OS Patch Detect Scanning - Active, Inactive, or both?
For OS patches, detect only scanning, patch labels, what are you guys doing?
1. ALL PATCHES (I know this includes app patches)
2. Active Patches Only
3. Active and Inactive patches
The question relates to reporting. Do you guys want to know exactly how many OS patches are installed / missing that are both active and inactive? Or just know what OS active patches are installed / missing? What I think I want to see is an exact number of how many OS patches are installed and missing. Is there a down side to this, does it not make sense, and how should I detect to achieve this? Or, what are you doing to get a accurate installed / Missing patch count report?
I have one detect only once a day.
Then I have two types of deploy jobs:
1. over all patches - for all machines which are "long enough in the env", also daily (small env and some machines are really unregulary online, so I try to catch them with that)
2. detect + deploy for all machines which are freshly deployed, running all 4hr (to catch up with all patches)
I use only active patches ;)
I have two reports (weekly sent)
1. shows all patched systems and the percentage of how many patches are patched
2. failed patches
If you ask for "best patching strategy" you will geht millions of correct answers, since every env has its own needs.