Patch Management Solution


Microsoft is switching Windows 7 and 8.1 to monthly cumulative updates, Windows 10-style

TeleFragger, Aug 22, 2016 01:07 PM

  • 1.  Microsoft is switching Windows 7 and 8.1 to monthly cumulative updates, Windows 10-style

    Posted Aug 22, 2016 07:31 AM

    Anyone see this already? We have a few Windows 10 boxes in production and are using the CSWU patches for them. Seems MS is taking that and applying it to Windows 7 and 8 which will be a problem. We have a vendor that has already told us of an issue with a patch and asked us to not apply it yet. So in the future you will either patch nothing or you will patch ALL...

     

    https://www.neowin.net/news/microsoft-is-switching-windows-7-and-81-to-monthly-cumulative-updates-windows-10-style

     



  • 2.  RE: Microsoft is switching Windows 7 and 8.1 to monthly cumulative updates, Windows 10-style

    Posted Aug 22, 2016 11:24 AM

    There's a Symantec Info article placeholder on this, subscribe to keep up to date:

    http://www.symantec.com/docs/INFO3895



  • 3.  RE: Microsoft is switching Windows 7 and 8.1 to monthly cumulative updates, Windows 10-style

    Posted Aug 22, 2016 01:07 PM

    thx will definitely do



  • 4.  RE: Microsoft is switching Windows 7 and 8.1 to monthly cumulative updates, Windows 10-style

    Trusted Advisor
    Posted Aug 24, 2016 10:30 AM

    Looking forward to it - will help clean up my Patch Remediation Center as I always like pushing 1 bulletin per patch policy to make disabling and deleting the superseded updates cleaner.



  • 5.  RE: Microsoft is switching Windows 7 and 8.1 to monthly cumulative updates, Windows 10-style

    Posted Sep 06, 2016 10:58 AM

    yeah we have 1 policy per patch now and yes there are tons... so while it will clean up it will create other issues...

     

    Our InfoSec team creates the priority of the patches from Sev Low (90d) to Sev High (5d)

    ..... If 1 patch out of the list becomes a High then now the entire package is listed as High

    ..... We typically don't deploy ALL patches thus why M$ is forcing hands but in our area that can and WILL break things. We deal with a non standard image where vendors supply machines with their OS and sw. We just got an email last month to not deploy 1 patch as it will break their software. Then we couldn't deploy ANY patches to ANY machine!

     

     



  • 6.  RE: Microsoft is switching Windows 7 and 8.1 to monthly cumulative updates, Windows 10-style

    Trusted Advisor
    Posted Oct 10, 2016 09:28 AM

    Bumping this thread since this month is the first month of the Win7/Win8 servicing changes (more info from MS

    From Symantec's info 3895

    "Advisory: Because Monthly Rollups and monthly security updates are packages as a single update; administrators will not be able to pick and choose which individual fixes will be deployed/installed.

    Symantec Corp. is consulting directly with Microsoft Corp. on this matter.  The Patch Management Solution is expected to support the monthly security updates and Monthly Rollups from Day 1."



  • 7.  RE: Microsoft is switching Windows 7 and 8.1 to monthly cumulative updates, Windows 10-style

    Posted Oct 10, 2016 01:23 PM

    yes I saw those updates. I hope something works... this is totally going to mess with our process...

     



  • 8.  RE: Microsoft is switching Windows 7 and 8.1 to monthly cumulative updates, Windows 10-style

    Posted Oct 11, 2016 04:16 PM

    I was having a hard time finding the right details for the latest updates. Here is the page with the links:

    https://support.microsoft.com/en-us/help/22801

    https://support.microsoft.com/en-us/help/24717



  • 9.  RE: Microsoft is switching Windows 7 and 8.1 to monthly cumulative updates, Windows 10-style

    Trusted Advisor
    Posted Oct 13, 2016 08:35 AM

    Thanks @Brandon - that was helpful.

    For Win7, it looks like 

    October 11, 2016 — KB 3192391 (Security only update) is in SB16-001
    October 11, 2016 — KB 3185330 (Monthly rollup) is in CR16-001

    My machines are scoped to both.  I'm installing CR16-001 now in testing scope and assuming computers will fall out of scope for SB16-001, but will confirm.

    Edit: Confirmed once machines got CR16-001 they fell out of scope for SB16-001 in my testing as expected.
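
A per-machine check for the scoping behaviour described in the post above, as an added example that is not part of the original thread: it reports whether a computer has the October 2016 monthly rollup (KB 3185330, CR16-001), the security-only update (KB 3192391, SB16-001), both, or neither. The function names and the sample computer names are hypothetical; the KB numbers are the ones quoted in the post.

```powershell
# Added example (not from the thread). The KB numbers and bulletin names are
# the October 11, 2016 Windows 7 values quoted in the post above.
$RollupKb       = 'KB3185330'   # Monthly rollup, bulletin CR16-001
$SecurityOnlyKb = 'KB3192391'   # Security only update, bulletin SB16-001

function Get-ServicingState {
    # Hypothetical helper: classify a machine from its list of installed KB ids.
    param([string[]]$InstalledKb = @())

    $hasRollup   = $InstalledKb -contains $RollupKb
    $hasSecurity = $InstalledKb -contains $SecurityOnlyKb

    if ($hasRollup -and $hasSecurity) { return 'Both installed' }
    if ($hasRollup)                   { return 'Rollup (CR16-001)' }
    if ($hasSecurity)                 { return 'Security only (SB16-001)' }
    return 'Neither installed'
}

function Test-OctoberServicing {
    # Hypothetical helper: query each computer and report which package it has.
    param([string[]]$ComputerName = @($env:COMPUTERNAME))

    foreach ($computer in $ComputerName) {
        try {
            # Get-HotFix reads Win32_QuickFixEngineering on the target machine.
            $installed = @(Get-HotFix -ComputerName $computer -ErrorAction Stop |
                           Select-Object -ExpandProperty HotFixID)
            $state = Get-ServicingState -InstalledKb $installed
        }
        catch {
            # Offline machine, blocked WMI, access denied: report it, do not guess.
            $state = 'Unreachable: ' + $_.Exception.Message
        }
        New-Object PSObject -Property @{ ComputerName = $computer; State = $state }
    }
}

# Constructed sample data (not real inventory) so the classification runs offline.
# KB0000001 is a placeholder for an unrelated update.
$sample = @{
    'TEST-PC01' = @('KB3185330', 'KB0000001')
    'TEST-PC02' = @('KB3192391')
    'TEST-PC03' = @('KB3185330', 'KB3192391')
    'TEST-PC04' = @()
}

foreach ($name in ($sample.Keys | Sort-Object)) {
    '{0}: {1}' -f $name, (Get-ServicingState -InstalledKb $sample[$name])
}

# Live query against real machines (names here are placeholders):
# Test-OctoberServicing -ComputerName 'TEST-PC01', 'TEST-PC02'
```

The check covers only the two October 2016 KBs named in the post; later months need their own KB numbers.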



  • 10.  RE: Microsoft is switching Windows 7 and 8.1 to monthly cumulative updates, Windows 10-style

    Posted Oct 13, 2016 09:43 AM

    this month's patches are in... and it looks business as usual. where they are individual downloads...

    Patch.jpg



  • 11.  RE: Microsoft is switching Windows 7 and 8.1 to monthly cumulative updates, Windows 10-style

    Trusted Advisor
    Posted Oct 13, 2016 10:00 AM

    Not for me TeleFragger - what OS are you downloading updates for?

    The bulletins I got today were

    CR16-001 (monthly rollup)
    SB16-001 (I skipped this one, covered in monthly rollup)
    MS16-121 (office)
    MS16-120 (silverlight/lync) - I had one install error on this one, I don't know if it is fighting with the rollup, it resolved itself on restart, I'm trying to get to the bottom of it.
     

    Under import patch data for windows - in terms of Windows product suites we only have Win10 Ent (x64) & a few versions of Win 7 selected.  

     



  • 12.  RE: Microsoft is switching Windows 7 and 8.1 to monthly cumulative updates, Windows 10-style

    Posted Oct 13, 2016 10:42 AM

    I'm downloading for ALL... 

    what I did notice is in my 3 environments only 2 had all the patches... and of course the 3rd is my production environment.

    I re-ran the pmimport.. waited for it to finish then went in and ran scheduled tasks. I will confess I don't know which scheduled tasks but any that said patch... and then they showed up 15 minutes later...

    so now all 3 of my environments are showing all the patches for this month on CMS 7.6 HF7



  • 13.  RE: Microsoft is switching Windows 7 and 8.1 to monthly cumulative updates, Windows 10-style

    Trusted Advisor
    Posted Oct 13, 2016 11:00 AM

    We're 7.6 too.  My best guess is one of the OS products you have checked isn't moving to the combined updates.

     

    "As we previously announced, we are moving to a rollup model for Windows 7 SP1, Windows 8.1, Windows Server 2008 R2, Windows Server 2012, and Windows Server 2012 R2 updates."



  • 14.  RE: Microsoft is switching Windows 7 and 8.1 to monthly cumulative updates, Windows 10-style

    Posted Oct 13, 2016 11:26 AM

    I am seeing SB16-001, CR16-001, and MS16-118 through MS16-127. Super confused. Do I need to deploy both SB16-001 and MS16-118 through MS16-127 then to cover security updates only? What a mess. It would be helpful if Symantec would provide real guidance rather than links to Microsoft.



  • 15.  RE: Microsoft is switching Windows 7 and 8.1 to monthly cumulative updates, Windows 10-style

    Posted Oct 13, 2016 03:59 PM

    OK...after lots of reading and looking at what systems show vulnerable to what, I'm finally starting to figure this out. NOT happy. These rollups are HUGE and frequently fail in download requiring manual intervention. Because of our environment, I will likely end up sending CR16-001 to desktops. SB16-001 to servers. MS16-118 through MS16-127 to everything. All after as much testing as possible. This will triple my work for awhile. In addition, sounds like I will have to disable automatic download of pmimports and handle that manually. Plus a lot more WAN traffic since not every branch has site servers. ...and what happens, seriously, when the rollup breaks something?

    The advantages listed by Symantec for using Patch Management with this new MS model are not impressive...seriously -I can make monthly rollups hang around longer? This is not simpler, it's stupider. Yes it's on Microsoft...but it's also on Symantec for not anticipating the needs of its customers. Why in the world don't we have the ability to easily pull off a security patch (now rollup) yet? We've been asking for it for years. Our agency has been tilting toward new products for a very long time helped along by Symantec's removal of functionality we used...I've been fighting to keep ITMS because our tiered server patch, reboot, and check (with task scripts) process was highly dependent upon it. I suspect our already scheduled upgrade to ITMS8 will be our last.



  • 16.  RE: Microsoft is switching Windows 7 and 8.1 to monthly cumulative updates, Windows 10-style

    Posted Oct 13, 2016 05:38 PM

    MS16-120, https://technet.microsoft.com/en-us/library/security/ms16-120.aspx, includes "Microsoft .NET Framework – Security Only Release" and "Microsoft .NET Framework – Monthly Rollup Release" patches. This is just like the Windows ones where one is security only and the other is security and non-security.

    For the Windows patches, Shavlik created CR16-001 and SB16-001 for the Windows patches. I believe they need to do the same for the .NET Framework patches.

    When creating the package, I believe we need to uncheck which ones we don't want. If all are checked, both patches will try to install which I don't think is a good idea.



  • 17.  RE: Microsoft is switching Windows 7 and 8.1 to monthly cumulative updates, Windows 10-style

    Posted Oct 14, 2016 08:39 AM

    So, has anyone else figured this one out yet?  I'm trying to stage patches for our company's patch week next week and the fact that BOTH the rollup and the regular MS patches are in there is incredibly confusing.  Worse still, I have a group of specialized servers that cannot be patched by ITMS and have to be patched manually for specific (MS Sharepoint associated) patches.  I'm not sure how to proceed.  Can I get away with just ignoring the SB patches and going with the MS ones?  They appear to download normally.  Is there something I am missing by NOT using the SB patches?

    Symantec needs to get on the ball and clearly and in plain language explain how this works.

    EDIT:  After discussing it with our desktop patch manager  (we split desktop and server patching duties.)  We are going to ignore the SB and CR patches for now and continue to patch using our existing method with the MS patches, since it appears that the SB and CR patches are entirely optional.  At least for now.  We will be watching for any changes to this.



  • 18.  RE: Microsoft is switching Windows 7 and 8.1 to monthly cumulative updates, Windows 10-style

    Posted Oct 14, 2016 01:32 PM

    matthew_mooney,

    SB and CR are optional if you don't want to patch this month. Those *are* the new style of patches. I would think at a minimum you should be doing SB16-001. If you want to include hotfixes do CR16-001 then you don't need to enable SB16-001. We split the roles as well and so you should stage one then each add your filter to the policy independently when you are ready.

    The one that is a hot mess is whatever is going on in MS16-120. I agree with previous comments that .NET should get its own bulletin.

    Here is how I see it:

    SB16-001 All Windows (7 SP1 x86 and 64, 2008 R2, 8.1, 2012 R2) Security Only Update
    -OR-
    CR16-001 All Windows (7 SP1 x86 and 64, 2008 R2, 8.1, 2012 R2) Monthly Update

    CSWU-036 All Windows 10 (Gold, 1511, 1607) and Windows Server 2016 Monthly Update


    MS16-121 Office 2007, 2010, 2013(RT), 2016 Monthly Update

    MS16-123 All Windows Kernel Monthly Update

    MS16-124 All Windows Registry Monthly Update

    MS16-127 Windows (8.1(RT), 2012(R2), Windows 10) Flash Monthly Update

    MS16-120 All Windows Silverlight/Lync Monthly Update
    MS16-120 Windows 8.1 and Server 2012 R2 .NET 3.5 Monthly Update

    MS16-126 All Desktop Windows Instant Messaging Monthly Update



  • 19.  RE: Microsoft is switching Windows 7 and 8.1 to monthly cumulative updates, Windows 10-style

    Posted Oct 14, 2016 01:53 PM

    I think there will be some tweaking in the future especially with the non SB/CR bulletins and the way those are handled. I'm totally with you on a new product, but the process is really the same on the Altiris side of things. For your WAN bandwidth you might want to re-evaluate your agent throttling settings and blackouts so it isn't noticeable. The SB/CR's are what used to be a lot of MS16's, and now it seems the MS16's are optional, meaning driven by your environment and patching policies. If you disable pmimport you better subscribe and watch the releases carefully: https://support.symantec.com/en_US/article.HOWTO73079.html



  • 20.  RE: Microsoft is switching Windows 7 and 8.1 to monthly cumulative updates, Windows 10-style

    Posted Oct 14, 2016 02:42 PM

    Brandon,

    From what I can see I'm not convinced that the SB and CR patches are required.

    Yet.

    I did a quick comparison of what the MS patches downloaded and it appears to match what the MS patches are listed as containing from Microsoft.  IE:  they are already complete.  Our Desktop Patch Manager has a call in with Symantec now and he's trying to get to the bottom of it, but at this moment it does appear that you can patch with JUST the MS patches as previously.

    Again, take that with a large grain of salt. It probably couldn't hurt to roll out the other patches as well (perhaps separately)  but I'm really thinking they aren't yet necessary.

    Here's hoping that Symantec has worked out a deal with Microsoft to offer both going forward.  (Apparently that was in the works?)



  • 21.  RE: Microsoft is switching Windows 7 and 8.1 to monthly cumulative updates, Windows 10-style

    Posted Oct 14, 2016 02:52 PM

    It is a little confusing why some don't seem to be available separately for me like 101. The pmimport release notes are broken at the moment. I am curious to hear what information you find.



  • 22.  RE: Microsoft is switching Windows 7 and 8.1 to monthly cumulative updates, Windows 10-style

    Trusted Advisor
    Posted Oct 17, 2016 08:56 AM

    We are Win7 Ent x64 in production and have had good success pushing the following updates.  I'm not seeing other separate updates as some of you are seeing (we only download limited OS updates in the PMImport though).

    CR16-001 (monthly rollup)
    MS16-121 (office)
    MS16-120 (silverlight/lync) - I had one install error on this one, I don't know if it is fighting with the rollup, it resolved itself on restart, I'm trying to get to the bottom of it.



  • 23.  RE: Microsoft is switching Windows 7 and 8.1 to monthly cumulative updates, Windows 10-style

    Posted Oct 17, 2016 07:40 PM

    You are the second person reporting this issue with MS16-120. The reason that it's fighting is because MS16-120 by default includes "Microsoft .NET Framework – Security Only Release" and "Microsoft .NET Framework – Monthly Rollup Release" among other patches affecting Office, Lync, and Silverlight. I didn't have the issue because I unchecked every patch that was for "Microsoft .NET Framework – Security Only Release".



  • 24.  RE: Microsoft is switching Windows 7 and 8.1 to monthly cumulative updates, Windows 10-style

    Posted Oct 18, 2016 07:15 AM

    wow this is totally confusing...

    we have never patched "everything" and due to windows 10 and CSWU - patch ALL... we took that approach and went backwards in April to do all Important/Critical patches. no optional and no office. I am trying to catch the environment up before attempting to even look at Office!

    so this month I will be deploying:
    MS16-118, MS16-122, MS16-123, MS16-124, MS16-126 and MS16-127. What would appear to be a typical month for me... however..

    I have to figure this SB16-001 and CR16-001 out!

    I guess the big guess will be next month if I do not see any MS16's then I am SOL... hah..

     

    on a side note all these patches screw another thing up... our InfoSec team made MS16-119 - Update for Edge - Critical. Which has to be deployed in 5 days. I had to hit him up and explain to him that this just meant I had to deploy ALL patches to Win10. Now of course he doesn't care as he expects all patches to be deployed..  but I had to explain to him that once this happens in Win7/8.1 and if he does this... and if there is no way to separate out patches for Win7... that means I have to hit my 4,000 machines I manage and the SCCM side of our Co has to slam ohhh 36,000 !!!!!! This caught him off guard... 

     

    ooooh the fun! We having fun yet?!?!?!?!?!



  • 25.  RE: Microsoft is switching Windows 7 and 8.1 to monthly cumulative updates, Windows 10-style

    Posted Oct 18, 2016 07:38 AM

    so here is something I just caught on... very interesting..

     

    if I click Actions> Software> Patch Remediation Settings I get...

    PatchMissing.jpg

     

    now if I go Home> Patch Management I get a totally different screen with All the patches I am missing in that first pic...

    PatchGood.jpg



  • 26.  RE: Microsoft is switching Windows 7 and 8.1 to monthly cumulative updates, Windows 10-style

    Trusted Advisor
    Posted Oct 20, 2016 12:45 PM

    @telefragger

    Looks like I see some extra bulletins under software bulletin details too.  Weird.  I only ever work out of remediation center and then compare to what win update on test machines say I need.  So far so good just pushing the updates I outlined above.

     

     



  • 27.  RE: Microsoft is switching Windows 7 and 8.1 to monthly cumulative updates, Windows 10-style

    Posted Oct 27, 2016 03:48 PM

    Patch Remediation only looks for patches that have machines where they apply.  If you look at the Software Bulletin page under Applies To you see a bunch of 0's.  You won't see them on the Patch Remediation page because you have no machines needing those updates.  The Software Bulletin page shows everything including Bulletins that have been superseded.  However, you will not see those updates or bulletins on any of the Compliance Reports. 

    From what I have read the new cumulative updates are not optional if you want to stay up-to-date.  If you dig into the MS-XXX for October you will see there are differences.  I have been setting a custom severity, but determining if it is for clients, servers, XEN servers, etc....  I have not seen any duplication of updates by bulletin.  So, I think if you do the MS-xxx updates only you may end up missing security updates for Win 7/ server 2008.



  • 28.  RE: Microsoft is switching Windows 7 and 8.1 to monthly cumulative updates, Windows 10-style

    Posted Nov 07, 2016 10:26 AM

    wow I so overlooked the 0's !!!! that is bad! I have to send an email pre and post patch deployment to fda regulated instrument owners... I gave the list but only 1 actually went. This is not bad as I have to give an FYI they will go if applicable and I can say only 1 was (MS16-120) ... just sloppy.. oh well...

     

    can't wait for the fun this month...guess I'll just make it simple and deploy SB16-001 and SB16-002 as I believe these are still monthly patches and not just like the CSWU where you need to disable the previous. Unless I am wrong please let me know!



  • 29.  RE: Microsoft is switching Windows 7 and 8.1 to monthly cumulative updates, Windows 10-style

    Posted Nov 10, 2016 07:40 AM

    I am truly lost now...

     

    this month's patches... Patch remediation center shows ALL individual patches. I was able to download 1 and setup a policy for it. Then if I click the patch from the list and click Targeted... I get 0 .... 

    so first question...
    Why bother allowing us to download individual patches as we can set them up but they are not going to go anywhere???

    SBDetails.jpg

    Windows compliance by bulletin doesn't even show the new patches yet. Not even SB16-xxx!!!!!

    Is there something that has to happen before Compliance bulletins will show this month's? I know I am hitting on Symantec Patch Thursday @ 7:39am EST.

     

    Compliance.jpg



  • 30.  RE: Microsoft is switching Windows 7 and 8.1 to monthly cumulative updates, Windows 10-style

    Trusted Advisor
    Posted Nov 10, 2016 10:07 AM


    @telefragger - here's my windows compliance by bulletin.  I am planning on pushing CR16-002 (rollup) & MS16-133 (office) and then comparing against windows update to see what else I'm missing.

     

     



  • 31.  RE: Microsoft is switching Windows 7 and 8.1 to monthly cumulative updates, Windows 10-style

    Posted Nov 10, 2016 10:51 AM

    so you are only running Windows 7 SP1 and server 2008 R2 SP1?

    that is all CR16-002 entails.



  • 32.  RE: Microsoft is switching Windows 7 and 8.1 to monthly cumulative updates, Windows 10-style

    Trusted Advisor
    Posted Nov 10, 2016 11:50 AM

    yea, sorry we're Windows 7 SP1. we're fortunate enough with our refresh schedule to standardize. 



  • 33.  RE: Microsoft is switching Windows 7 and 8.1 to monthly cumulative updates, Windows 10-style

    Posted Nov 10, 2016 12:16 PM

    NICE... yeah we are a mix environment and get machines from vendors too thus we do have a standard image but not as much as we would like.

     



  • 34.  RE: Microsoft is switching Windows 7 and 8.1 to monthly cumulative updates, Windows 10-style

    Posted Nov 22, 2016 07:03 PM

    Does anyone know why last month the security-only bulletin had both Windows6.1 and Windows6.3 together (001) and for November the Windows6.1 (002) and Windows6.3 (004) were split up? Where did 003 go?

    I'm also confused why Windows 10 doesn't have a security only and cumulative category and instead everything is together under "CSWU-".

    Is this a case of Shavlik still figuring how this is going to work going forward?



  • 35.  RE: Microsoft is switching Windows 7 and 8.1 to monthly cumulative updates, Windows 10-style

    Posted Nov 23, 2016 06:05 AM

    With Windows 7 and 8.1, each patch should be downloaded and installed individually, and it is common to see that perhaps a dozen or more of these fixes hit Windows Update at a time, every few weeks. That's not so problematic for systems that are updated regularly, but if you have not updated a PC for a while, you may end up having to download scores of these updates at once. If you perform a clean installation of the operating system, you may need to install hundreds of these individual patches to upgrade your system.

    The cumulative update model of Windows 10 adds all the previous updates into a single "newer version." Even if a user does a new installation of a much earlier version of Windows 10, they only need to grab the last cumulative update to get all the patches and security fixes released until the most recent versions. This will be the new upgrade model for previous versions of Windows.



  • 36.  RE: Microsoft is switching Windows 7 and 8.1 to monthly cumulative updates, Windows 10-style

    Posted Nov 23, 2016 12:12 PM

    As a Windows 10 example:

     

    CSWU-040 Cumulative Security Update for Windows 10: November 8, 2016

    CSWU-041 Cumulative update for Windows 10: November 15, 2016

    ---

    CSWU-036 Cumulative Security Update for Windows 10: October 11, 2016

    CSWU-037 Cumulative Update for Windows 10 Version 1511: October 18, 2016

     

    It looks like we have patch Tuesday, and reliability Wednesday. Maybe I missed an announcement.



  • 37.  RE: Microsoft is switching Windows 7 and 8.1 to monthly cumulative updates, Windows 10-style

    Trusted Advisor
    Posted Apr 17, 2017 07:02 PM

    Here's a link explaining all the new naming conventions in patch.  Monthly updates that were MS-CR-xx  are now MS-MRX-XX.



  • 38.  RE: Microsoft is switching Windows 7 and 8.1 to monthly cumulative updates, Windows 10-style

    Posted Apr 18, 2017 11:07 AM

    this new way is just flat out horrible....

     

    I was able to create a report and get some information that I used to email out to our regulated environment. I am trying to critique it to be able to email out with minimal questions from users....

     

    if it helps anyone else... %numdays% is a report parameter... use sql below or dl xml..

    -- Bulletins first released within the last %numdays% days
    -- (%numdays% is a report parameter substituted before the query runs)
    select t1.Name, t0.FirstReleaseDate, t1.Description, t0.Summary, t0.LastRevisionDate, t0.PrimaryInfoURL
    from Inv_Software_Bulletin t0
        join vitem t1 on t0._ResourceGuid = t1.Guid
    where (datediff(dd, t0.[FirstReleaseDate], getdate()) < %numdays%)
    order by t0.FirstReleaseDate, t1.Name
