none
Windows Defender, MSRT and Root Certificate Inclusion in WSUS Updates

    Pregunta

  • Hello:

    I'm running WSUS [Version: 3.2.7600.226] to push Microsoft updates to my Windows clients, but for whatever reason, the clients aren't receiving monthly Windows Defender or Malicious Software Removal Tool updates and the occassional Root Certificate update from the WSUS server, so I'm trying to determine if my WSUS server isn't configured to include these items or if there is some other reason for this situation.

    I have selected the following classifications for download on the WSUS server:

    - Critical updates
    - Security upadates
    - Tools
    - Update roll-ups
    - Updates

    Is there any documentation referencing what packages are associated with the above classifications?

    I suspect, I haven't included the proper classification [e.g. definitions], but want to have an understanding of what else mayu be included in this classification to avoid any potential updating "issues".

    Any suggestions would be greatly appreciated.

    Thanks,

    Robert Lindholm
    University of Rochester
    miércoles, 10 de febrero de 2010 15:45

Respuestas

  • based on your comments above, the WSUS server/clients should be receiving the MSRT and Root Certificate updates, as I have subscribed to the Updates and Update Rollups packages.
    The WSUS server certainly should list several instances of the Malicious Software Removal Tool (all the way back to July 2009) and three instances of the "Update for Root Certificates" (May '09, Sept '09, Nov '09).

    The WSUS clients won't have a chance of seeing any of those updates until they're actually Approved for Installation at the WSUS server, and the applicable binary package content is successfully downloaded from Microsoft to the WSUS server.

    Do you know it the WSUS Deployment/Operations guides outline the process in determining if the WSUS server is receiving the MSRT and Root Certificate updates and assuming that it is, why the WSUS clients are not receiving them from the WSUS server or can make an alternative recommnedation?
    No, this sort of implementation-specific malfunction would not be documented. :-)

    The process for determining that they're being received is to set the appropriate filter options on the "All Updates" update view (Approval=Any Except Declined; Status=Any), Refresh, and Sort by Update Title. If they're not listed there, set the filter for Approval=Declined, and refresh again. If you see zero of those updates listed, then I'd be inclined to believe you have an incomplete initial synchronization event (or a corrupted database), and my suggestion would be to initiate a manual synchronization after confirming that the correct Product Categories have been selected.

    Lawrence Garvin, M.S., MCITP:EA, MCDBA, MCSA
    Principal/CTO, Onsite Technology Solutions, Houston, Texas
    Microsoft MVP - Software Distribution (2005-2010)
    My MVP Profile: http://mvp.support.microsoft.com/profile/Lawrence.Garvin
    My Blog: http://onsitechsolutions.spaces.live.com
    jueves, 11 de febrero de 2010 21:59
    Moderador

Todas las respuestas

  • - Windows Defender definition updates are not "monthly", they're published several times per week, and they're published in the Definition Updates classification, which it appears you do not have selected for synchronization.

    - The Root Certificates updates published via WSUS (and WU) only apply to Windows XP systems, and are only published in the Windows XP product category. They are published in the Updates classification.

    - The MSRT is published in the Update Rollups classification.

    Update Classifications are documented in the WSUS Operations Guide: Overview of Updates.

    Generally speaking, I recommend selecting ALL Update Classifications (except Drivers), and filtering your synchronization selections by PRODUCT.

    As for "avoid[ing] potential updating issues...", that should be handled at the Update APPROVAL step, not at the synchronization step. Merely synchronizing a product category or update classification will have zero impact on your environment except to add one more row to the WSUS database for each update definition.

    You might also exclude Service Packs if you have no intention of distributing service packs via WSUS; however, I will share that this was also my original thought process, and since making that initial decision, I have found occasion to deploy a service pack here and there for special cases, so I'd suggest leaving it selected, and not worry about the extra hundred-or-so rows it adds to the database.

    Lawrence Garvin, M.S., MCITP:EA, MCDBA, MCSA
    Principal/CTO, Onsite Technology Solutions, Houston, Texas
    Microsoft MVP - Software Distribution (2005-2010)
    My MVP Profile: http://mvp.support.microsoft.com/profile/Lawrence.Garvin
    My Blog: http://onsitechsolutions.spaces.live.com
    miércoles, 10 de febrero de 2010 16:09
    Moderador
  • Lawrence:

    Thank you for your detailed explanation and the update classification documentation reference; I'll subscribe to the definitions classification to start acquiring the Windows Defender definition updates; however, based on your comments above, the WSUS server/clients should be receiving the MSRT and Root Certificate updates, as I have subscribed to the Updates and Update Rollups packages.  Do you know it the WSUS Deployment/Operations guides outline the process in determining if the WSUS server is receiving the MSRT and Root Certificate updates and assuming that it is, why the WSUS clients are not receiving them from the WSUS server or can make an alternative recommnedation?

    Bob
    jueves, 11 de febrero de 2010 14:37
  • based on your comments above, the WSUS server/clients should be receiving the MSRT and Root Certificate updates, as I have subscribed to the Updates and Update Rollups packages.
    The WSUS server certainly should list several instances of the Malicious Software Removal Tool (all the way back to July 2009) and three instances of the "Update for Root Certificates" (May '09, Sept '09, Nov '09).

    The WSUS clients won't have a chance of seeing any of those updates until they're actually Approved for Installation at the WSUS server, and the applicable binary package content is successfully downloaded from Microsoft to the WSUS server.

    Do you know it the WSUS Deployment/Operations guides outline the process in determining if the WSUS server is receiving the MSRT and Root Certificate updates and assuming that it is, why the WSUS clients are not receiving them from the WSUS server or can make an alternative recommnedation?
    No, this sort of implementation-specific malfunction would not be documented. :-)

    The process for determining that they're being received is to set the appropriate filter options on the "All Updates" update view (Approval=Any Except Declined; Status=Any), Refresh, and Sort by Update Title. If they're not listed there, set the filter for Approval=Declined, and refresh again. If you see zero of those updates listed, then I'd be inclined to believe you have an incomplete initial synchronization event (or a corrupted database), and my suggestion would be to initiate a manual synchronization after confirming that the correct Product Categories have been selected.

    Lawrence Garvin, M.S., MCITP:EA, MCDBA, MCSA
    Principal/CTO, Onsite Technology Solutions, Houston, Texas
    Microsoft MVP - Software Distribution (2005-2010)
    My MVP Profile: http://mvp.support.microsoft.com/profile/Lawrence.Garvin
    My Blog: http://onsitechsolutions.spaces.live.com
    jueves, 11 de febrero de 2010 21:59
    Moderador
  • As this thread has been quiet for a while, we assume that the issue has been resolved. At this time, we will mark it as ‘Answered’ as the previous steps should be helpful for many similar scenarios.

    If the issue still persists and you want to return to this question, please reply this post directly so we will be notified to follow it up. You can also choose to unmark the answer as you wish.

    In addition, we’d love to hear your feedback about the solution. By sharing your experience you can help other community members facing similar problems.

    Thanks!
    lunes, 22 de febrero de 2010 2:29
    Moderador