I’m just wondering what people’s thoughts about this process are.
In many cases we need to deploy older patches (released before the current year) to clients on our network. What I’ve done is created a site called “Old Patches”, and have created baselines broken down by year for years that don’t have many patches, or by quarter for years that have a lot of patches. This keeps the number of baseline components to a reasonable level.
In our regular patch site, there is a policy that looks for a custom setting called Last_Patch_Baseline. If it doesn’t exist, or if it exists and is set to 0 the relevant computer is automatically subscribed to the Old Patches site.
Each of the baselines in the Old Patches site has the “baseline will be relevant…” setting disabled for every component except the last one, which is a task that sets the value of Last_Patch_Baseline. For the first baseline (the one with the oldest patches) the relevance is set so if Last_Patch_Baseline doesn’t exist or is set to 0 it becomes relevant. The last task that sets the Last_Patch_Baseline value sets it to the name of the baseline.
The next baseline (next oldest patches) checks the value of Last_Patch_Baseline and if it’s set to the name of the previous baseline, it becomes relevant. Again, the last task sets the Last_Patch_Baseline to the name of the baseline.
Back in the regular patching site there is a policy that looks for the value of Last_Patch_Baseline to be the name of the very last Old Patches baseline; when a computer becomes relevant, it unsubscribes that computer from the Old Patches site.
I also have a task in the regular patching site to reset the Last_Patch_Baseline to 0; this will force any computer that has already gone through the old patching process to become relevant again.
With this process any new computer that comes onto the network will first install any old patches that may be applicable so when it comes time to do our regular patching they will be close to being up to date.
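As an added illustration (this is not the original poster’s content, just a reconstruction of the chain they describe), here is how the marker-setting scheme maps onto BigFix relevance and actionscript. The baseline names OldPatches-2015, OldPatches-2016-Q1 and OldPatches-2016-Q2 are assumed placeholders; the site name “Old Patches” and the setting name Last_Patch_Baseline come from the post. Each Old Patches baseline has “Baseline will be relevant…” unchecked on every component except its final task, so the relevance shown for a baseline is really the relevance of that final task.

```bigfix
// Added example, not from the original post. Baseline names are assumed.

// --- Regular patch site: policy that pushes a computer into "Old Patches".
// Relevant when the marker is missing or has been reset to 0.
(not exists setting "Last_Patch_Baseline" of client)
 or (value of setting "Last_Patch_Baseline" of client = "0")
// Its action subscribes the computer to the "Old Patches" site
// (done through the console, as described in the post).

// --- Old Patches site, first baseline ("OldPatches-2015").
// Relevance of the final component (the marker task); same test as above.
(not exists setting "Last_Patch_Baseline" of client)
 or (value of setting "Last_Patch_Baseline" of client = "0")
// Actionscript of that final task: record that this baseline completed.
setting "Last_Patch_Baseline"="OldPatches-2015" on "{parameter "action issue date" of action}" for client

// --- Old Patches site, next baseline ("OldPatches-2016-Q1").
// Only relevant once the previous baseline has written its name.
(exists setting "Last_Patch_Baseline" of client)
 and (value of setting "Last_Patch_Baseline" of client = "OldPatches-2015")
setting "Last_Patch_Baseline"="OldPatches-2016-Q1" on "{parameter "action issue date" of action}" for client

// --- Old Patches site, last baseline ("OldPatches-2016-Q2").
(exists setting "Last_Patch_Baseline" of client)
 and (value of setting "Last_Patch_Baseline" of client = "OldPatches-2016-Q1")
setting "Last_Patch_Baseline"="OldPatches-2016-Q2" on "{parameter "action issue date" of action}" for client

// --- Regular patch site: policy that removes the computer from "Old Patches".
// Relevant once the marker carries the name of the very last baseline.
(exists setting "Last_Patch_Baseline" of client)
 and (value of setting "Last_Patch_Baseline" of client = "OldPatches-2016-Q2")

// --- Regular patch site: reset task, sends the computer back through the chain.
setting "Last_Patch_Baseline"="0" on "{parameter "action issue date" of action}" for client
```

Two practical notes on this layout. The `exists` guard in front of every `value of setting` comparison keeps the expression from erroring on a client that has never had the setting written, which is exactly the state of a freshly imaged machine. And because each baseline keys on the literal name written by the previous one, a rename of any baseline in the console must be matched by editing the next baseline’s relevance and the previous baseline’s actionscript; a computer whose marker holds a name no baseline looks for will sit in the Old Patches site indefinitely, which is easy to spot with an analysis that reports `value of setting "Last_Patch_Baseline" of client`.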