8 posts in this topic

Hello,

 

Previously when approving updates in WSUS, I'd type in the security bulletin ID and then it would bring all the associated updates by KB article, i'd then right click approve and set deadlines.

 

This month and from now on Microsoft has removed the security bulletin and is only going for CVE Id's.  Upon searching this in WSUS I get no responses.

 

Any idea why not and should it?  The only other alternative is to search by KB article and approve and set deadlines but this would be in the hundreds!

 

Thanks

1 person likes this

Share this post


Link to post
Share on other sites

Try https://portal.msrc.microsoft.com/en-US/security-guidance

 

you may be able to work out via the KBs linked to CVEs that way.

 

Pain in the rear end, just spent this morning sifting thru it all for Aprils sec fixes. Whoever decided this was the way forward at MS should be strung up!

2 people like this

Share this post


Link to post
Share on other sites

Hi yeah I was looking at that earlier and if I look at one cve id it would come back with a number of different kb articles.

 

id then have to go to wsus, type in the kb seperately approve and set deadlines (we have about 30 different wsus groups with different times for when a server is safe to reboot)

 

then move onto the next kb, one cve i checked had around 25 kb's

 

then when thats done, move onto the next cve and repeat.

 

this new format is grim and what took an hour before is going to take a whole day :(

1 person likes this

Share this post


Link to post
Share on other sites

Posted (edited)

8 minutes ago, Dan~ said:

Hi yeah I was looking at that earlier and if I look at one cve id it would come back with a number of different kb articles.

 

id then have to go to wsus, type in the kb seperately approve and set deadlines (we have about 30 different wsus groups with different times for when a server is safe to reboot)

 

then move onto the next kb, one cve i checked had around 25 kb's

 

then when thats done, move onto the next cve and repeat.

 

this new format is grim and what took an hour before is going to take a whole day :(

Yep, ive fired over what ive found to our DTE team, see if they have any better ways of sifting through all the patches, I need to test each one in the test lab before releasing to production...such a pain in arse. Infact a bigger pain than WSUS has ever been! 

Yet another own goal by MS......best today was the zero day fixes are classed as security updates, not even "critical" most adms only auto-approve criticals....good chance a busy IT dept will miss them. Its being exploited in the wild, therefore ive spent all morning testing, pushed to production with a deadline of 17:00 today. 

 

most systems require 2 reboots to apply the patches.

1 person likes this

Share this post


Link to post
Share on other sites

Glad it's not just me hitting my head against the wall on this. They've axed the (useful, to the point) security bulletin, axed the MSxx-xxx numbers by which vulnerabilities were grouped, so left no way of actually searching for an entire group of patches in WSUS in a simple way. As has been said, if you could at least search on the CVE ID, it'd be a bit less painful.

 

The process of approving patches just went from taking like 15 minutes to an hour at least. I don't understand their logic sometimes.

Share this post


Link to post
Share on other sites
On 4/20/2017 at 2:46 PM, Chicane-UK said:

Glad it's not just me hitting my head against the wall on this. They've axed the (useful, to the point) security bulletin, axed the MSxx-xxx numbers by which vulnerabilities were grouped, so left no way of actually searching for an entire group of patches in WSUS in a simple way. As has been said, if you could at least search on the CVE ID, it'd be a bit less painful.

 

The process of approving patches just went from taking like 15 minutes to an hour at least. I don't understand their logic sometimes.

Hey Chicane long time no see buddy :) 

 

Ive given up trying to find a better way, looks like its CVE comparing to tied KB and then hunt them down.....pain in rear end.

Share this post


Link to post
Share on other sites

Yeah not been so active on here recently!

 

Anyway - I've got a call with my Technical Account Manager and a 'Senior Risk Manager' from Microsoft tomorrow - so I will explain my process to them, and why this has caused significantly more work for me and some other WSUS users I know!

1 person likes this

Share this post


Link to post
Share on other sites
2 hours ago, Chicane-UK said:

Yeah not been so active on here recently!

 

Anyway - I've got a call with my Technical Account Manager and a 'Senior Risk Manager' from Microsoft tomorrow - so I will explain my process to them, and why this has caused significantly more work for me and some other WSUS users I know!

Give them hell from us server admins mate! they have taken a horrible labour intensive process, and made it take even longer! 

1 person likes this

Share this post


Link to post
Share on other sites

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!


Register a new account

Sign in

Already have an account? Sign in here.


Sign In Now

  • Recently Browsing   0 members

    No registered users viewing this page.