2 Replies Latest reply on Apr 3, 2014 12:33 PM by Seth Corder

    Bladelogic - Microsoft WSUS Patching Integration

    Pedro José Barbero Iglesias

      Hi there everyone,


      Maybe many of you have asked yourselves whether integration between Bladelogic and MS WSUS for patching from Bladelogic is possible.


      I'd like to know if any of you have something interesting to comment on this topic, because as you know the way Bladelogic does patching is based on Shavlik.


      And this could lead us into many discrepancies and problems with the provider, in this case "Microsoft", regarding what they say or recommend when patching their OSes. As you can imagine, they could state that we didn't follow their recommendations when patching, so that they won't support us.


      So this is the reason to try to find a way to integrate both and use the criteria that WSUS uses for patch analysis and remediation.


      I will anxiously await any comments you may have on this topic.



      My best regards and thanks in advance.

        • 1. Re: Bladelogic - Microsoft WSUS Patching Integration
          Bill Robinson

          What discrepancies are you referring to here?  Typically we have found that WSUS and Windows Update do not do as intensive checks to see if a patch is installed on a system.  For example, they check the registry to see if the patch is installed, whereas Shavlik checks the specific DLL versions mentioned in the Microsoft Bulletin article.  There will always be discrepancies between different analysis tools, and we have found that Shavlik's analysis is the most accurate.


          Have you run into a case w/ Microsoft where they have told you they will not support the OS because you have used a 3rd party tool to determine what patches apply to the OS?  As there are many 3rd party patching tools available, I highly doubt this is a common occurrence, if one at all.
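          The two detection methods Bill contrasts (registry "installed" evidence vs. checking the binary versions a bulletin names) can be compared on one host with a short script. This is an added illustration, not code from this thread or from BMC or Shavlik; the KB id, DLL path and required file version are placeholders that an operator would replace with the values from a specific bulletin.

```powershell
# Added example (not from the thread): compare the registry-based "patch installed"
# signal with a file-version check of the kind a bulletin-driven scanner performs.
# All three values below are placeholders, not a real bulletin.
param(
    [string]$KbId = 'KB0000000',                                  # placeholder KB id
    [string]$FilePath = "$env:SystemRoot\System32\example.dll",  # placeholder binary named in a bulletin
    [version]$RequiredVersion = '6.1.7601.99999'                  # placeholder fixed-file version from the bulletin
)

function Test-KbInRegistry {
    param([string]$Kb)
    # Get-HotFix reads Win32_QuickFixEngineering, i.e. the installed-updates record
    # that registry-style checks rely on. It says nothing about the files on disk.
    return [bool](Get-HotFix -Id $Kb -ErrorAction SilentlyContinue)
}

function Test-FileAtOrAboveVersion {
    param([string]$Path, [version]$Required)
    if (-not (Test-Path -LiteralPath $Path)) { return $false }
    # Build the version from the numeric parts; the FileVersion string can carry
    # trailing build tags that do not parse as [version].
    $vi = (Get-Item -LiteralPath $Path).VersionInfo
    $actual = [version]::new($vi.FileMajorPart, $vi.FileMinorPart, $vi.FileBuildPart, $vi.FilePrivatePart)
    return $actual -ge $Required
}

$regSays  = Test-KbInRegistry -Kb $KbId
$fileSays = Test-FileAtOrAboveVersion -Path $FilePath -Required $RequiredVersion

# A mismatch between the two columns is exactly the kind of discrepancy
# that shows up when two analysis tools use different evidence.
[pscustomobject]@{
    KB                    = $KbId
    RegistrySaysInstalled = $regSays
    FileVersionMeetsFix   = $fileSays
    Discrepancy           = ($regSays -ne $fileSays)
}
```

          Run it with the real KB number and the file/version pair from the bulletin; a row where the registry says installed but the file version is below the fix is the case a registry-only check would miss.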

          • 2. Re: Bladelogic - Microsoft WSUS Patching Integration
            Seth Corder

            I agree with Bill.  WSUS patching is quite flawed.  There are numerous reasons to move away from WSUS/SCCM based Windows patching and to BSA (using Shavlik).

            • The Shavlik data is more literal, tied directly to the bulletin details (and patch metadata).
            • The BSA Patch Analysis feature is a huge differentiation, as it allows BSA to pre-screen server patching needs as well as post-validate patch compliance.  Analysis for WSUS and SCCM is done after creating a patch bundle package of patches, regardless of whether a server needs them or not, and is then evaluated through group policy interaction with the server during run time of the patch.  Patch analysis, remediation payload definition, and scope of execution should never be done during the execution phase.  This introduces a ton of risk.
            • The BSA App Server dictates execution.  Often Windows servers could receive full instructions and payload from Group Policy by way of an SCCM Advertisement (this Deploy Job).  That same server could go offline or the SCCM app servers could crash, and the server can still independently execute the patch payload (this is the age-old push vs. pull approach).  This works well for workstations, as they are often offline, in a desk or bag, on VPN, etc.  It is a terrible idea for servers.
            • It can also be canceled in real time (as close to real time as one could ever hope for).


            To recap: the risk of moving to BSA is much less than staying with WSUS for Windows server patching.


            The only objection that is reasonable is that Shavlik patch availability is slightly delayed from when Microsoft releases patches by Patch Tuesday afternoon.  But the benefits of the switch to BSA far outweigh a potential delay.