Microsoft released a large number of security updates for Windows and Exchange on February 14, 2023. However, mistakes were made with some of these updates, and the wrong update packages were delivered via Windows Update, WSUS or the downloads. Some administrators did not get the updates for Windows Server 2022 and Windows 11 22H2 in WSUS. Other administrators had problems with Exchange because the wrong package was distributed. For Windows 7, WSUS is offering outdated updates. Here's a quick rundown of what went wrong.
WSUS glitch with updates
Microsoft has "laid a rotten egg" for its administrators in several places with WSUS (Windows Server Update Services). I summarize the issues here as an overview for administrators.
Updates for Windows 11 22H2/Server 2022 missing
Last night Microsoft posted a new entry, "WSUS might not offer updates to Windows 11, version 22H2", in the Known Issues section of the Windows 11 22H2 Release Health status page (colleagues here noticed it).
Updates released on or after February 14, 2023, may not be offered by some Windows Server Update Services (WSUS) servers for Windows 11, version 22H2. The updates are downloaded to the WSUS server but may not be pushed to client devices.
Only WSUS servers running Windows Server 2022 that have been updated from Windows Server 2016 or Windows Server 2019 are affected.
This issue is caused by the accidental removal of the required Unified Update Platform (UUP) MIME types during the upgrade to Windows Server 2022 from a previous version of Windows Server.
This issue can affect security updates or feature updates for Windows 11, version 22H2. Microsoft Configuration Manager is not affected by this issue.
To fix this issue, administrators can manually add the deleted MIME types (see the Techcommunity article "Adding file types for Unified Update Platform on premises" dated Sept 8, 2022).
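The fix described above, as an added PowerShell example (not code from this page or from Microsoft's article): it checks the WSUS IIS site for the two UUP file types named in the Techcommunity article, `.msu` (`application/octet-stream`) and `.wim` (`application/x-ms-wim`), and adds whichever is missing. The site name `WSUS Administration` and the function name `Repair-UupMimeType` are assumptions; adjust the site name if WSUS is hosted in a different IIS site.

```powershell
# Added example: audit and restore the UUP MIME maps on a WSUS server.
# Assumptions: WSUS runs in the IIS site "WSUS Administration" and this is
# executed in an elevated PowerShell session on the WSUS server itself.
Import-Module WebAdministration

$SiteName = 'WSUS Administration'   # assumption: default WSUS site name
$Required = [ordered]@{
    '.msu' = 'application/octet-stream'
    '.wim' = 'application/x-ms-wim'
}

function Repair-UupMimeType {
    [CmdletBinding(SupportsShouldProcess)]
    param([string]$Site = $SiteName)

    $psPath = "IIS:\Sites\$Site"
    if (-not (Test-Path $psPath)) {
        throw "IIS site '$Site' not found; pass the site that hosts WSUS via -Site."
    }
    foreach ($ext in $Required.Keys) {
        # Effective configuration for the site, including inherited server-level maps
        $filter  = "system.webServer/staticContent/mimeMap[@fileExtension='$ext']"
        $current = (Get-WebConfigurationProperty -PSPath $psPath -Filter $filter `
                        -Name mimeType -ErrorAction SilentlyContinue).Value
        if ($current -eq $Required[$ext]) {
            $state = 'Present'
        } elseif ($current) {
            $state = "Mismatch ($current)"   # report only, never overwrite silently
        } elseif ($PSCmdlet.ShouldProcess("$Site $ext", "Add MIME type $($Required[$ext])")) {
            Add-WebConfigurationProperty -PSPath $psPath `
                -Filter 'system.webServer/staticContent' -Name '.' `
                -Value @{ fileExtension = $ext; mimeType = $Required[$ext] }
            $state = 'Added'
        } else {
            $state = 'Missing'               # -WhatIf run: nothing was changed
        }
        [pscustomobject]@{ Site = $Site; Extension = $ext; State = $state }
    }
}

# Audit only; rerun without -WhatIf to add the missing entries.
Repair-UupMimeType -WhatIf
```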
Windows 7: WSUS shows old updates
German blog reader R.S. points out in this comment that Microsoft has probably changed its meta descriptions for Windows 7 patches:
Addendum: In WSUS on 2/9/2023 all Windows 7 rollups from September 2022 were offered again.
Even with Windows 7 without WSUS, it finds these rollups when searching for updates if Bypass ESU v12 is installed.
Even if they are already installed, they are offered again with release date 9.2.2023.
Here, for example, the update KB5017361, which originally appeared in September 2022, has popped up again with the date 2023-02.
Microsoft seems to roll out the old updates once again, but the reason is unknown.
What else is noticeable: When rebooting after installing the February updates for Win 7 Embedded, the usual counting up to 30% before shutdown and the counting up from 30% to 100% after reboot is missing.
If anyone else is affected, just keep it in mind. Gerold pointed out here a statement from aboddi86:
For whatever reason, MS expired "2022-09 Security Monthly Quality Rollup (KB5017361)" for Windows 7 (regular client); it's the only one expired (so far).
This breaks the metadata supersedence chain, i.e. for 2022-8 Rollup (KB5016676) you see now it's not replaced by any newer Rollups (link to the update catalog, which I am leaving out). But because all Rollups are connected to each other by CBS package name "Package_for_RollupFix", 2022-8 Rollup (KB5016676) is automatically marked as superseded when newer rollup(s) is installed. This causes the old updates superseded by metadata of 2022-8 Rollup (KB5016676) and older rollups (but not newer rollups) to show up in WU. Just ignore or hide those old updates (or even install them, they have no effect and all are replaced).
Microsoft Exchange receives old update
I had reported in the German blog post Exchange Server Sicherheitsupdates (14. Februar 2023) about the security updates for February 2023. In the comments, cram wrote that he was getting build number 15.01.2507.018 displayed on Microsoft Exchange 2016 CU23 after the update installation, even though 15.01.2507.021 was intended. Blog reader Markus then pointed out in this comment that Microsoft shipped the wrong package:
They must have packaged the wrong package :(.
I specially left out the part that causes the mess with the services and directly released the new one, and then the old one is inside …
I guess you have to download it manually if you want it directly.
German blog reader Thomas Z. also stumbled upon the problem and sent me the following mail:
Yesterday ran the Exchange Update 2016-CU23 right away. Shows:
Today the update started again. Same KB. At M$ I then find that there is, however, a new update 15.01.2507.021. The version 15.01.2507.018 has disappeared …
It's worse, what Microsoft is doing here, but we have to live with it.
Thanks to the readers and to Thomas for the comments. Thomas would have found nk's comment in my blog post Exchange Server Sicherheitsupdates (14. Februar 2023). Microsoft employee Nino Bilic confirmed the bug in a comment in the Techcommunity post on Exchange security updates:
"I added a note to the blog now on this but: Windows Update is currently delivering a later version of January 2023 update. This is going to be addressed shortly. Then later today, Windows Update will get the actual February 2023 update bits so there will be another February update for customers who are getting updates from Windows / Microsoft Update. Yes, mistakes were made, but your server is not in an unknown state and will get back on track once new builds are available and are installed (but this will be a new update installation, yes) and then Health Checker will show it all updated."
In the meantime Microsoft has fixed this and ships the right patch to WSUS.
Microsoft Security Update Summary (February 14, 2023)
Patchday: Windows 10 Updates (February 14, 2023)
Patchday: Windows 11/Server 2022 Updates (February 14, 2023)
Windows 7/Server 2008 R2; Server 2012 R2: Updates (February 14, 2023)
Patchday: Microsoft Office Updates (February 14, 2023)
Exchange Server Security Updates (February 14, 2023)
Windows Server 2022: February 2023 Patchday and the ESXi VM Secure Boot Issue
This is NOT fixed. We just deployed the CU security update to our first Exchange server delivered by WSUS and it is in a broken state.
The installation failed with:
Windows failed to install the following update with error 0x80070643: Security Update For Exchange Server 2016 CU23 (KB5023038)
More than half the services do not start and we cannot either roll back or re-install the update. We are considering a restore of the VM. Please can anyone advise what the latest advice is from MS, or has anyone been able to fix a broken update?