Created on 09-28-2018 02:06 AM
Edited on 03-26-2024 10:28 PM
By Anthony_E
Description
This article describes why the Windows Critical and Security Updates scan may appear to hang and not complete.
The Windows Update tool is used to check for Critical Updates and Security Updates during an operating system scan. Depending on how the scan is configured in the Endpoint Compliance Policy, the agent on the endstation will try to connect to one of the following:
- Microsoft Windows Update website and any other associated sites.
- An internal server that is providing the Windows Updates.
If there are communication issues between the endstation and the Microsoft Windows Update sites, the scan can appear to hang and not complete. As of this writing, the agent does not time out if the update sites cannot be reached. Consequently, the scan remains in a hung state until it is canceled.
Scope
FortiNAC-F v7.x, FortiNAC v9.x, v8.x, Agent v9.x, v5.x.
Solution
- Verify that the Allowed Domains List has the appropriate entries for Windows Security Updates. Refer to the document Domains to Add to Allowed Domains List (zones. common).
- Once the Allowed Domains List has been updated, verify that those domains and any CNAMEs resolve to their actual IP addresses and not to the isolation IP. To identify which names are resolving to the isolation IP address, see the KB article Troubleshooting domain resolution in the captive portal.
- Verify that the firewall allows traffic to these sites. Even though the client is in an isolation network, it is necessary to allow access to the internet at least for the Microsoft Update repository. To achieve this, use the Microsoft-Update entry of the FortiGate Internet Service Database as the destination in the firewall policy.
To troubleshoot further, collect the following:
- Wireshark trace taken during the scan.
- Agent debug logs from the endstation. See the related KB articles below.
- WindowsUpdate.log from the endstation (C:\Windows\WindowsUpdate.log).
- Application and System logs under the Windows Logs folder in the Windows Event Viewer.
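One way to perform the resolution check described in the second solution item, as an added example that is not part of the original article: resolve each Windows Update name from the isolated endstation and flag any whose address set contains the isolation IP (including names that reach it through a CNAME) or that does not resolve at all. The domain list and the 192.0.2.10 isolation address are placeholders to replace with the values from the Allowed Domains document and your own portal; `check_domains` takes a resolver callable so the logic can be exercised offline.

```python
import socket
from typing import Callable, Dict, Iterable, List, Tuple

# Resolver signature: name -> (canonical_name, [aliases], [ip addresses]),
# the same shape socket.gethostbyname_ex() returns.
Resolver = Callable[[str], Tuple[str, List[str], List[str]]]
Report = Dict[str, Tuple[str, str, List[str]]]

# Constructed sample list (hypothetical); take the real one from the FortiNAC
# "Domains to Add to Allowed Domains List" document.
WINDOWS_UPDATE_DOMAINS = [
    "windowsupdate.microsoft.com",
    "update.microsoft.com",
    "download.windowsupdate.com",
]

def live_resolver(name: str) -> Tuple[str, List[str], List[str]]:
    """Resolve with the endstation's configured DNS, which in isolation is the portal's."""
    return socket.gethostbyname_ex(name)

def check_domains(domains: Iterable[str], isolation_ips: Iterable[str],
                  resolve: Resolver = live_resolver) -> Report:
    """Classify each name as 'ok', 'isolation' (answer includes the isolation IP)
    or 'nxdomain'. Returns {name: (status, canonical_name, ips)}. When a name is a
    CNAME, canonical_name is the target, which is the entry the allow list must cover."""
    isolation = set(isolation_ips)
    report: Report = {}
    for name in domains:
        try:
            canonical, _aliases, ips = resolve(name)
        except OSError:  # socket.gaierror is a subclass of OSError
            report[name] = ("nxdomain", name, [])
            continue
        status = "isolation" if isolation.intersection(ips) else "ok"
        report[name] = (status, canonical, sorted(ips))
    return report

def domains_needing_allowlist(report: Report) -> List[str]:
    """Names whose resolution still goes to the portal or fails outright."""
    return sorted(name for name, (status, _c, _ips) in report.items() if status != "ok")

if __name__ == "__main__":
    ISOLATION_IP = "192.0.2.10"  # placeholder: use your captive portal's isolation address
    result = check_domains(WINDOWS_UPDATE_DOMAINS, [ISOLATION_IP])
    for name, (status, cname, ips) in result.items():
        print(f"{status:9} {name} -> {cname} {ips}")
    print("needs allow list entry:", domains_needing_allowlist(result))
```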
Related articles:
Technical Note: Windows Persistent Agent logs
Technical Note: Enable Windows Dissolvable Agent debug logging