Hi All,

I have a very quick question regarding compliance baselines targetting software updates. Does the update need to just be downloaded into a software update package and on an available DP or does the update also have to be deployed to the client for the compliance baseline to automatically remediate the install of this patch?

I'm looking at using ADRs and Software Update Deployments for our monthly patching but also maintain a seperate package that is just distributed and not deployed that the compliance settings can use to remediate devices that come back on the network after a few months.

Ideally this saves me keeping active deployments for months of patches about but old clients can still back patch themselves using the compliance baseline.

Software Updates are not remediated by compliance settings so this is moot. 

What's wrong with keeping an active deployment and why would you want to avoid that?

Hi Jason,

I'm currently using an active deployment for back patching and seperate ADRs for our monthly cycle. It's not that there is anything wrong with this approach, I'm just digging into compliance and it seemed like a very elegant way of managing the whole thing.

If I have an active deployment to my clients for all my updates and I'm getting the compliance reporting back from this, what's the point of a software updates baseline?

Separate compliance activities is the only answer here. If a way to create surface compliance in a separate manner that can be exposed to external systems or used to create collections among other things. Since it can't enforce update installation, it's a moot point though.