Solved

Need MS patch in WSUS server to patch automated instead of manual but not there

Posted on 2013-02-05
623 Views
Last Modified: 2013-02-06
I have a few MS updates that our IT Security scanners say are needed to remediate some vulnerabilities, but WSUS says we don't need them.  I've already looked in products and classifications and there's nothing particular to them.  Been through this before with the scanners saying we need something and WSUS doesn't, and I ended up having to load them manually.  Not fun.

My question is this - is there a way to force WSUS to get an update even though it thinks it doesn't need it, so I can have an automated/managed way of applying an update without having to do it manually?  Don't wanna go over whether or not we need the patch because I have to apply them, just wondering if this is possible, or another good alternate way to push out (don't have SCCM nor will we) via group policy, something :-)
Question by:JodyBear
6 Comments
 
LVL 77

Expert Comment

by:arnold
ID: 38856681
WSUS reports information based on each system's reported need.
The vulnerability you might be seeing is an absence of an update that was skipped by installing a superseding update.
I.e. kb123456 is issued in September 2012 to address a vulnerability. For one reason or another it was not approved, it was withdrawn/expired by MS, etc., and an update kb123457 was released in its place addressing the same vulnerabilities and some additional ones.

You can run a search on your WSUS to check the status of the update that is missing to make sure it was not inadvertently declined, meaning no system will have it offered and thus it will not be reported as needed.
 

Author Comment

by:JodyBear
ID: 38856731
Understood, and thank you.  I agree with the assessment, however I've run into this problem before with the scanners and even though the patch was saying that it was not needed, the scanner appliances said there's a vulnerability, so I ended up having to manually install some updates as I have to go by our vulnerability assessment done by the IT Security appliance.

Understanding of course that WSUS/automatic updates works with the WSUS server to decide what is needed, is there a way to force application of an update through WSUS to automate a need as I'm describing, or am I out of luck as I assume?

If not, what may be an alternate way to automate the update push, understanding we don't have/won't have a SCCM program to use instead?  Any ideas?
 
LVL 77

Expert Comment

by:arnold
ID: 38857559
WSUS makes no determination. The client requests available updates (not approved and approved), then it installs those that it needs that are approved.
The only way to hide an update from the client in the WSUS is to decline the update.
Search the update list for the patch that is claimed as missing and check its status.
If it is declined you could change its status to not approved or approved and use the client that's missing it to test whether it needs it (wuauclt /detectnow). When the client completes it will indicate whether it needs the update and, if the update is approved, will install it.

The issue might also be with the tool used to analyze I.e. it is not up to date with the most recent patches such that if MS-123 is addressed by kb123456 and kb1234567 it only knows about the one and not the other.

 

Author Comment

by:JodyBear
ID: 38861214
I understand and agree with everything you said, and have already done as you suggest.  Nothing was declined, WSUS said the client didn't need it, etc., and I also agree with the eval of the scanner, however that one is out of my jurisdiction if you will.  I'm stuck trusting the security department on the update issue with their scanner.  Can't always win a fight.

I didn't think I could "finagle" WSUS to do what I was hoping for, thought I'd pose the question though.

I'll resort to my previous caveat: is there an alternate way to automate the update/push, understanding we don't have/won't have a SCCM program to use instead?  Any ideas how I could automate a push for particular/multiple patches without WSUS or SCCM available?  One last stab if anyone has an idea.
 
LVL 77

Accepted Solution

by:
arnold earned 500 total points
ID: 38861249
There is not in the situation you find yourself in. Not sure if you have auto-approval configured, i.e. critical/security should be auto approved, and revisions of previously approved updates should be auto approved as well.

Just to correct your question, you are looking for a way to force a client system to download and install an update that it does not see itself as needing.

One option you might want to test is using a software deployment/computer startup script to install the missing update.

Try notifying the external security vendor that their check might be missing important patch/update releases/revisions from MS which lead to this false positive (detection of a vulnerability where one might not exist.)
 

Author Comment

by:JodyBear
ID: 38861271
No auto-approval is done on our network, it's in support of a government network so constraints are pretty tight.

I could use a script via GPO to push it - it's an exe and that could be done.  Was trying not to do it that way, but it is what it is.

IT Security looks at it as an "if it says it, it needs it" type of thing.  Kind of stuck on that one.

Thanks for your input.  It was worth a shot.
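The computer startup script route suggested in the accepted solution, and the .exe-via-GPO push the author settles on, as an added example (not code from this thread or from Microsoft). It assumes a placeholder KB number, a placeholder UNC path to the package, that a standalone Microsoft update package accepts /quiet /norestart, and that the KB shows up in Get-HotFix once installed; it only installs when the KB is absent, so it is safe to leave assigned at every boot.

```powershell
# Computer startup script (GPO: Computer Configuration > Policies > Windows Settings > Scripts > Startup).
# Installs one specific Microsoft update only if that KB is not already present, and logs the outcome.
# Assumptions (not from the thread): the KB number, the UNC path, and the package's /quiet /norestart switches.
param(
    [string]$KB        = 'KB123456',                                          # placeholder KB number
    [string]$Installer = '\\fileserver\patches\Windows6.1-KB123456-x64.msu',  # placeholder share path
    [string]$LogFile   = 'C:\Windows\Temp\ForcedPatch.log'
)

function Write-Log([string]$Message) {
    "$(Get-Date -Format s) $env:COMPUTERNAME $Message" | Out-File -FilePath $LogFile -Append
}

# Idempotency check: Get-HotFix lists installed updates; skip the install if the KB is already there.
if (Get-HotFix -Id $KB -ErrorAction SilentlyContinue) {
    Write-Log "$KB already installed, nothing to do"
    exit 0
}

if (-not (Test-Path $Installer)) {
    Write-Log "installer not found: $Installer"
    exit 1
}

# .msu packages are installed through wusa.exe; standalone .exe updates are run directly.
# Verify the switches for the specific package before assigning the script.
if ($Installer -like '*.msu') {
    $proc = Start-Process -FilePath "$env:SystemRoot\System32\wusa.exe" `
                          -ArgumentList "`"$Installer`" /quiet /norestart" -Wait -PassThru
} else {
    $proc = Start-Process -FilePath $Installer -ArgumentList '/quiet /norestart' -Wait -PassThru
}

switch ($proc.ExitCode) {
    0       { Write-Log "$KB installed" }
    3010    { Write-Log "$KB installed, reboot required" }            # ERROR_SUCCESS_REBOOT_REQUIRED
    2359302 { Write-Log "$KB reported already installed (0x240006)" } # WU_S_ALREADY_INSTALLED
    default { Write-Log "$KB installer exited with code $($proc.ExitCode)" }
}

# Confirm the install was recorded, which is what the next scan (and Get-HotFix) will look at.
if (Get-HotFix -Id $KB -ErrorAction SilentlyContinue) { Write-Log "$KB verified present" }
exit $proc.ExitCode
```

Startup scripts run as SYSTEM, so the share must grant read access to the domain computer accounts, and the log file gives you the per-machine evidence to hand back to the security team when the scanner still flags the host.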