Monthly Cumulative Updates RELEVANCE QUESTION

Why has HCL taken the approach of no longer adding relevance that inspects file versions (as a minimum), favouring only a single reg key check to determine whether the cumulative updates are required / have been installed?

BigFix's approach of taking a deeper inspection was a key factor in leveraging this technology, as opposed to pretty much all competitors, who only do this by design.

If I wanted to bypass installing a patch (making it appear as non-relevant), I would simply edit 1 reg value now.

Example -

AND ((it as integer < 19747) of value "UBR" of key "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion" of native registry))

This is the same for all platform cumulative updates, not application-specific ones such as .NET etc.


I suspect much of it is due to MS changing to the cumulative update model, where one update applies what used to be numerous MSYY-nnnn bulletins, and to client efficiency. Checking one reg key for the UBR that the current CU would apply has to be much more efficient on the agent cycles than the potentially hundreds of file checks for all the files updated by a CU.

I’ll see whether I can find some background on the relevance check changes, but I do think it’s likely for performance as @SLB says.

Is this registry tampering a problem you’ve seen, or a theoretical exercise?

If you want to do a full-file validation I could probably help with that; but now that rollups are thousands of files, I would avoid checking them in relevance directly. Instead it would be an action to run DISM with one of the scan-health options.
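A concrete version of the cross-check discussed above, as an added example that is not code from this thread or from BigFix: it compares the single UBR registry value a relevance clause trusts against the version stamped into a core OS binary, and only falls back to the expensive DISM scan-health step when the two disagree. It assumes that the fourth field of ntoskrnl.exe's file version tracks the installed UBR, and reuses the 19747 threshold quoted in the first post.

```powershell
# Added example (not from the forum thread or BigFix). Cross-checks the one
# registry value a cumulative-update relevance clause trusts (UBR) against the
# version stamped into a core OS binary; a disagreement is what a tampered or
# stale UBR value looks like to a defender.
# Assumption: the 4th field of ntoskrnl.exe's file version tracks the installed
# UBR. 19747 is the threshold quoted in the thread.
function Test-CumulativeUpdateEvidence {
    param([int]$RequiredUbr = 19747)

    $regKey   = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion'
    $regUbr   = [int](Get-ItemPropertyValue -Path $regKey -Name 'UBR')
    $regBuild = [int](Get-ItemPropertyValue -Path $regKey -Name 'CurrentBuildNumber')

    # Independent evidence: the kernel's FileVersion string looks like
    # "10.0.19041.1237 (WinBuild.160101.0800)"; keep only the numeric part.
    $kernel   = Join-Path $env:SystemRoot 'System32\ntoskrnl.exe'
    $fvString = (Get-Item -LiteralPath $kernel).VersionInfo.FileVersion
    $fv       = [version](($fvString -split ' ')[0])

    $registrySaysPatched = $regUbr -ge $RequiredUbr
    $kernelSaysPatched   = ($fv.Build -eq $regBuild) -and ($fv.Revision -ge $RequiredUbr)

    [pscustomobject]@{
        RegistryBuild       = $regBuild
        RegistryUBR         = $regUbr
        KernelBuild         = $fv.Build
        KernelUBR           = $fv.Revision
        RegistrySaysPatched = $registrySaysPatched
        KernelSaysPatched   = $kernelSaysPatched
        # True when the registry claims a patch level the binary does not back
        # up (or the other way round): the case a reg-only check cannot see.
        Mismatch            = ($registrySaysPatched -ne $kernelSaysPatched) -or
                              ($fv.Revision -ne $regUbr)
    }
}

$evidence = Test-CumulativeUpdateEvidence
$evidence | Format-List

# Escalate to the component-store check mentioned in the reply above only when
# the cheap cross-check disagrees with itself; this is the slow step.
if ($evidence.Mismatch) {
    & "$env:SystemRoot\System32\DISM.exe" /Online /Cleanup-Image /ScanHealth
    exit $LASTEXITCODE
}
```

Run it in an elevated session; DISM needs administrator rights, and the registry reads work under a standard user.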

File validation in addition to reg checks always set BigFix aside from its competitors. I appreciate the efficient evaluation argument, but speaking with my security hat on, challenging Microsoft with a 3rd-party patch validation tool has kept BigFix well respected in our environment. If you take that away and tell me to use DISM, then the pressure to favour Microsoft for validation purposes of Microsoft products significantly increases.
Not expecting relevance to validate every file change, but a small subset would go a long way in winning this argument.