WSUS says: not needed, but MBSA says: install this update

Discussion in 'Update Services' started by Wanne de Kler., Nov 2, 2005.

  1. As the subject says, I'm having a problem updating some of my servers with
    WSUS.

    Some Windows 2003 servers have been added to a group and all security
    updates have been set to install for members of this server group. Some
    servers report that, for example, KB900725 doesn't need to be installed but
    MBSA (rightly) reports the opposite.

    Here's a log of one of the servers in question:

    2005-11-02 12:55:50 1036 448 Agent *********** Agent: Refreshing global
    settings cache ***********
    2005-11-02 12:55:50 1036 448 Agent * WSUS server: http://bianco (Unchanged)
    2005-11-02 12:55:50 1036 448 Agent * WSUS status server: http://bianco
    (Unchanged)
    2005-11-02 12:55:50 1036 448 Agent * Target group: servers (Changed)
    2005-11-02 12:55:50 1036 448 Agent * Windows Update access disabled: No
    (Unchanged)
    2005-11-02 12:55:50 1036 448 AU ########### AU: Policy change processed
    ###########
    2005-11-02 12:55:50 1036 448 AU # Policy changed, AU restart required = No
    2005-11-02 12:55:50 1036 448 AU # WSUS server: http://bianco
    2005-11-02 12:55:50 1036 448 AU # Detection frequency: 12
    2005-11-02 12:55:50 1036 448 AU # Target group: servers
    2005-11-02 12:55:50 1036 448 AU # Approval type: Pre-install notify (Policy)
    2005-11-02 12:55:50 1036 448 AU # Auto-install minor updates: No (User
    preference)
    2005-11-02 12:55:50 1036 448 AU AU setting next detection timeout to
    2005-11-02 23:39:14
    2005-11-02 12:55:50 1036 448 AU #############
    2005-11-02 12:55:50 1036 448 AU ## START ## AU: Search for updates
    2005-11-02 12:55:50 1036 448 AU #########
    2005-11-02 12:55:50 1036 448 AU <<## SUBMITTED ## AU: Search for updates
    [CallId = {3B07418C-C281-40D0-9265-EF12883C4E0C}]
    2005-11-02 12:55:50 1036 4bc Agent *************
    2005-11-02 12:55:50 1036 4bc Agent ** START ** Agent: Finding updates
    [CallerId = AutomaticUpdates]
    2005-11-02 12:55:50 1036 4bc Agent *********
    2005-11-02 12:55:50 1036 4bc Setup *********** Setup: Checking whether
    self-update is required ***********
    2005-11-02 12:55:50 1036 4bc Setup * Inf file:
    C:\WINDOWS\SoftwareDistribution\SelfUpdate\Default\wusetup.inf
    2005-11-02 12:55:50 1036 4bc Setup Update NOT required for
    C:\WINDOWS\system32\cdm.dll: target version = 5.8.0.2469, required version =
    5.8.0.2469
    2005-11-02 12:55:50 1036 4bc Setup Update NOT required for
    C:\WINDOWS\system32\iuengine.dll: target version = 5.8.0.2469, required
    version = 5.8.0.2469
    2005-11-02 12:55:50 1036 4bc Setup Update NOT required for
    C:\WINDOWS\system32\wuapi.dll: target version = 5.8.0.2469, required version
    = 5.8.0.2469
    2005-11-02 12:55:50 1036 4bc Setup Update NOT required for
    C:\WINDOWS\system32\wuauclt.exe: target version = 5.8.0.2469, required
    version = 5.8.0.2469
    2005-11-02 12:55:50 1036 4bc Setup Update NOT required for
    C:\WINDOWS\system32\wuauclt1.exe: target version = 5.8.0.2469, required
    version = 5.8.0.2469
    2005-11-02 12:55:50 1036 4bc Setup Update NOT required for
    C:\WINDOWS\system32\wuaucpl.cpl: target version = 5.8.0.2469, required
    version = 5.8.0.2469
    2005-11-02 12:55:50 1036 4bc Setup Update NOT required for
    C:\WINDOWS\system32\wuaueng.dll: target version = 5.8.0.2469, required
    version = 5.8.0.2469
    2005-11-02 12:55:50 1036 4bc Setup Update NOT required for
    C:\WINDOWS\system32\wuaueng1.dll: target version = 5.8.0.2469, required
    version = 5.8.0.2469
    2005-11-02 12:55:50 1036 4bc Setup Update NOT required for
    C:\WINDOWS\system32\wucltui.dll: target version = 5.8.0.2469, required
    version = 5.8.0.2469
    2005-11-02 12:55:50 1036 4bc Setup Update NOT required for
    C:\WINDOWS\system32\wups.dll: target version = 5.8.0.2469, required version =
    5.8.0.2469
    2005-11-02 12:55:50 1036 4bc Setup Update NOT required for
    C:\WINDOWS\system32\wups2.dll: target version = 5.8.0.2469, required version
    = 5.8.0.2469
    2005-11-02 12:55:50 1036 4bc Setup Update NOT required for
    C:\WINDOWS\system32\wuweb.dll: target version = 5.8.0.2469, required version
    = 5.8.0.2469
    2005-11-02 12:55:50 1036 4bc Setup * IsUpdateRequired = No
    2005-11-02 12:55:51 1036 4bc PT +++++++++++ PT: Synchronizing server
    updates +++++++++++
    2005-11-02 12:55:51 1036 4bc PT + ServiceId =
    {3DA21691-E39D-4DA6-8A4B-B43877BCB1B7}, Server URL =
    http://bianco/ClientWebService/client.asmx
    2005-11-02 12:55:51 1036 4bc PT Initializing simple targeting cookie,
    clientId = 7c543d6a-051e-48ed-b3f5-d435e0795fc0, target group = servers, DNS
    name = dovizioso.nuffic.nl
    2005-11-02 12:55:51 1036 4bc PT Server URL =
    http://bianco/SimpleAuthWebService/SimpleAuth.asmx
    2005-11-02 12:55:51 1036 4bc Agent * Found 0 updates and 8 categories in
    search
    2005-11-02 12:55:51 1036 4bc Agent *********
    2005-11-02 12:55:51 1036 4bc Agent ** END ** Agent: Finding updates
    [CallerId = AutomaticUpdates]
    2005-11-02 12:55:51 1036 4bc Agent *************
    2005-11-02 12:55:51 1036 4bc AU >>## RESUMED ## AU: Search for updates
    [CallId = {3B07418C-C281-40D0-9265-EF12883C4E0C}]
    2005-11-02 12:55:51 1036 4bc AU # 0 updates detected
    2005-11-02 12:55:51 1036 4bc AU #########
    2005-11-02 12:55:51 1036 4bc AU ## END ## AU: Search for updates [CallId
    = {3B07418C-C281-40D0-9265-EF12883C4E0C}]
    2005-11-02 12:55:51 1036 4bc AU #############
    2005-11-02 12:55:51 1036 4bc AU AU setting next detection timeout to
    2005-11-02 22:05:55
    2005-11-02 12:55:56 1036 4bc Report REPORT EVENT:
    {35A20AA9-F40F-43AB-920B-BCA9B93E42EA} 2005-11-02
    12:55:51+0100 1 147 101 {00000000-0000-0000-0000-000000000000} 0 0 AutomaticUpdates Success Software Synchronization Agent has finished detecting items.
    2005-11-02 12:55:56 1036 4bc Report REPORT EVENT:
    {D70A54C3-18C7-4786-B8FC-29C050F69D5B} 2005-11-02
    12:55:51+0100 1 153 101 {00000000-0000-0000-0000-000000000000} 0 0 AutomaticUpdates Success Pre-Deployment Check Reporting client status.
    2005-11-02 12:58:14 1036 438 Report Uploading 4 events using cached cookie,
    reporting URL = http://bianco/ReportingWebService/ReportingWebService.asmx
    2005-11-02 12:58:14 1036 438 Report Reporter successfully uploaded 4 events.

    I'm sure that I've selected the Windows Server 2003 version of this patch
    and it is listed with install permission in the server's status tab.

    So far, I haven't experienced any problems updating my XP clients...

    Any assistance with solving this problem would be much appreciated!

    thanks,


    Wanne de Kler
     
    Wanne de Kler., Nov 2, 2005
    #1

  2. (a) What is reported by the WSUS server console?

    (b) Is KB900725 listed in the client's
    %windir%\SoftwareDistribution\ReportingEvents.log as successfully installed?

    Note: If you're using MBSA v2.0, it should report identical data as WUA/WSUS.

    Are you sure the update has been properly approved for all servers,
    specifically the 'servers' target group?

    I noticed from this log snippet that you /just/ changed this server into the
    'servers' target group:

     
    Lawrence Garvin [MVP], Nov 2, 2005
    #2

  3. a) I'm not sure what you want to know? This update is listed as not needed
    under reports for this server.

    b) The update is not listed in this logfile

    c) Previously, I had set this computer manually to point to the WSUS server
    by copying a registry file. Yesterday, I applied the settings via a policy as
    it should be. However, this server has been a member of the SERVERS group from
    the beginning (it was added 2 weeks ago). Also, another Windows 2003 server
    has exactly the same problem and it has only been added to WSUS via a policy
    change.

    I'm sure that the Windows 2003 version of this patch has been set to install
    (for both all computers and the Servers group). Its status is ready for
    installation.


    thanks for looking into this!


    Wanne de Kler.

    Here's the most recent windows update.log

    2005-11-02 23:05:56 1036 448 AU #############
    2005-11-02 23:05:56 1036 448 AU ## START ## AU: Search for updates
    2005-11-02 23:05:56 1036 448 AU #########
    2005-11-02 23:05:56 1036 448 AU <<## SUBMITTED ## AU: Search for updates
    [CallId = {911C7B30-816A-4C6E-963D-D994DC5141F4}]
    2005-11-02 23:05:56 1036 4bc Agent *************
    2005-11-02 23:05:56 1036 4bc Agent ** START ** Agent: Finding updates
    [CallerId = AutomaticUpdates]
    2005-11-02 23:05:56 1036 4bc Agent *********
    2005-11-02 23:05:56 1036 4bc Setup *********** Setup: Checking whether
    self-update is required ***********
    2005-11-02 23:05:56 1036 4bc Setup * Inf file:
    C:\WINDOWS\SoftwareDistribution\SelfUpdate\Default\wusetup.inf
    2005-11-02 23:05:56 1036 4bc Setup Update NOT required for
    C:\WINDOWS\system32\cdm.dll: target version = 5.8.0.2469, required version =
    5.8.0.2469
    2005-11-02 23:05:56 1036 4bc Setup Update NOT required for
    C:\WINDOWS\system32\iuengine.dll: target version = 5.8.0.2469, required
    version = 5.8.0.2469
    2005-11-02 23:05:56 1036 4bc Setup Update NOT required for
    C:\WINDOWS\system32\wuapi.dll: target version = 5.8.0.2469, required version
    = 5.8.0.2469
    2005-11-02 23:05:56 1036 4bc Setup Update NOT required for
    C:\WINDOWS\system32\wuauclt.exe: target version = 5.8.0.2469, required
    version = 5.8.0.2469
    2005-11-02 23:05:56 1036 4bc Setup Update NOT required for
    C:\WINDOWS\system32\wuauclt1.exe: target version = 5.8.0.2469, required
    version = 5.8.0.2469
    2005-11-02 23:05:56 1036 4bc Setup Update NOT required for
    C:\WINDOWS\system32\wuaucpl.cpl: target version = 5.8.0.2469, required
    version = 5.8.0.2469
    2005-11-02 23:05:56 1036 4bc Setup Update NOT required for
    C:\WINDOWS\system32\wuaueng.dll: target version = 5.8.0.2469, required
    version = 5.8.0.2469
    2005-11-02 23:05:56 1036 4bc Setup Update NOT required for
    C:\WINDOWS\system32\wuaueng1.dll: target version = 5.8.0.2469, required
    version = 5.8.0.2469
    2005-11-02 23:05:56 1036 4bc Setup Update NOT required for
    C:\WINDOWS\system32\wucltui.dll: target version = 5.8.0.2469, required
    version = 5.8.0.2469
    2005-11-02 23:05:56 1036 4bc Setup Update NOT required for
    C:\WINDOWS\system32\wups.dll: target version = 5.8.0.2469, required version =
    5.8.0.2469
    2005-11-02 23:05:56 1036 4bc Setup Update NOT required for
    C:\WINDOWS\system32\wups2.dll: target version = 5.8.0.2469, required version
    = 5.8.0.2469
    2005-11-02 23:05:56 1036 4bc Setup Update NOT required for
    C:\WINDOWS\system32\wuweb.dll: target version = 5.8.0.2469, required version
    = 5.8.0.2469
    2005-11-02 23:05:56 1036 4bc Setup * IsUpdateRequired = No
    2005-11-02 23:05:57 1036 4bc PT +++++++++++ PT: Synchronizing server
    updates +++++++++++
    2005-11-02 23:05:57 1036 4bc PT + ServiceId =
    {3DA21691-E39D-4DA6-8A4B-B43877BCB1B7}, Server URL =
    http://bianco/ClientWebService/client.asmx
    2005-11-02 23:05:57 1036 4bc PT Initializing simple targeting cookie,
    clientId = 7c543d6a-051e-48ed-b3f5-d435e0795fc0, target group = servers, DNS
    name = dovizioso.nuffic.nl
    2005-11-02 23:05:57 1036 4bc PT Server URL =
    http://bianco/SimpleAuthWebService/SimpleAuth.asmx
    2005-11-02 23:05:57 1036 4bc Agent * Found 0 updates and 8 categories in
    search
    2005-11-02 23:05:57 1036 4bc Agent *********
    2005-11-02 23:05:57 1036 4bc Agent ** END ** Agent: Finding updates
    [CallerId = AutomaticUpdates]
    2005-11-02 23:05:57 1036 4bc Agent *************
    2005-11-02 23:05:57 1036 4bc AU >>## RESUMED ## AU: Search for updates
    [CallId = {911C7B30-816A-4C6E-963D-D994DC5141F4}]
    2005-11-02 23:05:57 1036 4bc AU # 0 updates detected
    2005-11-02 23:05:57 1036 4bc AU #########
    2005-11-02 23:05:57 1036 4bc AU ## END ## AU: Search for updates [CallId
    = {911C7B30-816A-4C6E-963D-D994DC5141F4}]
    2005-11-02 23:05:57 1036 4bc AU #############
    2005-11-02 23:05:57 1036 4bc AU AU setting next detection timeout to
    2005-11-03 09:50:10
    2005-11-02 23:06:02 1036 4bc Report REPORT EVENT:
    {3F69B3AB-0AFC-490A-9FC7-C25A265DFB91} 2005-11-02
    23:05:57+0100 1 147 101 {00000000-0000-0000-0000-000000000000} 0 0 AutomaticUpdates Success Software Synchronization Agent has finished detecting items.
    2005-11-02 23:06:02 1036 4bc Report REPORT EVENT:
    {C9776714-9B14-4F5A-921F-83615F5A8DC8} 2005-11-02
    23:05:57+0100 1 153 101 {00000000-0000-0000-0000-000000000000} 0 0 AutomaticUpdates Success Pre-Deployment Check Reporting client status.
    2005-11-02 23:13:29 1036 4bc Report Uploading 2 events using cached cookie,
    reporting URL = http://bianco/ReportingWebService/ReportingWebService.asmx
    2005-11-02 23:13:29 1036 4bc Report Reporter successfully uploaded 2 events.
     
    Wanne de Kler., Nov 3, 2005
    #3
  4. The absence of any reference to the update in the ReportingEvents.log is a
    strong indicator that the update has /never/ been installed. This can also be
    corroborated by the absence of a KB900724.log file in the \WINDOWS directory.

    Now, again, this could easily be a function of the approval being configured
    incorrectly. A computer will only report an update as "Needed" on the WSUS
    server /IF/ that update has been set to allow detection. If the update is "Not
    Approved" or "Declined", the WSUS server will never report that update as
    needed.

    This is different from MBSA, which scans directly using the catalog, and will
    trap an update as 'not installed', regardless of the approval settings on the
    WSUS server. (This is one of the benefits of using MBSA v2 in conjunction with
    WSUS.)

    So.. if MBSA says it's missing, and the client shows no record that it has ever
    been detected, downloaded, installed, uninstalled, or whatnot, then that tends
    to point a pretty sharp finger at the approval configuration on the WSUS
    server.

    As a final test, point the client to WindowsUpdate. Does WindowsUpdate say the
    update is needed? If so, you have a definitive answer. Now the only chore is
    to determine exactly why the WUA cannot see the availability of the update
    from the WSUS server.


     
    Lawrence Garvin [MVP], Nov 3, 2005
    #4
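
The checks discussed in this thread (which target group the client presented to WSUS, how many updates the search returned, and whether ReportingEvents.log ever mentions the update) can be scripted. This is an added example, not part of any post; the function names are hypothetical, and it assumes the WindowsUpdate.log layout as pasted above, including the line wrapping.

```python
import re

# timestamp, pid, tid, component, message: the layout as pasted in the thread
REC = re.compile(r"^(\d{4}-\d{2}-\d{2}\s+\d{2}:\d{2}:\d{2})\s+\d+\s+[0-9a-f]+\s+(\w+)\s+(.*)$")

def unwrap(text):
    """Rejoin records that forum/mail wrapping split across several lines."""
    records = []
    for line in filter(None, map(str.strip, text.splitlines())):
        if REC.match(line) or not records:
            records.append(line)
        else:
            records[-1] += " " + line
    return records

def detection_cycles(text):
    """One dict per completed 'Agent: Finding updates' cycle."""
    cycles, cur = [], None
    for m in filter(None, map(REC.match, unwrap(text))):
        ts, comp, msg = m.groups()
        if comp == "Agent" and "** START **" in msg:
            cur = {"start": ts, "group": None, "found": None}
        elif cur is None:
            continue
        elif g := re.search(r"target group = ([^,]+)", msg):
            cur["group"] = g.group(1).strip()
        elif f := re.search(r"Found (\d+) updates", msg):
            cur["found"] = int(f.group(1))
        elif comp == "Agent" and "** END **" in msg:
            cycles.append(cur)
            cur = None
    return cycles

def approval_suspect(cycle, reporting_events, kb, scanner_says_missing):
    """True when the thread's three observations all hold for this KB."""
    recorded = kb.lower() in reporting_events.lower()
    return scanner_says_missing and cycle["found"] == 0 and not recorded

# Excerpt of the first log in the thread, still wrapped as posted.
SAMPLE = """\
2005-11-02 12:55:50 1036 4bc Agent ** START ** Agent: Finding updates
[CallerId = AutomaticUpdates]
2005-11-02 12:55:51 1036 4bc PT Initializing simple targeting cookie,
clientId = 7c543d6a-051e-48ed-b3f5-d435e0795fc0, target group = servers, DNS
name = dovizioso.nuffic.nl
2005-11-02 12:55:51 1036 4bc Agent * Found 0 updates and 8 categories in
search
2005-11-02 12:55:51 1036 4bc Agent ** END ** Agent: Finding updates
"""
```

Pass the contents of the client's ReportingEvents.log as `reporting_events`; a `True` result means the scanner reports the update missing, the WSUS search found nothing, and the client has no record of the update.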
  5. I had already checked both the existence of an uninstall directory and the
    Windowsupdate site which both confirm that the update has not been installed.

    I've made some additional checks to make sure the update is configured
    correctly:

    List all the declined updates: It's not there
    List all the approved updates: Present
    List all the updates set to install: Present

    And I've also set the update to install for all groups. Still, it's being
    listed as not needed.

    I've copied these two lines straight from the status report screen:

    Agent has finished detecting items. 11/4/2005 9:15 AM

    Security Update for Windows Server 2003 (KB900725) Install Not needed

    IMHO it proves that I set WSUS correctly to install this update for this
    server?

    thanks,

    Wanne de Kler.
     
    Wanne de Kler., Nov 4, 2005
    #5
  6. Wanne, it does look like you have an issue that is producing inconsistent
    results.

    Can you please /email/ me a screen capture of the WSUS Admin Console showing
    the Computer status for this update, as well as a screen capture of the MBSA
    v2 showing the status for that update. Also, please go to www.belarc.com and
    run the Belarc Advisor on this system, and send me the output html report so
    that I can provide the /exact/ system configuration and patch specifications
    for this system with the screen caps.

    I will forward the data to internal resources at Microsoft and ask them to
    follow up and see if they can confirm the cause. There may be a detection
    logic flaw in the WSUS metadata for this update.

    My email address is: l r g a r v i n @ s w b e l l . n e t
     
    Lawrence Garvin [MVP], Nov 4, 2005
    #6