Catch up on Microsoft patching fast

Last Updated on April 24, 2017 by Dave Farquhar

Last week, Microsoft quietly released its convenience update rollup (KB3125574) for Windows 7 SP1 and Windows Server 2008 R2 SP1. This is a great opportunity to catch up on Microsoft patching, as it incorporates all of Microsoft’s OS-level updates from the release of Service Pack 1 through April 2016.

Here’s how to use this to clear your corporation’s backlog of Microsoft patches. No, I haven’t seen your corporate network, but I’ll bet it has a backlog.

First, scan your network and see if your vulnerability scanner can pick up any pending reboots. Qualys will: it reports the finding in the “information gathered” (IG) category rather than flagging it as a vulnerability. Reboot any of the systems with that finding.

If your vuln scanner doesn’t detect pending reboots, you can check the registry yourself. The first two are keys that exist only while a reboot is pending; the third is a value (not a key) under the Session Manager key, and it is populated when an installer has staged files to be renamed or replaced at the next boot:

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\RebootRequired

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing\RebootPending

HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\PendingFileRenameOperations

Or, if you’d rather just brute-force it, reboot all of the systems that are missing a patch from before April 2016. Pending reboots are a common cause of patch backlogs. Another one is low disk space.
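The reboot and disk-space checks above, as an added PowerShell example that is not part of the original post. It queries the pending-reboot indicators and free space on the system drive of one or more hosts over PowerShell remoting, then reboots only the hosts that need it. It assumes PowerShell 3.0 or later, that WinRM is enabled on the targets, and that you run it with local admin rights on them; the 10 GB free-space threshold is an assumption, so tune it to your environment.

```powershell
# Added example (not from the original post): find hosts with a pending reboot
# or low disk space, the two common causes of a patch backlog named in the text.
# Assumes PowerShell 3.0+, WinRM enabled on targets, and local admin rights.
param(
    [string[]]$ComputerName = @($env:COMPUTERNAME),
    [int]$MinFreeGB = 10   # assumed threshold; the convenience rollup alone is several hundred MB
)

$check = {
    param($MinFreeGB)
    # Key exists only while Windows Update is waiting for a reboot
    $wuReboot  = Test-Path 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\RebootRequired'
    # Component Based Servicing sets this key when a servicing operation needs a reboot
    $cbsReboot = Test-Path 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing\RebootPending'
    # PendingFileRenameOperations is a VALUE under Session Manager, not a key, so read the property
    $sm   = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager' -ErrorAction SilentlyContinue
    $pfro = ($null -ne $sm.PendingFileRenameOperations) -and ($sm.PendingFileRenameOperations.Count -gt 0)

    # Free space on the system drive (patches stage under %SystemRoot%)
    $sysDisk = Get-WmiObject Win32_LogicalDisk -Filter "DeviceID='$($env:SystemDrive)'"
    $freeGB  = [math]::Round($sysDisk.FreeSpace / 1GB, 1)

    [pscustomobject]@{
        Computer      = $env:COMPUTERNAME
        WURebootReq   = $wuReboot
        CBSRebootPend = $cbsReboot
        PendingRename = $pfro
        RebootPending = ($wuReboot -or $cbsReboot -or $pfro)
        SystemFreeGB  = $freeGB
        LowDisk       = ($freeGB -lt $MinFreeGB)
    }
}

$results = Invoke-Command -ComputerName $ComputerName -ScriptBlock $check -ArgumentList $MinFreeGB
$results | Format-Table Computer, RebootPending, WURebootReq, CBSRebootPend, PendingRename, SystemFreeGB, LowDisk -AutoSize

# Fix low disk before touching reboots: a reboot does not help a box with no room to stage files
$results | Where-Object { $_.LowDisk } | ForEach-Object {
    Write-Warning "$($_.Computer): only $($_.SystemFreeGB) GB free on the system drive; clean up before patching"
}

# Reboot only hosts that actually need it, and never the box you are running from
$results | Where-Object { $_.RebootPending -and $_.Computer -ne $env:COMPUTERNAME } |
    ForEach-Object { Restart-Computer -ComputerName $_.Computer -Force }
```

Run it from a management host with a list of servers in `$ComputerName`. Do the reboot step inside a change window; the script deliberately reports first and reboots second so you can drop the last pipeline and just review the table.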

Next, deploy the Microsoft convenience update rollup to all of your systems and reboot them. Note that the rollup will not install until the April 2015 servicing stack update (KB3020369) is present, so push that first. Then deploy your May 2016 and/or June 2016 updates, and your backlog will be cleared, or very nearly so. At that point it will be much easier to find the stragglers, which will likely be missing a handful of files that you can manually copy into place. Use your vulnerability scanner to find those stragglers.
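The two-step install described above, as an added PowerShell example that is not part of the original post. It checks whether each update is already present, installs the servicing stack update before the rollup, and interprets the wusa.exe exit codes so a reboot-required result is not mistaken for a failure. It assumes the two .msu files were downloaded from the Microsoft Update Catalog into a staging folder; the file names and the `C:\Patches` path are assumptions (the real downloads carry a hash suffix in the name), so adjust them to what you actually have.

```powershell
# Added example (not from the original post): install the servicing stack update
# and then the convenience rollup on a Windows 7 SP1 / Server 2008 R2 SP1 host.
# The staging path and .msu file names are assumptions; change them to match your downloads.
param(
    [string]$Stage = 'C:\Patches'
)

$ssu    = Join-Path $Stage 'Windows6.1-KB3020369-x64.msu'    # April 2015 servicing stack update (prerequisite)
$rollup = Join-Path $Stage 'Windows6.1-KB3125574-v4-x64.msu' # convenience rollup

function Test-Installed([string]$Kb) {
    # Get-HotFix reads Win32_QuickFixEngineering; absent = not installed
    [bool](Get-HotFix -Id $Kb -ErrorAction SilentlyContinue)
}

function Install-Msu([string]$Path, [string]$Kb) {
    if (Test-Installed $Kb) { Write-Host "$Kb already installed"; return 0 }
    if (-not (Test-Path $Path)) { throw "Missing $Path" }
    # wusa exit codes: 0 = installed, 3010 = installed but reboot required,
    # 2359302 (0x240006, WU_S_ALREADY_INSTALLED) = already present
    $p = Start-Process wusa.exe -ArgumentList "`"$Path`" /quiet /norestart" -Wait -PassThru
    Write-Host "$Kb -> wusa exit code $($p.ExitCode)"
    return $p.ExitCode
}

# Order matters: the rollup refuses to install without the servicing stack update.
# If the SSU asks for a reboot, stop here, reboot, and run the script again.
$rc = Install-Msu $ssu 'KB3020369'
if ($rc -eq 3010) { Write-Warning 'KB3020369 needs a reboot before the rollup; reboot and rerun'; exit 3010 }
if ($rc -ne 0 -and $rc -ne 2359302) { throw "KB3020369 failed with exit code $rc" }

$rc = Install-Msu $rollup 'KB3125574'
if ($rc -eq 0 -or $rc -eq 3010 -or $rc -eq 2359302) {
    Write-Host 'Rollup staged. Reboot, then push the May/June 2016 updates and rescan.'
    exit $rc
}
throw "KB3125574 failed with exit code $rc"
```

Wrap this in whatever your deployment tool uses to run a script as SYSTEM on each target, and treat exit code 3010 as success-with-reboot rather than failure, or your reporting will show the rollup as failed on every box it actually installed on.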

My recommendation at that point is, rather than fight the updates, to find your very best systems administrator and have that person copy just those files into place. Forget deployment tools; just go old-school. When I pushed patches for a living, the passing score was 100 percent and my continued employment depended on staying at 100 percent, and manual file manipulation was how I got that last percentage point or two.

Deploying a few dozen updates and getting every one of them installed is hard. Deploying 200 updates and getting them all installed is much harder. Deploying the update rollup will get you caught up at the OS level, so you can concentrate on getting caught up on Internet Explorer, .NET, MS Office, and third-party apps.

I have some more tips on patch management if you need them.

If you found this post informative or helpful, please share it!