Friday, November 11, 2016 1:47 PM
  • Microsoft provided 2 solutions because they understand that some (most I have come across) enterprise customers haven't and don't have the need or desire, due to the amount of testing and potential issues they could cause, to install non-security updates. Then Microsoft take that option away. Microsoft have made it impossible to follow 1 of their own provided practices.
    Friday, November 11, 2016 3:56 PM
  • This effectively breaks software updates in SCCM 2007. Our business has 30k Windows 7 clients and has stayed on SCCM 2007 and will upgrade when we move to Windows 10. What are we supposed to do given a few days' notice of the change to supersedence rules? This is a disaster...
    Saturday, November 12, 2016 8:09 PM
  • My biggest complaint is notification of these changes.  We too did not figure out the issue until two days after patches have been rolled out to a portion of our environment.  For now, we removed the "Superseded=No" criteria in our ADR as a workaround but that means superseded patches will now potentially become part of our deployment package.  Not ideal.  We are going to start talking to our organization about rolling out the "...Rollup" bundles instead.
    Monday, November 14, 2016 8:39 PM
  • This effectively breaks software updates in SCCM 2007. Our business has 30k Windows 7 clients and has stayed on SCCM 2007 and will upgrade when we move to Windows 10. What are we supposed to do given a few days' notice of the change to supersedence rules? This is a disaster...

    We're in the same boat, gotta take the risk the cumulative updates don't break anything.  

    It wasn't noticeable because our server didn't show them as superseded under the Search Folders but showed the status under the Update List. Funny, it's only one showing as superseded for Windows 7 x64, while the rest still look to be deployable; they don't show as applicable to any system.

    Tuesday, November 15, 2016 4:34 PM
  • If you're feeling a little saucy, you can run this WSUS command in PowerShell on your WSUS server to purge the roll-up updates which effectively makes SCCM/WSUS re-consider its expiry on the Security Only Patch.

    Here's the command:

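    # Load the WSUS administration API and connect to the local WSUS server
    [reflection.assembly]::LoadWithPartialName("Microsoft.UpdateServices.Administration") | Out-Null
    $wsus = [Microsoft.UpdateServices.Administration.AdminProxy]::GetUpdateServer()
    # Delete every update whose title contains "Quality Rollup" and print each removed title
    $wsus.GetUpdates() | Where-Object {$_.Title -like '*Quality Rollup*'} | ForEach-Object {$wsus.DeleteUpdate($_.Id.UpdateId); Write-Host $_.Title removed}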
    

    It's a simple string filter on any update title containing the words "Quality Rollup".

    This is probably not supported, so use at your own risk, don't whinge to me if it ruins your day. FWIW, I've run it on one WSUS server of mine and it works fine. You absolutely MUST trigger a full update sync after running the command though (not just a regular right-click synchronize, go into SUP settings, and change the scheduled time, that will trigger a full sync to occur) otherwise the updates won't pop back up in your console.



    Friday, November 18, 2016 3:37 AM
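
A read-only check for the supersedence state discussed in this thread, added here as an example and not part of any post: it lists each Security Only Quality Update known to WSUS together with the updates recorded as superseding it, so the state can be reviewed before an expiry setting is changed or anything is purged. It assumes it is run on the WSUS server with the WSUS administration API installed; the function name Get-SecurityOnlySupersedence and the default title filter are hypothetical.

```powershell
# Added example: read-only audit, nothing is deleted, declined or approved.
# Assumption: run locally on the WSUS server in an elevated PowerShell session.
[reflection.assembly]::LoadWithPartialName("Microsoft.UpdateServices.Administration") | Out-Null
$wsus = [Microsoft.UpdateServices.Administration.AdminProxy]::GetUpdateServer()

function Get-SecurityOnlySupersedence {
    param(
        $UpdateServer,
        # Hypothetical default; matches titles such as the KB3197873 example in the question
        [string]$TitleFilter = '*Security Only Quality Update*'
    )

    $relation = [Microsoft.UpdateServices.Administration.UpdateRelationship]::UpdatesThatSupersedeThisUpdate

    $UpdateServer.GetUpdates() |
        Where-Object { $_.Title -like $TitleFilter -and -not $_.IsDeclined } |
        ForEach-Object {
            # Titles of the updates that WSUS records as replacing this one
            $supersededBy = @($_.GetRelatedUpdates($relation) | ForEach-Object { $_.Title })

            [pscustomobject]@{
                KB           = ($_.KnowledgebaseArticles -join ',')
                Title        = $_.Title
                Released     = $_.CreationDate.ToString('yyyy-MM-dd')
                IsSuperseded = $_.IsSuperseded
                SupersededBy = ($supersededBy -join '; ')
            }
        }
}

# Report: one row per Security Only update, oldest first
Get-SecurityOnlySupersedence -UpdateServer $wsus |
    Sort-Object Released, Title |
    Format-Table -AutoSize -Wrap
```

Rows with IsSuperseded set to True are the ones that disappear from the console once the Software Update Point's supersedence expiry period has passed.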
  • To work around this issue, I changed our ADRs to not block deploying Superseded updates, so at least the SCCM 2012 clients now get the "superseded already" (!) Security Only Quality Update for November 2016, but I also got two Security Updates for Adobe Flash Player that both installed as well...even though one of those supersedes the other, but because of this allowing superseded updates requirement, I end up with clients installing unnecessary updates that get updated almost immediately?  And I don't even know if this is the same behaviour for each client (i.e. - will some install the newer update first, then work out they don't need the superseded update?  If so, now I get configuration drift between similar systems - e.g. servers!).

    I invested a lot of time researching all of this prior to the October Quality updates changes, including lengthy discussions with Microsoft, remoting into a Premier session talk, reading the very long blog & Q&A from Nathan Mercer, and I guess I either missed that this was going to happen (Security Only Quality Updates being superseded by the Security Monthly Quality Rollup) or it wasn't mentioned very clearly...

    Mike Niehaus's article mentions it very briefly (now that I am reading it again!) but is also not that clear, as it states "installing the Security Monthly Quality rollup..." however we don't install the rollup, we install the Security Only, so I interpreted this statement as not applicable to Security Only!

    e.g.

    Starting in November 2016, installing the Security Monthly Quality Rollup will also supersede the Security Only Quality Update from the same month, allowing compliance tools to report the Security Monthly Quality Rollup installation as satisfying the fixes in the Security Only Quality Update.

    As long as you install one or the other (security-only update or monthly rollup), the PCs will have the needed security fixes released that month.


    Ah, this backfired on me, as the next day I saw another 100 expired updates turn up in my deployment and violate my disk space/Deployment Package. I guess I didn't notice them as my clients in question didn't need them. Luckily this was only in DEV, so I ripped them out again and put my Superseded No filter back on. Instead, what I did as an Oct/Nov-only workaround was to search for "Security Only" updates that are Superseded, downloaded them to their respective Deployment Package, then edited their "Membership" and added them to my deployments manually.

    This has worked perfectly for the October and November ones, but when the ADRs run next month, they will flush out as the criteria will remove them again (I think).  Between now and then, we will hopefully aim to replace this hack workaround by going to the Monthly Rollup...due to this being forced upon us, and what Microsoft are aiming everyone to eventually go to anyway...


    Friday, November 18, 2016 5:12 AM