Sometimes even I have to install something on an Windows server. Lately one of these things required .NET 3.5. OK, install it via Server Manager and you're done, right?
Wrong. This does install .NET 3.5 – but without any security fixes. These will arrive by the next morning, so the box was vulnerable. The updates don't even force a restart, so the box will remain vulnerable until somebody restarts either the new service or the whole machine. Manually.
Major facepalm, this.