6 Replies Latest reply on Nov 7, 2012 6:16 PM by Bill Robinson

    Windows Patch Catalog with no Groups

    Jim Campbell

      For situations in which we use a patch analysis job with the 'Group' option selected instead of the option to specify a list, is there an easy way to pull a list of all patches included? If so, is there a way to pull it per OS (2k3, 2k8, 2k8r2)?


      We are being asked by another team to produce a list of either KBs or Bulletins (or preferably both) to compare to another process and I have not found a way to give them a definitive list of either KBs or Bulletins that are being analyzed in this situation.

        • 1. Re: Windows Patch Catalog with no Groups
          Bill Robinson

          What's in the group will vary at runtime; maybe the best bet is to look in the trace.txt on the target and see what is being analyzed for. Otherwise, just before the execution you could run something to dump the members of the smart patch group.

          • 2. Re: Windows Patch Catalog with no Groups
            Jim Campbell

            We don't need this for every execution, just periodically for informational purposes for external groups (auditors). What criterion would we need for a patch smart group to determine everything that Shavlik is analyzing, and is there a way to pull it as Bulletins and/or as KBs (preferably without pulling every different permutation of the KB, since it ends up having about 16000 of those in our current catalog)?

            • 3. Re: Windows Patch Catalog with no Groups

              Jim, there's no way to get the accurate number from the Catalog itself. One simple example of that would be this:

              You have two targets, one has .NET installed, and the other one does not. Logically, on one target you will be scanning for .NET patches, while on the other one they will not be applicable. The same concept will apply to every patch in your catalog pretty much, so if we are talking about all possible patches that could be applicable to your servers (where there will be inapplicability exceptions just like above), you could consider the following conditions for your Smart Groups:


              The hotfix objects will have the OS name and version right in the name, so you can filter by that. Example:

              Windows6.1-2008-R2-SP1-KB982018-v3-x64.msu-MSWU-507-en-WINDOWS SERVER 2008 R2 DATACENTER (X64)-SP1

              Hotfix NAME starts with "Windows6.1-2008-R2" - This will be one of the conditions of your Windows 2008 R2 group, for example.


              Another condition should be about supersedence. Technically we do not scan by default for old patches, so in 8.2 you can say:

              HotFix IS_SUPERSEDED equals False


              With Bulletins, not much there to do except for supersedence, because every Bulletin has patches for multiple OS versions.

              • 4. Re: Windows Patch Catalog with no Groups
                Jim Campbell

                "All possible patches" is what we are looking for to compare to lists used by SCCM. When I try to pull this from the UI it gives me every possible permutation of the patch, and I was hoping there was some easy way to pull just one version (e.g. I don't need to see the datacenter, enterprise, standard, etc. versions and really just need 'KB8675309'). The Is_Obsolete property only exists for bulletins as well, so I don't think I would be able to use that for pulling KBs.


                Another issue is that while hotfixes have a property to differentiate 'Security Tool' from 'Security Patch', this doesn't seem to apply to Bulletins. We apply only the patches, and if I pull the list of Bulletins it seems to be also pulling those that are only security tools.

                • 5. Re: Windows Patch Catalog with no Groups

                  I see. If you just want to see 1 KB, then I would further extend the smart group condition to, for example, only include patches for "standard" or "enterprise". This would limit the number to only one per OS.


                  Correct about is_obsolete, in 8.2 we added it for hotfix.


                  There's really no easy out-of-box way to get the list of just KB numbers, without elaborate conditions, and/or some further parsing after you have exported the patch object names from the smart group via blcli (or other method).


                  I suppose another method could be to parse the information from the depot_software_hotfix table.
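
The "further parsing" step described in reply 5, as an added example that is not part of the original thread and not the vendor's code: it takes hotfix object names already exported from a smart group and collapses the edition permutations into unique KB numbers per OS. Only the `Windows6.1-2008-R2` prefix and the first sample name come from the thread; the other prefixes, the OS labels and the remaining sample names are constructed assumptions.

```python
import re
from collections import defaultdict

# Name prefix -> OS label. Only "Windows6.1-2008-R2" comes from the thread;
# the other two prefixes are assumptions to verify against your own catalog.
OS_PREFIXES = {
    "Windows6.1-2008-R2": "2k8r2",
    "Windows6.0-2008": "2k8",       # assumed prefix
    "WindowsServer2003": "2k3",     # assumed prefix
}
KB_RE = re.compile(r"(?<![A-Za-z0-9])KB(\d+)", re.IGNORECASE)

def classify_os(name):
    """Return the OS label for a hotfix name, trying the longest prefix first."""
    for prefix in sorted(OS_PREFIXES, key=len, reverse=True):
        if name.lower().startswith(prefix.lower()):
            return OS_PREFIXES[prefix]
    return "unclassified"  # surfaced in the output instead of being dropped

def kbs_per_os(names):
    """Return ({os_label: sorted unique KBs}, [names with no KB number])."""
    found, unparsed = defaultdict(set), []
    for raw in names:
        name = raw.strip()
        if not name:
            continue
        match = KB_RE.search(name)
        if match is None:
            unparsed.append(name)  # keep for manual review by the auditor
            continue
        found[classify_os(name)].add("KB" + match.group(1))
    per_os = {k: sorted(v, key=lambda kb: int(kb[2:])) for k, v in found.items()}
    return per_os, unparsed

# Constructed sample export; only the first name is quoted from the thread.
SAMPLE_EXPORT = [
    "Windows6.1-2008-R2-SP1-KB982018-v3-x64.msu-MSWU-507-en-WINDOWS SERVER 2008 R2 DATACENTER (X64)-SP1",
    "Windows6.1-2008-R2-SP1-KB982018-v3-x64.msu-MSWU-507-en-WINDOWS SERVER 2008 R2 ENTERPRISE (X64)-SP1",
    "Windows6.1-2008-R2-SP1-KB982018-v3-x64.msu-MSWU-507-en-WINDOWS SERVER 2008 R2 STANDARD (X64)-SP1",
    "Windows6.1-2008-R2-SP1-KB9999901-x64.msu-MSWU-000-en-WINDOWS SERVER 2008 R2 STANDARD (X64)-SP1",
    "Windows6.0-2008-SP2-KB9999902-x64.msu-MSWU-000-en-WINDOWS SERVER 2008 ENTERPRISE (X64)-SP2",
    "ExampleTool-x86.exe-MSWU-000-en-WINDOWS SERVER 2003 STANDARD-SP2",
]

if __name__ == "__main__":
    per_os, unparsed = kbs_per_os(SAMPLE_EXPORT)
    for os_label in sorted(per_os):
        print(os_label, ", ".join(per_os[os_label]))
    print("no KB number found:", unparsed)
```

Supersedence is not visible in the object name, so the export fed to this script should come from a smart group that already applies the `IS_SUPERSEDED equals False` condition.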

                  • 6. Re: Windows Patch Catalog with no Groups
                    Bill Robinson

                    If you want to know just what's in the catalog or smart group, that should be pretty easy to dump. Will that be sufficient?