question

DavidHenderson-2743 avatar image
0 Votes"
DavidHenderson-2743 asked DavidHenderson-2743 answered

Windows 10 Cumulative Updates requiring previous updates as a prerequisite, KB5003173, SSU not included in current updates.

Since KB5003173 was release in May there has been an issue with current CU not including the required SSU to be installed.

Is this going to be fixed in upcoming updates? This is an issue because current updates supersedes this update but they cannot be installed as the SSU in the May update is a pre-requisite.

This is creating issues for organizations that use WSUS as current updates are downloaded to client machines from the WSUS server and fail to install because the SSU version is incorrect.

If an update is cumulative it need to include the SSU update required to install itself.

Articles for reference on the issue.

https://redmondmag.com/articles/2021/06/24/windows-security-patch-blocked.aspx
https://techcommunity.microsoft.com/t5/configuration-manager-blog/known-issue-the-june-2021-windows-10-security-update-is-reported/ba-p/2471737

windows-10-securitywindows-server-update-services
5 |1600 characters needed characters left characters exceeded

Up to 10 attachments (including images) can be used with a maximum of 3.0 MiB each and 30.0 MiB total.

DavidHenderson-2743 avatar image
0 Votes"
DavidHenderson-2743 answered
5 |1600 characters needed characters left characters exceeded

Up to 10 attachments (including images) can be used with a maximum of 3.0 MiB each and 30.0 MiB total.

AJTek-Adam-J-Marshall avatar image
0 Votes"
AJTek-Adam-J-Marshall answered LukeM-7359 commented

I have sent an email to the MVP distro list asking for an explanation. I'll reply pointing to this thread too.

· 1
5 |1600 characters needed characters left characters exceeded

Up to 10 attachments (including images) can be used with a maximum of 3.0 MiB each and 30.0 MiB total.

We are also seeing this in our environment, the May CU for Windows 10 20H2 is required before the July update will install, however the July update is marked as superceding the May update, and many of our clients are no longer seeing the May update as required, and simply error out trying to load the July update.

0 Votes 0 ·
RitaHu-MSFT avatar image
0 Votes"
RitaHu-MSFT answered DavidHenderson-2743 commented

@DavidHenderson-2743
Thanks for your posting on Q&A.

What is the version of the clients in your environment? The clients tried to install the KB5003173 but it shown that the update isn't applicable for the computer. Am I right?


I tested it in my lab environment. The windows version is windows 10 2004. I tried to install the KB4598481 then I installed the KB5003173 successfully.
121558-snipaste-2021-08-09-14-29-46.png

In my opinion, the SSU is integrated into the latest CUs in Windows 10 2004 and the later. There is no need to approve the SSUs for the windows 10 2004 and the later versions.
121532-1.png

Hope the above will be helpful. Thanks for your time.

Regards,
Rita


If the response is helpful, please click "Accept Answer" and upvote it.
Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.


1.png (11.1 KiB)
· 1
5 |1600 characters needed characters left characters exceeded

Up to 10 attachments (including images) can be used with a maximum of 3.0 MiB each and 30.0 MiB total.

I am working with 20H2, using WSUS to distribute updates.

The issue is recent Cumulative Updates require the SSU update in the May CU KB5003173 to be installed.
Current Cumulative updates supersedes previous updates.
When clients attempt to update to the current update they receive error 0x80242017.

If you have a client that is behind on updates for any number of reasons, new install, recently updated to feature update, or offline for another reason and it scans against WSUS for updates it will see the current CU from July, on installation attempt it will fail. The May CU is also approved, but the July update supersedes this update so the client will only attempt to install the July update.

0 Votes 0 ·
RitaHu-MSFT avatar image
0 Votes"
RitaHu-MSFT answered RitaHu-MSFT converted comment to answer

@DavidHenderson-2743
Thanks for your feedback.

According to this link, we have to install the May 11, 2021 update (KB5003173) before we install the latest cumulative update:
121844-8.png

Please try to install the KB5003173 Cumulative Update first and then we could try to install the latest Cumulative Update.

Note that we may need to install KB4598481 before installing the KB5003173 due to my lab test.

In additioin, I found a related link for your reference.

Hope the above will be helpful.

Regards,
Rita


If the response is helpful, please click "Accept Answer" and upvote it.
Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.


8.png (6.9 KiB)
· 1
5 |1600 characters needed characters left characters exceeded

Up to 10 attachments (including images) can be used with a maximum of 3.0 MiB each and 30.0 MiB total.

I am aware of the prerequisite, but that is the problem.
When using WSUS to distribute updates it is not possible to require an update that is superseded without marking the newer updates as Not Approved.
This is an issue when you have no way of targeting devices that need this pre-requisite while also providing the current update.

0 Votes 0 ·
AJTek-Adam-J-Marshall avatar image
0 Votes"
AJTek-Adam-J-Marshall answered

KB5005260 was released as an SSU Update.

Method 3: Windows Server Update Services

This update is also available through Windows Server Update Services (WSUS).

https://support.microsoft.com/en-us/topic/kb5005260-servicing-stack-update-for-windows-10-version-2004-20h2-and-21h1-august-10-2021-ec4c5daa-2cec-4b06-be93-037f150fe3ba

5 |1600 characters needed characters left characters exceeded

Up to 10 attachments (including images) can be used with a maximum of 3.0 MiB each and 30.0 MiB total.

RitaHu-MSFT avatar image
0 Votes"
RitaHu-MSFT answered RitaHu-MSFT edited

@DavidHenderson-2743
In my opinion, whether the clients download and install the updates depend on the Windows Update Agent. It has nothing to do with WSUS role. Please try to approve the KB5003173 for the clients first.

In addition, I tested it in my lab environment. Here are the screenshots for your reference:
The KB5003173 shown Declined on the WSUS console:
122265-10.png

But I tried to approve it for the windows 10 2004 client. I'm sorry that there is no such windows 10 20h2 client for test. But the windows 10 2004 client downloaded and installed the update successfully:
122272-14.png

122255-15.png

Regards,
Rita


If the response is helpful, please click "Accept Answer" and upvote it.
Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.


10.png (42.5 KiB)
14.png (25.2 KiB)
15.png (27.3 KiB)
5 |1600 characters needed characters left characters exceeded

Up to 10 attachments (including images) can be used with a maximum of 3.0 MiB each and 30.0 MiB total.