Mike,
My understanding is that you need the stub installed both to check as
well as update against WSUS. Please note that we will be eliminating the
additional stub requirement for non-admins in an upcoming NAC release.
-Prem
-----Original Message-----
From: Cisco Clean Access Users and Administrators
[mailto:[log in to unmask]] On Behalf Of Mike Diggins
Sent: Monday, April 06, 2009 12:22 PM
To: [log in to unmask]
Subject: Re: Windows Update Services Requirement
I'm not. I thought that was just to allow the Agent to update? Does it
allow non-administrator accounts to login using the WUA method as well?
-Mike
On Mon, 6 Apr 2009, Prem Ananthakrishnan (prananth) wrote:
> Hi Mike,
>
> Are you using the agent stub? You will need the agent stub for the WSUS
> to work
>
> -Prem
>
> -----Original Message-----
> From: Cisco Clean Access Users and Administrators
> [mailto:[log in to unmask]] On Behalf Of Mike Diggins
> Sent: Monday, April 06, 2009 9:32 AM
> To: [log in to unmask]
> Subject: Re: Windows Update Services Requirement
>
> I discovered the source of at least some of the failed logins. You can't
> run WUA if you're not an Administrator of that machine, and we have
> several (that I know about), that do just that.
>
> Considering that Best Practise is not to run as an Administrator, is there
> any work around to this, short of exempting it from the checks?
>
> -Mike
>
>
> On Sun, 5 Apr 2009, Atif Azim (atif) wrote:
>
>> Mike D,
>>
>> Mike S is correct in that this typically happens when the update service
>> on that machine is broken, however to ascertain this you should take a
>> look at the agent logs.
>>
>> When you do have access to the clients, can you look at the agent logs
>> and see if there is any information there. In order to set the loglevel
>> to debug, please refer to the following link:
>>
>> http://www.cisco.com/en/US/docs/security/nac/appliance/release_notes/45/45rn.html#wp607061
>>
>> Please send the agent log to myself and I can have one of our technical
>> folks take a look and get back to you. Alternatively you can also
>> forward the logs to TAC and they will follow up with you.
>>
>> Regards,
>> Atif
>>
>> -----Original Message-----
>> From: Cisco Clean Access Users and Administrators
>> [mailto:[log in to unmask]] On Behalf Of Stanclift, Michael
>> Sent: Saturday, April 04, 2009 11:22 PM
>> To: [log in to unmask]
>> Subject: Re: Windows Update Services Requirement
>>
>> We run our checks like this as well, when students get those errors it
>> usually is because the update service on their machine is either broken
>> or somehow disabled.
>>
>> Michael Stanclift
>> Network Analyst
>> Rockhurst University
>>
>> http://help.rockhurst.edu
>> (816) 501-4231
>> ________________________________________
>> From: Cisco Clean Access Users and Administrators
>> [[log in to unmask]] On Behalf Of Mike Diggins
>> [[log in to unmask]]
>> Sent: Saturday, April 04, 2009 1:27 PM
>> To: [log in to unmask]
>> Subject: Windows Update Services Requirement
>>
>> I'm testing the Windows Update Service in place of the Cisco checks for
>> Windows patches. I created a new requirement for this (using the
>> Microsoft update servers, and the Updates to be installed set to
>> Critical).
>>
>> Enforce Type: Mandatory
>> Priority: 3
>> Remediation Type: Manual, Interval 0, Retry Count 0
>> Windows Updates Validation by Severity
>> Windows Updates to be Installed: Critical
>> (Not checked) Upgrade to Latest OS Service Pack
>> Windows Update Installation Sources: Microsoft Servers
>> Installation Wizard Interface: Show UI
>> Requirement Name: Windows Update Services
>> Description: Critical Windows Updates are missing from your
>> computer. Click on the Update button to launch Windows Update.
>>
>> Operating System: Windows XP (ALL), Windows Vista (All)
>>
>> Most users appear to be passing the check successfully. However, several
>> are not, and when I look at their report, it shows the following:
>>
>> 3. Windows Update Services (Mandatory)
>> * Passed Checks:
>> * Failed Checks:
>> * Not executed Checks:
>> * Description:
>>
>> Nothing under the failed checks, yet they're failing the check!? Some
>> other failed reports do show the missing patches. I don't have access to
>> the clients today, so I'm wondering what this failure status means?
>>
>> -Mike
>>
>
>
> _________________________________________
>
> Mike Diggins Voice: 905.525.9140 Ext. 27471
> Network Analyst, Enterprise Networks FAX: 905.522.0511
> University Technology Services E-Mail: [log in to unmask]
> McMaster University, Hamilton, Ontario
>
_________________________________________
Mike Diggins Voice: 905.525.9140 Ext. 27471
Network Analyst, Enterprise Networks FAX: 905.522.0511
University Technology Services E-Mail: [log in to unmask]
McMaster University, Hamilton, Ontario