
TL;DR: install MS patch requires previous patches, how to determine needed patches in an isolated network?

I have this Windows 2008 R2 SP1 machine in an isolated network; the machine hasn't been patched since 2015, which means a lot of patches are missing.

Directly installing the latest patch proved to be unfeasible: WUSA will check and then report 'Patch Not Applicable'. However, to my knowledge, 'Patch Not Applicable' has only 3 reasons:

  • system architecture mismatch (not the case, easily checked)

  • a newer patch which integrated the previous patch was installed (not the case, not patched since 2015)

  • patch pre-requisite not satisfied.

How do I determine the exact pre-requisite patches (a chain of patches)? (Preferably by querying the WSUS server programmatically?)

Sajuuk
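The question above asks for the prerequisite chain in one query, but neither a WSUS server nor an offline scan can hand it over that way: applicability rules (architecture, supersedence, prerequisites) are evaluated by the Windows Update Agent on the client, so a scan only ever returns the updates the machine qualifies for right now. The chain therefore has to be discovered iteratively: scan, install what is offered, reboot, scan again. The following PowerShell is an added example, not code from the original post or from Microsoft; it uses the documented WUA COM API (Microsoft.Update.Session / Microsoft.Update.ServiceManager) against an offline scan cab, then drives WUSA and decodes its exit codes so a 'not applicable' verdict is reported instead of silently skipped. The paths C:\Offline\wsusscn2.cab and C:\Offline\msu are assumptions; the cab is downloaded on an internet-connected machine and carried into the isolated network, and the listed KBs are fetched from the Microsoft Update Catalog the same way.

```powershell
# Added example, not code from the original post. Enumerates the updates a
# disconnected Windows 2008 R2 SP1 host still needs with the Windows Update
# Agent (WUA) COM API against an offline scan cab, then installs .msu files
# with WUSA and classifies its exit codes. Assumed paths (not from the post):
#   C:\Offline\wsusscn2.cab  - offline scan cab fetched on a connected machine
#   C:\Offline\msu           - .msu files downloaded from the Update Catalog
# Run from an elevated PowerShell session on the isolated machine.

function Get-MissingUpdatesOffline {
    param([string]$ScanCab = 'C:\Offline\wsusscn2.cab')

    $session = New-Object -ComObject Microsoft.Update.Session
    $svcMgr  = New-Object -ComObject Microsoft.Update.ServiceManager
    # Register the cab as a scan source. WUA evaluates each update's
    # applicability rules (architecture, supersedence, prerequisites) against
    # this machine, so only updates installable *right now* are returned.
    $svc = $svcMgr.AddScanPackageService('Offline Sync Service', $ScanCab)
    try {
        $searcher = $session.CreateUpdateSearcher()
        $searcher.ServerSelection = 3          # ssOthers: use the service below
        $searcher.ServiceID = $svc.ServiceID
        $result = $searcher.Search('IsInstalled=0 and IsHidden=0')
        foreach ($u in $result.Updates) {
            New-Object PSObject -Property @{
                KB        = (@($u.KBArticleIDs | ForEach-Object { "KB$_" }) -join ',')
                Title     = $u.Title
                Severity  = $u.MsrcSeverity
                Bulletins = (@($u.SecurityBulletinIDs | ForEach-Object { $_ }) -join ',')
                UpdateID  = $u.Identity.UpdateID
            }
        }
    } finally {
        $svcMgr.RemoveService($svc.ServiceID)
    }
}

function Get-WusaExitStatus {
    param([int]$ExitCode)
    # WUSA exits with Win32 codes or HRESULTs. Formatting the Int32 as X8 shows
    # the HRESULT for values WUSA reports as negative numbers (0x8xxxxxxx).
    switch ('{0:X8}' -f $ExitCode) {
        '00000000' { 'installed' }
        '00000BC2' { 'installed, reboot required (3010)' }
        '00240006' { 'already installed (WU_S_ALREADY_INSTALLED)' }
        '80240017' { 'not applicable (WU_E_NOT_APPLICABLE): wrong architecture, superseded, or a prerequisite is missing' }
        default    { "failed with 0x$_" }
    }
}

function Install-MsuFolder {
    param([string]$Folder = 'C:\Offline\msu')
    # Install every .msu in the folder without rebooting between packages and
    # report WUSA's verdict for each one.
    foreach ($msu in Get-ChildItem -Path $Folder -Filter *.msu | Sort-Object Name) {
        $p = Start-Process -FilePath 'wusa.exe' `
            -ArgumentList @("`"$($msu.FullName)`"", '/quiet', '/norestart') `
            -Wait -PassThru
        New-Object PSObject -Property @{
            Package = $msu.Name
            Result  = Get-WusaExitStatus $p.ExitCode
        }
    }
}

# Round 1: list what WUA considers installable on this machine today.
Get-MissingUpdatesOffline | Sort-Object Severity, KB | Format-Table KB, Severity, Title -AutoSize

# Round 2..n (after fetching the listed KBs on the connected side and copying
# them over): install, reboot, rescan. Updates whose prerequisites were just
# satisfied appear only in the next scan; when the scan comes back empty the
# chain is complete.
Install-MsuFolder | Format-Table Package, Result -AutoSize
```

Each scan round is the "patch route" the question asks for, one hop at a time: whatever WUA offers first (typically servicing-stack and similar foundation updates) is the prerequisite layer for what it offers next. A 0x80240017 result from Install-MsuFolder for a package that was not in the preceding scan output is the same 'Patch Not Applicable' the question describes, and the fix is to install the scanned set first rather than to guess at the chain.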

2 Answers

1

That sounds super annoying. Set up a WSUS box, connect it to the internet and update it, then bring it to the isolated network and query against that? That's what I would do. Anything else would be so time consuming it's not worth the trouble. Plus you wouldn't really know if you had missed something.

thelanranger
  • problem is, when you query the WSUS server, it only returns the currently needed patches for the querying machine; no patch route to the target patch is explicitly given. – Sajuuk Apr 29 '19 at 05:13
  • I was more so referring to this scenario as a means to run all the updates on a specific OS without actually having internet. WSUS would allow you to download the updates by giving the machine/VM running WSUS internet connectivity and then pre-downloading the updates. Once you query the WSUS server, your 'offline' server could be brought up to date using that data. You would not need to do it onesy-twosy. That seems like a waste of time to me. – thelanranger May 02 '19 at 21:32
  • that's neat, however the core of this problem lies in determining the minimum viable patch path. not how to upgrade a machine to its newest state. – Sajuuk May 05 '19 at 01:56
  • Ah, so you're just trying to find the 1 or 2 patches you can install to get an application to run, not get the system patched up to current? That could prove an insanely complex task. Your application could have libraries that need to be installed, those libraries could have prerequisites, those prerequisites could have prerequisites, etc. Generally why apps use installers to deploy or give you their prerequisite list of "Server 2008 R2 SP1 + .NET 4.0" or something. – thelanranger May 05 '19 at 21:10
  • well I'm talking about security patches here, so that I could install one security patch to defend against some vulnerability without installing all the other unnecessary patches. – Sajuuk May 06 '19 at 01:52
  • For security purposes I see that as bad practice. It's not effective to defend against a single vulnerability. You need to patch EVERYTHING to current. That's the point. Malicious software does not get in by attacking a specific door, it is typically a crazy swiss army knife that attacks hundreds of doors looking for poor locks/broken windows. Locking a single door doesn't protect you from that. – thelanranger May 30 '19 at 00:01
  • well, that's the standard textbook answer. but in reality one does not simply walk into Mordor, or... patch everything at once. how do you think Microsoft tests their patches? anyway, please view this question as a technical one, I was not seeking best practices. – Sajuuk May 30 '19 at 02:00
0

Run an MBSA scan and see the list of missing patches; there's a list of patches released by MS (huge Excel file). Cross-reference that and you can manually download the patches and install them.