This is the Windows Server Update Services support team blog. We cover all things relating to WSUS and Windows Update.
I just wanted to let you know about a couple issues we are seeing on our support team related to detection and install issues for MS10-090 (KB2416400). Please note that these are preliminary troubleshooting steps that we have found in our investigation of these issues and you may find other factors in your configuration that also contribute to the issue that do not align with those that are documented here.
Note: Issue 2 below was updated on 12/21/2010 for clarity.
================================= Issue 1:
WSUS managed clients experience a re-offer loop for this update.
· You approve MS10-090 (KB2416400) for installation to clients.
· Clients download/install MS10-090 (KB2416400) successfully and a reboot is needed.
· The reboot is completed.
· After the reboot, KB2416400 is reoffered for installation.
As noted in the MS10-090 security bulletin and article KB2416400, KB2467659 should be deployed along with KB2416400.
Resolution: If you have installed KB2416400 without installing KB2467659, clients may be re-offered KB2416400 one or more times even when it installs successfully. The resolution for this issue is to install KB2467659.
WSUS managed clients experience a re-offer loop for this update and updates it supersedes.
• You approve MS10-090 (KB2416400) for installation to clients and have already approved KB2467659 as well (issue 1 above).
• Clients download/install MS10-090 (KB2416400) and a reboot is needed.
• The reboot is completed.
• The client prompts to install an older update that MS10-090 (KB2416400) supersedes.
• You install this older update and a reboot is needed.
• The client prompts to install KB2416400 again.
• If you repeat the installation, the two updates continue to be offered in an endless loop.
At least one of the updates in the supersedence chain for MS10-090 (KB2416400) has an approval state that is NOT set to “Declined”.
We recommend that all updates that are superseded by KB2416400 (MS10-090) be set to “DECLINED” for their approval state within WSUS. Here are some fairly quick steps provided by Vishal Gupta (thanks, Vishal!):
Decline all updates that are superseded by KB2416400.
• Open the WSUS console.
• Expand the WSUS server’s name on the upper-left.
• Right-click on Updates and choose Search.
• In the Text field, enter the following text:
Cumulative Security Update for Internet Explorer
• Click Find Now and wait for the search results to build.
• When the results are shown, select the first item in the list so that it becomes highlighted, scroll to the bottom of the search results, hold down the SHIFT key on your keyboard, select the last update in the list, and release the SHIFT key. Now all updates in the search result should be highlighted.
• Right-click in the highlighted list of updates and choose “Decline”; when prompted if you are sure you want to decline the updates, choose “Yes”.
NOTE: This declines KB2416400, but the later steps will allow you to approve this one again.
• When this task completes, change the search Text to:
• Select all of the items returned, right-click, and choose Decline.
• Select all of the items returned, right-click, and choose Decline.
Set the approval to “Install” for each of the versions of KB2416400 you wish to deploy in your environment.
• Using the same Search dialog, change the search Text to:
• For each version of KB2416400 you need to deploy in your environment, right-click the update and choose Approve.
Confirm that KB2467659 has an approval set to “Install”.
• Click Find Now and wait for the search results to build
• For each version of KB2467659 you need to deploy in your environment, right-click the update and choose Approve.
This takes care of all of the approval changes on the WSUS server so you can do the following on some of the clients to confirm the issue is resolved:
• Restart the Automatic Updates service/Windows Update service on an affected client.
• From a CMD prompt, run WUAUCLT /DETECTNOW.
================================ Issue 3:
SMS/ITMU installations of KB2416400 fail.
Scenario: You deploy KB2416400 via SMS 2003/ITMU. The clients attempt to install KB2416400 but fail with exit code 1642.
Resolution: Create a software deployment for both KB2416400 and KB2467659.
You can download the standalone versions of these from the Microsoft Download Center
Hope this helps,
Mike Johnson | System Center Senior Support Escalation Engineer
The App-V Team blog: http://blogs.technet.com/appv/ The WSUS Support Team blog: http://blogs.technet.com/sus/ The SCMDM Support Team blog: http://blogs.technet.com/mdm/ The ConfigMgr Support Team blog: http://blogs.technet.com/configurationmgr/ The SCOM 2007 Support Team blog: http://blogs.technet.com/operationsmgr/ The SCVMM Team blog: http://blogs.technet.com/scvmm/ The MED-V Team blog: http://blogs.technet.com/medv/ The DPM Team blog: http://blogs.technet.com/dpm/ The OOB Support Team blog: http://blogs.technet.com/oob/ The Opalis Team blog: http://blogs.technet.com/opalis The Service Manager Team blog: http: http://blogs.technet.com/b/servicemanager The AVIcode Team blog: http: http://blogs.technet.com/b/avicode
I am also seeing some weirdness in my testing of the December patches. I am seeing certain XP and 2003 systems re-prompting to download the following older patches, although they are already installed on the system and Set to Install in WSUS - 958215, 961260, 963207.
Any ideas on what is going on?
Another piece of weirdness: our MHT files we use for internal SOP documents, which contain embedded JPG files, are not rendering the images in i.e. If you edit them in Word, for example they show up. The MHT display correctly in other browsers.
Adding to the sentiment experienced above: Older updates were offered to Win2k3 servers (IE 7 related updates - 976325, 974455, 2360131). All of these updates were already installed. Affected servers kept rebooting i.e. installed old update, reboot, WSUS offers/installs it again - reboot. Went into WSUS and declined affected updates. Seems to have fixed the issue.
Thanks for the information, Issue 2 sorted out my problem, though I had to go back through and approve 23 updates in the sequence which took a while.
We're having an issue with a few clients where despite their browser version being IE8, the 2416400 updates for IE6 and IE7 are coming up as required in their compliance reports.. the update for IE8 is installed correctly
My issue is the same as Issue 1 but the fix doesn't work, the client already has KB2467659 approved and installed.
Still everytime I restart it prompts to install KB2416400.
If you have problem with KB2416400, check social.answers.microsoft.com/.../bbd51ac5-ba84-488f-ac17-c87de886b372
We are seeing isues in our SCCM Compliance reports with Server 2003 systems with IE 8 installed:
"Cumulative Security Update for Internet Explorer 8 for Windows Server 2003 (KB2416400)" shows up as approved, required, and installed, which is ok, but the same systems are reporting "Cumulative Security Update for Internet Explorer 7 for Windows Server 2003 (KB2416400)" is approved, required, but NOT installed. It should not be required because they have IE 8 installed.
On a similar note, I've seen one case where a Server 2003 system is not compliant because it is missing "Client Update for Microsoft Forefront Client Security (1.0.1732.0) (Windows 2000 SP4) " - Why is an update for Windows 2000 showing as required for a system running Server 2003?
I ended up declining all old, superceded updates and working fine now.
CURRENT - 2416400 (MS10-090)
DECLINED - 2360131, 2183461, 982381, 978207, 976325, 974455, 972260, 969897, 963027, 961260, 960714, 958215, 956390, 953838, 950759, 947864
We are also seeing the same issue. I followed the troubleshooting steps listed in the "Issue 2" section, however found that all updates were already set to install. So I ended up declining each old superseded IE update that reappeared after installation of KB2416400.
Tried installing patch with MS Update and manually both fail. Tried all of the suggestions still fail. During the MS Update only a partial piece of the update downloads. So I renamed SoftwareDistribution folder and tried again both ways still fail. I give up ! Come exploit my computer.. thanks MS.
Here is another way to resolve this :
- Open up the WSUS console and search for the text “Cumulative Security Update for Internet Explorer”. Decline all the updates that show up in that list.
- Now, apart from these cumulative updates, there are two IE security updates (976749 and 960714) which are also superseded by two of the cumulative updates 976325 and 961260 respectively. Decline these security updates as well.
- Last thing to do, search for the update 2416400 and approve the ones which are being deployed.
- Now, restart the automatic updates/windows update service on the clients and then check for updates again. You should not get prompted for the update any more now.
Note: The above steps are supposed to be followed after making sure that the update 2467659 is installed on the computers.
Grmbl....I have several Windows Server 2003 and XP machines out there which upgraded from IE6 to IE7 and recently IE8. The IE cumulative patch for IE8 has been installed OK...but the ones for IE6 and IE7 are still reported as missing. Manual installation doesn;t bring anything because they report a different version of IE has been installed then where the patch is for....
Looks to me that the detection method is not fully proof.....
Looks like it was fixed in the catalog somewhere in the last 24 hours.....haven't seen any notice about it though....!!
How do you know it was fixed in the catalog?