Re: Patch Deployment

From: Ryan Talley (ryan.talley_at_gtri.gatech.edu)
Date: 08/12/04


Date: Thu, 12 Aug 2004 16:30:54 -0400

8432,
        I am totally with you on this stuff. There has got to be a
way that we can get the patches not detected by MBSA to push out with
the DSUW. I would really rather not have to create my own Software
Distribution package every time I find a critical patch that MBSA
doesn't detect. I'm sitting here right now looking at one of my
machines that needs KB870669 installed on it and SMS/MBSA know nothing
about that patch. That patch is an "attacker could gain complete
control over machine" warning. Come on, there is no way MBSA 1.2
should be missing critical patches like this one. Anyone from
Microsoft have any insight on this?? How can I get SMS 2003 to push
out patches such as this one that MBSA won't detect?

Ryan

On Thu, 12 Aug 2004 22:07:15 +0200, Kim Oppalfens
<kim@computacenter.nospam> wrote:

>Inline
>>
>> Does Microsoft consider the critical patches the MBSA
>> (mssecure.xml) does not detect (e.g. Q823353, Q839643) to
>> be rated as medium or low level patches?
>I can obviously not speak in the name of Microsoft, but I don't think SMS
>considers patches not detected by MBSA as less critical. They are
>working pretty hard on having all products supported in WUS 2.0. So for
>now we will have to live with it; once WUS 2.0 is out we can most likely
>expect a feature pack for SMS.
>
>>
>> Can you edit the mssecure.xml to add the critical and/or
>> recommended updates that the MBSA does not detect?
>You can edit the mssecure.xml, it is a text file after all, but I think
>it will be pretty difficult to get it to do what you want this way. You
>would have to know the files affected, their versions and their
>checksums.
>>
>> If I send the critical patches that the MBSA does not
>> detect (e.g. Q823353, Q839643) as a regular Distribute
>> Software, choose the collection based on the OS (e.g. All
>> Windows 2000 Professional Computers), set the OS on the
>> Requirements Tab (e.g. All x86 Windows 2000), would the
>> computers that have the patch already installed, install
>> the patch again or ignore the patch?
>That would depend on the patch I guess, the patch itself would
>definitely run, since it would be the program that you advertise.
>Whether this program installs completely or just checks whether it was
>already installed would be logic built into the patch.
>
>In the case of software updates being deployed it is the patchinstall
>exe that delivers this form of intelligence.
>
>Kim Oppalfens
>
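The exchange above comes down to one practical question: if SMS 2003 pushes a patch MBSA does not inventory as a plain "Distribute Software" program, nothing checks beforehand whether the machine already has it. The following wrapper is an added example, not code from the thread or from Microsoft. It does the pre-install check itself, by looking at the hotfix registration the Windows 2000/XP/2003 update.exe packages leave in the registry and in Win32_QuickFixEngineering, and only runs the installer when the KB is genuinely missing. It assumes a PowerShell host on the target (the 2004-era equivalent would be a VBScript or batch wrapper), an installer that accepts the usual /quiet /norestart switches, and a hypothetical `$InstallerPath` pointing at whatever you staged in the package source; none of those are stated in the thread.

```powershell
<#
  Added example (not from the thread or from Microsoft): detection wrapper
  for an SMS 2003 software distribution program that installs a hotfix
  MBSA 1.2 cannot inventory. Instead of trusting whatever logic is built
  into the patch, check the machine's own hotfix registration first and
  run the installer only when the KB is really absent.

  Assumptions (not confirmed anywhere in the thread):
    - the target has a PowerShell host (2004-era equivalent: VBScript);
    - the package is an update.exe-based hotfix accepting /quiet /norestart;
    - $InstallerPath is the file you staged in the SMS package source
      (required parameter here, deliberately no real filename).
#>
param(
    [Parameter(Mandatory = $true)] [string] $Kb,             # e.g. KB870669
    [Parameter(Mandatory = $true)] [string] $InstallerPath   # path inside the package
)

function Test-HotfixInstalled {
    param([string] $Kb)

    # 1. Classic NT hotfix registration written by update.exe packages.
    $hotfixKey = "HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\HotFix\$Kb"
    if (Test-Path $hotfixKey) { return $true }

    # 2. Per-product registration: ...\Microsoft\Updates\<Product>\<SP>\KBnnnnnn.
    #    Searched recursively so the product and service-pack level need not be known.
    $updatesRoot = 'HKLM:\SOFTWARE\Microsoft\Updates'
    if (Test-Path $updatesRoot) {
        $hit = Get-ChildItem -Path $updatesRoot -Recurse -ErrorAction SilentlyContinue |
               Where-Object { $_.PSChildName -ieq $Kb }
        if ($hit) { return $true }
    }

    # 3. Win32_QuickFixEngineering, which is what Get-HotFix queries under the hood.
    if (Get-HotFix -Id $Kb -ErrorAction SilentlyContinue) { return $true }

    return $false
}

if (Test-HotfixInstalled -Kb $Kb) {
    Write-Output "$Kb already present; nothing to do."
    exit 0      # exit code 0: SMS records the advertisement as succeeded
}

if (-not (Test-Path $InstallerPath)) {
    Write-Error "Installer not found at $InstallerPath"
    exit 2      # non-zero so the failure shows up in SMS status messages
}

# update.exe-style silent switches; confirm with "<installer> /?" for the package you stage.
$proc = Start-Process -FilePath $InstallerPath -ArgumentList '/quiet', '/norestart' -Wait -PassThru

# 0 = installed; 3010 = ERROR_SUCCESS_REBOOT_REQUIRED (installed, reboot pending).
# Anything else is passed through unchanged so SMS reports it as a failure.
if ($proc.ExitCode -eq 0 -or $proc.ExitCode -eq 3010) {
    Write-Output "$Kb installed (exit code $($proc.ExitCode))."
}
exit $proc.ExitCode
```

Used as the program command line of the package, something like `powershell.exe -ExecutionPolicy Bypass -File install-kb.ps1 -Kb KB870669 -InstallerPath <staged package>.exe`, the script gives the "already installed, skip" behaviour that the thread notes is otherwise left to the patch itself. The registry checks cover the two places the update.exe packages of that era register themselves; the Get-HotFix call is a third, independent source, so a patch that registers in only one of them is still recognised. Keep the advertisement's collection and Requirements tab settings as well: the wrapper decides whether to install, but SMS still decides where the program is sent.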