Need MS patch in WSUS server to patch automated instead of manual but not there

i have a few MS updates that our IT Security scanners say are needed to remediate some vulnerabilities, but wsus says we don't need them.  i've already looked in products and classifications and there's nothing particular to them.  been through this before with the scanners saying we need something and wsus doesn't, and i ended up having to load 'em manually.  not fun.

my question is this - is there a way to force wsus to get an update even though it thinks it doesn't need it so i can have an automated/managed way of applying an update without having to do it manually?  don't wanna go over whether or not we need the patch cause i have to apply them, just wondering if this is possible, or another good alternate way to push out (don't have SCCM nor will we) via group policy, something :-)

JodyBear asked:

arnold commented:
There is not in the situation you find yourself in. Not sure if you have autoapproval configured, i.e. critical/security should be auto approved, as well as revisions of previously approved updates should be auto approved as well.

Just to correct your question, you are looking for a way to force a client system to download and install an update that it does not see itself as needing.

One option you might want to test is using a software deployment/computer startup script to install the missing update.

Try notifying the external security vendor that their check might be missing important patch/update releases/revisions from MS which lead to this false positive (detection of a vulnerability where one might not exist.)

arnold commented:
Wsus reports information based on each system's reported need.
The vulnerability you might be seeing is an absence of an update that was skipped after installing a superseding update.
I.e. kb123456 is issued in September 2012 to address a vulnerability. For one reason or another it was not approved, it was withdrawn/expired by MS, etc. an update kb123457 was released in its place addressing the same vulnerabilities and some additional ones.

You can run a search on your wsus to check the status of the update that is missing to make sure it was not inadvertently declined, meaning no system will have it offered and thus it will not be reported as needed.

JodyBear (Author) commented:
understood, and thank you.  i agree with the assessment, however i've run into this problem before with the scanners and even though the patch was saying that it was not needed, the scanner appliances said there's a vulnerability, so i ended up having to manually install some updates as i have to go by our vulnerability assessment done by the IT Security appliance.

understanding of course WSUS/automatic updates works with the WSUS server to decide what is needed, is there a way to force application of an update through WSUS to automate a need as i'm describing, or am i out of luck as i assume?

if not, what may be an alternate way to automate the update push understanding we don't have/won't have a SCCM program to use instead?  any ideas?
arnold commented:
Wsus makes no determination. The client requests available updates (not approved and approved), then it installs those that it needs that are approved.
The only way to hide an update from the client in the wsus is to decline the update.
Search the update list for the patch that is claimed as missing and check its status.
If it is declined you could change its status to not approved or approved and use the client that is missing it to test whether it needs it (wuauclt /detectnow). When the client completes it will indicate whether it needs the update and, if the update is approved, will install it.

The issue might also be with the tool used to analyze, i.e. it is not up to date with the most recent patches, such that if MS-123 is addressed by kb123456 and kb1234567 it only knows about the one and not the other.

JodyBear (Author) commented:
i understand and agree with everything you said, and have already done as you suggest.  nothing was declined, wsus said the client didn't need it, etc, and i also agree with the eval of the scanner, however that one is out of my jurisdiction if you will.  i'm stuck trusting the security department on the update issue with their scanner.  can't always win a fight.

i didn't think i could "finagle" wsus to do what i was hoping for, thought i'd pose the question though.

i'll resort to my previous caveat: is there an alternate way to automate the update/push understanding we don't have/won't have a SCCM program to use instead?  any ideas how i could automate a push for particular/multiple patches without wsus or SCCM available?  one last stab if anyone has an idea.

JodyBear (Author) commented:
no autoapproval is done on our network, it's in support of a government network so constraints are pretty tight.

i could use a script via GPO to push it - it's an exe and that could be done.  was trying not to do it that way, but it is what it is.

IT Security looks at it as "if it says it, it needs it" type of thing.  kind of stuck on that one.

thanks for your input.  it was worth a shot.
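The GPO computer startup script approach that both arnold and JodyBear land on, written out as an added example (not code from the thread): it installs one Microsoft standalone update package only on machines that do not already report it installed, and logs what it did so the result can be reconciled with the scanner. The KB number, share path and package name are placeholders; an .msu is installed through wusa.exe, and a standalone .exe is assumed to accept the usual /quiet /norestart switches.

```powershell
# Added example (not from the thread): GPO computer startup script that installs a
# specific Microsoft update on machines where it is missing, then logs the outcome.
# Assumptions: the package is on a share readable by the computer account, and the
# KB id and path below are placeholders for the update the scanner is flagging.
$KB      = 'KB0000000'                                        # placeholder KB id
$Package = '\\fileserver\patches\Windows-KB0000000-x64.msu'   # assumed share path
$LogFile = "$env:SystemRoot\Temp\patch-$KB.log"

function Write-Log([string]$Message) {
    "$(Get-Date -Format s) $env:COMPUTERNAME $Message" | Out-File -FilePath $LogFile -Append
}

# Idempotency check: Get-HotFix reads the installed-update list, so machines that
# already have the KB (directly or via an earlier manual install) do nothing.
if (Get-HotFix -Id $KB -ErrorAction SilentlyContinue) {
    Write-Log "$KB already installed, nothing to do"
    exit 0
}

if (-not (Test-Path -LiteralPath $Package)) {
    Write-Log "package not found at $Package"
    exit 1
}

# .msu packages go through wusa.exe; a standalone .exe installer is run directly.
# /norestart leaves the reboot to the normal maintenance window.
if ([IO.Path]::GetExtension($Package) -eq '.msu') {
    $exe  = "$env:SystemRoot\System32\wusa.exe"
    $args = "`"$Package`" /quiet /norestart"
} else {
    $exe  = $Package
    $args = '/quiet /norestart'
}
$proc = Start-Process -FilePath $exe -ArgumentList $args -Wait -PassThru

# 0 = installed, 3010 = installed but reboot required (ERROR_SUCCESS_REBOOT_REQUIRED),
# 2359302 = 0x240006 WU_S_ALREADY_INSTALLED (wusa found it already present).
switch ($proc.ExitCode) {
    0       { Write-Log "$KB installed" }
    3010    { Write-Log "$KB installed, reboot required" }
    2359302 { Write-Log "$KB reported by wusa as already installed" }
    default { Write-Log "installer exited with code $($proc.ExitCode)" }
}
exit $proc.ExitCode
```

Because the script exits early when Get-HotFix finds the KB, it is safe to leave linked to the OU until the scanner stops flagging the hosts; the per-machine log gives you the evidence to hand back to IT Security when their appliance and the installed-update list disagree.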