> On Jun 15, 8:55 pm, "Asher_N" <asher...[ at ]gmail.com> wrote:
>> Tila <kilinatt...[ at ]gmail.com> wrote
>> in news:1181908658.085097.241680[ at ]q69g2000hsb.googlegroups.com:
>>
>> > On Jun 15, 5:18 am, "Lawrence Garvin (MVP)"
>> > <onsit...[ at ]community.nospam> wrote:
>> >> "Tom" <mqtest...[ at ]gmail.com> wrote in message
>> >> news:OyoCvIprHHA.2240[ at ]TK2MSFTNGP03.phx.gbl...
>>
>> >> > We have a report that is run that is given to our boss and these
>> >> > machines are showing us non-compliant. In truth we are compliant
>> >> > because these machines have all the Approved updates for their
>> >> > Group. It would be nice if they dropped off the list; how do other
>> >> > companies work through this? The only updates that are showing up
>> >> > now are the "Not Approved" ones.
>>
>> >> This is an acknowledged and fundamental flaw in the WSUS 3 reporting
>> >> system.
>>
>> >> You have a couple of options:
>>
>> >> [a] Use MBSA as your compliance analysis tool.
>> >> (Truth be told, your SOX auditors shouldn't accept the
>> >> distribution/installation tool as the only source of compliance
>> >> verification. An independent source should also be used. Using MBSA
>> >> with the standalone catalog will do this.)
>> >> However... here's the reality: MBSA will also report the update as
>> >> "Needed" if it's a security update and not installed.
>> >> Also, MBSA only scans for security updates, so it's not a comprehensive
>> >> compliance monitoring tool.
>>
>> >> [b] Eminentware (http://www.eminentware.com) has a WSUS 3 add-on
>> >> package that is currently in beta testing, that offers an alternative
>> >> reporting package that excludes these types of Needed/Not Approved
>> >> updates from the report, thus making your report more consistent with
>> >> your Approval statuses, rather than the Computer statuses.
>>
>> >> [c] Use the WSUS 3 API to write your own report package that ignores
>> >> "Needed/Not Approved" updates.
>>
>> >> [d] Since the list of "updates we ain't gonna install" is generally
>> >> short, and can be enumerated, and you can document the expectation
>> >> that server 'X' will report =three= updates as Needed (e.g. .NET
>> >> Framework v3.0, Internet Explorer 7.0 for Windows Server 2003,
>> >> Windows Server 2003 Service Pack 2), then if your expectation is that
>> >> three will be reported, and three are reported, and the details page
>> >> of the computer report expressly identifies those three updates as
>> >> the ones "Needed, but not Installed", then I'd say it's really just a
>> >> matter of properly interpreting the report, and the report *is*
>> >> showing you compliant.
>>
>> >> Also, consider the alternative scenario to how WSUS 3 currently
>> >> works:
>>
>> >> Consider that the report really did only show the status of the updates
>> >> you had APPROVED for Installation. Consider that... ooops... you
>> >> forgot to approve a security update that should have been approved.
>> >> Well, in the alternative, your computer would show 100% GREEN,
>> >> because it's installed all of the =approved= updates, even though it
>> >> has not installed all of the =needed= updates. Now, answer this
>> >> question: The pie chart shows 100% GREEN. Is the computer compliant
>> >> with your security update policy? Or, would you rather see that
>> >> "Missing, but Not Approved" status reflected in the computer's
>> >> report?
>>
>> >> Personally, I'd rather *know* that I have to discount those three
>> >> updates that are making 2% of my pie chart yellow, and that I'm 98%
>> >> compliant BY CHOICE with the =available= updates, than to be misled
>> >> into believing I've installed 100% of the =needed= updates, only to
>> >> find out after a security breach that I missed a critical security
>> >> update that never got installed.
>>
>> >> --
>> >> Lawrence Garvin, M.S., MCTS, MCP
>> >> Independent WSUS Evangelist
>> >> MVP-Software Distribution
>> >> (2005-2007)
>> >> https://mvp.support.microsoft.com/profile=30E00990-8F1D-4774-BD62-D09...
>>
>> >> Everything you need for WSUS is at
>> >> http://technet2.microsoft.com/windowsserver/en/technologies/featured/...
>>
>> >> And, almost everything else is at
>> >> http://wsusinfo.onsitechsolutions.com....
>>
>> > But if you're declining the update, or that update isn't a critical
>> > security (e.g. .Net 3.0) then it's better to classify that computer
>> > into another rating.
>>
>> > Tila
>>
>> A declined update will not show up as needed. Updates are either needed
>> or not. Any update that you *know* will not be installed should be
>> declined. Everything else will be updates approved for installation, or
>> in testing.
>
> It will show as needed, if you approve for just one group. E.g. you
> approve IE7 for the group "IE7 computers" - all the others will show
> as needed, because you cannot decline for just some groups.
>
> Tila
>
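
The report logic discussed in this thread (options [c] and [d], and the per-group approval point in the last reply), as an added example that is not from any poster and does not call the WSUS API. The data structures, the group names "Servers" and "Workstations", and the security update are constructed assumptions.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Update:
    title: str
    security: bool = False

# Constructed sample data (not WSUS API objects).
IE7 = Update("Internet Explorer 7.0 for Windows Server 2003")
NET3 = Update(".NET Framework v3.0")
SP2 = Update("Windows Server 2003 Service Pack 2")
SEC = Update("Constructed security update", security=True)

# Approvals are per group, so an update can be approved for one group only.
APPROVED = {IE7: {"IE7 computers"}}
# Option [d]: documented "will stay Needed" updates per group (hypothetical groups).
EXPECTED = {"Servers": {IE7, NET3, SP2}}

def classify(group, needed):
    """Split a computer's Needed updates into pending / expected / unreviewed."""
    pending, expected, unreviewed = [], [], []
    for u in needed:
        if group in APPROVED.get(u, set()):
            pending.append(u)      # approved for this group but not installed
        elif u in EXPECTED.get(group, set()):
            expected.append(u)     # documented exception, discount it
        else:
            unreviewed.append(u)   # Needed/Not Approved with no decision on record
    return pending, expected, unreviewed

def status(group, needed):
    """Compliance verdict for one computer, given its group and Needed list."""
    pending, _, unreviewed = classify(group, needed)
    if pending:
        return "NON-COMPLIANT"
    if any(u.security for u in unreviewed):
        return "REVIEW-SECURITY"   # the forgotten-approval case stays visible
    return "REVIEW" if unreviewed else "COMPLIANT"

if __name__ == "__main__":
    for name, group, needed in [
        ("server-x", "Servers", [IE7, NET3, SP2]),
        ("server-y", "Servers", [IE7, NET3, SP2, SEC]),
        ("pc-1", "IE7 computers", [IE7]),
        ("pc-2", "Workstations", [IE7]),
    ]:
        print(name, status(group, needed))
```

A computer whose only Needed updates are the documented three reports as compliant, while an unapproved security update or an update approved only for another group is surfaced for review instead of being hidden.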