Two layers: OS and third-party software
Windows Update handles OS patches, drivers (partially), and Microsoft apps. It does not handle Chrome, Firefox, Acrobat, VLC, 7-Zip, Node.js, Java, or the hundred other programmes installed on a real machine. Nothing central updates that second layer, so it is where unpatched vulnerabilities accumulate on a typical machine. Browsers are a particularly high-value target because they execute untrusted code by design: every page you open runs attacker-chosen JavaScript.
Short version: you need to cover both layers. One without the other is not enough.
Windows Update: enable automatic updates
Open Settings, go to Windows Update, and click Advanced options. Two toggles matter here:
- Enable "Receive updates for other Microsoft products" so that Office, Edge, and similar apps stay current.
- Enable "Download updates over metered connections" if you work from a laptop on mobile data.
Windows Update distinguishes between two types of updates. Feature updates are new Windows versions (e.g. 23H2 to 24H2); deferring those by a few weeks is safe and lets other people find the regressions first. Security updates are a different matter. Do not defer them: attackers diff the patched binaries the day after Microsoft publishes what they fixed. One caveat: the "Pause updates" button in Settings pauses everything for 1-5 weeks, security updates included. Deferring only feature updates is done through the Group Policy setting for feature-update deferral (Pro and above), not the pause button.
To check update status from PowerShell, you need the PSWindowsUpdate module. It is not installed by default:
# Install the PSWindowsUpdate module (once)
Install-Module PSWindowsUpdate -Force
# Check pending updates
Get-WindowsUpdate
# winget lists upgradable third-party apps, not OS patches (see the winget section below);
# --include-unknown also lists packages whose installed version winget could not determine
winget upgrade --include-unknown
Install-Module installs for all users by default, which needs an elevated PowerShell; add -Scope CurrentUser to install without admin rights (installing updates with Install-WindowsUpdate still needs elevation). The -Force switch skips the prompt about PowerShell Gallery being an untrusted repository. PSWindowsUpdate is a community module published on PowerShell Gallery, not Microsoft's own. Before installing, run Find-Module PSWindowsUpdate and check the author and download count, so you are pulling the well-known module and not a similarly named one.
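If you would rather not install anything from PowerShell Gallery, the Windows Update Agent exposes the same information through a COM API that ships with Windows. The script below is an added example, not part of the original guide: it checks the "other Microsoft products" opt-in (the fixed service ID is Microsoft Update's), lists pending updates with their MSRC severity, and finds the last successful install. The 35-day threshold is an assumption (one missed Patch Tuesday plus a week of slack). Run it in an elevated PowerShell session.

```powershell
# Added example (not from the original guide): check Windows Update health through
# the Windows Update Agent's COM API, which is built into Windows, so nothing from
# PowerShell Gallery is needed. Run in an elevated PowerShell session.

# Is "Receive updates for other Microsoft products" on? That toggle registers the
# Microsoft Update service (fixed service ID below) with Automatic Updates.
function Test-MicrosoftUpdateOptIn {
    $muServiceId = '7971f918-a847-4430-9279-4a52d1efe18d'
    $mgr = New-Object -ComObject Microsoft.Update.ServiceManager
    [bool]($mgr.Services | Where-Object { $_.ServiceID -eq $muServiceId -and $_.IsRegisteredWithAU })
}

# Updates the agent knows about but has not installed (and the user has not hidden).
function Get-PendingUpdate {
    $searcher = (New-Object -ComObject Microsoft.Update.Session).CreateUpdateSearcher()
    $result   = $searcher.Search('IsInstalled=0 and IsHidden=0')
    foreach ($u in $result.Updates) {
        [pscustomobject]@{
            Title      = $u.Title
            KB         = @($u.KBArticleIDs | ForEach-Object { "KB$_" }) -join ','
            # MsrcSeverity is Critical/Important/Moderate/Low for security updates, empty otherwise
            Severity   = if ($u.MsrcSeverity) { $u.MsrcSeverity } else { '-' }
            Downloaded = $u.IsDownloaded
        }
    }
}

# Date of the most recent successful installation in the agent's history.
function Get-LastSuccessfulInstall {
    $searcher = (New-Object -ComObject Microsoft.Update.Session).CreateUpdateSearcher()
    $count = $searcher.GetTotalHistoryCount()
    if ($count -eq 0) { return $null }
    # Operation 1 = installation, ResultCode 2 = succeeded (wuapi enums)
    $searcher.QueryHistory(0, $count) |
        Where-Object { $_.Operation -eq 1 -and $_.ResultCode -eq 2 } |
        Sort-Object Date -Descending |
        Select-Object -First 1 -Property Date, Title
}

# Summary in checklist form. MaxDaysSinceInstall = 35 is an assumption: one missed
# Patch Tuesday plus a week of slack.
function Get-WindowsUpdateStatus {
    param([int]$MaxDaysSinceInstall = 35)
    $optIn     = Test-MicrosoftUpdateOptIn
    $pending   = @(Get-PendingUpdate)
    $security  = @($pending | Where-Object { $_.Severity -in 'Critical', 'Important' })
    $last      = Get-LastSuccessfulInstall
    $daysSince = if ($last) { (New-TimeSpan -Start $last.Date -End (Get-Date)).Days } else { $null }
    [pscustomobject]@{
        MicrosoftUpdateEnabled = $optIn
        PendingUpdates         = $pending.Count
        PendingSecurityUpdates = $security.Count
        DaysSinceLastInstall   = $daysSince
        Ok = $optIn -and $security.Count -eq 0 -and
             $null -ne $daysSince -and $daysSince -le $MaxDaysSinceInstall
    }
}

Get-WindowsUpdateStatus | Format-List
Get-PendingUpdate | Format-Table -AutoSize
```

Ok comes out false if the opt-in is missing, if any Critical or Important update is waiting, or if nothing has installed successfully in the last five weeks. Search() talks to Microsoft's servers (or your WSUS) and can take a minute; it throws rather than returning an empty list if the machine cannot reach them, which is itself worth knowing.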
Find vulnerable third-party software with VulnDetect
VulnDetect is made by SecTeer ApS, a Danish cybersecurity company. It scans all installed applications against the CVE database and flags what needs patching, including CVSS severity scores. It is free for private users and has replaced Secunia PSI as the go-to tool for this job.
Download it from vulndetect.com. Run a scan. The results show CVE IDs, CVSS scores, and which version fixes the issue.
CVSS (Common Vulnerability Scoring System) is a 0-10 severity score. The specification is maintained by FIRST, not NIST; NIST's National Vulnerability Database at nvd.nist.gov assigns and publishes scores for most CVEs (recent entries can sit unscored while NVD catches up). VulnDetect shows the score next to each finding. Use it to prioritise:
- 9.0-10.0 (Critical): patch today.
- 7.0-8.9 (High): patch within the week.
- 4.0-6.9 (Medium): next maintenance window.
- Below 4.0 (Low): when convenient.
Scores below 7 are not ignorable, but they are not on fire. Scores of 9 and above are. Keep in mind that the base score rates the flaw in the abstract: a 6.5 in a browser that renders untrusted pages all day can matter more than an 8.0 in a tool that never sees hostile input.
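The tiers above are easy to apply by hand for a handful of findings; for a longer VulnDetect report it helps to script them and to confirm a score against NVD directly. The following is an added example, not code from the original guide or from VulnDetect: it maps a score to a tier and due date, parses an NVD API 2.0 record (preferring CVSS v3.1, then v3.0, then v2), and looks a CVE up live. The NVD endpoint and JSON field names are the public API's; the sample record is constructed in that shape, carrying NVD's real v3.1 data for CVE-2021-44228, so the parser can be exercised offline.

```powershell
# Added example (not from the original guide): map a CVSS base score to the four
# tiers above, and pull a score from NVD so a CVE ID from a VulnDetect report can
# be checked against the public database.

function Get-PatchPriority {
    param([Parameter(Mandatory)][double]$Score, [datetime]$Now = (Get-Date))
    if     ($Score -ge 9.0) { $tier = 'Critical'; $due = $Now.Date.ToString('yyyy-MM-dd') }
    elseif ($Score -ge 7.0) { $tier = 'High';     $due = $Now.Date.AddDays(7).ToString('yyyy-MM-dd') }
    elseif ($Score -ge 4.0) { $tier = 'Medium';   $due = 'next maintenance window' }
    else                    { $tier = 'Low';      $due = 'when convenient' }
    [pscustomobject]@{ Score = $Score; Tier = $tier; Due = $due }
}

# Pull the base score out of an NVD API 2.0 record. Prefer CVSS v3.1, then v3.0,
# then v2: older CVEs were often never rescored under v3.
function ConvertFrom-NvdRecord {
    param([Parameter(Mandatory)]$Record)
    $cve = @($Record.vulnerabilities)[0].cve
    if (-not $cve) { throw 'NVD returned no record for that CVE ID' }
    foreach ($key in 'cvssMetricV31', 'cvssMetricV30', 'cvssMetricV2') {
        $metric = @($cve.metrics.$key) | Select-Object -First 1
        if ($metric) {
            return [pscustomobject]@{
                CveId   = $cve.id
                Version = $metric.cvssData.version
                Vector  = $metric.cvssData.vectorString
                Score   = [double]$metric.cvssData.baseScore
            }
        }
    }
    throw "No CVSS metrics for $($cve.id): NVD has not analysed it yet"
}

# Live lookup against NVD. Unauthenticated clients get 5 requests per rolling
# 30 seconds, so sleep between calls when scoring a whole report.
function Get-CveScore {
    param([Parameter(Mandatory)][string]$CveId)
    $uri = "https://services.nvd.nist.gov/rest/json/cves/2.0?cveId=$CveId"
    ConvertFrom-NvdRecord (Invoke-RestMethod -Uri $uri -Method Get)
}

# Constructed sample in the shape of an NVD API 2.0 response, carrying NVD's real
# v3.1 data for CVE-2021-44228 (Log4Shell), so the parser runs offline.
$sample = @'
{ "vulnerabilities": [ { "cve": { "id": "CVE-2021-44228", "metrics": {
  "cvssMetricV31": [ { "source": "nvd@nist.gov", "type": "Primary",
    "cvssData": { "version": "3.1",
      "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H",
      "baseScore": 10.0, "baseSeverity": "CRITICAL" } } ] } } } ] }
'@ | ConvertFrom-Json

$finding = ConvertFrom-NvdRecord $sample
Get-PatchPriority -Score $finding.Score
```

Replace the sample with Get-CveScore 'CVE-...' for a live record. A CVE that NVD has received but not yet analysed has no metrics block at all; the parser throws rather than silently filing it under Low, because "unscored" is not the same as "harmless".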
Patch third-party software with winget
winget is built into Windows 10 (1709 and later) and 11 via App Installer. One command updates everything winget has a package for:
# See what can be updated
winget upgrade
# Update all installed software
winget upgrade --all
# Update a specific app
winget upgrade --id Google.Chrome
Not all apps are in winget's repository. VulnDetect identifies exactly what winget misses. Those you update manually or through the app's own updater.
Chocolatey is an alternative, primarily used in IT-professional setups and scripts. For a single Windows machine at home, winget is the simpler choice because it comes pre-installed.
When is good enough actually good enough?
No machine is ever fully patched. New CVEs are published daily. The realistic goal is eliminating High and Critical findings and having a process for the rest. A machine with no CVSS 7+ findings is not a soft target. Do not chase perfection. Chase the top of the list.
winget upgrade --all, then a VulnDetect scan: about 30 minutes.
Checklist
- Windows Update is on, automatic, no exceptions for security updates.
- "Other Microsoft products" is enabled in Windows Update.
- VulnDetect scan has been run and no Critical/High findings are unresolved.
- winget upgrade --all has been run.
- Browsers are up to date. Chrome, Firefox, and Edge update themselves, but verify that this is actually happening.
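"Verify that this is actually happening" is the step people skip. The script below is an added example, not from the original guide: it reads each browser's installed version and the age of its binary, and checks that its update service exists and is not disabled. The install paths are the default per-machine and per-user locations, the service names are the ones the browsers install (Chrome's legacy gupdate or the newer GoogleUpdaterService, Edge's edgeupdate, Firefox's optional MozillaMaintenance), and the 45-day limit assumes a release cadence of about four weeks plus slack. All three are assumptions to adjust for your machine.

```powershell
# Added example (not from the original guide): verify that the browsers' own
# updaters are actually keeping them current. Install paths, service names and
# MaxAgeDays are assumptions about a default Windows install; adjust as needed.

function Test-BrowserUpdate {
    param([int]$MaxAgeDays = 45)
    $browsers = @(
        @{ Name = 'Chrome'
           Paths = @("$env:ProgramFiles\Google\Chrome\Application\chrome.exe",
                     "$env:LOCALAPPDATA\Google\Chrome\Application\chrome.exe")
           # legacy Google Update service, or the newer GoogleUpdaterService<version>
           Services = @('gupdate', 'GoogleUpdaterService*') }
        @{ Name = 'Edge'
           Paths = @("${env:ProgramFiles(x86)}\Microsoft\Edge\Application\msedge.exe")
           Services = @('edgeupdate') }
        @{ Name = 'Firefox'
           Paths = @("$env:ProgramFiles\Mozilla Firefox\firefox.exe",
                     "$env:LOCALAPPDATA\Mozilla Firefox\firefox.exe")
           # optional: Firefox still updates without it, but prompts for elevation
           Services = @('MozillaMaintenance') }
    )
    foreach ($b in $browsers) {
        $exe = $b.Paths | Where-Object { Test-Path -LiteralPath $_ } | Select-Object -First 1
        if (-not $exe) { continue }   # not installed, nothing to verify
        $file = Get-Item -LiteralPath $exe
        # A fresh binary means an update landed; a stale one means the updater is not running
        $ageDays = (New-TimeSpan -Start $file.LastWriteTime -End (Get-Date)).Days
        $svc = @(Get-Service -Name $b.Services -ErrorAction SilentlyContinue)
        $updater = if ($svc.Count -eq 0) { 'missing' }
                   elseif ($svc | Where-Object { $_.StartType -eq 'Disabled' }) { 'disabled' }
                   else { 'present' }
        [pscustomobject]@{
            Browser   = $b.Name
            Version   = $file.VersionInfo.ProductVersion
            BinaryAge = $ageDays
            Updater   = $updater
            Status    = if ($ageDays -gt $MaxAgeDays -or $updater -ne 'present') { 'CHECK' } else { 'ok' }
        }
    }
}

Test-BrowserUpdate | Format-Table -AutoSize
```

Run it after winget upgrade --all. A CHECK row means open that browser's About page, let it update by hand, and then find out why the updater stalled (a disabled service, a "debloat" script that removed it, or a per-user install sitting in a folder the per-machine updater does not touch). Firefox reporting a missing service is only a prompt to look, since it updates without the maintenance service, just with a UAC prompt.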
Sources
- Verizon Data Breach Investigations Report 2024: annual report with data from over 30,000 security incidents, covering attack types and exploited vulnerabilities.
- NIST National Vulnerability Database: NIST's official CVE database with CVSS scores for all known vulnerabilities.
- CVSS v3.1 Specification Document, FIRST.org: the official specification behind the scoring system VulnDetect uses to rate severity.
- VulnDetect / SecTeer ApS: the free scanning tool used in this guide to find unpatched third-party software.