/build/static/layout/Breadcrumb_cap_w.png
06/22/2017 1251 views
We use KACE to push OS security patches to Windows 7, 8, and 10. Until recently, this has worked very well.
Security patches are collected using a smart label with the following settings:
Type is Security
Publisher contains Microsoft
Category is OS

The Windows 10 May Cumulative Update (KB4016871) has been superseded by the Windows 10 June Cumulative Update (KB4022725). The problem is that the May update is listed by KACE as "type: Security", while the June update is listed by KACE as "type:Non-Security". Consequently, the new patch is not captured by our existing label. Windows 10 PCs which were not patched prior to the release of the June update (newly imaged PCs, etc.) are now left vulnerable to several security flaws, such as CVE-2017-0222.

Why is a security patch being superseded by a non-security patch? How can I get security updates installed without subscribing to non-security patches going forward? If this is not going to be an option, I'm not sure of the long term value of using KACE to push patches.
4 Comments   [ + ] Show comments

Comments

  • Might be an error in regards how the patch was published in the KACE catalog....

    Now, there might be some logic behind that, because when I searched for all my cumulative patches, some are classified as Security and some are not.

    For example KB4015219, is a Cumulative from April (for Win10 1511), the Impact is Critical, but the Type is Non-Security, so this is not something new, and I guess there is a reason why.

    I haven't seen this myself because I patch both types.

    You might want to add another AND line to your label like: "Where name contains "KB4022725"" to cover your holes for June.

    Then contact support and post the reason why here.
  • Thanks, I'll give that a try. I'm not sure that will work since the superseded patch is marked inactive. Isn't that usually exactly what is wanted? KB4022726 supersedes 94 different patches alone. I think I'm going to have a different set of problems if I have to activate superseded patches.

    I'm finding a similar issue with Windows 8 patches, also. June's KB4022726 supersedes May's KB4019215. In this case, both have type set to Security, so the June one does install. However, when we run our security scan on a system which has the June update, but not May's, they still show as vulnerable to CVE-2017-0222 (and several other vulnerabilities patched by the May update.) If the June update doesn't patch the vulnerabilities patched by the May update, it seems to me it shouldn't supersede that patch.
  • I would also be interested in hearing how the classification was made. It's possible that Quest will say that the Type is determined by their upstream vendor (it used to be Lumension but the name changed, I think).
  • I forgot to post to update about the status on this since it took well over a week to get a resolution. Kace did make a request to the upstream provider (whatever Lumension is called now) and they were able to modify the classification. In spite of the delay, I was satisfied with the outcome. That is until I noticed today that this has happened AGAIN. KB4025339 (type security, severity critical, impact critical) has been superseded by KB4025334 (type non-security, severity unspecified, impact recommended).
    • Just got a response back from KACE support stating that this is just the way the patches were flagged by Microsoft so there is nothing they can do.

      Oh well, how bad can it be if my systems are missing a few security patches. </sarcasm>
    • I had this experience as well, MichaelMC. It causes me issues because my intention is to use Kace to receive and deliver critical security patches to our Windows Servers. But I also have it set so superseded patches get set to inactive. So having a security patch superseded by a non-security patch really throws off my patch logic workflow. From my perspective, a security patch should not be able to be superseded unless it is superseded by another security patch. Maybe I'll post that in the Kace user voice.

There are no answers at this time

Don't be a Stranger!

Sign up today to participate, stay informed, earn points and establish a reputation for yourself!

Sign up! or login

Share