As you're using an ADR for "Security Updates" and "Critical Updates", you'd
have to change the ADR to only select one of "Security Only" or "Security +
Quality". As per the links/info, doing both causes compliance issues.
As the Title is slightly different for the Windows ones vs the .Net Framework
ones, you'd add "Title" where the search list is -Security Only if you want
the "Security + Quality" to be selected. Same as Erik, this is the way we are
If you want the "Security only" to be selected, add "Title" where the search
list is -Quality Rollup
(using the minus sign before the text means "does not contain" that text)
Using those titles should not affect the selection of all the other updates you
want in your ADR.
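
The title filter described in the message above, modelled as an added example (not part of the original thread and not ConfigMgr code). The update titles are constructed samples with placeholder KB numbers, and the matching rule (case-insensitive substring, all terms must hold) is an assumption about how the ADR "Title" criterion behaves.

```python
# Constructed sample titles; KB numbers are placeholders, not real articles.
UPDATES = [
    "October, 2016 Security Only Quality Update for Windows 7 for x64-based Systems (KB0000001)",
    "October, 2016 Security Monthly Quality Rollup for Windows 7 for x64-based Systems (KB0000002)",
    "October, 2016 Security Only Update for .NET Framework 4.5.2 on Windows 7 (KB0000003)",
    "October, 2016 Security and Quality Rollup for .NET Framework 4.5.2 on Windows 7 (KB0000004)",
    "Security Update for Adobe Flash Player for Windows 8.1 (KB0000005)",
    "Security Update for Microsoft Office 2013 (KB0000006) 32-Bit Edition",
]

def title_matches(title, terms):
    """Assumed semantics: '-text' means the title must NOT contain text."""
    t = title.lower()
    for term in terms:
        if term.startswith("-"):
            if term[1:].lower() in t:
                return False
        elif term.lower() not in t:
            return False
    return True

def select(updates, terms):
    """Updates an ADR with these Title terms would pick from the sample list."""
    return [u for u in updates if title_matches(u, terms)]

def rollup_family(title):
    t = title.lower()
    if "security only" in t:
        return "security-only"
    if "quality rollup" in t:
        return "security+quality"
    return None  # not one of the monthly rollups

def product_of(title):
    return ".NET Framework" if ".net framework" in title.lower() else "Windows"

def conflicts(selected):
    """Products for which BOTH rollup families were selected."""
    seen = {}
    for u in selected:
        fam = rollup_family(u)
        if fam:
            seen.setdefault(product_of(u), set()).add(fam)
    return sorted(p for p, fams in seen.items() if len(fams) == 2)

if __name__ == "__main__":
    for terms in ([], ["-Security Only"], ["-Quality Rollup"], ["-Quality"]):
        picked = select(UPDATES, terms)
        print(terms, len(picked), "selected; both families for:", conflicts(picked))
```

The last case shows why the full phrase matters: excluding just "Quality" would also drop the Windows "Security Only Quality Update".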
Date: Fri, 14 Oct 2016 10:37:45 -0700
Subject: Re: [mssms] MS Patching
Hi Chad,

We are deploying the full rollups to our infrastructure. My
understanding is that each month will have 2 rollups on patch Tuesday. Security
only and Security + Quality. The Security only are non-cumulative, the Security
+ Quality are cumulative. Each third Tuesday will see a "preview" rollup with
the quality updates in them that will be included in the next month's Security
+ Quality rollup. (Obviously, I am only talking about the OS specific rollups
here.) We decided to take the approach of going all in, since we have a DEV
testing environment.

As for ADRs, we don't use them for anything "production"
related, but I just started using them to handle downloading and distributing
updates out to our infrastructure. This way when my patch admins build their
monthly patching cycles, they don't have to worry about downloads and
distribution to DPs.

One thing to consider with the rollups is, choose one or
the other. I only have anecdotal evidence of this, but if you deploy both to
collections, it will mess with your compliance reporting. So pick one or the
other. In all honesty, unless you have a known reason, I don't know why you
wouldn't deploy the full rollups. (Obviously with heavy testing...)

The blogs
Robert listed earlier are a great primer on the new process.

On Thu, Oct 13, 2016 at 3:34 PM, Chad Beard <cbe...@artc.com.au> wrote:
Apologies if I’ve missed a previous thread.
But what are everyone’s thoughts on the new MS patching procedure and how are
you handling it in ConfigMgr?
Currently we have an ADR set up that scans for Critical and Security’s released
in the last 14 days.
Also wondering how people are utilising the monthly rollup patch that gets
released and if they’re excluding it.