Channel: Ivanti User Community : All Content - Patch Manager

How To: Manage Superseded Patches in Security and Compliance Manager


 

What is Patch Supersedence?

 

Patch supersedence is when a newer patch completely replaces an older patch: the newer patch contains all of the fixes that were in the patch it replaces.  It is usually best practice to apply only the latest patches rather than every patch.  This is mostly because of the time it takes to scan for the older patches, install them, reboot, and re-scan if you were to install all of them.

 

Why scanning only for the latest patches is a good thing

 

It is much quicker and easier to apply only the latest patch, which contains all the fixes in the patches it replaces.  In tests, disabling replaced rules has cut the scan time in half.  Another benefit is that you will have fewer patch install failures if you install only the latest patch: many Microsoft patches will fail to install if a newer patch has already been installed.

 

Viewing replaced patch definition rules

To view which patches have been replaced or replace other patches:

  • In the LDMS Console go to Tools - Security and Compliance - Patch and Compliance
  • Expand Scan
  • Click on Replaced

[Screenshot: the Replaced group under Scan in Patch and Compliance]

The Replaced group shows patches that have been replaced by a newer patch.

You will see which patch replaces it by looking at the "Replaced by" column.

It is also possible that the replaced patch itself had replaced a previous patch.  You will see that by looking at the "Replaces" column.

For example, in the above screenshot the patch 2661254v2 replaces patch 2661254, and all of its rules are replaced by MS13-095.

 

You can move all of these definitions to the "Do Not Scan" group, which is as effective as disabling the individual rules inside each patch definition.  Be aware, however, that the Replaced folder is a subfolder of the Scan group: replaced vulnerabilities show up here only while they are still set to Scan status.  If you move them to Do Not Scan, they will no longer show up in the Replaced folder.

 

In LDMS 2016, when all rules within a vulnerability are replaced, the console automatically moves that vulnerability to the Do Not Scan folder.  This is done so that vulnerabilities with no active rules are not still scanned for during vulnerability scans.

 

Partial Replaced patch definition rules

It's also possible that only some of the rules in a definition have been replaced.

[Screenshot: the Partially replaced group under Scan]

To view the partially replaced patches, click on the "Partially replaced" group.

In the above screenshot you will see that the "Replaced by" column now says "Some:" instead of "All".  This indicates that only some of the rules in the definition have been replaced.

 

Viewing rules inside a patch definition

If we double-click MS14-035 it will open and we can view the rules inside the patch definition.

[Screenshot: the rules inside the MS14-035 patch definition]

Here we can see that three rules have not been replaced and six rules have been replaced by MS14-037.

Until all the rules are replaced, it is best to leave the patch definition for MS14-035 in the Scan group, because the three unreplaced rules still need to be scanned for.

 

Manually Disabling replaced rules

There are two ways to manually disable replaced rules.

First, you can open a definition and right-click on the replaced rule and disable it.

[Screenshot: right-click menu on a replaced rule inside a definition]

Right-click on the replaced rule and click "Disable Scan".

The rule's icon will change to show a red cross.

[Screenshot: a disabled rule shown with the red cross icon]

You can also multi-select the rules and disable them all at once.

 

Using the Disable replaced rules tool

The other way to manually disable rules is to use the Disable replaced rules tool.

Click on the toolbar icon highlighted in red in the screenshot below.

[Screenshot: the Disable replaced rules toolbar icon (left) and the tool it opens (right)]

This brings up the Disable replaced rules tool, seen on the right in the above screenshot.

You can either select specific patch definitions or have the tool run against all rules.

 

How To: Use the Disable Replaced Rules Tool in Security and Compliance Manager - Video

 

Automatically disabling replaced rules

It is also possible to have replaced rules disabled automatically whenever a new patch definition that replaces them is downloaded.

Click on the Download Updates icon from the Patch and Compliance toolbar.

[Screenshot: the Download Updates icon on the Patch and Compliance toolbar]

 

  1. From the Download updates tool, click the "Definition group settings" button.
    [Screenshot: the Definition group settings button in the Download updates tool]
    This will open up the Definition group settings tool.
  2. Click on New.
    [Screenshot: Definition group settings, first tab]
  3. Set the Definition Type to Vulnerabilities
  4. Set Severity to Any
  5. On the "Scan" tab select "Assign scan status" and "Disable any rules this definition replaces"
    [Screenshot: Definition group settings, Scan tab]
  6. Click OK.

 

This definition group setting causes any replaced rules to be disabled as soon as their replacement is downloaded.  This way the replaced rules are handled automatically and only the latest patch definitions are scanned for.

