2 Replies Latest reply on Mar 3, 2015 3:44 AM by Steffen Kreis

    Issues with Office Patching

    Steffen Kreis



      We are using BSA (8.3.2) to do all Patch Management and Deployment on our Windows Targets.

      We currently maintain a dedicated catalog just for MS Office Patching, but unfortunately this creates a lot of follow-up work.


      The bank also operates a Sec-Ops Team that uses McAfee Foundstone to scan the servers for any vulnerabilities, and some local teams double-check their servers using MBSA.


      Very often these tools report Office Patches as Missing, while BSA states the server is fully patched.

      In the past, very often it turned out that we/BSA had not reflected the affected MS Office editions that were installed on the targets, so we had to update our product_categories.xml manually to get those patches detected as well.


      Besides that, the second most common issue is that tools like MBSA report a patch as missing (normally Foundstone then as well), but BSA doesn't show that patch at all.

      On further investigation (reviewing shavlik_results.xml from debug mode) we see items like this:


      <Item class="Patch" BulletinID="MS11-072" SQNumber="Q2553091" Superseded="false" PatchName="office2010-kb2553091-fullfile-x64-glb.exe" Applicable="false" Status="Effectively Installed" Reason="Patch does not apply under the current configuration but may apply if some option is turned on."/>


      Can someone explain to me how that reason (does not apply) is figured out, as clearly Microsoft and MBSA think differently on that?

      What's a bit frustrating is that these items don't show up in the Patch-Analysis results of the console at all, which I can only guess may be due to the Applicable="false".

      Has somebody had similar experiences and found solutions around these types of things?
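
      An added example, not part of the original post and not BMC or Shavlik code: one way to reconcile KBs that MBSA or Foundstone report as missing against the debug-mode shavlik_results.xml, separating patches that were evaluated but marked Applicable="false" from patches that were never evaluated at all. Only the first Item is quoted from the post; the Results wrapper element, the second item, its status value and the list of scanner findings are assumptions constructed for illustration.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample. Only the first <Item> is quoted from the post; the
# <Results> wrapper and the second item (ids, status value) are assumptions.
SAMPLE_XML = """<Results>
<Item class="Patch" BulletinID="MS11-072" SQNumber="Q2553091" Superseded="false" PatchName="office2010-kb2553091-fullfile-x64-glb.exe" Applicable="false" Status="Effectively Installed" Reason="Patch does not apply under the current configuration but may apply if some option is turned on."/>
<Item class="Patch" BulletinID="EXAMPLE-01" SQNumber="Q0000001" Superseded="false" PatchName="constructed-kb0000001.exe" Applicable="true" Status="Missing" Reason=""/>
</Results>"""


def kb_digits(value):
    """Normalise 'Q2553091', 'KB2553091' or 'kb 2553091' to '2553091'."""
    match = re.search(r"(\d{5,})", value or "")
    return match.group(1) if match else None


def load_patch_items(xml_text):
    """Index every <Item class="Patch"> by KB number, at any nesting depth."""
    items = {}
    for elem in ET.fromstring(xml_text).iter("Item"):
        kb = kb_digits(elem.get("SQNumber"))
        if elem.get("class") == "Patch" and kb:
            items[kb] = dict(elem.attrib)
    return items


def reconcile(xml_text, scanner_missing):
    """Explain each KB another scanner reports missing using the debug file."""
    items = load_patch_items(xml_text)
    report = {}
    for raw in scanner_missing:
        kb = kb_digits(raw)
        item = items.get(kb)
        if item is None:
            # No Item at all: the patch was never evaluated on this target.
            report[kb] = ("not-evaluated", None, None)
        elif item.get("Applicable", "").lower() == "false":
            # Evaluated, but judged not applicable; keep the engine's reason.
            report[kb] = ("not-applicable", item.get("Status"), item.get("Reason"))
        else:
            report[kb] = ("evaluated", item.get("Status"), item.get("Reason"))
    return report


if __name__ == "__main__":
    # Constructed list of KBs that MBSA/Foundstone flagged as missing.
    findings = ["KB2553091", "KB0000001", "KB9999999"]
    for kb, verdict in reconcile(SAMPLE_XML, findings).items():
        print(kb, verdict)
```

      A "not-evaluated" result points at catalog or product_categories.xml coverage, while "not-applicable" carries the engine's own Reason text for follow-up with the Sec-Ops team.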