what's in the group will vary at runtime, maybe the best bet is to look in the trace.txt on the target and see what is being analyzed for. otherwise, just before the execution you could run something to dump the members of the smart patch group.
We don't need this for every execution, just periodically for informational purposes for external groups (auditors). What criterion would we need for a patch smart group to determine everything that Shavlik is analyzing, and is there a way to pull it as Bulletins and/or has KBs (preferably without pulling every different permutation of the KB since it ends up having about 16000 of those in our current catalog) ?
Jim, there's no way to get the accurate number from the Catalog itself, one simple example of that would be this:
You have two targets, one has .NET installed, and the other one does not. Logically on one target you will be scanning for .NET patches, while on another one they will be not applicable. The same concept will apply to every patch in your catalog pretty much, so if we are talking about all possible patches that could be applicable to your servers (where there will be inapplicability exceptions just like above), you could consider the following conditions for your Smart Groups:
The hotfix objects will have the OS name and version right in the name, so you can filter by that. Example:
Windows6.1-2008-R2-SP1-KB982018-v3-x64.msu-MSWU-507-en-WINDOWS SERVER 2008 R2 DATACENTER (X64)-SP1
Hotfix NAME starts with "Windows6.1-2008-R2" - This will be one of conditions of your Windows 2008 R2 for example.
Another condition should be about supersedence. Technically we do not scan by default for old patches, so in 8.2 you can say:
HotFix IS_SUPERSEDED equals False
With Bulletins, not much there to do except for supersedence, because every Bulletin has patches for multiple OS versions
"All possible patches" is what we are looking for to compare to lists used by SCCM. When I try to pull this from the UI it gives me every possible permutation of the patch and I was hoping there was some easy way to pull just one version ( e.g. I don't need to see the datacenter, enterprise, standard, etc versions and really just need 'KB8675309' ). The Is_Obsolete property only exists for bulletins as well so I don't think I would be able to use that for pulling KBs.
Another issue is that while hotfixes have a property to differentiate 'Security Tool' from 'Security Patch' this doesn't seem to apply to Bulletins. We apply only the patches and if I pull the list of Bulletins it seems to be also pulling those that are only security tools.
I see, if you just want to see 1 KB, then I would further extend the smart group condition to for example only include patches for "standard" or "enterprise". This would limit the number to only one per OS.
Correct about is_obsolete, in 8.2 we added it for hotfix.
There's really no easy way out-of-box way to get the list of just KB numbers, without elaborate conditions, and/or some further parsing after you have exported the patch object names from the smart group via blcli (or other method).
I suppose another method could be to parse the information from depot_software_hotfix table
If you want to know just what’s in the catalog or smart group that should be pretty easy to dump. Will that be sufficient ?