Is it possible that since installing SEP 14, WSUS updates are being blocked from running?

I need a solution

Hello all

Since installing SEP 14 on our servers and computers a few months ago, we have noticed that computers/servers are not downloading the WSUS updates.

The computers/servers are notifying that there are new updates available, but when clicking on download the update, nothing happens.

The reason I’m thinking that this is due to the SEP install is that this is the only change that we have done to the network:

We had an old 2003 server running SEP 12.
It was replaced with a new 2012 R2 server and a clean installation of SEP 14.
On the client side, old SEP was removed using the CleanWipe utility, and only then was the new 14 version installed.
We get the following error: Code 8024402C (please see picture attached).

Any help with this issue would be very appreciated




Windows 10 compatibility support?

I need a solution

Currently, Symantec Encryption Desktop does not seem to support Windows 10 feature updates. With feature updates being released twice a year, and only supported for 18 months from the release of the feature update, this presents an issue for clients that are not reimaged every 18 months.

It seems we can update Windows 10 by decrypting the computer first, but this seems an untenable solution for many hundreds of clients. I found an article referring to a feature request to push the Anniversary update from WSUS, but it says “Support has worked directly with Product Management and has determined this feature will not be included at this time.” I have also found an article referring to some scripts for creating installation media for upgrades, but many of our users are remote workers.

Does this mean Symantec has no plans at this time to make the ability to upgrade Windows 10 without decryption possible?  

Or can someone provide information I may have missed explaining the procedure to update Windows 10 clients without decrypting first?

Thank you.




Event ID 41 — WUA Update Download


Updated: December 13, 2007

Applies To: Windows Server 2008

Windows Update Agent downloads updates from Windows Update, Microsoft Update, or Windows Server Update Services. Windows Update Agent can be configured to automatically detect and download updates or can be set to manually download updates by the user.

Event Details

Product: Windows Operating System
ID: 41
Source: Microsoft-Windows-WindowsUpdateClient
Version: 7.0
Message: An update was downloaded.


This is a normal condition. No further action is required.



Update Management Process


Updated: June 1, 2007


In This Module

This module provides an introduction to update management and explains why update management is essential for enterprise systems. It will introduce security terminology, together with descriptions of common vulnerabilities and types of threat. This module also describes the processes used within Microsoft to develop and release software updates, and shows how these relate to the steps you should take for proactive security update management. Finally, it introduces the four-phase update management process that Microsoft recommends, with more details presented in the following modules.

The purpose of this module is to introduce the key issues for update management in a Microsoft Windows operating system-based environment, and to describe the main tools, technologies, and processes that Microsoft recommends to support this task.



Use this module to:

  • Review secure IT management and the costs of weak security.

  • Understand the term “update management” and key security terminology.

  • Analyze key vulnerabilities and how these relate to Microsoft severity ratings, threat categories, and the types of threat agents that currently exist.

  • Look at how Microsoft fixes software after release, and at the Microsoft terminology for software updates.

  • See examples of the importance of proactive security update management.

  • Determine the most appropriate update management tools and technologies for your environment.

  • Describe the basic elements of the four-phase approach to update management.


Applies To

This module applies to all Microsoft products and technologies.


How To Use This Module

This module provides an introduction to security update management, covering the key terms and concepts, tools and technologies, and an overview of the recommended four-phase update management process. Examples of historical attacks are provided, together with the ways in which these attacks could have been avoided, had appropriate proactive security update management been carried out.

To gain the most from this module, you should:


Update Management Overview

Update management is the process of controlling the deployment and maintenance of interim software releases into production environments. It helps you to maintain operational efficiency and effectiveness, overcome security vulnerabilities, and maintain the stability of your production environment.

If your organization cannot determine and maintain a known level of trust within its operating systems and application software, it might have a number of security vulnerabilities, which, if exploited, could lead to a loss of revenue and intellectual property. Minimizing this threat requires you to have properly configured systems, to use the latest software, and to install the recommended software updates.

You should consider the following areas when determining the potential financial impact of poor update management:

  • Downtime:

    What is the cost of computer downtime in your environment? What if critical business systems are interrupted? Determine the opportunity cost of lost end-user productivity, missing transactions on critical systems, and lost business during an incident. Downtime is caused by most attacks, either by the attack itself or by the corresponding remediation required when recovering. Some attacks have left computers down for several days.

  • Remediation time:

    What is the cost of fixing a wide-ranging problem in your environment? How much does it cost to reinstall a computer? What if you had to reinstall all your computers? Many security attacks require a complete reinstallation to be certain that back doors (permitting future exploits) were not left by the attack.

  • Questionable data integrity:

    In the event that an attack damages data integrity, what is the cost of recovering that data from the last known good backup, or confirming data correctness with customers and partners?

  • Lost credibility:

    What does it cost if you lose credibility with your customers? How much does it cost if you lose one or more customers?

  • Negative public relations:

    What is the impact to your organization from negative public relations? How much could your stock price or company valuation fall if you are seen as an unreliable company with which to do business? What would be the impact of failing to protect your customer’s personal information, such as credit card numbers?

  • Legal defenses:

    What might it cost to defend your organization from others taking legal action after an attack? Organizations providing important services to others have had their update management process (or lack of one) put on trial.

  • Stolen intellectual property:

    What is the cost if any of your organization’s intellectual property is stolen or destroyed?

Assessing and maintaining the integrity of software in a networked environment through a well-defined update management program is the key first step toward successful information security, regardless of any restrictions to physical access to a computer.


Security Terminology

This section introduces key terminology that you should understand when participating in the security update management process. Table 1 describes the key security terms that are used throughout these modules.

Table 1: Important Security Terms




Software, hardware, a procedural weakness, a feature, or a configuration that could be a weak point exploited during an attack. Also called an exposure.


A source of danger.

Threat agent

The person or process attacking a system through vulnerability in a way that violates your security policy.


A threat agent attempting to take advantage of vulnerabilities for unwelcome purposes.


Software configurations, hardware, or procedures that reduce risk in a computer environment. Also called a safeguard or mitigation.


There are various ways through which software can become vulnerable to attack. Table 2 lists several typical software vulnerabilities.

Table 2: Software Vulnerabilities



Buffer overrun (overflow)

An unchecked buffer in a program that can overwrite the program code with new data. If the program code is overwritten with new executable code, the effect is to change the program’s operation as dictated by the attacker.

Privilege elevation (escalation)

Allows users or attackers to attain higher privileges in certain circumstances.

Validation error (source code)

Allows malformed data to have unintended consequences.

MSRC Vulnerability Severity Ratings

The Microsoft Security Response Center (MSRC) uses severity ratings to help you determine the urgency of vulnerabilities and related software updates. Table 3 lists the ratings used by MSRC to categorize the severity of a vulnerability.

Table 3: Vulnerability Severity Ratings




A vulnerability whose exploitation could allow the propagation of an Internet worm without user action.


A vulnerability whose exploitation could result in compromise of the confidentiality, integrity, or availability of users’ data, or of the integrity or availability of processing resources.


Exploitability is mitigated to a significant degree by factors such as default configuration, auditing, or difficulty of exploitation.


A vulnerability whose exploitation is extremely difficult, or whose impact is minimal.

For more information about MSRC vulnerability severity ratings, see the Microsoft Security Response Center Security Bulletin Severity Rating System:

Threat Categories

Microsoft has developed the STRIDE model, summarized in Table 4, to categorize software threats. These categories are often used in Microsoft security bulletins to describe the nature of a security vulnerability.

Table 4: STRIDE Model of Threat Categories



Spoofing identity

Illegally obtaining access and use of another person’s authentication information, such as a user name or password.

Tampering with data

The malicious modification of data.


Associated with users who deny performing an action, yet there is no way to prove otherwise. (Non-repudiation refers to the ability of a system to counter repudiation threats, and includes techniques such as signing for a received parcel so that the signed receipt can be used as evidence.)

Information disclosure

The exposure of information to individuals who are not supposed to have access to it, such as accessing files without having the appropriate rights.

Denial of service

An explicit attempt to prevent legitimate users from using a service or system.

Elevation (Escalation) of privilege

Where an unprivileged user gains privileged access. An example of privilege elevation would be an unprivileged user who contrives a way to be added to the Administrators group.

Note: For more information about the STRIDE model and how Microsoft trains developers to write secure code, see Howard, Michael and David LeBlanc, Writing Secure Code, Second Edition, Redmond, WA: Microsoft Press, 2002.

You can also find additional information, as well as useful readings, from an alliance web site:

Threat Agents

Malicious threats are attacks from inside or outside a network that have the intent to harm or disrupt an organization. Non-malicious threats usually come from untrained employees, who are unaware of security threats and vulnerabilities. Table 5 describes several malicious threat agents.

Table 5: Threat Agents




An intrusive program that infects computer files by inserting copies of self-replicating code, and deletes critical files, makes system modifications, or performs some other action to cause harm to data on the computer or to the computer itself. A virus attaches itself to a host program.


A self-replicating program, often malicious like a virus, that can spread from computer to computer without infecting files first.

Trojan horse

Software or e-mail that professes to be useful and benign, but which actually performs some destructive purpose or provides access to an attacker.

Mail bomb

A malicious e-mail sent to an unsuspecting recipient. When the recipient opens the e-mail or runs the program, the mail bomb performs some malicious action on their computer.


A person or organization carrying out an attack.


Any software application or program in which advertising banners are displayed or pop-up windows appear while the program is running. Adware is considered “Spyware” and is installed without the user’s knowledge.


Any software that covertly gathers user information through the user’s Internet connection without his or her knowledge, usually for advertising purposes. Spyware applications are typically bundled as a hidden component of freeware or shareware programs that can be downloaded from the Internet; however, it should be noted that the majority of shareware and freeware applications do not come with Spyware. Once installed, the Spyware monitors user activity on the Internet and transmits that information in the background to someone else. Spyware can also gather information about e-mail addresses and even passwords and credit card numbers. Spyware is similar to a Trojan horse in that users unwittingly install the product when they install something else. A common way to become a victim of Spyware is to download certain peer-to-peer file swapping products that are available today.

Note: While automated threats such as viruses are written to take advantage of specific vulnerabilities, an attacker who is targeting your organization has no such limitations. An attacker will try to compromise an environment by any means available.

Directed attacks can be carried out locally or remotely, and can include an exhaustive search for one of many possible vulnerabilities, including software vulnerabilities, weak passwords, weak security configurations, and security policy or training vulnerabilities.


How Microsoft Fixes Software After Release

Microsoft is committed to protecting customers from security vulnerabilities. As part of this effort, Microsoft makes available periodic releases of software updates. For more information on this effort, see the “Trustworthy Computing” white paper, located at

Every Microsoft product group includes a sustaining engineering team, which develops software updates for problems that are discovered after the product has been released.

When Microsoft is made aware of a security vulnerability, the issue is evaluated and verified by the MSRC and the appropriate product groups. The product group’s sustaining engineering team then creates and tests a security update to remedy the issue, while the MSRC works with the reporter of the vulnerability to coordinate the release of public information in the form of a security bulletin that has the security update details.

Microsoft then distributes the software update through the Microsoft Download Center and other services, including:

Automatic Updates:

  • Microsoft Windows Update

  • Microsoft Office Update

  • Microsoft Update

User Initiated (defined) Updates

  • Microsoft Systems Management Server (SMS) 2003

  • Microsoft Windows Server Update Service (WSUS)

Just as the software update is about to be released, the MSRC sends out a related security bulletin.

Note: Security updates are developed for multiple versions of the operating system and applications. To understand the support levels that you can expect for different software versions, you can review the Microsoft product support life cycle policies at:;[LN];lifecycle.

Typically, security updates are made available for supported products not only on the current service pack, but also the one previous. However, this is not always the case, so you should check the product support life cycle policies for your products to be sure.

Microsoft recommends that customers use the update management solution that best meets their needs. In general, WSUS addresses simple update management scenarios, while Systems Management Server (SMS) 2003 supports advanced update management needs. Table 6 shows typical customer choices for various organizational size segments:

Table 6: Organizational Size Segments

Customer Type


Customer Choice

Large or Medium Enterprise

The organization wants a single, flexible update management solution with an extended level of control that enables them to update (and distribute) all Windows operating systems and applications and also includes an integrated asset management solution.

SMS 2003

Large or Medium Enterprise

The organization wants a solution for update management only that provides simple updating for Microsoft software—initially supporting Windows 2000 and later supporting Office 2003, Office XP, Exchange Server 2000 and later, SQL Server 2000 and later.


Small Business

The business has at least one Windows server and one IT administrator.


Small Business

All other scenarios

Microsoft Update or Windows Update [2]


All other scenarios

Microsoft Update or Windows Update [2]

[1] Customers can use another update tool, or a manual update process, for operating system versions and applications not supported by WSUS or Microsoft Update.

[2] Microsoft Update is the new Web-hosted update service that will deliver updates for additional Microsoft software. Microsoft Update will be available in conjunction with the release of WSUS. Windows Update will continue to be available.

Software Update Terminology

Table 7 lists the current Microsoft standard terms for software updates, which became effective from June 30, 2003. Note that the term patch is no longer used by Microsoft to describe a software update, except as part of the term security patch or when describing the process of update management (which is well understood terminology in the software industry).

Table 7: Microsoft Terminology for Software Updates



Security patch

A broadly released fix for a specific product, addressing a security vulnerability. A security patch is often described as having a severity, which actually refers to the MSRC severity rating of the vulnerability that the security patch addresses.

Critical update

A broadly released fix for a specific problem, addressing a critical, non-security related bug.


A broadly released fix for a specific problem, addressing a non-critical, non-security related bug.


A single package composed of one or more files used to address a problem in a product. Hotfixes address a specific customer situation, are only available through a support relationship with Microsoft, and may not be distributed outside the customer organization without written legal consent from Microsoft. The terms QFE (Quick Fix Engineering update), patch, and update have been used in the past as synonyms for hotfix.

Update rollup

A collection of security patches, critical updates, updates, and hotfixes, which are released as a cumulative offering or targeted at a single product component, such as Microsoft Internet Information Services (IIS) or Microsoft Internet Explorer. Allows for easier deployment of multiple software updates.

Service pack

A cumulative set of hotfixes, security patches, critical updates, and updates since the release of the product, including many resolved problems that have not been made available through any other software updates. Service packs may also contain a limited number of customer-requested design changes or features. Service packs are broadly distributed and tested by Microsoft more than any other software updates.

Integrated service pack

The combination of a product with a service pack in one package.

Feature pack

A new feature release for a product that adds functionality. Usually rolled into the product at the next release.

Note: Because these definitions are new, several existing resources and tools do not use the terms as they are defined in the table above.


The Importance of Proactive Update Management

There have been several widely-publicized attacks and vulnerabilities related to Microsoft software. Many organizations with proactive update management in place were not affected by these attacks, because they acted on information that Microsoft made available in advance of the attack.

In Table 8, several historical attacks are identified, along with the date of the attack. In each case, an MSRC bulletin had previously been released that identified the vulnerability and described how to prevent future exploits of it (through software updates and other countermeasures). The last column in the table, Days Available Before Attack, lists the number of days that organizations had to implement the MSRC recommendations and avoid the future attack.

Table 8: Historical Attack Examples and Related MSRC Bulletins

Attack Name

Date Publicly Discovered

MSRC Severity

MSRC Bulletin

MSRC Bulletin Date

Days Available Before Attack


August 14, 2005



August 9, 2005



May 5, 2003



Mar 17, 2003


SQL Slammer

Jan 24, 2003



Jul 24, 2002



May 1, 2004



May 15, 2004



Aug 12, 2003



Aug 27, 2003



Jan 17, 2002



Mar 29, 2001



Sept 18, 2001



Oct 17, 2000


Code Red

Jul 16, 2001



Jun 18, 2001


*Bulletins released before MSRC severities in place.

These modules are designed to help you prevent future attacks like these, specifically focusing on the Days Available Before Attack column in the table.

Note: Proactive update management is an effective way to limit attacks that target known software vulnerabilities. The preceding table does not capture directed, intentional attacks performed by people inside or outside the target organization, who searched for and exploited security vulnerabilities with criminal intent.

To provide a better understanding of the relationship between MSRC bulletins and the opportunities they give to organizations that want a secure environment, the following sections briefly describe two historical attacks:

  • Code Red

  • SQL Slammer worms

Avoiding Attacks, Example 1: Code Red

Code Red is a worm that spread very quickly and had the potential for great impact. On July 16, 2001, the original Code Red worm spread to 250,000 computers in only nine hours. The various effects of the worm included slower Internet speeds, Web page outages and defacements, and disruption of business and personal applications, such as e-mail and ecommerce.

Code Red exploited a buffer overrun vulnerability within IIS to execute code on Web servers. IIS is installed by default with Microsoft Windows Server 2000 and is used by many applications.

Some organizations avoided Code Red by following the directions of MS01-033, an MSRC security bulletin released on June 18, 2001, 28 days before Code Red was released.

For more information on this security bulletin, including technical aspects and countermeasures, see:

Avoiding Attacks, Example 2: SQL Slammer

SQL Slammer (or Sapphire) is a worm that targets Microsoft SQL Server 2000 and Microsoft Data Engine (MSDE) 2000 systems, resulting in a high volume of network traffic on both the Internet and private internal networks, acting (some might say unintentionally) as an effective denial of service attack.

At approximately 9:30 P.M. Pacific Time on Friday, January 24, 2003, SQL Slammer caused a dramatic increase in network traffic worldwide. An analysis of the SQL Slammer worm shows:

  • The worm required roughly 10 minutes to spread worldwide, making it by far the fastest worm to date.

  • In the early stages, the number of compromised hosts doubled in size every 8.5 seconds.

  • At its peak (achieved approximately three minutes after the worm was released), it scanned the net at over 55 million Internet Protocol (IP) addresses per second.

  • It infected at least 75,000 servers and probably considerably more.

SQL Slammer exploited a buffer overrun vulnerability, which was first identified by Microsoft in security bulletin MS02-039 (July 2002), 184 days before the attack, and was identified again in security bulletin MS02-061. With each bulletin, a security patch was offered as well as appropriate countermeasures.

For more information on this security bulletin, including technical aspects and countermeasures, see:

Lessons Learned from SQL Slammer

One of the challenges organizations faced in avoiding SQL Slammer was the ubiquitous nature of MSDE and even SQL Server, because they are installed and used by many other products.

The SQL Slammer attack highlighted three important lessons on the nature of security vulnerabilities:

  • Having an accurate sense of all the computers, products, and technologies that are present in your environment is an important prerequisite for successful update management.

  • An effective attack does not require vulnerabilities on high-value assets. SQL Slammer effectively interrupted mission-critical operations through low-value, vulnerable computers on the same network.

  • Deploying a security patch once may not be sufficient to eliminate a vulnerability. Regular scanning to identify the recurrence of vulnerabilities, coupled with incident management to address them, is equally important.
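The patch window and the three lessons above can be measured from ordinary periodic scan results. The following Python sketch is an added example, not part of the original module: the bulletin and attack dates are the ones stated in this module, while the host names, the scan history, and the snapshot format (host mapped to its set of missing bulletins) are constructed assumptions.

```python
from collections import namedtuple
from datetime import date

# Bulletin release dates and attack dates as stated in this module.
BULLETINS = {
    "MS01-033": (date(2001, 6, 18), "Code Red", date(2001, 7, 16)),
    "MS02-039": (date(2002, 7, 24), "SQL Slammer", date(2003, 1, 24)),
}

# Constructed scan history (assumed format): (scan date, {host: missing bulletins}).
SCANS = [
    (date(2002, 8, 1), {"db01": {"MS02-039"}, "hr-pc07": {"MS02-039"}, "web01": set()}),
    (date(2002, 9, 1), {"db01": set(), "hr-pc07": {"MS02-039"}, "web01": set()}),
    (date(2002, 12, 1), {"db01": {"MS02-039"}, "hr-pc07": {"MS02-039"},
                         "web01": set(), "kiosk3": {"MS02-039"}}),
]

Recurrence = namedtuple("Recurrence", "host bulletin fixed_on reappeared_on")


def days_available(bulletin):
    """Days between the bulletin release and the attack that exploited it."""
    released, _attack, attack_date = BULLETINS[bulletin]
    return (attack_date - released).days


def find_recurrences(scans):
    """Find bulletins that were remediated on a host and later went missing again.

    This is the 'patch once is not enough' case, for example a product that is
    reinstalled from old media after the update was applied.
    """
    state = {}   # (host, bulletin) -> ("missing" | "fixed", date of that observation)
    seen = {}    # host -> bulletins ever reported missing on it
    found = []
    for scanned, snapshot in sorted(scans, key=lambda s: s[0]):
        for host, missing in snapshot.items():
            known = seen.setdefault(host, set())
            # Anything previously missing and now absent from the report is fixed.
            for bulletin in known - missing:
                if state[(host, bulletin)][0] == "missing":
                    state[(host, bulletin)] = ("fixed", scanned)
            for bulletin in missing:
                previous = state.get((host, bulletin))
                if previous and previous[0] == "fixed":
                    found.append(Recurrence(host, bulletin, previous[1], scanned))
                state[(host, bulletin)] = ("missing", scanned)
                known.add(bulletin)
    return found


def exposed_on(scans, bulletin, when):
    """Hosts whose most recent scan on or before `when` still lacks `bulletin`."""
    latest = {}
    for scanned, snapshot in sorted(scans, key=lambda s: s[0]):
        if scanned > when:
            break
        for host, missing in snapshot.items():
            latest[host] = bulletin in missing
    return sorted(host for host, is_missing in latest.items() if is_missing)


def late_discovered(scans):
    """Hosts absent from the first scan: a sign the inventory was incomplete."""
    ordered = sorted(scans, key=lambda s: s[0])
    baseline = set(ordered[0][1])
    found = {}
    for scanned, snapshot in ordered[1:]:
        for host in snapshot:
            if host not in baseline and host not in found:
                found[host] = scanned
    return found


if __name__ == "__main__":
    for bulletin, (_released, attack, attack_date) in BULLETINS.items():
        print(f"{bulletin}: {days_available(bulletin)} days available before {attack}")
        print("  exposed at attack date:", exposed_on(SCANS, bulletin, attack_date))
    for r in find_recurrences(SCANS):
        print(f"recurrence: {r.host} {r.bulletin} fixed {r.fixed_on}, "
              f"missing again {r.reappeared_on}")
    print("hosts found after the first scan:", late_discovered(SCANS))
```

In the constructed data, db01 is the recurrence case, hr-pc07 is the low-value computer that was never updated, and kiosk3 is the asset that was missing from the initial inventory.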


Requirements for Successful Update Management

Because update management is designed to give an organization control over the software updates it deploys, any organization planning to update its operational environment should ensure that it has:

  • Effective operations, including people who understand their roles and responsibilities.

  • Tools and technologies that are most appropriate for effective update management.

  • Effective project management processes.


Effective Operations

MOF, the MOF Process Model, the MOF Service Management Functions (SMFs), and the MOF Team Model provide guidance for effective IT operations. Three of the SMFs—Change Management, Configuration Management, and Release Management—are especially crucial to update management.


Tools and Technologies

This section will examine the automated tools that organizations of all sizes can use to manage and control software update installation. There are three principal Microsoft technologies available for enterprise update management of Windows-based systems.

  • Windows Server Update Services

  • Systems Management Server 2003

Windows Server Update Services (WSUS)

WSUS is a free tool that allows you to install a service to download all critical updates, security updates, and service packs as they are posted to the Microsoft Update Web site at

When you have approved these updates, WSUS will automatically make them available to all preconfigured servers running Microsoft Windows Server 2003 and Windows 2000, as well as to desktops running Windows XP Professional and Windows Vista.

The priority of security updates is established by the Microsoft Security Response Center (MSRC). For an overview of MSRC and the set of rules used in the decision-making process, see

WSUS provides the following:

  • More updates for Microsoft products, in more categories

  • Ability to automatically download updates from Microsoft Update by product and type.

  • More language support for customers worldwide.

  • Maximized bandwidth efficiency through Background Intelligent Transfer Service (BITS) 2.0. (BITS 2.0 is not installed by Update Services and is available on Microsoft Update.)

  • Ability to target updates to specific computers and computer groups.

  • Ability to verify that updates are suitable for each computer before installation – a feature that runs automatically for critical and security updates.

  • Flexible deployment options.

  • Reporting capabilities.

  • Flexible database options.

  • Data migration and import/export capabilities.

  • Extensibility through the application programming interface (API).

WSUS’s features can be divided into two components: server-side and client-side. The following lists show the features on each side of WSUS:

Server-Side Features

  • Updates for Windows, Office, Exchange Server, and SQL Server, with additional product support over time

  • Specific updates can be set to download automatically

  • Automated actions for updates determined by administrator approval

  • Ability to determine the applicability of updates before installing them

  • Replica synchronization

Client-Side Features

  • Powerful and extensible management of the Automatic Updates service

  • Self-updating for client computers

  • Automatic detection of applicable updates

WSUS enables information technology administrators to deploy the latest Microsoft product updates to Microsoft Windows Server 2003 and Windows 2000, as well as to desktops running Windows XP Professional and Windows Vista. By using WSUS, you can fully manage the distribution of updates that are released through Microsoft Update to computers in your network.

The WSUS server component is installed on a computer running Windows 2000 Server with Service Pack 4 (SP4) or the Windows Server 2003 operating system inside the enterprise’s firewall. The WSUS server provides the features that administrators need to manage and distribute updates, either through a Web-based tool for WSUS, which can be accessed from Internet Explorer on any Windows computer in the corporate network, or, for WSUS 3.0, through an MMC snap-in, which can be accessed on any Windows computer in the corporate network. Note: WSUS 3.0 requires MMC 3.0. In addition, a Windows Server Update Services server can be the update source for other Windows Server Update Services servers.

The WSUS client computer component runs on Windows Vista, Windows XP, Windows 2000 with SP3, and Windows Server 2003 operating systems. Automatic Updates enables both server and client computers to receive updates from Microsoft Update or from a server running WSUS.

WSUS does not provide scanning and auditing functionality, so a WSUS-based update management solution also requires the use of the Microsoft Baseline Security Analyzer 2.0 tool.

Note: This page includes a summary of the WSUS product overview. You can also read the full product overview for WSUS 3.0 here.

Related Links

Summary information on the use of WSUS and MBSA to support update management is given in the following modules:

For detailed information on using WSUS and MBSA to support update management, see Windows Server Update Services (WSUS) Technical Library.

Microsoft Baseline Security Analyzer (MBSA) 2.0.1

Microsoft Baseline Security Analyzer (MBSA) 2.0.1 is an easy-to-use tool that helps small and medium-sized businesses evaluate their security according to Microsoft security recommendations. This article discusses the availability of MBSA 2.0.1.

MBSA 2.0.1 detects products that are currently supported by Microsoft Update, the central catalog of updates for Microsoft products. Microsoft Update replaces Windows Update. Windows Update only updates Microsoft Windows operating system products. Microsoft Update hosts the detection logic for MBSA 2.0.1 and other tools.

MBSA 2.0.1 scans for missing security updates and reports on a computer’s adherence to common security best practices (such as strong passwords), and identifies any configuration options that leave the computer open to potential security vulnerabilities. MBSA can also be configured to report on updates that have already been approved on a WSUS server, but have not yet been installed.

MBSA 2.0.1 scans for administrative vulnerabilities on Microsoft Windows Vista; Windows 2000; Windows XP; Windows Server 2003; Microsoft Internet Information Services (IIS) 5.0, 5.1, and 6.0; Microsoft Internet Explorer 5.01, 5.5, and 6.0 (including Internet Explorer 6.0 for Windows XP SP2 and Internet Explorer 6.0 for Windows Server 2003); Microsoft SQL Server 7.0 and SQL Server 2000; and Microsoft Office 2000, Office XP, and Office 2003. Note that MBSA 2.0.1 only supports remote scans for Windows Vista. The upcoming MBSA version 2.1 will support local scans of Windows Vista systems.

MBSA 2.0.1 includes many improvements and new features from the prior 1.2.1 version. We recommend that most customers use MBSA 2.0. To download MBSA, visit the MBSA home page at the following Microsoft Web site:

MBSA 2.0.1 includes the following key features:

  • Severity ratings

  • Local and remote scans for Microsoft Office XP and later security updates

  • Additional guidance for locating updates and taking appropriate action

  • CVE-IDs for supported updates

  • Improved help content

  • Compatibility with Windows Server Update Services

  • Automatic Microsoft Update registration and agent update

  • Detection of updates on Windows XP Embedded and on 64-bit versions of Microsoft Windows

Although MBSA can identify, at the domain or subnet level, what is required to secure a particular computer, it does not provide any method for distributing the updates to those computers or configuring the computers. For this reason, MBSA should be used in combination with WSUS to provide an update management solution. MBSA does, however, provide information on how to remediate any vulnerabilities found, including links to Knowledge Base articles and white papers.

MBSA 2.0.1 provides a graphical interface for viewing reports generated for each computer, and can also be command-line scripted. MBSA copies an XML file stored on the Microsoft Download Center to ensure it uses a current list of assessment details for new security-related software updates.

More information on MBSA can be found at

Systems Management Server 2003

Microsoft Systems Management Server (SMS) 2003 is the preferred mechanism for deploying and managing the distribution of software updates to a large number of clients. It provides the following functionality, which is essential for successful deployment:

  • Inventory functions to determine how many computers have been deployed and to identify their locations and roles.

  • Inventory functions to identify which software applications and software updates have been installed and which need to be installed on the deployed computers.

  • Scheduling functions that allow an organization to deploy software updates outside regular working hours, or at a time that has the least impact on business operations.

  • Status reporting that allows administrators to monitor installation progress.

The SMS 2003 inventory scanning programs are key to the effective management of software updates. They are used to create an inventory of applicable and installed updates for each client computer, using an automated source of detection logic. The resulting data is included in the Systems Management Server inventory and a comprehensive view of the status is provided through the Web-based reporting capabilities. Typically, the inventory data will be limited to those items that are released by Microsoft as security bulletins.

SMS 2003 includes the following tools (also available in the SMS 2.0 Software Update Services Feature Pack):

  • Security Update Inventory Tool

  • Microsoft Office Inventory Tool for Updates

  • Distribute Software Updates Wizard

  • Inventory Tool for Microsoft Updates

Note: Beta 2 of the next release of SMS, entitled System Center Configuration Manager 2007, is now available for download at With major investments in simplicity, configuration, deployment and security, Configuration Manager 2007 dramatically simplifies system deployment, task automation, compliance management, and policy based security management allowing for increased business agility.

Security Update Inventory Tool

The Security Update Inventory Tool builds on SMS inventory capabilities and takes advantage of the power of MBSA to scan each client for security updates. The resulting data is included in the SMS inventory, and a comprehensive status is provided through Web-based reports. This tool is not installed on SMS sites by default, but it is part of the SMS 2003 Software Update Scanning Tools, and can be downloaded from

Microsoft Office Inventory Tool for Updates

The Microsoft Office Inventory Tool for Updates uses the existing Microsoft Office Inventory Tool to carry out automated, ongoing scans of SMS clients for installed or applicable Office updates. This tool is part of SMS 2003 SP1 Scan tools. This data is converted and included in the SMS inventory, and can also be viewed through Web-based reports. This tool is not installed on SMS sites by default, but it is part of the SMS 2003 Software Update Scanning Tools, and can be downloaded from

Distribute Software Updates Wizard

The Distribute Software Updates Wizard compares available updates with the inventory of client computers to determine missing and previously-installed updates. Only the necessary updates are installed, whereas redundant or unnecessary updates are ignored or postponed, thus reducing system overhead.

The Distribute Software Updates Wizard provides the following capabilities:

  • Addition to the inventory of the software update status of all clients, based on new security update information.

  • Review and authorization of updates identified as missing.

  • Tailoring of packages and advertisements to each update or set of updates.

  • Distribution of update advertisements to computers using SMS software distribution capabilities.

  • Windows Update style notifications and a rich end-user experience.

  • Use of timers to allow users to save and close applications, and optionally to enable users to postpone updates or to choose not to restart their system.

More information on SMS 2003 can be found at

Summary information on the use of SMS 2003 to support update management is given in the following modules:

For detailed information on using SMS 2003 to support update management, see Technical Library for Systems Management Server 2003.

Tools and Technologies Comparison

Table 10 compares the capabilities provided by SMS 2003 and WSUS.

Table 10: Update Management Capabilities



SMS 2003

Supported Platforms for Content

Windows 2000, Windows Server 2003, Windows XP

Windows NT 4.0, Windows 2000, Windows Server 2003, Windows XP, Windows 98

Supported Content Types

Windows 2000+, Exchange 2000+, SQL Server 2000+, Office XP+ with expanding support

All security patches, Service Packs, and updates for the above platforms. Also supports security patch, update, and application installations for Microsoft and other applications.

Targeting Content to Systems

Yes, for Microsoft content


Network Bandwidth Optimization

Yes, for update deployment

Yes, for update deployment and server synchronization

Patch Distribution Control



Patch Installation and Scheduling Flexibility

Controlled by administrator (automatic) or user (manual)

Administrator-controlled with granular scheduling capabilities

Patch Installation Status Reporting

Yes, for Microsoft content

Comprehensive: Installation status, result, and compliance details

Deployment Planning

Not Applicable


Inventory Management

Not Applicable


Compliance Checking




Effective Project Management Processes

In order to get the best results, you should treat your use of the update management process outlined in this module as a project, using an effective project management process.

Many organizations have their own methodologies, all of which should be compatible with the guidance provided in this module. Microsoft recommends using Microsoft Solutions Framework (MSF) for project management guidance. For more information about MSF, see


The Four-Phase Approach to Update Management

The update management process that Microsoft recommends is a four-phase approach to managing software updates, which is designed to give your organization control over the deployment and maintenance of interim software releases into your production environment.

The four phases are:

  • Assess

  • Identify

  • Evaluate and Plan

  • Deploy

Assess

The process starts with an assessment of what you have in your production environment, what security threats and vulnerabilities you might face, and whether your organization is prepared to respond to new software updates.

For more detailed information on the Assess phase, see the module, “Update Management Phase 1 – Assess.”


Identify

Your goal during the Identify phase is to discover new software updates in a reliable way, determine whether they are relevant to your production environment, and determine whether an update represents a normal or emergency change.

For more detailed information on the Identify phase, see the module, “Update Management Phase 2 – Identify.”

Evaluate and Plan

Your goal during the Evaluate and Plan phase is to make a go/no-go decision to deploy the software update, determine what is needed to deploy it, and test the software update in a production-like environment to confirm that it does not compromise business critical systems and applications.

For more detailed information on the Evaluate and Plan phase, see the module, “Update Management Phase 3 – Evaluate and Plan.”


Deploy

Your goal during the Deploy phase is to successfully roll out the approved software update into your production environment so that you meet all of the requirements of any deployment service level agreements (SLAs) you have in place.

For more detailed information on the Deploy phase, see the module, “Update Management Phase 4 – Deploy.”

Figure 1 illustrates the process and its four phases.

Figure 1. The Microsoft-recommended four-phase update management process


This four-phase process is based on the MOF Change Management, Release Management, and Configuration Management service management functions (SMFs), which can be found at



The catalog was last synchronized successfully %1 or more days ago.

Product: .NET Framework
Event ID: 10021
Source: Windows Server Update Services
Version: 2.0.50727
Symbolic Name: HealthCoreCatalogSyncYellow
Message: The catalog was last synchronized successfully %1 or more days ago.
WSUS catalog synchronization depends on connectivity to the upstream server or Microsoft Update.
User Action
Old Catalog Synchronization

The last catalog synchronization happened some time ago or was never performed.

  1. This is a reminder to synchronize the server on a regular basis if the synchronization schedule is set to manual.
  2. Start WSUS 3.0: Click Start, click Administrative Tools, then click Microsoft Windows Server Update Services v3.0.
  3. Click Synchronization Results.
  4. In the Action pane, click Synchronize Now.


Look for the corresponding error event.

  1. Open a command window.
  2. Type cd <WSUSInstallDir>\Tools
  3. Type wsusutil checkhealth
  4. Type eventvwr
  5. Review the Application log for the most recent events from source Windows Server Update Services and event id 10020.


Client computers are installing updates with a higher than %1 percent failure rate. This should be monitored.

Product: .NET Framework
Event ID: 13001
Source: Windows Server Update Services
Version: 2.0.50727
Symbolic Name: HealthClientsInstallUpdatesYellow
Message: Client computers are installing updates with a higher than %1 percent failure rate. This should be monitored.
Updates need to be installed properly on client computers.
User Action
Failed to Install Updates

See How to troubleshoot Windows Update, Microsoft Update, and Windows Server Update Services installation issues


  • You are offered an update for a product, but the update is not installed on your computer.
  • You are repeatedly offered an update, even if you have already installed it.
  • Installation fails for a particular update.
  • To verify the actual error:
    1. Open a command window.
    2. Type cd <WSUSInstallDir>\Tools
    3. Type wsusutil checkhealth
    4. Type eventvwr
    5. Review the Application log for the most recent events from source Windows Server Update Services and event id 13000.
  • Related:

The Windows Server Update Server Service has stopped.

Product: .NET Framework
Event ID: 502
Source: Windows Server Update Services
Version: 2.0.50727
Symbolic Name: WsusServiceStopped
Message: The Windows Server Update Server Service has stopped.
The WSUS service must be running.
User Action
WSUS Service

The WSUS service “Update Services” is stopped.

Possible resolutions include:

  • The Update Services service has been manually stopped. Start the service.
    1. Open a command window.
    2. Type sc start wsusservice
  • The Update Services service is set to manual and is stopped.
    1. Open a command window.
    2. Type sc config wsusservice start= auto
    3. Type sc start wsusservice
  • The Update Services service failed to start. Review the NT event log for issues that occurred before this event (for example, the SQL database or IIS) and resolve them. Then start the service.
    1. Open a command window.
    2. Type sc start wsusservice


Look for the corresponding error event.

  1. Open a command window.
  2. Type cd <WSUSInstallDir>\Tools
  3. Type wsusutil checkhealth
  4. Type eventvwr
  5. Review the Application log for the most recent events from source Windows Server Update Services and event id 501.


The Windows Server Update Server Service has started.

Product: .NET Framework
Event ID: 501
Source: Windows Server Update Services
Version: 2.0.50727
Symbolic Name: WsusServiceStarted
Message: The Windows Server Update Server Service has started.
The WSUS service must be running.
User Action

This message is for informational purposes only. No user action is required.
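
The event descriptions above all use the same procedure: run wsusutil checkhealth, then read the Application log for a given event ID from source Windows Server Update Services. The PowerShell script below is an added example, not part of the original pages, that automates that triage on the WSUS server. The default install directory and the LookbackHours parameter are assumptions; the event IDs, symbolic names and service name are the ones listed above.

```powershell
# Added example: triage the WSUS health events described above.
param(
    # Assumption: default WSUS install location; pass your own <WSUSInstallDir>.
    [string]$WsusInstallDir = (Join-Path $env:ProgramFiles 'Update Services'),
    # Assumption: how far back to read the Application log.
    [int]$LookbackHours = 24
)

# Event IDs, symbolic names and follow-up actions as given on this page.
# 10020 and 13000 are the "corresponding error events" the page points to.
$Known = @{
    10021 = 'HealthCoreCatalogSyncYellow: synchronize now, then check for 10020'
    10020 = 'Error event paired with 10021 (catalog synchronization)'
    13001 = 'HealthClientsInstallUpdatesYellow: check for 13000'
    13000 = 'Error event paired with 13001 (client install failures)'
    502   = 'WsusServiceStopped: start the wsusservice service'
    501   = 'WsusServiceStarted: informational'
}

# "wsusutil checkhealth" makes WSUS write fresh health events to the log.
$wsusutil = Join-Path $WsusInstallDir 'Tools\wsusutil.exe'
if (Test-Path $wsusutil) {
    & $wsusutil checkhealth | Out-Null
} else {
    Write-Warning "wsusutil.exe not found under $WsusInstallDir; reading existing events only."
}

# Read the Application log for the WSUS source and the IDs above.
$filter = @{
    LogName      = 'Application'
    ProviderName = 'Windows Server Update Services'
    Id           = [int[]]@($Known.Keys)
    StartTime    = (Get-Date).AddHours(-$LookbackHours)
}
$events = @(Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue)

# Report the most recent occurrence of each event ID, newest first.
$events | Group-Object Id | ForEach-Object {
    $latest = $_.Group | Sort-Object TimeCreated -Descending | Select-Object -First 1
    [pscustomobject]@{
        EventId  = $latest.Id
        LastSeen = $latest.TimeCreated
        Count    = $_.Count
        Meaning  = $Known[[int]$latest.Id]
    }
} | Sort-Object LastSeen -Descending | Format-Table -AutoSize -Wrap

# A 502 newer than the last 501 means the service stopped and did not restart.
$lastSvc = $events | Where-Object { $_.Id -in 501, 502 } |
    Sort-Object TimeCreated -Descending | Select-Object -First 1
$svc = Get-Service -Name 'WsusService' -ErrorAction SilentlyContinue
if (($lastSvc -and $lastSvc.Id -eq 502) -or ($svc -and $svc.Status -ne 'Running')) {
    Write-Warning 'Update Services is stopped: fix earlier SQL/IIS errors, then run "sc start wsusservice".'
}
```

Run it from an elevated PowerShell 3.0 or later session on the WSUS server; an empty table means no matching health events were logged within the lookback window.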