What is the latest ABB verified cumulative security update for Win10 LTSB2016 and Server 2016 (5th April 2019)

I'm setting up new 800xA system (6.0.3.2).

I have installed Windows 10 Enterprise LTSB 2016 (1607) on the clients, and Windows Server 2016 on the servers. I'm looking to install the latest cumulative security update from Microsoft before I start the Node Prep.

The table for Win10 1607 updates published by Microsoft (which covers both Win10 LTSB 2016 and Server 2016) shows the most recent KBs (below, I have listed the most recent first), and I've added the comment for each taken from the 3BSE041902_OO ABB Third Party Update Validation document by ABB (20th March 2019):

KB4489889 (19/03/2010) - <Not tested by ABB at time of publishing validation document>
KB4489882 (12/3/2019) - "is not qualified for 800xA due to Microsoft known issues"
KB4487006 (19/2/2019) - "Not applicable as superseded by 4489882"
KB4487026 (12/2/2019) - "is not qualified for 800xA due to Microsoft updated known issues"
KB4480977 (17/1/2019) - <not mentioned in ABB validation document>
KB4480961 (8/1/2019) - "Not qualified for 800xA. This update has known issues from Microsoft. (Our test environment foes not provide conditions that our customer may have for symptoms of issues from Microsoft.)"
KB4483229 (19/12/2018) - "Released on Dec 19th 2019. Superseded updates have been qualified"
KB4471321 (11/12/2018) - "Not approved for 800xA due to potential impact of known issues reported in Microsoft KB"
KB4478877 (3/12/2018) - <not mentioned in ABB validation document>
KB4467684 (27/11/2018) - <not mentioned in ABB validation document>
KB4467691 (13/11/2018) - "Not approved on 800xA on Windows Server 2016 due to potential impact of known issues reported in Microsoft KB"
KB4462928 (18/10/2018) - <not mentioned in ABB validation document>
KB4462917 (9/10/2018) - "Prerequisite KB4132216 [an SSU update] is qualified"
KB4457127 (20/9/2018) - <not mentioned in ABB validation document>
KB4457131 (11/9/2018) - Approved

My interpretation of the information above is that the most recent approved updates are:

Server 2016 - KB4457131 from the 11th of September 2018. Now nearly 7 months old.
Windows 10 LTSB 2016 - KB4467691 from the 13th of November 2018. Now nearly 5 months old.

Can someone confirm that these are the correct cumulative security updates for me to use, and that none of the newer updates are applicable for use with 800xA?

Comments (7) New comment

by T.Walker Rank: 3505 on 4/4/2019 11:03:12 PM | Like (0) | Report

I note that there is a similar question from 9 days ago that seems to have been misunderstood, and was never satisfactorily answered. I did not find this in my search prior to posting my question here.
https://forum-controlsystems.abb.com/20207474/2016-MS-Security-Patches-not-approved-by-ABB-since-2018-11

by jesperkl Rank: 100 on 4/5/2019 12:11:38 AM | Like (0) | Report

Hi Walker, It was me that asked the initial question. I think ABB has an explanation problem why MS-Security updates is not longer getting approved.

by backdraft AKS expert

Rank: 22 on 4/5/2019 1:14:31 AM | Like (0) | Report

I think it is related to a known issue with MSXML6, but please refer the Microsoft KB for each case. If you want an official answer I propose to contact your ABB Representative or Service Contact.

by Stefan Stromqvist AKS expert

Rank: 1 on 4/5/2019 11:46:55 AM | Like (0) | Report

@backdraft: Amen!
@OP + Jesper: I have forwarded your questions internally. I hope to receive some answers shortly.

If MS says "known problems exist", shall ABB anyway say "OK" then?

Off topic: we have had a few sites where MS Trusted Installer pegs the CPU 100%, up to a couple of hours *after* installing QSU and rebooting. This has caused disturbances for the HMI (having servers pegged to 100% + interruptions when TiWorker perform "executive" changes.

Seems like an update must be followed by some hours with the targeted machines in "quarantine" until the coast is clear...

E.g. by having the ABB Service Manager Service (in Windows Control Panel-->Services) set for MANUAL (instead of the normal AUTOMATIC) mode will prevent a rebooted server from joining the HMI services.

Is it required to call 1-800-MICROSOFT for each KB and ask "Does this KB trigger TiWorker.exe" to eat all of my CPU or not?

by T.Walker Rank: 3505 on 4/7/2019 4:45:58 PM | Like (0) | Report

@backdraft thanks for the potential insight with MSXML6.

@Stefan Stromqvist, thank you for forwarding the question.

If there are demonstrable issues where every one of the recent MS security updates interferes with the correct operation of 800xA, I'm happy that ABB would mark those updates as unsuitable. I would hope that in those cases feedback is provided to Microsoft, to resolve issues on their end, or that ABB is working to update 800xA itself to work with the OS updates... otherwise we as end users will eventually find ourselves in a position where it's impossible for us to have a 'secure' system.

Also, directing end users to "refer to the Microsoft KB for each case" may not be particularly useful advice in many cases. I can definitely read the list of known issues... but how do I know which one (if any) impacts 800xA? That's the information I was hoping to get out of the 3BSE041902_OO ABB Third Party Update Validation document.

The reason I raised this question is that the existing ABB Update Validation document has no real detail on why these updates were not accepted by ABB, or in some cases don't even list the cumulative update at all. If the best answer at the moment is that the September and November updates I highlighted in my original post are the most recent updates recommended for use, then I will move forward at that patch level until new updates are approved in the future.

by Stefan Stromqvist AKS expert

Rank: 1 on 4/8/2019 10:19:19 AM | Like (0) | Report

I got some minor feedback saying that if MS says "known problems", ABB will not go ahead and pass that KB as "qualified".

The matter is complex since the "MS known" issue might not strike unless certain parameters are met. The current format of the QSU document does not permit giving detail on "OK if this, not OK if that, etc. for every possible permutation.

I hear your pain; I suggest that you ask your regional ABB sales representative to submit a "CCRP", Customer Complaint Resolution Program. A CCRP draws management attention.

by T.Walker Rank: 3505 on 4/8/2019 4:33:45 PM | Like (0) | Report

Thanks Stefan.

I appreciate you taking the time to follow that up. It definitely is a complex situation, and I understand why validation is difficult, especially when certain known issues may only apply to components like the IM, or specific connectivities.

I will look into submitting a CCRP.

Add new comment