Update on a couple issues we are seeing related to detection and installation of MS10-090 (KB2416400)

I just wanted to let you know about a couple issues we are seeing on our support team related to detection and install issues for MS10-090 (KB2416400).  Please note that these are preliminary troubleshooting steps that we have found in our investigation of these issues and you may find other factors in your configuration that also contribute to the issue that do not align with those that are documented here.

Note: Issue 2 below was updated on 12/21/2010 for clarity.

=================================
Issue 1:

WSUS managed clients experience a re-offer loop for this update.

Scenario:

· You approve MS10-090 (KB2416400) for installation to clients.

· Clients download/install MS10-090 (KB2416400) successfully and a reboot is needed.

· The reboot is completed.

· After the reboot, KB2416400 is reoffered for installation.

Cause:

As noted in the MS10-090 security bulletin and article KB2416400, KB2467659 should be deployed along with KB2416400.

Resolution:
If you have installed KB2416400 without installing KB2467659, clients may be re-offered KB2416400 one or more times even when it installs successfully.  The resolution for this issue is to install KB2467659. 

=================================

Issue 2:

WSUS managed clients experience a re-offer loop for this update and updates it supersedes.

Scenario:

•    You approve MS10-090 (KB2416400) for installation to clients and have already approved KB2467659 as well (issue 1 above).

•    Clients download/install MS10-090 (KB2416400) and a reboot is needed.

•    The reboot is completed.

•    The client prompts to install an older update that MS10-090 (KB2416400) supersedes.

•    You install this older update and a reboot is needed.

•    The reboot is completed.

•    The client prompts to install KB2416400 again.

•    If you repeat the installation, the two updates continue to be offered in an endless loop.

Cause:

At least one of the updates in the supersedence chain for MS10-090 (KB2416400) has an approval state that is NOT set to “Declined”.

Resolution:

We recommend that all updates that are superseded by KB2416400 (MS10-090) be set to “DECLINED” for their approval state within WSUS.  Here are some fairly quick steps provided by Vishal Gupta (thanks, Vishal!):

 

Decline all updates that are superseded by KB2416400.

•    Open the WSUS console.

•    Expand the WSUS server’s name on the upper-left.

•    Right-click on Updates and choose Search.

•    In the Text field, enter the following text:

Cumulative Security Update for Internet Explorer

•    Click Find Now and wait for the search results to build.

•    When the results are shown, select the first item in the list so that it becomes highlighted, scroll to the bottom of the search results, hold down the SHIFT key on your keyboard, select the last update in the list, and release the SHIFT key.  Now all updates in the search result should be highlighted.

•    Right-click in the highlighted list of updates and choose “Decline”; when prompted if you are sure you want to decline the updates, choose “Yes”.

NOTE:  This declines KB2416400, but the later steps will allow you to approve this one again.

•    When this task completes, change the search Text to:

KB976749

•    Click Find Now and wait for the search results to build.

•    Select all of the items returned, right-click, and choose Decline.

•    When this task completes, change the search Text to:

KB960714

•    Click Find Now and wait for the search results to build.

•    Select all of the items returned, right-click, and choose Decline. 

 

Set the approval to “Install” for each of the versions of KB2416400 you wish to deploy in your environment.

•    Using the same Search dialog, change the search Text to:

KB2416400

•    Click Find Now and wait for the search results to build.

•    For each version of KB2416400 you need to deploy in your environment, right-click the update and choose Approve. 

 

Confirm that KB2467659 has an approval set to “Install”.

•    Using the same Search dialog, change the search Text to:

KB2467659

•    Click Find Now and wait for the search results to build.

•    For each version of KB2467659 you need to deploy in your environment, right-click the update and choose Approve. 

This takes care of all of the approval changes on the WSUS server so you can do the following on some of the clients to confirm the issue is resolved:

•    Restart the Automatic Updates service/Windows Update service on an affected client.

•    From a CMD prompt, run WUAUCLT /DETECTNOW.
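
The cause described for Issue 2 can also be checked from the WSUS server itself. The script below is an added example, not part of the original post or of any Microsoft tooling. It goes beyond the console text searches above by walking the supersedence metadata from KB2416400 and listing every superseded update that is not yet declined. It assumes it runs in an elevated PowerShell session on the WSUS server with the WSUS administration API installed; the `-Decline` switch and the function name are hypothetical names chosen for this example.

```powershell
# Added example (not from the original post). Without -Decline it only reports.
param([switch]$Decline)   # hypothetical switch name

[void][Reflection.Assembly]::LoadWithPartialName('Microsoft.UpdateServices.Administration')
$wsus = [Microsoft.UpdateServices.Administration.AdminProxy]::GetUpdateServer()
$rel  = [Microsoft.UpdateServices.Administration.UpdateRelationship]::UpdatesSupersededByThisUpdate

$seen = @{}   # update GUIDs already visited, so shared ancestors are walked once

# Recursively emit every update below $update in the supersedence chain.
function Get-SupersededChain($update) {
    foreach ($old in $update.GetRelatedUpdates($rel)) {
        $key = $old.Id.UpdateId.ToString()
        if ($seen.ContainsKey($key)) { continue }
        $seen[$key] = $true
        $old
        Get-SupersededChain $old
    }
}

# All versions of KB2416400 known to this server (one per IE version / OS).
$roots = @($wsus.SearchUpdates('KB2416400') | Where-Object { $_.Title -match 'KB2416400' })
if ($roots.Count -eq 0) { throw 'KB2416400 not found; has the server synchronized?' }

$chain = @(foreach ($r in $roots) { Get-SupersededChain $r })
$open  = @($chain | Where-Object { -not $_.IsDeclined })

Write-Host ("{0} superseded update(s) found, {1} not declined" -f $chain.Count, $open.Count)
$open | Sort-Object Title | Select-Object Title, IsApproved, IsDeclined | Format-Table -AutoSize

if ($Decline) {
    foreach ($u in $open) {
        Write-Host "Declining: $($u.Title)"
        $u.Decline()
    }
}

# KB2416400 and KB2467659 must both still carry an approval after the cleanup.
# IsApproved is true when the update has at least one approval on the server.
foreach ($kb in 'KB2416400', 'KB2467659') {
    $wsus.SearchUpdates($kb) | Where-Object { $_.Title -match $kb } |
        Select-Object Title, IsApproved, IsDeclined | Format-Table -AutoSize
}
```

Run it once without the switch to review the list, then again with `-Decline`; a final run should report zero updates not declined before you re-test a client with WUAUCLT /DETECTNOW.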

================================
Issue 3:

SMS/ITMU installations of KB2416400 fail.

Scenario:
You deploy KB2416400 via SMS 2003/ITMU.  The clients attempt to install KB2416400 but fail with exit code 1642.

Resolution:
Create a software deployment for both KB2416400 and KB2467659.

You can download the standalone versions of these from the Microsoft Download Center.

Hope this helps,

Mike Johnson | System Center Senior Support Escalation Engineer

The App-V Team blog: http://blogs.technet.com/appv/
The WSUS Support Team blog: http://blogs.technet.com/sus/
The SCMDM Support Team blog: http://blogs.technet.com/mdm/
The ConfigMgr Support Team blog: http://blogs.technet.com/configurationmgr/
The SCOM 2007 Support Team blog: http://blogs.technet.com/operationsmgr/
The SCVMM Team blog: http://blogs.technet.com/scvmm/
The MED-V Team blog: http://blogs.technet.com/medv/
The DPM Team blog: http://blogs.technet.com/dpm/
The OOB Support Team blog: http://blogs.technet.com/oob/
The Opalis Team blog: http://blogs.technet.com/opalis
The Service Manager Team blog: http://blogs.technet.com/b/servicemanager
The AVIcode Team blog: http://blogs.technet.com/b/avicode
