From Doug Neal at Microsoft Update:


I want to [...] distinguish between two issues to help experts and admins understand the potential impact of two changes you may be seeing in your environments.


The first issue regards digital certificates (as described in KB2749655); the second is related to improvements in the Microsoft Update service used by WSUS Server, SCCM and Intune (as described in KB 2718704).


ISSUE 1 - DIGITAL CERTIFICATES

The digital certificates issue is described in the MSRC advisory http://technet.microsoft.com/en-us/security/advisory/2749655 and the associated KB article http://support.microsoft.com/kb/2749655


These updates released on October 9 (2nd Tuesday in October) and resulted in between 50 and 250 updates being changed depending on how many of these were in your servers. Some of these were revisions (metadata only changes).  Some were re-releases (due to the code-signing elements being integrated into Windows CBS-based binaries).  While the payload changed for some of these updates, none of them had functional or targeting changes beyond the signing corrections.  Any additional updates for this same issue will likely be released on future 2nd Tuesdays and will appear as a similar set of 50 - 250 updates that are either revised, re-released or both.


While I can't discuss future releases, you should expect a few more of these in the coming month or so. The impact on WSUS, SCCM servers should be the same as they were on October 9.  Intune is not affected since it maintains the datastore in the cloud, not in a local database like WSUS and SCCM servers.


ISSUE 2 - ADDITIONAL IMPROVEMENTS

As part of a strategy to improve the security of Windows/Microsoft Update, many updates were revised in other ways as mentioned in the MSRC blog http://blogs.technet.com/b/msrc/archive/2012/06/04/security-advisory-2718704-update-to-phased-mitigation-strategy.aspx, in the MSRC advisory http://technet.microsoft.com/en-us/security/advisory/2718704 and in the associated KB article http://support.microsoft.com/kb/2718704.


The WSUS team posted this related post Wednesday October 31: http://blogs.technet.com/b/sus/archive/2012/10/31/support-tip-many-new-revisions-of-updates-may-be-downloaded-by-the-wsus-server.aspx


Within the MU service, a very large number of updates were improved in additional ways to secure and harden the service (I'm not able to provide more details).


The large number of improved updates became visible to WSUS servers on a rolling, one-time basis beginning the first week of October.  This means that one WSUS admin may have received the improved revisions all at once one day after a sync, while another WSUS server may have received the same large batch of updates 1, 2, 5, 7 or even 14 days later than the earlier admin.  And once these improvements come down to your WSUS/SCCM server, you will not incur another experience like this again.  This is a one-time sync of the large number of updates we've already made in our service - separate and different from those described in ISSUE 1 above.


Depending on how many of these improved updates were present in your WSUS server, you may have observed 1000 or more revisions. As a result, your managed clients may have briefly indicated they weren't compliant (due to the new revisions). But after the clients obtained the revision and rescanned, they would report back that they were again compliant.


For SCCM admins, the latter issue will incur a one-time cost to re-download any active deployments to both sync and redistribute these to ConfigMgr distribution points.  While there's a wizard that helps, the effort increases with the number of active deployments that were changed.


TECHNICAL IMPACT

In both cases - whether for digital certificates or the additional improvements - neither the targeting (metadata) nor payloads were changed in any functional way.


The impact to WSUS servers is more likely worrying than troublesome.  SCCM admins had a much greater impact that required manual effort to ensure all clients and their active deployments returned to a compliant state.


While both changes we made were to improve the service for enterprises and consumers, the impact wasn't sufficiently understood beforehand and communicated proactively. I hope this explanation helps describe the situation and helps you plan for and accommodate these changes.  We strive to provide a powerful service you can trust without interruption.  And we're already making improvements based on your feedback.


For reporting issues with SCCM or WSUS Server, please take the time to review and post on the forums below where we watch for issues affecting our customers:


doug neal

Microsoft Update (MU)