Dan~ Posted April 12, 2017 Share Posted April 12, 2017 Hello, Previously when approving updates in WSUS, I'd type in the security bulletin ID and then it would bring all the associated updates by KB article, i'd then right click approve and set deadlines. This month and from now on Microsoft has removed the security bulletin and is only going for CVE Id's. Upon searching this in WSUS I get no responses. Any idea why not and should it? The only other alternative is to search by KB article and approve and set deadlines but this would be in the hundreds! Thanks goretsky 1 Share Link to comment Share on other sites More sharing options...
Mando Posted April 12, 2017 Share Posted April 12, 2017 Try https://portal.msrc.microsoft.com/en-US/security-guidance you may be able to work out via the KBs linked to CVEs that way. Pain in the rear end, just spent this morning sifting thru it all for Aprils sec fixes. Whoever decided this was the way forward at MS should be strung up! goretsky and Danielx64 2 Share Link to comment Share on other sites More sharing options...
Dan~ Posted April 12, 2017 Author Share Posted April 12, 2017 Hi yeah I was looking at that earlier and if I look at one cve id it would come back with a number of different kb articles. id then have to go to wsus, type in the kb seperately approve and set deadlines (we have about 30 different wsus groups with different times for when a server is safe to reboot) then move onto the next kb, one cve i checked had around 25 kb's then when thats done, move onto the next cve and repeat. this new format is grim and what took an hour before is going to take a whole day goretsky 1 Share Link to comment Share on other sites More sharing options...
Mando Posted April 12, 2017 Share Posted April 12, 2017 (edited) 8 minutes ago, Dan~ said: Hi yeah I was looking at that earlier and if I look at one cve id it would come back with a number of different kb articles. id then have to go to wsus, type in the kb seperately approve and set deadlines (we have about 30 different wsus groups with different times for when a server is safe to reboot) then move onto the next kb, one cve i checked had around 25 kb's then when thats done, move onto the next cve and repeat. this new format is grim and what took an hour before is going to take a whole day Yep, ive fired over what ive found to our DTE team, see if they have any better ways of sifting through all the patches, I need to test each one in the test lab before releasing to production...such a pain in arse. Infact a bigger pain than WSUS has ever been! Yet another own goal by MS......best today was the zero day fixes are classed as security updates, not even "critical" most adms only auto-approve criticals....good chance a busy IT dept will miss them. Its being exploited in the wild, therefore ive spent all morning testing, pushed to production with a deadline of 17:00 today. most systems require 2 reboots to apply the patches. goretsky 1 Share Link to comment Share on other sites More sharing options...
Chicane-UK Veteran Posted April 20, 2017 Veteran Share Posted April 20, 2017 Glad it's not just me hitting my head against the wall on this. They've axed the (useful, to the point) security bulletin, axed the MSxx-xxx numbers by which vulnerabilities were grouped, so left no way of actually searching for an entire group of patches in WSUS in a simple way. As has been said, if you could at least search on the CVE ID, it'd be a bit less painful. The process of approving patches just went from taking like 15 minutes to an hour at least. I don't understand their logic sometimes. Mando 1 Share Link to comment Share on other sites More sharing options...
Mando Posted April 21, 2017 Share Posted April 21, 2017 On 4/20/2017 at 2:46 PM, Chicane-UK said: Glad it's not just me hitting my head against the wall on this. They've axed the (useful, to the point) security bulletin, axed the MSxx-xxx numbers by which vulnerabilities were grouped, so left no way of actually searching for an entire group of patches in WSUS in a simple way. As has been said, if you could at least search on the CVE ID, it'd be a bit less painful. The process of approving patches just went from taking like 15 minutes to an hour at least. I don't understand their logic sometimes. Hey Chicane long time no see buddy Ive given up trying to find a better way, looks like its CVE comparing to tied KB and then hunt them down.....pain in rear end. Link to comment Share on other sites More sharing options...
Chicane-UK Veteran Posted April 24, 2017 Veteran Share Posted April 24, 2017 Yeah not been so active on here recently! Anyway - I've got a call with my Technical Account Manager and a 'Senior Risk Manager' from Microsoft tomorrow - so I will explain my process to them, and why this has caused significantly more work for me and some other WSUS users I know! Mando 1 Share Link to comment Share on other sites More sharing options...
Mando Posted April 24, 2017 Share Posted April 24, 2017 2 hours ago, Chicane-UK said: Yeah not been so active on here recently! Anyway - I've got a call with my Technical Account Manager and a 'Senior Risk Manager' from Microsoft tomorrow - so I will explain my process to them, and why this has caused significantly more work for me and some other WSUS users I know! Give them hell from us server admins mate! they have taken a horrible labour intensive process, and made it take even longer! Chicane-UK 1 Share Link to comment Share on other sites More sharing options...
Chicane-UK Veteran Posted April 25, 2017 Veteran Share Posted April 25, 2017 Spoke to a helpful guy from Microsoft today, and have a follow up call with him tomorrow where he should be running a screen sharing session so I can see some of his suggestions in a little more detail. All of the changes seem to have been made around the information gathering exercise, with no thoughts really given to the approvals of updates. I think Microsoft just assume folks are simply downloading and approving all updates that they push, and not selectively approving them. In our case we simply don't approve versions of updates (for example) for Itanium systems as we simply don't have nor will we ever have Itanium hardware. It sounds to me like you work in a similar way? I plan to explain that for folks like me and you, that the approval process has been made significantly harder. I appreciate that the process of getting information about specific CVE's or KB's has, arguably, been made slightly better. Mando 1 Share Link to comment Share on other sites More sharing options...
Mando Posted April 25, 2017 Share Posted April 25, 2017 (edited) 2 hours ago, Chicane-UK said: Spoke to a helpful guy from Microsoft today, and have a follow up call with him tomorrow where he should be running a screen sharing session so I can see some of his suggestions in a little more detail. All of the changes seem to have been made around the information gathering exercise, with no thoughts really given to the approvals of updates. I think Microsoft just assume folks are simply downloading and approving all updates that they push, and not selectively approving them. In our case we simply don't approve versions of updates (for example) for Itanium systems as we simply don't have nor will we ever have Itanium hardware. It sounds to me like you work in a similar way? I plan to explain that for folks like me and you, that the approval process has been made significantly harder. I appreciate that the process of getting information about specific CVE's or KB's has, arguably, been made slightly better. Mate, i have no words but you are da bomb!! There are some of us who have to test every patch on every level and combinations for all supported windows os'S and Ms software offerings on a monthly cycle......its now a full time role to multinationals.....im now expediting a network migration for my site to remove the dynamic natting so i can utilise SCCM and upwards patching process to desktops like my servers enjoy, i got site adm and emea projects to spend 9 to 5 in. I cant spend the amount of time it now requires to our granular level. Link to comment Share on other sites More sharing options...
Chicane-UK Veteran Posted May 9, 2017 Veteran Share Posted May 9, 2017 Sorry I never came back over this. In the end, the phone call was a bit of a bust. He didn't really seem to entirely see my point of view about the problems we're having specifically around finding all the updates released for the month, and quickly approving them on the WSUS/SCCM server. I'm working on some powershell scripts to query the new API they released, to obtain a list of patches that match our product critera and dump that out as a list of KB numbers, but my powershell skills are flimsy and it's proving to be a real ballache. I'll let you know if I get there anyway. Mando 1 Share Link to comment Share on other sites More sharing options...
Steven Posted August 2, 2017 Share Posted August 2, 2017 On 5/9/2017 at 5:48 AM, Chicane-UK said: Sorry I never came back over this. In the end, the phone call was a bit of a bust. He didn't really seem to entirely see my point of view about the problems we're having specifically around finding all the updates released for the month, and quickly approving them on the WSUS/SCCM server. I'm working on some powershell scripts to query the new API they released, to obtain a list of patches that match our product critera and dump that out as a list of KB numbers, but my powershell skills are flimsy and it's proving to be a real ballache. I'll let you know if I get there anyway. ADRs would be the solution, I believe. Have you used them before? Link to comment Share on other sites More sharing options...
Recommended Posts