Sat, Nov 3 2012 23:59
*New Update Alert* The following 3421 new updates have been synchronized to SERVER
*New Update Alert* The following 3421 new updates have been synchronized to SERVER since Sunday, November 04, 2012 6:00 AM (GMT).
If you just got something like that on your WSUS, it's normal and to be expected:
"I want to alleviate confusion I may have caused and distinguish between two issues to \
Filed under: Security
help experts and admins understand the potential impact of two changes you may be \
seeing in your environments.
The first issue regards digital certificates (as described in KB2749655); the second \
is related to improvements in the Microsoft Update service used by WSUS Server, SCCM \
and Intune (as described in KB 2718704).
ISSUE 1 - DIGITAL CERTIFICATES
The digital certificates issue is described in the MSRC advisory \
http://technet.microsoft.com/en-us/security/advisory/2749655 and the associated KB \
These updates released on October 9 (2nd Tuesday in October) and resulted in between \
50 and 250 updates being changed depending on how many of these were in your servers. \
Some of these were revisions (metadata only changes). Some were re-releases (due to \
the code-signing elements being integrated into Windows CBS-based binaries). While \
the payload changed for some of these updates, none of them had functional or \
targeting changes beyond the signing corrections. Any additional updates for this \
same issue will likely be released on future 2nd Tuesdays and will appear as a \
similar set of 50 - 250 updates that are either revised, re-released or both.
While I can't discuss future releases, you should expect a few more of these in the \
coming month or so. The impact on WSUS, SCCM servers should be the same as they were \
on October 9. Intune is not affected since it maintains the datastore in the cloud, \
not in a local database like WSUS and SCCM servers.
ISSUE 2 - ADDITIONAL IMPROVEMENTS
As part of a strategy to improve the security of Windows/Microsoft Update, many \
updates were revised in other ways as mentioned in the MSRC blog \
http://blogs.technet.com/b/msrc/archive/2012/06/04/security-advisory-2718704-update-to, in the MSRC advisory \
-phased-mitigation-strategy.aspxhttp://technet.microsoft.com/en-us/security/advisory/2718704 and in the associated KB \
The WSUS team posted this related post Wednesday October 31: \
Within the MU service, a very large number of updates were improved in additional \
ways to secure and harden the service (I'm not able to provide more details).
The large number of improved updates became visible to WSUS servers on a rolling, \
one-time basis beginning the first week of October. This means that one WSUS admin \
may have received the improved revisions all at once one day after a sync, while \
another WSUS server may have received the same large batch of updates 1, 2, 5, 7 or \
even 14 days later than the earlier admin. And once these improvements come down to \
your WSUS/SCCM server, you will not incur another experience like this again. This \
is a one-time sync of the large number of updates we've already made in our service - \
separate and different from those described in ISSUE 1 above.
Depending on how many of these improved updates were present in your WSUS server, you \
may have observed anywhere from 1000 or more revisions. As a result, your managed \
clients may have briefly indicated they weren't compliant (due to the new revisions). \
But after the clients obtained the revision and rescanned, they would report back \
that they were again compliant.
For SCCM admins, the latter issue will incur a one-time cost to re-download any \
active deployments to both sync and redistribute these to ConfigMgr distribution \
points. While there's a wizard that helps, the effort increases with the number of \
active deployments that were changed.
In both cases - whether for digital certificates or the additional improvements - \
neither the targeting (metadata) nor payloads were changed in any functional way.
The impact to WSUS servers is more likely worrying than troublesome. SCCM admins had \
a much greater impact that required manual effort to ensure all clients and their \
active deployments returned to a compliant state.
While both changes we made were to improve the service for enterprises and consumers, \
the impact wasn't sufficiently understood beforehand and communicated proactively. I \
hope this explanation helps describe the situation and helps you plan for and \
accommodate these changes. We strive to provide a powerful service you can trust \
without interruption. And we're already making improvements based on your feedback.
For reporting issues with SCCM or WSUS Server, please take the time to review and \
post on the forums below where we watch for issues affecting our customers:
Microsoft Update (MU)"