Client Management Suite

  • 1.  release date options for computer compliance

    Posted Jun 11, 2012 11:02 AM

    Believe it or not, I just recently changed the 'Release date From:' to something other than the default in the Windows Compliance by Computer report (see screenshot). After thinking a load of machines were 100% compliant, I changed this from 1 year's previous patches (which it seems to default to) to patches from 2000. Doh! It now updates reports with a sh*tload of patches I didn't know about. What's the point of this field? Your machine is either fully patched or not. Why have a default that only goes back 1 year and shows machines 100% compliant if they have that year's patches when old patches might not be in compliance?!

    So, my question is: I have a load of patches that have not been staged and downloaded. I have downloaded and staged a few and tested on a few servers. Now, because they aren't all neatly sequential/together, it's difficult to combine a lot into the one policy. I also noticed that when applied to a server they seem to update some, want a reboot, install more patches later on at random times, require a reboot, same again. Just when I thought this software couldn't get worse, and believe me, IT'S BUGTASTIC...

    Anyone have any ideas on resolving this quickly..... OTHER THAN GET SCCM and MS tools!

    Joe.




  • 2.  RE: release date options for computer compliance

    Posted Jun 12, 2012 04:57 PM

    bump!



  • 3.  RE: release date options for computer compliance

    Posted Jun 13, 2012 05:15 PM

    That's a pretty quick bump

    "I also noticed that when applied to a server they seem to update some, want a reboot, install more patches later on at random times, require a reboot, same again."

    Yip, that is the nature of Windows and patching. You can't chain all patches & then do one reboot. MS has defined a sequence for some patches and some patches can't be installed simultaneously. SCCM is not going to help with that.

    As to the randomness, you have to remember that newer patches are already available, so your client will do a config & inventory update, see that new patches are now applicable and download them as network throughput and policies allow. Thankfully, in Altiris 7 you have the concept of maintenance windows to minimise this randomness.



  • 4.  RE: release date options for computer compliance

    Posted Jun 13, 2012 05:26 PM

    My understanding of this field is that by limiting it to a default of one year previous, it minimises the load on the server when running the report.

    Using that field as the start date of when the OS was released makes no difference. Win2008 did not exist in 2005, so zero patches apply & will not skew the numbers.

    Another thing to keep in mind: do you disable superseded patches? THAT can really mess with your compliance. Have you compared those non-compliant servers with MS Baseline Security Analyzer?



  • 5.  RE: release date options for computer compliance

    Posted Jun 14, 2012 06:56 AM

    We have lots of old WinXP and Server 2003 machines, though, that were showing as 100% compliant.... until I changed those dates..

    I run BSA on one of the servers and see the difference.

    Thanks

    Joe.




  • 6.  RE: release date options for computer compliance
    Best Answer

    Posted Jun 20, 2012 04:00 PM

    I assume you have a test-pilot-production method for patches.  I also imagine a lot of these older patches are on some servers, but not all, which somewhat proves that they work in your environment.

    During your next patch window in July, you might want to exclude July's updates and only deploy old updates. A month at a time, or however you create your policies, create new Software Update policies and include the missing bulletins. Use your Compliance by Bulletin report and set a cut-off, like all bulletins with more than 10 computers vulnerable -- or maybe your cut-off is "with at least 1 vulnerable." Then select these bulletins for policies and apply them to your test group.

    After you apply all the policies (likely around 50 if you have current operating systems and Service Packs, but were missing everything but last year from a policy perspective), test the whole group of 50 policies all at once. Once it passes testing, move to pilot, then production, according to the procedures at your company. Then report and monitor for success. Exporting the Compliance by Bulletin report to Excel and using Conditional Formatting to find the worst bulletins by % and worst bulletins by count is a helpful process.

    Report to management for accountability.  You will be the hero for finding the issue and resolving it.

    This is how I would resolve it without SCCM or Microsoft tools.
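Added example, not code from the thread or from Altiris/Client Management Suite: a small Python model of the two things discussed above, namely how the report's 'Release date From' window (post 1) hides old missing patches in a per-computer compliance figure, and how the cut-off, worst-by-count/worst-by-% ranking and month-by-month policy grouping from post 6 can be applied to a Compliance by Bulletin export. The bulletin IDs and release dates are real Microsoft bulletin dates, but the per-computer assessment rows, the 'superseded' flag and the computer names are constructed for illustration, and the function names are my own.

```python
# Added example (not from the thread, not Altiris/CMS code): model the effect of a
# 'Release date From' window on compliance, then pick bulletins for catch-up policies.
# Bulletin IDs and release dates are real Microsoft bulletin dates; the assessment
# rows, computer names and the 'superseded' flag are constructed.
from collections import defaultdict
from datetime import date

REPORT_DATE = date(2012, 6, 14)     # day the report is run
ONE_YEAR_BACK = date(2011, 6, 14)   # the report's default window start
SINCE_2000 = date(2000, 1, 1)       # what post 1 changed the window start to

# bulletin -> (release_date, superseded_by_newer_bulletin)
# the superseded flag on MS11-080 is set only for illustration
BULLETINS = {
    "MS08-067": (date(2008, 10, 23), False),
    "MS09-001": (date(2009, 1, 13), False),
    "MS11-080": (date(2011, 10, 11), True),
    "MS12-020": (date(2012, 3, 13), False),
    "MS12-036": (date(2012, 6, 12), False),
}

# constructed assessment rows: (computer, applicable bulletin, installed?)
ASSESSMENTS = [
    ("XP-01", "MS08-067", False),
    ("XP-01", "MS09-001", False),
    ("XP-01", "MS12-020", True),
    ("XP-01", "MS12-036", True),
    ("SRV2003-01", "MS08-067", False),
    ("SRV2003-01", "MS11-080", False),
    ("SRV2003-01", "MS12-020", True),
    ("SRV2003-01", "MS12-036", True),
    ("SRV2008-01", "MS12-020", True),
    ("SRV2008-01", "MS12-036", False),
]


def compliance_by_computer(assessments, bulletins, release_from, release_to,
                           exclude_superseded=True):
    """Percent of applicable bulletins installed per computer, counting only
    bulletins released inside [release_from, release_to]. Whether superseded
    bulletins count is a policy choice (post 4), hence the parameter."""
    applicable = defaultdict(int)
    installed = defaultdict(int)
    for computer, bulletin, is_installed in assessments:
        released, superseded = bulletins[bulletin]
        if not release_from <= released <= release_to:
            continue  # outside the window: invisible to the report
        if exclude_superseded and superseded:
            continue
        applicable[computer] += 1
        installed[computer] += int(is_installed)
    return {c: round(100.0 * installed[c] / applicable[c], 1) for c in applicable}


def worst_bulletins(assessments, bulletins, min_vulnerable=1):
    """Rank bulletins worst-first by vulnerable count, then by vulnerable %,
    keeping only those with at least min_vulnerable computers missing them
    (post 6's cut-off). Rows are (bulletin, vulnerable, percent, release_date)."""
    applicable = defaultdict(int)
    vulnerable = defaultdict(int)
    for _, bulletin, is_installed in assessments:
        applicable[bulletin] += 1
        if not is_installed:
            vulnerable[bulletin] += 1
    rows = [(b, vulnerable[b], round(100.0 * vulnerable[b] / applicable[b], 1),
             bulletins[b][0])
            for b in applicable if vulnerable[b] >= min_vulnerable]
    rows.sort(key=lambda r: (-r[1], -r[2], r[3]))
    return rows


def group_into_policies(rows, report_date):
    """One catch-up Software Update policy per release month, leaving out the
    current month's bulletins so they go through the normal patch cycle."""
    policies = defaultdict(list)
    for bulletin, _, _, released in rows:
        if (released.year, released.month) == (report_date.year, report_date.month):
            continue
        policies["Catch-up %s" % released.strftime("%Y-%m")].append(bulletin)
    return dict(policies)


if __name__ == "__main__":
    print("1-year window:", compliance_by_computer(ASSESSMENTS, BULLETINS, ONE_YEAR_BACK, REPORT_DATE))
    print("since 2000:   ", compliance_by_computer(ASSESSMENTS, BULLETINS, SINCE_2000, REPORT_DATE))
    rows = worst_bulletins(ASSESSMENTS, BULLETINS)
    for row in rows:
        print(row)
    print(group_into_policies(rows, REPORT_DATE))
```

With the one-year window both XP-01 and SRV2003-01 come out at 100%, exactly the picture Joe describes, because their missing 2008/2009 bulletins fall outside the window and the superseded MS11-080 is skipped; widening the window to 2000 drops them to 50% and 66.7%. The ranking then puts MS08-067 first (two computers vulnerable), and grouping by release month yields three catch-up policies, with June 2012's MS12-036 left for the regular cycle.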



  • 7.  RE: release date options for computer compliance

    Posted Jun 20, 2012 04:42 PM

    "You will be the hero for finding the issue and resolving it." - lol - i like that.

    More than likely I would be the villain for not spotting it in the first place. Thanks for the suggestion. I've already pushed out to the 5 Altiris package servers we have and all is fine. I had to create a lot of policies, so will just apply them to the servers when patch time comes.


    Cheers

    Joe.