Configuration Manager 2007 and Patch Compliance Issues
Here at my company, ConfigMgr 2007 is used as the enterprise-approved security update system.
All Windows-based servers and workstations are required to run the ConfigMgr client and patches
are applied accordingly.
I recently encountered an issue that gave me pause though. I was somewhat blindsided by an
issue with a patch under security bulletin MS09-004, particularly the SQL portion of the patch
concerning clustered SQL servers. MBSA and Windows Update will both report the patch as missing
on a clustered system. However, ConfigMgr has no knowledge whatsoever of these clustered versions
of the patch. What gives?
Well, after doing more research I discovered that if a patch is flagged for user interaction in
WSUS and by Microsoft, it will not sync to ConfigMgr's repository and hence will never show up
in any patch reports - it's as if it simply does not exist.
This causes a major problem. Not so much from the implementation standpoint, because at least
you can still manually install the patch (although this can be inconvenient depending on the number
of clusters you have). The major issue is that now during audits, our designated enterprise patch
tool can't even tell me that a patch is missing or even applicable. This seems like a major hole
in how ConfigMgr works. Couldn't it at least tell me if the patch is applicable even if it cannot
deploy it? Could it flag it as such?
I'm curious to find out how you have addressed this in your environment. I'm considering DCM or
other methods to look for the patch install directory or related files but this is basically a
workaround and would fall outside of the built-in patch reports. In my test environment I also
tried hacking a bunch of fields in the SUSDB database to make these patches show up in ConfigMgr,
to no avail. I welcome any responses!
-Casey Robertson
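As an added example, not part of Casey's post or of any Microsoft tooling: the updates ConfigMgr 2007 refuses to sync are the ones WSUS carries with the InstallationBehavior.CanRequestUserInput flag set, and that flag is visible through the WSUS administration API. The PowerShell below, run on a machine with the WSUS 3.0 administration console installed (normally the software update point itself), lists those updates so you at least have an auditable inventory of what your patch reports cannot show. The server name, port, SSL setting and the optional bulletin filter are assumptions for illustration; adjust them to your SUP.

```powershell
# Added example (not from the original post). Lists the WSUS updates whose
# InstallationBehavior.CanRequestUserInput flag is set; these are the updates a
# ConfigMgr 2007 software update point will not sync, so they never appear in
# its compliance reports. Assumes the WSUS 3.0 admin console (and therefore the
# Microsoft.UpdateServices.Administration assembly) is installed where this runs.
param(
    [string]$WsusServer = 'localhost',   # assumption: run on the SUP/WSUS box itself
    [int]$Port          = 80,            # assumption: default non-SSL WSUS 3.0 port
    [bool]$UseSsl       = $false,        # assumption: SUP not configured for SSL
    [string]$Bulletin   = ''             # e.g. 'MS09-004'; empty lists everything
)

[void][System.Reflection.Assembly]::LoadWithPartialName('Microsoft.UpdateServices.Administration')

# Connect to the WSUS server that backs the software update point.
$wsus = [Microsoft.UpdateServices.Administration.AdminProxy]::GetUpdateServer($WsusServer, $UseSsl, $Port)

# An UpdateScope with no filters returns every update WSUS has synced from
# Microsoft Update, including declined and superseded ones; we filter below.
$scope = New-Object Microsoft.UpdateServices.Administration.UpdateScope

$hidden = $wsus.GetUpdates($scope) | Where-Object {
    $_.InstallationBehavior.CanRequestUserInput -and
    -not $_.IsDeclined -and
    ($Bulletin -eq '' -or (@($_.SecurityBulletins) -contains $Bulletin))
}

# Shape the result so it can be reviewed or exported for the auditors.
$hidden | ForEach-Object {
    New-Object PSObject -Property @{
        Bulletin   = (@($_.SecurityBulletins) -join ',')
        KB         = (@($_.KnowledgebaseArticles) -join ',')
        Title      = $_.Title
        Superseded = $_.IsSuperseded
        Reboot     = $_.InstallationBehavior.RebootBehavior
    }
} | Sort-Object Bulletin | Format-Table Bulletin, KB, Superseded, Reboot, Title -AutoSize
```

Run it with no arguments for the full list, or with `-Bulletin 'MS09-004'` to confirm whether the clustered SQL packages for that bulletin are among the flagged updates on your WSUS server. Replace the final Format-Table with Export-Csv if you need a file to hand over during an audit; the list is the complement of what the built-in ConfigMgr reports can ever show, which is the gap the post describes.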