Scanning for missing Microsoft patches

[lorddicranius]

I was wondering if anybody might be able to help explain this result.

Trend Micro shows a computer is missing 3 security updates.  I log into the computer, check Automatic Updates, and it's configured to run every night at 3am.  I run Windows Update and there's no updates pending.  I install Microsoft Baseline Security Analyzer 2.2 and scan the machine: 27 security updates missing, 3 service packs or update rollups are missing.

I can see how Trend Micro may differ in scanning a Windows machine for patches that are or aren't installed, but I can't explain the difference between Windows Update and Microsoft Baseline Security Analyzer showing such varied results.  Especially after reading this from the MBSA 2.2 download page:

Built on the Windows Update Agent and Microsoft Update infrastructure, MBSA ensures consistency with other Microsoft management products including Microsoft Update (MU), Windows Server Update Services (WSUS), Systems Management Server (SMS), System Center Configuration Manager (SCCM) 2007, and Small Business Server (SBS).

Anybody have any ideas   I'm trying to get a patch management system implemented here, but the varying results from Microsoft tools themselves isn't helping my case much haha.

[eth3real]

Is this computer use a WSUS server for updates? If so, that WSUS server may not be set to automatically approve those patches. Just a thought.

Also make sure the computer is set to automatically update other Microsoft products, not just Windows, maybe those patches are for Office or something.

[l33t5h@rk]

I'm not sure how much control you have (and obv. proceed w/ caution) but I would try installing the Service Packs then re-running. Sometimes the patches are out of band from the service packs and may not show up until they are installed. Something kludgy like that.

[lorddicranius]

Also make sure the computer is set to automatically update other Microsoft products, not just Windows, maybe those patches are for Office or something.

Bingo!  Microsoft Update wasn't installed so when I clicked on "Windows Update", it wasn't checking for updates for everything else.  Installing Microsoft Update and running the check again shows all the updates.  Thanks!

I wish I had an WSUS server (or a domain environment).  It would make ensuring Microsoft Update is on these other 51 computers go so much faster/easier...

[eth3real]

Is this a work network? It would probably make things a lot easier to have a Domain Controller and WSUS. You could probably get away with having them on the same box. It would at least relieve some of the traffic from each computer downloading it's own updates, and definitely make things more manageable for you.

[3xban]

Should be able to run WSUS on a DC so long as you aren't using it for anything else.  Hell I've had Small Business Servers running Exchange, DC activity and WSUS along with file and print servers.  Of course this goes against everything MS says to do with Servers but then again that is their own product doing it.  Ugh, I hate SBS, but it proves how much a single box can do in a small environment.  Not to mention it is very affordable for Small Business.  Even more so if you are a non-profit.  A friend of mine gets enterprise class licensing for a fraction of the cost that a big enterprise would pay.  Yay for non-profits!

Once you go with WSUS, you will need to tweak and also make sure you only bring down the languages you need, by default it downloads ALL language packs of the patches.

[lorddicranius]

Is this a work network? It would probably make things a lot easier to have a Domain Controller and WSUS. You could probably get away with having them on the same box. It would at least relieve some of the traffic from each computer downloading it's own updates, and definitely make things more manageable for you.

Yep, it's a work network.  I'd love to use WSUS and have actually been trying to get this going (among everything else going on here haha).  Does this require the machines to log into an Active Directory domain to get the updates?  We have a domain setup, but I haven't been able to do anything with policies to prepare it for widespread use (it's currently only used by a few computers in our warehouse for a specific shipping application).  A domain environment is something else I've been trying to get going, but it's been difficult with so many personally owned computers being used for business on the network.

Once you go with WSUS, you will need to tweak and also make sure you only bring down the languages you need, by default it downloads ALL language packs of the patches.

That's good to know, thanks!

[eth3real]

Typically, once you setup a Domain Controller and WSUS server, you would make a Group Policy that tells all the workstations on the domain to get updates only from the WSUS server. If many of the computers on your network are personally owned, then it may be difficult to get each person to agree to putting it on the Windows domain, and then there's also the fact that they would not be able to get updates except when they have access to your WSUS server.

Technically, they wouldn't have to login to Active Directory. The workstations could be joined to the domain, make use of the Group Policies, and still use local logins. However, in that case, you could probably just make a registry change on each computer to get updates from your WSUS server instead of going through all the trouble of joining a domain and setting up Group Policies.

It's a matter of "choose your battle."

[3xban]

Microsoft has a good write-up on setting WSUS up as far as the GPO.  The GPO is pretty simple though, the hardest part is ensuring the systems report properly.  Windows Firewall tends to interfer a little and sometimes if the clients are not patched to a certain level, they don't report properly.

Also there is a server and client troubleshooting tool which comes in very handy when checking your configurations.  If you get around to it and need a hand feel free to hit me up directly.

[lorddicranius]

If many of the computers on your network are personally owned, then it may be difficult to get each person to agree to putting it on the Windows domain...

This is exactly why a domain environment hasn't been approved.  It's not so much how many personally owned laptops, but who uses them...

Typically, once you setup a Domain Controller and WSUS server, you would make a Group Policy that tells all the workstations on the domain to get updates only from the WSUS server. If many of the computers on your network are personally owned, then it may be difficult to get each person to agree to putting it on the Windows domain, and then there's also the fact that they would not be able to get updates except when they have access to your WSUS server.

Technically, they wouldn't have to login to Active Directory. The workstations could be joined to the domain, make use of the Group Policies, and still use local logins. However, in that case, you could probably just make a registry change on each computer to get updates from your WSUS server instead of going through all the trouble of joining a domain and setting up Group Policies.

I think I've come across how to make the changes in the registry to have them use a WSUS server for updates, but changing registry settings on each and every computer on the network (nearly 200 of them) doesn't sound like much fun.  Plus, I've been told that we'll eventually get to a domain environment, so I will be able to end up using a GPO to configure WSUS settings, it's just a matter of "when".

As for getting updates when machines are unable to access a WSUS server.  How does this work for mobile users who use business laptops that are configured for a domain?  Are you able to configure them to get updates directly from Microsoft if it's unable to access your WSUS?  I have this capability with our anti-virus software, that'd be great if a domain-enabled Windows laptop would do that same...

It's a matter of "choose your battle."

Exactly

Microsoft has a good write-up on setting WSUS up as far as the GPO.  The GPO is pretty simple though, the hardest part is ensuring the systems report properly.  Windows Firewall tends to interfer a little and sometimes if the clients are not patched to a certain level, they don't report properly.

Also there is a server and client troubleshooting tool which comes in very handy when checking your configurations.  If you get around to it and need a hand feel free to hit me up directly.

Thanks for all these tips on configuring WSUS.  These will definitely come in handy and save me a lot of time/stress when we finally get there

[eth3real]

As for getting updates when machines are unable to access a WSUS server.  How does this work for mobile users who use business laptops that are configured for a domain?

Not that I'm aware of. I believe my users with laptops only get updates when they're on the corporate network. If they're on the network at least once a week, I would think this is adequate.

There is also the option of having people download from your WSUS server over VPN, or open your WSUS server to the internet for your users, but that makes it a lot more dangerous to have to WSUS and Active Directory on the same box, and your bandwidth would take a hit.