Mike, My understanding is that you need the stub installed both to check as well as update against WSUS. Please note that we will be eliminating the additional stub requirement for non-admins in an upcoming NAC release.
-Prem -----Original Message----- From: Cisco Clean Access Users and Administrators [mailto:[email protected]] On Behalf Of Mike Diggins Sent: Monday, April 06, 2009 12:22 PM To: [email protected] Subject: Re: Windows Update Services Requirement I'm not. I thought that was just to allow the Agent to update? Does it allow non-administrator accounts to login using the WUA method as well? -Mike On Mon, 6 Apr 2009, Prem Ananthakrishnan (prananth) wrote: > Hi Mike, > > Are you using the agent stub? You will need the agent stub for the WSUS > to work > > -Prem > > -----Original Message----- > From: Cisco Clean Access Users and Administrators > [mailto:[email protected]] On Behalf Of Mike Diggins > Sent: Monday, April 06, 2009 9:32 AM > To: [email protected] > Subject: Re: Windows Update Services Requirement > > I discovered the source of at least some of the failed logins. You can't > > run WUA if you're not an Administrator of that machine, and we have > several (that I know about), that do just that. > > Considering that Best Practise is not to run as an Administrator, is > there > any work around to this, short of exempting it from the checks? > > -Mike > > > On Sun, 5 Apr 2009, Atif Azim (atif) wrote: > >> Mike D, >> >> Mike S is correct in that this typically happens when the update > service >> on that machine is broken, however to ascertain this you should take a >> look at the agent logs. >> >> When you do have access to the clients, can you look at the agent logs >> and see if there is any information there. In order to set the > loglevel >> to debug, please refer to the following link: >> > http://www.cisco.com/en/US/docs/security/nac/appliance/release_notes/45/ >> 45rn.html#wp607061 >> >> Please send the agent log to myself and I can have one of our > technical >> folks take a look and get back to you. Alternatively you can also >> forward the logs to TAC and they will follow up with you. >> >> Regards, >> Atif >> >> -----Original Message----- >> From: Cisco Clean Access Users and Administrators >> [mailto:[email protected]] On Behalf Of Stanclift, > Michael >> Sent: Saturday, April 04, 2009 11:22 PM >> To: [email protected] >> Subject: Re: Windows Update Services Requirement >> >> We run our checks like this as well, when students get those errors it >> usually is because the update service on their machine is either > broken >> or somehow disabled. >> >> Michael Stanclift >> Network Analyst >> Rockhurst University >> >> http://help.rockhurst.edu >> (816) 501-4231 >> ________________________________________ >> From: Cisco Clean Access Users and Administrators >> [[email protected]] On Behalf Of Mike Diggins >> [[email protected]] >> Sent: Saturday, April 04, 2009 1:27 PM >> To: [email protected] >> Subject: Windows Update Services Requirement >> >> I'm testing the Windows Update Service in place of the Cisco checks > for >> Windows patches. I created a new requirement for this (using the >> Microsoft update servers, and the Updates to be installed set to >> Critical. >> >> Enforce Type: Mandatory >> Priority: 3 >> Remediation Type: Manual, Interval 0, Retry Count 0 >> Windows Updates Validation by Severity >> Windows Updates to be Installed: Critical >> (Not checked) Upgrade to Latest OS Service Pack >> Windows Update Installation Sources: Microsoft Servers >> Installation Wizard Interface: Show UI >> Requirement Name: Windows Update Services >> Description:Critical Windows Updates are missing from your >> computer. Click on the Update button to launch >> Windows >> Update. >> >> Operating System: Windows XP (ALL), Windows Vista (All) >> >> Most users appear to be passing the check successfully. However, > several >> are not, and when I look at their report, it shows the following: >> >> 3. Windows Update Services (Mandatory) >> * Passed Checks: >> * Failed Checks: >> * Not executed Checks: >> * Description: >> >> Nothing under the failed checks, yet they're failing the check!? Some >> other failed reports do show the missing patches. I don't have access > to >> the clients today, so I'm wondering what this failure status means? >> >> -Mike >> > > > _________________________________________ > > Mike Diggins Voice: 905.525.9140 Ext. 27471 > Network Analyst, Enterprise Networks FAX: 905.522.0511 > University Technology Services E-Mail: [email protected] > McMaster University, Hamilton, Ontario > _________________________________________ Mike Diggins Voice: 905.525.9140 Ext. 27471 Network Analyst, Enterprise Networks FAX: 905.522.0511 University Technology Services E-Mail: [email protected] McMaster University, Hamilton, Ontario
