
Patch assessment

Lately, our SEC is reporting our servers missing some critical patches. The problem is, the servers have these patches installed, which we can see in SCCM. The servers have been rebooted, so they are fully patched, but Sophos assesses the patches as not installed.

Any ideas?

  • Hello Louis-M,

    there's the PatchChecker.exe to run a manual assessment on the endpoint. Please note that you have to Run as administrator (simply double-clicking doesn't work). Don't ask me how to interpret the logs though.

    Christian

  • Are these "missing" critical updates the "Security Only" Microsoft updates? I just opened a ticket with Sophos because I approve the Monthly Quality update which contains the security updates, and decline the "Security Only" updates. But Patch assessment reports those servers as missing the updates for each month. Every month I have to explain to management why we are not installing critical security updates...

    https://blogs.technet.microsoft.com/configmgrdogs/2016/12/07/update-to-supersedence-behaviour-for-security-only-and-security-monthly-quality-rollup-updates/

    Thanks

    Matt

  • Yes, it's that. I do the same. No point in installing them twice. I've also noticed it complains about missing updates even though the following month's patches have gone in and include the previous month's. So it looks like the same issue as you are experiencing. I'm not sure the supersedence part of it works either?

  • Yeah, Microsoft changed supersedence late last year. The "Security Only" updates don't supersede the previous month's "Security Only" update. But the "Monthly Quality Security" update does. Apparently some people want to apply the security updates monthly and the Quality updates quarterly or so. That's fine, as long as Sophos Patch recognizes when an update is not applicable anymore because I installed the "Monthly Quality Security Update" (Who came up with their totally confusing naming??)

    I just heard back from support yesterday, and ran a test for them. They asked me to download the July Security update, install it, then trigger a scan again. As expected, it showed as installed, but not all the ones since Nov. I replied that I was not going to manually run each security KB for each month on all my servers to fix a "reporting" error. Easier to "fix" the report I send up-line and justify it with WSUS reports if challenged.
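The check the two posters above are doing by hand (is the "missing" KB actually installed, or is it superseded by an installed Monthly Rollup?) can be asked of the Windows Update Agent directly. The script below is an added example written for this page; it is not from the thread, from Sophos, or from PatchChecker.exe. It assumes the box is domain-joined to the same WSUS (or Microsoft Update) source the patch assessment uses, must be run elevated, and the KB numbers in `$ReportedMissing` are constructed placeholders that you replace with the KBs from your own report.

```powershell
# Added example (not from the thread or from Sophos): reconcile the KBs a patch-assessment
# report lists as missing against the Windows Update Agent on the endpoint itself.
# For each KB it reports one of: INSTALLED outright, SUPERSEDED by an installed update
# (the Security Only / Monthly Quality Rollup case discussed above), or NOT FOUND.
# Run as administrator. The KB list is a placeholder, not taken from the thread.

$ReportedMissing = @('KB4025337', 'KB4034658')   # placeholder values; paste your report's KBs

$Session  = New-Object -ComObject Microsoft.Update.Session
$Searcher = $Session.CreateUpdateSearcher()
# By default WUA hides superseded updates from search results; we need them to map KB -> UpdateID
$Searcher.IncludePotentiallySupersededUpdates = $true

# Query the update source this machine is configured for (WSUS or Microsoft Update)
$Installed    = $Searcher.Search("IsInstalled=1 and Type='Software'").Updates
$NotInstalled = $Searcher.Search("IsInstalled=0 and Type='Software'").Updates

# Index 1: KB number -> title of the installed update that carries it (direct hits)
$InstalledByKb = @{}
foreach ($u in $Installed) {
    foreach ($kb in $u.KBArticleIDs) { $InstalledByKb["KB$kb"] = $u.Title }
}

# Index 2: every UpdateID that some installed update declares it supersedes
$SupersededById = @{}
foreach ($u in $Installed) {
    foreach ($id in $u.SupersededUpdateIDs) { $SupersededById[$id] = $u.Title }
}

foreach ($kb in $ReportedMissing) {
    if ($InstalledByKb.ContainsKey($kb)) {
        "{0}: INSTALLED ({1})" -f $kb, $InstalledByKb[$kb]
        continue
    }

    # Not installed by its own KB: find the update object(s) for this KB among the
    # not-installed set and see whether an installed update lists them as superseded.
    $kbNumber = $kb -replace '^KB', ''
    $coveredBy = $null
    foreach ($u in $NotInstalled) {
        $carriesKb = $false
        foreach ($id in $u.KBArticleIDs) { if ($id -eq $kbNumber) { $carriesKb = $true } }
        if ($carriesKb -and $SupersededById.ContainsKey($u.Identity.UpdateID)) {
            $coveredBy = $SupersededById[$u.Identity.UpdateID]
            break
        }
    }

    if ($coveredBy) {
        "{0}: SUPERSEDED by installed '{1}'" -f $kb, $coveredBy
    } else {
        "{0}: NOT FOUND - genuinely missing, or not offered by this update source" -f $kb
    }
}
```

A KB that comes back SUPERSEDED here but still appears as missing in the Sophos report is the reporting discrepancy the thread describes, and the output gives you the title of the rollup that actually covers it, which is more defensible to management than a WSUS screenshot. A KB that comes back NOT FOUND is worth a closer look, since WUA could not even see an update for it from the configured source.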