I published a longer essay on my Substack this week, built around a story I have carried for a long time. Long ago, a bank did not properly patch a set of servers. An attack reached them, nothing could stop it, and the servers went down and stayed down. My team hand-rebuilt them, one at a time, working beside the customer. Proper patching would have made those servers immune. And that team was not careless; they were hardworking, dedicated people. That is what makes the lesson uncomfortable, and worth repeating.
Read the full essay on Substack: The unpatched machine is the one that gets you
The high points
- Machines miss patches three ways. The machine no console can see because it was never enrolled; the enrolled machine that silently fails (reboots that never happen, broken update plumbing, conflicting policy, safeguard holds); and the patch nobody knew to send (out-of-band fixes, servers outside the rings, re-released updates).
- Configuration Manager and Intune are excellent deployment engines, not complete patch managers. They cannot see machines they are not on, and servers and Intune remain an awkward pair.
- The biggest breaches were mostly unpatched machines, not wizardry. WannaCry, Equifax, the 2021 Exchange cleanup, and this month's exploited SharePoint zero-day all share the same root cause.
- Patching by priority is the answer at today's scale. With a record 622 CVEs in one month, the working doctrine is: keep up as you can, but avoid the crisis first. Exploited first (CISA KEV), likely-exploited next (EPSS), then Severity and your own exposure.
The pages that put this into practice
All free, no sign-up, refreshed three times a day: the Patch Tuesday page, the Microsoft patch tracker, the Microsoft CVE reference, Exploited this week, and Senserva Live. And if you want to know which of your machines did not get the memo, Siemserva's first scan shows exactly that.
The full story, and why it keeps repeating across the decades, is on Substack.