Baseline Management

Hi all,

We currently use monthly baselines to patch our systems. Recently we have been running into a problem where a subset of machines break after a certain patch is installed (e.g. systems with a certain application). I am reaching out to see how you guys manage such a scenario. The solution that has come to mind so far is to exclude that patch from the global monthly baseline and then take another action on just that patch to all systems excluding the ones that will break. However, this can be a nightmare if we have multiple groups of systems with different patches needing exclusion. Another idea was to modify the fixlet to check for a property value (to be present on excluded machines) and abort installation if it exists, but that will mean the fixlet will be out of sync and might need modification on a monthly basis. Has anyone run into a similar issue and, if so, any other ideas on how to handle this problem?

Thanks,
Hani

Can you please elaborate on the problem?

I would put the problematic patches in a separate baseline or baselines with additional relevance to exclude installing them on systems with the software installed that it conflicts with.

So as an example:

Name_Of_Baseline: Patches that cannot be installed on systems with Adobe Acrobat
Additional_Relevance: ( not exists regapps "Acrobat.exe" )

We use a monthly baseline that contains all relevant fixlets to patch all of our clients after testing. So effectively one action that targets the all clients group. Now with some fixlets in the baseline breaking certain machines, we will no longer be able to patch with one action to the all systems group. We will need to modify the baseline to exclude these troubling patches and target the all clients group. We will also need to take subsequent actions on each of the fixlets excluded from the global baseline to target a new group that excludes systems experiencing problems with that patch. Therefore, we might go from one action to dozens to accommodate these systems, which can become a management nightmare to keep track of what group gets what action.

Hope I didn’t cause more confusion.

Hani

Wouldn't that cause the fixlets to become out of sync if they were modified after their initial release?

Hani

You don’t modify the fixlets at all. You create a new baseline and you put that relevance in the baseline itself, not the fixlets. Then you include only the patches in that baseline that cause problems with that particular program.

That is great, as we can still target the same "all clients" group with these baselines. Unfortunately, it would still mean managing dozens of baselines a month.


Do you think there is a way to have a fixlet with the relevance to check for certain apps existence but make it always dynamically use the latest version of that fixlet as well?

Yes, you can still target “all clients”

Yes, you would need to manage separate baselines for any problematic patches, but they should be relatively small. You could automatically generate a monthly baseline that contains all patches not in an exclusion list, but you would still need to add to your exception baselines over time.
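Added example (not code from this thread or from BigFix) of the partitioning described above: every patch that is not on an exclusion list goes into the global baseline, and the remaining patches are grouped by the set of applications they conflict with, each group getting its own baseline whose relevance uses `not exists regapps` as in the Acrobat example. It generalizes the thread's one-application case to patches that conflict with several applications; fixlet IDs and conflicts are constructed sample data, and posting the result to the REST API is assumed to happen separately.

```python
"""Plan a month's baselines: one global baseline plus exclusion baselines."""
from collections import defaultdict

# Constructed sample data (hypothetical fixlet IDs and conflicting executables).
SAMPLE_FIXLETS = [401, 402, 403, 404, 405]
SAMPLE_CONFLICTS = {
    402: {"Acrobat.exe"},
    404: {"Acrobat.exe", "javaw.exe"},
    405: {"javaw.exe"},
}


def exclusion_relevance(apps):
    """Baseline relevance that is true only where none of the given
    executables is registered (regapps inspects the App Paths registry keys)."""
    clauses = [f'(not exists regapps "{app}")' for app in sorted(apps)]
    return " AND ".join(clauses)


def plan_baselines(month, fixlets, conflicts):
    """Return baseline specs: title, additional relevance, component fixlet IDs.

    fixlets:   iterable of fixlet IDs for the month
    conflicts: {fixlet_id: set of executables that patch must not be installed with}
    Fixlets with the same conflict set share one exclusion baseline.
    """
    groups = defaultdict(list)
    for fid in fixlets:
        groups[frozenset(conflicts.get(fid, ()))].append(fid)
    plan = []
    # Global baseline (empty conflict set) first, then smaller exclusion sets.
    for apps in sorted(groups, key=lambda s: (len(s), sorted(s))):
        fids = sorted(groups[apps])
        if not apps:
            plan.append({"title": f"{month} Patches - All Clients",
                         "relevance": "true", "fixlets": fids})
        else:
            plan.append({"title": f"{month} Patches - not on systems with "
                                  + ", ".join(sorted(apps)),
                         "relevance": exclusion_relevance(apps), "fixlets": fids})
    return plan


def covers_exactly_once(plan, fixlets):
    """Sanity check: every fixlet lands in exactly one baseline."""
    seen = [f for b in plan for f in b["fixlets"]]
    return sorted(seen) == sorted(fixlets) and len(seen) == len(set(seen))


if __name__ == "__main__":
    for b in plan_baselines("2024-05", SAMPLE_FIXLETS, SAMPLE_CONFLICTS):
        print(b["title"], "|", b["relevance"], "|", b["fixlets"])
```

All baselines still target the "all clients" group; the additional relevance on each exclusion baseline is what keeps the patch off the machines that would break.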

Thanks, I should have clarified my latter question. What I meant was, can we have one baseline with all relevant fixlets but somehow have these troubling fixlets check for the existence of a certain application and abort if it exists, and at the same time have the fixlet dynamically use the latest version of the fixlet from the external site (e.g. Patches for Windows), since the modified fixlet will have to be a copy.

Hani

Sorry. I know what you were asking, and it is not possible as far as I know. You would need to use the REST API and some fancy programming to maintain that relationship automatically on your own.

Thanks for the help, will share if we come up with any other solutions to this issue.
