How do you handle Service Stack updates?

During our current implementation, we ran into an issue where there were Service Stack updates required on some systems before they could accurately report outstanding patches/apply patches.

An update to the SSU on the given systems proved to solve the discrepancies, but leaves us with an interesting gap to fill…

How can we maintain (preferably automate) updated SSU on our endpoints? Should this be automation attached as a ‘pre-step’ that needs to be executed before our scheduled patch windows? Or can this be rolled out as a daily check policy that will auto-execute whenever a new update becomes relevant (since this doesn’t require a reboot, but will our customers align)?

How are you handling Service Stack updates?


Hi. You could try setting up a patch-only policy that runs every day before anything else is allowed to patch. Something like this should work. If you have any questions feel free to hit us up at


I’d echo Jason Goode’s recommendation. I’ve done that for both the servicing stack updates and Windows Defender. If memory serves, I recall Microsoft highly recommending the servicing stack updates are installed prior to installing the cumulative update. I think that by doing a daily patch for those two, by the time my devices start the regularly scheduled patching, they are good to go on both.
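
The daily pre-step discussed in this thread, as an added example that is not part of any post above and not any patching product's own code: a PowerShell script that asks the Windows Update Agent for pending servicing stack updates and installs only those, returning a non-zero exit code if the regular patch run should wait. It assumes the script runs elevated and that standalone SSUs carry "Servicing Stack Update" in their title; `Install-PendingSsu` is a hypothetical name.

```powershell
# Added example. Assumptions: runs elevated; standalone SSUs are offered with
# "Servicing Stack Update" in the title. Install-PendingSsu is a hypothetical name.
function Install-PendingSsu {
    [CmdletBinding()]
    param([string]$TitlePattern = 'Servicing Stack Update')

    $session  = New-Object -ComObject Microsoft.Update.Session
    $searcher = $session.CreateUpdateSearcher()

    # Ask the Windows Update Agent for applicable software updates not yet installed.
    $found = $searcher.Search("IsInstalled=0 and Type='Software'")
    $ssus  = @($found.Updates | Where-Object { $_.Title -match $TitlePattern })

    if ($ssus.Count -eq 0) {
        Write-Host 'No pending servicing stack update.'
        return 0
    }

    # Build a collection holding only the SSUs so nothing else is installed here.
    $batch = New-Object -ComObject Microsoft.Update.UpdateColl
    foreach ($u in $ssus) {
        Write-Host "Pending: $($u.Title)"
        if (-not $u.EulaAccepted) { $u.AcceptEula() }
        [void]$batch.Add($u)
    }

    $downloader = $session.CreateUpdateDownloader()
    $downloader.Updates = $batch
    [void]$downloader.Download()

    $installer = $session.CreateUpdateInstaller()
    $installer.Updates = $batch
    $result = $installer.Install()

    # OperationResultCode: 2 = Succeeded, 3 = SucceededWithErrors, 4 = Failed, 5 = Aborted
    Write-Host "Result code: $($result.ResultCode); reboot required: $($result.RebootRequired)"
    if ($result.ResultCode -eq 2) { return 0 } else { return 1 }
}

# Exit code 0 means the servicing stack is current and regular patching can proceed.
exit (Install-PendingSsu)
```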