March Patch Tuesday Frequently Asked Questions
Happy March! This Patch Tuesday was especially exciting because it fell over Ivanti’s Interchange Madrid conference. We hosted our monthly Patch Tuesday analysis webinar live as a breakout session during Interchange. You can listen to it on-demand here.
Read on to hear some of the most frequently asked questions from this month’s Patch Tuesday.
Q: What version of Ivanti Patch for Windows/Security Essentials is required to support SHA2 change?
A: Any currently supported versions of Ivanti Protect/PWS/ISeC will work with SHA2. The one caveat is for Windows 7. The SHA2 patch will be required for those endpoints to function: https://support.microsoft.com/en-us/help/4472027/2019-sha-2-code-signing-support-requirement-for-windows-and-wsus
Q: What will happen after October 8, 2019 for Windows 10 Version 1703? No more patches or only security updates for this version?
A: On that date, no more patches will be provided to that version of Windows 10 on Education and Enterprise editions as Home and Pro have already been unsupported. See the lifecycle fact sheet for further clarification: https://support.microsoft.com/en-us/help/13853/windows-lifecycle-fact-sheet
Q: Is Windows 10 1809 stable enough to move to yet? I want to make sure we don’t run into some of the issues I’ve read in the news.
A: 1809 is far more stable than it was initially, but according to Microsoft’s servicing document (https://docs.microsoft.com/en-us/windows/windows-10/release-information), 1809 is still only recommended for the “Semi-Annual Channel (Targeted)” branch. I would recommend delaying this rollout until the “Semi-Annual Channel” is included in the servicing options.
Q: Is there an issue with 1809 update disabling the built-in administrator account?
A: In our internal testing of feature upgrades we discovered this issue on previous releases. Interestingly enough, “BleepingComputer” did an article on this for the 1809 release, so this issue appears to be more common than before.
Q: What is the KB number for the Windows 10 1607/Server 2016 IE Patch? Is it part of the security cumulative patches?
A: The details for this is available at the following link: https://support.microsoft.com/en-us/help/4489882. Unlike legacy operating systems, Internet Explorer is not separated out and is only available in the cumulative updates.
Q: Instead of Monthly Rollup every month, is it ok to do Monthly Rollup every other month, with Security-Only in between?
A: That strategy should be just fine as it will ensure all Patch Tuesday vulnerabilities are remediated while reducing the impact of updates on the Security-Only months.
Q: There are security updates for Office and then security updates for the individual applications (Word, Access, etc). If let’s say we do not rollout access to our users, it is a problem to just deploy the Office patches?
A: In our investigation on office applicability, a Word patch for example still applies to the office suite as well as numerous applications due to shared components, so you may see far more office patches apply to an endpoint that expected. These other components are still required to ensure your Office instances are fully patched.
Q: What do you recommend for users that have Java 8 installed will this be patched anymore?
A: Java 8 will still be patched for the future releases, but one caveat is that proper licensing will need to be purchased through Oracle to stay in compliance for those updates. See our support article for further details: https://forums.ivanti.com/s/article/Oracle-SE-Java-8-support-changes-and-how-it-effects-deployments-through-Ivanti-Patch-Management-solutions
Q: We just updated Chrome to Version 72.0.3626.121 to remediate the most recent Zero day, how urgent is it now to go to Chrome v73?
A: Google did state that there were nearly 60 security fixes in this latest release, but none that are actively exploited as far as I know. If this patch is not included in your most recent patch cycle, I would still recommend updating as soon as possible.