Clarification of Baseline Synchronisation and Deployment

(imported topic written by ErinC91)

Hi all,

I currently create a monthly baseline of the Microsoft security updates for deployment to our workstations, which I routinely re-synchronise.

Question 1 - Do I need to stop the existing deployment and re-deploy the Newly synchronised baseline ?

Question 2 - When a component of the Baseline (after re-sync) shows as “Superseded”, should I remove this from the Baseline ?

We add all critical updates to the monthly Baseline as rated by Microsoft and the SANS Internet Storm Center (

Any information or opinions on this strategy appreciated, thanks.

(imported comment written by BenKus)

Hi Erin,


  1. Yes. By design your baseline actions don’t change if the underlying baseline changes (to prevent you from accidentally updating things you didn’t mean to update).

  2. I don’t think there is any real compelling reason to enforce removing superseded Fixlets from the baseline, but it is nice to do as a general cleanup (since by-definition, there is a newer/better patch that should be deployed in place of the superseded patches).


(imported comment written by ErinC91)

Thanks for the clarification Ben, I’ll modify my procedures accordingly. I agree it’s nicer to keep it tidy by removing un-necessary superseded fixlets.