A security update was superseded by a non-security update...
We use KACE to push OS security patches to Windows 7, 8, and 10. Until recently, this has worked very well.
Security patches are collected using a smart label with the following settings:
Type is Security
Publisher contains Microsoft
Category is OS
The Windows 10 May Cumulative Update (KB4016871) has been superseded by the Windows 10 June Cumulative Update (KB4022725). The problem is that the May update is listed by KACE as "type: Security", while the June update is listed by KACE as "type: Non-Security". Consequently, the new patch is not captured by our existing label. Windows 10 PCs which were not patched prior to the release of the June update (newly imaged PCs, etc.) are now left vulnerable to several security flaws, such as CVE-2017-0222.
Why is a security patch being superseded by a non-security patch? How can I get security updates installed without subscribing to non-security patches going forward? If this is not going to be an option, I'm not sure of the long-term value of using KACE to push patches.
4 Comments
Now, there might be some logic behind that, because when I searched for all my cumulative patches, some are classified as Security and some are not.
For example, KB4015219 is a Cumulative from April (for Win10 1511); the Impact is Critical, but the Type is Non-Security, so this is not something new, and I guess there is a reason why.
I haven't seen this myself because I patch both types.
You might want to add another AND line to your label like: "Where name contains "KB4022725"" to cover your holes for June.
Then contact support and post the reason why here. - Channeler 7 years ago
I'm finding a similar issue with Windows 8 patches, also. June's KB4022726 supersedes May's KB4019215. In this case, both have type set to Security, so the June one does install. However, when we run our security scan on a system which has the June update, but not May's, they still show as vulnerable to CVE-2017-0222 (and several other vulnerabilities patched by the May update). If the June update doesn't patch the vulnerabilities patched by the May update, it seems to me it shouldn't supersede that patch. - MichaelMc 7 years ago
Oh well, how bad can it be if my systems are missing a few security patches. </sarcasm> - MichaelMc 7 years ago
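Added example, not part of the original thread and not KACE's own logic: a check that flags the gap described in the question, where the label matches a patch but not the patch that supersedes it. The `Patch` record, its field names, the publisher string and the `supersedes` link are assumptions made for illustration; the KB numbers and types are the ones quoted in the thread.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Patch:
    kb: str
    ptype: str                         # "Security" or "Non-Security", as the catalog lists it
    publisher: str
    category: str
    supersedes: Optional[str] = None   # KB that this patch replaces (hypothetical field)

def label_matches(p):
    """The smart label from the question: Type is Security, Publisher contains Microsoft, Category is OS."""
    return p.ptype == "Security" and "Microsoft" in p.publisher and p.category == "OS"

def latest_successor(kb, catalog):
    """Follow the supersedence chain from kb to the newest patch in it."""
    replaced_by = {p.supersedes: p for p in catalog if p.supersedes}
    current = next(p for p in catalog if p.kb == kb)
    seen = {current.kb}
    while current.kb in replaced_by and replaced_by[current.kb].kb not in seen:
        current = replaced_by[current.kb]
        seen.add(current.kb)           # guards against a malformed, cyclic chain
    return current

def label_gaps(catalog):
    """Return (matched_kb, successor_kb) pairs where the label matches a
    patch but not the patch that ultimately replaces it."""
    gaps = []
    for p in catalog:
        if not label_matches(p):
            continue
        tip = latest_successor(p.kb, catalog)
        if tip.kb != p.kb and not label_matches(tip):
            gaps.append((p.kb, tip.kb))
    return gaps

# Constructed catalog rows using the KBs and types reported in the thread.
MS, OS = "Microsoft Corporation", "OS"
CATALOG = [
    Patch("KB4016871", "Security", MS, OS),                  # Win10 May
    Patch("KB4022725", "Non-Security", MS, OS, "KB4016871"), # Win10 June
    Patch("KB4019215", "Security", MS, OS),                  # Win8 May
    Patch("KB4022726", "Security", MS, OS, "KB4019215"),     # Win8 June
]

if __name__ == "__main__":
    for old, new in label_gaps(CATALOG):
        print(f"{old} is covered by the label, but its successor {new} is not")
```

Running a check like this after each catalog refresh shows which superseding patches need to be pulled in explicitly before newly imaged machines miss them.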