This browser is no longer supported.
Upgrade to Microsoft Edge to take advantage of the latest features, security updates, and technical support.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(208, 52%, 30%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EJ%3C/text%3E%3C/svg%3E)
For patching against CVE-2020-1472 | Netlogon Elevation of Privilege Vulnerability, the relevant update for security only updates is:
W2012R2 KB4571723 Security Only - However this is superceeded by KB4578013 which is an out of band update which includes two other CVE patches. It specifically doesn’t mention CVE-2020-1472, but superceeds KB4571723 therfore none of the R2servers will scan against KB4571723 so i assume that KB4571723 is no longer required if KB4578013 is available/ installed
When i manually installed KB4571723 on a server that has installed KB4578013, the patch is accepted and installed.
I assumed it would be deemed not required (as it is in the MEM console)
does that mean that
Basically what i'm wanting to know is if KB4578013 includes the patch for CVE-2020-1472 (because it doesnt say) and now starting to wonder about other superceeded updates that get replaced and whether they are still actually required (but on scan are deemed not to be)
Using v1906
Thanks
I've added the Windows Server Security tag to this thread as the question isn't really specific to or governed by ConfigMgr by is instead a Windows update specific issue.
Hi @JG
As the official article says, CVE-2020-1472 for Windows Server 2012 R2 need to install monthly roll up KB4571703 or security only KB4571723 for avoid Netlogon Elevation of Privilege Vulnerability.
As KB4571703 was replaced by KB4578013, so KB4578013 must contains updated system files for avoid Netlogon Elevation of Privilege Vulnerability.
However, KB4578013 was released on 8/18/2020 which is later than KB4571703 (8/10/2020) and KB4571723 (8/10/2020), and CVE-2020-1472 article released date ((8/11/2020), so that is why it was not recorded in this article. By the way, as Windows Update is cumulative, KB4571703 and KB4571723 are all replaced by the latest monthly rollup package KB4577066. So we just need to install the latest update package.
Even if you install the latest update package, it will available to install previous replaced update manually, but windows update agent can't search for them and will not install them automatically. It is the default behavior.
So there is no need to worry about these things, just keep your system latest.
============================================
If the Answer is helpful, please click "Accept Answer" and upvote it.
Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.
Thanks for the explanation
You are welcome. I am appreciate you could accept my reply as answer and also glad to help you.
If you have any other issue or question about Windows system, welcome back to Microsoft Q&A.
Bests,
For 2012 R2 the Initial Deployment Phase comes with August 11, 2020—KB4571703 (Monthly Rollup) It will also be a part of any later cumulative updates listed here.
https://support.microsoft.com/en-us/help/4009470
The Enforcement Phase will come with the Feb 2021 cumulative update
--please don't forget to Accept as answer if the reply is helpful--
Thanks but i was talking specifically about the intial phase- those patches, the 'required' issue and only using security only updates, not rollups. Thanks
Ok, for 2012 R2 the Initial Deployment Phase also comes with August 11, 2020—KB4571723 (Security-only update) It will also be a part of any later security-only updates listed here.
https://support.microsoft.com/en-us/help/4009470
The Enforcement Phase will come with the Feb 2021 cumulative and security-only update
--please don't forget to Accept as answer if the reply is helpful--
Thanks but (to my understanding) monthly 'security only' updates are not cumulative so KB4571723 will not be part of later security only updates. I also think you are missing my point about the patch being superceeded (by KB4578013 although not included in the info) and KB4571723 no longer being required. Thanks
According to this one it is part of the August 11, 2020—KB4571723 (Security-only update)
https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1472
KB4571723 has been superseded by KB4577066 (Package Details tab)
https://www.catalog.update.microsoft.com/ScopedViewInline.aspx?updateid=41841c9a-956c-4b83-a626-58a1848f515b
--please don't forget to Accept as answer if the reply is helpful--