I’ve got a customer that has a patching policy every 3 months.
He configured Patch Policies for:
- Security Patches from Patches for Windows
- Browser Patches from Updates for Windows Applications
Each Patch Policy is not configured with Auto-Refresh.
He configured all of the schedules (Deployment Rings).
And he configured all of his machines to evaluate Superseded Content.
Before each cycle, he manually “Refreshes” the Patch Policy list and gets all of the relevant Patches that are not Superseded and have a Default Action.
The cycle starts, and then, as expected, some of the Patches turn Superseded:
- Security Patches from Patches for Windows - When a Patch becomes Superseded, the Default Action is removed. It will still be shown in the External Content, but when the Schedule arrives it won’t be added as a Sub-Action.
- Browser Patches from Updates for Windows Applications - All Superseded Content is still being deployed, because it still has a Default Action.
This behavior - “The default/existing remediation action will be disabled, and a new remediation action added to prevent superseded patches from deploying automatically during a baseline sync; but to still allow for the patch to be deployed, if desired.” - Supersedence handling change for Windows Patches - Patch (Release Announcements) - from June 2017 - is causing the “Deployment Rings” to be inconsistent.
And much worse, it is causing the Servers to be unpatched.
And the weird thing is, you are allowing Superseded content from other content sites to be deployed through the WebUI Patch Policy, so the following statement - “Superseded patches are flagged but not deployed” - Content (Custom/External) Tab - is false.
What I expect:
- While refreshing Patch Policy content, it will only contain Fixlets that have a Default Action.
- When content from Patches for Windows becomes Superseded, it will just be tagged as Superseded but the Default Action will not be removed.
I’ve already opened a Support Ticket about this and got the following workaround:
I should copy all of the relevant Fixlets to a Custom Site and change the behavior of the Patch Policy to Custom content instead of External content.
This is quite absurd, because the only reason the patch is not being deployed is the removal of the Default Action for the Fixlet, and this is being done on HCL’s side.
What do you think?
I would like to hear more opinions about this matter.
I’ve already seen an Idea about this - https://bigfix-ideas.hcltechsw.com/ideas/BFPTCH-I-272 - please also vote.
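To make the inconsistency between the two sites concrete, here is an added simulation (not part of the original post and not BigFix code) that models the refresh and schedule steps described above on a constructed set of Fixlets; the `Fixlet` fields, the site names and the ids are assumptions chosen to mirror the post.

```python
from dataclasses import dataclass, replace

@dataclass(frozen=True)
class Fixlet:
    fid: str                 # constructed id, not a real BigFix Fixlet id
    site: str                # external site the Fixlet comes from
    relevant: bool           # relevant on at least one machine in the ring
    superseded: bool
    has_default_action: bool

def refresh_policy(fixlets):
    # Manual "Refresh" of the policy: keep relevant, not-yet-superseded
    # Fixlets that carry a Default Action. Returns the frozen set of ids.
    return {f.fid for f in fixlets
            if f.relevant and not f.superseded and f.has_default_action}

def supersede(fixlet):
    # Behaviour the post describes: superseded Patches for Windows content
    # loses its Default Action, other external sites keep theirs.
    keeps_action = fixlet.site != "Patches for Windows"
    return replace(fixlet, superseded=True,
                   has_default_action=fixlet.has_default_action and keeps_action)

def run_schedule(policy_ids, fixlets):
    # When a Deployment Ring's schedule arrives, only Fixlets that still
    # have a Default Action are added as Sub-Actions.
    by_id = {f.fid: f for f in fixlets}
    deployed = {fid for fid in policy_ids if by_id[fid].has_default_action}
    return {
        "deployed": deployed,
        # in the policy, superseded, silently skipped -> servers stay unpatched
        "dropped_superseded": {fid for fid in policy_ids - deployed if by_id[fid].superseded},
        # superseded but still deployed, contradicting "flagged but not deployed"
        "deployed_superseded": {fid for fid in deployed if by_id[fid].superseded},
    }

def simulate(fixlets, superseded_between_cycles):
    policy_ids = refresh_policy(fixlets)
    after = [supersede(f) if f.fid in superseded_between_cycles else f for f in fixlets]
    return run_schedule(policy_ids, after)

# Constructed sample content for one cycle
SAMPLE = [
    Fixlet("PW-1", "Patches for Windows", True, False, True),
    Fixlet("PW-2", "Patches for Windows", True, False, True),
    Fixlet("PW-3", "Patches for Windows", True, True, False),   # superseded before refresh
    Fixlet("UWA-1", "Updates for Windows Applications", True, False, True),
    Fixlet("UWA-2", "Updates for Windows Applications", True, False, True),
]

if __name__ == "__main__":
    print(simulate(SAMPLE, {"PW-1", "UWA-1"}))
```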