MS16-xxx and later patches are being shown as 'Not Applicable' while evaluating Windows 2012 R2 assets using Control Compliance Suite 11.x Patch Assessment Standard.
Note: On Windows 2012 R2 server, there is dependency on particular KB(2919355) for detecting latest patches. We need to install the patch from KB2919355 and then it detects all the later patches on the system and also installs them. Refer following link: https://support.microsoft.com/en-in/kb/3057448 Here are excerpts from the webpage:
"Missing prerequisite update Some updates require a prerequisite update before they can be applied to a system. If you are missing a prerequisite update, you may encounter this error message. For example, KB 2919355 must be installed on Windows 8.1 and Windows Server 2012 R2 computers before many of the updates that were released after April 2014 can be installed". To install KB 2919355, there is pre-requisite of installing KB2919442. Here are links for the downloads:
The issue exists despite having the aforesaid patch installed along with latest Patch Assessment Content Update (PACU)
Check if file named ‘DomainName_Machinename.zip’ can be seen at ‘%CCS_INSTALL_DIRECTORY%\Reporting and Analytics\DPS\control\Windows\Data'. If yes, delete this file and do data collection again. It’s cached data collection file which stores stale patch assessment data of the target. This is default product behavior and can be overridden by altering the platform setting for windows snap-in. Here are the steps:
1. Open ConfigurationSettings.xml at location <CCS_INSTALL_DIR>\DPS\Control\Windows folder.
2. Add below mentioned platform setting at the end of the xml:
3. Restart CCS Manager and DPS services.
4. Run patch assessment job and it will always fetch fresh data from the target instead of referring it from the <CCS_INSTALL_DIR>\DPS\Control\Windows\Data folder