Outdated patches being flagged out by offline WSUS scan

Hi all, I currently have a Win 2008 R2 server in my environment.

As it is an isolated environment with no internet access, I have been patching the server manually through the WSUS export/import process.

I understand that it has already been declared end of life by Microsoft early this year.

So to completely declare my server is free from any further updates, I ran the offline scan (Scan-UpdatesOffline.ps1). The script flags that I am missing these 2017 patches although I have the Jan 2020 security updates installed.

[Screenshot: WaynerH_0-1597083221129.png]

Tried to install them manually but the installation keeps failing.

Is there any way to know whether it is safe to ignore them as a false positive so I can let my higher-ups know?

And are the CVEs that come with them fixed by the Jan 2020 security updates?

Thank you

3 Replies
Why do you think they are outdated?
Unless you installed the big rollup KB3125574, all those updates are still applicable.

@abbodi1406

Firstly, thanks for the reply.

I think it's outdated because I already have the latest 2020 updates installed on my machine.

KB3125574 was installed on my machine, so the updates are no longer applicable?

[Screenshot: Installed.jpg]

May I know where you got this information from?

Can you share it with me?

@WaynerH Windows 7 / S2008 R2 still require updates that go back to 2012

yes, KB3125574 replaces them all on the contained components level (verified myself)

unfortunately, Microsoft have/had a rule regarding metadata supersedence: optional or quality updates do not replace security updates

that's why you don't see in the MU catalog that KB3125574 replaces them

I cannot provide you with solid evidence of this
however, KB3125574 actually lives up to the info mentioned in its KB article
https://support.microsoft.com/en-us/help/3125574
meaning, it does replace all post-SP1 updates, except the hotfixes listed explicitly (IE updates are exempted of course)
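
Added example, not part of any post in this thread and not the Scan-UpdatesOffline.ps1 script itself: a PowerShell report that lists what an offline Windows Update Agent scan flags as missing, next to whether the rollup KB3125574 is recorded as installed, so the flagged items can be documented for review. The catalog file name and path (`wsusscn2.cab` under `C:\Temp`) are assumptions; the scan reads update metadata only, so it shows metadata applicability and cannot show the component-level replacement described in the reply above.

```powershell
# Added example. Assumption: the offline scan catalog was copied to this path.
param([string]$CabPath = 'C:\Temp\wsusscn2.cab')

$rollupKb = 'KB3125574'   # the rollup named in the thread

# Is the rollup recorded as installed on this machine?
$rollup = Get-HotFix -Id $rollupKb -ErrorAction SilentlyContinue
$rollupInstalled = [bool]$rollup

# Register the offline catalog as a scan source (Windows Update Agent COM API).
$manager = New-Object -ComObject Microsoft.Update.ServiceManager
$service = $manager.AddScanPackageService('Offline Sync Service', $CabPath, 1)

$session  = New-Object -ComObject Microsoft.Update.Session
$searcher = $session.CreateUpdateSearcher()
$searcher.ServerSelection = 3                  # ssOthers: use the ServiceID below
$searcher.ServiceID       = $service.ServiceID

# Everything the catalog metadata considers applicable and not installed.
$result = $searcher.Search('IsInstalled=0')

$report = foreach ($u in $result.Updates) {
    # New-Object PSObject keeps this usable on PowerShell 2.0 (2008 R2 default).
    New-Object PSObject -Property @{
        KB              = ($u.KBArticleIDs | ForEach-Object { "KB$_" }) -join ','
        Title           = $u.Title
        Severity        = $u.MsrcSeverity
        Categories      = ($u.Categories | ForEach-Object { $_.Name }) -join '; '
        RollupInstalled = $rollupInstalled
    }
}

"{0} recorded as installed: {1}" -f $rollupKb, $rollupInstalled
"Updates flagged by offline scan: {0}" -f $result.Updates.Count

$report |
    Select-Object KB, Severity, Categories, RollupInstalled, Title |
    Sort-Object KB |
    Format-Table -AutoSize -Wrap

# Remove the temporary scan service so it does not linger in the agent config.
$manager.RemoveService($service.ServiceID)
```

Run it from an elevated prompt; the `Categories` column separates security updates from other classifications, which is the distinction the supersedence rule quoted in the reply turns on.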