/build/static/layout/Breadcrumb_cap_w.png

Microsoft security monthly quality rollups not superseding older monthly rollups

Good morning,

I've noticed that on a PC that has May's security monthly quality rollup for windows (4019264) KACE is reporting that it doesnt have the older rollups installed however, I believe that when the latest rollup is installed on a PC it removes references to the older rollup from a previous update.

Why is KACE not automatically superseding older rollups?

Example, following patches are listed as missing;

1    Cumulative Security Update for Internet Explorer 11 for Windows 7 x64 (KB4018271)    NOTPATCHED
2    April, 2017 Security Only Quality Update for Windows 7 x64 (KB4015546)            NOTPATCHED
3    November, 2016 Security Only Quality Update for Windows 7 x64 (KB3197867)        NOTPATCHED
4    2017-05 Security Only Quality Update for Windows 7 x64 (KB4019263)            NOTPATCHED
5    Microsoft Silverlight 4.0.60129.0 for Windows (See Note) (Rev 2)            NOTPATCHED
6    October, 2016 Security Only Quality Update for Windows 7 x64 (KB3192391)        NOTPATCHED
7    December, 2016 Security Only Quality Update for Windows 7 x64 (KB3205394)        NOTPATCHED
8    March, 2017 Security Only Quality Update for Windows 7 x64 (KB4012212)            NOTPATCHED
9    MS15-124 Enable the User32 exception handler hardening feature in Internet Explorer    NOTPATCHED
    (KB3125869) for Windows (See Notes)   

When I manually check the PC in question KB4019264 is listed as installed, its my understanding that that should remove the need for the following to be installed;

2    April, 2017 Security Only Quality Update for Windows 7 x64 (KB4015546)            NOTPATCHED
3    November, 2016 Security Only Quality Update for Windows 7 x64 (KB3197867)        NOTPATCHED
4    2017-05 Security Only Quality Update for Windows 7 x64 (KB4019263)            NOTPATCHED
6    October, 2016 Security Only Quality Update for Windows 7 x64 (KB3192391)        NOTPATCHED
7    December, 2016 Security Only Quality Update for Windows 7 x64 (KB3205394)        NOTPATCHED
8    March, 2017 Security Only Quality Update for Windows 7 x64 (KB4012212)            NOTPATCHED

Yet they are still being shown as missing in the patching status, this is across approx 800 machines. We are not using KACE to push patches to the PCs (which are installed over 850 stores all connected via ADSL or via a private ADSL/MPLS solution, as I believe that KACE pushing patches to all our store level PCs would kill our network .. as it is I think using KACE to report patch install status is potentially causing traffic problems as it is).

Note: we are running an old version of KACE Appliance, 6.2.109330 we are planning to upgrade to the latest soon.

Regards


Asked 7 years ago 3955 views
8 Comments   [ + ] Show comments
  • Are Windows 10 machines having the same issue? We don't use KACE for Windows OS patches so I can't compare my environment. - JasonEgg 7 years ago
    • Will find out soon .. already upgraded to 6.4 but intend to goto 7.1 by next week. - nbs 7 years ago
  • Maybe this article has something to do with it? I would definitely update your server version and see if the issue persists.
    https://support.quest.com/kace-systems-management-appliance/kb/211378 - JasonEgg 7 years ago
  • We are observing exactly the same type of behaviour. Security only quality updates are not marked as superseded, and previous months' updates are being pushed to KACE clients - ager01 7 years ago
  • Confirmed this is still an issue with 7.1.149, i.e.

    machine name, OS, release date, is superceded, title, vendor
    '<machine name>', 'Microsoft Windows 7 Professional x64', '2017-03-14 00:00:00', '0', 'March, 2017 Security Only Quality Update for Windows 7 x64 (KB4012212)', 'Microsoft Corp.'

    surely is_superceded should be set to 1 (or at least not 0) for a roll-up from march?

    Query is (cribbed from another query found on this site :) ;

    SELECT
    M.NAME AS MACHINE_NAME,
    OS_NAME AS WINDOWS_VERSION,
    PP.RELEASEDATE,
    PP.IS_SUPERCEDED,
    PP.TITLE,
    PP.VENDOR
    FROM
    PATCHLINK_MACHINE_STATUS MS
    JOIN KBSYS.PATCHLINK_PATCH PP ON (PP.UID = MS.PATCHUID)
    JOIN PATCHLINK_PATCH_STATUS PPS ON (PPS.PATCHUID = PP.UID)
    JOIN MACHINE M ON (M.ID = MS.MACHINE_ID)
    JOIN MACHINE_LABEL_JT ML ON (M.ID = ML.MACHINE_ID)
    JOIN LABEL L ON (ML.LABEL_ID = L.ID)
    WHERE
    PP.IMPACTID = 'Critical'
    AND PP.IS_SUPERCEDED = 0
    AND PP.RELEASEDATE >= DATE_SUB(NOW(), INTERVAL 1 YEAR)
    AND MS.STATUS='NOTPATCHED'
    GROUP BY M.NAME
    ORDER BY M.NAME - nbs 7 years ago
  • I am having the same issue and running 7.2.10 now. I ran a Report and was shocked to see what wasn't installed. Kace report lists 14 critical updates missing though windows update only shows 3 (+3 optional) pending. Bulk of the ones kace report stating is missing are Security Only Quality Updates. - rleb29 7 years ago
  • I've logged this up with support as was hoping 7.1.149 would resolve when I originally opened this topic. Will provide an update if they find anything useful - nbs 7 years ago
  • Did anybody ever get this resolved? I just opened a ticket for this today and waiting a call back. - cstewy 6 years ago
    • The response I got was due to MS not marking the updates as superseded. I never found a work around but to be honest didnt really have the time. - nbs 6 years ago
  • Hello, I am new to KACE. Can someone please explain how to create a similar report where I can see the machines which have the Security Monthly Quality patching. - AleinsExist9 4 years ago

Answers (0)

Be the first to answer this question

 
This website uses cookies. By continuing to use this site and/or clicking the "Accept" button you are providing consent Quest Software and its affiliates do NOT sell the Personal Data you provide to us either when you register on our websites or when you do business with us. For more information about our Privacy Policy and our data protection efforts, please visit GDPR-HQ