4 Replies Latest reply on Jan 24, 2017 2:09 PM by Bill Robinson

    Bladelogic - Microsoft WSUS Patching Integration

    Pedro José Barbero Iglesias

      Hi there everyone,

      Maybe many of you have asked yourselves whether an integration between Bladelogic and MS WSUS, for patching from Bladelogic, is possible.

      I'd like to know if any of you have something interesting to comment on this topic, because as you know, the way Bladelogic does patching is based on Shavlik.

      And this could lead us into many discrepancies and problems with the provider, in this case "Microsoft", regarding what they say or recommend when patching their OSes. As you can imagine, they could state that we didn't follow their recommendations when patching, so that they won't support us.

      So this is the reason to try to find a way to integrate both and use the criteria that WSUS uses for patch analysis and remediation.

      I will anxiously await any comments you may have regarding this topic.

      My best regards and thanks in advance.

        • 1. Re: Bladelogic - Microsoft WSUS Patching Integration
          Bill Robinson

          What discrepancies are you referring to here? Typically we have found that WSUS and Windows Update do not do as intensive checks to see if a patch is installed on a system. For example, they check the registry to see if the patch is installed, whereas Shavlik checks the specific DLL versions mentioned in the Microsoft Bulletin article. There will always be discrepancies between different analysis tools, and we have found that Shavlik's analysis is the most accurate.

          Have you run into a case w/ Microsoft where they have told you they will not support the OS because you have used a 3rd party tool to determine what patches apply to the OS? As there are many 3rd party patching tools available, I highly doubt this is a common occurrence, if one at all.
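          An added example, not code from the thread or from BMC or Shavlik, contrasting the two kinds of evidence Bill describes: the installed-hotfix record that WSUS-style checks rely on versus the fixed file versions listed in a bulletin's KB article. The KB number, file path and version are placeholders; take the real ones from the bulletin's "File information" table.

```powershell
# Added example, not code from the thread, BMC or Shavlik. It contrasts the two kinds of
# evidence Bill describes: the installed-hotfix record (what WSUS-style checks rely on)
# versus the fixed file versions listed in a bulletin's KB article (what Shavlik checks).
# KB numbers, paths and versions below are PLACEHOLDERS; take real ones from the bulletin.

function Test-HotfixRecorded {
    param([Parameter(Mandatory)][string]$KB)      # e.g. 'KB0000000' (placeholder)
    # Get-HotFix reads the same installed-updates inventory Windows Update / WSUS consult.
    return [bool](Get-HotFix -Id $KB -ErrorAction SilentlyContinue)
}

function Test-FileAtFixedVersion {
    param(
        [Parameter(Mandatory)][string]$Path,        # binary named in the bulletin's file table
        [Parameter(Mandatory)][version]$MinVersion  # version the bulletin says carries the fix
    )
    if (-not (Test-Path -LiteralPath $Path)) { return $null }   # component absent: not applicable
    # Build the version from the numeric parts; the FileVersion string can carry trailing text.
    $fi = (Get-Item -LiteralPath $Path).VersionInfo
    $v  = [version]::new($fi.FileMajorPart, $fi.FileMinorPart, $fi.FileBuildPart, $fi.FilePrivatePart)
    return ($v -ge $MinVersion)
}

function Compare-PatchEvidence {
    param(
        [Parameter(Mandatory)][string]$KB,
        [Parameter(Mandatory)][hashtable]$FixedFiles   # path -> minimum fixed version
    )
    $recorded = Test-HotfixRecorded -KB $KB
    $files = foreach ($p in $FixedFiles.Keys) {
        [pscustomobject]@{ File = $p; AtFixedVersion = (Test-FileAtFixedVersion -Path $p -MinVersion $FixedFiles[$p]) }
    }
    $present = @($files | Where-Object { $null -ne $_.AtFixedVersion })
    # Files confirm the fix only if every file that exists on the box is at or above the fixed version.
    $filesConfirm = ($present.Count -gt 0) -and -not ($present | Where-Object { -not $_.AtFixedVersion })
    [pscustomobject]@{
        KB             = $KB
        RegistryClaims = $recorded
        FilesConfirm   = $filesConfirm
        Discrepancy    = ($recorded -ne $filesConfirm)   # the mismatch the thread is about
        Details        = $files
    }
}

# Usage with placeholder values; replace them from the bulletin's "File information" table.
Compare-PatchEvidence -KB 'KB0000000' -FixedFiles @{
    "$env:SystemRoot\System32\example.dll" = [version]'10.0.0.0'
}
```

          A `Discrepancy` of `True` means the two methods disagree for that KB, which is the kind of result worth reconciling before concluding which scanner is right.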

          • 2. Re: Bladelogic - Microsoft WSUS Patching Integration
            Seth Corder

            I agree with Bill. WSUS patching is quite flawed. There are numerous reasons to move away from WSUS/SCCM based Windows patching and to BSA (using Shavlik).

            • The Shavlik data is more literal, tied directly to the bulletin details (and patch metadata).
            • The BSA Patch Analysis feature is a huge differentiation, as it allows BSA to pre-screen server patching needs as well as post-validate patch compliance. Analysis for WSUS and SCCM is done after creating a patch bundle package of patches, regardless of whether a server needs them or not, then is evaluated through group policy interaction with the server during run time of the patch. A patch analysis, remediation payload definition, and scope of execution should never be done during the execution phase. This introduces a ton of risk.
            • The BSA App Server dictates execution. Often Windows servers could receive full instructions and payload from Group Policy by way of an SCCM Advertisement (this Deploy Job). That same server could go offline or the SCCM app servers could crash, and the server can still independently execute the patch payload (this is the age-old push vs. pull approach). This works well for workstations, as they are often offline, in a desk or bag, on VPN, etc. It is a terrible idea for servers.
            • It can also be canceled in real time (as close to real time as one could ever hope for).

            To recap: the risk of moving to BSA is much less than staying with WSUS for Windows server patching.

            The only objection that is reasonable is that Shavlik patch availability is slightly delayed from when Microsoft releases patches by Patch Tuesday afternoon. But the benefits of the switch to BSA far outweigh a potential delay.

            • 3. Re: Bladelogic - Microsoft WSUS Patching Integration
              Isaac Matta

              Hi Seth & Bill, thank you for the information. On your point "the Shavlik data is more literal, tied directly to the bulletin details (and patch metadata)":

              I noticed that the number of patches mentioned in a Microsoft Bulletin is not the same as the number of patches being applied by BSA. I verified whether all these patches are applicable to the Windows Server version and I see they are all applicable, but BSA is not consistent in applying all the patches in the release. Why so?

              Thanks in advance!

              -Isaac

              • 4. Re: Bladelogic - Microsoft WSUS Patching Integration
                Bill Robinson

                "I noticed that the number of patches mentioned in a Microsoft Bulletin is not the same as the number of patches being applied by BSA."

                -> Which bulletin? How many 'patches' are listed in the bulletin? How many patches are being installed by BSA? Which patches are being installed by BSA, and what patches are listed in the bulletin?

                "I verified whether all these patches are applicable to the Windows Server version and I see they are all applicable"

                -> How did you verify this?

                "BSA is not consistent in applying all the patches in the release. Why so?"

                -> BSA is not consistent how? Same server, same OS? Different servers? Compared to what WSUS finds for the same servers?