Mike,

Microsoft's official way to check if a machine is patched is the
Microsoft Baseline Security Analyzer at
http://www.microsoft.com/technet/security/tools/mbsahome.mspx, not the
Windows Update site

I have been trying to get our techs to use this before CCA gets the
blame.

Bruce Osborne
Liberty University

-----Original Message-----
From: Cisco Clean Access Users and Administrators
[mailto:[log in to unmask]] On Behalf Of Mike Diggins
Sent: Friday, June 22, 2007 1:44 PM
To: [log in to unmask]
Subject: [CLEANACCESS] Windows Updates - Again

Without doubt, the single biggest problem we face with Clean Access is
it 
disagreeing with Microsoft Update, as to the patch level of a Windows 
computer. MS Update says it's all patched, Clean Access says otherwise. 
It's a real burden on our support staff (and me - because they complain
to 
me).

One of our Technical Staff suggested part of the problem might be
'rollup' 
updates from Microsoft, where a number of patches are packaged into one 
update. He suggested that the registry might not be updated in the same 
way applying an individual patch does. My question is - do the Clean 
Access rule sets supplied by Cisco take this into consideration? I've 
never been able to explain why re-installing the SUPPOSEDLY missing
patch, 
updates the missing registry entries and fixes the issue.

-Mike