Solved

Need MS patch in WSUS server to patch automated instead of manual but not there

Posted on 2013-02-05
Last Modified: 2013-02-06
I have a few MS updates that our IT Security scanners say are needed to remediate some vulnerabilities, but WSUS says we don't need them. I've already looked in products and classifications and there's nothing particular to them. Been through this before with the scanners saying we need something and WSUS doesn't, and I ended up having to load them manually. Not fun.

My question is this: is there a way to force WSUS to get an update even though it thinks it doesn't need it, so I can have an automated/managed way of applying an update without having to do it manually? Don't want to go over whether or not we need the patch because I have to apply them; just wondering if this is possible, or another good alternate way to push out (don't have SCCM nor will we) via group policy, something :-)
Question by:JodyBear
Expert Comment

by:arnold
WSUS reports information based on each system's reported need.
The vulnerability you might be seeing is an absence of an update that was skipped by installing a superseding update.
I.e. KB123456 is issued in September 2012 to address a vulnerability. For one reason or another it was not approved, it was withdrawn/expired by MS, etc. An update KB123457 was released in its place addressing the same vulnerabilities and some additional ones.

You can run a search on your WSUS to check the status of the update that is missing to make sure it was not inadvertently declined, meaning no system will have it offered and thus it will not be reported as needed.
Author Comment

by:JodyBear
Understood, and thank you. I agree with the assessment; however, I've run into this problem before with the scanners, and even though the patch was saying that it was not needed, the scanner appliances said there's a vulnerability, so I ended up having to manually install some updates as I have to go by our vulnerability assessment done by the IT Security appliance.

Understanding of course that WSUS/Automatic Updates works with the WSUS server to decide what is needed, is there a way to force application of an update through WSUS to automate a need as I'm describing, or am I out of luck as I assume?

If not, what may be an alternate way to automate the update push, understanding we don't have/won't have an SCCM program to use instead? Any ideas?
Expert Comment

by:arnold
WSUS makes no determination. The client requests available updates (not approved and approved), then it installs those that it needs that are approved.
The only way to hide an update from the client in the WSUS is to decline the update.
Search the update list for the patch that is claimed as missing and check its status.
If it is declined you could change its status to not approved or approved and use the client that is missing it to test whether it needs it (wuauclt /detectnow). When the client completes it will indicate whether it needs the update and, if the update is approved, will install it.

The issue might also be with the tool used to analyze, i.e. it is not up to date with the most recent patches, such that if MS-123 is addressed by KB123456 and KB1234567 it only knows about the one and not the other.
Author Comment

by:JodyBear
I understand and agree with everything you said, and have already done as you suggest. Nothing was declined, WSUS said the client didn't need it, etc., and I also agree with the eval of the scanner; however, that one is out of my jurisdiction if you will. I'm stuck trusting the security department on the update issue with their scanner. Can't always win a fight.

I didn't think I could "finagle" WSUS to do what I was hoping for; thought I'd pose the question though.

I'll resort to my previous caveat: is there an alternate way to automate the update/push, understanding we don't have/won't have an SCCM program to use instead? Any ideas how I could automate a push for particular/multiple patches without WSUS or SCCM available? One last stab if anyone has an idea.
Accepted Solution

by:arnold (earned 500 total points)
There is not in the situation you find yourself in. Not sure if you have auto-approval configured, i.e. critical/security should be auto-approved, as well as revisions of previously approved updates should be auto-approved as well.

Just to correct your question, you are looking for a way to force a client system to download and install an update that it does not see itself as needing.

One option you might want to test is using a software deployment/computer startup script to install the missing update.

Try notifying the external security vendor that their check might be missing important patch/update releases/revisions from MS, which leads to this false positive (detection of a vulnerability where one might not exist).
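One way to do what arnold suggests (a computer startup script assigned through GPO that installs the update only where it is not already present and logs the outcome), as an added example that is not part of this thread; the KB number, the UNC paths and the log share are placeholder assumptions:

```powershell
# Added example (not from the thread): GPO computer-startup script that installs a
# specific Microsoft update only on machines that do not already report it installed.
# Placeholders: the KB number, the installer share and the log share are assumptions.
param(
    [string]$KbId      = "KB0000000",                                   # placeholder
    [string]$Installer = "\\fileserver\updates\KB0000000.msu",          # placeholder UNC path
    [string]$LogFile   = "\\fileserver\updatelogs\$env:COMPUTERNAME.log" # placeholder UNC path
)

function Write-Log {
    param([string]$Message)
    "$(Get-Date -Format s) $env:COMPUTERNAME $Message" |
        Out-File -FilePath $LogFile -Append -Encoding ascii
}

# Ask the local hotfix inventory (WMI Win32_QuickFixEngineering) whether the KB is already present.
$installed = Get-WmiObject -Class Win32_QuickFixEngineering | Where-Object { $_.HotFixID -eq $KbId }
if ($installed) {
    Write-Log "$KbId already installed; nothing to do."
    exit 0
}

if (-not (Test-Path $Installer)) {
    Write-Log "Installer $Installer not reachable; skipping."
    exit 1
}

# .msu packages are installed through wusa.exe; standalone .exe hotfixes take /quiet /norestart directly.
if ($Installer -like "*.msu") {
    $proc = Start-Process -FilePath "$env:SystemRoot\System32\wusa.exe" `
                -ArgumentList "`"$Installer`" /quiet /norestart" -Wait -PassThru
} else {
    $proc = Start-Process -FilePath $Installer -ArgumentList "/quiet /norestart" -Wait -PassThru
}

# 0 = installed, 3010 = installed and a reboot is pending; anything else is logged for follow-up.
switch ($proc.ExitCode) {
    0       { Write-Log "$KbId installed." }
    3010    { Write-Log "$KbId installed; reboot pending." }
    default { Write-Log "$KbId install returned exit code $($proc.ExitCode)." }
}
exit $proc.ExitCode
```

Run as a computer startup script it executes as SYSTEM, so the installer and log shares need read (and for the log, write) access for domain computer accounts; the log gives the security team a per-machine record of what was installed outside WSUS.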
Author Comment

by:JodyBear
No auto-approval is done on our network; it's in support of a government network so constraints are pretty tight.

I could use a script via GPO to push it - it's an exe and that could be done. Was trying not to do it that way, but it is what it is.

IT Security looks at it as an "if it says it, it needs it" type of thing. Kind of stuck on that one.

Thanks for your input. It was worth a shot.