I have hit yet another obstacle..
My company runs two separate Patch Management Committees (Workstation & Server) that:
- Review each newly released security bulletin
- Determine each update's applicability
- Approve each update for testing
- Approve each update for production deployment.
As with this month's bulletin.. 13 updates released. The server committee only approved 9 of the updates for testing:
MS09-050, 54, 55, 57, 58, 59, 60, 61, 62. The remaining updates (51, 52, 53 & 56) were determined to be not applicable to our server environment.
Whereas the Workstation committee approved all 13 for testing.....
This leads us to the ultimate question.....
Through the "Manage Software Updates" task, I, representing the servers, go in and "mark" updates 51, 52, 53 & 56 as not applicable. This will affect the workstations, correct?
Can this be managed separately?
I don't really understand
I don't really understand what you mean by "mark as not applicable". Patch Management automatically determines if a patch is applicable or not. It's up to the admin to decide if a patch should be "staged" (=downloaded) and if it should be included in a software update task.
If you want to bundle all of the software updates of a month into one software update policy, then the easiest way would be to have two separate software update tasks.
One software update task which contains all of the bulletins which have been approved for workstations. This should be targeted against a workstation filter.
The other software update task which contains all of the bulletins which have been approved for servers. This is then targeted against a server filter.
If you want to make sure that all of the required software updates are installed on workstations and servers, then you can have one single software update task which is targeted against workstations and server filters, as (mentioned above) Patch Management will only roll out patches to systems which it has (automatically) determined to be applicable.
Multiple Filters
You would not want to mark the patches as not applicable if you wanted to use them within one of your groups: Test, Workstations, Servers.
I would set up multiple filters (collections if still in the 6 environment) to facilitate your needs. With what you described above, you could have three or more filters. Something like:
- Test machines with software update agent installed
- All Workstations with software update agent installed
- All Servers with software update agent installed
I would set your default patch group to be your "Test machines with..." filter. That way, if something accidentally gets enabled, it won't get blasted everywhere. You can now distribute a group of patches to one or more filters. If the patch policy you create applies only to the workstations, then only add the workstation filter to the distribution policy. If it goes to both, servers and workstations, add both filters.
RS
I could be way off
however, I've always thought the custom reporting labels were essentially cosmetic. They assisted with reporting and classifying, but don't actually impede or constrict the creation and distribution of patches. So, if you follow the above advice (both posts) you should be fine.
Jim Harings
Technical Solutions Consultant
Xcend Group
http://xcendgroup.com