From 3c247195a3e701ff261bfa5da9c4fb8f330002bd Mon Sep 17 00:00:00 2001
From: Jacques Eloff <joeloff@users.noreply.github.com>
Date: Thu, 8 May 2025 15:29:22 -0700
Subject: [PATCH 1/5] WSUS offline scans & .NET

---
 docs/core/install/includes/microsoft-update.md | 7 +++++++
 1 file changed, 7 insertions(+)

diff --git a/docs/core/install/includes/microsoft-update.md b/docs/core/install/includes/microsoft-update.md
index 7719b4cd25c6f..63c68a9d0137d 100644
--- a/docs/core/install/includes/microsoft-update.md
+++ b/docs/core/install/includes/microsoft-update.md
@@ -39,3 +39,10 @@ Updates for server operating systems are supported by WSUS and Microsoft Update
 | .NET 6 | HKLM\SOFTWARE\Microsoft\\.NET\6.0 | AllowAUOnServerOS | REG_DWORD | 0x00000001 |
 | .NET 5 | HKLM\SOFTWARE\Microsoft\\.NET\5.0 | AllowAUOnServerOS | REG_DWORD | 0x00000001 |
 | .NET Core 3.1 | HKLM\SOFTWARE\Microsoft\\.NET\3.1 | AllowAUOnServerOS | REG_DWORD | 0x00000001 |
+
+#### WSUS and update classifications
+
+WSUS can be configured to provide specific updates based on their [classification](/troubleshoot/windows-client/installing-updates-features-roles/standard-terminology-software-updates). Updates for .NET are classified as either *security* or *critical*. If the latest update is classified as critical, an older security update may be offered when an older version of .NET is installed that is superseded by the latest security update. This also applies to using the offline CAB [(Wsusscan2.cab)](/windows/win32/wua_sdk/using-wua-to-scan-for-updates-offline?tabs=powershell) to scan a machine.
+
+> [!NOTE]]
+> A user installs .NET 6.0.36, the latest release of .NET 6. This version is classified as a critical (non-security) update. Another application installs an older version, 6.0.33. It is not uncommon for applications to include specific versions of .NET as a prerequisite. If an admin configured WSUS to only provide security updates, the next scan will report 6.0.35 as a missing update. The reason for this is that 6.0.35 supersedes 6.0.33 and is the latest *security* update.

From 6535715ab3516cff4ff6578844aef04ad7270905 Mon Sep 17 00:00:00 2001
From: Jacques Eloff <joeloff@users.noreply.github.com>
Date: Thu, 8 May 2025 15:43:22 -0700
Subject: [PATCH 2/5] Fix NOTE

---
 docs/core/install/includes/microsoft-update.md | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/docs/core/install/includes/microsoft-update.md b/docs/core/install/includes/microsoft-update.md
index 63c68a9d0137d..0ad745012de53 100644
--- a/docs/core/install/includes/microsoft-update.md
+++ b/docs/core/install/includes/microsoft-update.md
@@ -44,5 +44,5 @@ Updates for server operating systems are supported by WSUS and Microsoft Update
 
 WSUS can be configured to provide specific updates based on their [classification](/troubleshoot/windows-client/installing-updates-features-roles/standard-terminology-software-updates). Updates for .NET are classified as either *security* or *critical*. If the latest update is classified as critical, an older security update may be offered when an older version of .NET is installed that is superseded by the latest security update. This also applies to using the offline CAB [(Wsusscan2.cab)](/windows/win32/wua_sdk/using-wua-to-scan-for-updates-offline?tabs=powershell) to scan a machine.
 
-> [!NOTE]]
+> [!NOTE]
 > A user installs .NET 6.0.36, the latest release of .NET 6. This version is classified as a critical (non-security) update. Another application installs an older version, 6.0.33. It is not uncommon for applications to include specific versions of .NET as a prerequisite. If an admin configured WSUS to only provide security updates, the next scan will report 6.0.35 as a missing update. The reason for this is that 6.0.35 supersedes 6.0.33 and is the latest *security* update.

From 24156964d6c1ff3ba8b6e81875ee3c13240c4355 Mon Sep 17 00:00:00 2001
From: Jacques Eloff <joeloff@users.noreply.github.com>
Date: Thu, 8 May 2025 16:23:11 -0700
Subject: [PATCH 3/5] Update docs/core/install/includes/microsoft-update.md

Co-authored-by: Genevieve Warren <24882762+gewarren@users.noreply.github.com>
---
 docs/core/install/includes/microsoft-update.md | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/docs/core/install/includes/microsoft-update.md b/docs/core/install/includes/microsoft-update.md
index 0ad745012de53..91aaf0f474599 100644
--- a/docs/core/install/includes/microsoft-update.md
+++ b/docs/core/install/includes/microsoft-update.md
@@ -42,7 +42,7 @@ Updates for server operating systems are supported by WSUS and Microsoft Update
 
 #### WSUS and update classifications
 
-WSUS can be configured to provide specific updates based on their [classification](/troubleshoot/windows-client/installing-updates-features-roles/standard-terminology-software-updates). Updates for .NET are classified as either *security* or *critical*. If the latest update is classified as critical, an older security update may be offered when an older version of .NET is installed that is superseded by the latest security update. This also applies to using the offline CAB [(Wsusscan2.cab)](/windows/win32/wua_sdk/using-wua-to-scan-for-updates-offline?tabs=powershell) to scan a machine.
+WSUS can be configured to provide specific updates based on their [classification](/troubleshoot/windows-client/installing-updates-features-roles/standard-terminology-software-updates). Updates for .NET are classified as either *security* or *critical*. If the latest update is classified as critical, an older *security* update might be offered when an older version of .NET is installed that's superseded by the latest security update. This also applies to using the offline CAB [(Wsusscan2.cab)](/windows/win32/wua_sdk/using-wua-to-scan-for-updates-offline?tabs=powershell) to scan a machine.
 
 > [!NOTE]
 > A user installs .NET 6.0.36, the latest release of .NET 6. This version is classified as a critical (non-security) update. Another application installs an older version, 6.0.33. It is not uncommon for applications to include specific versions of .NET as a prerequisite. If an admin configured WSUS to only provide security updates, the next scan will report 6.0.35 as a missing update. The reason for this is that 6.0.35 supersedes 6.0.33 and is the latest *security* update.

From 4b3a44e27da3a5daf0ba5eb39e50af350b1c67bb Mon Sep 17 00:00:00 2001
From: Jacques Eloff <joeloff@users.noreply.github.com>
Date: Thu, 8 May 2025 16:23:17 -0700
Subject: [PATCH 4/5] Update docs/core/install/includes/microsoft-update.md

Co-authored-by: Genevieve Warren <24882762+gewarren@users.noreply.github.com>
---
 docs/core/install/includes/microsoft-update.md | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/docs/core/install/includes/microsoft-update.md b/docs/core/install/includes/microsoft-update.md
index 91aaf0f474599..eb0b1cc7609db 100644
--- a/docs/core/install/includes/microsoft-update.md
+++ b/docs/core/install/includes/microsoft-update.md
@@ -45,4 +45,4 @@ Updates for server operating systems are supported by WSUS and Microsoft Update
 WSUS can be configured to provide specific updates based on their [classification](/troubleshoot/windows-client/installing-updates-features-roles/standard-terminology-software-updates). Updates for .NET are classified as either *security* or *critical*. If the latest update is classified as critical, an older *security* update might be offered when an older version of .NET is installed that's superseded by the latest security update. This also applies to using the offline CAB [(Wsusscan2.cab)](/windows/win32/wua_sdk/using-wua-to-scan-for-updates-offline?tabs=powershell) to scan a machine.
 
 > [!NOTE]
-> A user installs .NET 6.0.36, the latest release of .NET 6. This version is classified as a critical (non-security) update. Another application installs an older version, 6.0.33. It is not uncommon for applications to include specific versions of .NET as a prerequisite. If an admin configured WSUS to only provide security updates, the next scan will report 6.0.35 as a missing update. The reason for this is that 6.0.35 supersedes 6.0.33 and is the latest *security* update.
+> In some cases, WSUS might report a missing update for a version that's older than the .NET version you installed. For example, imagine a user installs .NET 6.0.36, the latest release of .NET 6. This version is classified as a critical (non-security) update. Then an application installs an older version, 6.0.33. (It's not uncommon for applications to include specific versions of .NET as a prerequisite.) If an admin configured WSUS to only provide security updates, the next scan will report 6.0.35 as a missing update. The reason for this is that 6.0.35 supersedes 6.0.33 and is the latest *security* update.

From acd2c11093948713948ca73a391ca11fc9260e7d Mon Sep 17 00:00:00 2001
From: Jacques Eloff <joeloff@users.noreply.github.com>
Date: Mon, 12 May 2025 08:48:43 -0700
Subject: [PATCH 5/5] Clarify offering 6.0.35

---
 docs/core/install/includes/microsoft-update.md | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/docs/core/install/includes/microsoft-update.md b/docs/core/install/includes/microsoft-update.md
index eb0b1cc7609db..9650f195a4588 100644
--- a/docs/core/install/includes/microsoft-update.md
+++ b/docs/core/install/includes/microsoft-update.md
@@ -45,4 +45,4 @@ Updates for server operating systems are supported by WSUS and Microsoft Update
 WSUS can be configured to provide specific updates based on their [classification](/troubleshoot/windows-client/installing-updates-features-roles/standard-terminology-software-updates). Updates for .NET are classified as either *security* or *critical*. If the latest update is classified as critical, an older *security* update might be offered when an older version of .NET is installed that's superseded by the latest security update. This also applies to using the offline CAB [(Wsusscan2.cab)](/windows/win32/wua_sdk/using-wua-to-scan-for-updates-offline?tabs=powershell) to scan a machine.
 
 > [!NOTE]
-> In some cases, WSUS might report a missing update for a version that's older than the .NET version you installed. For example, imagine a user installs .NET 6.0.36, the latest release of .NET 6. This version is classified as a critical (non-security) update. Then an application installs an older version, 6.0.33. (It's not uncommon for applications to include specific versions of .NET as a prerequisite.) If an admin configured WSUS to only provide security updates, the next scan will report 6.0.35 as a missing update. The reason for this is that 6.0.35 supersedes 6.0.33 and is the latest *security* update.
+> In some cases, WSUS might report a missing update for a version that's older than the .NET version you installed. For example, imagine a user installs .NET 6.0.36, the latest release of .NET 6. This version is classified as a critical (non-security) update. Then an application installs an older version, 6.0.33. (It's not uncommon for applications to include specific versions of .NET as a prerequisite.) If an admin configured WSUS to only provide security updates, the next scan will report 6.0.35 as a missing update. Machines configured to receive *security* updates through AU or WSUS will be offered 6.0.35, even when 6.0.36 is installed. The reason for this is that 6.0.35 supersedes 6.0.33 and is the latest *security* update.