Unapproved Critical Security Updates check

Applies To: Forefront Client Security

The Unapproved Critical Security Updates check determines whether unapproved critical security updates are missing on a scanned computer. Unapproved critical security updates are critical updates that are available for download on Microsoft Update (MU) but are not available for download through the update service that is registered with Windows Update Agent (WUA).

Note

Scanned computers might also be missing unapproved updates with a Microsoft Security Response Center (MSRC) severity of low, moderate, or important, but this check reports only on updates with an MSRC severity of critical.

A computer can download updates from a variety of sources. The update service registered through WUA determines the source that Automatic Updates (AU) uses to download updates. Common sources are WSUS, Windows Update, MU, and Systems Management Server.

For example, if you use WSUS to deploy product updates, updates need to be approved for installation before they are made available to client computers. If the update service registered with WUA is WSUS, client computers will detect only approved updates.

The Critical Security Updates check searches for missing critical updates based on the update service that is registered with WUA. However, if new updates have not been approved, that service does not offer them, and the client computer remains at risk from the vulnerabilities that those updates would resolve. The Unapproved Critical Security Updates check therefore determines which critical security updates are missing because they have not been approved.

Important

Internet connectivity is required for this check, and Microsoft Update must be registered with Automatic Updates.
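One way to reproduce the comparison this check describes, using the Windows Update Agent COM API (an added example, not Client Security's own code). It assumes PowerShell 3.0 or later and that Microsoft Update is registered with WUA; the helper name Get-MissingUpdate is hypothetical.

```powershell
# Added example: critical updates that Microsoft Update offers but the update
# service registered with WUA (for example WSUS) does not offer to this computer.
$MuServiceId = '7971f918-a847-4430-9279-4a52d1efe18d'   # Microsoft Update service ID
$Criteria    = "IsInstalled=0 and Type='Software' and IsHidden=0"

function Get-MissingUpdate {            # hypothetical helper name
    param(
        [int]$ServerSelection,          # 0 = ssDefault (registered service), 3 = ssOthers
        [string]$ServiceId              # only used with ssOthers
    )
    $session  = New-Object -ComObject Microsoft.Update.Session
    $searcher = $session.CreateUpdateSearcher()
    $searcher.ServerSelection = $ServerSelection
    if ($ServiceId) { $searcher.ServiceID = $ServiceId }
    # Search() throws when the selected service cannot be reached or is not registered.
    $searcher.Search($Criteria).Updates
}

try {
    $offered = @(Get-MissingUpdate -ServerSelection 0)
    $fromMu  = @(Get-MissingUpdate -ServerSelection 3 -ServiceId $MuServiceId)
} catch {
    Write-Warning "Could not query an update service: $($_.Exception.Message)"
    return
}

# Index what the registered service already offers, keyed by update ID.
$offeredIds = @{}
foreach ($u in $offered) { $offeredIds[$u.Identity.UpdateID] = $true }

$fromMu |
    Where-Object { $_.MsrcSeverity -eq 'Critical' -and
                   -not $offeredIds.ContainsKey($_.Identity.UpdateID) } |
    ForEach-Object {
        [pscustomobject]@{
            BulletinIds    = @($_.SecurityBulletinIDs) -join ','
            MsrcSeverity   = $_.MsrcSeverity
            RebootRequired = $_.RebootRequired
            Title          = $_.Title
        }
    } |
    Sort-Object BulletinIds |
    Format-Table -AutoSize -Wrap
```

An empty table means every missing critical update that Microsoft Update reports is also offered by the registered service.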

Results are grouped by product family and Microsoft Security Bulletin ID.

There are three types of updates:

  • Security update—An update that has a Security Bulletin ID and has been assigned an MSRC Severity value.

  • Cumulative security update—An update that has no Security Bulletin ID and no assigned MSRC Severity, but supersedes one or more security updates. For example, Windows XP Service Pack 2 (SP2) is a cumulative security update.

  • Non-security update—An update that has no Security Bulletin ID and no assigned MSRC Severity, and does not supersede any security updates. This SSA check does not include this type of update in scoring.

There are four MSRC Severity values:

  • Critical

  • Important

  • Moderate

  • Low

For more information about these values, see Responding to detected vulnerabilities.

Resolutions for potentially unacceptable scores

Review the results message associated with the score.

If there are Microsoft security updates missing, it is recommended that you review and approve the security updates.

If the scanned computer requires a restart to complete an update, restart the computer.

Scoring and results

This check generates scores on three levels:

  • Overall

  • Product family

  • Per update

Overall scoring

The following table shows how Client Security determines the overall score.

| Score | One or more critical security updates not installed or requiring restart | One or more critical security updates (superseding security updates) not installed or requiring restart | One or more critical cumulative security updates (superseding security updates) not installed or requiring restart | Results message |
| --- | --- | --- | --- | --- |
| High | Yes | Yes or no | Yes or no | Number of unapproved security updates requiring installation or system restart on the scanned computer: number of missing updates (include both security updates and cumulative security updates). |
| Medium | Yes | No | Yes | Number of unapproved cumulative security updates requiring installation or system restart on the scanned computer: number. |
| Low | Yes | No | No | No updates are missing and no system restart is required on the scanned computer. |
| Informational | No | Yes or no | Yes or no | Scanned computer failed to connect to the update service. |

Product family scoring

The following table shows how Client Security determines the score for a product family.

| Score | One or more critical security updates (within product family) not installed or requiring restart | One or more critical cumulative security updates (within product family, superseding security updates) not installed or requiring restart | Results message |
| --- | --- | --- | --- |
| High | Yes | Yes or no | Number of updates requiring installation or system restart on the scanned computer: number of missing updates (include both security updates and cumulative security updates). |
| Medium | No | Yes | Number of cumulative security updates requiring installation or system restart on the scanned computer: number. |
| Low | No | No | No updates are missing and no system restart is required on the scanned computer. |

Per-update scoring

The criteria for scoring per update differ depending on whether the update is a security update or a cumulative security update.

Security update scoring

The following table shows how Client Security determines the score for a specific security update.

| Score | Security update is installed | Security update requires restart to complete | Results message |
| --- | --- | --- | --- |
| High | No | Not applicable | This security update is not installed on the scanned computer. MSRC severity: severity. |
| High | Yes | Yes | This security update was installed on the scanned computer, but the installation required a system restart that has not yet taken place. MSRC severity: severity. |
| Low | Yes | No | This security update was successfully installed on the scanned computer. MSRC severity: severity. |

Cumulative security update scoring

The following table shows how Client Security determines the score for a specific cumulative security update.

| Score | Cumulative security update is installed | Cumulative security update requires restart to complete | Results message |
| --- | --- | --- | --- |
| Medium | No | Not applicable | This cumulative security update supersedes one or more security updates and is not installed on the scanned computer. |
| Medium | Yes | Yes | This cumulative security update supersedes one or more security updates and was installed on the scanned computer, but the installation required a system restart that has not yet taken place. |
| Low | Yes | No | This cumulative security update supersedes one or more security updates and was successfully installed on the scanned computer. |

Other Resources

Microsoft Security Bulletin Search
WSUS overview
Windows Update, Microsoft Update, and Automatic Updates for IT Professionals