How to check if CVE vulnerability has been patched on multiple workstations?

Magladroth 1 Reputation point
2020-12-11T13:38:53.033+00:00

Hello,

I recently read an article concerning a variety of CVE vulnerabilities and the necessity to install the corresponding patches.

We are a small IT service provider and manage about 200 workstations, so it's rather time-consuming to check each PC for all the patches mentioned in the individual CVE articles.
Additionally, some of the patches mentioned are a few years old, so I'm thinking they have been replaced by newer security updates/rollups with different IDs. I know in MS's update catalog you can see the updates which replaced the previous ones, but it still sounds like a lot of micromanaging to do that for every single workstation.

Does anyone have experience with a similar situation? Any advice would be much appreciated.

Regards

Mag


2 answers

  1. Dave Patrick 426.1K Reputation points MVP
    2020-12-11T15:05:41.653+00:00

    Updates are now cumulative so installing the latest SSU, followed by the latest cumulative update should cover it.
    https://support.microsoft.com/en-us/help/4009469/windows-7-sp1-windows-server-2008-r2-sp1-update-history

    also for ESU
    https://support.microsoft.com/en-us/help/4522133/procedure-to-continue-receiving-security-updates

    --please don't forget to Accept as answer if the reply is helpful--


  2. Joy Qiao 4,886 Reputation points Microsoft Employee
    2020-12-14T02:58:07.42+00:00

    Hi Mag,

    Yes, as the latest system update will replace previously released updates, just keeping all workstations installed with the latest update package will avoid this issue.

    We could deploy updates with WSUS, which is a role in Server, or manage updates with SCCM (a management tool that needs to be paid for), so that it would be more convenient to keep them updated.

    We could refer to the official article for deploying updates: Step 3: Approve and Deploy Updates in WSUS

    We could also check the system version with the command "winver" and compare the OS build number with the Windows update history left navigation panel below to know if it is the latest version.

    Bests,

    ============================================

    If the Answer is helpful, please click "Accept Answer" and upvote it.
    Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.

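The build-number comparison suggested in the second answer can be run across many workstations at once instead of opening winver on each PC. The following is an added example, not code from either answer or from Microsoft; it assumes PowerShell remoting (WinRM) is enabled on the workstations, and the function names, the minimum revisions and `workstations.txt` are hypothetical placeholders.

```powershell
# Minimum acceptable revision per OS build. PLACEHOLDER values: replace them
# with the revision listed on the Windows update history page for the patch
# level you require.
$MinimumRevision = @{
    '19041' = 100   # placeholder, not a real patch level
    '18363' = 100   # placeholder, not a real patch level
}

function Get-OsBuild {
    param([string[]]$ComputerName)
    # CurrentBuild and UBR together form the "OS Build" that winver displays.
    # Unreachable hosts return nothing: diff the output against the input list.
    Invoke-Command -ComputerName $ComputerName -ErrorAction SilentlyContinue -ScriptBlock {
        $cv = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion'
        [pscustomobject]@{
            Computer = $env:COMPUTERNAME
            Build    = [string]$cv.CurrentBuild
            Revision = $cv.UBR   # $null where the value does not exist
        }
    }
}

function Test-BuildCompliance {
    param([Parameter(ValueFromPipeline)]$Inventory, [hashtable]$Minimum)
    process {
        $min = $Minimum[$Inventory.Build]   # $null when the build is not listed
        if ($null -eq $min)                     { $status = 'UnknownBuild' }
        elseif ($null -eq $Inventory.Revision)  { $status = 'NoRevision' }
        elseif ($Inventory.Revision -ge $min)   { $status = 'Current' }
        else                                    { $status = 'Outdated' }
        [pscustomobject]@{
            Computer = $Inventory.Computer
            OsBuild  = '{0}.{1}' -f $Inventory.Build, $Inventory.Revision
            Status   = $status
        }
    }
}

# Constructed sample inventory so the comparison can be tried offline.
$sample = @(
    [pscustomobject]@{ Computer = 'WS-001'; Build = '19041'; Revision = 150 }
    [pscustomobject]@{ Computer = 'WS-002'; Build = '19041'; Revision = 42 }
    [pscustomobject]@{ Computer = 'WS-003'; Build = '7601';  Revision = $null }
)
$sample | Test-BuildCompliance -Minimum $MinimumRevision | Format-Table

# Against real machines (names read from a hypothetical workstations.txt):
# Get-OsBuild -ComputerName (Get-Content .\workstations.txt) |
#     Test-BuildCompliance -Minimum $MinimumRevision
```

Machines reported as `UnknownBuild` or `NoRevision` need a manual check, since the table has no baseline for them.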