Re: Windows Update Services Requirement

[Mike Diggins]

Thanks, that's good to know.

-Mike


On Tue, 7 Apr 2009, Prem Ananthakrishnan (prananth) wrote:

Mike,

My understanding is that you need the stub installed both to check as
well as update against WSUS. Please note that we will be eliminating the
additional stub requirement for non-admins in an upcoming NAC release.

-Prem



-----Original Message-----
From: Cisco Clean Access Users and Administrators
[mailto:cleanacc...@listserv.muohio.edu] On Behalf Of Mike Diggins
Sent: Monday, April 06, 2009 12:22 PM
To: CLEANACCESS@LISTSERV.MUOHIO.EDU
Subject: Re: Windows Update Services Requirement

I'm not. I thought that was just to allow the Agent to update? Does it
allow non-administrator accounts to login using the WUA method as well?

-Mike

On Mon, 6 Apr 2009, Prem Ananthakrishnan (prananth) wrote:

Hi Mike,

Are you using the agent stub? You will need the agent stub for the

WSUS

to work

-Prem

-----Original Message-----
From: Cisco Clean Access Users and Administrators
[mailto:cleanacc...@listserv.muohio.edu] On Behalf Of Mike Diggins
Sent: Monday, April 06, 2009 9:32 AM
To: CLEANACCESS@LISTSERV.MUOHIO.EDU
Subject: Re: Windows Update Services Requirement

I discovered the source of at least some of the failed logins. You

can't

run WUA if you're not an Administrator of that machine, and we have
several (that I know about), that do just that.

Considering that Best Practise is not to run as an Administrator, is
there
any work around to this, short of exempting it from the checks?

-Mike


On Sun, 5 Apr 2009, Atif Azim (atif) wrote:

Mike D,

Mike S is correct in that this typically happens when the update

service

on that machine is broken, however to ascertain this you should take

a

look at the agent logs.

When you do have access to the clients, can you look at the agent

logs

and see if there is any information there. In order to set the

loglevel

to debug, please refer to the following link:

http://www.cisco.com/en/US/docs/security/nac/appliance/release_notes/45/

45rn.html#wp607061

Please send the agent log to myself and I can have one of our

technical

folks take a look and get back to you. Alternatively you can also
forward the logs to TAC and they will follow up with you.

Regards,
Atif

-----Original Message-----
From: Cisco Clean Access Users and Administrators
[mailto:cleanacc...@listserv.muohio.edu] On Behalf Of Stanclift,

Michael

Sent: Saturday, April 04, 2009 11:22 PM
To: CLEANACCESS@LISTSERV.MUOHIO.EDU
Subject: Re: Windows Update Services Requirement

We run our checks like this as well, when students get those errors

it

usually is because the update service on their machine is either

broken

or somehow disabled.

Michael Stanclift
Network Analyst
Rockhurst University

http://help.rockhurst.edu
(816) 501-4231
________________________________________
From: Cisco Clean Access Users and Administrators
[cleanacc...@listserv.muohio.edu] On Behalf Of Mike Diggins
[mike.digg...@mcmaster.ca]
Sent: Saturday, April 04, 2009 1:27 PM
To: CLEANACCESS@LISTSERV.MUOHIO.EDU
Subject: Windows Update Services Requirement

I'm testing the Windows Update Service in place of the Cisco checks

for

Windows patches. I created a new requirement for this (using the
Microsoft update servers, and the Updates to be installed set to
Critical.

       Enforce Type: Mandatory
       Priority: 3
       Remediation Type: Manual, Interval 0, Retry Count 0
       Windows Updates Validation by Severity
       Windows Updates to be Installed: Critical
       (Not checked) Upgrade to Latest OS Service Pack
       Windows Update Installation Sources: Microsoft Servers
       Installation Wizard Interface: Show UI
       Requirement Name: Windows Update Services
       Description:Critical Windows Updates are missing from your
                   computer. Click on the Update button to launch
Windows
                   Update.

       Operating System: Windows XP (ALL), Windows Vista (All)

Most users appear to be passing the check successfully. However,

several

are not, and when I look at their report, it shows the following:

  3. Windows Update Services (Mandatory)
          * Passed Checks:
          * Failed Checks:
          * Not executed Checks:
          * Description:

Nothing under the failed checks, yet they're failing the check!? Some
other failed reports do show the missing patches. I don't have access

to

the clients today, so I'm wondering what this failure status means?

-Mike

            _________________________________________

Mike Diggins                            Voice:  905.525.9140 Ext. 27471
Network Analyst, Enterprise Networks    FAX:    905.522.0511
University Technology Services          E-Mail:

mike.digg...@mcmaster.ca

McMaster University, Hamilton, Ontario

            _________________________________________

Mike Diggins                            Voice:  905.525.9140 Ext. 27471
Network Analyst, Enterprise Networks    FAX:    905.522.0511
University Technology Services          E-Mail: mike.digg...@mcmaster.ca
McMaster University, Hamilton, Ontario

            _________________________________________

Mike Diggins                            Voice:  905.525.9140 Ext. 27471
Network Analyst, Enterprise Networks    FAX:    905.522.0511
University Technology Services          E-Mail: mike.digg...@mcmaster.ca
McMaster University, Hamilton, Ontario