WSUS multiple server concerns

    Question

  • We have access to a WSUS server to run patch mgmt compliance reports (risk department). However, something I noticed is that the server reported in MBSA (Baseline Security Analyzer) scan reports is not the same as the server we access to run reports, which worries me as to whether we are viewing reports on an old WSUS server or something. I want to avoid questioning whether our 3rd party IT have set this up properly. Why would that be? If you have more than 1 WSUS server in your domain, do they report the same thing, or not really? How can I check if the server we access is the correct one to see what machines are out of date?

    Monday, March 26, 2012 10:50 AM

All replies

  • Hi,

    We use MBSA to detect common security misconfigurations and missing security updates on your individual computer systems. And WSUS is the server-side tool to deploy the updates for all the MS products. So the MBSA (Baseline Security Analyzer) scan reports are of course not the same as the server we access to run reports. They provide different functionalities.

    We usually use MBSA to detect the security issues and health status for the individual machine. If you found that some updates were not patched in the MBSA reports, this is probably because you were not approving the corresponding update on every Patch Tuesday, and you missed patching them. It is the WSUS admin's duty to approve the update.

    As for WSUS, it needs to sync with MU to get the metadata, and get the approval of all the coming updates in order to deploy them, and also collect the info of clients to see whether they are needed according to the metadata synced from MU.


    Best regards,

    Clarence


    Please remember to click “Mark as Answer” on the post that helps you, and to click “Unmark as Answer” if a marked post does not actually answer your question. This can be beneficial to other community members reading the thread.

    Tuesday, March 27, 2012 6:21 AM
    Moderator
  • What I was getting at was, if you open an MBSA scan report, at the top of the report, below "security report name", it lists "WSUS server". The WSUS server I am logging into to run reports is not the same as the WSUS server quoted in the MBSA report.
    • Edited by cf090 Tuesday, March 27, 2012 8:15 AM
    Tuesday, March 27, 2012 8:15 AM
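  The "WSUS server" in an MBSA report header is the server the scanned client itself is configured to use (its Windows Update policy), so the quickest way to settle the original question and the follow-up is to read that policy from the clients and compare it with the console you run compliance reports from. The script below is an added example, not from this thread or from Microsoft; the server URL and computer names are constructed placeholders, and remote queries assume WinRM is enabled.

```powershell
# Added example: find which WSUS server each client actually reports to and
# compare it with the server whose console is used for compliance reports.
# Clients pointing at another server (or at none) never appear in that console,
# which is what makes its "out of date" reports incomplete.

$ExpectedWsus = 'http://wsus01.corp.example:8530'      # placeholder: the server you log into
$Computers    = 'WKS-001', 'WKS-002', 'SRV-FILE01'     # constructed sample list

# Runs on each client: read the Windows Update policy keys that WSUS assignment uses.
$ReadWsusPolicy = {
    $wu = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
    $p  = Get-ItemProperty -Path $wu -ErrorAction SilentlyContinue
    $a  = Get-ItemProperty -Path (Join-Path $wu 'AU') -ErrorAction SilentlyContinue
    [pscustomobject]@{
        Computer       = $env:COMPUTERNAME
        WUServer       = $p.WUServer          # where approvals/metadata are fetched from
        WUStatusServer = $p.WUStatusServer    # where scan results are reported to
        UseWUServer    = $a.UseWUServer       # 1 = intranet WSUS is in use at all
    }
}

function Normalize-Url([string]$u) { return "$u".Trim().TrimEnd('/').ToLowerInvariant() }

function Test-WsusTarget {
    param([string]$Expected, [string[]]$Names)
    $want = Normalize-Url $Expected
    foreach ($name in $Names) {
        try {
            $r = Invoke-Command -ComputerName $name -ScriptBlock $ReadWsusPolicy -ErrorAction Stop
        } catch {
            [pscustomobject]@{ Computer=$name; Status='UNREACHABLE'; WUServer=$null; WUStatusServer=$null }
            continue
        }
        $status =
            if (-not $r.WUServer -or $r.UseWUServer -ne 1) { 'NOT USING WSUS' }
            elseif ((Normalize-Url $r.WUServer) -eq $want -and
                    (Normalize-Url $r.WUStatusServer) -eq $want) { 'OK' }
            else { 'OTHER SERVER: absent from console reports' }
        [pscustomobject]@{ Computer=$name; Status=$status
                           WUServer=$r.WUServer; WUStatusServer=$r.WUStatusServer }
    }
}

Test-WsusTarget -Expected $ExpectedWsus -Names $Computers | Format-Table -AutoSize
```

  A client flagged as OTHER SERVER explains exactly the symptom in the thread: MBSA prints that other server in its header, and the console you log into has no record of the machine.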