I’ve read about patches and baselines in the threads related to multiple baselines, and I understood the part where I keep a flag for:
- Baseline in Progress
- Baseline 1 has finished flag (as a post-action flag)
But I can’t help wondering what happens if, after I apply a baseline (I want to apply only critical and important Windows patches) to a machine and then other baselines, by some chance a fixlet that should have become relevant will not run simply because of a flag.
In short, I would like to have baselines run from the oldest relevant to the newest relevant (in a linear/chronological fashion, not in parallel), and if suddenly a patch from an older baseline becomes available, to have it re-apply.
Can someone be kind enough to provide me with some solid info on how it’s done?
Will it use “pre/post actions”, or will it target a custom client-managed property, etc.?
I believe the system will automatically prevent multiple baselines from executing simultaneously if they are all executed from the same site. If they are from different sites, then some manual protections are in order.
The way we do this is that baseline 1 sets a flag at the end saying it has completed and baseline 2 won’t start until it sees that flag. In our case we create a file of a particular name, but you could use a client setting or registry entry, or many other options. None of the baselines’ relevance checks for the non-existence of the flag that it sets itself, only the flag for the previous baseline. This means that all of the baselines will execute in sequence until completed, then once finished, any newly relevant component of any of the baselines will re-execute.
You can also have “initial provisioning baselines” that are separated from your patching baselines. You can have a flag that is set at your last provisioning baseline that is “provisioning complete” of some sort; then all other baselines could be dependent upon this flag existing. This is helpful to separate software installation from patching.
You can even go a step further and create an automatic group that is all computers that either have the “provisioning complete” flag set, or have their OS install date at least 10 days in the past. Then you could add to the relevance of all patching baselines that it should only run against members of this automatic group. This allows you to decouple this relevance from the patching baselines themselves and allows you to tune it as you see fit. This also would allow things to function as they are currently without having to artificially set a flag on all existing machines in your deployment. I frequently find it helpful to decouple certain kinds of relevance from the item itself and instead place it in an automatic group. This can be dangerous however if many open actions are targeted against an automatic group and you accidentally alter the relevance of the automatic group in a way to include computers unintentionally.
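The chained-flag scheme described in this answer, written out as an added example (not code from the thread or from the poster). It uses client settings rather than the poster's marker file; the setting names, the baseline names and the "10 days since OS install" rule are illustrative assumptions, and `install date of operating system` is assumed to be a Windows-only inspector, so it is guarded with `exists`.

```text
// --- Added example: sequencing baselines with per-baseline flags (assumed names) ---

// Post-Action Script of PatchingBaseline201401_01: record that this baseline finished.
// The baseline itself never checks this setting, only the next one does.
setting "_Custom_PatchBaseline_201401_01_Done"="1" on "{parameter "action issue date" of action}" for client

// Extra relevance on PatchingBaseline201401_02: wait for _01, do not check own flag.
exists setting "_Custom_PatchBaseline_201401_01_Done" whose (value of it = "1") of client

// Post-Action Script of PatchingBaseline201401_02:
setting "_Custom_PatchBaseline_201401_02_Done"="1" on "{parameter "action issue date" of action}" for client

// Extra relevance on PatchingBaseline201401_03: wait for _02.
exists setting "_Custom_PatchBaseline_201401_02_Done" whose (value of it = "1") of client

// Post-Action Script of the last provisioning baseline:
setting "_Custom_ProvisioningComplete"="1" on "{parameter "action issue date" of action}" for client

// Relevance of an automatic group "Ready for patching": provisioning done,
// or (assumed inspector, Windows only) the OS was installed more than 10 days ago.
// Target the patching baselines at this group instead of hard-coding the flag check.
exists setting "_Custom_ProvisioningComplete" whose (value of it = "1") of client
OR (exists install date of operating system AND (now - install date of operating system) > 10 * day)
```

Because each baseline checks only its predecessor's flag, once all flags exist every baseline is free to re-run, but that only happens if its action is still open and was taken with "Reapply this action whenever it becomes relevant again" (Execution tab); a one-shot action will not pick up a newly relevant component. As jgstew notes, an error in baseline _01 leaves its flag unset and blocks everything after it, so watch for machines stuck on an old flag.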
Actually, BESClient will run only one action at a time, but when multiple baselines are relevant and have an action it will alternate between baselines. For example: fixlet 1 of baseline 1 > fixlet 2 of baseline 1 requests download / waits > fixlet 1 of baseline 2.
As for the flags, I tried to do it. I made a pre/post-execution action that does the following:
Pre-Action:
regset "[HKEY_LOCAL_MACHINE\SOFTWARE\Patches]" "Baseline In Progress"=dword:00000001
Post-Action:
regset "[HKEY_LOCAL_MACHINE\SOFTWARE\Patches]" "Baseline In Progress"=dword:00000000
and the relevance on all baselines:
if (exists key "HKEY_LOCAL_MACHINE\SOFTWARE\Patches" of native registry AND exists value "Baseline In Progress" of key "HKEY_LOCAL_MACHINE\SOFTWARE\Patches" of native registry) then (if (value "Baseline In Progress" of key "HKEY_LOCAL_MACHINE\SOFTWARE\Patches" of native registry as string = "1") then false else true) else true
And so far it looks good. I gave up on the linear fashion since I do want baselines to become relevant if a patch is needed (after fixlet site updates to relevance, etc.).
It is possible to have them execute linearly but still apply again if needed if you set a different flag for each baseline and each subsequent baseline will not execute until that flag exists, but that same baseline does not check for its own flag. This would be complex to setup every time you do patching, but it would be possible.
I could see setting a flag along the lines of PatchingBaselineYYYYMM_01
One issue with this method applied to patching is that there are patch interdependencies and they are superseded in the future. Another issue is that a problem could stall out patching completely.
You can edit a baseline to specify the relevance in the “relevance” tab.
You can also check a box at the bottom of the components tab “Use custom action settings for this baseline.” and then click the “set action settings” link. This will allow you to specify defaults for most of these “take action” config items.
Yes, I know, but that would not allow me to set or pre-populate the pre/post-execution action script.
I’m trying to think what would happen if I create these action scripts as tasks and add one at the beginning and one at the end, with their relevance as needed (for example, “Baseline In Progress” != 1 for the pre-task),
and uncheck “Baseline will be relevant on applicable computers where this component is relevant” so it doesn’t affect the relevance.
Going to try it. Thanks jgstew for all the help here.
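An added example (not code from the thread) that builds on the regset "Baseline In Progress" lock posted above and on jgstew's warning that a problem could stall patching completely: if the post-action script never runs (interrupted baseline, failed component, client restart mid-way), the flag stays set and every baseline stays non-relevant forever. The variant below records which baseline holds the lock and when it took it, so a baseline is allowed to run when nothing is in progress, when it is itself the holder, or when the lock is older than an assumed 4-hour timeout. The registry value names, the baseline ID "201401_01" (hard-coded per baseline) and the timeout are assumptions. The two scripts can equally be the first and last task components of the baseline, as proposed in the last post.

```text
// --- Added example: self-identifying, expiring "in progress" lock (assumed names) ---

// Pre-Action Script (or first task component) of baseline 201401_01:
// take the lock and stamp it with the client's current time.
regset "[HKEY_LOCAL_MACHINE\SOFTWARE\Patches]" "Baseline In Progress"="201401_01"
regset "[HKEY_LOCAL_MACHINE\SOFTWARE\Patches]" "Baseline Started"="{now}"

// Post-Action Script (or last task component) of baseline 201401_01:
// release the lock by removing both values.
regdelete "[HKEY_LOCAL_MACHINE\SOFTWARE\Patches]" "Baseline In Progress"
regdelete "[HKEY_LOCAL_MACHINE\SOFTWARE\Patches]" "Baseline Started"

// Relevance added to baseline 201401_01 (each baseline uses its own ID in the second line).
// OR is evaluated left to right and stops at the first true clause, so a missing value
// is only ever inspected after a clause has confirmed it exists.
not exists value "Baseline In Progress" of key "HKEY_LOCAL_MACHINE\SOFTWARE\Patches" of native registry
OR (value "Baseline In Progress" of key "HKEY_LOCAL_MACHINE\SOFTWARE\Patches" of native registry as string = "201401_01")
OR not exists value "Baseline Started" of key "HKEY_LOCAL_MACHINE\SOFTWARE\Patches" of native registry
OR ((now - (value "Baseline Started" of key "HKEY_LOCAL_MACHINE\SOFTWARE\Patches" of native registry as string as time)) > 4 * hour)
```

Pick the timeout longer than the slowest baseline you expect to run, including download waits, otherwise two baselines can overlap exactly as they would without the lock. If the "Baseline Started" string is ever edited by hand into something `as time` cannot parse, the last clause errors and the baseline shows as not relevant, which is the safe direction; deleting both values clears it.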