Which Microsoft Updates have been tested for compatibility with SIMATIC PCS 7?
To ensure that SIMATIC PCS 7 is secure you have to install updates with the patch classifications "Security Updates", "Critical Updates", "Update Rollups", "Updates" and "Definition Updates".
For this reason, a test system has been set up in order to test the compatibility of the updates with the PCS 7 software on a regular basis. This system always features the very latest of the supported versions of PCS 7 and Microsoft products released for operating these versions of PCS 7. In this test system, all available Microsoft updates of the described classifications are regularly imported to ensure a consistent update status of all released Microsoft products.
The attached table in xls format provides precise information about the Microsoft updates that are tested for compatibility. As far as possible, this is updated within three weeks after publication of the latest updates of the designated classification. It reflects the Microsoft products installed in the PCS 7 test configuration. Therefore, a discrepancy between this list and the products installed in the project cannot be excluded. If a system requires more updates than contained in the published list, these updates are requested according to the additional installed products/software components. In this case, it is up to the user to install these updates.
We recommend regularly installing all available updates of the named classifications to ensure that the system is protected.
However, we cannot say anything about the compatibility of updates that we have not tested. Therefore, we recommend installing all the updates in a separate project-specific test environment before rolling them out in the production environment.
Notes on Microsoft products with status End of Extended Support
Microsoft updates that are published as part of the Extended Security Update (ESU) program for Microsoft software products with the status End of Extended Support are not tested for compatibility with SIMATIC PCS 7.
Microsoft products with End of Extended Support status may indicate the end of their lifecycle with a popup. This popup can overlay the WinCC Runtime.
List of Microsoft Updates tested for compatibility
| Excel file in compliance with IEC 62443-2-3 | security_patches_iec.xls (1,9 MB) |
| Packed XML and model files in compliance with IEC 62443-2-3 | security_patches_iec.zip (235,8 KB) |
Only the current patches are listed. These are cumulative and contain all previous updates.
In rare cases it might happen that in our tests an update has a negative influence on our software. This is noted in the "Comment" field in the list above. Furthermore, we inform you as fast as possible by newsletter of any indications and the resulting remedies.
Recommended procedure for patch management with the Microsoft Windows Server Update Services (WSUS)
These instructions assume that you have a WSUS installed for your PCS 7 plant. The WSUS version to be installed depends on the latest operating system used in the plant. It is always recommended to use the latest available WSUS version. How to proceed with the WSUS is described in Entry ID: 38621083.
1. WSUS configuration: In the "Products and Classifications" dialog, select the "Products" tab and then all the Microsoft products relevant for the plant.
2. WSUS configuration: In the "Products and Classifications" dialog, select the "Classifications" tab and then "Definition Updates", "Security Updates", "Update Rollups", "Updates" and "Critical Updates".
3. WSUS configuration: Create the project-specific groups for distribution of the updates in the plant.
4. Download the "security_patches_iec.xls" Excel table above onto your computer.
5. Open the table. The table is sorted by the "ReleaseDate" column. The current release date corresponds to the top entry. This date is relevant in the further process (from point 7). For PCS 7, for example, select "PCS7Vxy".
6. Check and note the information in the "Comments" column.
7. Select all available and not yet approved updates (of the above categories) up to the release date mentioned under point 5 and then deselect only the patches marked as non-released in the Excel table above. Only updates that are not newer than the date specified in the "ReleaseDate" column should be selected.
8. Approve the selected patches for installation in the created groups.
9. Log in on the clients connected to the WSUS using an administrative account. Check whether updates for the client are available (the clients have been configured to receive updates from the WSUS).
10. Make sure that the PCS 7 Runtime has ended. Install all the available updates. Restart the computer and check whether more updates are offered for installation.
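The select-and-approve part of the procedure above (release-date cutoff, the five classifications, exclusion of non-released patches) can be scripted on the WSUS server with the UpdateServices PowerShell module. This is an added example, not code from the original entry or from Siemens; the CSV export of the table, its "KB" and "Released" column names, the file path and the group name are assumptions.

```powershell
# Added example, not Siemens code. Assumptions: the table was exported to CSV for
# the plant's PCS 7 version, with hypothetical columns 'KB' and 'Released'
# next to 'ReleaseDate' (ISO dates); the path and group name are placeholders.
Import-Module UpdateServices

$csvPath     = 'C:\Temp\security_patches_iec.csv'
$targetGroup = 'PCS7-Test'
$classes     = 'Security Updates', 'Critical Updates', 'Update Rollups',
               'Updates', 'Definition Updates'

$tested = Import-Csv -Path $csvPath

# Newest ReleaseDate in the table is the cutoff; include that whole day.
$newest = ($tested | ForEach-Object { [datetime]$_.ReleaseDate } |
           Sort-Object -Descending | Select-Object -First 1)
$cutoff = $newest.Date.AddDays(1)

# KB numbers the table marks as not released, reduced to digits only.
$blocked = @($tested | Where-Object { $_.Released -eq 'No' } |
             ForEach-Object { $_.KB -replace '\D' })

# Unapproved updates of the named classifications, not newer than the cutoff
# (CreationDate is used here as the update's release date), minus blocked KBs.
$candidates = Get-WsusUpdate -Approval Unapproved -Status Any | Where-Object {
    $u   = $_.Update
    $hit = @($u.KnowledgebaseArticles | Where-Object { $blocked -contains $_ })
    (-not $u.IsDeclined) -and
    ($classes -contains $u.UpdateClassificationTitle) -and
    ($u.CreationDate -lt $cutoff) -and
    ($hit.Count -eq 0)
}

# Review this list against the "Comments" column before approving.
$candidates | ForEach-Object {
    '{0:yyyy-MM-dd}  {1}' -f $_.Update.CreationDate, $_.Update.Title
}

# Dry run; remove -WhatIf to approve for the group.
$candidates | Approve-WsusUpdate -Action Install -TargetGroupName $targetGroup -WhatIf
```

Run it against the project-specific test group first, so that the approved set is installed in the test environment before the production groups receive it.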
- PCS 7 Compendium Part F - Industrial Security V9.0
- SIMATIC Process Control System PCS 7 Patch Management and Security Updates
Further explanations about Microsoft Updates and the WSUS are available on the following Microsoft pages:
- Microsoft Security Bulletins (English)
- Microsoft WSUS (English)
- To find out which Microsoft Patches are installed on the PC, refer to Entry ID: 48844294.
- These guidelines apply for the version PCS 7 V7.0 SP3 and higher.
The procedure described above does not apply for new Microsoft Service Packs which still require an explicit release for use. If the patches require a higher version of the Microsoft software, then refer to the "PCS 7 readme" file or Entry ID 64847781, to check whether these higher versions of the software or Service Packs are released for SIMATIC PCS 7.