This website uses cookies. By clicking Accept, you consent to the use of cookies. Click Here to learn more about how we use cookies.
Accept
Reject
Community FAQ
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 

Microsoft Patch Tuesday - December 2025

2 weeks ago

December Patch Tuesday lands with 132 fixes, including 2 critical and 1 actively exploited.

This month’s highlights:

  • Cloud Files Mini Filter Driver EoP (CVE-2025-62221) is actively exploited and grants SYSTEM.
  • Two critical Office RCEs (CVE-2025-62557, CVE-2025-62554) require no interaction and can trigger via Preview Pane.
  • Exchange EoP (CVE-2025-64666) enables admin escalation; fixes for 2016/2019 require ESU or migration.

Get the full breakdown and run the audit to find outdated devices in your network

https://www.lansweeper.com/blog/patch-tuesday/microsoft-patch-tuesday-december-2025/

1 Comment
Mister_Nobody
Honored Sweeper III
2 weeks ago
2 weeks ago

I have remastered report via AI code generator.

With BuildNumbers As (Select tblAssets.AssetID,
      Case
        When IsNumeric(tblAssets.BuildNumber) = 1 Then
          Try_Cast(tblAssets.BuildNumber As bigint)
        Else Null
      End As Buildnumber
    From tblAssets
    Where tblAssets.Assettype = -1),
  RequiredPatches As (Select Distinct qfe.AssetID
    From tblQuickFixEngineering qfe
      Inner Join tblQuickFixEngineeringUni qfeu On qfeu.QFEID = qfe.QFEID
    Where qfeu.HotFixID In (N'KB5071505', N'KB5071503')),
  SSUPatches As (Select qfe.AssetID,
      Max(Case
        When qfeu.HotFixID = N'KB5071813' Then 1
        Else 0
      End) As HasSSU2012,
      Max(Case
        When qfeu.HotFixID = N'KB5068783' Then 1
        Else 0
      End) As HasSSU2012R2
    From tblQuickFixEngineering qfe
      Inner Join tblQuickFixEngineeringUni qfeu On qfeu.QFEID = qfe.QFEID
    Group By qfe.AssetID),
  PatchStatusCTE As (Select a.AssetID,
      bn.Buildnumber,
      os.OSname,
      os.Image,
      os.OScode,
      op.Caption,
      os.OScode + N'.' + Try_Cast(bn.Buildnumber As nvarchar(50)) As FullOSCode,
      Case
        When os.OSname = N'Win 2008' Then
          N'❌ EOL, update to a higher Windows version'
        When os.OSname In (N'Win 7', N'Win 7 RC', N'Win 2008 R2') Then
          N'❌ EOL, update to a higher Windows version'
        When os.OSname = N'Win 8' Then
          N'❌ EOL, update to a higher Windows version'
        When os.OSname = N'Win 2012' And rp.AssetID = a.AssetID And
          ssu.HasSSU2012 = 1 Then N'✅ Up to date'
        When os.OSname = N'Win 8.1' Then
          N'❌ EOL, update to a higher Windows version'
        When os.OSname = N'Win 2012 R2' And rp.AssetID = a.AssetID And
          ssu.HasSSU2012R2 = 1 Then N'✅ Up to date'
        When os.OScode Like N'10.0.10240%' Then
          N'❌ EOL, update to a higher Windows version'
        When os.OScode Like N'10.0.10586%' Then
          N'❌ EOL, update to a higher Windows version'
        When (os.OScode Like N'10.0.14393%' Or
          os.OSname = N'Win 2016') And bn.Buildnumber >= 8688 Then
          N'✅ Up to date'
        When os.OScode Like N'10.0.15063%' Then
          N'❌ EOL, update to a higher Windows version'
        When os.OScode Like N'10.0.16299%' Then
          N'❌ EOL, update to a higher Windows version'
        When os.OScode Like N'10.0.17134%' Then
          N'❌ EOL, update to a higher Windows version'
        When os.OScode Like N'10.0.17763' And op.Caption Not Like N'%LTSC%' Then
          N'❌ EOL, update to a higher Windows version'
        When os.OScode Like N'10.0.17763' And op.Caption Like N'%LTSC%' And
          bn.Buildnumber >= 8146 Then N'✅ Up to date'
        When os.OScode Like N'10.0.18362%' Then
          N'❌ EOL, update to a higher Windows version'
        When os.OScode Like N'10.0.18363%' Then
          N'❌ EOL, update to a higher Windows version'
        When os.OScode Like N'10.0.19041%' Then
          N'❌ EOL, update to a higher Windows version'
        When os.OScode Like N'10.0.19042%' Then
          N'❌ EOL, update to a higher Windows version'
        When os.OScode Like N'10.0.19043%' Then
          N'❌ EOL, update to a higher Windows version'
        When os.OScode Like N'10.0.19044%' And bn.Buildnumber >= 6691 Then
          N'✅ Up to date'
        When os.OScode Like N'10.0.19045%' And bn.Buildnumber >= 6691 Then
          N'✅ Up to date'
        When os.OSname = N'Win 2019' And bn.Buildnumber >= 8146 Then
          N'✅ Up to date'
        When os.OScode Like N'10.0.20348%' And bn.Buildnumber >= 4467 Then
          N'✅ Up to date'
        When os.OScode Like N'10.0.22000%' Then
          N'❌ EOL, update to a higher Windows version'
        When os.OScode Like N'10.0.22621%' Then
          N'❌ EOL, update to a higher Windows version'
        When os.OScode Like N'10.0.22631%' And bn.Buildnumber >= 6345 Then
          N'✅ Up to date'
        When os.OScode Like N'10.0.25398%' And bn.Buildnumber >= 2025 Then
          N'✅ Up to date'
        When os.OSname Like N'Win 2025' And bn.Buildnumber >= 7392 Then
          N'✅ Up to date'
        When os.OScode Like N'10.0.26100%' And bn.Buildnumber >= 7392 Then
          N'✅ Up to date'
        When os.OScode Like N'10.0.26200%' And bn.Buildnumber >= 7392 Then
          N'✅ Up to date'
        Else N'⚠️ Out of date'
      End As [Patch status],
      Case
        When os.OSname = N'Win 2008' Then N'❌ EOL'
        When os.OSname In (N'Win 7', N'Win 7 RC', N'Win 2008 R2') Then N'❌ EOL'
        When os.OSname = N'Win 8' Then N'❌ EOL'
        When os.OSname = N'Win 8.1' Then N'❌ EOL'
        When os.OSname = N'Win 2012' And (rp.AssetID Is Null Or
          ssu.HasSSU2012 != 1) Then N'⚠️ KB5071505 + KB5071813'
        When os.OSname = N'Win 2012 R2' And (rp.AssetID Is Null Or
          ssu.HasSSU2012R2 != 1) Then N'⚠️ KB5071503 + KB5068783'
        When os.OScode Like N'10.0.10240%' Then N'❌ EOL'
        When os.OScode Like N'10.0.10586%' Then N'❌ EOL'
        When (os.OScode Like N'10.0.14393%' Or
          os.OSname = N'Win 2016') And bn.Buildnumber < 8688 Then
          N'⚠️ KB5071543'
        When os.OScode Like N'10.0.15063%' Then N'❌ EOL'
        When os.OScode Like N'10.0.16299%' Then N'❌ EOL'
        When os.OScode Like N'10.0.17134%' Then N'❌ EOL'
        When os.OScode Like N'10.0.17763' And op.Caption Not Like N'%LTSC%' Then
          N'❌ EOL'
        When os.OScode Like N'10.0.17763' And op.Caption Like N'%LTSC%' And
          bn.Buildnumber < 8146 Then N'⚠️ KB5071544'
        When os.OScode Like N'10.0.18362%' Then N'❌ EOL'
        When os.OScode Like N'10.0.18363%' Then N'❌ EOL'
        When os.OScode Like N'10.0.19041%' Then N'❌ EOL'
        When os.OScode Like N'10.0.19042%' Then N'❌ EOL'
        When os.OScode Like N'10.0.19043%' Then N'❌ EOL'
        When os.OScode Like N'10.0.19044%' And bn.Buildnumber < 6691 Then
          N'⚠️ KB5071546'
        When os.OScode Like N'10.0.19045%' And bn.Buildnumber < 6691 Then
          N'⚠️ KB5071546'
        When os.OScode Like N'10.0.19045%' And bn.Buildnumber >= 6691 Then N''
        When os.OSname = N'Win 2019' And bn.Buildnumber < 8146 Then
          N'⚠️ KB5071544'
        When os.OScode Like N'10.0.20348%' And bn.Buildnumber < 4467 Then
          N'⚠️ KB5071547 (KB5071413 for Azure)'
        When os.OScode Like N'10.0.22000%' Then N'❌ EOL'
        When os.OScode Like N'10.0.22621%' Then N'❌ EOL'
        When os.OScode Like N'10.0.22631%' And bn.Buildnumber < 6345 Then
          N'⚠️ KB5071417'
        When os.OScode Like N'10.0.25398%' And bn.Buildnumber < 2025 Then
          N'⚠️ KB5071542'
        When os.OSname = N'Win 2025' And bn.Buildnumber < 7392 Then
          N'⚠️ KB5072033 (KB5072014 for Azure)'
        When os.OScode Like N'10.0.26100%' And bn.Buildnumber < 7392 Then
          N'⚠️ KB5072033 (KB5072014 for Azure)'
        When os.OScode Like N'10.0.26200%' And bn.Buildnumber < 7392 Then
          N'⚠️ KB5072033 (KB5072014 for Azure)'
        Else N''
      End As [Install one of these updates],
      Case
        When os.OSname = N'Win 2008' Then 3
        When os.OSname In (N'Win 7', N'Win 7 RC', N'Win 2008 R2') Then 3
        When os.OSname = N'Win 8' Then 3
        When os.OSname = N'Win 2012' And rp.AssetID = a.AssetID And
          ssu.HasSSU2012 = 1 Then 1
        When os.OSname = N'Win 8.1' Then 3
        When os.OSname = N'Win 2012 R2' And rp.AssetID = a.AssetID And
          ssu.HasSSU2012R2 = 1 Then 1
        When os.OScode Like N'10.0.10240%' Then 3
        When os.OScode Like N'10.0.10586%' Then 3
        When (os.OScode Like N'10.0.14393%' Or
          os.OSname = N'Win 2016') And bn.Buildnumber >= 8688 Then 1
        When os.OScode Like N'10.0.15063%' Then 3
        When os.OScode Like N'10.0.16299%' Then 3
        When os.OScode Like N'10.0.17134%' Then 3
        When os.OScode Like N'10.0.17763' And op.Caption Not Like N'%LTSC%' Then
          3
        When os.OScode Like N'10.0.17763' And op.Caption Like N'%LTSC%' And
          bn.Buildnumber >= 8146 Then 1
        When os.OScode Like N'10.0.18362%' Then 3
        When os.OScode Like N'10.0.18363%' Then 3
        When os.OScode Like N'10.0.19041%' Then 3
        When os.OScode Like N'10.0.19042%' Then 3
        When os.OScode Like N'10.0.19043%' Then 3
        When os.OScode Like N'10.0.19044%' And bn.Buildnumber >= 6691 Then 1
        When os.OScode Like N'10.0.19045%' And bn.Buildnumber >= 6691 Then 1
        When os.OSname = N'Win 2019' And bn.Buildnumber >= 8146 Then 1
        When os.OScode Like N'10.0.20348%' And bn.Buildnumber >= 4467 Then 1
        When os.OScode Like N'10.0.22000%' Then 3
        When os.OScode Like N'10.0.22621%' Then 3
        When os.OScode Like N'10.0.22631%' And bn.Buildnumber >= 6345 Then 1
        When os.OScode Like N'10.0.25398%' And bn.Buildnumber >= 2025 Then 1
        When os.OSname Like N'Win 2025' And bn.Buildnumber >= 7392 Then 1
        When os.OScode Like N'10.0.26100%' And bn.Buildnumber >= 7392 Then 1
        When os.OScode Like N'10.0.26200%' And bn.Buildnumber >= 7392 Then 1
        Else 2
      End As StatusColor
    From tblAssets a
      Inner Join tsysOS os On os.OScode = a.OScode
      Inner Join tblOperatingsystem op On op.AssetID = a.AssetID
      Left Join BuildNumbers bn On a.AssetID = bn.AssetID
      Left Join RequiredPatches rp On a.AssetID = rp.AssetID
      Left Join SSUPatches ssu On a.AssetID = ssu.AssetID),
  LatestPatches As (Select qfe.AssetID,
      Max(Case
        When IsNumeric(Right(qfeu.HotFixID, 7)) = 1 Then
          Try_Cast(Right(qfeu.HotFixID, 7) As bigint)
        Else Null
      End) As PatchIDMax,
      Max(Try_Cast(qfe.installedon As date)) As InstalledOn
    From tblQuickFixEngineering qfe
      Inner Join tblQuickFixEngineeringUni qfeu On qfeu.QFEID = qfe.QFEID
    Where Right(qfeu.HotFixID, 7) Not Like N'%[^0-9]%' And
      IsDate(qfe.installedon) = 1
    Group By qfe.AssetID),
  QuickFixScans As (Select Distinct ls.AssetID,
      ls.Lasttime As QuickFixLastScanned
    From TsysWaittime wt
      Inner Join TsysLastscan ls On wt.CFGCode = ls.CFGcode
    Where wt.CFGname = N'QUICKFIX'),
  ScanErrors As (Select e.AssetID,
      Max(e.Teller) As ErrorID
    From tblErrors e
    Group By e.AssetID),
  LastReboot As (Select rankedEvents.AssetId,
      rankedEvents.EventTime
    From (Select tblUptime.AssetId,
          tblUptime.EventTime,
          Row_Number() Over (Partition By tblUptime.AssetId Order By
          tblUptime.EventTime Desc) As rn
        From tblUptime
        Where tblUptime.EventType = 1 And IsDate(tblUptime.EventTime) =
          1) As rankedEvents
    Where rankedEvents.rn = 1)
Select Distinct Top 1000000 Coalesce(ps.Image, [at].AssetTypeIcon10) As icon,
  a.AssetID,
  a.AssetName,
  a.Domain,
  ps.[Patch status],
  Case
    When cs.Domainrole > 1 Then N'Server'
    Else N'Workstation'
  End As [Workstation/Server],
  ps.OSname As OS,
  a.SP,
  a.Version As hyperlink_name_Version,
  N'./report.aspx?det=Web50GetOSVersion&title=' + ps.OSname +
  N' computers with version ' + a.Version + N'&@OS=' + ps.OSname +
  N'&@version=' + a.Version As hyperlink_Version,
  ps.FullOSCode As hyperlink_name_Buildnumber,
  N'./report.aspx?det=Web50GetOSBuild&title=' + ps.OSname +
  N' computers with build ' + ps.FullOSCode + N'&@OS=' + ps.OSname +
  N'&@build=' + ps.FullOSCode As hyperlink_Buildnumber,
  Try_Cast(lp.PatchIDMax As nvarchar(50)) As
  hyperlink_name_HighestKBPatchInstalled,
  N'/hardware.aspx?AssetID=' + Try_Cast(a.AssetID As nvarchar(max)) +
  N'&maindet=windows&cfgname=quickfix&subdet=quickfix' As
  hyperlink_HighestKBPatchInstalled,
  Format(lp.InstalledOn, 'yyyy-MM-dd') As hyperlink_name_InstalledOn,
  N'/hardware.aspx?AssetID=' + Try_Cast(a.AssetID As nvarchar(max)) +
  N'&maindet=windows&cfgname=quickfix&subdet=quickfix' As hyperlink_InstalledOn,
  ps.[Install one of these updates],
  Case
    When ps.StatusColor = 1 Then N''
    When Try_Cast(lr.EventTime As date) = Try_Cast(lp.InstalledOn As date) Then
      N'⚠️ Reboot might be required'
    When Try_Cast(lr.EventTime As date) < Try_Cast(lp.InstalledOn As date) Then
      N'🔴 Reboot is required'
    Else N''
  End As [Reboot Status],
  a.Userdomain,
  a.Username As hyperlink_name_Username,
  N'/User.aspx?username=' + a.Username + N'&userdomain=' + a.Userdomain As
  hyperlink_Username,
  a.IPAddress,
  ipl.IPLocation,
  ac.Manufacturer,
  ac.Model,
  s.Statename As State,
  a.Lastseen,
  a.Lasttried,
  Format(qfs.QuickFixLastScanned, 'yyyy-MM-dd HH:mm:ss') As
  hyperlink_name_QuickFixLastScanned,
  N'/hardware.aspx?AssetID=' + Try_Cast(a.AssetID As nvarchar(max)) +
  N'&maindet=windows&cfgname=quickfix&subdet=quickfix' As
  hyperlink_QuickFixLastScanned,
  Case
    When e.ErrorText Is Not Null And LTrim(RTrim(e.ErrorText)) != N'' Then
      N'❌ Scanning Error: ' + aet.ErrorMsg
    Else N''
  End As ScanningErrors,
  Try_Cast(DateDiff(day, qfs.QuickFixLastScanned, GetDate()) As nvarchar(10)) +
  N' days ago' As WindowsUpdateInfoLastScanned,
  Case
    When DateDiff(day, qfs.QuickFixLastScanned, GetDate()) > 3 Then
      N'⚠️ Windows update information may not be up to date. We recommend rescanning this machine.'
    Else N''
  End As Comment,
  Case
    When ps.StatusColor = 1 Then N'LightGreen'
    When ps.StatusColor = 3 Then N'LightCoral'
    When Try_Cast(lr.EventTime As date) < Try_Cast(lp.InstalledOn As date) Then
      N'SandyBrown'
    When Try_Cast(lr.EventTime As date) = Try_Cast(lp.InstalledOn As date) Then
      N'LightGoldenRodYellow'
    When ps.StatusColor = 2 Then N'LightYellow'
    When DateDiff(day, qfs.QuickFixLastScanned, GetDate()) > 3 Then
      N'LightSalmon'
    Else N'White'
  End As backgroundcolor,
  N'Black' As foregroundcolor
From tblAssets a
  Inner Join tblAssetCustom ac On a.AssetID = ac.AssetID
  Inner Join tsysAssetTypes [at] On [at].AssetType = a.Assettype
  Inner Join tblState s On s.State = ac.State
  Inner Join tblComputersystem cs On a.AssetID = cs.AssetID
  Inner Join PatchStatusCTE ps On a.AssetID = ps.AssetID
  Left Join LatestPatches lp On a.AssetID = lp.AssetID
  Left Join QuickFixScans qfs On a.AssetID = qfs.AssetID
  Left Join ScanErrors se On a.AssetID = se.AssetID
  Left Join tblErrors e On se.ErrorID = e.Teller
  Left Join tsysasseterrortypes aet On aet.Errortype = e.ErrorType
  Left Join LastReboot lr On a.AssetID = lr.AssetId
  Left Join tsysIPLocations ipl On a.IPNumeric >= ipl.StartIP And
      a.IPNumeric <= ipl.EndIP
Where ps.OSname != N'Win 2000 S' And ps.OSname Not Like N'%XP%' And
  ps.OSname Not Like N'%2003%' And ac.State = 1 And
  [at].AssetTypename Like N'Windows%'
Order By a.Domain,
  a.AssetName

Report Enhancements Overview

 

The report has been enhanced with the following new features for improved usability and faster analysis:

 

  1. Advanced Color-Coding System: The report now uses a sophisticated background color system to provide an immediate visual status for each asset. The colors are:

    • LightGreen: Indicates the system is fully up-to-date and in a healthy state.
    • LightCoral: Flags critical issues, such as End-of-Life (EOL) operating systems.
    • SandyBrown: Highlights that a system reboot is required after updates.
    • LightGoldenRodYellow: Indicates a reboot might be required.
    • LightYellow: Shows that installed patches are out of date.
    • LightSalmon: Warns that the Windows update information is stale and may not be current.

  2. Interactive Links for Deep-Dive Analysis: Key data points are now clickable hyperlinks, allowing for quick navigation to detailed reports. These links have been added to:

    • Version: Opens a report of all computers with that specific OS version.
    • Buildnumber: Opens a report of all computers with that specific OS build.
    • Patch and Scan Information: Three separate columns all provide a direct shortcut to the same destination: the detailed patch history page for that specific asset. The linked columns are:
      • Highest KB Patch installed
      • Installed On
      • QuickFixLastScanned
    • Username: Opens the page for that specific user.

  3. Emojis for Instant Visual Assessment: Emojis have been integrated into key status columns to provide a quick, at-a-glance summary without needing to read the full text. You will find them in:

    • Patch status: for "Up to date", for "EOL", and ⚠️ for "Out of date".
    • Install one of these updates: ⚠️ to draw attention to required patches.
    • Reboot Status: 🔴 for "Reboot is required" and ⚠️ for "Reboot might be required".
    • Scanning Errors & Comments: To quickly identify and highlight issues.

 

About the author

Mister_Nobody
Honored Sweeper III
440 933 109
View Profile

New to Lansweeper?

Try Lansweeper For Free

Experience Lansweeper with your own data.
Sign up now for a 14-day free trial.

Try Now
Popular Articles