When creating a custom copy of 2016 patches in custom sites, they are not becoming applicable

When we create a custom copy of 2016 patches in the custom sites, they are not becoming applicable. Hence we are unable to view the patches and unable to deploy them on desktops and laptops.

Could anyone please suggest how to resolve the issue…

Note: patches for Windows are becoming applicable, but when we create a custom copy in a custom site the patches are not becoming applicable.

Can you take a screenshot of the Site subscription of the custom site and upload it?

-jgo

Please find the snapshot for your reference

Are your endpoints subscribed to your custom site? They need to be subscribed in order to evaluate whether they are relevant or not.

All of the machines saying “0 / 0” is a good sign that there aren’t computers subscribed to the site. You’ll need to click on the custom site on the left navigation bar and adjust the subscription relevance.

On a slightly related note – why are you copying Patches into a custom site?

Yes, it is subscribed. 2015 patches are reflecting and showing applicable. The only issue is with 2016 patches.

As per organization audit, we follow the patches which need to be deployed, and hence we created a custom site like “organization approved patches” and copy those patches to the custom site. The issue is happening with 2016 patches only and not with 2015 patches or below.

What is the scope of subscription for the custom site you have created? What computers are you subscribing to the site? All computers? Or some computers? If some computers, then what is the subscription criteria/relevance you are using in your custom site?

The issue with doing this is you lose the ability to “Sync” updated fixlets – when IBM publishes a fix for a patch your copies won’t have the fix.

You may be better off subscribing the computers to the Patches for Windows Site and only granting your operators access to a “Content” site where you publish approved baselines – operators then can only patch with the approved baselines and will not have access to push out the patches individually.

I agree with @strawgate

This isn’t a good idea to do generally as it will be much less efficient for your endpoints and infrastructure. It will also cause major issues when fixlets are updated by IBM.

Using baselines in a custom site as @strawgate recommends is probably the best option, but honestly you should be patching through baselines anyway, and those baselines would be the mechanism to know which are approved, so you shouldn’t need to limit access to the Patches for Windows site if operators know and can be trusted to use the baselines.

What industry is this? This process does not sound fun.

I agree, but as per our security advisory we create custom copies of the Windows patches which are shared by the security team, and accordingly we deploy the patches from the custom-created site.

I think the issue is you are introducing a lot of unintended liability that definitely wasn’t considered when the policy was made.

You are using original revisions of patches without ever updating them when IBM releases a new version.

Yes, I agree with your statements; even I have doubts about this. …

Why can’t you just create a baseline that the security team would use instead? They could remove patches that they don’t approve, or you could remove them.

Please guide me through the steps to create the baseline. I would be happy to assist my team.

Here is a video for making a baseline: https://www.youtube.com/watch?v=YEy8IdKb1BE&feature=youtu.be

And here are some best practices: https://www.ibm.com/developerworks/community/wikis/home?lang=en#!/wiki/Tivoli%20Endpoint%20Manager/page/Baselines%20-%20Best%20Practices

Essentially you’ll make the baseline and share that baseline with your security team instead of copying whole patches. That way you can be sure that all of your security team is using the same set of patching baselines which will make troubleshooting much easier.

Thank you all for your support.