Windows Update categories
Hello
It’s Rafal Sosnowski from Microsoft Dubai Security PFE Team. I want to talk about different types of our Windows Updates.
Microsoft has the following categories (classifications) of updates:
- Critical Update
- Security Update
- Definition Update
- Update Rollup
- Service Pack
- Tool
- Feature Pack
- Update
Critical Update – an update that fixes a specific, critical, non-security-related bug. Such a bug can, for example, cause serious performance degradation, an interoperability malfunction, or application compatibility problems.
Security Update – an update that fixes a security vulnerability. Security updates have their own severity, defined by the Microsoft Security Response Center (MSRC). MSRC defines 5 levels of security update severity:
- Critical - The update fixes a vulnerability whose exploitation could allow for the propagation of an Internet worm without user action.
- Important - The update fixes a vulnerability whose exploitation could result in the compromise of the confidentiality, integrity, or availability of users' data, or of the integrity or availability of processing resources.
- Moderate - The update fixes a vulnerability whose exploitation is mitigated to a significant degree by factors such as default configuration, auditing, or difficulty of exploitation.
- Low - The update fixes a vulnerability whose exploitation is extremely difficult, or whose impact is minimal.
- Unspecified - The update does not have a severity rating.
Every security update also has an Exploitability Index rating, which is not shown to the user in Windows Update or WSUS: https://technet.microsoft.com/en-us/security/cc998259
The main confusion seen in the field regarding update categories concerns WSUS, Windows Update and MBSA.
WSUS
Windows Server Update Services (WSUS) can synchronize updates based on category (classification) but not based on severity (see below). Selecting “Critical Updates” under Options\Products and Classifications in the WSUS console will only synchronize and download Critical Updates that fix critical non-security bugs (for example hardware or driver compatibility). These Critical Updates have nothing to do with Critical Security Updates.
If you want to synchronize security updates, select “Security Updates” in the Classifications tab. This will download critical, important, moderate, low and unspecified security-related updates.
Critical Updates (as opposed to Critical Security Updates) have no MSRC severity set; WSUS displays it as “Unspecified”.
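Because WSUS only filters by classification, the severity split has to be done after synchronization. The following PowerShell script is an added example (not from the original post or from the WSUS product documentation) that uses the UpdateServices module shipped with the WSUS role to group the synchronized updates by classification and MSRC severity, and then pulls out the subset WSUS itself cannot select: Security Updates that MSRC rated Critical. The server name, port and the function name Get-ClassificationSeveritySummary are assumptions; the IUpdate properties UpdateClassificationTitle, MsrcSeverity and KnowledgebaseArticles are part of the WSUS administration API.

```powershell
# Added example: map WSUS classifications onto MSRC severity.
# Assumes the UpdateServices module (installed with the WSUS role) is available.
Import-Module UpdateServices

# Connects to the local WSUS server. For a remote server use, for example:
#   Get-WsusServer -Name wsus01.example.internal -PortNumber 8530
$wsus = Get-WsusServer

# Fetch the update catalog once; GetUpdates() can be slow on a large server.
$allUpdates = $wsus.GetUpdates()

# Count updates per (classification, MSRC severity) pair. Non-security
# classifications such as "Critical Updates" have an empty MsrcSeverity,
# which is exactly what the WSUS console shows as "Unspecified".
function Get-ClassificationSeveritySummary {
    param([Parameter(Mandatory)] $Updates)   # hypothetical helper, not a WSUS cmdlet

    $rows = foreach ($u in $Updates) {
        $severity = $u.MsrcSeverity
        if ([string]::IsNullOrEmpty($severity)) { $severity = 'Unspecified' }
        [pscustomobject]@{
            Classification = $u.UpdateClassificationTitle
            MsrcSeverity   = $severity
        }
    }

    $rows | Group-Object Classification, MsrcSeverity | ForEach-Object {
        [pscustomobject]@{
            Classification = $_.Group[0].Classification
            MsrcSeverity   = $_.Group[0].MsrcSeverity
            Count          = $_.Count
        }
    } | Sort-Object Classification, MsrcSeverity
}

Get-ClassificationSeveritySummary -Updates $allUpdates | Format-Table -AutoSize

# The filter the WSUS classification picker cannot express:
# security updates whose MSRC rating is Critical, newest first.
$allUpdates |
    Where-Object { $_.UpdateClassificationTitle -eq 'Security Updates' -and $_.MsrcSeverity -eq 'Critical' } |
    Select-Object Title,
                  @{ n = 'KB'; e = { $_.KnowledgebaseArticles -join ',' } },
                  MsrcSeverity,
                  CreationDate |
    Sort-Object CreationDate -Descending |
    Format-Table -AutoSize
```

In the summary table, every row whose Classification is "Critical Updates" should show MsrcSeverity "Unspecified", while "Security Updates" rows are spread across Critical, Important, Moderate, Low and Unspecified; that is the distinction the post is making, seen in the data rather than in the console.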
Windows Update
Windows Update displays simplified categories to the end user, because end users usually don't need to know severity ratings or the exact type of update:
- Important - includes all Security Updates regardless of MSRC severity, plus Critical Updates, Definition Updates, Update Rollups and Service Packs.
- Optional/Recommended - includes Feature Packs and standard Updates.
The mapping above shows which exact update types fall into each simplified category that Windows Update uses in Control Panel.
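To see the two views side by side on a client, the following PowerShell script is an added example (not from the original post) that queries the Windows Update Agent COM API for applicable updates and prints, for each one, the exact classification, the MSRC severity, and the simplified bucket the Windows Update control panel would show. The bucket rule is this script's own assumption: updates flagged AutoSelectOnWebSites are the ones Windows Update preselects as "Important", everything else is treated as "Optional/Recommended". The search criteria string and the COM properties used (Categories, MsrcSeverity, KBArticleIDs, AutoSelectOnWebSites) are part of the Windows Update Agent API; the function name Get-WindowsUpdateBucket is hypothetical.

```powershell
# Added example: show classification, MSRC severity and the simplified
# Windows Update bucket for every applicable update on the local machine.
$session  = New-Object -ComObject Microsoft.Update.Session
$searcher = $session.CreateUpdateSearcher()

# Not yet installed, not hidden, software updates only (drivers use Type='Driver').
$result = $searcher.Search("IsInstalled=0 and IsHidden=0 and Type='Software'")

# Assumption used here: Windows Update preselects "Important" updates, which the
# agent exposes as AutoSelectOnWebSites = $true; the rest are Optional/Recommended.
function Get-WindowsUpdateBucket {
    param([Parameter(Mandatory)] $Update)   # hypothetical helper
    if ($Update.AutoSelectOnWebSites) { return 'Important' }
    return 'Optional/Recommended'
}

# Each update carries several categories (product, company, classification);
# the classification is the one whose Type is "UpdateClassification".
function Get-UpdateClassification {
    param([Parameter(Mandatory)] $Update)   # hypothetical helper
    $cls = @($Update.Categories | Where-Object { $_.Type -eq 'UpdateClassification' })
    if ($cls.Count -gt 0) { return $cls[0].Name }
    return 'Unknown'
}

$report = foreach ($u in $result.Updates) {
    $severity = $u.MsrcSeverity
    if ([string]::IsNullOrEmpty($severity)) { $severity = 'Unspecified' }
    [pscustomobject]@{
        KB             = ($u.KBArticleIDs | ForEach-Object { "KB$_" }) -join ','
        Classification = Get-UpdateClassification -Update $u
        MsrcSeverity   = $severity
        Bucket         = Get-WindowsUpdateBucket -Update $u
        Title          = $u.Title
    }
}

# Security Updates land in "Important" whatever their MSRC severity, while a
# Critical Update (non-security) shows "Unspecified" severity in the same bucket.
$report | Sort-Object Bucket, Classification, MsrcSeverity | Format-Table -AutoSize
```

Run it from an elevated PowerShell session on the client; the search can take a minute or two because the agent contacts the configured update source (Windows Update or the WSUS server) before returning.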
MBSA
Microsoft Baseline Security Analyzer (MBSA) provides a streamlined method to identify missing security updates and common security misconfigurations. MBSA is a basic vulnerability scanner that can run locally or remotely. It scans for missing Security Updates (critical, important, moderate, low) and displays their maximum MSRC severity rating.
I hope this blog post helped you understand the different categories and severity levels of Microsoft updates.
Main takeaway:
- Critical Update is an update that fixes a critical non-security-related bug.
- Critical Security Update is an update that fixes a critical security vulnerability.
- Important update is a category displayed by Windows Update; it includes all Security Updates regardless of MSRC severity rating, as well as other update categories such as Critical Updates, Definition Updates etc.
- Important Security Update is an update that fixes an important security vulnerability.
Comments
- Anonymous
February 19, 2017
This is incredibly helpful, thank you. I want to add one thing. "Recommended" seems like a low level of update which maybe could be skipped. Don't. "Recommended" updates include updates to the Windows Update process itself. If you skip these you may find that Windows Update works incorrectly, and as a result, you are unable to download updates that are Critical or Security Critical. Even worse, you might not even be informed that these updates are available.
- Anonymous
May 21, 2017
I updated my windows server and I forgot that my update should be only Important. Not optional. Now, I want to uninstall the optional update but on my update history, I cannot differentiate which are important and which are optional. Can you help me? I have an example below. Help me identify please.
Update KB977239 Update KB2830477 Update KB2592687 Update KB981390 Update KB2574819 Update KB2685811 Update KB2685813 Update KB2719857 Update KB2726535 Update KB2732059 Update KB2750841 Update KB2761217 Update KB2763523 Update KB2791765 Update KB2800095 Update KB2808679 Update KB2843630 Update KB2852386 Update KB2853952 Update KB2857650 Update KB2891804 Update KB2893519 Update KB2908783 Update KB2919469 Update KB2966583 Update KB2970228 Update KB2985461 Hotfix KB3006137 Update KB3020370 Update KB3054205 Update KB3054476 Update KB3068708 Update KB3078667 Update KB3080079 Update KB3080149 Update KB3092627 Update KB3102429 Update KB3107998 Update KB3121255 Update KB3133977 Update KB3137061 Update KB3140245 Update KB3147071 Update KB3172605 Update KB3179573 Update KB3181988 Update KB982018 Update KB4019265
- Anonymous
December 15, 2017
Hello, I would like to know if it is recommended to install all updates on Windows server in production, or just consider installing critical updates, definition updates and security updates? And discard "standard" updates, tools, update rollups?
- Anonymous
January 09, 2018
@Roy78 For all production machines the most important updates are security updates. Lack of security updates can lead to system or infrastructure compromise. As always, we recommend reviewing the KB and understanding all changes that a particular update brings.
- Anonymous
June 26, 2018
For the sake of completeness, it could be useful to add the definition of Cumulative Update too.