Re: Patch Deployment

From: Ryan Talley (
Date: 08/12/04

Date: Thu, 12 Aug 2004 16:30:54 -0400

        I am totally with you on this stuff. There has got to be a
way that we can get the patches not detected by MBSA to push out with
the DSUW. I would really rather not have to create my own Software
Distribution package every time I find a critical patch that MBSA
doesn't detect. I'm sitting here right now looking at one of my
machines that needs KB870669 installed on it and SMS/MBSA know nothing
about that patch. That patch is an "attacker could gain complete
control over machine" warning. Come on, there is no way MBSA 1.2
should be missing critical patches like this one. Anyone from
Microsoft have any insight on this?? How can I get SMS 2003 to push
out patches such as this one that MBSA won't detect?


On Thu, 12 Aug 2004 22:07:15 +0200, Kim Oppalfens
<kim@computacenter.nospam> wrote:

>> Does Microsoft consider the critical patches the MBSA
>> (mssecure.xml) does not detect (e.g. Q823353, Q839643) to
>> be rated as medium or low level patches?
>I can obviously not speak in the name of Microsoft, but I don't think SMS
>considers patches not detected by MBSA as less critical. They are
>working pretty hard on having all products supported in WUS 2.0. So for
>now we will have to live with it; once WUS 2.0 is out we can most likely
>expect a feature pack for SMS.
>> Can you edit the mssecure.xml to add the critical and/or
>> recommended updates that the MBSA does not detect?
>You can edit the mssecure.xml, it is a text file after all, but I think
>it will be pretty difficult to get it to do what you want this way. You
>would have to know the files affected, their versions and their
>> If I send the critical patches that the MBSA does not
>> detect (e.g. Q823353, Q839643) as a regular Distribute
>> Software, choose the collection based on the OS (e.g. All
>> Windows 2000 Professional Computers), set the OS on the
>> Requirements Tab (e.g. All x86 Windows 2000), would the
>> computers that have the patch already installed, install
>> the patch again or ignore the patch?
>That would depend on the patch I guess, the patch itself would
>definitely run, since it would be the program that you advertise.
>Whether this program installs completely or just checks whether it was
>already installed would be logic built into the patch.
>In the case of software updates being deployed it is the patchinstall
>exe that delivers this form of intelligence.
>Kim Oppalfens
