Windows Updates and CVE Secuirty

Ash73 21 Reputation points
2021-03-18T18:21:44.49+00:00

Hi, need to clarify whether Microsoft Windows Updates also include recent CVE security patch releases. This has been brought more into focus with a customer with the recent impact of the Microsoft exchange vulnerability. However installing a few hundred CVE updates is difficult as there are so many patches being released such as what is shown here: https://msrc.microsoft.com/update-guide Would a SIEM /WSUS solution be required to manage this. What is the best way to apply constant security cve updates to clients and servers. Should we just wait for them to appear on Windows Updates?

Windows Server
Windows Server
A family of Microsoft server operating systems that support enterprise-level management, data storage, applications, and communications.
12,620 questions
Windows 10 Security
Windows 10 Security
Windows 10: A Microsoft operating system that runs on personal computers and tablets.Security: The precautions taken to guard against crime, attack, sabotage, espionage, or another threat.
2,838 questions
0 comments No comments
{count} votes

3 answers

Sort by: Most helpful
  1. Rita Hu -MSFT 9,626 Reputation points
    2021-03-19T06:58:46.79+00:00

    Hi Ash73,

    Thanks for your posting on Q&A.

    whether Microsoft Windows Updates also include recent CVE security patch releases.
    Yes. All the hotfixes will be included in the Cumulative Updates.

    Would a SIEM /WSUS solution be required to manage this. What is the best way to apply constant security cve updates to clients and servers. Should we just wait for them to appear on Windows Updates?
    Deploying the latest Cumulative Updates and Service Stack Updates for the clients will be OK. The clients can get updates from WSUS Server or connect to the Internet to get updates from Windows Update.

    Hope the above will be helpful. Please feel free to keep us in touch if you have any questions.

    Regards,
    Rita


    If the response is helpful, please click "Accept Answer" and upvote it.
    Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.

    0 comments No comments

  2. Ash73 21 Reputation points
    2021-03-19T22:12:33.577+00:00

    Hi Rita,

    Thanks for your reply. So just to confirm windows updates will always be sufficient to obtain the latest security patches providing the original security prerequisite is present. If it isn't we will need to download a cve update first?

    wsus has been causing problems on the network with connection dropouts to remotely connected clients pc, so has temporally been removed. Clients get updates direct using windows update and the network issues that we were experiencing have virtually gone - so what is the best way to monitor if clients and servers are missing critical patches?

    I'm not seeing cumulative updates for server 2012r2 for example - only exchange software?

    Regards
    Ash

    0 comments No comments

  3. Rita Hu -MSFT 9,626 Reputation points
    2021-03-22T07:23:53.45+00:00

    Hello Ash,

    Thanks for your reply. So just to confirm windows updates will always be sufficient to obtain the latest security patches providing the original security prerequisite is present. If it isn't we will need to download a cve update first?
    In my opinion, all the security updates and non-security updates are included into the latest cumulative updates. There is no need to download the cve updates individually and deploy the latest CUs for the clients.

    wsus has been causing problems on the network with connection dropouts to remotely connected clients pc, so has temporally been removed. Clients get updates direct using windows update and the network issues that we were experiencing have virtually gone - so what is the best way to monitor if clients and servers are missing critical patches?
    Deploying the latest updates for the clients will be OK.

    I'm not seeing cumulative updates for server 2012r2 for example - only exchange software?
    The cumulative Updates are named as Monthly Rollup in windows server 2012R2. Please refer to the below link to install Monthly Rollup:
    https://support.microsoft.com/en-us/topic/windows-8-1-and-windows-server-2012-r2-update-history-47d81dd2-6804-b6ae-4112-20089467c7a6

    Hope the above will be helpful.

    Regards,
    Rita


    If the response is helpful, please click "Accept Answer" and upvote it.
    Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.

    0 comments No comments