Steve Lamb's Blog

Security Matters


Why doesn't SMS check to see whether I've actually installed security updates before inflicting them upon me?


The SMS client is present on my computer (Windows XP SP2) to ensure that it's up to date with security updates. I think that's a good thing.

I happen to also use Windows Update and therefore tend to have security updates on my machine before I arrive in the office. Due to traffic in the UK I often work from home first thing in the morning and thereby reduce my commute.

Unfortunately SMS kicks in when I connect to the corporate network (as it did this morning) and informs me that I must allow it to update my system some time today.

Why on Earth can't it check my system before forcing me to go through the hassle of slow network performance/CPU and the inevitable reboot? I'm not an SMS expert and therefore don't know whether SMS can be configured to check first or if that's a limitation of the product. Please hit the "comment button" if you have an inkling either way.

YES I GET FRUSTRATED BY SECURITY sometimes just like everyone else. Effective Security is all about using controls in a meaningful way. I hope I've "lost the plot" somewhere here and one of you is going to add a comment letting me know how to comply with policy whilst avoiding the interruption of unnecessary updates.

Comments
  • AHHHH A love hate relationship.... I may suggest just letting SMS manage the box. Also, sounds like SMS patches are allowing you a grace period (/g:XX) which at least gives you some time to reboot when you want.

  • It is possible for SMS to check whether you have an update, but this check is not done at your machine, it's done in the SMS database. If the information in the SMS database is wrong (i.e. the last scan was yesterday, but you patched your machine overnight) you'll still get targeted. What you find with those updates is that they are mostly smart enough so that when the hotfix executable runs, it detects that it's already installed and exits quickly.

  • Interesting. I understand the situation - you patched your system manually (with Windows Update). Your corporate SMS guys are pushing the patches to a collection that has your system as a target. You receive notification... what happens when you allow it to run? If the patches are already applied (and your SMS Admins are using the patch mgmt features in SMS), the program (patchinstall.exe) should see that you already have these patches applied, and gracefully exit.

    If it doesn't gracefully exit, and it does force a system reboot, I would suggest checking the event viewer to see if new patches were actually installed, or if your Admins have SMS configured to force reboot.
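The last two comments suggest checking locally whether the pushed updates are really already installed and whether a reboot is genuinely pending. The following PowerShell script is an added example of that local check; it is not code from the post, from its commenters, or from SMS itself. It assumes PowerShell 2.0 or later on the client, and the KB numbers in it are placeholders standing in for whatever updates the SMS advertisement names.

```powershell
# Added example (not from the post or its commenters): verify on the client
# which of a set of updates are already installed, what the Windows Update
# Agent has logged, and whether a restart is still outstanding.
# The KB numbers are placeholders, not updates named on the page.
$ExpectedUpdates = @('KB000001', 'KB000002')   # placeholder KB ids

function Get-UpdateStatus {
    param([string[]]$KbIds)
    # Get-HotFix wraps Win32_QuickFixEngineering, the installed-hotfix inventory
    # that SMS's database only sees as of the client's last hardware inventory scan.
    $installed = Get-HotFix | Select-Object -ExpandProperty HotFixID
    foreach ($kb in $KbIds) {
        New-Object PSObject -Property @{
            KB        = $kb
            Installed = ($installed -contains $kb)
        }
    }
}

function Get-RecentUpdateEvents {
    param([int]$Count = 20)
    # Event ID 19 from the Windows Update Agent source is "Installation Successful"
    # on XP/2003. On Vista and later the source name is
    # Microsoft-Windows-WindowsUpdateClient; adjust -Source accordingly.
    Get-EventLog -LogName System -Source 'Windows Update Agent' -Newest 200 -ErrorAction SilentlyContinue |
        Where-Object { $_.EventID -eq 19 } |
        Select-Object -First $Count TimeGenerated, Message
}

function Test-RebootPending {
    # Windows Update creates this key when an installed update still needs a restart.
    $wu = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\RebootRequired'
    # Component Based Servicing (Vista and later) uses this one instead.
    $cbs = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing\RebootPending'
    return ((Test-Path $wu) -or (Test-Path $cbs))
}

Get-UpdateStatus -KbIds $ExpectedUpdates | Format-Table KB, Installed -AutoSize
Get-RecentUpdateEvents | Format-Table -AutoSize -Wrap
"Reboot pending: $(Test-RebootPending)"
```

If every expected KB shows Installed = True and no reboot is pending, the SMS advertisement is working from a stale inventory rather than a real gap, which is exactly the database-versus-client mismatch the second comment describes; the fix in that case is to trigger a fresh inventory cycle so the collection membership catches up, not to skip the policy.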
