Microsoft SSU - Why Does it Matter for Cybersecurity?

We continue to talk about the importance of patch management for your corporate systems. In fact, we’ve repeated the line “Up to 60 percent of all data breaches are related to unpatched vulnerabilities” so often that we could easily apply a stat to how often we’ve stated that stat.

No matter how often we say it, the fact remains that unpatched vulnerabilities are one of the top threats to security. Operating system patch management is critical for keeping your organization secure, up to date, and compliant with security regulations. Understanding the many elements of good patch management is essential to your success.

One key piece of patching and updating Windows-based computing systems is the Microsoft servicing stack update, or SSU for short. This article takes a closer look at the purpose of SSUs, their importance, and the best practices IT admins should use in implementing SSUs.

Microsoft Servicing Stack Updates (SSUs) 

The servicing stack is the name of a specific component in the Windows operating system. Its responsibility involves processing and deploying any patches or updates to both the OS and its applications. Because the servicing stack plays such a huge role in installing Windows updates, it must receive periodic updates itself.

These servicing stack updates ensure that the updating process itself remains free of potential issues. Without up-to-date SSUs, a given device may not be able to receive the latest Microsoft security and performance fixes. SSUs also contain a component known as the component-based servicing stack, or CBS, which governs various aspects of Windows deployment. 

There is no set schedule for SSU releases. Rather, updates occur sporadically as Microsoft developers identify and resolve potential vulnerabilities in the current SSU iteration. SSUs should always be installed prior to any other patches in your queue, since you may not be able to implement those patches without the latest SSU.

SSUs vs Cumulative Updates

Servicing stack updates often get confused with the cumulative update mechanism used by both Windows 10 and Windows Server. These cumulative updates include many different fixes designed to improve the security and performance of Windows.

Cumulative updates get their name from the fact that every new update includes all of the fixes from previous updates, making it possible to install the most recent cumulative update even if you missed previous ones. In this regard, cumulative updates and SSUs have something in common, since SSUs also contain the full servicing stack.

In all other regards, however, administrators must realize that cumulative updates are not the same thing as SSUs. Nor are SSUs included in cumulative updates, for the simple reason that an SSU updates the processes used to install cumulative updates. In other words, you must always install the most recent SSU before installing the latest cumulative update; otherwise, the cumulative update may not work.


Installing Microsoft SSUs

Since November 2018, Microsoft has chosen to classify their SSUs as "Security" and to assign them a severity rating of "Critical." This measure is meant to underscore the importance of giving the highest priority to SSUs.

SSUs can be installed either through Windows Update or by downloading the standalone update packages available on the Microsoft Update Catalog website. When it comes to installing SSUs network-wide, administrators and IT staff can also implement mass deployments via Windows Server Update Services, or WSUS.

SSUs are considered minimally disruptive, since they do not require devices to be restarted after installation. Like quality updates, SSU releases are specific to the particular operating system version. Thus, IT staff must also be conscientious about ensuring that all devices in the network share the same OS. Alternatively, multiple SSUs will need to be deployed to account for the different OS versions in use.

Using Automated Patch Management to Manage SSUs

When you assign the Automox “Patch All” policy on your Windows endpoints, you don’t have to worry about installing the SSU outside of your current patching automation. 

Automox patching policies install exclusive patches released by Windows Update before installing non-exclusive patches. Since the SSU release is an exclusive patch, Automox applies this patch before installing any other software updates that may be available to the endpoint. Once Automox has installed the exclusive SSU patch, it installs the latest cumulative update at the next scheduled policy execution. This process ensures that the SSU is installed before the cumulative update installation is attempted.
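The exclusive-first ordering described above can be sketched in PowerShell. This is an added example, not Automox's code: it assumes that "exclusive" corresponds to the Windows Update Agent value InstallationBehavior.Impact = 2 (iiRequiresExclusiveHandling), the function names are hypothetical, and the sample updates are constructed with placeholder KB numbers.

```powershell
# Added example: order pending updates so exclusive ones (such as an SSU) go first.
# Assumption: "exclusive" maps to the Windows Update Agent value
# IInstallationBehavior.Impact = 2 (iiRequiresExclusiveHandling).
$ExclusiveImpact = 2

function Get-InstallPlan {
    param([object[]] $Updates = @())

    $exclusive = @($Updates | Where-Object { $_.Impact -eq $ExclusiveImpact })
    $normal    = @($Updates | Where-Object { $_.Impact -ne $ExclusiveImpact })

    $pass = 1
    # Each exclusive update gets a pass of its own, ahead of everything else.
    foreach ($u in $exclusive) {
        [pscustomobject]@{ Pass = $pass; Exclusive = $true; Titles = @($u.Title) }
        $pass++
    }
    # All remaining updates share the final pass.
    if ($normal.Count -gt 0) {
        [pscustomobject]@{ Pass = $pass; Exclusive = $false; Titles = @($normal.Title) }
    }
}

function Get-PendingUpdate {
    # Live query through the Windows Update Agent COM API (Windows only).
    $searcher = (New-Object -ComObject Microsoft.Update.Session).CreateUpdateSearcher()
    foreach ($u in $searcher.Search("IsInstalled=0 and Type='Software'").Updates) {
        [pscustomobject]@{
            Title    = $u.Title
            Severity = $u.MsrcSeverity
            Impact   = $u.InstallationBehavior.Impact
        }
    }
}

# Constructed sample data; the KB numbers are placeholders, not real updates.
$sample = @(
    [pscustomobject]@{ Title = 'Cumulative Update (KB-PLACEHOLDER-1)';      Severity = 'Critical'; Impact = 0 }
    [pscustomobject]@{ Title = 'Servicing Stack Update (KB-PLACEHOLDER-2)'; Severity = 'Critical'; Impact = 2 }
    [pscustomobject]@{ Title = 'Driver update (constructed)';               Severity = $null;      Impact = 1 }
)

Get-InstallPlan -Updates $sample | Format-Table Pass, Exclusive, Titles
# On a Windows host, plan against real pending updates instead:
#   Get-InstallPlan -Updates @(Get-PendingUpdate)
```

With the sample data, the servicing stack update lands alone in pass 1 and the cumulative and driver updates share pass 2, which mirrors the SSU-then-cumulative sequence described above.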

Managing patch updates doesn't pose too much of a problem when it comes to a single computer. Yet the task grows exponentially more difficult when it comes to updating all of the devices that connect to a company's network. To learn more about how the Automox patch management platform can make it easier to implement SSUs and other necessary patches, connect with us at
