Questions on Patching...
Currently on day... 3 of our trial, and after setting up the server, a test client (XPSP2) and enabling all the appropriate patch subscriptions, I've noticed something I just need clarified...
Not all MS issued patches are included as part of the routine (Patchlink?) updates? Some things, for instance, IE8, I guess I can understand not being deployed (now that I think about it, IE8 kicks off the user-input required upgrade process, so I guess that really makes sense), however, aside from IE8, I'm currently seeing 6 other "High Priority" updates showing as needed according to MS update, while the KBOX insists the client is up to date and happy.. and some of them (KB955759 for instance) seem rather important to have pushed out to clients.
Am I missing something, or is it by design that some things just don't get included when patching via the KBOX? Also, generally, what kind of time-window are we looking at for major MS patch releases, from MS Release to Patchlink to KBOX? I'm just wondering what type of delay we're going to experience when critical updates come out...
I suppose we could keep a WSUS system in place and use that primarily for Windows patching, but unfortunately doing that will require resources/etc. that undercut the reasons for going with the KBOX... (i.e.: "The KBOX will let us centralize all of our software management and update processing... except for MS updates, because we'll still need a WSUS box..." You see what I'm getting at...)
Answers (2)
Posted by:
jkatkace
14 years ago
Lumension Patchlink Update includes only security-related patches from the Microsoft feed. Non-security related patches aren't in this feed, but would eventually get rolled up into service packs, and perhaps cumulative patches.
Software like IE8 is included under "Applications" and "Software Installers", and you should see it on your KBOX if you selected those in your subscription settings.
In general, you should see security critical patches within a day of release.
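The answer above says the feed carries only security-related patches. As an added example (not part of the original thread, and not KACE or Lumension code), this PowerShell script asks the Windows Update Agent on a client which updates it considers needed and marks the ones that carry an MSRC severity or security bulletin ID, so you can tell whether a gap against the patch console is by design. The `$KnownToPatchTool` parameter and its placeholder KB values are assumptions standing in for a list exported from the console.

```powershell
# Added example, not from the thread. Lists updates the Windows Update Agent
# reports as needed and marks which ones carry a security rating.
param(
    # Hypothetical export of KB numbers the patch console already lists;
    # the default values are constructed placeholders.
    [string[]]$KnownToPatchTool = @('KB0000001', 'KB0000002'),
    # Use the agent's cached scan data instead of contacting the update server.
    [switch]$Offline
)

$session  = New-Object -ComObject Microsoft.Update.Session
$searcher = $session.CreateUpdateSearcher()
$searcher.Online = -not $Offline
$result = $searcher.Search("IsInstalled=0 and IsHidden=0 and Type='Software'")

$report = foreach ($u in $result.Updates) {
    $kbs = @(foreach ($id in $u.KBArticleIDs) { "KB$id" })
    # An MSRC severity or a security bulletin ID marks a security update.
    $isSecurity = [bool]$u.MsrcSeverity -or ($u.SecurityBulletinIDs.Count -gt 0)
    $covered = @($kbs | Where-Object { $KnownToPatchTool -contains $_ }).Count -gt 0

    New-Object PSObject -Property @{
        KB          = $kbs -join ','
        Severity    = $u.MsrcSeverity
        IsSecurity  = $isSecurity
        InPatchTool = $covered
        # Security-rated but absent from the patch console: follow up on these.
        NeedsReview = $isSecurity -and -not $covered
        Title       = $u.Title
    }
}

$report |
    Sort-Object NeedsReview, IsSecurity -Descending |
    Format-Table KB, Severity, IsSecurity, InPatchTool, NeedsReview, Title -AutoSize
```

Rows with `IsSecurity` false are the non-security updates the answer says the feed omits; rows with `NeedsReview` true are the ones worth raising with the vendor.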
Posted by:
airwolf
14 years ago
I don't know much about patching via KBOX, because we still use a WSUS server. We were still easily able to justify the purchase of the KBOX to replace our hardware/software inventory system and our helpdesk solution. We do use the KBOX for third party application patching, but we do it manually using software distribution. We do not use the Patching module at all.
I do know that there is a bit of lag between MS patch Tuesday and when Patchlink adds patches to the database. This is for QC purposes, but it does limit the ability to respond to 0-day vulnerabilities. Hopefully someone else here on the forums can give you more specific information about your patching issues, but I just wanted to let you know that other customers are using KBOX and WSUS. Continuing to use WSUS has pros and cons - it's up to you to decide what is best for your organization. The primary reason we continue to use WSUS is because we can update our systems anytime they have an internet connection (no VPN required), but we wouldn't be comfortable putting our KBOX in the DMZ.
Rating comments in this legacy AppDeploy message board thread won't reorder them,
so that the conversation will remain readable.