Which Microsoft Patches ("Security Patches" and "Critical Patches") have been tested for compatibility with SIMATIC WinCC?
Constantly updated and tested information about the compatibility of Siemens products with the software of third parties is available in the free Compatibility Tool in Entry 64847781.
The Compatibility Tool also provides information about tested Windows versions and the compatibility of Windows updates. This is why you should use the Compatibility Tool to check the compatibility prior to updating your Windows installation.
Note on the Microsoft Updates 2018-01
Microsoft published updates for the Windows operating systems on 03.01.2018 and 08.01.2018 in order to rectify the security gaps known under the collective names Meltdown and Spectre. Known compatibility problems exist with these updates; see, for example, the notes in the update for Windows Server 2012 R2 (https://support.microsoft.com/en-us/help/4056895/windows-81-update-kb4056895). As far as is currently known, these compatibility problems also affect SIMATIC products. For this reason we recommend that you do not download these security updates for the time being.
On 17.01.2018 Microsoft provided corrections for the following Windows Updates concerned:
- KB4057401 https://support.microsoft.com/kb/4057401: corrects the problems of KB4056895 and KB4056898
- KB4057402 https://support.microsoft.com/kb/4057402: corrects the problems of KB4056896 and KB4056899
- KB4057142 https://support.microsoft.com/kb/4057142: corrects the problems of KB4056890
- KB4057144 https://support.microsoft.com/kb/4057144: corrects the problems of KB4056891
To date, these updates clear the compatibility problems. Siemens is continuing to test the effects of these updates on the SIMATIC software.
Siemens cannot yet provide definitive information about the compatibility of such updates not completely tested by Siemens. For this reason Siemens recommends installing and testing all the updates in a separate project-specific test environment prior to rolling out the updates in the productive environment.
This FAQ response will be updated as soon as new information is available.
Further information is available in entry 109754953.
Siemens continues to recommend implementing the defense-in-depth concept: https://www.siemens.com/industrialsecurity.
List of the Windows updates currently known to be affected:
- KB4056888 https://support.microsoft.com/kb/4056888
- KB4056890 https://support.microsoft.com/kb/4056890 (corrected by KB4057142)
- KB4056891 https://support.microsoft.com/kb/4056891 (corrected by KB4057144)
- KB4056892 https://support.microsoft.com/kb/4056892
- KB4056893 https://support.microsoft.com/kb/4056893
- KB4056894 https://support.microsoft.com/kb/4056894
- KB4056895 https://support.microsoft.com/kb/4056895 (corrected by KB4057401)
- KB4056896 https://support.microsoft.com/kb/4056896 (corrected by KB4057402)
- KB4056897 https://support.microsoft.com/kb/4056897
- KB4056898 https://support.microsoft.com/kb/4056898 (corrected by KB4057401)
- KB4056899 https://support.microsoft.com/kb/4056899 (corrected by KB4057402)
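The list above can be checked automatically on a WinCC PC. The following PowerShell function is an added example, not part of the Siemens FAQ: it reads the installed-update records with Get-HotFix, reports every affected update that is present, and states whether the published correction for it is recorded as installed. The table of affected updates and corrections is taken from the list above; the function name is the author's own.

```powershell
# Added example (not from the Siemens FAQ): audit a WinCC PC for the January 2018
# updates listed in the FAQ and report whether a correction is installed for each.
# Assumes it runs locally with an account that may call Get-HotFix.
function Test-January2018Updates {
    # Affected updates and their corrections, taken from the FAQ list.
    # An empty string means no correction had been published when the list was written.
    $affected = @{
        'KB4056888' = ''
        'KB4056890' = 'KB4057142'
        'KB4056891' = 'KB4057144'
        'KB4056892' = ''
        'KB4056893' = ''
        'KB4056894' = ''
        'KB4056895' = 'KB4057401'
        'KB4056896' = 'KB4057402'
        'KB4056897' = ''
        'KB4056898' = 'KB4057401'
        'KB4056899' = 'KB4057402'
    }

    # Get-HotFix lists updates recorded by Windows Update/WSUS (same source as "wmic qfe").
    # Packages installed by other means may not be recorded there, so treat "absent"
    # as "not recorded", not as proof that the package is missing.
    $installed = @(Get-HotFix | Select-Object -ExpandProperty HotFixID)

    foreach ($kb in ($affected.Keys | Sort-Object)) {
        if ($installed -notcontains $kb) { continue }   # affected update not present
        $fix = $affected[$kb]
        if ($fix -eq '') {
            [pscustomobject]@{ Update = $kb; Status = 'AFFECTED'; Correction = 'none published' }
        } elseif ($installed -contains $fix) {
            [pscustomobject]@{ Update = $kb; Status = 'corrected'; Correction = $fix }
        } else {
            [pscustomobject]@{ Update = $kb; Status = 'AFFECTED'; Correction = "$fix not installed" }
        }
    }
}

# Usage: run on the WinCC PC; an empty result means none of the listed updates is recorded.
Test-January2018Updates | Format-Table -AutoSize
```

A row with Status "AFFECTED" is the case the FAQ warns about: the update is present and no correction is recorded, so the PC should be treated as untested until the correction is installed in the test environment first.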
Note for using WinCC V7.4 with Windows 10
Generally speaking, WinCC V7.4 is tested and released for use with Microsoft Windows 10 (64-bit) Professional and Enterprise.
If you are using two Ethernet cards, of which one is configured with a default gateway address and one without, the following behavior might occur. The Ethernet card without default gateway address might, after multiple attempts, stop trying to establish a connection with a communication partner via the IP protocol (when the communication partner is temporarily unavailable, for example). The communication partner then remains unreachable until the ARP cache is reset.
It might therefore happen that connections to PLCs are no longer established automatically after a long disconnection.
Download the Microsoft update KB3156387. This update clears the problem.
If you are using WinCC V7.4 SP1, you can also upgrade to version 1607 of Windows 10 (with the latest available KB). This also clears the problem.
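The constellation described above (one Ethernet card with an IPv4 default gateway, one without) can be recognised from the adapter configuration. The following PowerShell function is an added example and not part of the Siemens FAQ; it lists the adapters of both kinds and reports whether KB3156387 is recorded as installed. It assumes Windows 8.1/10 or Windows Server 2012 R2 or later, because Get-NetIPConfiguration is not available on Windows 7; the function name is the author's own.

```powershell
# Added example (not from the Siemens FAQ): report whether this PC matches the
# two-adapter constellation described in the FAQ and whether KB3156387 is installed.
# Assumes Windows 8.1/10 or Server 2012 R2+ (Get-NetIPConfiguration is not on Windows 7).
function Test-GatewayConstellation {
    # Only adapters that are up and carry an IPv4 address take part in the IP connections
    # to PLCs that the FAQ describes.
    $adapters = Get-NetIPConfiguration | Where-Object {
        $_.NetAdapter.Status -eq 'Up' -and $_.IPv4Address
    }
    $withGw    = @($adapters | Where-Object { $_.IPv4DefaultGateway })
    $withoutGw = @($adapters | Where-Object { -not $_.IPv4DefaultGateway })

    # KB3156387 is the update the FAQ names as the fix; Get-HotFix reads the
    # installed-update records, so "not installed" means "not recorded there".
    $fixInstalled = [bool](Get-HotFix -Id 'KB3156387' -ErrorAction SilentlyContinue)

    [pscustomobject]@{
        AdaptersWithGateway    = ($withGw    | ForEach-Object { $_.InterfaceAlias }) -join ', '
        AdaptersWithoutGateway = ($withoutGw | ForEach-Object { $_.InterfaceAlias }) -join ', '
        ConstellationMatches   = ($withGw.Count -ge 1 -and $withoutGw.Count -ge 1)
        KB3156387Installed     = $fixInstalled
    }
}

Test-GatewayConstellation | Format-List
```

If ConstellationMatches is true and KB3156387Installed is false, the PC is exposed to the behavior described above: a PLC connection over the adapter without default gateway may stay down after a long disconnection until the ARP cache is reset or the update is installed.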
Update/Patches - Patch day
These updates/patches are usually issued on the second Tuesday of each month, the so-called "Patch Tuesday". Microsoft divides the updates into numerous classifications. To ensure that SIMATIC WinCC runs securely and stably, you only need to install the updates of the following classifications:
- Security Updates
- Critical Updates
- Definition Updates
We recommend installing all the available updates of the named classifications to ensure that the system is protected.
Additional software installed on your system can mean that more updates are installed than were covered by our tests. Nothing can be said about the compatibility of these additional updates. We recommend the following sequence:
- Installation of all the updates in a separate project-specific test environment
- Roll-out of the updates in the productive environment
Some time ago Microsoft changed the Windows Update procedure for Windows 7 and for Windows 8.1 and higher. Separate updates (KBs) are no longer delivered; instead, cumulative roll-up packages, the so-called "Monthly Rollups", are delivered. Each of these updates includes the updates of the previous month.
The setting options for Windows Update have also changed: by default you now have to install the complete packages and can no longer select specific classifications.
You have to use the Microsoft Windows Server Update Service (WSUS) to install single classifications of your choice.
Recommended procedure for patch management with the WSUS
Go to the Microsoft web pages for detailed instructions for installing and configuring the WSUS.
- Microsoft WSUS: Prepare for Your WSUS Deployment
- Microsoft WSUS: Install the WSUS Server Role
- Microsoft WSUS: Configure WSUS
- Microsoft WSUS: Approve and Deploy WSUS Updates
- Microsoft Security Bulletins English
A detailed description of how to install and operate a WSUS in WinCC plants is available in Entry ID: 109754089.
If you wish to continue running your WinCC plant without installing a WSUS, you can do this by disconnecting from the internet. In this case you must nevertheless ensure that the computers receive the necessary updates.
You might experience the consequences below if you do not use WSUS.
- There might be an unscheduled shutdown of the WinCC system.
- There might be unscheduled installation of all the packages provided by Microsoft.
These are reasons why we do not recommend running a continuous production plant without WSUS.
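The two consequences above follow from the Windows Update client policy of the PC: a client that is not bound to a WSUS server receives every package Microsoft offers, and a client allowed to install and reboot automatically can stop the WinCC system at an unplanned time. The following PowerShell function is an added example, not part of the Siemens FAQ or the linked Microsoft documentation; it reads the documented Windows Update policy values under HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate (WUServer, UseWUServer, AUOptions, NoAutoRebootWithLoggedOnUsers) and reports findings. Which values count as a finding is the author's choice: no WSUS binding, AUOptions 4 (automatic scheduled installation) and a missing NoAutoRebootWithLoggedOnUsers are flagged.

```powershell
# Added example (not from the Siemens FAQ): read the Windows Update client policy of
# this PC and report whether it is bound to a WSUS server and whether automatic
# installation or reboot is allowed. Values are read only; nothing is changed.
function Get-WuClientPolicyReport {
    $wuKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
    $auKey = Join-Path $wuKey 'AU'

    # Read one policy value; $null when the key or value is absent (no policy set).
    function Read-Policy($key, $name) {
        if (Test-Path $key) {
            (Get-ItemProperty -Path $key -Name $name -ErrorAction SilentlyContinue).$name
        }
    }

    $wuServer     = Read-Policy $wuKey 'WUServer'
    $useWuServer  = Read-Policy $auKey 'UseWUServer'
    $auOptions    = Read-Policy $auKey 'AUOptions'
    $noAutoReboot = Read-Policy $auKey 'NoAutoRebootWithLoggedOnUsers'

    # Findings correspond to the two consequences the FAQ names for running without WSUS.
    $findings = @()
    if ($useWuServer -ne 1 -or [string]::IsNullOrEmpty($wuServer)) {
        $findings += 'Not bound to a WSUS server: every package Microsoft offers will be installed.'
    }
    if ($auOptions -eq 4) {
        $findings += 'AUOptions=4: updates are installed automatically on the scheduled day.'
    }
    if ($noAutoReboot -ne 1) {
        $findings += 'NoAutoRebootWithLoggedOnUsers not set: an automatic reboot can stop WinCC.'
    }
    if (-not $findings) { $findings = @('no findings') }

    [pscustomobject]@{
        WUServer                      = $wuServer
        UseWUServer                   = $useWuServer
        AUOptions                     = $auOptions
        NoAutoRebootWithLoggedOnUsers = $noAutoReboot
        Findings                      = $findings
    }
}

Get-WuClientPolicyReport | Format-List
```

The report is meant for checking, not for setting policy: in a WinCC plant these values are normally distributed by Group Policy together with the WSUS configuration described in Entry ID 109754089, and a local change would be overwritten at the next policy refresh.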
In rare cases it might happen that in our tests an update has a negative influence on our software. This is noted in the following list in the "Test Result" field. Furthermore, we inform you as fast as possible by newsletter of any indications and the resulting remedies.
Excel file: updates with negative influence
security_patches_failed.xlsx (13.3 KB)
Important note on SQL server 2014 SP2 (KB3171021)
It is not recommended to install the Service Pack with WinCC version V7.4 or lower. Service Pack 2 is released only for WinCC Version V7.4 SP1 and higher.
- To find out which Microsoft Patches are installed on the PC, refer to Entry ID: 48844294.
- These guidelines apply only for WinCC V6.0 SP4 and higher.
The procedure described above does not apply to new Microsoft Service Packs, which still require an explicit release for use. If the patches require a higher version of the Microsoft software, refer to the "WinCC Install Notes" or Entry ID 64847781 to check whether these higher versions of the software or Service Packs are released for SIMATIC WinCC.
More precise information about Industrial Security in connection with WinCC software in the WinCC Security Concept is available in Entry ID: 60119725.
Windows Update Service, Security Patch, 109482899