June Windows Security Patch Blocked for Some Configuration Manager WSUS Users
Microsoft this week warned organizations that use Microsoft Endpoint Configuration Manager in conjunction with Windows Server Update Services (WSUS) about a "known issue" that blocks the installation of a June Windows security patch.
Microsoft released a Windows security update (KB5003637) as part of its June monthly bundle. However, this June update depends on a May Servicing Stack Update (SSU), KB5003173, being installed first. A Servicing Stack Update is simply a patch for Microsoft's patching system. It used to be the case that SSUs needed to be applied before cumulative updates, but that condition was dropped years ago.
Users of Microsoft Endpoint Configuration Manager with WSUS could experience a trip-up on installing this June Windows patch if they made a change to the default supersedence rule setting for security updates.
In such cases, it's possible that the June Windows security patch won't install. IT pros will get a message that KB5003637 is "not applicable." The system treats the May SSU as being expired, and so the June patch doesn't install.
If the June patch is blocked in this way, it's possible to recover the May SSU that's deemed to be expired. The recovery steps are described in this announcement.
This sort of patch problem shouldn't be an issue anymore, but it appears that modifying the default supersedence rule setting just throws things out of whack.
Years ago, Microsoft made all of its monthly security updates "cumulative," which means they contain patches from previous months. So the June patches would also be expected to contain the May patches, for instance. Later, in 2018, Microsoft pushed its SSUs into its monthly latest cumulative updates (LCUs), which presumably removed the burden on IT pros of having to install SSUs before the cumulative updates.
Those improvements were acknowledged in the known issues blurb for the June security update. Here's what it indicated:
"If you use Windows Server Update Services (WSUS) to manage and deploy your monthly cumulative updates, you must install the May 11, 2021 update (KB5003173) before you install the latest cumulative update.
"Microsoft now combines the latest servicing stack update (SSU) for your operating system with the latest LCU. For general information about SSUs, see Servicing stack updates and Servicing Stack Updates (SSU): Frequently Asked Questions."
So based on those improvements, IT pros shouldn't be experiencing this patch problem. Modifying the default supersedence rule setting, though, seems to be the exception.
Kurt Mackie is senior news producer for 1105 Media's Converge360 group.