
Repeated installation of patch KB2798897

After recently getting my Patch Manager server up and into Production, I discovered the update KB2798897 kept re-installing on my PCs. It would install successfully but a few seconds later it would be there again. This was happening on all PCs (only 4 'cause I've only just started migrating).

So, looking into various forums I find a few techniques that may help in certain scenarios but weren't helping me. Obviously my issue was different. So I log into the WSUS console and check the patch in there. What I find is that there are two identical patches, but one is expired.

So I resolved the problem by declining the expired patch.

Here are some thoughts on the issue.

1. The Server Cleanup Wizard only declines expired patches that are not approved for deployment. Why not decline all expired patches? All expired patches have a successor.

2. When I tried to automate the declining of expired patches in Patch Manager using "Decline (scheduled with rules)" I found the rules were not flexible enough to pick the patches based on "Publication State". Maybe I'll raise this as an enhancement request.

  • With respect to the impact of expired patches, your question (#1) makes great sense, Phil; however, the reasoning is the more fundamental limitation that the Server Cleanup Wizard does not touch any update that has an approval assigned. While I cannot disagree that it would be nice to have the SCW pay special attention to expired updates -- they are, essentially, useless, once expired -- I also like the simplicity of knowing that the SCW is not going to touch any Approved update -- Ever. :-)

    The rulesets for Decline Updates and Delete Updates were derived from the original rulesets developed for the Update Management Wizard (which predates the Decline/Delete functionality by a couple of years), so it is correct that you cannot automatically decline updates based on expired status.

    However, you can build a Custom Update View to show Expired/Approved Updates.

    1. Create a Custom Update View for "Updates have a specific approval and installation status", and set the filters to Approved State="Approved" and Update Status="Any". Name the view Approved-Expired Updates

    2. Enable the "Publication State" column in the view. This column provides two possible values: Published or Expired. Filter on the value "Expired".

    3. Click on Save View Layout to set the Publication State = "Expired" filter as the default.

    Now, from this view, you can simply Ctrl-A and Decline.

    One last note of curiosity -- the WUAgent ignores expired updates, even if approved. KB2798897 is a brand new update, released on January 3, 2013, and has no revisions, and I'm not aware of any replacement cycles concerning this update either, so it would be helpful if you could identify specifically which update you believe was the (older) duplicate - that you saw as expired, and subsequently declined.

  • I wasn't aware of the documented behaviour of the WUAgent, however what I was experiencing (a looping between the 2 patches) was confirmed by the fact that I could see the 2 different file sizes in the Windows Update Control Panel applet: "1 important update selected, 160 KB" and "1 important update selected, 159 KB".

    I like to automate as much as I can, simply because it reduces my workload and improves reliability and hence improves our security posture. However I'm happy with your response.

    I do have a custom view that is set up exactly as you describe. I created it as soon as I discovered the issue.

    There are 3 expired patches for KB2798897. Here are the details in CSV format.

    Title, Revision Number, Revision Date, File Size, File Modified

    Update for Windows XP and Windows Server 2003 (KB2798897), 201, 01/01/2013 5:59:59 AM, 162976, 29/12/2012 2:07:40 PM

    Update for Windows Vista, Windows 7, Server 2008, Server 2008 R2 (KB2798897), 201, 01/01/2013 5:59:58 AM, 162976, 29/12/2012 2:07:40 PM

    Update for Windows 8, Windows Server 2012 (KB2798897), 201, 01/01/2013 5:59:57 AM, 162976, 29/12/2012 2:07:40 PM

    Here's a copy of the details of the relevant expired patch I was having trouble with.

    Title:    Update for Windows Vista, Windows 7, Server 2008, Server 2008 R2 (KB2798897)
    Classification:    Critical Updates
    Arrival Date:    01/01/2013 8:37:13 PM
    Approval:    Not approved
    Declined:    Yes
    State:    Files not downloaded (ready for installation)
    Release Date:    01/01/2013 5:59:58 AM
    Update ID:    9368ac9c-b930-4da1-81e9-782386caa3b6
    Installed Count:    0
    Needed Count:    0
    Not Applicable Count:    0
    Pending Reboot Count:    0
    Errors Count:    0
    No Status Count:    0
    Downloaded Count:    0
    Has License Agreement:    No
    MSRC Number:   
    MSRC Severity:    Unspecified
    Products:    Windows Vista,Windows Server 2008,Windows 7,Windows Server 2008 R2
    Revision Number:    201
    KB IDs:    2798897
    Deadline:    No
    Is Latest Revision:    Yes
    Approved for Computer Groups (Direct):   
    Installed Percentage:    0
    Failed Percentage:    0
    Needed Percentage:    0
    No Status Percentage:    0
    Pending Reboot Percentage:    0
    Downloaded Percentage:    0
    Not Applicable Percentage:    0
    Has Superceding Updates:    No
    WSUS Infrastructure Update:    No
    Company:    Microsoft
    Has Earlier Revision:    No
    Has Stale Update Approvals:    No
    Has Superceded Updates:    No
    Editable:    No
    Product Family:    Windows
    Publication State:    Expired
    Source:    MicrosoftUpdate
    Type:    Software
    Description:    Install this update to resolve an issue which requires an update to the untrusted certificate store on Windows systems and to keep your systems up to date. After you install this update, you may have to restart your system.
    Is Exclusive:    False
    Is Uninstallable:    False
    Requires User Input:    False
    SuperStatus:   
    FileStatus:   

    I've disabled the Server Cleanup task so that the declined updates are not deleted. If you are interested in any more info, let me know.

  • I was able to do some additional research on this. I'm not entirely sure what happened in your environment, but I'm pretty certain it was not the expired instance of KB2798897 that was involved.

    On Jan 1, 2013, two instances of KB2798897 arrived on my system as EXPIRED updates. They were never live. (My weekly run of the SCW on Saturday, Jan 5 declined them.)

    Because they were synchronized as expired updates, even if they were automatically approved, there should be no evidence that the WUAgent detected/downloaded these updates.

    (If there is, this would be a significant change in behavior in the WUAgent -- and given that we're dealing with all new builds of the WUAgent in the past six months, that's certainly a possibility!)

    The current instances (which are Revision 200) were released on Jan 3, 2013. (Oddly, the expired instances from Jan 1 are labelled as Revision 201.)

    I'm not sure why the non-standardized revision numbering is there, or why they were numbered out of sequence.

    A review of the WindowsUpdate.log entries since Jan 1 will indicate when the update was detected/downloaded, and specifically which revision(s) were acquired.

    If you'd like to email me that WindowsUpdate.log, I'd be happy to take a look at it.

    You can also use the Update Approvals tab of the WSUS server node in the Patch Manager console to determine if/when/who approved either of these updates.

  • Here's the update history on the PC. You can clearly see a number of entries for the same patch. All successfully installed.

    WUapplet.JPG

    Here is an excerpt from the WindowsUpdate.log for one of the patches.

    2013-01-09 08:53:10:002  580 ee0 DnldMgr *************

    2013-01-09 08:53:10:002  580 ee0 DnldMgr ** START **  DnldMgr: Downloading updates [CallerId = AutomaticUpdates]

    2013-01-09 08:53:10:002  580 ee0 DnldMgr *********

    2013-01-09 08:53:10:002  580 ee0 DnldMgr   * Call ID = {A8DAD719-57D2-4A7F-ACB3-41E5FE1E86EB}

    2013-01-09 08:53:10:002  580 ee0 DnldMgr   * Priority = 2, Interactive = 0, Owner is system = 1, Explicit proxy = 0, Proxy session id = -1, ServiceId = {3DA21691-E39D-4DA6-8A4B-B43877BCB1B7}

    2013-01-09 08:53:10:002  580 ee0 DnldMgr   * Updates to download = 1

    2013-01-09 08:53:10:002  580 ee0 Agent   *   Title = Update for Windows Vista, Windows 7, Server 2008, Server 2008 R2 (KB2798897)

    2013-01-09 08:53:10:002  580 ee0 Agent   *   UpdateId = {9368AC9C-B930-4DA1-81E9-782386CAA3B6}.201

    2013-01-09 08:53:10:002  580 ee0 Agent   *     Bundles 1 updates:

    2013-01-09 08:53:10:002  580 ee0 Agent   *       {7C9E0095-39A4-4F41-9585-FE9FCD8E911D}.201

    2013-01-09 08:53:10:018  580 ee0 DnldMgr ***********  DnldMgr: New download job [UpdateId = {7C9E0095-39A4-4F41-9585-FE9FCD8E911D}.201]  ***********

    2013-01-09 08:53:10:064  580 ee0 DnldMgr   * All files for update were already downloaded and are valid.

    2013-01-09 08:53:10:080  580 ee0 Agent *********

    2013-01-09 08:53:10:080  580 ee0 Agent **  END  **  Agent: Downloading updates [CallerId = AutomaticUpdates]

    2013-01-09 08:53:10:080  580 ee0 Agent *************

    2013-01-09 08:53:10:080  580 fd8 AU >>##  RESUMED  ## AU: Download update [UpdateId = {9368AC9C-B930-4DA1-81E9-782386CAA3B6}, succeeded]

    2013-01-09 08:53:10:080  580 fd8 AU Successfully wrote event for AU health state:0

    Here's the same excerpt for the different (but same) patch. NB different update ID but same Title.

    2013-01-09 16:53:42:906  580 1f90 DnldMgr ** START **  DnldMgr: Downloading updates [CallerId = AutomaticUpdates]

    2013-01-09 16:53:42:922  580 1f90 DnldMgr *********

    2013-01-09 16:53:42:922  580 1f90 DnldMgr   * Call ID = {3766CE9D-C8CB-4F83-ADCC-FCFE0993E73B}

    2013-01-09 16:53:42:922  580 1f90 DnldMgr   * Priority = 2, Interactive = 0, Owner is system = 1, Explicit proxy = 0, Proxy session id = -1, ServiceId = {3DA21691-E39D-4DA6-8A4B-B43877BCB1B7}

    2013-01-09 16:53:42:922  580 1f90 DnldMgr   * Updates to download = 1

    2013-01-09 16:53:42:922  580 1f90 Agent   *   Title = Update for Windows Vista, Windows 7, Server 2008, Server 2008 R2 (KB2798897)

    2013-01-09 16:53:42:922  580 1f90 Agent   *   UpdateId = {41346B2E-35C4-45C5-9F82-9B70FE9253CB}.200

    2013-01-09 16:53:42:922  580 1f90 Agent   *     Bundles 1 updates:

    2013-01-09 16:53:42:922  580 1f90 Agent   *       {6E35B5A1-6333-47E9-95E0-68B0B4B1B33E}.200

    2013-01-09 16:53:42:922  580 1f90 DnldMgr ***********  DnldMgr: New download job [UpdateId = {6E35B5A1-6333-47E9-95E0-68B0B4B1B33E}.200]  ***********

    2013-01-09 16:53:43:000  580 1f90 DnldMgr   * All files for update were already downloaded and are valid.

    2013-01-09 16:53:43:000  580 1f90 Agent *********

    2013-01-09 16:53:43:000  580 1f90 Agent **  END  **  Agent: Downloading updates [CallerId = AutomaticUpdates]

    2013-01-09 16:53:43:000  580 1f90 Agent *************

    2013-01-09 16:53:43:000  580 19bc AU >>##  RESUMED  ## AU: Download update [UpdateId = {41346B2E-35C4-45C5-9F82-9B70FE9253CB}, succeeded]

    2013-01-09 16:53:43:000  580 19bc AU #########

    2013-01-09 16:53:43:000  580 19bc AU ##  END  ##  AU: Download updates

    2013-01-09 16:53:43:000  580 19bc AU #############

  • Well... shucks. Yes, quite plainly we do see the WUAgent attempting to install the expired Revision 201 on Jan 9.

    I'll need to do some additional research on this. As previously noted, the WUAgent should have been ignoring the Expired update. The fact that it did not is particularly concerning, and defeats a fundamental operating principle of the entire WSUS patch infrastructure.

    It's also a matter of curiosity that WSUS would even allow an Expired update to be Approved in the first place. The only way I can see this actually happening is that the updates were expired after the original synchronization, but I've not yet been able to find any indication that there was a separate expiration event from the original release date.

    In any event, the correct action is the one you discovered -- to remove approvals from expired updates, or better, to outright decline them. The evidence here, though, suggests that may now be a critical requirement, rather than just nice-to-do, since the WUAgent did not seem to honor that expired state.
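
The WindowsUpdate.log review discussed in this thread can be scripted. The following is an added example, not part of the original posts: it pairs each `Title` line with its `UpdateId` line, reports titles the agent downloaded under more than one update ID, and flags downloads whose ID is marked Expired in a WSUS export. The log lines are trimmed from the excerpts above; the function names and the "Published" state for the Revision 200 update are assumptions.

```python
import re
from collections import defaultdict

# Title/UpdateId lines trimmed from the WindowsUpdate.log excerpts in the thread.
SAMPLE_LOG = """\
2013-01-09 08:53:10:002  580 ee0 Agent   *   Title = Update for Windows Vista, Windows 7, Server 2008, Server 2008 R2 (KB2798897)
2013-01-09 08:53:10:002  580 ee0 Agent   *   UpdateId = {9368AC9C-B930-4DA1-81E9-782386CAA3B6}.201
2013-01-09 08:53:10:002  580 ee0 Agent   *       {7C9E0095-39A4-4F41-9585-FE9FCD8E911D}.201
2013-01-09 16:53:42:922  580 1f90 Agent   *   Title = Update for Windows Vista, Windows 7, Server 2008, Server 2008 R2 (KB2798897)
2013-01-09 16:53:42:922  580 1f90 Agent   *   UpdateId = {41346B2E-35C4-45C5-9F82-9B70FE9253CB}.200
"""

# Publication State per update ID, as it would come from a WSUS view export.
# The first entry is from the thread; "Published" for the second is assumed.
PUBLICATION_STATE = {
    "9368ac9c-b930-4da1-81e9-782386caa3b6": "Expired",
    "41346b2e-35c4-45c5-9f82-9b70fe9253cb": "Published",
}

LINE = re.compile(r"^(\S+ \S+)\s+\d+\s+\w+\s+Agent\s+\*\s+(Title|UpdateId) = (.+)$")
UPDATE_ID = re.compile(r"^\{([0-9A-Fa-f-]{36})\}\.(\d+)$")

def parse_downloads(log_text):
    """Return (timestamp, title, update_id, revision) for each logged download."""
    downloads, title = [], None
    for line in log_text.splitlines():
        m = LINE.match(line.strip())
        if not m:
            continue  # bundle members and DnldMgr/AU lines are skipped
        stamp, key, value = m.groups()
        if key == "Title":
            title = value.strip()
        elif title and (u := UPDATE_ID.match(value.strip())):
            downloads.append((stamp, title, u.group(1).lower(), int(u.group(2))))
            title = None
    return downloads

def find_problems(downloads, states):
    """Flag titles served under several update IDs, and downloads of expired updates."""
    by_title = defaultdict(set)
    for _, title, uid, rev in downloads:
        by_title[title].add((uid, rev))
    duplicates = {t: sorted(ids) for t, ids in by_title.items() if len(ids) > 1}
    expired = [d for d in downloads if states.get(d[2]) == "Expired"]
    return duplicates, expired
```

Run against a full log, a non-empty `expired` list is the condition the last reply calls out: an agent acting on an update that WSUS reports as Expired.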