3 Replies Latest reply on Sep 8, 2015 7:46 AM by Yanick Girouard

    Compliance - verifying installed Hotfixes against a reference XML

    James Donohue

      Dilemma! Windows Environment. We have a Project going on to move our Patch Management to BSA but that is probably a year away. In the meantime, I'm trying to run Windows Hotfix compliance and the scenario is a bit complex. Here goes. . . .

       

      An XML file resides on all Windows Servers that contains Hotfixes that are supposed to be installed on the Box. I created an 'Extended Object' to consume this XML, as shown in the 'EO-XML' screenshot.

       

      (This example is for Windows 2008 R2 Servers) I'm trying to create a complex Compliance Rule that will:

      • Start reading the XML and get the first line and determine if it contains the string "Windows6.1". If it does, obtain the value of the Bulletin ID (Value 8). If it doesn't, keep reading line by line. If/when found then,
      • Compare the data in Value 8 to the installed Hotfixes on the Server - loop through the Hotfixes / Bulletin ID and determine if there's a match. If not, mark it as non-compliant.
      • Repeat until EOF is reached in the XML.

       

      Is this a pipe dream?

        • 1. Re: Compliance - verifying installed Hotfixes against a reference XML
          Yanick Girouard

          Just out of curiosity, what's preventing you from moving forward with BSA to do the patch analysis? It would really make this task a breeze. All you'd have to do is put the QNUMBERs of the patches in a text file and use that as an include list in your Patching Job to run the analysis. In case you didn't know, you don't have to apply the patches, you can just analyse them to get what's missing if that's all you need.

           

          It takes less than a day to set up (including the initial catalog update), and would save you days of work.

           

          If you still don't want to use BSA, I wouldn't do it this way at all as it's way too complicated for nothing. If you have an XML and this is for Windows, I would use a PowerShell script to loop through it and check if each patch is installed. You can still call the PowerShell script using BSA and NSH if you wish...
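
A sketch of the PowerShell approach suggested above, added here as an example; it is not code from either poster. The XML schema (`Hotfix` elements with `File` and `BulletinID` attributes), the placeholder KB and bulletin values, and the function name `Test-HotfixCompliance` are assumptions, since the thread only shows the file in a screenshot. Because `Get-HotFix` reports KB ids rather than bulletin ids, the match is done on the KB number taken from the file name.

```powershell
# Constructed sample reference file. The real schema is not shown in the thread,
# so the element and attribute names below are assumptions.
$sampleXml = @'
<Hotfixes>
  <Hotfix File="Windows6.1-KB0000001-x64.msu" BulletinID="MS00-001" />
  <Hotfix File="Windows6.1-KB0000002-x64.msu" BulletinID="MS00-002" />
  <Hotfix File="Windows6.0-KB0000003-x64.msu" BulletinID="MS00-003" />
  <Hotfix File="Windows6.1-readme.txt"        BulletinID="MS00-004" />
</Hotfixes>
'@

function Test-HotfixCompliance {
    param(
        [Parameter(Mandatory = $true)][xml]$Reference,
        [string]$OsTag = 'Windows6.1',
        # Installed KB ids; defaults to what Get-HotFix reports on this server.
        [string[]]$InstalledKb = @(Get-HotFix | ForEach-Object { $_.HotFixID })
    )
    # Lookup table of installed KB ids, normalised to upper case.
    $installed = @{}
    foreach ($kb in $InstalledKb) { if ($kb) { $installed[$kb.ToUpper()] = $true } }

    foreach ($entry in $Reference.SelectNodes('//Hotfix')) {
        $file = $entry.GetAttribute('File')
        if ($file -notlike "*$OsTag*") { continue }   # skip entries for other OS versions
        $kbId = $null; $status = 'Unparsed'           # entry matched the OS tag but has no KB id
        if ($file -match '(KB\d+)') {
            $kbId   = $Matches[1].ToUpper()
            $status = if ($installed.ContainsKey($kbId)) { 'Installed' } else { 'Missing' }
        }
        New-Object PSObject -Property @{ BulletinID = $entry.GetAttribute('BulletinID')
            KB = $kbId; File = $file; Status = $status } |
            Select-Object BulletinID, KB, File, Status
    }
}

# Demo with a constructed installed list so it runs anywhere; omit -InstalledKb on a real server.
$report = Test-HotfixCompliance -Reference $sampleXml -InstalledKb 'KB0000001'
$report | Format-Table -AutoSize
$nonCompliant = @($report | Where-Object { $_.Status -ne 'Installed' })
```

`Get-HotFix` reads `Win32_QuickFixEngineering`, which does not list every kind of installed update, so a `Missing` result is worth confirming before the server is reported as non-compliant.
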

          • 2. Re: Compliance - verifying installed Hotfixes against a reference XML
            James Donohue

            Yes, that's what I wound up doing, Yanick. I always try to use the BSA data inherently before I consider creating Extended Objects. But, in this case, as you mentioned, it seems extremely complicated, if not impossible.

             

            Note: I have no control when the Organization is going to move to BSA for Patch Management and was told it's probably a year away. 

            • 3. Re: Compliance - verifying installed Hotfixes against a reference XML
              Yanick Girouard

              Sometimes it's just a matter of missing information. The patch management module could still save a tremendous amount of time by allowing you to scan servers for missing patches. You don't have to fully deploy the patches, you could only use it to analyze missing patches, and that takes no time to set up. It also wouldn't take any space on the file server because you don't have to download any patches to analyze them (until you decide to remediate/install the patches, if you ever do so). I would really try to sell that if I were you. If anything, you probably spent more time working on that PowerShell script than it would have taken you to set up a quick patch catalog.