In scenarios where SCCM is used to manage all updates on the network, the Windows Update Agent on local Clients ends up in a dead-end when it queries for Microsoft patches as it attempts to look for updates against the Software Update Point which is not authoritative being under the SCCM, however.
As patches are copied by SCCM and re-created for deployment in the form of SCCM objects, all MS entries in the WSUS remain unapproved to Clients which then blocks the Windows Update Agent service of fetching particular information on Microsoft entries.
This sets a requirement for SCCM-based-networks to either allow the Windows Update Agents on clients to seek update information against the official public Microsoft website, or if the network is closed-down for Clients, then the use of offline CAB file detection could become the only remaining option for evaluating the security state of Windows OS components and programs.
This guide helps you configure the detection of missing Microsoft security updates on machines scanned by SVM's Single-host Agents via the use of offline cabinet (.CAB) database files as provided by Microsoft. The following scenarios may require the detection of missing MS security updates via offline cabinet files:
You maintain a secure network where local software deployment server is not available, neither local systems are permitted to look for updates online.
You use SCCM to deploy patches while Client machines are disallowed to search for updates online on their own.
Below we listed the steps you need to take to enable offline detection of missing MS security updates: (before taking actions, please review the entire article first)
Download the official MS Offline Cabinet (.cab) file from this link.
Deploy the CAB file to _all systems_ that need to report back missing MS security updates.
The CAB file must be stored in _easily accessible local machine directory_ on each system.
Open SVM and navigate to Configuration > Settings > Windows Update Settings.
Enable the setting "use offline method: path to.CAB file".
Insert the local path where the CAB file was placed including its full name and extension.
Click Save Windows Update Settings.
Enable 'Do Not use a proxy server for the Windows Update Agent' below.
Click Save Windows Update Settings.
The prerequisites for querying the offline CAB file should be configured properly now. Your Agents will check-in to their SVM server and download the instructions from there.
Let's confirm that the configuration is working as expected now. The next steps will help you confirm the outcome of the procedures you performed:
Go to one machine of your choice where you have a Single Host Agent installed.
Open CMD or PowerShell with Administrator privileges.
Browse to C:\Program Files (x86)\Flexera Software\Corporate Software Inspector Agent\
Run 'csia.exe -c -d cab_scan.txt -v' and wait until the scan is completed.
Go to the Agent directory and open the 'cab_scan.txt' log file (use WordPad)
Press Ctrl+F and search for the exact name of the directory you placed your CAB file at.
Under --Scan options-- you should be able to see similar output like the below screen displays.
Go back to SVM and review the machine results of the manual scan you launched earlier.
You should now be able to confirm the insecure program instances on your machine(s).
Maintaining the file updated at all times? Many times users expect to see many different versions of the official cab file, but in reality, there is only one and it is being updated by Microsoft regularly. To ensure maximum efficiency of the scans, you should consider re-downloading the file from the same download location minimum once a month and re-deploying it to your hosts. Feel free to overwrite the old file, as all you need is the newest file downloaded most recently (also to avoid confusion and mistakes).
How to deploy the CAB file to all machines? To deploy the cabinet file to each machine, you can use GPO distribution or you can do it via a custom script. In all cases, performing the automatic distribution of the file in any way would save you time and effort in the long term.
Where to store the offline .cab file? You need to make sure the file ends up in the same directory location on each system. SVM will look only at one single URL path and it is therefore important not to place the file in different locations on the different systems to be scanned. "C:\wsuscab\" could be a good option.
Setting up the CAB file to a network-shared location - not a workaround! Don't put the CAB file on a shared drive because this is very unlikely to work. Windows Update Agent does not support this option.