Deploying Superseded Down Level Windows Updates with Microsoft Configuration Manager 2007

UPDATE 12/5/2016: In November 2016, the Security Monthly Quality Rollups were released as superseding the Security Only Quality Updates. This impacted customers who deploy the Security Only Quality Updates with tools that cannot easily deploy superseded updates, such as System Center Configuration Manager 2007. Based on customer feedback, this supersedence was changed in December 2016. If you are using Configuration Manager 2007, you do not need the workarounds described in the post below after December's Patch Tuesday.

=====

As you are probably aware, Microsoft previously announced Windows servicing changes for down level operating systems, aiming at a more consistent and simplified servicing experience. As part of this simplified servicing model, the 2nd Tuesday of each month sees the release of a new Security Monthly Quality Rollup and a new Security Only Quality Update. Because the Security Monthly Quality Rollup contains the same security fixes as that month's Security Only Quality Update, plus all fixes from previous monthly rollups and Security Only Quality Updates, there is a supersedence relationship between these updates. This supersedence lets installers of the Security Monthly Quality Rollup recognize that the fixes in earlier rollups and Security Only updates are already included, and lets disk space be reclaimed appropriately once updates are superseded. See More on Windows 7 and Windows 8.1 servicing changes for more information about the servicing changes and supersedence rules.

Cross-Month and Intra-Month Supersedence Relationships

In Configuration Manager 2007 (ConfigMgr 2007), superseded updates are automatically expired and can no longer be deployed using the built-in software updates management (SUM) feature. As noted above, there is a cross-month supersedence relationship as well as an intra-month supersedence relationship between Security Only Quality Updates and Security Monthly Quality Rollups. For example, the Security Monthly Quality Rollup released in November will supersede the Security Only Quality Update also released in November as well as the updates (Security Monthly Quality Rollup and Security Only Quality Update) released in October.

Operational Impact (Security Monthly Quality Rollup Deployments)

Configuration Manager 2007 customers have roughly a month (from the 2nd Tuesday of each month to the following 2nd Tuesday) to test and fully deploy a new Security Monthly Quality Rollup for a given month using the SUM feature. If this deployment does not complete before the next superseding rollup is released, there are two primary options to continue:

1. Choose to switch to testing and deploying the latest superseding Security Monthly Quality Rollup using the SUM feature.

OR

2. Choose to deploy the superseded Security Monthly Quality Rollup using an alternate deployment method (outside of SUM), such as general software distribution.

Operational Impact (Security Only Quality Update Deployments)

Given that new Security Only Quality Updates are superseded by the new Security Monthly Quality Rollup for the same month, they will be marked as expired and unavailable for deployment each month via the SUM feature. Customers that desire to install Security Only Quality Updates will need to do so using an alternate deployment method (outside of SUM), such as general software distribution.

Alternate Deployment Methods using Software Distribution

Using the software distribution feature to deploy superseded updates, as you may have done in the past, entails manually downloading the desired update content from the online Microsoft Update Catalog site. The update content is .MSU based, and Wusa.exe is the command line installer for .MSU files. See Description of the Windows Update Standalone Installer in Windows for more information about using Wusa.exe, including its /quiet and /norestart switches.

Important Notes:

1. There will be update content packages per down level OS and per platform. Multiple packages and programs may be needed, as applicable.

2. You may need to create specific collections for targeting. It could be as simple as ‘All Windows 8.1 Computers’ or as complex as ‘All Windows 8.1 Computers that Require October’s Security-only Quality Update’.

3. You may need to test and define recurring advertisements designed to reinstall updates that are removed by end users.

4. Configuration Manager (current branch) and Configuration Manager 2012 have a Supersedence Rules feature that allows customers to define the expiration behavior for superseded updates. For example, instead of superseded updates being expired immediately, you can define that there is a three (3) month wait, allowing additional deployment time.
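As an added example (not code from the original post), the following PowerShell wrapper is the kind of program command a ConfigMgr 2007 package could run to install a downloaded .MSU with Wusa.exe: it skips machines that already report the KB, handles the 32-bit client on x64 Windows, and maps Wusa's exit codes so a recurring advertisement (note 3) stays idempotent. The script name, the KB number and the .MSU file name in the usage line are illustrative; the Sysnative handling assumes the ConfigMgr 2007 client launches the script as a 32-bit process, and the non-zero result codes are the Windows Update Agent codes Wusa commonly returns (3010 reboot required, 2359302 already installed, -2145124329 not applicable).

```powershell
# Install-Msu.ps1 (illustrative name): wrapper around wusa.exe for a ConfigMgr 2007 program.
# Written to run under Windows PowerShell 2.0 (Windows 7 / 2008 R2 era clients).
param(
    [Parameter(Mandatory=$true)][string]$KB,       # digits only, e.g. 3185330
    [Parameter(Mandatory=$true)][string]$MsuFile   # .MSU file name inside the package source
)

# Detection first: if the KB is already present, exit 0 without calling wusa.exe.
# This is what keeps a recurring reinstall advertisement cheap and idempotent.
if (Get-HotFix -Id "KB$KB" -ErrorAction SilentlyContinue) {
    Write-Output "KB$KB is already installed; nothing to do."
    exit 0
}

# The .MSU is expected next to this script in the package source.
$scriptDir = Split-Path -Parent $MyInvocation.MyCommand.Path
$msu = Join-Path $scriptDir $MsuFile
if (-not (Test-Path $msu)) {
    Write-Output "Update content not found: $msu"
    exit 2
}

# A 32-bit process on x64 Windows is redirected from System32 to SysWOW64 (assumption:
# the ConfigMgr 2007 client is 32-bit); Sysnative reaches the real 64-bit wusa.exe.
$sysDir = Join-Path $env:SystemRoot 'System32'
if ($env:PROCESSOR_ARCHITEW6432) { $sysDir = Join-Path $env:SystemRoot 'Sysnative' }
$wusa = Join-Path $sysDir 'wusa.exe'

# /quiet suppresses UI; /norestart leaves the reboot to the ConfigMgr program settings.
# Capture the real exit code from the process object rather than relying on $?.
$proc = Start-Process -FilePath $wusa -ArgumentList "`"$msu`" /quiet /norestart" -Wait -PassThru

switch ($proc.ExitCode) {
    0           { Write-Output "KB$KB installed."; exit 0 }
    3010        { Write-Output "KB$KB installed; reboot required."; exit 3010 }   # ConfigMgr treats 3010 as success + reboot
    2359302     { Write-Output "KB$KB already installed (WU_S_ALREADY_INSTALLED)."; exit 0 }
    -2145124329 { Write-Output "KB$KB not applicable to this system (WU_E_NOT_APPLICABLE)."; exit 0 }
    default     { Write-Output "wusa.exe failed with exit code $($proc.ExitCode)."; exit $proc.ExitCode }
}
```

A matching program command line would be `powershell.exe -ExecutionPolicy Bypass -NonInteractive -File Install-Msu.ps1 -KB 3185330 -MsuFile windows6.1-kb3185330-x64.msu` (the file name is illustrative; use the one the Catalog download gives you), with the program set to run with administrative rights whether or not a user is logged on. Because there is one .MSU per OS and platform (note 1), you need one program per package, each targeted at the matching collection (note 2).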

Deleting Superseding Updates

By deleting the superseding update, the superseded update will be unexpired and available for deployment in ConfigMgr 2007. See the Deleting updates using the WSUS API section below for more information, including how it affects Configuration Manager 2007.

Publish Superseded Updates Separately Using SCUP

See Deploying Custom .MSU Updates with SCCM (and SCUP) and read it thoroughly. One thing to be careful of with this method: do not set the Vendor/Publisher to "Microsoft" or "Microsoft Corp", as this breaks reporting in Configuration Manager.

Deleting Updates Using WSUS API

Delete the update in question directly using the PowerShell script below, or by calling the IUpdateServer.DeleteUpdate method from your own script/application. Run the PowerShell script to delete a specific Monthly Quality Rollup by using the KB article number:

[reflection.assembly]::LoadWithPartialName("Microsoft.UpdateServices.Administration")   # WSUS administration API (installed with the WSUS console)
$wsus = [Microsoft.UpdateServices.Administration.AdminProxy]::GetUpdateServer();        # connects to the local WSUS server
$updates = $wsus.GetUpdates() | Where {$_.KnowledgebaseArticles -contains '1234567'}    # replace 1234567 with the rollup's KB number (digits only)
foreach ($upd in $updates){
    $wsus.DeleteUpdate($upd.Id.UpdateId);   # DeleteUpdate takes the update's GUID
    Write-Host "$($upd.Title) removed"
}

To delete all Monthly Quality Rollups at once, replace the $updates line above with the following:

$updates = $wsus.GetUpdates() | Where {$_.Title -like '*Security Monthly Quality Rollup for Windows*'}

Save the script as a .PS1 file and run it from an administrative PowerShell command prompt on the WSUS server in question.

If the above script times out, you can delete the updates directly by ID. The ID for an update can be found by searching for the KB number in the Microsoft Update Catalog or in the WSUS console. For example, to find the ID for the October 2016 Security Monthly Quality Rollup for Windows 7 for x64-based Systems, search for "security monthly quality rollup for windows" in the Microsoft Update Catalog:

http://catalog.update.microsoft.com/v7/site/Search.aspx?q=security%20monthly%20quality%20rollup%20for%20windows

Then find and click the entry of interest; it opens in a new window. The update ID is embedded in that window's URL (visible in the window's properties):

http://catalog.update.microsoft.com/v7/site/ScopedViewInline.aspx?updateid=4a7c98c1-098e-46ca-af01-1b80eee5f48c

As we can see, the update ID for October, 2016 Security Monthly Quality Rollup for Windows 7 for x64-based Systems (KB3185330) is 4a7c98c1-098e-46ca-af01-1b80eee5f48c.

You can also find it in the WSUS console:

[Screenshot: the update ID shown in the WSUS console]

Therefore, if the update ID is 4a7c98c1-098e-46ca-af01-1b80eee5f48c, you can replace the $updates query (and the foreach loop that uses it) in the script above with a direct call:

$wsus.DeleteUpdate([guid]'4a7c98c1-098e-46ca-af01-1b80eee5f48c')

This avoids the search across all updates, which can time out until the WSUS database has been cleaned up. To fix the general timeout problem, implement the maintenance described in the blog below:

https://blogs.technet.microsoft.com/configurationmgr/2016/01/26/the-complete-guide-to-microsoft-wsus-and-configuration-manager-sup-maintenance/

IMPORTANT: If you have a WSUS/SUP hierarchy, run the script on every WSUS server, including replicas. It is strongly recommended that you start on the lower-most, downstream/replica WSUS server first, then move up the hierarchy. The upstream server should be the last one on which the script is run. See the Important/Warning notes in this Use the Server Cleanup Wizard article for more details.
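As an added example (not the post's own script), the following PowerShell variant covers the deletion steps and the hierarchy note above in one tool: it targets a named WSUS server (so it can be run against each downstream replica first, then the upstream), resolves the rollup by KB number or directly by update ID (avoiding the full GetUpdates() walk that times out on an uncleaned server), lists the updates the rollup supersedes so you can confirm the Security Only update will become deployable, and only deletes when run without -WhatIf. Assumptions: the WSUS administration assembly is present on the machine running it, the server listens on 8530 (or 8531 with -UseSsl), and the KB/ID values shown in the usage line are the ones from this post.

```powershell
# Remove-WsusRollup.ps1 (illustrative name): delete a Security Monthly Quality Rollup
# from one WSUS server, showing what it supersedes first. Example code, not from the post.
param(
    [string]$KB,                       # digits only, e.g. 3185330
    [string]$UpdateId,                 # GUID from the Catalog URL or the WSUS console
    [string]$Server = 'localhost',     # run once per WSUS server, downstream replicas first
    [int]$Port = 8530,
    [switch]$UseSsl,
    [switch]$WhatIf                    # report only; nothing is deleted
)

[void][Reflection.Assembly]::LoadWithPartialName('Microsoft.UpdateServices.Administration')
$wsus = [Microsoft.UpdateServices.Administration.AdminProxy]::GetUpdateServer($Server, $UseSsl.IsPresent, $Port)

# Resolve the target update(s). GetUpdate(Guid) is a single lookup; the KB path has to
# enumerate every update on the server and is the one that times out before cleanup.
if ($UpdateId) {
    $targets = @($wsus.GetUpdate([guid]$UpdateId))
} elseif ($KB) {
    $targets = @($wsus.GetUpdates() | Where-Object { $_.KnowledgebaseArticles -contains $KB })
} else {
    throw 'Specify -KB or -UpdateId.'
}

if ($targets.Count -eq 0) {
    Write-Warning "No matching update found on $Server."
    return
}

$supersededRel = [Microsoft.UpdateServices.Administration.UpdateRelationship]::UpdatesSupersededByThisUpdate
foreach ($upd in $targets) {
    Write-Output "Target on ${Server}: $($upd.Title) [$($upd.Id.UpdateId)]"

    # These are the updates (this month's Security Only update, last month's rollup and
    # Security Only update) that stop being superseded, and so un-expire in ConfigMgr 2007,
    # once the rollup is deleted. Check the list before committing.
    foreach ($s in $upd.GetRelatedUpdates($supersededRel)) {
        Write-Output "  supersedes: $($s.Title)"
    }

    if ($WhatIf) {
        Write-Output '  (WhatIf: not deleted)'
        continue
    }
    $wsus.DeleteUpdate($upd.Id.UpdateId)   # same IUpdateServer.DeleteUpdate call as the script above
    Write-Output '  deleted'
}
```

Run it first with -WhatIf against each server in the hierarchy (for example `.\Remove-WsusRollup.ps1 -Server replica01 -UpdateId 4a7c98c1-098e-46ca-af01-1b80eee5f48c -WhatIf`, where replica01 is a placeholder name), review the "supersedes" lines, then repeat without -WhatIf on the replicas and finally on the upstream server. The deletion itself is the same API call as the short script above; what this adds is the per-server targeting, the direct-by-ID lookup and the supersedence preview.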

Triggering a manual sync in Configuration Manager 2007 only runs a delta sync with WSUS, so the deletions will not be picked up. You must wait until ConfigMgr 2007 runs a full (scheduled) sync, or set a custom schedule a few minutes out to see the changes immediately:

[Screenshot: custom synchronization schedule in the ConfigMgr 2007 console]

You can monitor the sync in the wsyncmgr.log file. It should look something like this:

[Screenshot: wsyncmgr.log showing the full synchronization]

In the Configuration Manager console you will also see the Security Only Updates being available and deployable (green arrow) and the deleted Monthly Quality Rollup undeployable (grey arrow):

[Screenshot: ConfigMgr console with the Security Only update deployable (green arrow) and the deleted rollup undeployable (grey arrow)]

Reimporting deleted updates

If at any point you require the deleted updates again, you can import them back from the WSUS console:

[Screenshot: Import Updates option in the WSUS console]

This option opens the Microsoft Update Catalog (which no longer requires Internet Explorer), where you can search for and select the updates you want to import:

[Screenshots: searching for and importing updates from the Microsoft Update Catalog]

DISCLAIMER

Each individual action discussed above is supported, however the end-to-end process has not been tested by the WSUS/ConfigMgr product groups and is therefore not officially supported. The Microsoft CSS organization will assist in any case delivering best-effort support (meaning no guaranteed solution). As always, be sure to test and verify this in a lab environment first, and be sure to complete a backup before making any major changes.
