4 Replies Latest reply on Nov 13, 2015 1:06 PM by slatey

    3 Reboots Needed after November's Patches

    Apprentice

      I know this month's patch release is a big one, but I don't really recall WSUS requiring all these reboots. Has anyone else experienced multiple reboots on large patch releases where certain patches are required to be installed in a certain order? Example below:

       

      [1]Note that update 3101746 in MS15-115 and update 3101246 in MS15-122 are releasing concurrently with update 3081320 in this bulletin, MS15-121. Customers who intend to install all three updates manually on Windows 7 Service Pack 1 or Windows Server 2008 R2 Service Pack 1 should install the updates in the following order: 3101246 first, 3081320 second, and 3101746 third (this is taken care of automatically for customers with automatic updating enabled). For more information see the Known Issues section of Microsoft Knowledge Base Article 3105256.

        • 1. Re: 3 Reboots Needed after November's Patches
          Apprentice

          Looking closer at the actual patch definitions - There doesn't seem to be any logic to detect and then install the patches in the right order. Looking at a Repair task on one of my systems confirms this more.

           

          Here is the order Microsoft gives:

           

          1) 3101246

          2) 3101746

          3) 3081320

           

          Here is the order LANDesk installed (or attempted):

           

          1) 3081320

          2) 3101246 (failed)

          3) 3101746

          4) 3101246 (failed)

          5) 3101246 (failed)

          6) 3101246 (failed)

           

          At which point, a new Vulscan was run and detected that 3101246 was no longer needed due to the following detection:

           

          ClientFilesToCheck(0,filename) =strSystem32 & "adtschema.dll"

          ClientFilesToCheck(0,gold_gdr) ="*"

          ClientFilesToCheck(0,gold_ldr) ="*"

          ClientFilesToCheck(0,sp1_gdr) ="6.1.7601.19043"

           

          And the current version of my adtschema.dll is now "6.1.7601.19043"

           

          Interesting to note, however, that the 3101246 patch STILL has not installed on my system, and due to the way LANDesk installed the patches in the wrong order, manually installing it won't work. It claims my system doesn't need the patch now.

          I'm willing to bet if I uninstall the patches and then install them in the right order, they will work.

           

          Looks like the detection and installation scripts here have some flawed logic.  Please do correct me if I'm wrong - but this is causing incorrect reporting of installed/applicable patches - is it not?

           

           

          Orderlandesk.png

           

           

          *Update* - Uninstalling the other 2 patches and then installing them in the right order works.  We've got two issues here, LANDesk needs to build their definitions better for these kinds of scenarios, and the Windows Update Standalone Installer should also have some kind of built in logic to handle this.

          • 2. Re: 3 Reboots Needed after November's Patches
            MarXtar ITSMMVPGroup

            If you haven't already, please get this logged with support so they can get looking at the logic.

             

            Mark McGinn

            MarXtar Ltd/MarXtar Corporation

            http://landeskone.marxtar.co.uk

            LANDESK One Development Partner

             

            The One-Stop Shop for LANDESK Enhancements

            • 3. Re: 3 Reboots Needed after November's Patches
              Apprentice

              Done.

               

              Just a warning, the last time I put in a request with support for an issue with patch defs, they updated the current defs to include the pre-requisite. This was back in February for MS15-011 and MS15-015.

               

              All the people that had already set the patches to autofix, they started experiencing unintended reboots due to a new patch definition being included. Something to keep an eye out for.

              • 4. Re: 3 Reboots Needed after November's Patches
                Apprentice

                This appears to be fixed now. Tested on one machine and it installed in the proper order. If you look at the defs, you'll see that the letters A,B,C are prepended to the definitions depending on if it's Windows 7 & Windows 8. That seems to be the only thing changed. The actual detection script is the same. I'm guessing LANDesk installs patches alphabetically?

                 

                order.png

                Also, my initial report had the wrong order - according to MS, the patches install in a different order for Windows 7 and Windows 8. I'll be pushing out to a few more machines to test, but this looks good now.

                 

                [1]Note that update 3081320 in MS15-121 and update 3101246 in MS15-122 are releasing concurrently with update 3101746 in this bulletin, MS15-115. Customers who intend to install all three updates manually on Windows 7 Service Pack 1 or Windows Server 2008 R2 Service Pack 1 should install the updates in the following order: 3101246 first, 3081320 second, and 3101746 third (this is taken care of automatically for customers with automatic updating enabled). For more information see the Known Issues section of Microsoft Knowledge Base Article 3105256.

                [2]Note that update 3081320 in MS15-121 and update 3101246 in MS15-122 are releasing concurrently with update 3101746 in this bulletin, MS15-115. Customers who intend to install all three updates manually on Windows 8 or Windows Server 2012 should install the updates in the following order: 3101246 first, 3101746 second, and 3081320 third (this is taken care of automatically for customers with automatic updating enabled). For more information see the Known Issues section of Microsoft Knowledge Base Article 3105256.