Client Management Suite

MSWU-603 (Description of an update rollup for the printing core components in Windows 7) and MSWU-599 (FIX: .NET Framework 3.5 SP1 application) are both showing up on my compliance reports as applicable on all of my machines, but when I run windows update the updates don't show as needing to be installed (not under optional updates either).

I read about the bulletins and see they are for win7 but I am not sure why I wouldn't see them as needing to be installed under windows update if my machines really need the updates?

I've been patching for 6 months now and thus far every update Altiris said I was applicable for did show under windows update (or versions checked out for Adobe, etc).  Anyone else seen anything like this before?  I have a ticket in as well. 

We are CMS 7.1 SP2.

I've generally found the opposite to be true.  Windows Update usually has more.  According to support that was because MS sometimes releases patches through WU that don't have a severity rating, and therefore aren't included with Patch.

If I open the Compliance by Computer report, and go with the defaults,

Release date 3/24/2010 to 3/23/2012 (2 years worth)

Vendor=Microsoft

Operating System=Any

Category= Security Update

Distribution Status= Active

I do not see "MSWU" updates.

But If I change the Category from Secutiry Updates to --Any--

I see alot of MSWU bulletins my PCs need installed.

 Someone correct me if I'm wrong. I guess if they're not security related they are named MSWU and do not have a severity level associated with them.

It seems you're right adude, MSWU aren't necessarily security related.  Many of the MSWU bulletins I've pushed contain office fixes, which we also like to stay on top of.  We have a relatively small environment, so as far as MS bulletins go I'll push whatever Altiris makes available that I can confirm through win updates my machines actually need (after testing internally).

Every month I run win updates on my test machines and record how many critical/optional updates there are and get those numbers back to as low as possible using Altiris Patch.

This is not a security vs. non-security issue.  In 7.1 SP1 and later (Sally is running 7.1 SP2), all updates released by Microsoft are also released by Symantec.  The issue is that Microsoft uses different rules than Symantec to determine if an update is installed.  In this case, it's probably seeing some .cab files or something and deciding that the update is installed.  Meanwhile, Symantec is looking for .dll versions or registry entries and not finding them, or not finding all of them, so it's marking the system as vulnerable.

In cases like these, if you haven't already deployed it using Symantec, I download the redistributable and run it manually on the system to see whether it completes or whether it reports it was already installed, or some other error (e.g. "This does not apply to your system!").  This informs next steps, such as opening a case with Symantec if Altiris is suggesting your computers need an update that is actually not applicable.  They will work with you to resolve the issue, and if a problem is found with their detection or applicability rules, the source files, command lines, etc., they will typically resolve the issue and release it with the next PMImport release.

Does this answer your question on why you might be seeing different results?

Thanks, Mike, this is pretty much what I thought as well.  I do have a ticket in but haven't heard back yet.