Issues with new Msft patching process - BigFix relevance issues

How are IBM addressing the detection issues with the security only updates versus monthly rollup’s.
According to this article, Microsoft have addressed this on the WSUS side however i am still seeing security only updates as relevant when the latest monthly rollup has been installed (Win7)
See article - specifically last couple of comments

Subsequent testing confirms that after installing the December monthly rollup fixlet, the December security only update is no longer relevant (in addition to the December monthy rollup) however the previous November security only update is still relevant.
By (Msft) design, surely the installation of the December monthly rollup should make the November security only update not relevant in BigFix ?

Can anyone from IBM explain ?

1 Like

Hi nicksberger,

Thanks for reporting the issue! We are looking into it and will update this forum post with progress.

Thanks for looking into this.
Just to add, I would expect component patches to behave in the same way. For example, MS16-155 which is for .NET Framwork has a monthly rollup and security only patch.
Should installing the monthly rollup make the security only patch not-relevant as the security updates are included in the rollup ?

Continuing on from this… looking for example at the .NET updates for Windows 7; monthly rollup -v- security only:

Here we see four .NET monthly rollups that appear to have a corresponding security only update. However, we are then left with 6 monthly rollups that do not appear to have a corresponding security only update. In our environment, we only require security updates to be installed, so we have filtered out monthly rollups… But is there a scenario whereby the security content contained within a monthly rollup is not available anywhere else; e.g. in a security only OS update, or a security only .NET update, etc. If this is the case, we would need to amend our filtering to take this into account (which would not be easy). However, it was my understanding that the new Microsoft servicing model contained monthly rollups which are comprised of security updates + enhancements, and corresponding security only updates are then always made available offline. Is this the case or are some corresponding security only updates missing from BigFix?

The fundamental difference between BigFix and a system like SCCM is that BigFix focuses on the underlying vulnerability; not just whether a patch has been deployed not. With this new servicing model from Microsoft, we need to make sure that IBM maintains its granular level of vulnerability detection, regardless of which patch content is deployed (i.e. monthly rollup, security update, etc.).

Hi @BaiYunfei,

Just as an FYI, I have a PMR open for pretty much the same issue; 70530.L6Q.000
It looks like IBM were hoping that Microsoft’s recent supersedence adjustments would resolve this issue, but from the testing done by @nicksberger, it looks like it may not.
Further testing will be completed on my org soon - we had a freeze in December - so I should be able to provide more testing results in a few days…

Hi all,

The kernel security-only Fixlets for Oct and Nov 2016 have been updated: Content Modification in Patches for Windows

Kindly reply this post if the latest version works / does not work for you.

We will take another look at the .NET security-only Fixlets.


Hi @it_cat,

If you have a look at the MS16-155 security bulletin in Microsoft Catalog or security bulletin page, you will notice that Microsoft hasnt released security only patch for each monthly rollup patch. So, in short there isnt a 1-1 mapping between security only and monthly rollup.
For each supported security only patch that is released we do have a fixlet for them and like wise for monthly rollup.


Hi @nicksberger,

To answer - Should installing the monthly rollup make the security only patch not-relevant as the security updates are included in the rollup ?

Yes, installing the same month’s monthly roll-up should make the security only patch not applicable. Please refer to this Microsoft blog in which these recent changes by Microsoft are outlined.


@SameerK - ok so there isn’t a one-to-one relationship between all monthly rollups and security only updates. However as I mentioned, we filter out monthly rollups (because we don’t want machines to show as non-compliant for updates that contain non-security content).So my query was:

“But is there a scenario whereby the security content contained within a monthly rollup is not available anywhere else; e.g. in a security only OS update, or a security only .NET update, etc.?”

Hi @it_cat,
Per Microsoft documentation, No, there shouldn’t be a scenario that a security content contained within a monthly rollup is not available anywhere else. Microsoft each month will release “security only” and “monthly rollups”. The monthly roll up includes security only as well as fixes from all previous monthly rollups.

You may want to read through the Microsoft blog for understanding Microsoft policy on security only and monthly rollups.

Below are few selected snippets from the Microsoft blog post:

“A security only quality update
A single update containing all new security fixes for that month”

"A security monthly quality rollup A single update containing all new security fixes for that month (the same ones included in the security only update released at the same time), as well as fixes from all previous monthly rollups. This can also be called the “monthly rollup.”" "For organizations that typically deploy only security fixes, you will now find that instead of approving or deploying a set of fixes each Update Tuesday, you will approve or deploy just a single update. Since the security only update and the monthly rollup both are published using the “Security Updates” classification, existing automatic approval rules in WSUS would approve both the security only and the monthly rollup each month. The same is also true with Configuration Manager automatic deployment rules. This will require either manually approving or deploying updates each month, or in the case of Configuration Manager, adjusting existing automatic deployment rules. See the previous section for details. You install all security updates as we release them, and some non-security fixes to address specific problems Since the organization will typically be deploying only the security only fix, see the previous section for full details. In cases where there is a need to deploy one or more non-security fixes, manually approve the latest monthly rollup that contains the needed fixes. This monthly rollup will contain other fixes as well, so the entire package must be installed."



1 Like

@BaiYunfei It appears the update to the relevance for the security update only fixlets has worked. We’ll continue to test and feedback issues. Thanks !


@SameerK - yes, this is what we understood. Hence I expected that every monthly rollup should have a corresponding security only update (one-to-one mapping). However as you have stated; with .NET updates, this is not the case.

So is there a discrepancy here?

Hi @it_cat,
I rechecked the content for MS16-155 for .NET, and there does not seem to be any discrepancy between the Microsoft released patches for MS16-155 and fixlets for them in BigFix.
Are you seeing any discrepancy or missing fixlets?


@SameerK I was referring more to my screenshot above… I just wanted to verify that the MS16-155 rollups that appear to be without a corresponding security only update* do not contain security content that is not also contained within a security only update. I understand this is more Microsoft-based than IBM, but we need to understand the process within BigFix.

*In the BigFix console - showing non-relevant content - I see 29 monthly rollups for MS16-155 but only 6 security only updates.

For example, fixlet# 1615501 (MS16-155: Security Update for .NET Framework - Monthly Rollup - Windows 7 SP1 / Windows Server 2008 SP2 / Windows Server 2008 R2 SP1 / Windows Vista SP2 - .NET Framework 4.5.2 - KB3210139 (x64)) does not seem to have a corresponding security only update… am I mistaken?

Hi @it_cat,

You are right that there is no corresponding security only update for this, but then Microsoft hasnt released one for .NET framework 4.5.2.
Infact if you see for MS16-155, Microsoft has released security-only update only for .NET 4.6.2. For the rest of the .NET versions monthly roll-ups were released. Also adding to this you can see they have released corresponding monthly rollup for .NET 4.6.2.

As far as BigFix is concerned, we release fixlets for the every supported patch (KB number) that Microsoft releases, only that in most cases we have a separate fixlet for each of OS version. And as far as MS16-155 is concerned there is no fixlet missing for any KB.

Microsoft classifies both “Security-Only” and “Monthly roll up” as security updates and as you might have read in the Microsoft blog applying security only updates should take care of security updates. Beyond that I would suggest posting a query to Microsoft about Monthly rollups who do not have corresponding security only updates for the month does infact have any security patches included in them.


1 Like

January patches are the same (MS17-004)… After applying the quality rollup only, my machines still are relevant for security only…And vice versa… I ended up adding both to a baseline, as redundant as it seems, and both apply…Even when quality is first, security still applies and completes ! That makes no sense to me…

I see 1.5% failures for the quality upgrade, but those PCs take it upon reboot and reapplication - that’s with security having completed. That’s really strange after MS briefed us to push one or the other only, turns out if we don’t do both we look unpatched in the eyes of bigfix :wink:

Makes no sense (your post does)
@it_cat Do you see this behaviour ? I will be testing tomorrow.

I am not seeing this behaviour; once the rollup is installed, the security only update is not relevant.
If the security only update is installed, the rollup is relevant. This is expected behaviour.
NOTE: I have only conducted limited testing against two workstations.

1 Like

@nicksberger - same here… Limited testing but after applying the rollup on a machine - that had both the rollup and security only update outstanding - neither was outstanding/applicable post-reboot.

@GregD - which OS were you deploying the MS17-004 rollup to; Windows 7 SP1?
And maybe a silly question, but did you give the machine(s) some time to reevaluate to see if the security only update was still relevant?