Windows Updates and CVE Secuirty

Question

Hi, need to clarify whether Microsoft Windows Updates also include recent CVE security patch releases. This has been brought more into focus with a customer with the recent impact of the Microsoft exchange vulnerability. However installing a few hundred CVE updates is difficult as there are so many patches being released such as what is shown here: https://msrc.microsoft.com/update-guide Would a SIEM /WSUS solution be required to manage this. What is the best way to apply constant security cve updates to clients and servers. Should we just wait for them to appear on Windows Updates?

Answer 1

Hi Ash73,

Thanks for your posting on Q&A.

whether Microsoft Windows Updates also include recent CVE security patch releases.
Yes. All the hotfixes will be included in the Cumulative Updates.

Would a SIEM /WSUS solution be required to manage this. What is the best way to apply constant security cve updates to clients and servers. Should we just wait for them to appear on Windows Updates?
Deploying the latest Cumulative Updates and Service Stack Updates for the clients will be OK. The clients can get updates from WSUS Server or connect to the Internet to get updates from Windows Update.

Hope the above will be helpful. Please feel free to keep us in touch if you have any questions.

Regards,
Rita

---

If the response is helpful, please click "Accept Answer" and upvote it.
Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.

Answer 2

Hi Rita,

Thanks for your reply. So just to confirm windows updates will always be sufficient to obtain the latest security patches providing the original security prerequisite is present. If it isn't we will need to download a cve update first?

wsus has been causing problems on the network with connection dropouts to remotely connected clients pc, so has temporally been removed. Clients get updates direct using windows update and the network issues that we were experiencing have virtually gone - so what is the best way to monitor if clients and servers are missing critical patches?

I'm not seeing cumulative updates for server 2012r2 for example - only exchange software?

Regards
Ash

Answer 3

Hello Ash,

Thanks for your reply. So just to confirm windows updates will always be sufficient to obtain the latest security patches providing the original security prerequisite is present. If it isn't we will need to download a cve update first?
In my opinion, all the security updates and non-security updates are included into the latest cumulative updates. There is no need to download the cve updates individually and deploy the latest CUs for the clients.

wsus has been causing problems on the network with connection dropouts to remotely connected clients pc, so has temporally been removed. Clients get updates direct using windows update and the network issues that we were experiencing have virtually gone - so what is the best way to monitor if clients and servers are missing critical patches?
Deploying the latest updates for the clients will be OK.

I'm not seeing cumulative updates for server 2012r2 for example - only exchange software?
The cumulative Updates are named as Monthly Rollup in windows server 2012R2. Please refer to the below link to install Monthly Rollup:
https://support.microsoft.com/en-us/topic/windows-8-1-and-windows-server-2012-r2-update-history-47d81dd2-6804-b6ae-4112-20089467c7a6

Hope the above will be helpful.

Regards,
Rita

---

If the response is helpful, please click "Accept Answer" and upvote it.
Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.