MBSA 2.2 Cannot Contact Windows Update Agent

    Question

  • Hello, I was wondering if anyone out there has experienced the same issues with MBSA 2.2 and remote scanning of 64-bit OSes, namely Windows 7 and Windows 2008 machines. Here are the details of my issue: I run a remote scan using the latest and greatest MBSA version 2.2 against a remote Windows 7 or Windows 2008 64-bit machine on our domain. After the scan runs, I receive the following result:

    "Cannot contact Windows Update Agent on target computer, possibly due to firewall settings."

    I do NOT receive these results when remotely scanning a Windows XP or Windows 2003 machine. Also, I did find that the "Remote Registry" service needs to be set to automatic and started. I wrote a GPO to start the service and set it to automatic, tested the GPO, and found that the GPO itself is working fine. Now, with the "Remote Registry" service set properly, I still receive the result:

    "Cannot contact Windows Update Agent on target computer, possibly due to firewall settings."

    To troubleshoot, I manually installed the x64 WSUS client on a problem machine, checked registry settings for "Remote Registry" and WSUS, and made sure that file and print sharing is on, network discovery is on, and that the firewall settings are properly configured. We do NOT implement Windows Firewall. Instead, we are currently using Symantec Endpoint Protection for our antivirus and firewall needs.

    I don't believe that the Symantec firewall is the issue, as our 32-bit Windows XP and 2003 machines also have SEP clients installed on them and have no issues being scanned remotely. All of our machines employ the same Symantec firewall policy. As a "grasping at straws" attempt to resolve this issue, I did disable a client on a problem PC and ran a remote scan. Still, I received the same result. At this point, I am on the verge of giving up. I would have some time ago; however, we do need to remediate this issue, as we are audited regularly.

    There is very little out there when it comes to information regarding MBSA 2.2 remote scanning of 64-bit Windows 7 or Windows 2008 machines. Someone out there has surely come across this same problem. If this is a known issue, then that is fine; I just need a Microsoft blessing saying something to that effect. Thank you in advance to anyone who may have some information for me!


    Thursday, May 26, 2011 6:05 PM

Answers

  • Please be sure to check the MBSA FAQ. Check under the section titled "How can I scan a computer that is protected by a firewall?"

    As a domain administrator, you may also want to consider the following steps:

    1. Configure the ACL on HKEY_LOCAL_MACHINE\Software\Classes\AppID\{B366DEBE-645B-43A5-B865-DDD82C345492} via Computer Configuration -> Policies -> Windows Settings -> Security Settings -> Registry. You need to specifically add “NT Service\TrustedInstaller” with Full Control to the ACL via the policy, as it’s not there by default and without doing so it’s removed. You also need to add “NT Authority\SYSTEM” with Full Control so that the following Startup Script can apply the new registry key.

    2. Configure a Startup script, as suggested in the FAQ, that contains

    reg add HKLM\Software\Classes\AppID\{B366DEBE-645B-43A5-B865-DDD82C345492} /v Endpoints /t REG_MULTI_SZ /d ncacn_ip_tcp,0,n /f

    (where n is the port number you have decided to use).

    3. Configure a firewall port exclusion for the port specified in step 2.

    If you are not the domain administrator but you are the local machine administrator on the scanned machine, you should do the steps below on the registry key HKEY_LOCAL_MACHINE\Software\Classes\AppID\{B366DEBE-645B-43A5-B865-DDD82C345492}:

    1. Replace the owner, TrustedInstaller, with the account you used

    2. Grant Full Control to your account

    3. Configure a firewall port exclusion for the port specified in step 2.


    Doug Neal - Microsoft Update and MBSA
    Thursday, June 09, 2011 11:45 PM

All replies

  • Doug,

    I want to thank you. I've been working on this one for days. You saved my potatoes! I was trying to change the ACLs within a startup script and it wasn't working. Using the GPO worked great!

     

    Thanks again!

     

    Steve

    Thursday, September 22, 2011 6:15 PM
  • Hi Doug,

    After having read your suggestion over and over again, I'm still having a bad time with this.

    Corporate policy mandates that all new servers (2008 R2) remain with the firewall turned on, with exceptions made for older OSes (2003 & 2008 32/64-bit).

    I have created a rule in Advanced Firewall so the MBSA scanning server has unlimited access to the destination servers.

    I'm still getting the "Cannot contact Windows Update Agent on target computer" message.

    Here's a screenshot of the firewall rules:

    Any suggestions?

    Thank you.


    Team is a group in which members work together to achieve a common goal.


    I have changed the local address to "Any IP", so any scanned server can be contacted and send a reply.
    • Edited by Ice4Fire Wednesday, March 21, 2012 4:25 PM
    Wednesday, March 21, 2012 4:15 PM
  • Microsoft strongly recommends the firewall remain enabled to protect your machines.

    MBSA has two scanning engines: The Vulnerability Assessment (VA) checks and the Windows Update Security Update checks.

    For VA checks, the services and ports indicated in the MBSA FAQ and the MBSA Help file installed with MBSA must be enabled; these include the Workstation, Server, File and Print, and Remote Registry services. These allow access to the registry and the C$ share necessary for VA scans to be performed.

    For security scans performed via the Windows Update Agent (WUA), a DCOM connection is needed through the firewall, as well as an authentication file sent to the target WUA client to authorize the WUA client to reply to MBSA requests. The easiest way to ensure your target machines have the most up-to-date WUA client and MUAUTH.CAB authentication file is to click the option to "Configure computers for Microsoft Update and scanning prerequisites." Alternatively, you can follow the steps in the MBSA FAQ under the heading "How can I scan a computer that is protected by a firewall?" (specifically Step 2) to establish a DCOM port opening for your more secure Windows Server 2008/2008 R2 servers.



    Step 2: Configure Unmanaged Computers

    DCOM allocates a dynamic port by default, but a firewall blocks access to these ports unless explicitly opened by using the following procedure:

    1. Open port 135 and a custom port in your firewall (some firewalls may allow port 135 by default). The port you select should be checked to ensure it is appropriate, or not associated with other applications.

    2. Configure Windows Update Agent to use this static custom port by setting a registry key as follows: HKEY_LOCAL_MACHINE\Software\Classes\AppID\{B366DEBE-645B-43A5-B865-DDD82C345492}\Endpoints (REG_MULTI_SZ) = “ncacn_ip_tcp,0,n” (where n is the port number you have decided to use). You may also configure the endpoint using the Component Services application in Control Panel. The Windows Update Agent - Remote Access endpoint is located under the path Component Services\Computers\My Computer\DCOM Config. Right-click and select Properties, then use the Endpoints tab on the Properties page to configure the static port.

    I hope that helps...

    Doug Neal - Microsoft Update and MBSA

    Wednesday, March 21, 2012 6:53 PM
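    The procedure described in Doug Neal's two answers above (take ownership of the WUA AppID key, write the Endpoints REG_MULTI_SZ value, open TCP 135 plus the chosen static port) as a PowerShell script run on the scanned machine itself. This is an added example, not code from the thread or from Microsoft; it follows the local-administrator path, whereas the domain path would set the key's ACL through the GPO registry security setting instead. The port 49500, the scanner address 10.0.0.5 and the firewall rule names are assumptions; it uses netsh because the Windows 7 / Server 2008 R2 hosts discussed here lack the NetSecurity cmdlets. The scope of the inbound rules is narrowed to the scanner's address rather than any source, and a final check reads the Endpoints value back, which reports "not configured" for a key like the reg query output posted later in this thread.

```powershell
# Added example (not from the thread): configure the static DCOM endpoint for the
# "Windows Update Agent - Remote Access" AppID on the scan target and verify it.
# Run from an elevated PowerShell prompt on the scanned machine.
param(
    [ValidateRange(1024, 65535)]
    [int]$Port = 49500,                  # assumed custom port "n"; pick one that is free
    [string]$ScannerAddress = '10.0.0.5' # assumed IP of the MBSA scanning host
)

# AppID GUID of "Windows Update Agent - Remote Access", as quoted in the thread.
$AppIdPath = 'Software\Classes\AppID\{B366DEBE-645B-43A5-B865-DDD82C345492}'

function Grant-WuaAppIdAccess {
    # Local-admin steps 1 and 2: take ownership from TrustedInstaller and grant
    # Administrators Full Control so the Endpoints value can be written.
    $admins = New-Object System.Security.Principal.SecurityIdentifier(
        [System.Security.Principal.WellKnownSidType]::BuiltinAdministratorsSid, $null)

    # Ownership can be taken with the TakeOwnership right alone; write only the owner section.
    $key = [Microsoft.Win32.Registry]::LocalMachine.OpenSubKey($AppIdPath,
        [Microsoft.Win32.RegistryKeyPermissionCheck]::ReadWriteSubTree,
        [System.Security.AccessControl.RegistryRights]::TakeOwnership)
    $ownerOnly = New-Object System.Security.AccessControl.RegistrySecurity
    $ownerOnly.SetOwner($admins)
    $key.SetAccessControl($ownerOnly)
    $key.Close()

    # As owner we may now edit the DACL; add Full Control for Administrators.
    $key = [Microsoft.Win32.Registry]::LocalMachine.OpenSubKey($AppIdPath,
        [Microsoft.Win32.RegistryKeyPermissionCheck]::ReadWriteSubTree,
        [System.Security.AccessControl.RegistryRights]'ChangePermissions,ReadPermissions')
    $acl  = $key.GetAccessControl()
    $rule = New-Object System.Security.AccessControl.RegistryAccessRule(
        $admins, 'FullControl', 'ContainerInherit', 'None', 'Allow')
    $acl.AddAccessRule($rule)
    $key.SetAccessControl($acl)
    $key.Close()
}

function Set-WuaStaticEndpoint {
    param([int]$TcpPort)
    # FAQ step 2: Endpoints (REG_MULTI_SZ) = "ncacn_ip_tcp,0,<port>"
    Set-ItemProperty -Path "HKLM:\$AppIdPath" -Name 'Endpoints' `
        -Type MultiString -Value @("ncacn_ip_tcp,0,$TcpPort")
}

function Add-WuaFirewallRules {
    param([int]$TcpPort, [string]$RemoteIp)
    # FAQ step 1 / answer step 3: inbound TCP 135 (RPC endpoint mapper) and the static
    # DCOM port. Scoped to the scanner's address only (the FAQ opens the ports generally).
    # Rule names deliberately contain no spaces to avoid netsh quoting problems.
    netsh advfirewall firewall add rule "name=MBSA-WUA-RPC-135" dir=in action=allow `
        protocol=TCP localport=135 "remoteip=$RemoteIp" | Out-Null
    netsh advfirewall firewall add rule "name=MBSA-WUA-DCOM-Static" dir=in action=allow `
        protocol=TCP "localport=$TcpPort" "remoteip=$RemoteIp" | Out-Null
}

function Test-WuaStaticEndpoint {
    # Audit check: $true when an ncacn_ip_tcp endpoint is present on the AppID key.
    # A key with no Endpoints value at all (as in the reg query output in this thread)
    # yields $false, i.e. WUA is still on a dynamic DCOM port.
    $item = Get-ItemProperty -Path "HKLM:\$AppIdPath" -Name 'Endpoints' -ErrorAction SilentlyContinue
    if (-not $item) { return $false }
    return [bool]($item.Endpoints | Where-Object { $_ -like 'ncacn_ip_tcp,0,*' })
}

Grant-WuaAppIdAccess
Set-WuaStaticEndpoint -TcpPort $Port
Add-WuaFirewallRules -TcpPort $Port -RemoteIp $ScannerAddress
if (Test-WuaStaticEndpoint) {
    "WUA static DCOM endpoint configured on TCP $Port"
} else {
    Write-Error 'Endpoints value was not written; check the key ACL'
}
```

    Test-WuaStaticEndpoint is also usable on its own from a remote session as a quick audit of which servers still lack the static port, which is the distinction the next reply in this thread is trying to draw from raw reg query output.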
  • Hi Doug,

    There is something I cannot understand.

    I've got several servers on W2K8R2 with Exchange 2010 installed on them.

    The firewall for the domain profile is ON for all servers.

    - For servers with the HUB & CAS roles, I can run MBSA remotely against these servers successfully:

    > reg query "HKLM\Software\Classes\AppID\{B366DEBE-645B-43A5-B865-DDD82C345492}"

    HKEY_LOCAL_MACHINE\Software\Classes\AppID\{B366DEBE-645B-43A5-B865-DDD82C345492}
        (Default)    REG_SZ    Windows Update Agent - Remote Access
        AccessPermission    REG_BINARY    010004803400000044000000000000001400000002002000010000000000180007000000010200000000000520000000200200000102000000000005200000002002000001020000000000052000000020020000
        LaunchPermission    REG_BINARY    01000480340000004400000000000000140000000200200001000000000018001F000000010200000000000520000000200200000102000000000005200000002002000001020000000000052000000020020000
        AuthenticationLevel    REG_DWORD    0x6
        DllSurrogate    REG_SZ    

    - For servers with the Mailbox role, I cannot run MBSA remotely against these servers successfully:

    > reg query "HKLM\Software\Classes\AppID\{B366DEBE-645B-43A5-B865-DDD82C345492}"

    HKEY_LOCAL_MACHINE\Software\Classes\AppID\{B366DEBE-645B-43A5-B865-DDD82C345492}
        (Default)    REG_SZ    Windows Update Agent - Remote Access
        AccessPermission    REG_BINARY    010004803400000044000000000000001400000002002000010000000000180007000000010200000000000520000000200200000102000000000005200000002002000001020000000000052000000020020000
        LaunchPermission    REG_BINARY    01000480340000004400000000000000140000000200200001000000000018001F000000010200000000000520000000200200000102000000000005200000002002000001020000000000052000000020020000
        AuthenticationLevel    REG_DWORD    0x6
        DllSurrogate    REG_SZ    

    According to the registry settings, I think no static port is set for WUA on any of the servers,

    but why does the remote MBSA scan run successfully on my CAS & HUB servers?

    Thanks a lot

    Thursday, December 06, 2012 7:47 PM
  • This is so complex as to be practically unusable. OK, if your whole job centers on Windows Updates it's worth mastering this fix, but for the rest of us the product is now broken unless locally installed (on the scan target). Microsoft needs to patch the product so that it works with either the standard remote management/file & print firewall policies or PowerShell remoting.
    Wednesday, December 09, 2015 9:19 AM