Sunday, April 7, 2024

Vulnerability Management - Applied Microsoft patches not getting detected

Recently tools like MECM, which are used for patch management in environments where Windows OS is used, are showing status as compliant when patches are pushed via them. But when scanned using a vulnerability management solution, the same systems are showing missing patches.

Now that the context is set, I would like to discuss the cause.

It is because of UBR (Update Build Revision) number. VM solutions are looking for UBR number to check if the latest patch is applied or not. UBR can be read from registry at key "HKLM:\SOFTWARE\Microsoft\Windows". Microsoft always changes the UBR value and updates it when there is a new patch. So ensure, whenever patches are pushed using patching solutions, UBR numbers are updated accordingly.

Following are some troubleshooting steps I found using simple Google search 😬:

  1. Check for updates: Make sure that systems are configured to check for updates automatically and that they are connected to the internet. You can check for updates manually by going to Settings > Update & Security > Windows Update and clicking “Check for updates”.
  2. Restart the Windows Update service: If the Windows Update service is not functioning properly, you can try restarting the service. To do this, open the Services console (services.msc) and locate the Windows Update service. Right-click on the service and select “Restart”.
  3. Reset the Windows Update components: If restarting the service does not resolve the issue, you can try resetting the Windows Update components. Microsoft provides a script that can automate this process.
  4. Manually install updates: If the UBR value is still not updating properly, you can try manually installing the updates on the affected server. You can download the updates from the Microsoft Update Catalog and install them manually.
  5. Check for errors in the event logs: Check the Event Viewer logs for any errors or warnings related to the Windows Update service or the installation of updates. These logs may provide additional clues about the cause of the issue.
  6. If using MECM, you can try reinstalling the MECM clients on affected servers.

Please refer the below URLs for more details:
https://www.vcloudinfo.com/2020/12/how-to-decode-windows-version-numbers.html

https://community.spiceworks.com/t/windows-ubr-value-not-updating-after-windows-update/948275

https://support.hcltechsw.com/csm?id=kb_article&sysparm_article=KB0094555

Happy Learning
vulnerabilitymanagement cybersecurity
at

No comments:

Post a Comment

Subscribe to: Post Comments (Atom)

Vulnerability Management - Understanding vulnerability posture

Understanding the vulnerability posture of an organisation at a basic level helps you drive remediation efforts. So, I don't know what t...