Update missing on a compliant client

  • Question

  • I am testing DHCP NAP with WSUS. I have approved a patch that is required by the client. The SHV setting is to restrict access for clients that do not have all security updates installed. Automatic Updates is set to "Automatic". In the windowsupdate.log I can see that the patch has been discovered and downloaded and is ready for installation. When I release and renew the IP address I am hoping for the client to be quarantined and to install the missing update immediately, which is not happening. The client is still in the compliant state. Am I missing something?

    Thanks!
    Mayur
    Tuesday, August 18, 2009 11:55 PM

All replies

  • Windows Registry Editor Version 5.00
    
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\WMI\Autologger\WSHA Logger]
    "FileName"="%SystemRoot%\\System32\\LogFiles\\WindowsSHALog.etl"
    "Start"=dword:00000001
    "GUID"="{BEA92B5A-8806-4b6c-804E-1566C4A0ABE6}"
    "Status"=dword:00000000
    "LogFileMode"=dword:00000004
    
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\WMI\Autologger\WSHA Logger\{789e8f15-0cbf-4402-b0ed-0e22f90fdc8d}]
    "Enabled"=dword:00000001
    "Status"=dword:00000000
    "EnableFlags"=dword:000000ff

    Thanks for reporting the issue. Please try the following:

    Copy the above data into a text file and save it as trace.reg.
    Run trace.reg from an elevated command prompt.
    Reboot the machine.

    Repro the scenario and send me the "WindowsSHALog.etl" log file located at

    %SystemRoot%\System32\LogFiles\WindowsSHALog.etl


    Also send us the NAP status UI screenshot and
    the build information (HKLM\Software\Microsoft\Windows NT\CurrentVersion\BuildLab).


    Here is my email alias: prasnal@microsoft.com. Please let me know if you have any questions.

    Thanks,
    Prasanth. 


    Wednesday, August 19, 2009 1:49 AM
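The same autologger registration as a PowerShell script, with the elevation check and a post-reboot verification step for the case where the ETL never appears. This is an added example, not code from the thread or from Microsoft; it assumes the Autologger key, session GUID, provider GUID and ETL path exactly as given in the .reg file above, and that logman.exe is present on the client.

```powershell
# Added example: register the WSHA autologger from the .reg values above, then verify it after reboot.
# Assumes the key names, GUIDs and ETL path exactly as posted. Run from an elevated PowerShell prompt.

$sessionKey  = 'HKLM:\SYSTEM\CurrentControlSet\Control\WMI\Autologger\WSHA Logger'
$providerKey = Join-Path $sessionKey '{789e8f15-0cbf-4402-b0ed-0e22f90fdc8d}'
$etlPath     = Join-Path $env:SystemRoot 'System32\LogFiles\WindowsSHALog.etl'

function Test-IsElevated {
    $id = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object Security.Principal.WindowsPrincipal $id
    return $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
}

function Enable-WshaAutologger {
    if (-not (Test-IsElevated)) { throw 'Run this from an elevated PowerShell prompt; HKLM writes need it.' }

    # Session settings, same values as the .reg file (FileName stays REG_SZ as posted).
    New-Item -Path $sessionKey -Force | Out-Null
    New-ItemProperty -Path $sessionKey -Name FileName    -PropertyType String -Force `
        -Value '%SystemRoot%\System32\LogFiles\WindowsSHALog.etl' | Out-Null
    New-ItemProperty -Path $sessionKey -Name Start       -PropertyType DWord -Value 1 -Force | Out-Null
    New-ItemProperty -Path $sessionKey -Name GUID        -PropertyType String -Force `
        -Value '{BEA92B5A-8806-4b6c-804E-1566C4A0ABE6}' | Out-Null
    New-ItemProperty -Path $sessionKey -Name Status      -PropertyType DWord -Value 0 -Force | Out-Null
    New-ItemProperty -Path $sessionKey -Name LogFileMode -PropertyType DWord -Value 4 -Force | Out-Null

    # Provider settings: enable the WSHA provider with all keyword flags (0xff), as in the .reg file.
    New-Item -Path $providerKey -Force | Out-Null
    New-ItemProperty -Path $providerKey -Name Enabled     -PropertyType DWord -Value 1    -Force | Out-Null
    New-ItemProperty -Path $providerKey -Name Status      -PropertyType DWord -Value 0    -Force | Out-Null
    New-ItemProperty -Path $providerKey -Name EnableFlags -PropertyType DWord -Value 0xff -Force | Out-Null

    Write-Host 'Autologger registered. Reboot, reproduce the scenario, then run Test-WshaAutologger.'
}

function Test-WshaAutologger {
    # An autologger session is only started at boot, so after the reboot it should be listed
    # by logman and the ETL file should exist. If not, dump the key so the values can be compared.
    $session = & logman.exe query 'WSHA Logger' -ets 2>&1
    if ($LASTEXITCODE -ne 0) {
        Write-Warning "Trace session 'WSHA Logger' is not running. logman output:`n$session"
    } else {
        Write-Host $session
    }

    if (Test-Path $etlPath) {
        Get-Item $etlPath | Select-Object FullName, Length, LastWriteTime
    } else {
        Write-Warning "$etlPath does not exist; current session key values follow."
        Get-ItemProperty -Path $sessionKey
        Get-ItemProperty -Path $providerKey
    }
}
```

Run `Enable-WshaAutologger`, reboot, reproduce the scenario and then run `Test-WshaAutologger`. Writing the keys with PowerShell sidesteps the most common failure with a hand-saved .reg file, which is a missing or mangled "Windows Registry Editor Version 5.00" header line; regedit silently refuses such a file when run from a script.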
  • Please ignore the post I sent before. I was missing the first line in the script. I ran it and just rebooted the client. I will send you the log in a few minutes.
    Mayur
    Wednesday, August 19, 2009 1:12 PM
  • I checked to make sure that the registry has been modified with the changes in the script and rebooted the client twice. There is no WindowsSHALog.etl file.

    Similarly, I am seeing the same behavior on the client. Interesting thing is, after reboot the SHA detects the missing patch, restricts the access and installs the patch immediately.  Strange.
    Mayur
    Wednesday, August 19, 2009 1:44 PM
  • Hopefully this will answer your question:

    There are two different kinds of patch scans that WSHA does. These are the Online scan (checked directly against WSUS) or the Offline scan (checked against the downloaded update catalog). Online scans are usually performed whenever WSHA re-initializes, which happens whenever the machine restarts. Offline scans are performed hourly against the downloaded update catalog. The catalog is updated by the WUA (Windows Update Agent) every now and then. If the current catalog on the client machine does not contain the "new update" that WUA has downloaded, WSHA will not detect it and hence will happily report a healthy state. Rebooting the machine is most likely forcing WUA to update the catalog, and immediately thereafter WSHA detects the update, restricts the machine and installs the patch immediately.

    Wednesday, August 19, 2009 5:45 PM
  • Will wuauclt /detectnow download the latest copy of the catalog? I have tried issuing a wuauclt /detectnow command, which works; the client detects that there is an update available, which it downloads too.
    Mayur
    Wednesday, August 19, 2009 5:57 PM
  • Hi,

    Here is a link that helps to explain how the WSHA works with windows updates. I think ds_II's answer is correct as to why ipconfig /release and /renew doesn't work the same as rebooting the client.

    http://blogs.technet.com/nap/archive/2008/04/24/nap-faq-enforcing-security-updates-out-of-the-box-2.aspx

    -Greg
    • Marked as answer by Mayurkirti Wednesday, August 19, 2009 9:47 PM
    Wednesday, August 19, 2009 9:02 PM
  • Greg, I found the answer in the post that you mentioned. I can have WUA check for the new updates by sending a /detectnow command. A new catalog will be downloaded and WUA will know that the client is missing an update. BUT, it's SHA that polls WUA for this information every hour. So you have to wait for SHA to find out that a patch is missing before it can take any action.

    This makes me wonder: how am I going to demo it if I have to wait an hour for it to find out about a missing update? Is there a registry value that controls this interval? Is it "HKLM\Software\Microsoft\MSSHA\"? If it is, why can't I find this entry on my client?

    Thanks guys. Your help is very much appreciated and lets me keep going.

    Mayur
    Wednesday, August 19, 2009 9:55 PM
  • Hi,

    Try issuing the following at an elevated command prompt:

    net stop napagent && net start napagent

    I haven't tested this, but restarting the napagent service should force all SHAs to baseline state.

    -Greg
    Wednesday, August 19, 2009 10:07 PM
  • Is that to fix the registry issue? I am on XP. I can drill down to HKLM\Software\Microsoft\, but I don't see a MSSHA key. I tried restarting the napagent with no effect.

    Mayur
    Wednesday, August 19, 2009 10:11 PM
  • Hi,

    Hmm restarting NAP agent doesn't affect the WU registry values that are stored, so it probably won't help you. You might try using a script such as the one at http://msmvps.com/blogs/athif/pages/66375.aspx

    Sorry, I'm outside my area of expertise here. Perhaps someone else can provide better advice on how to demo this without waiting an hour.

    -Greg

    Wednesday, August 19, 2009 10:26 PM
  • I think everything has been addressed, but I wanted to give the answer from the WSHA team:
    The WSHA does an offline scan soon after the NAP agent is started and then on a defined interval (the default in XP SP3 is one hour). Generating a new SoH will not generate a new offline scan. Restarting the NAP agent should.

    The scanning interval can be changed. You have to manually create the regkey HKLM\Software\Microsoft\MSSHA\ and then define the value ScanInterval and set it to the desired scan time in minutes. There is a min and max value - I don't have those off hand, but I think it can be set as low as 2 or 3.
    You can also create the ScanStartsAfterInterval value. This is the time after the WSHA starts before the first offline scan. Its default is 5 minutes but it can be set between 2 and 10.
    I think both values are DWORDs.

    Mike
    Thursday, August 20, 2009 12:17 AM
  • Is there documentation on how to edit those registry values? I google searched it but nothing came up.

    Since the SHA scan interval is set to 1 hour right now, is that the reason why it does not immediately detect that the AV software is disabled too? When I tested this a few weeks ago, SHA quarantined the client as soon as I turned off the AV software (the timing might have been just a coincidence), which does not happen any more.
    Mayur
    Thursday, August 20, 2009 1:22 PM
  • AV software disable should be detected immediately. Please make sure that Windows Security Center has the disabled state noted. WSHA gets the AV state off of Windows Security Center, so whatever is reflected there will be reflected by WSHA.
    Friday, August 21, 2009 12:35 AM
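Since WSHA mirrors whatever Windows Security Center reports, the quickest way to tell whether "disabled" was actually registered is to ask Security Center directly. This is an added example, not code from the thread or from Microsoft. It queries the classic root\SecurityCenter namespace (XP SP3 and Vista, boolean properties) and root\SecurityCenter2 (Windows 7 and later, packed productState); the productState bit masks used for decoding are the commonly cited ones and are an assumption, not something the thread documents.

```powershell
# Added example: show what Windows Security Center currently reports for AV and firewall products,
# which is the state WSHA will reflect. Both namespaces are tried; whichever answers is used.

function Get-SecurityCenterStatus {
    $rows = @()
    foreach ($ns in 'root\SecurityCenter', 'root\SecurityCenter2') {
        foreach ($class in 'AntiVirusProduct', 'FirewallProduct') {
            $products = Get-WmiObject -Namespace $ns -Class $class -ErrorAction SilentlyContinue
            foreach ($p in $products) {
                if ($ns -eq 'root\SecurityCenter') {
                    # XP/Vista expose plain booleans; the AV class uses onAccessScanningEnabled,
                    # the firewall class uses enabled.
                    $enabled  = if ($class -eq 'AntiVirusProduct') { [bool]$p.onAccessScanningEnabled } else { [bool]$p.enabled }
                    $upToDate = if ($class -eq 'AntiVirusProduct') { [bool]$p.productUptoDate } else { $null }
                } else {
                    # Windows 7+: packed productState. Assumed decoding (commonly used, not from the thread):
                    # bit 0x1000 set = product enabled, bit 0x10 set = signatures out of date.
                    $state    = [int]$p.productState
                    $enabled  = ($state -band 0x1000) -ne 0
                    $upToDate = ($state -band 0x10) -eq 0
                }
                $rows += New-Object PSObject -Property @{
                    Namespace = $ns
                    Class     = $class
                    Product   = $p.displayName
                    Enabled   = $enabled
                    UpToDate  = $upToDate
                }
            }
        }
    }
    return $rows | Select-Object Namespace, Class, Product, Enabled, UpToDate
}

Get-SecurityCenterStatus | Format-Table -AutoSize
```

Run it before and after disabling the AV client from its tray icon: if the AntiVirusProduct row still shows Enabled = True, Security Center never saw the change and WSHA has nothing to react to.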
  • I figured it out. Symantec Endpoint Protection client, when disabled from system tray icon, only disables the firewall. Since I am not monitoring firewall with SHA, this change in state is not seen as a non-compliance. However, when I stop Symantec Endpoint Service from Services, SHA immediately quarantines the client.

    I am surprised that there is not much discussion going on regarding this on Internet; especially with NAP being out for so long now. 

    I am still trying to find out documentation on how to manipulate SHA offline scan interval time in registry for demo purposes.
    Mayur
    Friday, August 21, 2009 1:12 PM
  • Hi Mayur,

    Mike Burk provided information about scan intervals above.

    If you look in HKLM\Software\Microsoft\Windows\CurrentVersion\MSSHA there should be several keys. Documentation of their functions seems scant right now unfortunately. All keys are REG_DWORD except the one REG_BINARY that is mentioned below. The keys that Mike described are:

    ScanStartsAfterInterval (time to wait after WSHA starts before the first offline scan is initiated)
    ScanInterval (how often to repeat scans)

    The other keys that I see are:

    LastSuccessTime (REG_BINARY)
    PollingDuration
    RemediationCheck
    RemediationTimeout
    WuStopTimeOut

    If I find out what these keys do I'll post that information also.

    -Greg
    Friday, August 21, 2009 9:52 PM
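To turn the scan-interval discussion above into a repeatable demo, the following script shortens ScanInterval and ScanStartsAfterInterval, restarts the NAP agent so the first offline scan is rescheduled, and then shows the client state. This is an added example, not code from the thread or from Microsoft. Its assumptions: the key path (the thread names both HKLM\Software\Microsoft\MSSHA and HKLM\Software\Microsoft\Windows\CurrentVersion\MSSHA, so the script uses whichever already exists and otherwise creates the first), that both values are REG_DWORD minutes as Mike described, and the limits ScanStartsAfterInterval 2..10 and ScanInterval at least 2; the upper bound of 60 on ScanInterval is just the default of one hour, since the thread does not give the real maximum.

```powershell
# Added example: shorten the WSHA offline-scan interval for a demo and restart the NAP agent.
# Assumptions: key path (both candidates from the thread are tried), REG_DWORD minutes,
# ScanStartsAfterInterval 2..10, ScanInterval >= 2 (the 60 upper bound is the default, not a documented max).

$candidateKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\MSSHA',   # seen by Greg on his client
    'HKLM:\SOFTWARE\Microsoft\MSSHA'                            # named by the WSHA team reply
)

function Get-WshaKey {
    foreach ($k in $candidateKeys) { if (Test-Path $k) { return $k } }
    # Neither exists (the XP client in the thread had no MSSHA key at all): create the one Mike named.
    New-Item -Path $candidateKeys[1] -Force | Out-Null
    return $candidateKeys[1]
}

function Set-WshaScanInterval {
    param(
        [Parameter(Mandatory = $true)][ValidateRange(2, 60)][int]$ScanIntervalMinutes,
        [ValidateRange(2, 10)][int]$ScanStartsAfterMinutes = 5,
        [switch]$RestartAgent
    )
    $key = Get-WshaKey
    Write-Host "Using key $key"
    Write-Host 'Before:'
    Get-ItemProperty -Path $key -ErrorAction SilentlyContinue |
        Select-Object ScanInterval, ScanStartsAfterInterval | Format-List

    New-ItemProperty -Path $key -Name ScanInterval -PropertyType DWord `
        -Value $ScanIntervalMinutes -Force | Out-Null
    New-ItemProperty -Path $key -Name ScanStartsAfterInterval -PropertyType DWord `
        -Value $ScanStartsAfterMinutes -Force | Out-Null

    if ($RestartAgent) {
        # Per the WSHA team reply: a new SoH does not trigger an offline scan, restarting the
        # NAP agent does, and the first scan then runs ScanStartsAfterInterval minutes later.
        Restart-Service -Name napagent -Force
    }

    Write-Host 'After:'
    Get-ItemProperty -Path $key | Select-Object ScanInterval, ScanStartsAfterInterval | Format-List
}

function Show-WshaDemoState {
    # Refresh the WUA catalog so the newly approved update is known to WUA (WSHA polls WUA),
    # then show the NAP client's current enforcement and SoH state.
    & wuauclt.exe /detectnow
    & netsh.exe nap client show state
}

# Demo sequence: approve the update in WSUS first, then on the client (elevated):
#   Set-WshaScanInterval -ScanIntervalMinutes 3 -ScanStartsAfterMinutes 2 -RestartAgent
#   Show-WshaDemoState          # repeat after a few minutes to watch the state change
```

The restart matters because, as the thread establishes, neither a DHCP renew nor a fresh SoH makes WSHA rescan; only the agent start and the timer do. Restore the defaults (or delete the two values) after the demo so the client does not keep scanning every few minutes.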