Solved

Need MS patch in WSUS server to patch automated instead of manual but not there

Posted on 2013-02-05
6
627 Views
Last Modified: 2013-02-06
i have a few MS updates that our IT Security scanners say are needed to remediate some vulnerabilities, but wsus says we don't need them.  i've already looked in products and classifications and there's nothing particular to them.  been through this before with the scanners saying we need something and wsus doesn't, and i ended up having to load em manually.  not fun.

my question is this - is there a way to force wsus to get an update even though it thinks it don't need it so i can have an automated/managed way of applying an update without having to do it manually?  don't wanna go over whether or not we need the patch cause i have to apply them, just wondering is this possible, or another good alternate way to push out (don't have SCCM nor will we) via group policy, something :-)
0
Comment
Question by:JodyBear
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 3
  • 3
6 Comments
 
LVL 78

Expert Comment

by:arnold
ID: 38856681
Wsus reports information based each system's reported need.
The vulnerability you might be seeing is an absence of an update that was skipped a installing a superseding update.
I.e. kb123456 is issued in September 2012 to address a vulnerability. For one reason or another it was not approved, it was withdrawn/expired by MS, etc. an update kb123457 was released in its place addressing the same vulnerabilities and some additional ones.

You can run a search on your wsus to check the status of the update that is missing to make sure it was not inudvertaintly declined meaning no system will have it offered and thus will not be reported as needed.
0
 

Author Comment

by:JodyBear
ID: 38856731
understood, and thank you.  i agree with the assessment, however i've ran into this problem before with the scanners and even though the patch was saying that it was not needed, the scanner appliances said there's a vulnerability, so i ended up having to manually install some updates as i have to go by our vulnerability assessment done by the IT Security appliance.

understanding of course WSUS/automatic updates works with the WSUS server to decide what is needed, is there a way to force application of an update through WSUS to automate a need as i'm describing, or am i out of luck as i assume?

if not, what may be an alternate way to automate the update push understanding we don't have/won't have a SCCM program to use instead?  any ideas?
0
 
LVL 78

Expert Comment

by:arnold
ID: 38857559
Wsus makes no determination. The client requests available updates (not approved and approved) then it installs those that it needs that are approved.
The only way to hide an update from the client n the wsus is to decline the update.
Search the update list for the patch that is claimed as missing and check its status.
If it is declined you could change its status to not approved or approved and use the client that s missing it to test whether it needs it (wuault /detectnow) when the client completes It will indicate whether it needs the update and if the update is approved, will install it.

The issue might also be with the tool used to analyze I.e. it is not up to date with the most recent patches such that if MS-123 is addressed by kb123456 and kb1234567 it only knows about the one and not the other.
0
Ransomware: The New Cyber Threat & How to Stop It

This infographic explains ransomware, type of malware that blocks access to your files or your systems and holds them hostage until a ransom is paid. It also examines the different types of ransomware and explains what you can do to thwart this sinister online threat.  

 

Author Comment

by:JodyBear
ID: 38861214
i understand and agree with everything you said, and have already done as you suggest.  nothing was declined, wsus said client didn't need it, etc, and also agree with the eval of the scanner, however that one is out of my juristiction if you will.  i'm stuck trusting the security department on the update issue with their scanner.  can't always win a fight.

i didn't think i could "fenangle" wsus to do what i was hoping for, thought i'd pose the question though.

i'll resort to my previous caveat: is there an alternate way to automate the update/push understanding we don't have/won't have a SCCM program to use instead?  any ideas how i could automate a push for particular/multiple patches without wsus or SCCM available?  one last stab if anyone has an idea.
0
 
LVL 78

Accepted Solution

by:
arnold earned 500 total points
ID: 38861249
There is not in the situation you find your self in. Not sure if you have autoapproval configurated i.e. critical/security should be auto approved as well as revision of previously approved updates should be auto approved as well.

Just to correct your question, you are looking for a way to force a client system to download and install an update that it does not see itself as needing.

One option you might want to test is using a software deployment/computer startup script to install the missing update.

Try notifying the external security vendor that their check might be missing important patch/update releases/revisions from MS which lead to this false positive (detection of a vulnerability where one might not exist.)
0
 

Author Comment

by:JodyBear
ID: 38861271
no autoapproval is done on our network, it's in support of a government network so constraints are pretty tight.

i could use a script via GPO to push it - it's a exe and that could be done.  was tryin not to do it that way, but it is what it is.

IT Security looks at it as "if it says it, it needs it" type of thing.  kind of stuck on that one.

thanks for your input.  it was worth a shot.
0

Featured Post

Free eBook: Backup on AWS

Everything you need to know about backup and disaster recovery with AWS, for FREE!

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Have you ever had a hard drive that you can't boot into, but need to change the registry? Here is the solution! This article guides you through accessing and editing a registry of a non-primary drive. To read registry information on a non-prim…
When you upgrade from Windows 8 to 8.1 or to Windows 10 or if you are like me you are on the Insider Program you may find yourself with many 450MB recovery partitions.  With a traditional disk that may not be a problem but with relatively smaller SS…
In this video, we discuss why the need for additional vertical screen space has become more important in recent years, namely, due to the transition in the marketplace of 4x3 computer screens to 16x9 and 16x10 screens (so-called widescreen format). …
With the advent of Windows 10, Microsoft is pushing a Get Windows 10 icon into the notification area (system tray) of qualifying computers. There are many reasons for wanting to remove this icon. This two-part Experts Exchange video Micro Tutorial s…

756 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question