Microsoft’s track record with Windows Updates over the last several months means I don’t approve updates in WSUS the day they come out. I generally wait to see how things go over the first few days before I feel comfortable releasing them to our PCs. So I wasn’t too concerned when I saw the reports of KB3001652 causing systems to hang. I assumed this was a new update, and knew that it would be sitting safely “unapproved” in WSUS. That turned out to be a bad assumption.
When I received an email about one of our digital sign PCs hanging on a Windows Update screen, I immediately thought of that problem patch. But how could that be? I didn’t approve any updates for February? I was still able to connect to the system, and when I checked the running tasks, I found vstor_redist.exe happily running while the Windows Update service was trying to stop (without much success). I killed vstor_redist.exe, and Windows Update moved on to a second update and successfully rebooted.
I checked WSUS, and sure enough the update was approved for installation. That’s when I discovered that this wasn’t a new update. It was from last October. According to the revision history in WSUS the October release was revision 201. The version that went out yesterday was revision 202. Because my WSUS settings were set to automatically approve new revisions of approved updates, this new revision went out without any vetting.
Thankfully, I only know of one machine that grabbed it. That one digital sign wound up being a dozen or so systems.
What changed between October and yesterday? Here’s what WSUS has to say:
The applicability rules or prerequisites have changed. This type of change means that the set of machines on which the new revision is offered may be different from the set of machines on which the old revision is offered.
Information has changed about how to install the update files.
Looks like someone borked the detection rules. January was a quiet set of patches, so I guess it was too much to ask for a second straight month without any issues. That being said, I’ve changed my WSUS settings to not automatically approve new revisions of approved updates. You can find this setting in WSUS by going to Options > Automatic Approvals > Advanced. Uncheck the box “Automatically approve new revisions of updates that are already approved” and click OK.
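The same setting can be audited and turned off from PowerShell, which also makes it easy to list approved updates that recently arrived as a new revision. This is an added example, not part of the original post; it assumes the UpdateServices module is available, that the `AutoRefreshUpdateApprovals` configuration property is what backs the checkbox above (confirm in the console after running), and a 7-day look-back window chosen for illustration.

```powershell
# Added example: run on the WSUS server, or on a machine with the WSUS admin tools.
Import-Module UpdateServices

$wsus   = Get-WsusServer            # local server; use -Name/-PortNumber for a remote one
$config = $wsus.GetConfiguration()

# Assumption: this property corresponds to "Automatically approve new
# revisions of updates that are already approved".
"Auto-approve new revisions is currently: $($config.AutoRefreshUpdateApprovals)"

if ($config.AutoRefreshUpdateApprovals) {
    $config.AutoRefreshUpdateApprovals = $false
    $config.Save()
    "Setting disabled; new revisions now wait for manual approval."
}

# List updates whose latest revision is approved, that arrived in the last
# 7 days (constructed window), and that replace an earlier revision.
# These are the revisions that reached clients without being vetted.
$scope = New-Object Microsoft.UpdateServices.Administration.UpdateScope
$scope.ApprovedStates  = [Microsoft.UpdateServices.Administration.ApprovedStates]::LatestRevisionApproved
$scope.FromArrivalDate = (Get-Date).AddDays(-7)

$wsus.GetUpdates($scope) |
    Where-Object { $_.HasEarlierRevision } |
    Select-Object Title,
        @{ Name = 'KB';       Expression = { $_.KnowledgebaseArticles -join ',' } },
        @{ Name = 'Revision'; Expression = { $_.Id.RevisionNumber } },
        ArrivalDate |
    Sort-Object ArrivalDate -Descending
```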
Thankfully, this was a fairly benign issue with a simple fix (in our environment at least). I’m thankful it wasn’t something more disruptive that prompted me to check my update settings.
Update 2:28 PM CST: Rod Trent asked on Twitter if anyone was seeing KB3001652 offered again today, so I checked WSUS. Microsoft is now offering a new revision (204) of that patch. Haven’t tested it out, but I’m hopeful it resolves the issue with the last one.
Update 5:25 PM CST: I tested a couple of PCs that had issues with the update, and with this new revision it installed successfully and without a reboot.