Windows Update - Part 3: Patch Management

The Four Phases of Patch Management:

1. Assess
2. Identify
3. Evaluate and Plan
4. Deploy

2014 ~ 2025: cloud-first, WaaS decade

Windows as a Service

Servicing channels

• General Availability Channel
• Long-Term Servicing Channel
• Insider Program

Options

• Windows Update (WU): Consumer devices
• Windows Update for Business (WUfB): Non mission critical systems
  • Distribution rings, Maintenance windows, Peer to peer delivery, Integration with existing tools
  • Features include setting up device groups with staggered deployments and scaling deployments with network optimizations.
  • Windows Update for Business has been renamed to Windows Update client policies. -- 2025
• Windows Server Update Services (WSUS): Special System
  • WSUS allows companies not only to defer updates but also to selectively approve them, choose when they're delivered, and determine which individual devices or groups of devices receive them.
  • no longer actively developed -- 2024

Servicing tools

• WSUS - no longer actively developed
• Configuration Manager
  • System Center Configuration Manager (2007) -> Microsoft Endpoint Configuration Manager (2019) -> Microsoft Configuration Manager (2023)
  • Configuration Manager is part of the Microsoft Intune family of products. - 2023
• Group Policy Management Console
• Microsoft Intune
• Windows Autopatch
  • Windows Hotpatch
  • Windows Update for Business Deployment Service, woven into Windows Autopatch
• Azure Update Manager

Initiative

• Secure Future Initiative - 2023

2007 ~ 2013

Component Based Servicing

Information

• Windows Update, http://update.microsoft.com
• Microsoft Update, http://update.microsoft.com/microsoftupdate
• Microsoft Update Catalog, http://catalog.update.microsoft.com
• Office Update Web Site, http://officeupdate.microsoft.com/, until Aug 2009
• Microsoft Security Respnse Center, http://www.microsoft.com/security/
  • Microsoft Security Bulletin, http://www.microsoft.com/security/bulletin.htm
  • Microsoft Security Advisories
• Microsoft Knowledge Base (KB) article
• Microsoft Download Center
• Vulnerability identifier: CVE-xxxx-xxxx, https://cve.mitre.org/

Individual

• Windows Update (Control Panel)
  • Windows Vista, Windows 7, Windows 8 / 8.1

Corporate

• MBSA 2.x
• WSUS 3.0
• SMS 2.0
  • Microsoft discontinued support for SMS 2.0 on April 12, 2011.
• SMS 2003
  • SUS Feature Pack
    • For SMS 2003, Microsoft also discontinued support for the Security Update Inventory Tool (SUIT) on April 12, 2011. 
    • Microsoft discontinued support for Office Update and the Office Update Inventory Tool as of August 1, 2009.
  • ITMU
• System Center Suite
  • System Center Configuration Manager (SCCM) 2007, uses WSUS 3.0 for detection of updates
  • SCCM 2012 / R2
• WSUS for Windows Server 2012 / R2

Tool

• MBSA 2.x
• Application Compatibility Toolkit

Initiative

• Black Hat security conference in Las Vegas, 2008
  • Microsoft Active Protections Program (MAPP)
  • Microsoft Vulnerability Research (MSVR)
  • Microsoft Exploitability Index

2002 ~ 2006

Bill Gates "Trustworthy Computing" Memo - Jan 15, 2002

Information

• Patch Tuesday, Oct 2003
• Windows Update Web Site
  • http://windowsupdate.microsoft.com
• Windows Update Catalog Web site
  • http://windowsupdate.microsoft.com/catalog
• Office Update Web Site
  • http://officeupdate.microsoft.com/
• Microsoft Security Respnse Center, http://www.microsoft.com/security/
  • Microsoft Security Bulletin, http://www.microsoft.com/security/bulletin.htm
  • Microsoft Security Advisories, 2005
  • Microsoft Product Security Notification Service
• Microsoft Knowledge Base (KB) article
• Microsoft Download Center
• Vulnerability identifier: CVE/CAN-xxxx-xxxx, https://cve.mitre.org/

Individual

For non-corporate scenarios, we recommend you use automatic updating or the Microsoft Update website.

• Windows Update + Automatic Update
  • Windows 2000 SP3, Windows XP SP1, and Windows Server 2003
• Microsoft Update

Corporate

Meanwhile, users of the different products get different results, due to each tool's reliance on different methods to determine whether an update is present.

• Microsoft Baseline Security Analyzer (MBSA), scan for missing hotfixes and vulnerabilities, Apr 2002
  • 1.x, 2.x.
• SUS 1.0, Jun 2002; SUS 1.0 SP1.
  • support until Dec 6, 2006; extension, until July 10, 2007
  • SUS 1.0 Client - Automatic Update
• WSUS 2.0, Jun 2005; WSUS 2.0 SP1.
• SMS 2.0 with SUS Feature Pack - Nov 2002 - EOF Apr 12, 2011
  • Distribute Software Updates Wizard, Software Updates Installation Agent, Web Reporting tool
  • Security Update Inventory Tool (SUIT)
    • Security Hotfix Checker scan tool: S_scan.exe 
    • originally used HFNetChk v3.32.
    • uses MBSA; updated Jan 2003 KB 814906.
    • uses MBSA v1.2.1, until Oct 2007.
  • Office Update Inventory Tool
    • Scan tool: O_scan.exe
    • Invcm.exe, Invcif.exe
    • Microsoft Office Detection Tool
  • Extended Security Update Inventory Tool, SMS version of the Enterprise Scan Tool
• Microsoft Systems Management Server (SMS) 2003, RTM October 22, 2003
  
  • Security Update Inventory Tool, based on MBSA, until April 12, 2011
    • SecurityPatch_XXX.exe, mssecure.cab (MSSecure.XML)
    • MBSA 1.2, KB867832, KB306460, KB842432
    • MBSA 2.0, 
  • Office Update Inventory Tool
    • OfficePatch_XXX.exe, Invcif.exe
    • KB888743
  • Extended Security Update Inventory Tool, SMS version of the Enterprise Scan Tool, KB894154, Apr 12, 2005
  • Inventory Tool for Microsoft Updates (ITMU), replaces many legacy scan tools with a single scan tool, 2005
    • Maintenance of the earlier version of the Windows Updates Catalog (Wsusscan.cab) stopped in March 2007.
• Enterprise Scan Tool (Enterprise Update Scan Tool / Enterprise Update Scanning Tool), only created when the MBSA or the ODT do not offer detection for a bulletin.
  • The current version of this tool provides cumulative support for most updates not detected by MBSA starting with MS04-028.

Tool

• MBSA - Microsoft Baseline Security Analyzer
  • www.microsoft.com/technet/security/tools/Tools/mbsahome.asp 
  • 1.0 - Apr 8, 2002 - Q320454
  • 1.1, Dec 4 2002, support for SUS, compatibility with SMS 2.0 SUS Feature Pack
  • 1.1.1, Jun 5, 2003, adds support for Windows Server 2003, MS03-020, until April 20, 2004
  • 1.2, Jan 19, 2004, more accurate security update detection and supports additional products
  • 1.2.1, Aug 4, 2004, 320454, adds support for Windows XP SP2, Office Detection Tool (ODT) local scan integration, originally until Mar 31, 2006; extend until Apr 30, 2007.
  • 2.0, Jul 22, 2005; uses wsusscan.cab.
• Qfecheck.exe - Feb 1996 - Update Information Tool
  • Q145990, win95 version 
  • Q282784_WXP_SP1_x86_ENU.exe - Jan 18, 2002
  • Q282784_W2K_spl_X86_EN.exe - Jan 18, 2002
• Shavlick's HFNetChk
  • Nshc33.exe - Jan 22, 2002

Initiative

• Stay Secure phase - Strategic Technology Protection Program (STPP)
  • In February 2002, Valentine reaffirmed that the STPP initiative is alive and well but, predictably, behind schedule.
  • This week at the first Microsoft Management Summit in Las Vegas, Microsoft officials detailed the “Systems Management Server 2.0 Value Pack” and a separate “Software Update Services” for customers not using SMS or Active Directory. -- May 2002
    • "Customers asked us to be a little more modular about it. Hence we ended up splitting out two feature packs," Hamilton says.
• Windows Security Push - 2001 ~ 2003

Notes

• New architecture for wsusscan.cab begins since November 2006
• Support for existing wsusscan.cab architecture ends on March 2007

1998 ~ 2001

Information

• Windows Update Web Site
  • http://windowsupdate.microsoft.com
  • http://v4.windowsupdate.microsoft.com
• Office Update Web Site
  • http://officeupdate.microsoft.com/
  • Q192021: OFFUP - Word Components Available on Office Update Web Site
• Microsoft Security Respnse Center, http://www.microsoft.com/security/
  • Microsoft Security Bulletin, http://www.microsoft.com/security/bulletin.htm
  • Microsoft Product Security Notification Service
• Microsoft Anonymous FTP Server, ftp://ftp.microsoft.com/
• Microsoft Knowledge Base (KB) article - Qxxxxxx
• Microsoft Download Center
• Microsoft TechNet, http://www.microsoft.com/technet/
• Microsoft Technical Support
• Vulnerability identifier: CVE/CAN-xxxx-xxxx, https://cve.mitre.org/

Individual

• Windows 98, Windows Update
  • 5.00.1788.1, Wupdmgr.exe, WUpdInfo.dll, wum.htm
• Windows 98 SE, Critical Update, Critical Update Notification Utility
  • Wucrtupd.exe
• Windows 2000, Windows Update
  • 5.00.2134.1, WUpdMgr.exe, WUpdInfo.dll
• Windows Me, Windows Update + AutoUpdates feature
  • 5.4.1083.9, auhook.dll, wuauboot.exe, wuauclt.exe, wuaucpl.cpl, wuaupd98.dll, wuaures.dll, wum.htm
  • 5.4.29.0 WUV3is.dll, 5.00.2013.1 WUpdMgr.exe, 5.00.2128.1 WUpdInfo.dll, wum.htm
• Windows XP, Windows Update + Automatic Update
  • 5.4.2600.0, wuaueng.dll, wuauclt.exe, wuauserv.dll, iuctl.dll, iuengine.dll
  • WUV3is.dll, WUpdMgr.exe, WUpdInfo.dll
  • BITS, qmgr.dll, qmgrprxy.dll

Corporate

• Systems Management Server 2.0 (SMS), Feb 11, 1999
• Windows Update Corporate Edition
  
  • Windows Update Corporate Edition Beta - 2001, www.betaplace.com
  • http://www.microsoft.com/technet/ittasks/support/corpwu.asp
• Windows Update Corporate Site
  • beta, 1999; live, Sep 2000; retired, Feb 2002.
  • http://corporate.windowsupdate.microsoft.com

Tool

• Qfecheck.exe - Feb 1996 - Update Information Tool
• Microsoft Personal Security Advisor (MPSA) Web site, http://www.microsoft.com/security/mpsa - Aug 2001
• Shavlick's HFNetChk - Aug 2001 - Microsoft Network Security Hotfix Checker
  • Nshc32.exe - Oct 26, 2001
  • mssecure.cab
    • XML-formatted hotfix catalog
    • http://download.microsoft.com/download/xml/security/1.0/nt5/en-us/mssecure.cab
• URLScan - Sep 2001
• Qchain.exe, install multiple Windows updates or hotfixes with only one reboot

Initiative

• Get Secure phase - Strategic Technology Protection Program (STPP) - Oct 2001
  • Microsoft Security Tool Kit for Windows 2000 & NT 4.0 - Oct 2001
    • Service Pack, Security Rollup Package, Hotfix
    • IIS Lockdown Wizard, HFNetCheck, Qchain, Qfecheck.exe
    • Windows 2000 Critical Update Notification Tool
  • Free Virus Support, 1-866-PC SAFETY
• Windows Security Push - 2001 ~ 2003
• Introduces Security Bulletin Severity Rating System

Hotfix Installer

• self-extracting package program file, Qxxxxxx.exe
• hotfix.exe, hotfix installer, for NT4.0, W2K SP3 or earlier
• update.exe, for W2k SP4, XP, 2003
• other: MSDAIPP installer

For further reading

Windows Update

• https://www.helpwithwindows.com/techfiles/winup-errors.html
• https://members.tripod.com/Richard_Mask/w98tsa.htm
• AutoUpdate in Windows Millennium Edition - Content Developer

Windows Update Web Site

• http://v4.windowsupdate.microsoft.com
• http://v4.windowsupdate.microsoft.com/en/default.asp?corporate=true - (XP USERS) / (corporate Windows Update Catalog) - Jan 2002
• http://v4.windowsupdate.microsoft.com/catalog/en/default.asp - Aug 2002
• http://v5.windowsupdate.microsoft.com - 2004, with SP2
• http://v5.windowsupdate.microsoft.com/v5consumer/default.aspx?ln=en-us
• http://update.microsoft.com/microsoftupdate/
• http://v6.windowsupdate.microsoft.com - 2005
• http://update.microsoft.com/microsoftupdate/v6/default.aspx?ln=en-us
• http://catalog.update.microsoft.com/ - Aug 2007
  • MMS 2006, This new catalog will replace the current Windows Update Catalog (https://v4.windowsupdate.microsoft.com/catalog)
  • http://catalog.update.microsoft.com/v7/site/Home.aspx

Office Update Web SIte

• http://officeupdate.microsoft.com/, until Aug 2009.
  • Office 2000 Support Ends in July, 2009.

RESOURCES

• Windows Server resources
• Windows Server 2003 documentation, http://technet.microsoft.com/en-us/library/cc758523.aspx
  • Windows Server 2003/2003 R2 Retired Content
  • Installation, Product Evaluation, Getting Started, Planning and Architecture, Deployment.
• Detection and deployment guidance articles - KB 910723, KB 918734
• Transforming our approach to patch management at Microsoft - May 15, 2025

Reference

• Microsoft Corporation. Microsoft Windows Server 2003 Deployment Kit: A Microsoft Resource Kit. Microsoft Press, 2003.
• Honeycutt, Jerry, and Microsoft Corporation. Microsoft Windows Desktop Deployment Resource Kit. Microsoft Press, 2005.
• Windows Server Team at Microsoft. Windows Server 2008 Resource Kit. Microsoft Press, 2008.
• Della Monica, Andre, et al. Microsoft System Center Software Update Management Field Experience. Microsoft Press, 2015.

Appendix A: 2003~2005 Patch Management

• http://www.microsoft.com/technet/security/topics/patchmanagement/patchmanagement.mspx
• https://download.microsoft.com/documents/uk/technet/learning/downloads/security/03_Patch_Management.ppt
• https://download.microsoft.com/documents/uk/resources/techroadshow/security-track/3_Implementing_Security_Patch_Management.ppt
• Security, Patch Management, and the Future - Paul Thurrott - June 25, 2003
• Microsoft's Plan to End the Patch Management Nightmare - Paul Thurrott - July 2, 2003
• One Last Follow-up: The Future of Patch Management - Paul Thurrott - July 8, 2003

 

However some key events occured in 2003 that caused us to re-set those schedules – the Slammer virus in February and Blaster in August.

A patch management taskforce (that I got the luck to lead) was set up in February that year to look at how to address patch management from a holistic perspective. One of the key recommendations was to unify the patch management toolset on a common infrastructure and have a range of solutions leveraging the infrastructure for all customer segments.

-- WSUS Goes Live at TechEd 2005, Microsoft Windows Server Team

 

From a scheduling standpoint, Microsoft has many patch-management milestones in the months ahead.

Later this month, the company will standardize its Knowledge Base articles, making them easier to read, and will release a new version of the Microsoft.com Search tool that will be geared toward searching for security patches, which the company says is the number-one reason customers visit the site.

Also in July, Microsoft will release updated best-practices guides for patch management.

In first quarter 2004, Microsoft will deliver its common-patch architecture, update its patch installers, and release a new version of Windows Update that's geared toward all Microsoft products.

In second quarter 2004, Microsoft will upgrade MBSA, SUS, and SMS 2003 to work with this new architecture.

In late 2004, Microsoft will convert from eight patch-installer types to just two (Windows Installer--MSI--3.0 and Update.exe),

and in early 2005 the company will move to a common-patch distribution infrastructure with the release of SMS 2005, Microsoft System Center, and a new SUS version.

-- Microsoft's Plan to End the Patch Management Nightmare, Paul Thurrott, July 2003

 

-- Implementing Security Patch Management - TechNet, Thomas Lee