
If I have a Windows 10 workstation, I can use something like `wmic qfe list` or `Get-Hotfix` to show all the installed updates on that system. How can I prove that the list of installed updates is really all that is available to be installed? I'm running into questions from compliance about how I know Windows hasn't screwed up when it says there are no other available updates, and how I can match a master list of available updates against a list of what's installed. Thanks for the help.

Ben Sooter
  • It's an interesting question, but if Windows screwed this up, then many millions of people have a problem, not just you. – Michael Hampton Jul 05 '19 at 21:42
  • Yeah, but at the same time, surely I can't have the only internal audit department to ask the question. Somewhere some HIPAA, or PCI, or whatever person wanted to see this. I've been poring through documentation for days; it's weird how hard this has been to answer. – Ben Sooter Jul 05 '19 at 23:01
  • If you have a budget for this, you might investigate third-party solutions. (I know Shavlik used to make a product that did this, though I see they've now been subsumed by Ivanti and I'm not sure whether that particular product still exists. No doubt there are other vendors doing the same thing.) – Harry Johnston Jul 06 '19 at 20:16

2 Answers


The Microsoft Security Update Guide can be used to acquire a list of security KB articles indicating security updates for a specific Windows build.

Almost all security updates installed on the system are part of a Latest Cumulative Update (LCU).

By searching the Microsoft Update Catalog for the KB articles found in the Security Update Guide, a list of all cumulative update patches that have been replaced by other cumulative update patches can be found. In this way, a specific KB article mentioned in the Microsoft Security Update Guide can be traced to the current cumulative update.

When querying Windows 10 for hotfixes using `wmic qfe list` or `Get-Hotfix`, the behavior appears to be that only the latest cumulative update package installed is listed.

Ben Sooter
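The reconciliation this answer describes, as an added PowerShell example that is not part of the original answer: take the KB list exported from the Security Update Guide, collapse each KB onto the cumulative update that the Update Catalog shows as replacing it, and compare the result with what `Get-HotFix` reports. Two things in it are assumptions for illustration only: the CSV text is a constructed stand-in for a real Security Update Guide export (only the `Article` column is read; pass `-ArticleColumn` if a real export names it differently), and the supersedence map is hand-built from Update Catalog lookups (the Catalog has no API), seeded with the three cumulative updates the comments below identify as contained in KB4503284.

```powershell
# Added example, not from the original answer. Reconciles the KB list exported from the
# Security Update Guide against what Get-HotFix reports, after collapsing KBs that the
# Update Catalog shows as replaced by a later cumulative update. Assumptions, for
# illustration only: the CSV text is a constructed stand-in for a real export (only the
# "Article" column is read; pass -ArticleColumn if yours is named differently), and the
# supersedence map is hand-built from Update Catalog lookups, seeded with the three
# cumulative updates that the comments identify as contained in KB4503284.

# Constructed stand-in for a Security Update Guide CSV export (Windows 10 1709, x64).
$SugCsv = @'
"Product","Article"
"Windows 10 Version 1709 for x64-based Systems","4056892"
"Windows 10 Version 1709 for x64-based Systems","4074588"
"Windows 10 Version 1709 for x64-based Systems","4088776"
"Windows 10 Version 1709 for x64-based Systems","4093112"
"Windows 10 Version 1709 for x64-based Systems","4465661"
"Windows 10 Version 1709 for x64-based Systems","4503284"
'@

# Hand-built supersedence map: replaced KB -> the cumulative update that replaces it.
# Extend it from the package details of each KB in the Microsoft Update Catalog. Chains
# are followed, so A -> B plus B -> C resolves A to C.
$Supersedence = @{
    'KB4056892' = 'KB4503284'
    'KB4074588' = 'KB4503284'
    'KB4088776' = 'KB4503284'
}

function Get-RequiredKB {
    # Turn the SUG export into a de-duplicated list of "KBnnnnnnn" identifiers.
    param([string]$Csv, [string]$ArticleColumn = 'Article')
    $Csv | ConvertFrom-Csv |
        ForEach-Object { $_.$ArticleColumn } |
        Where-Object { $_ -match '^\d+$' } |
        ForEach-Object { "KB$_" } |
        Sort-Object -Unique
}

function Resolve-CurrentKB {
    # Follow the supersedence chain until reaching a KB that nothing replaces.
    param([string]$Kb, [hashtable]$Map)
    $seen = @{}
    while ($Map.ContainsKey($Kb) -and -not $seen.ContainsKey($Kb)) {
        $seen[$Kb] = $true        # guards against an accidental loop in the map
        $Kb = $Map[$Kb]
    }
    return $Kb
}

function Compare-Patches {
    param(
        [string[]]$Required,
        [hashtable]$Map,
        # Defaults to the live machine; pass a list to run offline or against a saved report.
        [string[]]$Installed = (Get-HotFix | Select-Object -ExpandProperty HotFixID)
    )
    $installedSet = @{}
    foreach ($id in $Installed) { $installedSet[$id.ToUpper()] = $true }

    foreach ($kb in $Required) {
        $current = Resolve-CurrentKB -Kb $kb -Map $Map
        $status = if ($installedSet.ContainsKey($current)) {
            if ($current -eq $kb) { 'Installed' } else { 'Superseded' }
        } elseif ($Map.ContainsKey($kb)) {
            'Missing'       # we know which CU should carry it, and that CU is absent
        } else {
            'Unresolved'    # not installed and not in the map: look it up in the Catalog
        }
        [pscustomobject]@{ RequiredKB = $kb; SatisfiedBy = $current; Status = $status }
    }
}

# Offline run using the installed list the question reports for a "fully patched" 1709 box.
# KB4093112 comes back Unresolved: that is the cue to look it up in the Catalog and extend the map.
$required = Get-RequiredKB -Csv $SugCsv
Compare-Patches -Required $required -Map $Supersedence -Installed 'KB4503284','KB4500641','KB4465661' |
    Format-Table -AutoSize
# On the workstation itself, omit -Installed to compare against Get-HotFix directly.
```

The `Unresolved` status is the useful output for the compliance question: it lists exactly the Security Update Guide KBs that neither show up in `Get-HotFix` nor have yet been traced to an installed cumulative update, so the manual Catalog lookup only has to be done for those, and once the map covers every KB, a run with no `Missing` and no `Unresolved` rows is the evidence an auditor can follow.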

You can refer to the official product documentation: https://docs.microsoft.com/en-us/windows/release-information.

Unfortunately, it seems to be quite difficult to find a list of all minor updates apart from major product releases; however, there are several unofficial pages which track them, such as this one: https://pureinfotech.com/windows-10-version-release-history.

There is also the Microsoft Update Catalog (https://catalog.update.microsoft.com), where you can look up all available updates for a given Windows version; but you need to pinpoint a specific Windows 10 release. E.g. if you search for "Windows 10 1903" (current version), this is what you get: https://catalog.update.microsoft.com/v7/site/Search.aspx?q=windows%2010%201903.

Generally speaking, the latest cumulative update for a given Windows 10 release should include all previous updates; but some updates are released outside the CU line and need to be applied separately.

Massimo
  • So I found the [Microsoft Security Update Guide](https://portal.msrc.microsoft.com/en-us/security-guidance) which you can plug in Windows 10, 1709 x64, as an example, and it returns all the CVEs and their related KBs. What you'll find with an up to date 1709 system though is running Get-Hotfix or something similar will give you like 2 Windows OS security updates as installed, but there appears to be like 9 more, and I can't find anything that indicates the others are rolled up or superseded by the ones installed. – Ben Sooter Jul 05 '19 at 22:56
  • If you are in an unmanaged environment, just have Windows check for updates; if something is missing, Windows will detect and install it. If you instead are managing updates via WSUS and/or SCCM, use your chosen tool to deploy updates and generate reports about their installation status. – Massimo Jul 05 '19 at 23:46
  • Historically, it hasn't always been true that Windows will always detect missing updates. In the aftermath of Meltdown/Spectre, Windows Update would refuse to detect updates containing the new mitigations (including the main monthly security updates!) if it detected signs of out-of-date anti-virus software. In our environment, that included lots of machines that used to have Symantec installed, because there were some registry settings left over. IIRC, there have also been cases where updates wouldn't detect on certain CPUs. The OP's audit department actually do have a point. – Harry Johnston Jul 06 '19 at 20:14
  • @BenSooter If you are targeting Windows 1709, you have a problem (it's two years old). – Massimo Jul 07 '19 at 04:14
  • And yes, I know the new servicing model is quite heavy on IT departments, because it assumes you are going to deploy major updates every six months. But that's the way Microsoft wants it. There's nothing much you can do apart from sticking with old releases (which are going to become unsupported quite quickly, and anyway are a pain to manage, when a newer release includes all updates for all previous ones). – Massimo Jul 07 '19 at 04:17
  • And this is even worse for servers, which *should* be supported and patched for a while after a major release. But MS' current approach seems to be "just update it as soon as a major release appears". Service packs were actually a lot more trustworthy. – Massimo Jul 07 '19 at 04:20
  • If the OP is on 1709 Enterprise then he still has nine months of support left. – Harry Johnston Jul 07 '19 at 04:30
  • So the segment of the systems that are still 1709 are a great example. They show fully patched. You run `Get-Hotfix` and they show like 2 Windows OS security hotfixes installed. You look up the list of hotfixes on the [Microsoft Security Update Guide](https://portal.msrc.microsoft.com/en-us/security-guidance) and there are like 11. I can't for the life of me reconcile why the other 9 don't show installed. – Ben Sooter Jul 07 '19 at 18:09
  • I can't quite figure out how you're getting a list of 11 updates, but can you provide an example of one of the updates that seems to be missing? – Harry Johnston Jul 08 '19 at 01:25
  • In the Security Update Guide search I'm doing a search from 01/01/2018 - 07/05/2019, Product Categories - Windows, Product - Windows 10 1709 for x64-based systems. – Ben Sooter Jul 08 '19 at 01:57
  • Then I download the CSV from the link on the right. Filtering the data in Excel and sorting on the KB Article number actually yields 22 KB articles. (KB4056892, KB4074588, KB4088776, KB4093112, KB4103727, KB4284819, KB4338825, KB4343897, KB4345420, KB4457142, KB4462918, KB4465661, KB4467686, KB4471329, KB4480978, KB4486996, KB4487021, KB4489886, KB4493441, KB4499179, KB4500641, KB4503284) The only OS security patches I show installed from `Get-Hotfix` are (KB4503284, KB4500641, KB4465661). – Ben Sooter Jul 08 '19 at 01:57
  • Ok, I just found that the [Windows Update Catalog site](https://www.catalog.update.microsoft.com) actually lists cumulative updates that include multiple security hotfixes, but the cumulative updates are not listed by the Security Update Guide. I'd say I was getting closer, but at first glance I'm not seeing the cumulative updates installed either. – Ben Sooter Jul 08 '19 at 01:59
  • KB4056892, KB4074588, and KB4088776 are all cumulative updates, and therefore included in KB4503284. I expect the rest of the updates on your list are the same. See https://support.microsoft.com/en-nz/help/4043454 for the complete list of cumulative updates to date. (Found by Googling KB4056892, it was the first result.) – Harry Johnston Jul 08 '19 at 02:04
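The other half of the discussion above is Massimo's "just have Windows check for updates" and Harry Johnston's caveat that the Windows Update Agent has at times withheld updates (the January 2018 anti-virus compatibility gate being the example he gives). The following is an added PowerShell example, not code from anyone in the thread: it asks the Windows Update Agent through its COM API what it still considers applicable, and first checks the anti-virus compatibility flag that the January 2018 updates were gated on. It assumes it runs elevated on the workstation, with the machine able to reach its configured update source (Microsoft Update or WSUS); the registry key and value name are the real ones from that gate, and the function and variable names are the example's own.

```powershell
# Added example, not from the original answer or comments. Asks the Windows Update Agent
# (WUA) itself, through its COM API, what it still considers applicable: the programmatic
# form of "just have Windows check for updates". It reports only what the agent believes,
# so it complements the offline Security Update Guide reconciliation rather than replacing
# it. Assumptions: run elevated on the workstation, with the machine able to reach its
# configured update source (Microsoft Update or WSUS). The QualityCompat check is the
# anti-virus compatibility flag the January 2018 updates were gated on; when it is absent
# a scan can come back empty while the monthly security updates are in fact not offered.

function Test-QualityCompatFlag {
    # $true when the AV-compatibility flag is present with the value the 2018 gate required.
    $key  = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\QualityCompat'
    $name = 'cadca5fe-87d3-4b96-b7fb-a231484277cc'
    $item = Get-ItemProperty -Path $key -Name $name -ErrorAction SilentlyContinue
    return ($null -ne $item -and $item.$name -eq 0)
}

function Get-PendingUpdate {
    # Updates the agent considers applicable but not installed (updates an admin hid are excluded).
    $session  = New-Object -ComObject Microsoft.Update.Session
    $searcher = $session.CreateUpdateSearcher()
    $result   = $searcher.Search("IsInstalled=0 and IsHidden=0 and Type='Software'")
    foreach ($u in $result.Updates) {
        [pscustomobject]@{
            KB       = (@($u.KBArticleIDs) | ForEach-Object { "KB$_" }) -join ','
            Severity = $u.MsrcSeverity
            Title    = $u.Title
        }
    }
}

if (-not (Test-QualityCompatFlag)) {
    Write-Warning 'QualityCompat flag absent: the agent may withhold 2018+ security updates from this scan.'
}
$pending = @(Get-PendingUpdate)
if ($pending.Count -eq 0) {
    'WUA reports nothing outstanding.'
} else {
    $pending | Sort-Object Severity | Format-Table -AutoSize
}
```

For the audit question, the two views belong together: an empty result from the agent shows that the machine's own update source offers nothing more, and the Security Update Guide reconciliation shows, independently of the agent's applicability logic, that every published security KB for that build is accounted for by an installed cumulative update.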