Security Update 2018-001 High Sierra or Security Update 2018-002 High Sierra

sdagley
Esteemed Contributor II

Anybody else experiencing issues with these updates? https://support.apple.com/en-us/HT209193 talks about Security Update 2018-001 High Sierra that dropped yesterday, but this morning Security Update 2018-002 High Sierra is showing as available when I run softwareupdate --list. More troubling, I had two users report that they turned on their Macs this morning they got a "The macOS installation couldn't be completed" message with an Installation Log window in the background. Unfortunately I did not get a chance to troubleshoot the machines, but I'm guessing Security Update 2018-001 High Sierra was responsible.

53 REPLIES 53

andrew_nicholas
Valued Contributor

I have seen the same, but in both cases users are able to boot back into the OS. I applied it to about four other machines without issue however, and from what I could see the log files basically state that the MacOS HD that was booted into was empty.

correction:

The main OS Installer distribution (/Volumes/Macintosh HD/Library/Updates/AtomicUpdates/041-18191/041-18191.English.dist) did not load with error: The file doesn’t exist.

sdagley
Esteemed Contributor II

@andrew.nicholas Thanks for the confirmation. Was it necessary to re-select the Startup Disk to boot into the OS, or something else? And it's really annoying that Apple still hasn't updated the "About the security content..." document for this yet. What a lovely Trick for Halloween.

alex43
New Contributor

I had the same issue with 2018-002 10.13.6 i was able to boot normally selecting the "Startup Disk"
My only concern is if during the "update process" corrupted some sys files or it just rollback the update.
Now everything looks normal.

AVmcclint
Honored Contributor

I'm seeing weirdness here too. Some machines that I know for a fact installed High Sierra 2018-001 update do not see the 002 update no matter what I do. so now I've got multiple build numbers to keep track of. 17G65 for 002 and 17G3025 for 001 (I think - I have completely lost track now)

CAJensen01
Contributor

We've seen it widespread as well, but I'm still waiting for techs to handoff some logs.

AVmcclint
Honored Contributor

Whoa.... I'm starting to see evidence that the 2018-002 update is installing automatically even when automatic updates are disabled. Even on my Mac Mini at home (unmanaged) I ran softwareupdate -d -a to ONLY download the updates, but it installed it anyway!

andrew_nicholas
Valued Contributor

@sdagley It hasn't been in all cases but some have required it.

sdagley
Esteemed Contributor II

@AVmcclint 17G65 was the build number for the original High Sierra 10.13.6 release. I just installed Security Update 2018-002 (High Sierra) and ended up with build 17G3025 so if 2018-001 reported the same Apple didn't bother to roll the version number between the two. Even more annoying, the Security Update 2018-002 (High Sierra) download from support.apple.com is a .pkg named SecUpd2018-002Sierra.pkg

sdagley
Esteemed Contributor II

@andrew.nicholas Thanks. The field techs that have run into the problem here are reporting that re-setting the Startup Disk seems to be a reliable "fix".

CAJensen01
Contributor

FWIW we've opened an enterprise case with Apple: 20000034091928.

Seeing the same error Andrew is reporting.

Nov  2 13:08:57 Computer OSInstaller[546]: The main OS Installer distribution (/Volumes/Macintosh HD/Library/Updates/AtomicUpdates/041-18191/041-18191.English.dist) did not load with error: The file doesn’t exist.
Nov  2 13:08:57 ComputerLanguage Chooser[528]: Child process exited 11
Nov  2 13:08:57 Computer storagekitd[547]: Removing client connection <SKDaemonConnection: 0x7f99a9c026d0>
Nov  2 13:08:57 Computer storagekitd[547]: No more connections, storagekitd will exit...
Nov  2 13:08:57 Computer Unknown[552]: Launching the Installer Crash Log Viewer

luke_mccubbins
New Contributor

Also having this issue. I'd like to just add this update to the softwareupdate --ignore list but I'm having trouble nailing down the label for this update. Anyone have any ideas?

gforsyth
New Contributor III

I've tested this across the board in our environment and on clean OS installs with mixed outcomes. Some machines install and are stuck in a boot look. Some machines install fine and others fail to install all together. I opened a case with Apple and they are aware of the issue. Hope this is patched soon because we have Firmware PW and Remote Users are out of luck with no boots on the ground. :(

sdagley
Esteemed Contributor II

@luke.mccubbins This is what worked for me: sudo softwareupdate --ignore "Security Update 2018-002"

FrakeTrain
New Contributor

Seeing this issue on multiple sites. My gear: 2017 MPB 14,3. macOS 10.13.6. My experience yesterday: Used App Store updates to update to Safari 12.0.1 and Security Update 2018-002. Downloaded 1.88Gb. Then multiple update bars with multiple on/off screens. Then as described above "The macOS installation couldn't be completed" message with an Installation Log window in the background. The window had a retry button, tried twice to no avail (brought me back to the same error) then was able to save the Update log. Then tried Startup Disk button which brought me to my start up disk and was able to reboot (whew). Noticed that Safari had updated but App Store update was still showing the Security Update 2018-002. So tried to download again and after multiple progress bar back and forth movements among many black screens... finally booted to 10.13.6 (17G3025). This is the first time in 20 years I have had this kind of almost brick issue with updates. Nothing from Apple support, but did send them the Update crash log. I had a prolonged update issue once with High Sierra but no update crash. BUT what I am finding out is that both of these issues have occurred when Apple decides to package a firmware update with the software update. I don't know what my Boot ROM Version was before but now it is: 185.0.0.0.0. And you can see they have completely changed the numerology of the version number. I did a Terminal EFI verification and came up with EFI Version: MBP143.88Z.F000.B00.1809280842. I think this used to match the Boot ROM Version. Also, as others have noted the Apple Security Updates pages still have Security Update 2018-001 listed on their site, not 002??? Also I found the Security Update 2018-002 (there is no 001) download page and noticed the size was 421.1 Gb. WHY is the download from the App Sore more than 4 times as large?? Any ideas on this?

coachdnadel
Release Candidate Programs Tester

This is happening in my environment, too. I’ve also noticed that the installer log actually shows up after the machine is restarted post update. Basically, the security update installs and the machine seems to be working. If the machine is restarted, it boots to the installer log. I also put a ticket in with Apple.

bainter
Contributor

If you download the misnamed SecUpd2018-002Sierra.pkg (for 10.13.6 High Sierra) from Apple's download site:

Apple Support Downloads

If you use it instead of allowing the Appstore to install it, you may encounter far fewer problems. I've had to manually restart a few Macs even though Casper Remote took care of the initial restart, but so far have not run into the numerous boot problems or failure to update. This update process has become very tenuous.

RJH
Contributor

Seeing the same issue. Confirmed same log entries in installer log which would seem to indicate that the UPDATE package itself, or a related file is missing when the update is attempted. File missing - update fails - crash log viewer initiates.

Nov 11 22:11:13 MacBook-Pro OSInstaller[546]: The main OS Installer distribution (/Volumes/Macintosh HD/Library/Updates/AtomicUpdates/041-18191/041-18191.English.dist) did not load with error: The file doesn’t exist.
Nov 11 22:11:13 MacBook-Pro Language Chooser[527]: Child process exited 11
Nov 11 22:11:13 MacBook-Pro storagekitd[547]: Removing client connection <SKDaemonConnection: 0x7f9674d01940>
Nov 11 22:11:13 MacBook-Pro storagekitd[547]: No more connections, storagekitd will exit...
Nov 11 22:11:13 MacBook-Pro Unknown[551]: Launching the Installer Crash Log Viewer

As to solutions, for one user they were able to just restart, and OS started fine, for others the sequence would repeat. For the latter - selected startup disk and this solved the issue. Have put in place an software ignore as per @sdagley suggestion above AND also modified the RESTRICTIONS profile that is pushed to all users to now DEFER UPDATES FOR 90 days. Usually can rely upon Apple Security updates and rollout shortly after release with minimal risk to the fleet. Not so much anymore. Poor form Apple! Hope they fix soon.

carlo_anselmi
Contributor III

@rhill
I noticed on my internal SUS there are newer pkgs released 06/11 (both high sierra and sierra sec. updates)
Perhaps they changed something and also wondering if the pkgs available to download on Apple website had changed too

stevewood
Honored Contributor II
Honored Contributor II

We have had reports of machines failing with the log file showing, as reported above, and we've also had reports of FileVault enabled Macs not completing the restart process and requiring the selection of Startup Disk. On the FV Macs, I noticed the following in the policy log that called softwareupdate:

Downloaded Safari Downloaded Security Update 2018-002 Installing Safari, Security Update 2018-002 Done with Safari Done. To install these updates, your computer must shut down. Your computer will automatically start up to finish installation. Installation will not complete successfully if you choose to restart your computer instead of shutting down. Please call halt(8) or select Shut Down from the Apple menu. To automate the shutdown process with softwareupdate(8), use --restart. A reboot was required with one or more of the installed updates. Software update finished. Reboot is required. Blessing i386 macOS System on /... Creating Reboot Script...

If you look, the log is saying

Installation will not complete successfully if you choose to restart your computer instead of shutting down.

I have never seen a Mac update require a shutdown. I'm wondering if shutting down instead of restarting will "fix" this issue. I have one of our local IT guys that will attempt a shutdown the next time he has a user come up with a "bricked" Mac.

Anyone else seeing this?

AVmcclint
Honored Contributor

I have discovered if I download the confusingly-named SecUpd2018-002Sierra.dmg, mount it and copy the .pkg to the desktop of any Mac that needs the update and run it from there it is guaranteed to fail every time. It runs, it reboots, says Installing Update.... then goes to a black screen with a spinning gear. That's it. it NEVER completes the update process. If I put the pkg into Self Service, it basically does the same thing. If I copy the .dmg to a applicable Mac and run the .pkg directly from the mounted .dmg, then it works - EVERY TIME. WTF, Apple? This has been out for how long and they still haven't addressed the numerous problems?

I'm STILL observing that maybe 20% of applicable Macs can actually see the update in the Mac App Store or via softwareupdate command. I've seen some Macs will show it in MAS, but if I quit and relaunch, it disappears.

shawnis43
New Contributor III

@stevewood I've seen that message in the logs a handful of times. As far as I can tell its only happening with the 2018 T2 chip MacBook Pro's in our environment. I haven't been able to test shutting down instead of restart though. All the ones I've seen have been past that stage and re-running the update installs it. I've also seen the requirement of selecting the startup disk and also the Mac needs to be connected to the internet to complete the install

hkabik
Valued Contributor

I've had two machines attempt install of these automatically and get stuck in a boot loop. And we have Auto-update disabled here. Glad it;s only 2 so far, but that is VERY worrying.

hkabik
Valued Contributor

Make that 6 machines. This update is a nightmare. We block auto-updates to protect against this kind of thing and Apple still finds a way to ruin my day.

simon_brown
New Contributor III

+1 have come across the issue in our company and have pulled the update (for the time being) from our software update server until Apple fix this.

hkabik
Valued Contributor

Setting the startup disk only worked for 1 of the 6 machines. the others were all rebuilds. I hope there aren't more of these in my environment we haven't found yet.

stevewood
Honored Contributor II
Honored Contributor II

Can anyone confirm which models they are seeing this on? Is it only T2 enabled Macs? So iMac Pro and the 2018 models of devices? We're trying to lock this down so we can open an enterprise AC case.

jwojda
Valued Contributor II

@stevewood I just had it on a 2015 iMac 27" 5k

hkabik
Valued Contributor

@stevewood This is not limited to T2 Macs only, we've had it on 2 older machines as well.

stevewood
Honored Contributor II
Honored Contributor II

@jwojda @hkabik

Thanks guys! We release to our test group this week, so I'm waiting for that before opening the AC case. I want to be able to provide some decent evidence. So far I have not been able to replicate, but that has been in VMs and not on physical hardware (except for the cases reported by one of our agencies).

BoscoATX
New Contributor III

I downloaded Security Update 2018-002 from our Reposado server today. Attached screenshot is all that's installed. I parsed through the installer packages using Suspicious Package and theres A LOT of items installed in the SecUpd2018-002Sierra.pkg. 4c47abddd5bd4b53a64b9bc032344e40
37990346efba40268e2c7b1a5d0c03bc

AVmcclint
Honored Contributor

I need to add that installing the update from the mounted .dmg isn't as successful as I believed. On the first 6 Macs I ran it on, it did work every time. Now it doesn't work at all on any Mac - I've even redownloaded it just in case something happened to my original dmg. It "installs" for a few seconds, reboots (bypassing FileVault), I login, and I'm back at the desktop still not updated. I've scoured the logs and can find no indication of any kind of failures or errors. The only solution I keep hearing from people who contacted Apple is to reinstall the OS from the Recovery partition. This is happening on brand new Macs fresh out of the box so I seriously doubt a reinstallation is going to fix anything. Besides, who has time to reinstall the OS on 100+ Macs?

hkabik
Valued Contributor

Did any body else make a bug report on this? Or take it to Enterprise support as an issue?

tdilossi
Contributor

This didn't start for us until Tuesday the 27th. I'd just like to add that we are running 10.12.6 on all of our devices and this has been a complete nightmare for us as well! I thought at first it was something I had missed in my settings, but soon found that Apple appears to be screwing with us! I have at least 6 bricked systems at this point, and pointing them to the startup disk has only worked on 1 of them. A few are on a constant reboot cycle. I've tried the recovery drive on a few as well, but found that it is failing at about 90% complete. I'm contacting Apple developers to let them know what a shit show this is, hopefully others will do the same.

stevewood
Honored Contributor II
Honored Contributor II

@hkabik yes, we just opened ACE 100689231892.

hkabik
Valued Contributor

Thanks to everyone else that is making noise about this with Apple.

jwojda
Valued Contributor II

@hkabik our ACE is 100666331583.

GabeShack
Valued Contributor III

I've seen similar issues with drives not using APFS and or raided/Fusion Drives trying to apply certain updates. Anyone have any corroborating evidence to support this? Also I've seen firmware updates fail when 3rd party programs are installed that modify core systems IE a fan controller for iMacs or anything that requires the SIP to be disabled for install.

Gabe Shackney
Princeton Public Schools

Gabe Shackney
Princeton Public Schools

AVmcclint
Honored Contributor

Apple released Security Update 2018-003 for High Sierra yesterday. I successfully installed it on a Mac this morning, but it was a Mac that took 002 without problem anyway. As my users come in, I'll try to apply 003 to a Mac that I know still refuses to install 002 and see what happens.

AVmcclint
Honored Contributor

No luck. I've tried softwareupdate -i -a and the Mac App Store app, and IF the update shows up and downloads, it never actually installs. Either it hangs forever at shutting down or it reboots as if nothing ever happened. Same problems as before. Reinstalling the OS on 100+ macs is not an option. It's just so frustrating that it installs perfectly fine on some Macs that are configured identically to all the others that are failing.