What are you guys doing with old Monthly Rollups and Security only rollups?
In the old patch management, old rollups would get superseded by the current month. Weekly we would go into our patch management and filter approved patches and deny superseded patches. We only do this after we approve the current monthly rollup. Also, we normally deny the security-only rollups.
I don't see a way to do this in the new SM module. I fear that a freshly deployed workstation may try to install Jan, Feb, March, April etc. Also, what order will it go?
Just looking for feedback. I think we are going to ditch SM and go back to PM.
Just wondering if you ever got a satisfactory answer on this here or elsewhere?
Having the same issues myself where the SM module is showing all superseded patches as being pending and has even attempted to install a number of them.
Did you end up returning to PM instead?
I asked this same question in talks with some guys on the PSE team and what they told me essentially is when you install all the available patches, the logic post schedule can determine what patches are actually needed and patches can be discarded. It will list all of them missing then essentially only install the latest of the security patches that will cover all the rest. Just to reiterate, that's what they SAID... Whether that's what happens is a complete mystery unless the discarding of unneeded rollups is logged somewhere.
I think the cause of this lies to a fair degree with Microsoft as you see similar issues if you run a vulnerability scan from a product such as Nessus.
Put simply, Microsoft are inconsistent in tagging their various patches with vulnerability (CVE) codes. The result is that some CVE codes are not included in later rollups; as a result, any software that scans for vulnerabilities sees some vulnerabilities as un-patched because the corresponding Microsoft update is missing.
Indeed, there even seem to be inconsistencies between the "Security Only" and the "Security and Quality" updates, meaning that both end up being installed, even though the "Security and Quality" update contains everything in the "Security Only" update and more.
Yeah, I have noticed this unfortunately as well. If Kaseya really just fixed the issue where denied/approved patches could be controlled at the profile level as everyone is begging for, this would be a super helpful improvement. Also, when denied patches are denied, being gone completely as "missing" vulnerabilities would be an absolutely welcomed change. These improvements would make my life so much easier.