MS17-004 False Positive

@BaiYunfei + Content team, please check fixlet ID 1700403 against Microsoft's description summary - https://support.microsoft.com/en-us/help/3212642

• The security fixes that are listed in Security Only Quality Update 3212642 are also included in January 2017 Security Monthly Quality Rollup 3212646. Installing either update 3212642 or 3212646 installs the security fixes that are listed here.

We have machines that have had the monthly rollup applied however this fixlet is still showing as relevant.

I cannot raise PMRs for these every month, please advise …

I’m seeing a number of cases whereby the Security Only Quality Update is outstanding but the Security Monthly Quality Rollup isn’t, indicating the same thing.

Hi nicksberger, Catherine,

Thanks for reporting this to us. The content team is investigating it and will provide an update to this thread by the end of this week.

Thank you!


Hi nicksberger, Catherine,

We have updated Fixlets for MS17-004 to address the above mentioned issue; they are published to site Patches for Windows, version 2684. Also we have enhanced our internal framework to include similar logic in future Security-only Fixlets released.

Please allow me to update with a few more details. While we perform our internal testing, we don't see the behavior mentioned above - i.e. the original security-only Fixlets evaluate false after monthly rollups are installed. I believe nicksberger you have also observed similar issues for Dec patches: Issues with new Msft patching process - BigFix relevance issues In addition, for customers who have Security-only Fixlet still applicable after monthly rollup, they are actually still able to install the patch (although it might seem unnecessary).

Since this issue is reoccurring for Jan 2017 Security-only patches, and the fact that MBSA is not reporting it makes BigFix detection result a mismatch. I believe it would be better to keep that logic in place regardless of whether we can observe the behavior in our test bed, while these Fixlets still pass all our internal testing.
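The detection mismatch discussed in this thread, modelled as an added example (not BigFix relevance or Fixlet content): a Security-only Fixlet that only checks its own KB keeps evaluating true after the Monthly Rollup is installed, while the corrected logic also treats the superseding rollup as satisfying it. The KB numbers are the ones from the thread; the per-host hotfix inventories are constructed.

```python
# Added example, not BigFix's own relevance. Models the MS17-004 false positive:
# KB3212642 (Security-only) is superseded by KB3212646 (Monthly Rollup), per the
# Microsoft summary quoted above. Host inventories below are constructed.

# Security-only KB -> the Monthly Rollup that contains the same fixes
SUPERSEDED_BY = {"KB3212642": "KB3212646"}


def old_relevance(security_only_kb, installed):
    """Original logic: relevant unless this exact KB is installed."""
    return security_only_kb not in installed


def new_relevance(security_only_kb, installed):
    """Corrected logic: also evaluate false when the superseding rollup is on."""
    if security_only_kb in installed:
        return False
    rollup = SUPERSEDED_BY.get(security_only_kb)
    return rollup is None or rollup not in installed


def false_positives(fleet, security_only_kb="KB3212642"):
    """Hosts where the old logic reports the Security-only update outstanding but
    the corrected logic does not, i.e. the mismatch against MBSA/SCCM results."""
    return sorted(host for host, kbs in fleet.items()
                  if old_relevance(security_only_kb, kbs)
                  and not new_relevance(security_only_kb, kbs))


# Constructed inventory: hotfixes each host reports (e.g. from Get-HotFix)
FLEET = {
    "ws01": {"KB3212646"},   # rollup only -> old logic gives a false positive
    "ws02": {"KB3212642"},   # security-only installed -> both agree: not relevant
    "ws03": set(),           # neither installed -> genuinely still relevant
}

if __name__ == "__main__":
    for host, kbs in FLEET.items():
        print(host, "old:", old_relevance("KB3212642", kbs),
              "new:", new_relevance("KB3212642", kbs))
    print("false positives:", false_positives(FLEET))
```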

@BaiYunfei thanks for your reply.
I'm confused why any customer would want the security only update to be applicable when the monthly rollup has been installed, this contradicts Microsoft's documented and published new service model.
BigFix (although far superior) will always be compared to SCCM, so regardless of customer needs, the detection logic should be accurate according to Microsoft.
There are instances where SCCM is incorrectly not offering a patch where BigFix is, this is a good thing.

Hi nicksberger, thanks for sharing your feedback! We value your opinion and point of view as a very experienced customer. Also I fully agree with your point that BigFix should match SCCM (or MBSA) in security update detection results, and Security-only should not be relevant after corresponding Monthly Rollups are installed.

That being said, we seek your understanding of us acting slow on certain changes. Given the large customer base and the huge and critical deployment that relies on our content, it sometimes takes extra consideration to change some logic that we have been using for long.

(p.s. yes, some customers do hold a different point of view that the Fixlet should be relevant as long as the patch still appears installable when manually executed.)