Siemens Industry Online Support
Siemens AG
Entry type: FAQ Entry ID: 18490004, Entry date: 09/07/2021

Which Microsoft Updates have been tested for compatibility with SIMATIC PCS 7?

Microsoft regularly rectifies security gaps in its products and makes these fixes available to users via product updates.

General notes

The latest updates are usually issued every second Tuesday of the month. Microsoft groups the updates into numerous different classifications: 

support.microsoft.com/help/824684

To ensure that SIMATIC PCS 7 is secure you have to install updates with the patch classifications "Security Updates", "Critical Updates", "Update Rollups", "Updates" and "Definition Updates". 
    
For this reason, a test system has been set up in order to test the compatibility of the updates with the PCS 7 software on a regular basis. This system always features the very latest of the supported versions of PCS 7 and Microsoft products released for operating these versions of PCS 7. In this test system, all available Microsoft updates of the described classifications are regularly imported to ensure a consistent update status of all released Microsoft products.

The attached table in xls format provides precise information about the Microsoft updates that are tested for compatibility. As far as possible, the table is updated within three weeks after publication of the latest updates of the designated classifications. It reflects the Microsoft products installed in the PCS 7 test configuration. Therefore, a discrepancy between this list and the products installed in the project cannot be excluded. If a system requires more updates than the published list contains, these updates are requested because of the additional products/software components installed. In this case, it is up to the user to install these updates.

We recommend regularly installing all the available updates of the named classifications to ensure that the system is protected.

However, we cannot say anything about the compatibility of updates that we have not tested. Therefore, we recommend installing all the updates in a separate project-specific test environment prior to rolling out the updates in the production environment.


Notes on Microsoft products with status End of Extended Support

Microsoft updates that are published as part of the Extended Security Update (ESU) program for Microsoft software products with the status End of Extended Support are not tested for compatibility with SIMATIC PCS 7.

Microsoft products with End of Extended Support status may indicate the end of their lifecycle with a popup. This popup can overlay the WinCC Runtime.

Please note the information and options within the popup for permanent suppression. This setting may have to be carried out separately for each user.

List of Microsoft Updates tested for compatibility

Description                                                   Download
Excel file in compliance with IEC 62443-2-3                   security_patches_iec.xls (1,9 MB)
Packed XML and model files in compliance with IEC 62443-2-3   security_patches_iec.zip (235,8 KB)
Table 1

Only the current patches are listed. These are cumulative and contain all previous updates.

In rare cases it might happen that in our tests an update has a negative influence on our software. This is noted in the "Comment" field in the list above. Furthermore, we inform you as fast as possible by newsletter of any indications and the resulting remedies.

Recommended procedure for patch management with the Microsoft Windows Server Update Services (WSUS)

These instructions assume that you have a WSUS installed for your PCS 7 plant. The WSUS version to be installed depends on the latest operating system used in the plant. It is always recommended to use the latest available WSUS version. How to proceed with the WSUS is described in Entry ID: 38621083.
  
Procedure 

  1. WSUS configuration
    In the "Products and Classifications" dialog you select the "Products" tab and then all the Microsoft products relevant for the plant.

  2. WSUS configuration

    In the "Products and Classifications" dialog you select the "Classifications" tab and then "Definition Updates", "Security Updates", "Update Rollups", "Updates" and "Critical Updates".  



    Fig. 1
     
  3. WSUS configuration
    Create the project-specific groups for distribution of the updates in the plant.

  4. Download the "security_patches_iec.xls" Excel table above onto your computer.

  5. Open the table. The table is sorted by the "ReleaseDate" column. The current release date corresponds to the top entry. This date is relevant in the further process (from point 7). For PCS 7, for example, select "PCS7Vxy".


  6. Check and note the information in the "Comments" column.

  7. WSUS administration

    Select all available and not yet approved updates (of the above categories) up to the release date mentioned under point 5, and then deselect only the patches that the Excel table above lists as not released.


    Only updates that are not newer than the date specified in the "ReleaseDate" column should be selected.

    Approve the selected patches for the installation in the created groups.

  8. Log in on the clients connected to the WSUS using an administrative account. Check whether updates for the client are available (the clients have been configured to receive updates from the WSUS).

  9. Make sure that the PCS 7 Runtime has ended. Install all the available updates. Restart the computer and check whether more updates are offered for installation.
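
The selection in point 7, scripted with the WSUS UpdateServices PowerShell module (an added example, not Siemens code). It assumes that it runs on the WSUS server itself, that the WSUS "CreationDate" of an update is the date to compare against "ReleaseDate", and that the date and the non-released KB numbers are typed in by hand from the Excel table; the group name "PCS7-Test" is hypothetical.

```powershell
#Requires -Modules UpdateServices
# Added example for point 7: approve tested updates only. Not Siemens code.
param(
    # Top "ReleaseDate" entry of security_patches_iec.xls (point 5), e.g. 2021-08-10.
    [Parameter(Mandatory)] [datetime] $TestedReleaseDate,
    # KB numbers the table lists as not released (points 6 and 7); entered by hand.
    [string[]] $NotReleasedKb = @(),
    # Project-specific group from point 3. Assumption: hypothetical name.
    [string] $TargetGroup = 'PCS7-Test',
    # Without -Apply the script only lists what it would approve.
    [switch] $Apply
)

# The five classifications named in point 2, as WSUS titles them.
$classifications = 'Definition Updates', 'Security Updates', 'Update Rollups',
                   'Updates', 'Critical Updates'

# WSUS stores KB article numbers without the "KB" prefix.
$blocked = $NotReleasedKb | ForEach-Object { $_ -replace '^KB', '' }

# All not-yet-approved updates, narrowed to: right classification,
# not newer than the tested release date, not on the non-released list.
$candidates = Get-WsusUpdate -Classification All -Approval Unapproved -Status Any |
    Where-Object {
        $u = $_.Update
        ($classifications -contains $u.UpdateClassificationTitle) -and
        ($u.CreationDate.Date -le $TestedReleaseDate.Date) -and
        -not ($u.KnowledgebaseArticles | Where-Object { $blocked -contains $_ })
    }

# Review list: compare it with the Excel table before approving anything.
$candidates | Sort-Object { $_.Update.CreationDate } |
    Select-Object @{ n = 'Released'; e = { $_.Update.CreationDate.ToString('yyyy-MM-dd') } },
                  @{ n = 'KB';       e = { $_.Update.KnowledgebaseArticles -join ',' } },
                  @{ n = 'Class';    e = { $_.Update.UpdateClassificationTitle } },
                  @{ n = 'Title';    e = { $_.Update.Title } } |
    Format-Table -AutoSize

if ($Apply) {
    # Approve for installation in the project-specific group only.
    $candidates | Approve-WsusUpdate -Action Install -TargetGroupName $TargetGroup
}
```

Run it once without -Apply and check the listed updates against the Excel table; updates newer than the tested release date stay unapproved and are never offered to the clients in points 8 and 9.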

Further Information

More information about the MS Patch Management and the WSUS Configuration is available at the following links:

Further explanations about Microsoft Updates and the WSUS are available on the following Microsoft pages:

Notes

  • To find out which Microsoft Patches are installed on the PC, refer to Entry ID: 48844294.
  • These guidelines apply for the version PCS 7 V7.0 SP3 and higher.

Warning
The procedure described above does not apply for new Microsoft Service Packs which still require an explicit release for use. If the patches require a higher version of the Microsoft software, then refer to the "PCS 7 readme" file or Entry ID 64847781, to check whether these higher versions of the software or Service Packs are released for SIMATIC PCS 7.

Additional keywords
Windows Update Service, Security Patch

Security information
In order to protect technical infrastructures, systems, machines and networks against cyber threats, it is necessary to implement – and continuously maintain – a holistic, state-of-the-art IT security concept. Siemens’ products and solutions constitute one element of such a concept. For more information about cyber security, please visit
https://www.siemens.com/cybersecurity#Ouraspiration.