Solved

Need MS patch in WSUS server to patch automated instead of manual but not there

Posted on 2013-02-05
629 Views
Last Modified: 2013-02-06
I have a few MS updates that our IT security scanners say are needed to remediate some vulnerabilities, but WSUS says we don't need them.  I've already looked in Products and Classifications and there's nothing particular to them.  I've been through this before with the scanners saying we need something and WSUS doesn't, and I ended up having to load them manually.  Not fun.

My question is this: is there a way to force WSUS to get an update even though it thinks it doesn't need it, so I can have an automated/managed way of applying an update without having to do it manually?  I don't want to go over whether or not we need the patch, because I have to apply them; I'm just wondering whether this is possible, or whether there is another good alternate way to push updates out (we don't have SCCM, nor will we) via Group Policy or something. :-)
Question by:JodyBear
6 Comments
 
LVL 79

Expert Comment

by:arnold
ID: 38856681
WSUS reports information based on each system's reported need.
The vulnerability you might be seeing is an absence of an update that was skipped after installing a superseding update.
I.e. KB123456 is issued in September 2012 to address a vulnerability. For one reason or another it was not approved, it was withdrawn/expired by MS, etc., and an update KB123457 was released in its place addressing the same vulnerabilities and some additional ones.

You can run a search on your WSUS server to check the status of the update that is missing, to make sure it was not inadvertently declined, meaning no system will have it offered and thus it will not be reported as needed.
 

Author Comment

by:JodyBear
ID: 38856731
Understood, and thank you.  I agree with the assessment; however, I've run into this problem before with the scanners, and even though the patch was saying that it was not needed, the scanner appliances said there's a vulnerability, so I ended up having to manually install some updates, as I have to go by our vulnerability assessment done by the IT security appliance.

Understanding of course that WSUS/Automatic Updates works with the WSUS server to decide what is needed, is there a way to force application of an update through WSUS to automate a need as I'm describing, or am I out of luck, as I assume?

If not, what may be an alternate way to automate the update push, understanding we don't have/won't have SCCM to use instead?  Any ideas?
 
LVL 79

Expert Comment

by:arnold
ID: 38857559
WSUS makes no determination. The client requests available updates (not approved and approved), then it installs those that it needs that are approved.
The only way to hide an update from the client in WSUS is to decline the update.
Search the update list for the patch that is claimed as missing and check its status.
If it is declined, you could change its status to not approved or approved and use the client that is missing it to test whether it needs it (wuauclt /detectnow). When the client completes, it will indicate whether it needs the update and, if the update is approved, will install it.

The issue might also be with the tool used to analyze, i.e. it is not up to date with the most recent patches, such that if MS-123 is addressed by KB123456 and KB1234567 it only knows about the one and not the other.
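The check described above (search the WSUS catalog for the KB, see whether it is declined, see whether something supersedes it, and what the clients actually reported), as an added PowerShell example that is not part of the original thread. It runs on the WSUS server itself using the Microsoft.UpdateServices.Administration API that ships with the WSUS role/console; the KB number is a placeholder, and the "All Computers" group name is the WSUS default. The -Undecline switch performs the "change its status to not approved" step so the test client can re-evaluate it with wuauclt /detectnow.

```powershell
# Added example, not from the thread. Run on the WSUS server (GetUpdateServer() with no
# arguments connects locally; use GetUpdateServer("server", $false, 8530) for a remote one).
param(
    [string]$KB = "123456",     # placeholder: the KB number the scanner reports as missing
    [switch]$Undecline          # flip a declined update back to "Not approved" so clients re-evaluate it
)

[void][System.Reflection.Assembly]::LoadWithPartialName("Microsoft.UpdateServices.Administration")
$wsus = [Microsoft.UpdateServices.Administration.AdminProxy]::GetUpdateServer()

# SearchUpdates is a text match on the update metadata, so "KB123456" returns every
# update whose title mentions that KB (there can be several: x86/x64, revisions).
$found = $wsus.SearchUpdates("KB$KB")
if ($found.Count -eq 0) {
    Write-Warning "KB$KB is not in this server's catalog at all: check Products and Classifications, or it may be expired and replaced by a newer KB."
    return
}

foreach ($u in $found) {
    $state = if ($u.IsDeclined) { "DECLINED" } elseif ($u.IsApproved) { "Approved" } else { "Not approved" }
    Write-Host ("`n{0}`n  state={1}  superseded={2}  supersedes-others={3}" -f $u.Title, $state, $u.IsSuperseded, $u.HasSupersededUpdates)

    # The superseding chain: a client that already has a newer KB reports this one as
    # Not Applicable, while a scanner that only knows the older KB still flags it.
    foreach ($s in $u.GetRelatedUpdates([Microsoft.UpdateServices.Administration.UpdateRelationship]::UpdatesThatSupersedeThisUpdate)) {
        Write-Host ("  superseded by: {0}" -f $s.Title)
    }

    # What the clients reported back, per target group. A flagged machine counted under
    # notApplicable is exactly the "WSUS says we don't need it" case.
    foreach ($sum in $u.GetSummaryPerComputerTargetGroup()) {
        $grp = $wsus.GetComputerTargetGroup($sum.ComputerTargetGroupId).Name
        Write-Host ("  {0,-25} installed={1} needed={2} notApplicable={3} failed={4}" -f `
            $grp, $sum.InstalledCount, $sum.NotInstalledCount, $sum.NotApplicableCount, $sum.FailedCount)
    }

    if ($Undecline -and $u.IsDeclined) {
        # Un-declining is done by approving with the NotApproved action for All Computers.
        $all = $wsus.GetComputerTargetGroups() | Where-Object { $_.Name -eq "All Computers" }
        $u.Approve([Microsoft.UpdateServices.Administration.UpdateApprovalAction]::NotApproved, $all)
        Write-Host "  -> un-declined; run 'wuauclt /detectnow' on the test client and re-run this script."
    }
}
```

If the update shows as Not approved, nothing supersedes it, and the flagged client is still counted under notApplicable after a fresh detection, the client's own applicability rules (file versions, product, architecture) are what rejected it, and WSUS cannot be made to push it anyway.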

 

Author Comment

by:JodyBear
ID: 38861214
I understand and agree with everything you said, and have already done as you suggest.  Nothing was declined, WSUS said the client didn't need it, etc.  I also agree with the evaluation of the scanner; however, that one is out of my jurisdiction, if you will.  I'm stuck trusting the security department on the update issue with their scanner.  Can't always win a fight.

I didn't think I could "finagle" WSUS to do what I was hoping for; thought I'd pose the question though.

I'll resort to my previous caveat: is there an alternate way to automate the update push, understanding we don't have/won't have SCCM to use instead?  Any ideas how I could automate a push for particular/multiple patches without WSUS or SCCM available?  One last stab, if anyone has an idea.
 
LVL 79

Accepted Solution

by: arnold (earned 500 total points)
ID: 38861249
There is not, in the situation you find yourself in. Not sure if you have auto-approval configured, i.e. critical/security updates should be auto-approved, as should revisions of previously approved updates.

Just to correct your question: you are looking for a way to force a client system to download and install an update that it does not see itself as needing.

One option you might want to test is using a software deployment/computer startup script to install the missing update.

Try notifying the external security vendor that their check might be missing important patch/update releases/revisions from MS, which leads to this false positive (detection of a vulnerability where one might not exist).
 

Author Comment

by:JodyBear
ID: 38861271
No auto-approval is done on our network; it's in support of a government network, so constraints are pretty tight.

I could use a script via GPO to push it; it's an exe and that could be done.  I was trying not to do it that way, but it is what it is.

IT Security looks at it as an "if it says it, it needs it" type of thing.  Kind of stuck on that one.

Thanks for your input.  It was worth a shot.
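The accepted suggestion (a computer startup script, deployed through GPO, that installs the update the client does not think it needs) and the author's follow-up (the package is an .exe), as an added PowerShell example that is not from the thread. Everything specific is an assumption: the UNC path, KB number and file name are placeholders, and the installer is assumed to accept /quiet /norestart, which Microsoft's .msu packages and most of its standalone security update .exe packages do (confirm with "<installer> /?"). The script also asks the local Windows Update Agent what it thinks about the KB and logs that, since that is the same engine that reported "not needed" to WSUS.

```powershell
# Added example (not part of the thread). Deploy under Computer Configuration > Policies >
# Windows Settings > Scripts > Startup. Runs at boot as SYSTEM.
$KB      = "123456"                                         # placeholder KB number
$Package = "\\fileserver\updates\Windows6.1-KB$KB-x64.msu"  # placeholder UNC path; a .exe works too
$LogFile = "$env:SystemRoot\Temp\KB$KB-install.log"

function Write-Log([string]$msg) {
    "{0:s} {1}" -f (Get-Date), $msg | Out-File -FilePath $LogFile -Append -Encoding ascii
}

# Startup scripts access the network as the computer account, so the share and NTFS
# ACLs must grant Read to Domain Computers (or to the machines in the targeted OU).
if (-not (Test-Path $Package)) {
    Write-Log "package not reachable: $Package (check share/NTFS ACLs for the computer account)"
    exit 1
}

# Win32_QuickFixEngineering (Get-HotFix) is what "Installed Updates" shows. Packages that
# do not register there are one reason a scanner and WSUS disagree, so this is only the
# first of two checks.
$present = Get-HotFix -Id "KB$KB" -ErrorAction SilentlyContinue
if ($present) {
    Write-Log "KB$KB already present (installed $($present.InstalledOn)); nothing to do"
    exit 0
}

# Second check: ask the Windows Update Agent through its COM API. If the KB is listed,
# IsInstalled says whether the client considers it installed or still needed; if it is
# absent, the client treats it as not applicable or the server has not made it available.
try {
    $searcher = (New-Object -ComObject Microsoft.Update.Session).CreateUpdateSearcher()
    $searcher.ServerSelection = 2   # ssManagedServer: search against the configured WSUS server
    $hits = $searcher.Search("IsInstalled=1 or IsInstalled=0").Updates |
            Where-Object { @($_.KBArticleIDs) -contains $KB }
    foreach ($h in $hits) { Write-Log ("WUA view: {0} IsInstalled={1}" -f $h.Title, $h.IsInstalled) }
    if (-not $hits) { Write-Log "WUA view: KB$KB is not listed for this client (not applicable, or not offered)" }
} catch { Write-Log "WUA query failed: $_" }

# Install regardless of the WUA verdict, which is the whole point of this script.
# wusa.exe handles .msu; an .exe hotfix is launched directly with the same switches.
$switches = "/quiet /norestart"
if ([IO.Path]::GetExtension($Package) -ieq ".msu") {
    $proc = Start-Process -FilePath "$env:SystemRoot\System32\wusa.exe" -ArgumentList "`"$Package`" $switches" -Wait -PassThru
} else {
    $proc = Start-Process -FilePath $Package -ArgumentList $switches -Wait -PassThru
}

switch ($proc.ExitCode) {
    0       { Write-Log "KB$KB installed" }
    3010    { Write-Log "KB$KB installed, reboot required (ERROR_SUCCESS_REBOOT_REQUIRED)" }
    2359302 { Write-Log "KB$KB reported already installed by wusa (0x240006, WU_S_ALREADY_INSTALLED)" }
    default { Write-Log ("KB$KB install failed, exit code {0}" -f $proc.ExitCode) }
}
exit $proc.ExitCode
```

Two caveats for this approach: the install runs only at boot, so a machine that is not rebooted never gets it, and if the package reports 2359302 or refuses with "not applicable" on every client, that is the installer making the same applicability decision the Windows Update Agent made, which is the evidence to hand back to the security team about the scanner's check.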
