Patching old MS fixlets automatically

(imported topic written by cstoneba)

We currently create 1 baseline per month of Microsoft patches, then deploy that baseline for our servers when their maintenance window occurs.

The problem we are having is in our SMS deployment, we had the ability to okay various updates, regardless of when they were released, and then they would be deployed when the device started patching. No need to worry about not getting old patches deployed.

We need the ability to deploy patches older than 1 month old that are not in our current baseline. However, I don’t want to have a baseline of some 1200 fixlets that are applicable. I thought about starting to create a cumulative baseline per OS, but I am seeing some 500 applicable fixlets for just Win2003.

I feel that the baseline concept is the biggest obstacle with deploying BigFix in an enterprise environment. How are other people overcoming this issue? thanks

(imported comment written by SystemAdmin)

We run with the baseline concept as well. However we have them built per quarter, instead of monthly. Note this isn’t every patch Microsoft ever released either, we have certified OS patches that we build into the baselines for each quarter. If we hit 100 components, we create a 2nd baseline for that quarter.

It does require a bit of maintenance, but we have found it works pretty well. Our baselines date back to 2006 patches as well.

(imported comment written by cstoneba)

How many quarterly baselines do you have for 2010?

(imported comment written by SystemAdmin)

For 2010, we have 6 baselines.

(imported comment written by cstoneba)

So if someone uninstalls a patch, do you manually run a report or something that says “okay, now I need to queue up 2010 baseline #3 for these assets”?

(imported comment written by SystemAdmin)

More or less, yes. If a patch is uninstalled, then the baseline will show relevant again, and we would re-deploy that baseline with an action.

(imported comment written by cstoneba)

What I would like to remove is the manual part where you have to notice that a patch has been removed and then queue up the baseline again. I want something to redeploy the “approved” patches, regardless of whether they are in baseline #1 or baseline #6. Maybe it isn’t possible, but it currently is something that SMS does, and we are trying to find a solution.

(imported comment written by SystemAdmin)

You could play around with making a policy for that baseline, I would suspect. We don’t use policies for baselines yet, since we are working to get our environment compliant first.

(imported comment written by cstoneba)

I’m now considering making a custom site with all my baselines running as policies within this custom site. This would resolve my cumulative patching issue. However, I currently have a reboot at the end of each baseline. How could I have a single reboot at the end of all my baselines being applied?