Microsoft SSU - Why Does it Matter for Cybersecurity?

We continue to talk about the importance of patch management for your corporate systems. In fact, we’ve said it often enough: ”Up to 60 percent of all data breaches are related to unpatched vulnerabilities,” that we could easily apply a stat to how often we’ve stated that stat.

No matter how often we say it, the fact remains that unpatched vulnerabilities are one of the top threats to security. Operating system patch management is critical for keeping your organization secure, up to date, and compliant with security regulations. Realizing the many important elements of good patch management is imperative to assure your success.

One key piece for patching and updating Windows-based computing systems are Microsoft servicing stack updates, or SSUs for short. This article takes a closer look at the purpose of SSUs, their importance, and the best practices IT admin should use in implementing SSUs.

Microsoft Servicing Stack Updates (SSUs)

The servicing stack is the name of a specific component in the Windows operating system. Its responsibility involves processing and deploying any patches or updates to both the OS and its applications. Because the servicing stack plays such a huge role in installing Windows updates, it must receive periodic updates itself.

These servicing stack updates ensure that the updating process itself remains free of potential issues. Without up-to-date SSUs, a given device may not be able to receive the latest Microsoft security and performance fixes. SSUs also contain a component known as the component-based servicing stack, or CBS, which governs various aspects of Windows deployment.

There is no set schedule for SSU releases. Rather, updates occur sporadically as Microsoft developers identify and resolve potential vulnerabilities in the current SSU iteration. SSU updates should always be installed prior to any other patches in your cue, since you may not be able to implement those patches without the latest SSU.

SSUs vs cumulative updates

Servicing stack updates often get confused with the cumulative update mechanism used by both Windows 10 and Windows Server. These cumulative updates include many different fixes designed to improve the security and performance of Windows.

Cumulative updates get their name from the fact that every new update includes all of the fixes from previous updates, making it possible to install the most recent cumulative update even if you missed previous ones. In this regard, cumulative and SSUs have something in common, since SSUs also contain the full servicing stack.

In all other regards, however, administrators must realize that cumulative updates are not the same thing as SSUs. Nor are SSUs included in cumulative updates, for the simple reason that an SSU updates the processes used to install cumulative updates. In other words, you must always install the most recent SSU before installing the latest cumulative update, otherwise it may not work.


Installing Microsoft SSUs

Since November 2018, Microsoft has chosen to classify their SSUs as "Security" and to assign them a severity rating of "Critical." This measure is meant to underscore the importance of giving the highest priority to SSUs.

SSUs can be installed either through Windows Update, or by downloading the standalone update packages available on the Microsoft Update Catalog website. When it comes to installing network-wide SSUs, administrators and IT staff can also implement mass deployments via the Windows Server Update Services, or WSUS.

SSUs are considered minimally disruptive, since they do not require devices to be restarted after installation. Like quality updates, SSU releases are specific to the particular operating system version. Thus, IT staff must also be conscientious about ensuring that all devices in the network share the same OS. Alternately, multiple SSUs will need to be deployed to account for variant OS versions being used.

Using automated patch management to manage SSUs

When you assign the Automox “Patch All” policy on your Windows endpoints, you don’t have to worry about installing the SSU outside of your current patching automation.

Automox patching policies install exclusive patches released by Windows Update before installing non-exclusive patches. Since the SSU release is an exclusive patch, Automox applies this patch before installing any other software updates that may be available to the endpoint. Once Automox installs the exclusive SSU patch, then it installs the latest cumulative update at the next scheduled policy execution. This process ensures that the SSU is installed before the cumulative update installation is attempted.

Managing patch updates doesn't pose too much of a problem when it comes to a single computer. Yet the task grows exponentially more difficult when it comes to updating all of the devices that connect to a company's network. To learn more about how the Automox patch management platform can make it easier to implement SSUs and other necessary patches, connect with us at

Automox for Easy IT Operations

Automox is the cloud-native IT operations platform for modern organizations. It makes it easy to keep every endpoint automatically configured, patched, and secured – anywhere in the world. With the push of a button, IT admins can fix critical vulnerabilities faster, slash cost and complexity, and win back hours in their day. 

Grab your free trial of Automox and join thousands of companies transforming IT operations into a strategic business driver.