Clarification of Baseline Synchronisation and Deployment

system · April 8, 2009, 5:02pm

(imported topic written by ErinC91)

Hi all,

I currently create a monthly baseline of the Microsoft security updates for deployment to our workstations, which I routinely re-synchronise.

Question 1 - Do I need to stop the existing deployment and re-deploy the Newly synchronised baseline ?

Question 2 - When a component of the Baseline (after re-sync) shows as “Superseded”, should I remove this from the Baseline ?

We add all critical updates to the monthly Baseline as rated by Microsoft and the SANS Internet Storm Center (http://isc.sans.org/)

Any information or opinions on this strategy appreciated, thanks.

BenKus · April 9, 2009, 8:27am

(imported comment written by BenKus)

Hi Erin,

Answers:

Yes. By design your baseline actions don’t change if the underlying baseline changes (to prevent you from accidentally updating things you didn’t mean to update).
I don’t think there is any real compelling reason to enforce removing superseded Fixlets from the baseline, but it is nice to do as a general cleanup (since by-definition, there is a newer/better patch that should be deployed in place of the superseded patches).

Ben

system · April 9, 2009, 3:58pm

(imported comment written by ErinC91)

Thanks for the clarification Ben, I’ll modify my procedures accordingly. I agree it’s nicer to keep it tidy by removing un-necessary superseded fixlets.