We have started an internal audit process that scans our endpoint clients using the MBSA utility. The endpoints are all Bigfix clients with the latest critical and important patches as supplied by Bigfix installed. When the MBSA scan completes it lists a good majority of the clients as “Severe Security Risk”. Upon further investigation we see that the MBSA is reporting several missing patches, MS0x-xxx, that need to be applied to the client to bring them into compliance. Using Bigfix we open the fixlets for the particular MS0x-xxx patch and it indicates that it is not relevant for the client.
Can someone give me some advice on why the MBSA indicates a patch is needed and Bigfix indicates the same patch is not relevant? How do I know which one, the MBSA or Bigfix, is correct? How does Bigfix determine if the patch is needed vs. MBSA?
Mosbey, have you tried to install the patches that WSUS shows as being needed? If so, were they indeed relevant - the hotfixes ran, completed successfully and now show as installed locally (Add/Remove Programs) and by WSUS?
Sorry for the delay in my response. We do not use WSUS. We use Bigfix to patch Microsoft endpoints. We just started using the MBSA to audit to see if the client is not at risk due to uninstalled patches. The MBSA runs on the clients and indicates that the client is at Severe Risk. When you audit the client through Bigfix there are no patches that apply.
How does Bigfix use relevance to determine if the Microsoft patch is needed? Is that analysis different than Microsoft's?
You can view the logic that BigFix is using by clicking the fixlet message and scrolling down on the details tab. Typically you will find that it’s using file existence and version in addition to registry key existence, whereas WSUS tends to simply use the registry key that a patch sets when it completes. It’s like the difference between reading labels and looking into the boxes.
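As an added illustration of the difference this reply describes (example code, not from the thread, from BigFix or from MBSA), the two assessment styles are modelled over a constructed client inventory: a marker-only check versus a file-version check. The bulletin id, registry key, file path and version numbers are all placeholders.

```python
from dataclasses import dataclass
from typing import Dict, Set, Tuple

def parse_version(text: str) -> Tuple[int, ...]:
    """Turn a dotted Windows file version such as '6.0.6002.18005' into a comparable tuple."""
    return tuple(int(part) for part in text.split("."))

@dataclass
class PatchDefinition:            # hypothetical shape, not a real bulletin or fixlet
    bulletin: str                 # placeholder id like 'MS0x-xxx' in the thread
    registry_key: str             # marker the installer writes when it completes
    fixed_files: Dict[str, Tuple[int, ...]]   # path -> minimum version carrying the fix

@dataclass
class EndpointState:              # constructed snapshot of one client
    registry_keys: Set[str]
    file_versions: Dict[str, Tuple[int, ...]]

def needed_by_registry_marker(patch: PatchDefinition, host: EndpointState) -> bool:
    """Marker-only check (the WSUS/MBSA style in the reply): missing marker means 'needed'."""
    return patch.registry_key not in host.registry_keys

def relevant_by_file_inspection(patch: PatchDefinition, host: EndpointState) -> bool:
    """File-inspection check (the BigFix style in the reply): relevant only if a fixed file is
    absent or older than the fixed version. A newer file from a later update counts as fixed."""
    for path, minimum in patch.fixed_files.items():
        current = host.file_versions.get(path)
        if current is None or current < minimum:
            return True
    return False

PATCH = PatchDefinition(           # all values are placeholders
    bulletin="MS0x-xxx",
    registry_key=r"HKLM\SOFTWARE\Example\Updates\KB000000",
    fixed_files={r"C:\Windows\System32\example.dll": parse_version("6.0.6002.18005")},
)

def assess(host: EndpointState) -> Dict[str, bool]:
    """Run both checks on one host so the disagreement in the thread is visible side by side."""
    return {"mbsa_says_needed": needed_by_registry_marker(PATCH, host),
            "bigfix_says_relevant": relevant_by_file_inspection(PATCH, host)}

# Constructed case from the thread: binary already newer (later update), marker key never written.
SUPERSEDED_HOST = EndpointState(set(), {r"C:\Windows\System32\example.dll": parse_version("6.0.6002.22500")})
# Constructed case: genuinely unpatched client, where both approaches agree.
UNPATCHED_HOST = EndpointState(set(), {r"C:\Windows\System32\example.dll": parse_version("6.0.6001.18000")})

if __name__ == "__main__":
    print(assess(SUPERSEDED_HOST))   # {'mbsa_says_needed': True, 'bigfix_says_relevant': False}
    print(assess(UNPATCHED_HOST))    # {'mbsa_says_needed': True, 'bigfix_says_relevant': True}
```

The first host reproduces the thread's situation: the marker is absent so a marker-only scan flags the patch, while the file already carries the fix so the file-based check says not relevant.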