Clarification of Baseline Synchronisation and Deployment

(imported topic written by ErinC91)

Hi all,

I currently create a monthly baseline of the Microsoft security updates for deployment to our workstations, which I routinely re-synchronise.

Question 1 - Do I need to stop the existing deployment and re-deploy the Newly synchronised baseline ?

Question 2 - When a component of the Baseline (after re-sync) shows as “Superseded”, should I remove this from the Baseline ?

We add all critical updates to the monthly Baseline as rated by Microsoft and the SANS Internet Storm Center (http://isc.sans.org/)

Any information or opinions on this strategy appreciated, thanks.

(imported comment written by BenKus)

Hi Erin,

Answers:

  1. Yes. By design your baseline actions don’t change if the underlying baseline changes (to prevent you from accidentally updating things you didn’t mean to update).

  2. I don’t think there is any real compelling reason to enforce removing superseded Fixlets from the baseline, but it is nice to do as a general cleanup (since by-definition, there is a newer/better patch that should be deployed in place of the superseded patches).

Ben

(imported comment written by ErinC91)

Thanks for the clarification Ben, I’ll modify my procedures accordingly. I agree it’s nicer to keep it tidy by removing un-necessary superseded fixlets.