| CPUG | |
| The Check Point User Group | |
| A Resource For The Check Point Community. Fast. Useful. Independent. | |
| Hi, We are planning to implement Microsoft WSUS for patch distribution and management. Can you guys share your experiences on this? How to detect the presence of a particular patch level on a client in case of a WSUS implementation? Thanks in advance. Aussie_in |
| |||
| The only way is to use enforcement rules to check either certain registry keys, file versions, or file ages. You'd have to research each individual patch, but this can be done easily by reading the tech section of the MS advisories that accompany each patch issued. |
| |||
| I don't know that much about WSUS unfortunately. If there is a process, you could check for that, but this would be circumstantial. Just because the client side service is running doesn't mean that it's successfully updated the patches. My suggestion is to use the sandbagging approach. Enter checks for your most significant patches. This shouldn't be too often, and you could consider the MS critical update notifications as your guideline. Otherwise, if you have the resources, you might try doing registry snapshots of clients that are updated vs. those that aren't and try to isolate any regkeys that indicate the WSUS is happy. Good luck. |
| |||
| If you're looking at using WSUS, might I recommend the Shavlik mailing lists at http://www.patchmanagement.org/ Other great sites: http://wsus.editme.com and http://www.wsus.info There is a client process: "%WINDIR%\System32\wuauclt.exe" As well as a service: Automatic Updates: path to exe: "C:\WINDOWS\system32\svchost.exe -k netsvcs" Logs on via LocalSystem. That info is from my own Windows XP Pro SP2 machine. I'm not all that familiar with Integrity. But a log is maintained locally on each machine: %WINDIR%\SoftwareDistribution\ReportingEvents.log This log details all actions taken by the Automatic Updates service as well as the Windows Update Automatic Updates Client (wuauclt.exe). I'm not sure if that will help you in defining checks or not. On occasion I have had to delete the \SoftwareDistribution folder entirely to remedy an apparent local database corruption issue. This has the effect of trashing that log file, so if you've got a remote user who had to take that kind of drastic action you've just lost your ability to check. You could also use WMIC to query the machine for current updates installed, that might be a more robust solution since it does not rely on WSUS at all. Stay tuned, I can find some info on that for you. |
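
The two checks discussed in this thread (installed updates queried through WMI, and minimum file versions taken from the advisories) can be combined into one client-side test. The following is an added example, not part of any post above; the function name `Test-PatchLevel`, the KB IDs and the version floor are constructed placeholders.

```powershell
# Added example: patch-level check that does not depend on WSUS client state.
# Test-PatchLevel is a hypothetical helper; KB IDs and versions are placeholders.
function Test-PatchLevel {
    param(
        [string[]]$RequiredKB,
        [hashtable]$MinFileVersion = @{},  # file path -> minimum version string
        [string[]]$InstalledKB             # optional: supply a list for offline testing
    )
    if (-not $PSBoundParameters.ContainsKey('InstalledKB')) {
        # Win32_QuickFixEngineering is the class behind "wmic qfe".
        # It does not list every update type, hence the file-version checks below.
        $InstalledKB = @(Get-CimInstance -ClassName Win32_QuickFixEngineering |
            Select-Object -ExpandProperty HotFixID)
    }
    $findings = @()
    foreach ($kb in $RequiredKB) {
        if ($InstalledKB -notcontains $kb) {
            $findings += [pscustomobject]@{ Check = $kb; Result = 'hotfix not listed' }
        }
    }
    foreach ($path in $MinFileVersion.Keys) {
        $item = Get-Item -LiteralPath $path -ErrorAction SilentlyContinue
        if (-not $item) {
            $findings += [pscustomobject]@{ Check = $path; Result = 'file not found' }
            continue
        }
        # Use the numeric parts; the FileVersion string can carry trailing text.
        $vi = $item.VersionInfo
        $have = [version]::new($vi.FileMajorPart, $vi.FileMinorPart,
                               $vi.FileBuildPart, $vi.FilePrivatePart)
        $want = [version]$MinFileVersion[$path]
        if ($have -lt $want) {
            $findings += [pscustomobject]@{ Check = $path; Result = "version $have below $want" }
        }
    }
    [pscustomobject]@{ Compliant = ($findings.Count -eq 0); Findings = $findings }
}

# Constructed sample values: take real KB IDs and file versions from each advisory.
$result = Test-PatchLevel -RequiredKB 'KB0000001', 'KB0000002' `
    -MinFileVersion @{ "$env:WINDIR\System32\wuauclt.exe" = '1.0.0.0' }
$result.Findings | Format-Table -AutoSize
if (-not $result.Compliant) { exit 1 }
```

Passing `-InstalledKB` with a saved list lets the same logic be exercised against an inventory export instead of the live machine.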