Export (0) Print
Expand All

Unapproved Critical Security Updates check

Published: December 16, 2009

Applies To: Forefront Client Security

The Unapproved Critical Security Updates check determines whether unapproved critical security updates are missing on a scanned computer. Unapproved critical security updates are critical updates that are available for download on Microsoft Update (MU) but are not available for download through the update service that is registered with Windows Update Agent (WUA).

noteNote:
While it is possible that scanned computers could have missing unapproved updates with a Microsoft Security Response Center (MSRC) severity of low, moderate, or important, this check reports specifically on updates with a MSRC severity of critical.

A computer can download updates from a variety of sources. The update service registered through WUA determines the source that Automatic Updates (AU) uses to download updates. Common sources are WSUS, Windows Update, MU, and Systems Management Server.

For example, if you use WSUS to deploy product updates, updates need to be approved for installation before they are made available to client computers. If the update service registered with WUA is WSUS, client computers will detect only approved updates.

The Critical Security Updates check searches for missing critical updates based on the update service that is registered with WUA. However, if the new updates have not been approved, the client computer is still at risk (for the vulnerabilities that would be resolved by the new updates). The Unapproved Critical Security Updates check, then, determines which critical security updates are missing.

ImportantImportant:
Internet connectivity is required for this check, and Microsoft Update must be registered with Automatic Updates.

Results are grouped by product family and Microsoft Security Bulletin ID.

There are three types of updates:

  • Security update—An update that has a Security Bulletin ID and has been assigned a MSRC Severity value.

  • Cumulative security update—An update with no Security Bulletin ID and no assigned MSRC Severity, and it supersedes one or more security updates. For example, Windows XP Service Pack 2 (SP2) is a cumulative security update.

  • Non-security update—An update with no Security Bulletin ID and no assigned MSRC Severity, and it does not supersede any security updates. This SSA check does not include this type of update in scoring.

There are four MSRC Severity values:

  • Critical

  • Important

  • Moderate

  • Low

For more information about these values, see Responding to detected vulnerabilities.

Resolutions for potentially unacceptable scores

Review the results message associated with the score.

If there are Microsoft security updates missing, it is recommended that you review and approve the security updates.

If the scanned computer requires a restart to complete an update, restart the computer.

Scoring and results

This check generates scores on three levels:

  • Overall

  • Product family

  • Per update

Overall scoring

The following table shows how Client Security determines the overall score.

 

Score One or more critical security updates not installed or requiring restart One or more critical security updates (superseding security updates) not installed or requiring restart One or more critical cumulative security updates (superseding security updates) not installed or requiring restart Results message

High

Yes

Yes or no

Yes or no

Number of unapproved security updates requiring installation or system restart on the scanned computer: number of missing updates (include both security updates and cumulative security updates).

Medium

Yes

No

Yes

Number of unapproved cumulative security updates requiring installation or system restart on the scanned computer: number.

Low

Yes

No

No

No updates are missing and no system restart is required on the scanned computer.

Informational

No

Yes or no

Yes or no

Scanned computer failed to connect to the update service.

Product family scoring

The following table shows how Client Security determines the score for a product family.

 

Score One or more critical security updates (within product family) not installed or requiring restart One or more critical cumulative security updates (within product family, superseding security updates) not installed or requiring restart Results message

High

Yes

Yes or no

Number of updates requiring installation or system restart on the scanned computer: number of missing updates (include both security updates and cumulative security updates).

Medium

No

Yes

Number of cumulative security updates requiring installation or system restart on the scanned computer: number.

Low

No

No

No updates are missing and no system restart is required on the scanned computer.

Per-update scoring

The criteria for scoring per update differ depending on whether the update is a security update or a cumulative security update.

Security update scoring

The following table shows how Client Security determines the score for a specific security update.

 

Score Security update is installed Security update requires restart to complete Results message

High

No

Not applicable

This security update is not installed on the scanned computer. MSRC severity: severity.

High

Yes

Yes

This security update was installed on the scanned computer, but the installation required a system restart that has not yet taken place. MSRC severity: severity.

Low

Yes

No

This security update was successfully installed on the scanned computer. MSRC severity: severity.

Cumulative security update scoring

The following table shows how Client Security determines the score for a specific cumulative security update.

 

Score Cumulative security update is installed Cumulative security update requires restart to complete Results message

Medium

No

Not applicable

This cumulative security update supersedes one or more security updates and is not installed on the scanned computer.

Medium 

Yes

Yes

This cumulative security update supersedes one or more security updates and was installed on the scanned computer, but the installation required a system restart that has not yet taken place.

Low

Yes

No

This cumulative security update supersedes one or more security updates and was successfully installed on the scanned computer.

Related Topics

Was this page helpful?
(1500 characters remaining)
Thank you for your feedback
Show:
© 2014 Microsoft