Remediation of old Windows security bulletins

Just wondering if anyone has some good tips for patching some historic security bulletins easily. For our patching process we create a baseline for the current month, and the last few months. We had tried with all old missing patches but we ran into problems with an enormous baseline of 1000+ items. We currently have 7000 Windows servers in our environment, but will eventually be looking at expanding that to 15,000ish.

Our plan right now is to have our standard month baseline, last 3 months remediation baseline, and a “full remediation” baseline that targets only a subset of servers. A server would get either the “standard” or “full” baseline with monthly patching.

Anyone have tips how you have handled older missing patches across thousands of endpoints?

I might be misunderstanding things, but I think you don't want all the content we've ever developed in terms of missing older patches.

Most Windows patches that Microsoft releases get superseded by older stuff. Are you trying to apply the old superseded stuff on top of the current stuff?

No, I just want the stuff that hasn’t been superseded that needs to be applied. But when you talk about 7000+ servers it’s over 1000 individual fixlets.

We use a similar strategy. We have a baseline containing just the MSxx-xxx security update fixlets for each month, and these typically total less than 250 fixlets, so we don't run into performance issues. Over time, as patches get superseded, we roll up the fixlets into quarterly, half-yearly or yearly baselines (or as few baselines as possible without going over 250 fixlets) and have those released to the relevant endpoints. Admittedly this does mean you end up administering baselines a bit more frequently, though the baseline dashboard makes that part a bit easier, but for us it works quite well for 100k endpoints.

Regs
Rob


I’ve also heard users say they iteratively build up a baseline over the course of a year. Rebuilding once a month or so.
At end of year it’s got all the patches for a given year.

I'd suggest a divide and conquer method.

- Create automatic groups per OS.
- Check each OS group to make sure they have the latest service packs and apply them.
- Create a baseline per OS.
- Create a custom filter per OS and add all relevant patches (MSxx-xxx if Windows); add the patches to your baseline.
- Apply the baseline to systems and reboot as needed.

You're gonna have to get over the hurdle of getting all your machines up to date; then it's just a matter of keeping them updated.

We’ve practiced for years and it works well.

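The two approaches above (rolling superseded-free fixlets into baselines of at most 250 items, and doing it per OS group) can be modelled as a small planning script. This is an added example, not code from the thread or from the patching product itself; the fixlet records, their `superseded_by` links and the OS names are constructed placeholders, and the per-baseline cap is a parameter so the 250 limit from the thread can be set by the caller.

```python
from collections import defaultdict
from datetime import date

# Constructed sample fixlet records (placeholder ids in the MSxx-xxx style).
# "superseded_by" names the newer fixlet that replaces this one, or None.
SAMPLE_FIXLETS = [
    {"id": "MSxx-001", "os": "Win2008R2", "released": date(2015, 1, 13), "superseded_by": "MSxx-004"},
    {"id": "MSxx-002", "os": "Win2008R2", "released": date(2015, 2, 10), "superseded_by": None},
    {"id": "MSxx-003", "os": "Win2012R2", "released": date(2015, 2, 10), "superseded_by": None},
    {"id": "MSxx-004", "os": "Win2008R2", "released": date(2015, 3, 10), "superseded_by": None},
    {"id": "MSxx-005", "os": "Win2008R2", "released": date(2015, 5, 12), "superseded_by": None},
    {"id": "MSxx-006", "os": "Win2012R2", "released": date(2015, 5, 12), "superseded_by": None},
    # Superseded by a fixlet that is not in our content set: keep it, or the
    # endpoint would be left without the fix at all.
    {"id": "MSxx-007", "os": "Win2008R2", "released": date(2015, 4, 14), "superseded_by": "MSxx-099"},
]


def unsuperseded(fixlets):
    """Drop fixlets whose superseding fixlet is itself part of the set."""
    ids = {f["id"] for f in fixlets}
    return [f for f in fixlets if f["superseded_by"] not in ids]


def roll_up(fixlets, current_month, max_per_baseline=250):
    """Plan baselines per OS: older unsuperseded fixlets are rolled up in
    release order into baselines of at most max_per_baseline items, and the
    current month (a (year, month) tuple) gets its own standard baseline."""
    by_os = defaultdict(list)
    for f in unsuperseded(fixlets):
        by_os[f["os"]].append(f)
    plan = {}
    for os_name, items in by_os.items():
        items.sort(key=lambda f: f["released"])
        is_current = lambda f: (f["released"].year, f["released"].month) == current_month
        older = [f for f in items if not is_current(f)]
        current = [f["id"] for f in items if is_current(f)]
        baselines = []
        for i in range(0, len(older), max_per_baseline):
            chunk = older[i:i + max_per_baseline]
            name = f"{os_name} rollup {chunk[0]['released']:%Y-%m} to {chunk[-1]['released']:%Y-%m}"
            baselines.append((name, [f["id"] for f in chunk]))
        if current:
            baselines.append((f"{os_name} {current_month[0]}-{current_month[1]:02d}", current))
        plan[os_name] = baselines
    return plan


if __name__ == "__main__":
    for os_name, baselines in roll_up(SAMPLE_FIXLETS, (2015, 5), max_per_baseline=2).items():
        for name, ids in baselines:
            print(f"{name}: {len(ids)} fixlets -> {', '.join(ids)}")
```

Run against real content, the rollup baselines are the ones you would re-cut as more fixlets get superseded, so the count per OS stays under the cap.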