suit - honeywell€¦ · server 2016. .....43 3.7.6 known issue: on certain scenarios installing ms...

SUIT

APRIL 2020

SUIT ISO User Guide

APRIL 2020

2

DISCLAIMER

This document contains Honeywell proprietary information.

Information contained herein is to be used solely for the purpose submitted, and no part of

this document or its contents shall be reproduced, published, or disclosed to a third party

without the express permission of Honeywell International Sàrl.

While this information is presented in good faith and believed to be accurate, Honeywell

disclaims the implied warranties of merchantability and fitness for a purpose and makes

no express warranties except as may be stated in its written agreement with and for its

customer.

In no event is Honeywell liable to anyone for any direct, special, or consequential damages.

The information and specifications in this document are subject to change without notice.

Copyright 2020- Honeywell International Sàrl

SUIT ISO December 2019 3

Table of contents

1 ABOUT THIS GUIDE ......................................................................................................................................... 5

1.1 Support and other contacts ............................................................................................................................... 5

1.2 Symbols and definitions ..................................................................................................................................... 6

1.3 Scope ............................................................................................................................................................................ 7

1.4 Revision history ....................................................................................................................................................... 8

1.5 Intended audience .............................................................................................................................................. 14

1.6 Related documents ............................................................................................................................................ 14

2 INTRODUCTION ............................................................................................................................................. 16

2.1 Overview ................................................................................................................................................................... 16

2.2 Supported HPS Products ................................................................................................................................ 16

2.3 Honeywell Recommendation ........................................................................................................................ 19

3 UPDATE MANAGER ..................................................................................................................................... 21

3.1 supported products ............................................................................................................................................ 21

3.2 Checking for Available Updates ................................................................................................................... 33

3.3 Validating Security Updates ........................................................................................................................... 37

3.4 Validating Non-Security Updates ............................................................................................................... 37

3.5 Validating Latest ISO ......................................................................................................................................... 38

3.6 Viewing ISO Configuration File ..................................................................................................................... 39

3.7 Known Issues and Workarounds .................................................................................................................. 40

3.7.1 Known Issue: Updates fail to install due to USB lockdown enabled. Ex: KB982018, KB2775511 ......................................................................................................................................................................... 40

3.7.2 Known Issue: SUIT ISO DVD is taking hours to deploy when a system has WSUS, but the user wants to use the SUIT ISO to align the system. ...................................................................... 41

3.7.3 Known Issue: DVM R500/R600/R620 and EBI R430 ................................................................... 43

3.7.4 Known Issue: SUIT ISO failed on RAE node ......................................................................................... 43

3.7.5 Known Issue: DVM R600/R620/700 and EBI R500/600 On Windows 10/Windows Server 2016. ........................................................................................................................................................................ 43

3.7.6 Known Issue: On certain scenarios installing MS update using Dec 2019 ISO may cause OS crash. ................................................................................................................................................................. 44

3.7.7 Known Issue: ELCN Nodes get stuck in LOC_LOAD after installing Security Update Nov ‘19 or later. .................................................................................................................................................................. 44

3.7.8 Known Issue: Microsoft Security Update September ’19 ->Jan ‘20 might cause a memory leak in Experion Station on Experion R43x and R5xx. ................................................................ 45

3.7.9 Known Issue: KB3125574 install failed on Windows Server 2008 R2 and Windows 7 using August 2019 ISO or later ............................................................................................................................. 46

4 TERMS AND DEFINITIONS ......................................................................................................................... 49

5 NOTICES.......................................................................................................................................................... 50

ABOUT THIS GUIDE


ABOUT THIS GUIDE


1 About this guide

This guide provides information about using ISO and to keep system updated with latest

available/qualified Security/Non-Security updates.

ATTENTION

It is highly recommended that a user completely understands and

exercises precautions published in this document before using the ISO

for installation of Security and Non-Security hot fixes.

1.1 Support and other contacts

Country Contact Phone MAIL/EMAIL FASCIMILE

USA Honeywell

Solution

Support

Center

1-800-822-7673

(outside Arizona)

602313-5558(in

Arizona)

Honeywell TAC, MS L17 1860

W. Garden Lane Phoenix, AZ,

85027 USA

1-973-455-

5000

Europe Honeywell

TACEMEA

+32-2-728-2732 TAC-BE02

Hermes Plaza Hermeslaan, 1H

B-1831 Diegem, Belgium

+32-2-728-

2696

Pacific Honeywell

Global TAC

– Pacific

1300-364-822 (toll

free within Australia)

+61-8-9362-9559

(outside Australia)

Honeywell Limited Australia 5

Kitchener Way

Burswood 6100, Western/

[email protected]

+61-8-

9362-9564

India Honeywell

Global

TAC-India

+91-20-6603-9400 Honeywell Automation India

Limited 56 and 57 Hadapsar

Industrial Estate,

Hadapsar, Pune-411013-

Pune/ India Global-TAC-

[email protected]

+91-20-

6603-9800

Korea Honeywell

Global TAC

– Korea

82-2-799-6317 (toll

free within Korea)

Honeywell Co., Ltd 4F,

Sangam IT Tower

1590, DMC Sangam-dong,

Mapo-gu Seoul, 121-835,

Korea/

Global-TAC-

[email protected]

+82-2-792-

9015

mailto:[email protected]





ABOUT THIS GUIDE


Country Contact Phone MAIL/EMAIL FASCIMILE

China Honeywell

Global TAC

– China

+86- 21-2219-6888

800-820-0237

400-820-0386

Honeywell (China) Co., Ltd

33/F, Tower A, City Center, 100

Zunyi Rd. Shanghai 200051,

People’s Republic of

China/

Global-TAC-

[email protected]

Singapore Honeywell

Global TAC

– South East

Asia

+65-6580-3500 Honeywell Private Limited

Honeywell Building

17, Changi Business Park

Central 1 Singapore 486073/

[email protected]

+65-6580-

3501

+65-6445-

3033

Taiwan Honeywell

Global TAC

– Taiwan

+886-7-536-2567 Honeywell Taiwan Ltd.

17F-1, No. 260, Jhongshan 2nd

Road. Cianjhen District

Kaohsiung, Taiwan,

ROC/

Global-TAC-

[email protected]

+886-7-

536-2039

Japan Honeywell

Global TAC

– Japan

+81-3-6730-7160 Honeywell Japan Inc.

New Pier Takeshiba, South

Tower Building,

20th Floor, 1-16-1 Kaigan,

Minato-ku, Tokyo 105-0022,

Japan

Global-

[email protected]

+81-3-

6730-7228

1.2 Symbols and definitions

The table below describes the symbols and their definitions that are used across in this

document.

Symbols Definitions

NOTE: Identifies advice or hints for the user, often in terms of

performing a task.

ATTENTION: Identifies information that requires special

consideration.








ABOUT THIS GUIDE


1.3 Scope

• This document is expected to guide a user to keep systems updated with the latest

Microsoft Security/Non-Security updates qualified by Honeywell for the supported

HPS products that are released to market.

• Microsoft Security/Non-Security updates are re-distributed as a standard ISO

which has a tool embedded, Update Manager, designed to manage the

Security/Non-Security updates for the supported HPS product nodes.

• The document also provides information on the HPS product nodes which are

assigned with a unique node ID, used by the Update Manager to identify the node.

• The document describes the various recommendation standards followed by

Honeywell to help a user to understand the importance of recommendations which

Honeywell provides to all the security updates.

• The recommendations are provided in the datasheets of all the security updates

bundled in the ISO. The datasheets can be accessed from the Honeywell On Line

Support OLS.

• Though Honeywell provides a recommendation for all the security

updates,Honeywell would not account for any consequences if a user is at his/her

own discretion to override the recommendation provided.

ATTENTION

Regardless of the approach taken to update systems with Microsoft

Security/Non-Security updates, Honeywell disclaims the

consequences of overriding the recommendation associated with all

Security/Non-Security updates.

• This document also deals with the security update install exceptions, it is

imperative for a user to visit this section to obtain a clear set of instructions, if a

security update is to be exempted from installation on any of the HPS products.

https://www.honeywellprocess.com/en-US/pages/default.aspx

ABOUT THIS GUIDE


1.4 Revision history

Revision Release Description

1.0 June 2012 Merged Update Manager User guide and

SUIT-ISO user guide, added region wise

contact details.

1.1 July 2012 ISO support for Safety Manager has been

upgraded to R133.3, R145.1 and R1501.

1.2 August 2012 ISO support for EPKS R400.3, EBR

R400.1/R410.1 and PCUS R400.1 has been

added.

1.3 September 2012 ISO support for Windows Server 2008 &

Windows Server 2008 R2 Domain

Controllers and TPA R690 has been added.

1.4 October 2012 ISO support for LS/HS R400 and PCUS

R400.1 on Windows 7 SP1 has been added.

1.5 November 2012 ISO support for RAE R610 has been added.

1.6 January 2013 ISO support for PMD R800.1, EPKS R410

RESS and SM 133.4 on XP SP3 IE6 & IE7

has been added.

1.7 February 2013 ISO support for SM 133.4 on Windows

Server 2003 & Windows 7, Plant Cruise

R100.3 and BMA R340.2/R400.1/R401.1

has been added.

1.8 March 2013 ISO support for FDM R430.1 and EBR

R410.1 on Windows Server 2008 SP2 has

been added.

1.9 April 2013 ISO support for EPKS R410.2 and RAE5.0

Update6 with EPKS R301.3 & R310.3 has

been added. Removed updates to obsolete

Operating Systems/ obsolete Windows

Components from ISO.

ABOUT THIS GUIDE



2.0 June 2013 ISO support for Plant Cruise R100.3 on

Windows 7 SP1 and DVM R500.1 has been

added.

2.1 July 2013 ISO support for BMA and RAE5 Desktop

Server with EPKS R30x, R310.x & R311.x has

been added.

2.2 August 2013 ISO support for HS R410 and vCenter Server

5.0 on Windows Server 2008 R2 SP1 has

been added.

2.3 September 2013 ISO support for EPKS R410.3 and FDM

R430.1 on x86 has been added.

2.4 October 2013 ISO support for Print a GUS has been added.

2.5 January 2014 ISO support for BMA OPBC Standalone

Client nodes and EBR R410.2 on Windows

Server 2008 R2 SP1 has been added.

2.6 March 2014 ISO support for EPKS R430.1, FDM R440.1

and SM R133.5/146.1 on Windows Server

2003 SP2 & Windows XP SP3 has been

added.

2.7 July 2014 ISO support for SM R133.5/146.1/151.4

and FSC R710.6 on Windows Server 2008

R2 SP1

2.8 January 2015 ISO support for PMD R830.1 ha`s been

added.

2.9 March 2015 Updated node ID’s information table.

3.0 April 2015 ISO support for EPKS R431, PCUS R431,

EPKS R430 & 431 Flex Server, and FDM

R450 on x86 & x64, EBR R430 and SH

R200.2 on x86 & x64 has been added.

3.1 May 2015 ISO support for FDM R440 on x86, PBM

R431.x, SM R152.1 and FSC R710.7 has

been added.

3.2 June 2015 ISO support for PCUS R430 has been added.

ABOUT THIS GUIDE



3.3 August 2015 Removed ISO support for nodes running on

Windows 2003 and XP OS. However, a

separate Phased-out-products ISO is under

progress for these nodes.

3.4 September 2015 Updated Description for Nodes with ID 181-

185

3.5 October 2015 ISO Support added for EPKS 400.8 with IE9,

PCUS 431.2 with IE9 PMD 831.1 and EPKS

410.x & 430.x combinations are added for

BMA nodes 202 to 206

3.6 December 2015 Added Sec 3.7 – Known Issues and

Workarounds

3.7 April 2016 Added Note III(a) in end of 2.2 section

3.8 May 2016 MS ISO support added for BMA nodes

217,219,220, 221,223,225,226,227,

228,230,231,232,233,234,235,236,237,238

3.9 June 2016 Added Note III(b) in end of 2.2 section

3.10 July 2016 EBR 4xx support is added, independent of IE

3.11 July 2016 ISO support added for EPKS R430.5/

R431.3/ R410.9/ R432.1 (Server A, Server B,

ESF, EST, EAPP, Flex Sever) with IE 11 and

.Net 4.5.2, EPKS 431.x Orion Console, BMA

nodes for 4xx releases, P3. Added Note IV in

the end of section 2.2

3.12 September 2016 Reframed node IDs for EPKS R410.9

/R430.5/ R431.3/ R432.1 and added

support (NONRED, SCE, EServer, EHG, EAS

and RESS) nodes. ISO Support added for DC

on W2K8 SP2 with IE 9 and W2K8 R2 SP1

with IE11 Updated the Note I (1) in section

2.2

ABOUT THIS GUIDE



3.13 October 2016 ISO support added for SM 153.3/160.x on

WIN2K8 R2, WIN 7 SP1 and HSR 430.1

(ESVRA/ESVRB/FLXSRVR) on WIN7-64bit,

HSR 430.1 (EESRV) on WIN2K8R2.

Added a known issue description and

workaround under section 3.7.

Added new SM and HSR releases entry in

HPS/Third Party Product table under

section 2.2.

3.14 November 2016 ISO support for LX R 120.1 Patch1 on

WIN2K8 R2 SP1 and Windows 7 SP1 has

been added. Removed Note III(a) in end of

2.2 section

3.15 December 2016 ISO support for FSC 710.9 and Domain

Controllers on Windows Server 2012 and

Windows Server 2012 R2 has been added

3.16 March 2017 ISO support for EPKS R500.1, PMD R900.1,

PBM R500.1, BMA R4xx nodes with IE11 &

3.17 April 2017 ISO support for RAE R700.1, BMA 400 nodes

with .Net 4.5 and Domain Controller on

Windows Server 2016 has been added.

Updated Known Issues section 3.7

3.18 June 2017 ISO support for HS R500 and EBR500 has

been added. Updated Known Issues section

3.7

3.19 July 2017 ISO support for FDM R500 has been added.

3.20 August 2017 ISO support for SM R153.4, DVM R600.1

and EBR R431.x on Windows Server 2012

has been added.

3.21 October 2017 ISO support for EPKS R505, DVM R620.1

and SM R153.5 has been added.

3.22 November 2017 ISO support for PHD R340/R321, UPS

R322/R320, DynAmo R200/R120 and AAM

R321 has been added.

ABOUT THIS GUIDE



3.23 February 2018 Added “Note VI” in page 15.

3.24 March 2018 ISO support for FSC R801.1, SM R161.1, SM

R146.2/153.5 on Win 10 and EBR R501

3.25 April 2018 ISO support for EPKS R501.x, Profit Suite

R412/R431/R442, CPM R601.x, EBI R500.1

and NAS on Windows Server 2016 &

Windows Server 2012R2 has been added.

3.26 May 2018 ISO support for PBM R501.x, RAE R701.1

has been added. Updated Known Issues

section 3.7

3.27 June 2018 ISO support for EPKS R510.x, CPM R570.x,

EBI R430.x and PA R500/R430 has been

added.

3.28 August 2018 ISO support for Safety Manager R200.2 has

been added and removed support for EPKS

R505.Updated Known Issues section 3.7

3.29 October 2018 ISO support for PMD R910.2 has been

added and Updated Known Issues section

3.7

3.30 December 2018 ISO support for EPKS R511, PHD340.X on

Windows Server 2012R2, SM 162.1, SM

200.3, FSC 801.2, Carbon black

3.31 March 2019 Information added for March SUIT ISO DVD

size.

3.32 April 2019 Added attention section for April month ISO.

ABOUT THIS GUIDE



3.33 May 2019 Added attention section for CVE-2019-0708

RDP remote code execution vulnerability

Added attention section for System slow

boot times and performance issue with

April\May ISO.Added attention section for

UM tool modifications for automated

recheck of installed updates on reboot

Added support for SPA120, FDM R511, SM

201.x, IE11 support on FDM R430, R440,

R450, R500 and R501.

3.34 June 2019 Added ISO support for LX

R500/R501/R510/R511 and PC

R500/R501/R510/R511, for HS

R500/R501/R510/R511, Skill IC 101.x

ProfitSuite R500 and CPM 602 Removed

support for ProfitSuite R412 on Windows 7

x86

3.35 July 2019 Added ISO support for SM-154.X-Win10,

VcenterSrv 6.0, EBI 500 With DVM 620, EBR

430 With SM151 and SH200

3.36 July 2019 Added ISO support for DVM R700, Carbon

Black 8.1.0, EBI R600, EBR R501 and

Process Safety Analyzer R115 Added Reboot

required check box support for rebooting the

system automatically after installing all

updates

3.37 September 2019 Added ISO support for Console stations on

all EPKS releases on Windows 2008 R2 and

Windows Server 2016

3.38 October 2019 Modified Node ID support for EPKS 511

Updated Known issues and workarounds

section to include workaround for file not

found error in DVM and EBI nodes

ABOUT THIS GUIDE



3.39

November 2019

Added ISO support for :

AAM 321 on Windows 2012 R2 and Window

server 2016, Dynamo 202 on Windows 2012

R2. SM 146, SM 153 and SM 162 on

Windows server 2016, Trace 130 on

Windows server 2016. SH 200 and 201 on

Windows 10 and Windows server 2016.

3.40

December 2019

Added ISO support for VMWare Workstation

on Windows Server 2016, EPKS R515.1 on

Windows Server 2016 and Windows 10,

FDM R511 on Windows Server 2016 and

Windows 10, SM 154.2 on Windows Server

2016 and Windows 10

3.41 February 2020 Added ISO support for vCenter Server 6.0 on

Windows 2012 R2

3.42 March 2020 Added support for SM 201.2 and SM 210.1

on Windows 10 X64. Added support for FSC

710 on Windows 10 X64. Added support for

EPKS R516 on Windows Server 2016 and

Windows 10 X64.

3.43 April 2020 Added support for QCS SE 100 on Windows

10 X64 Implemented ESU key detection

support.

1.5 Intended audience

This guide is primarily intended for Honeywell field personnel who install and configure the

product.

1.6 Related documents

The following list identifies publications that may contain information relevant to the

information in this document.

Document Name Description

Anti-Virus Software

Guidelines

This document identifies Anti-virus software certified for currently

supported Windows based HPS products along with installation and

configuration guidance.

ABOUT THIS GUIDE


Document Name Description

Anti-Virus Quick

Reference Guide

This document provides Quick information about installation and configuration of McAfee and Symantec Antivirus.

Anti-Virus Software Guidelines for Virtualization Environment

This document guides installation and configuration of McAfee MOVE

Antivirus(Agentless) in an NSX for virtualized environment.

INTRODUCTION


2 Introduction

2.1 Overview

The qualified Security/Non-Security updates are re-distributed as an ISO which is posted

at Honeywell OLS.

Qualification of the Security updates abide by Honeywell policy of supporting N, N-1 and

N-2 HPS product releases, N being the latest HPS product release available to the

customer.

Effectively, systems are updated with latest qualified Security updates using a Honeywell

proprietary application which automatically deploys all the Security updates required on

the target systems. This application is typically termed as Update Manager which is

responsible for managing the qualified updates on systems hosting various Windows

Operating Systems.

2.2 Supported HPS Products

The HPS product software must be installed on the system for Update Manager to

manage the system as the Security/Non-Security updates are qualified on various HPS

product releases. The Update Manager application cannot manage an Operating System

which does not have any of the HPS product software installed on it.

The following table describes HPS product releases which are Supported by the Update

Manager.

If a HPS product is not mentioned in the list below, then that product is not supported by

Update Manager and it is recommended to contact the local TAC for registering a request.

ATTENTION

Update Manager doesn’t support all HPS products by default, using ISO

on a product node not supported by Update Manager will not help a user

to keep system updated with latest qualified security updates.

ATTENTION

USB lockdown policy must be disabled. Kindly follow the steps described

in section 3.6 of “SUIT-ISO-USER-GUIDE.pdf” before deploying the MS

ISO updates.


INTRODUCTION


ATTENTION

Microsoft Windows 7 64bit and Windows Server 2008 R2 64bit reached End of

Extended Support on 14-Jan-2020, and general security updates are no longer

available for these operating systems. Continued access to critical security

updates is available through an active Extended Security Update (ESU)

agreement with Honeywell. Please contact your Honeywell account manager for

details.

Update Manager tool supports only those systems which have ESU key installed

in it. User will not be able to proceed with update installation if ESU key is not

installed on systems with Windows 7 and Windows Server 2008 R2 operating

systems.

HPS/Third Party Product Release

Experion R400.x, R410.x, R430.x, R431.x, R432.x, R500.x,

R501.x, R510.x, R511.x,R515.x, R516.x

Experion Small Systems LSR400, HSR400, HSR410.x, HSR 430.x, HS R500,

HS R501, HS R510, HS R511

Experion Plant Cruise R100.x, LXR120.1 Patch1, LX R500, LX R501, LX

R510, LX R511

PC R100.x, PC R120.1 Patch1, PC R500, PC R501,

PC R510, PC R511

EBR R410.x, R410.x, R430, R431, R500, R501

PCUS R400.x, R431.x

Safety Manager R133.x, R146.x, R151.x, R152.x, R153.x(3,4),

R154.X R160.x, R161.x, R162.1, R200.2, R200.3,

R201.x, R210.x

Fail Safe Controller R702, R710.x, R801.x(1,2)

Safety Historian R200.x

Digital Video Manager R500.x, R600.x, R620.1, R700.1

Enterprise Buildings Integrator R500.x, R430.x, R600.1

Pulp, Paper and Printing RAE 600, RAE 601, RAE 602, RAE 603, RAE 61X.x,

RAE 700.x, RAE R701.x and RAE R702.x, TPA 690,

PMD R800.x, PMD 830.x, PMD831.x, PMD R900.x,

PMD R910.x

Field Device Manager R410.x, R430.x on x64, R430.x on x86, R440.x on

x64, R440.x on x86, R450.x on x64 and R450.x on

x86, FDM R500, FDM R501, FDM R511

INTRODUCTION


HPS/Third Party Product Release

Procedure Analyst 500.x, R430.x

Blending Movement Automation R400.x, R401.x, R410.x, R430.x

Profit Blending & Movement R431.x, R500.1, R501.x

PHD R340, R321, R340.X

UPS R322, R320

DynAmo R200, R120, R201.x, R202.x

AAM R321

Profit Suite R431, R442, R500, R500

CPM R570.x, R601.x, R602.x

Uniformance Trace

R120.x, R130.x

Skill IC

R101.x

Domain Controller (Only with High

Security Policies)

Windows 2008 SP2, Windows 2008 R2

SP1, Windows 2012, Windows 2012 R2, Windows

2016

VCenter Server 5.0, 5.5, 6.0

Network Attached Storage Windows 2012 R2, Windows 2016

Carbon Black-8.0.0 Windows Server 2016, 64bit, No Service Pack

SPA 120 Windows Server 2016, 64bit, Windows Server 2012

R2

Process Safety Analyzer R115 Windows Server 2012 R2, 64bit, No Service Pack

NOTE

NOTE III

The following updates are “Not Applicable” for the EPKS R410.X nodes

using RS-Linx PCIC Driver on Windows 2008 R2 SP1 and will fail

installing: KB3155413 & KB2921916.

INTRODUCTION


NOTE

NOTE IV

The Optional updates are excluded from the ISO media, due to the size

constraints.

Also, the “Optional Updates” recommendation document is provided with

ISO media, where the user can download and install the necessary

optional updates based on the recommendations provided for EPKS

4xx/5xx releases.

NOTE

NOTE V

From March-17 onwards providing four ISO images. i.e.

1. ISO for HPS Products/Releases running on Windows Vista SP2,

Windows Server 2008 SP2, Windows 7 SP1-x86, and Windows

Server 2008R2 SP1 and Windows 7 SP1-x 64 operating systems.

2. ISO1 for HPS Products/Releases running on Windows Server 2016

and Windows 10x64 operating systems.

3. ISO3 for HPS Products/Releases running on Windows Server 2012,

Windows Server 2012 R2 and Windows 8.1 operating systems. ISO

supports Domain Controller on Win 2012 SP2 with IE10 and Win

2012 R2 with IE11 only.

NOTE

NOTE VI

In some cases, (for example, prerequisites for the current updates are not

installed), the Update Manager will identify prior updates to be installed,

and the user will be presented with the option to install those prior

updates and continue the installation of the current updates. In rare

instances, the Update Manager may not be able to locate the prior

updates; in these instances, the Honeywell Technical Assistance Center

(TAC) should be contacted for assistance.

2.3 Honeywell Recommendation

Honeywell provides a recommendation with every security update which is qualified and

published at the OLS in the form of datasheets. The table below shows different

recommendations provided by Honeywell and details on the connotation of each one of

them.

The recommendations are provided by Honeywell with respect to the HPS products and

this recommendation is made in the datasheets provided for every security update against

all supported HPS products. These datasheets along with the ISO image and user guide

can be obtained from the OLS.


http://www.honeywellprocess.com/


http://www.honeywellprocess.com/

INTRODUCTION


Recommendation Description

Install

Mandatory install.

This update is related directly to Honeywell software. This

update has been qualified for installation and should be installed

at the earliest convenience. Please use the installation

procedures as per the Microsoft instructions (click the link in the

Microsoft KB Article column) associated with the update.

Install-Optional

Optional install.

This update is related to approving the optional software

loaded on a node, an example of this is Microsoft Excel. This

update has been qualified for installation and should be installed

at the earliest convenience based on the existence of the

approved optional software. Please use the installation

procedures as per the Microsoft instructions (click the link in the

Microsoft KB Article column) associated with the update.

Install – Latent

Mandatory install.

This update is related to an embedded software in the OS that is

not used by Honeywell software or recommended for use (e.g.

Outlook Express) but their existence without their updates

represents a security risk. This update has been qualified for the

installation and should be installed at the earliest convenience.

Please use the installation procedures as per the Microsoft

instructions (click the link in the Microsoft KB Article column)

associated with the update.

Exception

Do not install.

This update that is not applicable to the approved Base

Honeywell Platform software implementation. Note that the

components for the update are not present in the system.

Hold Take no action until the testing is complete, and final

recommendation has been posted to OLS.

ATTENTION

A user must complete registration with the Honeywell OLS website. to

view and download the details of Update Manager from the ISO.


3 Update Manager

3.1 supported products

Node Windows SP IE Node ID

Experion R400.8 Server (ESV, eServer, EAPP, ACE

or EHG or SIM or EBR Server or RESS)

2008 2 9 1

Experion R400.8 Client (ESF, ESC, EST, ES-CE) WIN7 1 11 2

Domain Controller on Windows Server 2008 2008 2 9 3

Domain Controller on Windows Server 2008R2 2008R2 1 11 4

Experion R410.9 (Server A, Server B, ACE,

NONRED, ESC, SCE, eServer, EHG, EAS, RESS)

2008R2 1 11 5

Experion R410.9 (ESF, EST, ESC) WIN7 1 11 6

Experion R410.9 EAPP 2008R2 1 11 7

Experion R430.x (Server A, Server B, ACE,

NONRED, ESC, SCE, eServer, EHG, EAS, RESS)

2008R2 1 11 8

Experion R430.x (ESF, EST, ESC) WIN7 1 11 9

Experion R430.x EAPP 2008R2 1 11 10

Experion R430.x Flex Server WIN7 1 11 11


NONRED, ESC, SCE, eServer, EHG, EAS, RESS,

Orion console Server)

2008R2 1 11 12

Experion R431.x (ESF, EST, ESC, Orion Console) WIN7 1 11 13



Experion 432.x (Server A, Server B, ACE, NONRED,

ESC, SCE, eServer, EHG, EAS, RESS, Orion console

Server)

2008R2 1 11 16

Experion 432.x (ESF, EST, ESC, Orion console) WIN7 1 11 17

vSphere Client WIN7 1 NA 17

UPDATE MANAGER







PCUS)

2016 NA 11 20

vSphere Client 2016 NA NA 20

Experion R500.x (ESF, EST, ESC, Orion Console,

PCUS)

WIN10 NA 11 21

vSphere Client WIN10 NA NA 21

Experion R500.x EAPP 2016 NA 11 22

Experion R500.x Flex Server WIN10 NA 11 23

HSR 430.1 ESVRA/ESVRB/FLXSRVR WIN7 1 9 24

HSR430.1 eServer 2008R2 1 9 25

LX PC 120.x (Server A, Server B, SCE, eServer, Flex

Station and Direct Station)

2008R2 1 11 26

LX PC 120. x (Server A, Server B, SCE, eServer, Flex

Station and Direct Station)

WIN7 1 11 27

PMD R830.x/831.x/R900.x/R910.x DM, DM_R on

WIN2008 SP2-32 Bit

2008 2 9 28

PMD R900.x/R910.x DM, DM_R on WIN7 SP1-32

Bit

WIN7 1 11 29

Domain Controller on Windows Server 2012 2012 NA 10 30

Domain Controller on Windows Server 2012R2 2012 R2 NA 11 31

DynAMo M&R 200.x/201.x/202.x 2016 NA 11 32

Domain Controller on Windows Server 2016 2016 NA 11 33

Experion R400.x Server or ACE or EHG or SCE or

eServer or RESS (x = 2 to 7)

2008 2 8 34

RAE R700.x AV/QCS Server with EPKS R500.x 2016 NA 11 36

RAE R701.x AV/QCS Server with EPKS R501.x 2016 NA 11 36

UPDATE MANAGER



RAE R702.x AV/ QCS Server with EPKS R50X.x 2016 NA 11 36

RAE R700.x Opstn/Desktop with EPKS R500.x WIN10 NA 11 37

RAE R701.x Opstn/Desktop with EPKS R501.x WIN10 NA 11 37

RAE R702.x Opstn/Desktop with EPKS R50X.x 2016 NA 11 37

QCS – Performance CDMV R700.1 without EPKS

R500.1

WIN10 NA 11 39

EBR 500 on Windows Server 2016 2016 NA 11 40

EBR 501 on Windows Server 2016 2016 NA 11 40

Experion R400.x eApp (x = 2 to 7) 2008 2 8 41

PHD340 / R400.x 2016 NA 11 42

UPS 322+ PHD 340 clients-64Bit WIN10 NA 11 43

RAE 60X - QCS quality server 2008 2 8 45

FDM R500/R501/R511 Server/Client/RCI

Client/RCI on Windows Server 2016

2016 NA 11 46

EPKS R500.x/501.x with PBM 500.x/501.x 2016 NA 11 47

EPKS R500.x/501.x with PBM 500.x/501.x WIN10 NA 11 48

PBM 500.x/501.x - No EPKS 2016 NA 11 49

PBM 500.x/501.x -No EPKS WIN10 NA 11 50

FDM R500/R501/R511 Server/Client/RCI

Client/RCI on Windows 10 64Bit

Win10 NA 11 51

Experion HS R500/R501/R510/R511 (SRVA,

SRVB, SCADA

WIN10 NA 11 52

Experion HS R500/R501/R510/R511 EServer 2016 NA 11 53

DynAMo M&R 120.2 2012 R2 NA 11 58

Experion R400.x Client (ESF, ESC, EST, ES-CE) (x =

2 to 7)

WIN7 1 8 59

vSphere Client WIN7 1 NA 59

AAM R321 2008R2 1 9 60

UPDATE MANAGER



AAM R321 2008R2 1 11 61

PHD R321 \ R400.x 2008R2 1 11 62

UPS 320.x \ PHD 321 clients-32Bit WIN7 1 11 63

PHD R321\ R340.x \ R400.x 2012 R2 NA 11 64

UPS 320.x \ PHD 321 clients WIN8.1 NA 11 65

Experion R501.x(ServerA, ServerB, ESV-T, ACE,

ACE-T, ESC, SCE, eServer, EHG, EAS, RESS, PCUS)

2016 NA 11 66


PCUS, vSphere)

WIN10 NA 11 67

RAE 60X AV\QCS Server 2008 2 8 68

RAE 60X Opstn\ Desktop Server WIN7 1 8 70

QCS – Performance CDMV R600 WIN7 1 8 71

Network Attached Storage 2016 NA 11 73

Carbon Black-8.0.0 2016 NA 11 73

Carbon Black-8.1.0 2016 NA 11 74


Experion R501.x (Flex Server, eServer) WIN10 NA 11 76

FDM R410.1 Server on Windows Server 2008 2008 2 8 77

FDM R410.1 Server/Client/RCI/RCI Client on Win

7

WIN7 1 8 78

Plant Cruise R100.3 Server on WIN2K8 2008 2 7 79

Plant Cruise R100.3 SCE on WIN2K8 2008 2 8 81

Experion R410.1 Server (ESV, eServer, EAS, ACE,

EHG, ESC, SCE, RESS)

2008R2 1 8 82


Safety Manager R146.2/153.5/R154.x/R161.1/R200.2/R200.3/R201.x

R210.1 and Fail Safe Controller R710.x

WIN10 NA 11 84

UPDATE MANAGER



Safety Manager R200.x / 201.x / R210.1 License Server

WIN10 NA 11 84

Experion R410.1 eApp 2008R2 1 8 85



PCUS)

2016 NA 11 86


PCUS)

WIN10 NA 11

87


Experion R510.x Flex Server WIN10 NA 11 89

RAE 61X.x AV/QCS Srv on WIN2K8 R2 SP1 IE8 2008R2 1 8 93

RAE 61X.x Opstn/Desktop on WIN7 SP1 IE8 WIN7 1 8 94

RAE 61X.x Qlty Srv on WIN2K8 R2 SP1 IE8 2008R2 1 8 95

Network Attached Storage 2012 R2 NA 11 96

TPA GUS/DxM 032/005 Win7 SP1 IE8-32 Bit WIN7 1 8 97

TPA GUS 032 on Win7 SP1 IE8-64 Bit WIN7 1 8 98

TPA GUS 032 on Remote Srv Win2K8 SP1 IE8 2008R2 1 8 99

Experion LS R400 – Server, Flex and ACE WIN7 1 8 100

Experion HS R400 – Server and Flex WIN7 1 8 101

PCUS R400.1 on Win7 SP1 IE8 WIN7 1 8 102

CPM 570.x 2008R2 1 11 103

CPM 570.x on Win7 SP1 -32 Bit WIN7 1 11 104

CPM 570.x on Win7 SP1 -64 Bit WIN7 1 11 105

CPM 570.x WIN8 NA 11 106

PMD R800.x Srvr/RHS on WIN2K8 R2 SP1 2008R2 1 8 109

PMD R800.x HMI, Console on WIN7 SP1-64 Bit WIN7 1 8 110

Safety Manager R146.2/153.5/

R154.X/R162.x/R200.2/R200.3/ R201.x,R210.1

2016 NA 11 111

UPDATE MANAGER



Safety Manager R200.x / R201.x / R210.1

License Server 2016 NA 11 111

PMD R800.x DM, DM_R on WIN7 SP1-32 Bit WIN7 1 8 112

FDM R430.1/R440.1 Server on Windows Server

2008R2 SP1- 64 Bit

2008R2 1 8 113

FDM R430.1/R440.1 Server/Client/RCI/RCI Client

on Win 7 SP1-64 Bit

WIN7 1 8 114

EBR 410.1 on Win2008 SP2 IE8 2008 2 8 115

Profit Suite R442 / R501 2016 NA 11 116

Profit Suite R442 / R501 WIN10 NA 11 117

Profit Suite R442 / R501 2012 R2 NA 11 118

Profit Suite R442 2012 NA 10 119

Profit Suite R442/R431/ R501 2008R2 1 11 120

Experion R410.2/R410.3 Server (ESV, eServer,

EAS, ACE, ESC, EHG, SCE, RESS)

2008R2 1 8 121

Experion R410.2/R410.3 Client (ESF, ESC, EST,

ESCE)

WIN7 1 8 122

Experion R410.2/R410.3 eApp 2008R2 1 8 123

DVM R500.1 on Windows Server 2008 R2 IE8 2008R2 1 8 126

DVM R500.1/R600.1/R620.1 on Windows Server

2008 R2 IE11

2008R2 1 11 127

DVM R500.1 on Windows 7 SP1-64 Bit IE8 WIN7 1 8 128

DVM R500.1/R600.1/R620.1 on Windows 7 SP1-

64 Bit IE11

WIN7 1 11 129

Profit Suite R442 on Windows 7 SP1-64 Bit IE11 WIN7 1 11 130

Profit Suite R431 2008 2 9 131

DVM R500.1 on Windows 7 SP1-32 Bit IE8 WIN7 1 8 132

UPDATE MANAGER



DVM R500.1/R600.1/R620.1 on Windows 7 SP1-

32 Bit IE11

WIN7 1 11 133

Profit Suite R431 on Windows 7 SP1-32 Bit IE11 WIN7 1 11 134

EBI R500.1 Server 2012 R2 NA 11 135

EBI R500.1 Remote Point Server, Client WIN10 NA 11 136

CPM R601.x / R602.x 2016 NA 11 137

CPM R570.x / R601.x / R602.x 2012 R2 NA 11 138

Procedure Analyst R430 2008R2 1 NA 139

Procedure Analyst R430 WIN7 1 NA 140

EBI R430.x 2008R2 1 11 141

EBI R430.x/R500.1 on Win 7 SP1-64 Bit WIN7 1 11 142

EBI R430.x on Win 7 SP1-32 Bit WIN7 1 11 143

Procedure Analyst R500 WIN10 NA 11 144

Procedure Analyst R500 2016 NA 11 145

Plant Cruise R100.3 Station and SCE on Win 7

SP1

WIN7 1 8 146

System Performance Analyzer R120.1 2016 NA 11 147

System Performance Analyzer R120.1 on

WIN2K12R2

WIN2K12R2 NA 11 148

FDM R430.1/R440.1 Server/Client/RCI/RCI Client

on Win 7, 64bit

WIN7 1 11 149

BMA With EPKS R400.x Srvr -.Net 3.5 2008 2 8 150

BMA With EPKS R410.x 2008R2 1 8 151

LX PC R500 / R501 / R510 / R511 (Server A,

Server B, SCE, eServer, Flex Station and Direct

Station)

2016 NA 11 152

LX PC R500 / R501 / R510 / R511 (Server A,

Server B, SCE, eServer, Flex Station and Direct

Station)

WIN10 NA 11 153

UPDATE MANAGER



Skills Insight Immersive Competency R101.x 2016 NA 11 154

BMA with EPKS R400.x Flex -IE8 .Net 3.5 WIN7 1 8 155

BMA with EPKS R410.x WIN7 1 8 156

Standalone OBPC Server- Win2K8 SP2 IE8 2008 2 8 157

BMA with No EPKS 2008R2 1 8 158

Experion R511.1(ServerA, ServerB, ESV-T, ACE,

ACE-T, ESC, SCE, eServer, EHG, EAS, RESS, PCUS)

2016 NA 11 159

Experion R511.1 (ESF, EST, ESC, Orion Console,

PCUS,)

WIN10 NA 11 160

Experion R511.1 EAPP 2016 NA 11 161

Experion R511.1 (Flex Server, eServer) WIN10 NA 11 162

Vcenter Server 5.0 /5.5/6.0 on Win2K8 R2 SP1 2008R2 1 NA 163

Experion HS R410.1 – Server and Flex on Win 7

SP164 Bit

WIN7 1 8 164


2008 SP2-32 Bit

2008 2 8 165

FDM R430.1/R440.1 Server/Client/RCI/RCIClient

on Win 7 SP1-32 Bit

WIN7 1 8 166

Experion R430.1Server (ESV, eServer, EAS, ACE,

ESC, EHG, SCE, RESS)

2008R2 1 9 167


Experion R430.1 eApp 2008R2 1 9 169

EBR 410.2 on Win2008 R2 SP1 IE8

2008R2 1 8 170

PMD R910.X DM, DMR on WIn 10 32 bit, IE11 WIN10

NA

11 171

Standalone OBPC Client. N e t 3.5

WIN7 1 8 172

UPDATE MANAGER



BMA – No EPKS

WIN7 1 8 173

Experion R431.1Server (ESV, eServer, EAS, ACE,

ESC, EHG,

SCE, RESS)

2008R2

1 9 174

Experion R431.1 Client (ESF, ESC, EST, ES-CE)

WIN7

1 9 175

Experion R431.1 eApp

2008R2

1 9 176

Safety Manager

R133.x/R146.x/R151.x/R152.x/R153.x/SM-

154.X/ R160.x/R161.x/ R162.1/R200.2 and Fail

Safe Controller R710.x/801.1/801.2 on Win 7- 32

bit SP1

WIN7

1 NA 177

Safety Manager R146.x/R151.x/R152.x/

R153.x/ SM-154.X/ R160.x/R161.x/

R162.1/R200.2 and Fail Safe Controller

R710.x/801.1/801.2 on Win 7- 64 bit SP1

WIN7

1 NA 178

Safety Manager

R146.x/R151.x/R152.x/R153.x/SM-

154.X/R160.x/R161.x/R162.1 and Fail Safe

Controller R710.x/801.2 on Win 2K8 R2 SP1

2008R2

1 NA 179

DVM 700 Client \ Console on Windows 10 (1903

Build)

WIN10

NA 11 180

EBI 600 on Windows 10 (1903 Build) WIN10 C 11 181

BMA with EPKS R430.x 2008R2 1 9 182


BMA – No EPKS 2008R2 1 9 184

BMA- No EPKS WIN7 1 9 185

PMD R830.x/831.x Srvr/RHS on WIN2K8 R2 SP1 2008R2 1 9 186

UPDATE MANAGER



PMD R830.x/831.x HMI, Console on WIN7 SP1-64

Bit

WIN7 1 9 187

PMD R830.x/831.x DM, DM_R on WIN7 SP1-32

Bit

WIN7 1 9 188

vCenter Server 6.0 on Windows Server 2012 R2 2012R2 NA 11 189

FDM R450.1/R500 Server on Windows Server

2008R2 SP164 Bit

2008R2 1 8 190

FDM R450.1/R500 Server/Client/RCI/RCI Client

on Win 7 SP1- 64 Bit

WIN7 1 8 191

FDM R450.1/R500 Server on Windows Server

20082 SP232 Bit

2008 2 8 192

FDM R450.1/R500 Server/Client/RCI/RCI Client

on Win 7 SP1-32 Bit

WIN7 1 8 193

Safety Historian R200.2 Basic/Server on Win 7

SP164 Bit

WIN7 1 8 194

Safety Historian R200.2 Basic/Server on Win 7

SP132 Bit

WIN7 1 8 195

EBR R430.1/R431 on Win2008 R2 IE8 2008R2 1 8 196


Safety Historian R200.2 Client on Win 7 SP1-64

Bit

WIN7 1 8 198

Safety Historian R200.2 Client on Win 7 SP1-32

Bit

WIN7 1 8 199

Experion R430.1 Flex Server WIN7 1 9 200

Experion R431.1 Flex Server WIN7 1 9 201

QCS SE 100 WIN10 NA 11 202

BMA with EPKS R431.x 2008R2 1 9 203


Trace Server

2012R2

NA 11 205

UPDATE MANAGER



Trace Server

2016

NA 11 206

VMware Workstation on Windows 10 WIN10 NA 11 207

Risk Manager R150.X\160.X\170.X\171.X

NA 11 208

Enterprise Risk Manager

R150.X\160.X\170.X\171.X

2012R2 NA 11 212

EBI 500 With DVM 620 on Windows Server 2012

R2, 64bit,

WIN2K12R2 NA 11 213

EBR 430 With SM151 and SH200 ON Windows 7,

32bit, Service Pack 1

WIN7 1 11 214

EBR 430 With SM151 and SH200 ON Windows 7,

32bit, Service Pack 1

WIN7 1 11 215


BMA with EPKS R400.x SVR ERC\EBC 2008 2 9 217

DVM 700 on Windows Server 2016

2016

NA

11 218

EBI 600 Server\Client on Win10 (1903 Build) WiN10 NA

11 219

BMA - Standalone OBPC\BPC 2008 2 9 223

BMA Standalone OBPC Client Win 7 32 bit SP1,

IE11, .Net 3.5

WIN7 1 11 226

DVM R600.1/R620.1 on Windows Server 2012 R2

IE11

2012 R2 NA 11 230

DVM R600.1/R620.1 on Windows 8.1 - 64 bit WIN8 NA 11 231

BMA with EPKS R431.x 2008R2 1 11 233


BMA -No EPKS 2008R2 1 11 235

UPDATE MANAGER



BMA -No EPKS WIN7 1 11 236

Experion R515.1(ServerA, ServerB, ESV-T,

ACE, ACE-T, ESC, SCE, eServer, EHG, EAS,

RESS, PCUS)

2016

NA

11 237

Experion R515.1 (ESF, EST,ESC, orion console,

PCUS)

WIN10 NA 11 238

Experion R515.1 EAPP

2016

NA

11 239

BMA with EPKS R430.x 2008R2 1 11 240


Experion R515.1 (Flex Server, eServer)

WIN10

NA 11 242

EBR R431 on Win2012 2012 NA 10 245

EBR R500.1 on Win2008 R2 IE11 2008R2 1 11 246

EBR R500.1 on Win2K12 2012 NA 11 247

PSA R115 on Windows Server 2012 R2 IE11 2012 R2 NA 11 248

BMA With EPKS R410.x 2008R2 1 11 250

BMA With EPKS R410.x Win7 1 11 251

Experion R516.1 (ServerA, ServerB, ESVT, ACE,

ACE T, ESC, SCE, eServer, EHG, EAS, RESS, PCUS)

2016 NA 11 252

Experion R516.1(ESF, ESC, EST, Orion Console,

PCUS)

WIN10 NA 11 253

Experion R516.1 EAPP 2016 NA 11 254

Experion R516.1 (Flex Server, eServer) WIN10 NA 11 255

BMA with EPKS R432.x 2008R2 1 11 256


RAE 61X.x AV/QCS Srv on WIN2K8 R2 SP1 IE11

(EPKS 410.x)

2008R2 1 11 261

UPDATE MANAGER



RAE 61X.x Opstn/Desktop on WIN7 SP1 IE11

(EPKS410.x)

WIN7 1 11 262


2008R2 SP1- 64 Bit, IE11

2008R2 1 11 264

FDM R430.1/R440.1 Server/Client/RCI/RCIClient

on Win 7 SP1-32 Bit, IE11

Win 7 1 11 265

FDM R450.1/R500/R501 Server on Windows

Server 2008R2 SP164 Bit, IE11

2008R2 1 11 266

FDM R450.1/R500/R501 Server/Client/RCI/RCI

Client on Win 7 SP1-64 Bit, IE11

WIN7 1 11 267

FDM R450.1/R500/R501 Server/Client/RCI/RCI

Client on Win 7 SP1-32 Bit

WIN7 1 11 268

Windows 2008 operating system WIN8 1 11 269



Windows 2008R2 operating system 2008R2 1 11 272

Windows Server 2012 operating system Windows

Server 2012

1 11 273

Windows 8.1 operating system Windows

8.1

NA 11 274

Windows Server 2012 R2 operating system Windows

Server 2012

R2

NA 11 275

Windows 10 operating system Windows 10 NA 11 276

Windows Server 2016 operating system Windows

Server 2016

NA 11 277

3.2 Checking for Available Updates

As mentioned above, when the ISO is mounted on a target system, the Update Manager

invokes the following window.

UPDATE MANAGER


A left click on Check All Updates would enable the Update Manager to read the

configuration file from the local directory and parse the information to determine a list of

Security/Non-Security updates that have been qualified for a particular node. Additionally,

the Update Manager checks whether the updates have already been installed on the

system.

If the updates are not installed, they are included in a custom batch file which is used for

automatic installation there by making sure that only those updates are listed as Required

Updates which are not installed on a target system, as shown in the screenshot below.

A left click on the Load Updates which is placed at the bottom of Required Updates

window; this will initiate an installation of all the Required Updates listed above. If an

update is already installed on the target system, then the Update Manager does not list

that update in the Required Updates window.

After initiating the load updates, a command line window opens up to process the

installation of updates as shown below. It is recommended to read information inside this

window before the user acknowledges by pressing any key.

UPDATE MANAGER


UPDATE MANAGER


ATTENTION

Update Manager tools in May 2019.ISO and May1 2019.ISO rerun the

installer automatically post reboot and check if all the required updates

are installed or not. If all the required updates are installed, then user will

be prompted with a message “No more updates are required for this

node”.

In addition, the SQL Server and the DST Security updates are not installed

automatically on servers and users must install manually by following the

special instructions available below.

\SPECIALHANDLING\ directory.

Please note that, in case if the SQL Server or the DST security updates are

not installed on the system, the Update Manager tool lists those updates

on restart until these updates are installed.

A check box has been added for the user’s input if a reboot is required.

• Selecting this check box before applying the updates will result in

automatic restart of the system, after installing all the updates.

• Not selecting this check box will result in waiting for the user

confirmation, to reboot the system after applying all updates.

All activities are logged into the following files:

• %windir%\honeywell_mspatches.txt - This log file is for auditing

only and contains all information about what is required to be on

the node and what was installed. This file is appended each time

whenever the application is run. If there is an issue with the Update

Manager application, please contact TAC for further assistance.

• %windir%\honeywell_required_updates.log - This log file is for

auditing only and contains a log of required updates for a specific

node. This file is overwritten whenever the application is run.

• %windir%\honeywell_installed_updates.log - This log file is for

auditing only and contains a log of installed updates for a specific

node. This file is overwritten whenever the application is run.

NOTE

%windir% is the directory that you installed windows.

For example, C:\Windows.

Log file location for EPKS R5xx nodes will be at:

<SoftwarePath>\Honeywell\Experion PKS\Install.

If you do not wish to load the patches, click Cancel and no changes will be

made to the system. The batch file will not be deleted from the system.

UPDATE MANAGER


3.3 Validating Security Updates



A left click on Check Security Updates Only lists only the security updates which are

qualified to be installed on that node. The Update Manager finds the security updates

which are installed on the system and it is ensured that only those updates which are not

present on the system are listed in the Required Updates window as shown below.

A left click on Load Updates starts installing the required security updates.

3.4 Validating Non-Security Updates



UPDATE MANAGER


A left click on Check Non-Security Updates Only lists only the Non-Security updates

which are qualified to be installed on that node. The Update Manager finds the Non-

Security Updates which are installed on the system and it is ensured that only those

updates which are not present on the system are listed in the Required Updates window

as shown below.

A left click on Load Updates starts installing the required Non-Security Updates.

3.5 Validating Latest ISO

If an older version of ISO is used, the Update Manager displays a message as shown

below. It is always recommended to use the latest version of ISO available at Honeywell

OLS.


UPDATE MANAGER


If the system is already installed with the latest updates, then the Update Manager

notifies the user that the system is already installed the with latest security updates as

shown below.

When the ISO is mounted on a system which is not supported, then the Update Manager

informs a user with the message shown below. It is recommended to contact the local TAC

for further details.

ATTENTION

The Update Manager is disabled if Auto Logon feature of Windows is

enabled on the local node. This is done to ensure that the user must log in

to the computer with their credentials and not with administrator

privileges.

Contact Honeywell, if you have any comments or problems with the

Update Manager or with the installation of Microsoft updates. Ensure

that you have downloaded the latest ISO image from OLS.

If you continue to have problems, log on to the OLS site and click Contact

Honeywell Process Solutions.

3.6 Viewing ISO Configuration File

As mentioned above, the Update Manager invokes the following window, when the ISO is

mounted on a target system.


UPDATE MANAGER


A click on View Config in Notepad launches the ISO configuration file with a notepad and

the user can look in to this file for details on ISO configuration.

ATTENTION

The configuration file provides information on an application level and it

is not recommended to open the configuration file unless required.

3.7 Known Issues and Workarounds

This section provides information on the list of known issues and the corresponding

workarounds to address them.

3.7.1 Known Issue: Updates fail to install due to USB lockdown enabled. Ex: KB982018, KB2775511

Workaround: When usbstor.inf and usbstor.pnf files have non-inherited rights, the

workaround is as follows.

Disable USB Lockdown policy:

1. Go to Start > Run, type “regedit” and press enter to open the registry editor.

2. Navigate to the following key.

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\USBSTOR

3. In the right pane, select Start and change the value to 3.

NOTE

The value 4 will disable USB to OK. This will re-enable USB Ports and

allow you to use USB or Pen drives.

UPDATE MANAGER


4. If you cannot find Start under USBSTOR, right click USBSTOR and then select

Permission.

5. Click Advanced.

6. Remove non-inherited rights from the Permissions tab.

7. Check if right permissions are granted for usbstor.inf and usbstor.pnf files:

a. Log in as local administrator

b. Navigate to C:\Windows\inf

c. Change the owner of usbstor.inf to administrators (local pc)

d. Edit the security and set to inherit from parent folder Remove non-inherited

rights from the file

e. Repeat step 2 – 5 for usbstor.pnf file

f. Install KB3139398 Patch only and then restart the PC

8. Install MS ISO.

3.7.2 Known Issue: SUIT ISO DVD is taking hours to deploy when a system has WSUS, but the user wants to use the SUIT ISO to align the system.

Workaround: When WSUS is used, please perform the following steps on the system

before running the SUIT ISO.

Export and remove the below registry key bookmark

HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate

For more information, refer to the guide, Steps to clear windows services logs .docx

UPDATE MANAGER


Steps to clear Windows History on Windows Operating System.

1. Press Windows+R, enter services.msc in the Run dialog, and then click OK to open

the Services window.

2. Select and right-click on the Background Intelligent Transfer Services, and then

click Stop service.

3. Run the SUIT ISO.

4. Reboot the System.

5. Import the exported registry key from Export and remove the below registry key.

6. Reboot the System.

UPDATE MANAGER


3.7.3 Known Issue: DVM R500/R600/R620 and EBI R430

Security Update for Group Policy: KB 3163622 Issue found with this update.

MS16-072: Security update for Group Policy is causing issues for many customers. Some

possible problems caused by the update:

• Drive mappings don’t work

• Settings changed through GPO are no longer retained

• Shortcuts to applications on user's desktops are missing

Reference: http://windowsitpro.com/patch-tuesday/patch-tuesday-security-

updategroup-policy-breaks-gro policy

Workaround: If the update is installed and the issues mentioned are observed, uninstall

this update.

3.7.4 Known Issue: SUIT ISO failed on RAE node

SUIT ISO installation is getting failed on RAE Node for June ISO for RAE 61X.x AV/QCS Srv,

R700.X & RAE R701.x Opstn/Desktop (EPKS 500.x & EPKS 501.x)

Workaround: None.

3.7.5 Known Issue: DVM R600/R620/700 and EBI R500/600 On Windows 10/Windows Server 2016.

When the Load Updates button is clicked, an exception is thrown stating that

“MyPatchList.txt” is not found in C:\Windows directory.

Workaround: Following the steps below.

1. Close the Update Manager tool.

2. Go to C: drive.

3. Copy the “C:\MyPatchList.txt” file.

4. Go to “C:\Windows” directory.

5. Paste the “MyPatchList.txt” file in “C:\Windows”.

https://docs.microsoft.com/en-us/security-updates/SecurityBulletins/2016/ms16-072

http://windowsitpro.com/patch-tuesday/patch-tuesday-security-%20updategroup-policy-breaks-gro%20policy

http://windowsitpro.com/patch-tuesday/patch-tuesday-security-%20updategroup-policy-breaks-gro%20policy

UPDATE MANAGER


6. Relaunch the Update Manager tool and install updates.

3.7.6 Known Issue: On certain scenarios installing MS update using Dec 2019 ISO may cause OS crash.

PAR DESCRIPTION

On certain scenarios installing MS update

using Dec 2019 ISO may cause OS crash.

Background: Honeywell testing found that

installing MS update using December 2019

ISO causes operating system crash on a

system where July 2019 ISO or prior version

of the ISO is used to install MS updates.

Workaround: First Install MS update using

Nov 2019 and then install MS update from

Dec 2019 ISO

Solution: Honeywell is working with

Microsoft for root cause and solution.

3.7.7 Known Issue: ELCN Nodes get stuck in LOC_LOAD after installing Security Update Nov ‘19 or later.

Problem Description:

On Experion R5xx with ELCN, we have identified that ELCN Nodes may get stuck in

LOC_LOAD after installing Security Update November, or later. Honeywell has identified

the problem and recommends modifying the Windows Firewall rules to include the

LCNP4Emulator process.

This only applies to the PC-based ELCN Nodes, and not the UEA/UVA-based ELCN

Appliance Nodes.

KB impacting the ELCN Nodes as follows

November - KB4525236

December - KB4530689

January - KB4534271

Any future KBs

https://urldefense.com/v3/__https:/www.catalog.update.microsoft.com/ScopedViewInline.aspx?updateid=acded10d-a3f9-4c4f-ac7a-f410b38098f9__;!Aafu2RsoaTU!3bAJZrH0mduO2eWgy_tEQDXIywPL-TH0rBaHOMEpxCPkse_iDv5CCsPd0mssTdX29ullg-hszdN6$

https://urldefense.com/v3/__http:/support.microsoft.com/kb/4534271__;!Aafu2RsoaTU!3bAJZrH0mduO2eWgy_tEQDXIywPL-TH0rBaHOMEpxCPkse_iDv5CCsPd0mssTdX29ullg66XMdFn$

UPDATE MANAGER


Applicable release and node type

Experion R5xx with ELCN

Node type: Applies to ESVT, ES-T, E-APP, ACE-T and ELCN HM

Resolution

Honeywell has produced a hotfix which automates the Windows firewall rules creation.

On the applicable ELCN nodes. Right click on the exe and Run as administrator

On successful completion, it provides a message “Experion PKS R5XX ELCN PAR1-

C6ISG33 Hotfix installation completed successfully”. Click on OK.

Note: If LNCNP4emulator is not present, then it will display a message “ This patch is not

applicable on this node”

Instructions for download:

Once logged in to www.honeywellprocess.com, you would go to the Support Section, then

search for 106148

3.7.8 Known Issue: Microsoft Security Update September ’19 ->Jan ‘20 might cause a memory leak in Experion Station on Experion R43x and R5xx.

Problem Description:

Microsoft is still working on resolution; the January 2020 is also impacted. It is safe to

deploy security updates with the script workaround found in article 105374.

Microsoft has informed us that the problem is also applicable to Windows 7/W2008,

therefore it also impacts Experion R43x and R400/410 with IE11. The workaround can be

safely used with the last KB installed.

HPS Technical Support would like to inform that Microsoft has introduced a product

anomaly in Windows 7/W2008, Windows 10 & Windows 2016 September 2019-> Jan

2020 security roll up affecting Station robustness on Experion R43x, R5xx. Customers

running with August 2019 (and earlier) are not affected.

The issue is triggered by the use of VBScript in HMIWeb displays causing Station

processes to accumulate memory (memory leak) and overtime impacting Station

operations.

Microsoft has acknowledged the problem and is working on a resolution. At this time,

Microsoft is not able to provide a resolution date, we would revise this notification once

Microsoft have communicated their plan to resolve the product anomalies

https://urldefense.com/v3/__http:/www.honeywellprocess.com/__;!Aafu2RsoaTU!3bAJZrH0mduO2eWgy_tEQDXIywPL-TH0rBaHOMEpxCPkse_iDv5CCsPd0mssTdX29ullg_DSA01c$

UPDATE MANAGER


Multiple triggers have been identified, it would be therefore complicated and impossible to

modify displays to mitigate the issue, we are recommending referring to the

“recommended actions” section for mitigation plans.

Recommended Actions:

Using the PowerShell script below ran from an Domain admin account, it would possible to

verify the Station memory usage, if the memory is usage is found to be > 300Mb, it would

be the time to log off/log in the affected Station.

The script enables you to provide a coma separated list of Station computer name to

monitor (in yellow).

Get-Counter -Counter "\Process(hscStationWindow*)\Private Bytes" -ComputerName

R501Srv,R510Srv | select -ExpandProperty CounterSamples | sort -Property CookedValue

–Descending.

We have identified a method to work around the issue with a simple Station script, it can be

found in article 105374. With the script, the memory leak is mitigated and there is no need

to log off every day.

3.7.9 Known Issue: KB3125574 install failed on Windows Server 2008 R2 and Windows 7 using August 2019 ISO or later

Symptoms

KB3125574 install failed on Windows Server 2008 R2 and Windows 7 using August 2019

ISO or later.

Context

• Experion Server R43x

• MS(SUIT) ISO

UPDATE MANAGER


Diagnosis

KB3125574 installation was completed successfully but status changed back to fail

after reboot.

Cause

3rd Party Application

Resolution

1. Go to UPDATES\MU19-010 folder inside ISO.

2. Double Click WINDOWS6.1-KB3125574-VW-X64.MSU to install manually.

3. When installation complete, don’t reboot the PC.

4. Click Windows Start button then type “msconfig” to run

5. On the Services tab of System Configuration, select Hide all Microsoft services, and

then select Disable all.

UPDATE MANAGER


6. Click OK then reboot the PC.

7. Confirm KB3125574 installation status is still Successful after reboot.

8. Click Windows Start button then type “msconfig” to run

9. On the Services tab of System Configuration, select Hide all Microsoft services, and

then select Enable all.

10. Click OK then reboot the PC.

TERMS AND DEFINITIONS


4 Terms and definitions

The table below lists the terms used in this document.

Terms Definitions

Update Manager This is a tool designed to manage all the Security and Non-Security

updates supported for all the HPS product nodes.

NOTICES


5 Notices

Documentation feedback

You can find the most up-to-date documents on the Honeywell Process Solutions support

website at:

http://www.honeywellprocess.com/support

If you have comments about Honeywell Process Solutions documentation, send your

feedback to: [email protected]

Use this email address to provide feedback, or to report errors and omissions in the

documentation. For immediate help with a technical problem, contact your local

Honeywell Process Solutions Customer Contact Center (CCC) or Honeywell Technical

Assistance Center (TAC).

How to report a security vulnerability

For the purpose of submission, a security vulnerability is defined as a software defect or

weakness that can be exploited to reduce the operational or security capabilities of the

software.

Honeywell investigates all reports of security vulnerabilities affecting Honeywell products

and services.

To report a potential security vulnerability against any Honeywell product, please follow the

instructions at:

https://honeywell.com/pages/vulnerabilityreporting.aspx

Submit the requested information to Honeywell using one of the following methods:

• Send an email to [email protected]; or.

• Contact your local Honeywell Process Solutions Customer Contact Center (CCC) or

Honeywell Technical Assistance Center (TAC).

Support

For support, contact your local Honeywell Process Solutions Customer Contact Center

(CCC). To find your local CCC visit the website, https://www.honeywellprocess.com/en-

US/contact-us/customer-support-contacts/Pages/default.aspx.

Training classes

Honeywell holds technical training classes that are taught by process control systems

experts. For more information about these classes, contact your Honeywell representative,

or see http://www.automationcollege.com.

http://www.honeywellprocess.com/support


https://honeywell.com/pages/vulnerabilityreporting.aspx

https://www.honeywellprocess.com/en-US/contact-us/customer-support-contacts/Pages/default.aspx

https://www.honeywellprocess.com/en-US/contact-us/customer-support-contacts/Pages/default.aspx

http://www.automationcollege.com/

<<DocumentID>>

April 2020

© 2020 Honeywell International Sàrl

Honeywell Process Solutions

1250 W Sam Houston Pkwy S #150, Houston,

TX 77042

Honeywell House, Skimped Hill Lane

Bracknell, Berkshire, RG12 1EB

Building #1, 555 Huanke Road, Zhangjiang

Hi-Tech Park,

Pudong New Area, Shanghai, China 201203

www.honeywellprocess.com

suit - honeywell€¦ · server 2016. .....43 3.7.6 known issue: on certain scenarios installing ms...

Documents