Patch Management Solution

  • 1.  Windows 7 Extended Security Update (ESU) Detection Rules

    Posted Mar 23, 2020 05:49 PM
    Hi all,

    Just wanted to ask the community if anyone has been deploying Windows 7 Extended Security Updates (ESUs) via Software Delivery? What detection rules are you using?

    Thanks!


  • 2.  RE: Windows 7 Extended Security Update (ESU) Detection Rules
    Best Answer

    Broadcom Employee
    Posted Mar 24, 2020 12:21 PM
    Hi!

    Talking about ESU detection rules: there are 2 main options available for use with Software Delivery.

    The most obvious is to define a new registry-based detection rule right for the imported Software Package of the MSU update.
    In this case you should specify the exact path to the key, taking it from "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing\Packages". As it contains some additional values (besides the KB name), it is most convenient to take it from an existing setup with the update installed.

    Another option could be a script task that is added to the Managed Software Delivery policy, configured to abort execution upon the return code of the task.
    The drawback here is that the package will still be downloaded to each targeted client, and the policy will be marked as failed, even for clients where the update is installed.
    A sample script task could query only for the KB, like:
    • REG QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing\Packages" /f KB4541500
    Regards,
    Andrei
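
Added example, not part of the original post and not Broadcom's own code: a PowerShell variant of the script-task check above that lists the full package key names for a KB (the names a registry-based rule needs) and exits 0 on a match, 1 otherwise. It assumes the `CurrentState` value under each package key equals 112 (0x70) when the package is installed; the function and variable names are hypothetical.

```powershell
# Added example; written for PowerShell 2.0, the version shipped with Windows 7.
param(
    [string]$KB = 'KB4541500'   # KB from the post above; pass another KB as needed
)

$cbsPackages = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing\Packages'
$installedState = 112           # Assumption: CurrentState 0x70 means "Installed"

function Get-InstalledKbPackage {
    param([string]$Path, [string]$KB, [int]$State)

    # A missing servicing key means nothing can be reported as installed.
    if (-not (Test-Path -LiteralPath $Path)) { return @() }

    # Subkey names embed the KB plus a token, architecture and version
    # (Package_for_<KB>~<token>~<arch>~~<version>), so match on the KB only.
    # The trailing [~_] keeps a shorter KB number from matching a longer one.
    $pattern = [regex]::Escape($KB) + '([~_]|$)'

    Get-ChildItem -LiteralPath $Path |
        Where-Object { $_.PSChildName -match $pattern } |
        Where-Object {
            # Keep only packages whose servicing state is "Installed";
            # staged or superseded packages are ignored.
            $p = Get-ItemProperty -LiteralPath $_.PSPath -ErrorAction SilentlyContinue
            $p -and ($p.CurrentState -eq $State)
        } |
        ForEach-Object { $_.PSChildName }
}

$found = @(Get-InstalledKbPackage -Path $cbsPackages -KB $KB -State $installedState)

if ($found.Count -gt 0) {
    # Print the exact key names so they can be copied into a detection rule.
    $found | ForEach-Object { Write-Output "Installed: $_" }
    exit 0    # match found
}

Write-Output "$KB not found in Installed state"
exit 1        # no installed package matched
```

Run it once on a machine that already has the update to capture the exact key names, as the post recommends.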


  • 3.  RE: Windows 7 Extended Security Update (ESU) Detection Rules

    Broadcom Employee
    Posted Mar 24, 2020 01:08 PM
    Edited by Igor Perevozchikov Mar 24, 2020 01:47 PM
    .





  • 4.  RE: Windows 7 Extended Security Update (ESU) Detection Rules

    Posted Mar 27, 2020 04:06 PM
    Thanks! This is what we have been doing, but it's great to get confirmation that we're using the right approach.