11 posts in this topic

Hello,

 

Previously when approving updates in WSUS, I'd type in the security bulletin ID and then it would bring all the associated updates by KB article, i'd then right click approve and set deadlines.

 

This month and from now on Microsoft has removed the security bulletin and is only going for CVE Id's.  Upon searching this in WSUS I get no responses.

 

Any idea why not and should it?  The only other alternative is to search by KB article and approve and set deadlines but this would be in the hundreds!

 

Thanks

1 person likes this

Share this post


Link to post
Share on other sites

Try https://portal.msrc.microsoft.com/en-US/security-guidance

 

you may be able to work out via the KBs linked to CVEs that way.

 

Pain in the rear end, just spent this morning sifting thru it all for Aprils sec fixes. Whoever decided this was the way forward at MS should be strung up!

2 people like this

Share this post


Link to post
Share on other sites

Hi yeah I was looking at that earlier and if I look at one cve id it would come back with a number of different kb articles.

 

id then have to go to wsus, type in the kb seperately approve and set deadlines (we have about 30 different wsus groups with different times for when a server is safe to reboot)

 

then move onto the next kb, one cve i checked had around 25 kb's

 

then when thats done, move onto the next cve and repeat.

 

this new format is grim and what took an hour before is going to take a whole day :(

1 person likes this

Share this post


Link to post
Share on other sites

Posted (edited)

8 minutes ago, Dan~ said:

Hi yeah I was looking at that earlier and if I look at one cve id it would come back with a number of different kb articles.

 

id then have to go to wsus, type in the kb seperately approve and set deadlines (we have about 30 different wsus groups with different times for when a server is safe to reboot)

 

then move onto the next kb, one cve i checked had around 25 kb's

 

then when thats done, move onto the next cve and repeat.

 

this new format is grim and what took an hour before is going to take a whole day :(

Yep, ive fired over what ive found to our DTE team, see if they have any better ways of sifting through all the patches, I need to test each one in the test lab before releasing to production...such a pain in arse. Infact a bigger pain than WSUS has ever been! 

Yet another own goal by MS......best today was the zero day fixes are classed as security updates, not even "critical" most adms only auto-approve criticals....good chance a busy IT dept will miss them. Its being exploited in the wild, therefore ive spent all morning testing, pushed to production with a deadline of 17:00 today. 

 

most systems require 2 reboots to apply the patches.

1 person likes this

Share this post


Link to post
Share on other sites

Glad it's not just me hitting my head against the wall on this. They've axed the (useful, to the point) security bulletin, axed the MSxx-xxx numbers by which vulnerabilities were grouped, so left no way of actually searching for an entire group of patches in WSUS in a simple way. As has been said, if you could at least search on the CVE ID, it'd be a bit less painful.

 

The process of approving patches just went from taking like 15 minutes to an hour at least. I don't understand their logic sometimes.

1 person likes this

Share this post


Link to post
Share on other sites
On 4/20/2017 at 2:46 PM, Chicane-UK said:

Glad it's not just me hitting my head against the wall on this. They've axed the (useful, to the point) security bulletin, axed the MSxx-xxx numbers by which vulnerabilities were grouped, so left no way of actually searching for an entire group of patches in WSUS in a simple way. As has been said, if you could at least search on the CVE ID, it'd be a bit less painful.

 

The process of approving patches just went from taking like 15 minutes to an hour at least. I don't understand their logic sometimes.

Hey Chicane long time no see buddy :) 

 

Ive given up trying to find a better way, looks like its CVE comparing to tied KB and then hunt them down.....pain in rear end.

Share this post


Link to post
Share on other sites

Yeah not been so active on here recently!

 

Anyway - I've got a call with my Technical Account Manager and a 'Senior Risk Manager' from Microsoft tomorrow - so I will explain my process to them, and why this has caused significantly more work for me and some other WSUS users I know!

1 person likes this

Share this post


Link to post
Share on other sites
2 hours ago, Chicane-UK said:

Yeah not been so active on here recently!

 

Anyway - I've got a call with my Technical Account Manager and a 'Senior Risk Manager' from Microsoft tomorrow - so I will explain my process to them, and why this has caused significantly more work for me and some other WSUS users I know!

Give them hell from us server admins mate! they have taken a horrible labour intensive process, and made it take even longer! 

1 person likes this

Share this post


Link to post
Share on other sites

Spoke to a helpful guy from Microsoft today, and have a follow up call with him tomorrow where he should be running a screen sharing session so I can see some of his suggestions in a little more detail.

 

All of the changes seem to have been made around the information gathering exercise, with no thoughts really given to the approvals of updates. I think Microsoft just assume folks are simply downloading and approving all updates that they push, and not selectively approving them. In our case we simply don't approve versions of updates (for example) for Itanium systems as we simply don't have nor will we ever have Itanium hardware. It sounds to me like you work in a similar way?

 

I plan to explain that for folks like me and you, that the approval process has been made significantly harder. I appreciate that the process of getting information about specific CVE's or KB's has, arguably, been made slightly better.

1 person likes this

Share this post


Link to post
Share on other sites

Posted (edited)

2 hours ago, Chicane-UK said:

Spoke to a helpful guy from Microsoft today, and have a follow up call with him tomorrow where he should be running a screen sharing session so I can see some of his suggestions in a little more detail.

 

All of the changes seem to have been made around the information gathering exercise, with no thoughts really given to the approvals of updates. I think Microsoft just assume folks are simply downloading and approving all updates that they push, and not selectively approving them. In our case we simply don't approve versions of updates (for example) for Itanium systems as we simply don't have nor will we ever have Itanium hardware. It sounds to me like you work in a similar way?

 

I plan to explain that for folks like me and you, that the approval process has been made significantly harder. I appreciate that the process of getting information about specific CVE's or KB's has, arguably, been made slightly better.

Mate, i have no words but you are da bomb!!

 

There are some of us who have to test every patch on every level and combinations for all supported windows os'S and Ms software offerings on a monthly cycle......its now a full time role to multinationals.....im now expediting a network migration for my site to remove the dynamic natting so i can utilise SCCM and upwards patching process to desktops like my servers enjoy, i got site adm and emea projects to spend 9 to 5 in. I cant spend the amount of time it now requires to our granular level.

Share this post


Link to post
Share on other sites

Sorry I never came back over this. In the end, the phone call was a bit of a bust. He didn't really seem to entirely see my point of view about the problems we're having specifically around finding all the updates released for the month, and quickly approving them on the WSUS/SCCM server.

 

I'm working on some powershell scripts to query the new API they released, to obtain a list of patches that match our product critera and dump that out as a list of KB numbers, but my powershell skills are flimsy and it's proving to be a real ballache. I'll let you know if I get there anyway.

1 person likes this

Share this post


Link to post
Share on other sites

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!


Register a new account

Sign in

Already have an account? Sign in here.


Sign In Now

  • Recently Browsing   0 members

    No registered users viewing this page.