Session Relevance to Retrieve Only the Latest Updates

Hello everyone! We created the session relevance below to retrieve all applicable patches in our environment. However, we would like to retrieve only the latest updates and not all prior ones, such as old cumulative updates or updates of third-party apps (i.e. Zoom 5.15.7.20303, Zoom 6.6.10.22255, Zoom 6.6.11.23272).

The goal is to use this for reporting initially, but eventually automate patching with RestAPI. We do not use patch policies or manual baselines. Baselines do not allow us to stop a problematic patch and require the entire action group to be stopped. Web Reports is also cleaner for us with individual actions.

unique values of names of bes fixlets whose (
    (
        (display name of site of it contains "Patches for Windows") OR
        (display name of site of it contains "Updates for Windows Applications")
    )
    AND
    (exists applicable computers whose (
        operating system of it starts with "Win7" OR
        operating system of it starts with "Win8" OR
        operating system of it starts with "Win10" OR
        operating system of it starts with "Win11"
    ) of it)
    AND
    (name of it does not contain regex ("Superseded|Update Preview|Windows 10 Business Editions|Windows 11 Business Editions"))
)

This is the relevance used by the Patch domain to show content less than 30 days old.

set of fixlets whose (current date - first 16 of mime field "x-fixlet-first-propagation" of it as date < 30*day AND name of it does not contain "Superseded") of all bes sites whose (name of it contains &domainSitename;)

So, perhaps adding this bit of relevance to your whose filter, adjusted for the number of days back you require, of course.

current date - first 16 of mime field "x-fixlet-first-propagation" of it as date < 30*day

1 Like

Thank you for the input. I thought about a date range or limit, but this would eliminate updates I may need.

I think much of our content would not have the kind of metadata attached to reliably identify it as a specific Product, so I think you'll have difficulty determining which is the latest patch for any given product.

A couple of things you should be able to rely on, though, are 'supersedence' (a Security/Patch Fixlet should be marked as 'superseded' when it is replaced by a newer fixlet) and Relevance (installation of a higher version should cause an older version to become non-relevant).

Where it gets tricky is when a vendor does not tag an update as a 'security' update. We only do supersedence for 'security' updates. In the specific case you mentioned (Zoom), only the latest versions of 5.x and of 6.x are not 'superseded'. Apparently the last version of 5.x (from 2023) was not tagged as a 'Security' update, so it is not superseded by the 6.x fixlets. This may be an edge case.

In general though I'd update the bes fixlets filter to include

and name of it as lowercase does not contain "superseded"

That will remove a lot of the bulk for fixlets that are no longer needed. For the remainder, like in this Zoom case, installing the 6.x fixlet will make the 5.x fixlet non-Relevant so it will naturally drop out of your list over time.

1 Like

Thank you, Jason. This is what I feared. We are looking for a filter that is currently not possible. I am already removing (Superseded|Update Preview|Windows 10 Business Editions|Windows 11 Business Editions) using regular expressions.

1 Like
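
Added example (not from the thread's participants and not BigFix code): a client-side pass over the fixlet names returned by the session relevance query that drops superseded entries and keeps the highest dotted version per product. It assumes names carry a dotted version as in the Zoom names quoted above; the function names and the sample names are constructed for illustration, and names with no parseable version are returned separately rather than dropped.

```python
import re

# Dotted numeric version with at least two components, e.g. 6.6.11.23272
VERSION_RE = re.compile(r"\b(\d+(?:\.\d+)+)\b")

def split_name(name):
    """Return (product_key, version_tuple), or None if no dotted version is found."""
    m = VERSION_RE.search(name)
    if not m:
        return None
    # Product key = the name with the version removed, case and spacing normalised
    product = " ".join((name[:m.start()] + name[m.end():]).lower().split())
    version = tuple(int(part) for part in m.group(1).split("."))
    return product, version

def latest_only(names, same_major=False):
    """Return (latest, unparsed): newest name per product, plus names left untouched.

    same_major=True keeps the newest release of each major version (5.x and 6.x
    separately), matching how supersedence was described for Zoom in the thread.
    """
    best, unparsed = {}, []
    for name in names:
        if "superseded" in name.lower():
            continue  # same intent as the 'does not contain "superseded"' filter
        parsed = split_name(name)
        if parsed is None:
            unparsed.append(name)  # e.g. KB-style names: never guess, never drop
            continue
        product, version = parsed
        key = (product, version[0]) if same_major else product
        # Tuples compare numerically, so 6.6.11 correctly outranks 6.6.9
        if key not in best or version > best[key][0]:
            best[key] = (version, name)
    return sorted(n for _, n in best.values()), sorted(unparsed)

# Constructed sample names (versions taken from the thread, wording assumed)
SAMPLE = [
    "Zoom 5.15.7.20303 Available",
    "Zoom 6.6.10.22255 Available (Superseded)",
    "Zoom 6.6.11.23272 Available",
    "Example Cumulative Update - KB0000000",
]

if __name__ == "__main__":
    latest, untouched = latest_only(SAMPLE)
    print("latest:", latest)
    print("left as-is:", untouched)
```

The name-based grouping is a heuristic for reporting; supersedence and fixlet Relevance remain the authoritative signals for what actually needs to be deployed.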