Jump to content


Kops

Update compliance in need of serious attention

Recommended Posts

So the reason your compliance numbers are so low is because your ADR's are adding the new updates they find to an existing group which is causing the group to constantly have to re-evaluate. Depending on the activity on your clients and how often they are on the network as well as how often you are running your compliance checks it takes some time to get the numbers back.

 

One way to do the ADR's would be to run them once per month and have them create a new group everytime they are ran. This will leave the old group with its compliance numbers so that it won't re-evaluate on you. Once a quarter or 1/2 year or full year you can take the groups and combine them down to a single group covering a larger time period.

 

For instance I take my update groups once they reach 85% compliance and merge them into a bigger group for the entire quarter and then finally the entire year. (with the amount of updates lately though this is more difficult to merge due to the cap of 1000).

 

veu9gz.jpg

 

I haven't moved the November and December 2014 into the year group yet because of the updates limit per group. You can see my ADR group which is the Microsoft Forefront Endpoint one has low compliance because of the constant changes to the group and it having to re-evaluate constantly. Basically the same situation that you are having.

Share this post


Link to post
Share on other sites

Thanks for the reply Garrett, interesting thoughts. What you've said might explain a few things..

 

We have an ADR for Critical/Security updates only that runs every day, and adds to an existing software update group (to avoid creating new groups everyday) - this is the one with the low compliance. I've now created another ADR to run every second wednesday for regular windows updates and to create a new group each time, so I'll monitor how that reports compliance and see how that goes.

 

If I report out of Monitoring > Reports, the compliance numbers actually look great. It just seems to be in the Software Update Group area that shows them very low.

Share this post


Link to post
Share on other sites

The way to tell your entire environment compliance would be to go to Software Library > Software Updates > Software Update Groups. The compliance numbers there are for the entire environment regardless of deployment.

 

To see the compliance isolated to a deployment then you'd have to run a report based on a given collection of machines as you are probably already doing.

Share this post


Link to post
Share on other sites

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Guest
Reply to this topic...

×   Pasted as rich text.   Paste as plain text instead

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

Loading...


×
×
  • Create New...

Important Information

We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.