WSUS says: not needed, but MBSA says: install this update

As the subject says, I'm having a problem updating some of my servers with
WSUS.

Some windows 2003 servers have been added to a group and all security
updates have been set to install for members of this server group. Some
servers report that, for example, KB900725 doesn't need to be installed but
MBSA (rightly) reports the opposite.

Here's a log of one of the servers in question:

2005-11-02 12:55:50 1036 448 Agent *********** Agent: Refreshing global
settings cache ***********
2005-11-02 12:55:50 1036 448 Agent * WSUS server: http://bianco (Unchanged)
2005-11-02 12:55:50 1036 448 Agent * WSUS status server: http://bianco
(Unchanged)
2005-11-02 12:55:50 1036 448 Agent * Target group: servers (Changed)
2005-11-02 12:55:50 1036 448 Agent * Windows Update access disabled: No
(Unchanged)
2005-11-02 12:55:50 1036 448 AU ########### AU: Policy change processed
###########
2005-11-02 12:55:50 1036 448 AU # Policy changed, AU restart required = No
2005-11-02 12:55:50 1036 448 AU # WSUS server: http://bianco
2005-11-02 12:55:50 1036 448 AU # Detection frequency: 12
2005-11-02 12:55:50 1036 448 AU # Target group: servers
2005-11-02 12:55:50 1036 448 AU # Approval type: Pre-install notify (Policy)
2005-11-02 12:55:50 1036 448 AU # Auto-install minor updates: No (User
preference)
2005-11-02 12:55:50 1036 448 AU AU setting next detection timeout to
2005-11-02 23:39:14
2005-11-02 12:55:50 1036 448 AU #############
2005-11-02 12:55:50 1036 448 AU ## START ## AU: Search for updates
2005-11-02 12:55:50 1036 448 AU #########
2005-11-02 12:55:50 1036 448 AU <<## SUBMITTED ## AU: Search for updates
[CallId = {3B07418C-C281-40D0-9265-EF12883C4E0C}]
2005-11-02 12:55:50 1036 4bc Agent *************
2005-11-02 12:55:50 1036 4bc Agent ** START ** Agent: Finding updates
[CallerId = AutomaticUpdates]
2005-11-02 12:55:50 1036 4bc Agent *********
2005-11-02 12:55:50 1036 4bc Setup *********** Setup: Checking whether
self-update is required ***********
2005-11-02 12:55:50 1036 4bc Setup * Inf file:
C:\WINDOWS\SoftwareDistribution\SelfUpdate\Default\wusetup.inf
2005-11-02 12:55:50 1036 4bc Setup Update NOT required for
C:\WINDOWS\system32\cdm.dll: target version = 5.8.0.2469, required version =
5.8.0.2469
2005-11-02 12:55:50 1036 4bc Setup Update NOT required for
C:\WINDOWS\system32\iuengine.dll: target version = 5.8.0.2469, required
version = 5.8.0.2469
2005-11-02 12:55:50 1036 4bc Setup Update NOT required for
C:\WINDOWS\system32\wuapi.dll: target version = 5.8.0.2469, required version
= 5.8.0.2469
2005-11-02 12:55:50 1036 4bc Setup Update NOT required for
C:\WINDOWS\system32\wuauclt.exe: target version = 5.8.0.2469, required
version = 5.8.0.2469
2005-11-02 12:55:50 1036 4bc Setup Update NOT required for
C:\WINDOWS\system32\wuauclt1.exe: target version = 5.8.0.2469, required
version = 5.8.0.2469
2005-11-02 12:55:50 1036 4bc Setup Update NOT required for
C:\WINDOWS\system32\wuaucpl.cpl: target version = 5.8.0.2469, required
version = 5.8.0.2469
2005-11-02 12:55:50 1036 4bc Setup Update NOT required for
C:\WINDOWS\system32\wuaueng.dll: target version = 5.8.0.2469, required
version = 5.8.0.2469
2005-11-02 12:55:50 1036 4bc Setup Update NOT required for
C:\WINDOWS\system32\wuaueng1.dll: target version = 5.8.0.2469, required
version = 5.8.0.2469
2005-11-02 12:55:50 1036 4bc Setup Update NOT required for
C:\WINDOWS\system32\wucltui.dll: target version = 5.8.0.2469, required
version = 5.8.0.2469
2005-11-02 12:55:50 1036 4bc Setup Update NOT required for
C:\WINDOWS\system32\wups.dll: target version = 5.8.0.2469, required version =
5.8.0.2469
2005-11-02 12:55:50 1036 4bc Setup Update NOT required for
C:\WINDOWS\system32\wups2.dll: target version = 5.8.0.2469, required version
= 5.8.0.2469
2005-11-02 12:55:50 1036 4bc Setup Update NOT required for
C:\WINDOWS\system32\wuweb.dll: target version = 5.8.0.2469, required version
= 5.8.0.2469
2005-11-02 12:55:50 1036 4bc Setup * IsUpdateRequired = No
2005-11-02 12:55:51 1036 4bc PT +++++++++++ PT: Synchronizing server
updates +++++++++++
2005-11-02 12:55:51 1036 4bc PT + ServiceId =
{3DA21691-E39D-4DA6-8A4B-B43877BCB1B7}, Server URL =
http://bianco/ClientWebService/client.asmx
2005-11-02 12:55:51 1036 4bc PT Initializing simple targeting cookie,
clientId = 7c543d6a-051e-48ed-b3f5-d435e0795fc0, target group = servers, DNS
name = dovizioso.nuffic.nl
2005-11-02 12:55:51 1036 4bc PT Server URL =
http://bianco/SimpleAuthWebService/SimpleAuth.asmx
2005-11-02 12:55:51 1036 4bc Agent * Found 0 updates and 8 categories in
search
2005-11-02 12:55:51 1036 4bc Agent *********
2005-11-02 12:55:51 1036 4bc Agent ** END ** Agent: Finding updates
[CallerId = AutomaticUpdates]
2005-11-02 12:55:51 1036 4bc Agent *************
2005-11-02 12:55:51 1036 4bc AU >>## RESUMED ## AU: Search for updates
[CallId = {3B07418C-C281-40D0-9265-EF12883C4E0C}]
2005-11-02 12:55:51 1036 4bc AU # 0 updates detected
2005-11-02 12:55:51 1036 4bc AU #########
2005-11-02 12:55:51 1036 4bc AU ## END ## AU: Search for updates [CallId
= {3B07418C-C281-40D0-9265-EF12883C4E0C}]
2005-11-02 12:55:51 1036 4bc AU #############
2005-11-02 12:55:51 1036 4bc AU AU setting next detection timeout to
2005-11-02 22:05:55
2005-11-02 12:55:56 1036 4bc Report REPORT EVENT:
{35A20AA9-F40F-43AB-920B-BCA9B93E42EA} 2005-11-02
12:55:51+0100 1 147 101 {00000000-0000-0000-0000-000000000000} 0 0 AutomaticUpdates Success Software Synchronization Agent has finished detecting items.
2005-11-02 12:55:56 1036 4bc Report REPORT EVENT:
{D70A54C3-18C7-4786-B8FC-29C050F69D5B} 2005-11-02
12:55:51+0100 1 153 101 {00000000-0000-0000-0000-000000000000} 0 0 AutomaticUpdates Success Pre-Deployment Check Reporting client status.
2005-11-02 12:58:14 1036 438 Report Uploading 4 events using cached cookie,
reporting URL = http://bianco/ReportingWebService/ReportingWebService.asmx
2005-11-02 12:58:14 1036 438 Report Reporter successfully uploaded 4 events.

I'm sure that I've selected the Windows server 2003 version of this patch
and it is listed with install permission in the server's status tab.

So far, I haven't experienced any problems updating my XP clients...

Any assistance with solving this problem would be much appreciated!

thanks,


Wanne de Kler

 

(a) What is reported by the WSUS server console?

(b) Is KB900725 listed in the client's
%windir%\SoftwareDistribution\ReportingEvents.log as successfully installed?

Note: If you're using MBSA v2.0, it should report identical data as WUA/WSUS.

Are you sure the update has been properly approved for all servers,
specifically the 'servers' target group?

I noticed from this log snippet that you /just/ changed this server into the
'servers' target group:

 

a) I'm not sure what you want to know? This update is listed as not needed
under reports for this server.

b) The update is not listed in this logfile

c) Previously, I had set this computer manually to point to the WSUS server
by copying a registry file. Yesterday, I applied the settings via a policy as
it should be. However, this server has been member of the SERVERS group from
the beginning (it was added 2 weeks ago). Also, another Windows 2003 server
has exactly the same problem and it has only been added to WSUS via a policy
change.

I'm sure that the Windows 2003 version of this patch has been set to install
(for both all computers and the Servers group). It's status is ready for
installation.


thanks for looking into this!


Wanne de Kler.

Here's the most recent windows update.log

2005-11-02 23:05:56 1036 448 AU #############
2005-11-02 23:05:56 1036 448 AU ## START ## AU: Search for updates
2005-11-02 23:05:56 1036 448 AU #########
2005-11-02 23:05:56 1036 448 AU <<## SUBMITTED ## AU: Search for updates
[CallId = {911C7B30-816A-4C6E-963D-D994DC5141F4}]
2005-11-02 23:05:56 1036 4bc Agent *************
2005-11-02 23:05:56 1036 4bc Agent ** START ** Agent: Finding updates
[CallerId = AutomaticUpdates]
2005-11-02 23:05:56 1036 4bc Agent *********
2005-11-02 23:05:56 1036 4bc Setup *********** Setup: Checking whether
self-update is required ***********
2005-11-02 23:05:56 1036 4bc Setup * Inf file:
C:\WINDOWS\SoftwareDistribution\SelfUpdate\Default\wusetup.inf
2005-11-02 23:05:56 1036 4bc Setup Update NOT required for
C:\WINDOWS\system32\cdm.dll: target version = 5.8.0.2469, required version =
5.8.0.2469
2005-11-02 23:05:56 1036 4bc Setup Update NOT required for
C:\WINDOWS\system32\iuengine.dll: target version = 5.8.0.2469, required
version = 5.8.0.2469
2005-11-02 23:05:56 1036 4bc Setup Update NOT required for
C:\WINDOWS\system32\wuapi.dll: target version = 5.8.0.2469, required version
= 5.8.0.2469
2005-11-02 23:05:56 1036 4bc Setup Update NOT required for
C:\WINDOWS\system32\wuauclt.exe: target version = 5.8.0.2469, required
version = 5.8.0.2469
2005-11-02 23:05:56 1036 4bc Setup Update NOT required for
C:\WINDOWS\system32\wuauclt1.exe: target version = 5.8.0.2469, required
version = 5.8.0.2469
2005-11-02 23:05:56 1036 4bc Setup Update NOT required for
C:\WINDOWS\system32\wuaucpl.cpl: target version = 5.8.0.2469, required
version = 5.8.0.2469
2005-11-02 23:05:56 1036 4bc Setup Update NOT required for
C:\WINDOWS\system32\wuaueng.dll: target version = 5.8.0.2469, required
version = 5.8.0.2469
2005-11-02 23:05:56 1036 4bc Setup Update NOT required for
C:\WINDOWS\system32\wuaueng1.dll: target version = 5.8.0.2469, required
version = 5.8.0.2469
2005-11-02 23:05:56 1036 4bc Setup Update NOT required for
C:\WINDOWS\system32\wucltui.dll: target version = 5.8.0.2469, required
version = 5.8.0.2469
2005-11-02 23:05:56 1036 4bc Setup Update NOT required for
C:\WINDOWS\system32\wups.dll: target version = 5.8.0.2469, required version =
5.8.0.2469
2005-11-02 23:05:56 1036 4bc Setup Update NOT required for
C:\WINDOWS\system32\wups2.dll: target version = 5.8.0.2469, required version
= 5.8.0.2469
2005-11-02 23:05:56 1036 4bc Setup Update NOT required for
C:\WINDOWS\system32\wuweb.dll: target version = 5.8.0.2469, required version
= 5.8.0.2469
2005-11-02 23:05:56 1036 4bc Setup * IsUpdateRequired = No
2005-11-02 23:05:57 1036 4bc PT +++++++++++ PT: Synchronizing server
updates +++++++++++
2005-11-02 23:05:57 1036 4bc PT + ServiceId =
{3DA21691-E39D-4DA6-8A4B-B43877BCB1B7}, Server URL =
http://bianco/ClientWebService/client.asmx
2005-11-02 23:05:57 1036 4bc PT Initializing simple targeting cookie,
clientId = 7c543d6a-051e-48ed-b3f5-d435e0795fc0, target group = servers, DNS
name = dovizioso.nuffic.nl
2005-11-02 23:05:57 1036 4bc PT Server URL =
http://bianco/SimpleAuthWebService/SimpleAuth.asmx
2005-11-02 23:05:57 1036 4bc Agent * Found 0 updates and 8 categories in
search
2005-11-02 23:05:57 1036 4bc Agent *********
2005-11-02 23:05:57 1036 4bc Agent ** END ** Agent: Finding updates
[CallerId = AutomaticUpdates]
2005-11-02 23:05:57 1036 4bc Agent *************
2005-11-02 23:05:57 1036 4bc AU >>## RESUMED ## AU: Search for updates
[CallId = {911C7B30-816A-4C6E-963D-D994DC5141F4}]
2005-11-02 23:05:57 1036 4bc AU # 0 updates detected
2005-11-02 23:05:57 1036 4bc AU #########
2005-11-02 23:05:57 1036 4bc AU ## END ## AU: Search for updates [CallId
= {911C7B30-816A-4C6E-963D-D994DC5141F4}]
2005-11-02 23:05:57 1036 4bc AU #############
2005-11-02 23:05:57 1036 4bc AU AU setting next detection timeout to
2005-11-03 09:50:10
2005-11-02 23:06:02 1036 4bc Report REPORT EVENT:
{3F69B3AB-0AFC-490A-9FC7-C25A265DFB91} 2005-11-02
23:05:57+0100 1 147 101 {00000000-0000-0000-0000-000000000000} 0 0 AutomaticUpdates Success Software Synchronization Agent has finished detecting items.
2005-11-02 23:06:02 1036 4bc Report REPORT EVENT:
{C9776714-9B14-4F5A-921F-83615F5A8DC8} 2005-11-02
23:05:57+0100 1 153 101 {00000000-0000-0000-0000-000000000000} 0 0 AutomaticUpdates Success Pre-Deployment Check Reporting client status.
2005-11-02 23:13:29 1036 4bc Report Uploading 2 events using cached cookie,
reporting URL = http://bianco/ReportingWebService/ReportingWebService.asmx
2005-11-02 23:13:29 1036 4bc Report Reporter successfully uploaded 2 events.

 

The absence of any reference to the update in the ReportingEvents.log is a
strong indicator that the update has /never/ been installed. This can also be
corroborated by the absence of a KB900724.log file in the \WINDOWS directory.

Now, again, this could easily be a function of the approval being configured
incorrectly. A computer will only report an update as "Needed" on the WSUS
server /IF/ that update has been set to allow detection. If the update is "Not
Approved" or "Declined", the WSUS server will never report that update as
needed.

This is different from MBSA, which scans directly using the catalog, and will
trap an update as 'not installed', regardless of the approval settings on the
WSUS server. (This is one of the benefits of using MBSA v2 in conjunction with
WSUS.)

So.. if MBSA says its missing, and the client shows no record that it has ever
been detected, downloaded, installed, unstalled, or whatnot, then that tends
to point a pretty sharp finger at the approval configuration on the WSUS
server.

As a final test, point the client to WindowsUpdate. Does WindowsUpdate say the
update is needed? If so, you have a definitive answer. Now the only chore is
to determine exactly why the WUA cannot see the availability of the update
from the WSUS server.

 

I had already checked both the existence of an uninstall directory and the
Windowsupdate site which both confirm that the update has not been installed.

I've made some additional checks to make sure the update is configured
correctly:

List all the declined updates: It's not there
List all the approved updates: Present
List all the updates set to install: Present

And I've also set the update to install for all groups. Still, it's being
listed as not needed.

I've copied these two lines straight from the status report screen:

Agent has finished detecting items. 11/4/2005 9:15 AM

Security Update for Windows Server 2003 (KB900725) Install Not needed

IMHO it proves that I set WSUS correctly to install this update for this
server?

thanks,

Wanne de Kler.

 

Wanne, it does look like you have an issue that is producing inconsistent
results.

Can you please /email/ me a screen capture of the WSUS Admin Console showing
the Computer status for this update, as well as a screen capture of the MBSA
v2 showing the status for that update. Also, please go to www.belarc.com and
run the Belarc Advisor on this system, and send me the output html report so
that I can provide the /exact/ system configuration and patch specifications
for this system with the screen caps.

I will forward the data to internal resources at Microsoft and ask them to
follow up and see if they can confirm the cause. There may be a detection
logic flaw in the WSUS metadata for this update.

My email address is: l r g a r v i n @ s w b e l l . n e t