This is the Windows Server Update Services support team blog. We cover all things relating to WSUS and Windows Update.
I just wanted to let you know about a couple issues we are seeing on our support team related to detection and install issues for MS10-090 (KB2416400). Please note that these are preliminary troubleshooting steps that we have found in our investigation of these issues and you may find other factors in your configuration that also contribute to the issue that do not align with those that are documented here.
Note: Issue 2 below was updated on 12/21/2010 for clarity.
================================= Issue 1:
WSUS managed clients experience a re-offer loop for this update.
· You approve MS10-090 (KB2416400) for installation to clients.
· Clients download/install MS10-090 (KB2416400) successfully and a reboot is needed.
· The reboot is completed.
· After the reboot, KB2416400 is reoffered for installation.
As noted in the MS10-090 security bulletin and article KB2416400, KB2467659 should be deployed along with KB2416400.
Resolution: If you have installed KB2416400 without installing KB2467659, clients may be re-offered KB2416400 one or more times even when it installs successfully. The resolution for this issue is to install KB2467659.
WSUS managed clients experience a re-offer loop for this update and updates it supersedes.
• You approve MS10-090 (KB2416400) for installation to clients and have already approved KB2467659 as well (issue 1 above).
• Clients download/install MS10-090 (KB2416400) and a reboot is needed.
• The reboot is completed.
• The client prompts to install an older update that MS10-090 (KB2416400) supersedes.
• You install this older update and a reboot is needed.
• The client prompts to install KB2416400 again.
• If you repeat the installation, the two updates continue to be offered in an endless loop.
At least one of the updates in the supersedence chain for MS10-090 (KB2416400) has an approval state that is NOT set to “Declined”.
We recommend that all updates that are superseded by KB2416400 (MS10-090) be set to “DECLINED” for their approval state within WSUS. Here are some fairly quick steps provided by Vishal Gupta (thanks, Vishal!):
Decline all updates that are superseded by KB2416400.
• Open the WSUS console.
• Expand the WSUS server’s name on the upper-left.
• Right-click on Updates and choose Search.
• In the Text field, enter the following text:
Cumulative Security Update for Internet Explorer
• Click Find Now and wait for the search results to build.
• When the results are shown, select the first item in the list so that it becomes highlighted, scroll to the bottom of the search results, hold down the SHIFT key on your keyboard, select the last update in the list, and release the SHIFT key. Now all updates in the search result should be highlighted.
• Right-click in the highlighted list of updates and choose “Decline”; when prompted if you are sure you want to decline the updates, choose “Yes”.
NOTE: This declines KB2416400, but the later steps will allow you to approve this one again.
• When this task completes, change the search Text to:
• Select all of the items returned, right-click, and choose Decline.
• Select all of the items returned, right-click, and choose Decline.
Set the approval to “Install” for each of the versions of KB2416400 you wish to deploy in your environment.
• Using the same Search dialog, change the search Text to:
• For each version of KB2416400 you need to deploy in your environment, right-click the update and choose Approve.
Confirm that KB2467659 has an approval set to “Install”.
• Click Find Now and wait for the search results to build
• For each version of KB2467659 you need to deploy in your environment, right-click the update and choose Approve.
This takes care of all of the approval changes on the WSUS server so you can do the following on some of the clients to confirm the issue is resolved:
• Restart the Automatic Updates service/Windows Update service on an affected client.
• From a CMD prompt, run WUAUCLT /DETECTNOW.
================================ Issue 3:
SMS/ITMU installations of KB2416400 fail.
Scenario: You deploy KB2416400 via SMS 2003/ITMU. The clients attempt to install KB2416400 but fail with exit code 1642.
Resolution: Create a software deployment for both KB2416400 and KB2467659.
You can download the standalone versions of these from the Microsoft Download Center
Hope this helps,
Mike Johnson | System Center Senior Support Escalation Engineer
The App-V Team blog: http://blogs.technet.com/appv/ The WSUS Support Team blog: http://blogs.technet.com/sus/ The SCMDM Support Team blog: http://blogs.technet.com/mdm/ The ConfigMgr Support Team blog: http://blogs.technet.com/configurationmgr/ The SCOM 2007 Support Team blog: http://blogs.technet.com/operationsmgr/ The SCVMM Team blog: http://blogs.technet.com/scvmm/ The MED-V Team blog: http://blogs.technet.com/medv/ The DPM Team blog: http://blogs.technet.com/dpm/ The OOB Support Team blog: http://blogs.technet.com/oob/ The Opalis Team blog: http://blogs.technet.com/opalis The Service Manager Team blog: http: http://blogs.technet.com/b/servicemanager The AVIcode Team blog: http: http://blogs.technet.com/b/avicode
I don't know if it is "fixed," but the patch catalog certainly changed sometime yesterday. I'm using SCCM, and yesterday 51% of my workstations were compliant. Today only 5% are. The only thing that changed was that my SCCM server refreshed its patch catalog at 7 pm last night. Now a large number of my workstations are requesting patches today that they were not requesting when we deployed patches this past weekend.
That makes sense. I am using WSUS and I have synced a few times and I have not recieved any new updates (except definition updates). I will keep an eye on my Sync logs. I currently do not have the patch approved for install as it was causing issues on our DCs with the multiple reboots.
Which one is better:
Declining the Old revision and approving the latest revison of the Updates we might have missed during these years (Although it take time to find the update chain)
Declining all the Updates
We have the same issue as "Jeff H 16 Dec 2010 12:59 PM " reported earlier. All htm and mht files created with office tools are not showing any drawings when opened in Explorer 8. Does anyone knows a solution for this?
I ran into an issue when declining KB960714. When you search for KB960714 only the IE7 updates show up so I did not decline the patch for previous versions of IE causing our clients to get in a loop installing KB960714 and KB2416400. Make sure you search for 960714 when declining this update.
Same issue as Jeff H 16 Dec 2010 12:59 and LodeV 22 Dec 2010 7:39 AM. Images in MHT file are being replaced by text "Bitmap" After uninstalling this update images display perfectly fine. Has anyone figured out a solution for this yet?
(working in Windows 7 with Office 2010 installed)
It seems that the issue with 2416400 is that it does something to the browser so it doesn’t like the way MS Word creates .mht files. MHT files created with Internet Explorer 8 or the Windows Problem Steps Recorder both work fine and display images even with 2416400 installed.
I did a test where I created a simple html file with an image and opened it up in IE8. I then saved it out of IE8 as a mht file. The file opens fine and displays the image in IE8. I then opened the file in Word 2010 and simply saved as a different name. That file does not display the image.
I also opened the file up on an XP machine with Word 2003 and saved it. That file also won’t display the image in IE8 when 2416400 is installed. After uninstalling 2416400 on this machine and rebooting all of the mht files then displayed the image correctly.
For what it’s worth and out of curiosity I built a quick VB6 browser (basically I just dropped the Microsoft Internet Controls tool on a form – ieframe.dll) to see if the problematic .mht files would work and they do, perfectly! Good old old technology! ;-)
Workaround 2 fixed the issue
Thanks a lot
Sounds like I'm having a similar issue as a few others who have commented here, and I've been searching for 2 days to find an answer! All of the graphics in published MS Producer presentations have disappeared. If you don't know about MS Producer, and published files contain video synchronized to PPT slides. Once published, a hundred different files are generated, and the graphics are jpg, gif, and png, so I don't think it matters what format the graphics are. They've simply disappeared! Uninstall the KB2416400 IE patch, and the all work fine. Uninstalling isn't an option, this patch was pushed out to thousands of users. HELP! I've posted on a dozen different forums and have been googling for days!
In my environment, after approving the MS10-090 patch, only the MS10-071 is offered/installed again.
Can I just decline only MS10-071 and approve MS10-090?
More FYI... (Using Vista - Office 2007 - IE7)
I used PowerPoint to create MHT files which I ultimately saved as complete Web pages (.htm). The picture portions of these pages no longer appear when viewed in IE, but the hyperlinks and text remain. Like others, uninstalling 2416400 is the only way I've found to restore the pictures. I too am looking for a resolution that doesn't require uninstalling the security fix. Thanks!
MHT Viewing Problem Resolved!
My problem turned out to be a conflict with a McAfee application, and the link below leads to the explanation and fix: