You administer a group of servers that run Windows Server 2012 R2.
You must install all updates. You must report on compliance with the update policy on a monthly
basis.
You need to configure updates and compliance reporting for new devices.
What should you do?
A.
Deploy the Microsoft Baseline Security Analyzer. Scan the servers and specify the /apply switch.
B.
In Configuration Manager, deploy a new Desired Configuration Management baseline that
includes all required updates.
C.
Configure a new group policy to install updates monthly. Deploy the group policy to all servers.
D.
In Operations Manager, create an override that enables the software updates management pack.
Apply the new override to the servers.
Instead of C and D options below are new options. please confirm the answer for the below 2 options.
Configure windows server update service(WSUS) to automatically approve all updates. Configure the servers to use the WSUS server for updates
In the service manager console, add all updates and servers to a new change request. Approve the Change request
That one is pretty obvious lol.
Configure windows server update service(WSUS) to automatically approve all updates. Configure the servers to use the WSUS server for updates
what about B ???
I think C is correct, compliance reporting can be done by using WSUS:
https://technet.microsoft.com/en-us/library/cc708428(v=ws.10).aspx
B could also be used for compliance reporting but it just does not seem the right answer as it is SCCM product and updates are then not configured.
My issue with the given answer is that it mentions nothing about wsus configuration/approval. This configuration is implied in (B) when it mentions “includes all required updates”
DCR in sccm (with update point role installed) can report on and remediate noncompliant devices. New devices can also be identified in SCCM.
I would go for B as the answer.
B.
https://technet.microsoft.com/en-us/library/bb680553.aspx
it doesn’t say anything about SCCM in the question. so shouldn’t it be C? It would B if they were using SCCM.
Agreed
C: Configure a new group policy to install updates monthly. Deploy the group policy to all servers.
C looks like the usual Microsoft Red Herring though, because they ask us to report on compliance with the update policy on a monthly basis. They don’t tell use we need to install updates monthly.
https://www.microsoftpressstore.com/articles/article.aspx?p=2273508&seqNum=2
I took an hour to read this, C doesn’t mention about WSUS, there is no updates and compliance reporting from group policy itself, which is the most important requirement for the question. I prefer answer B.
C can’t be, with group policy you cant choose to install update monthly you can choose only week day and timo to perform notification, download, updates ecc.
The same is for WSUS, automatic update using WSUS are implemented via group policy, and also there is no mention that WSUS is installed on some server, “Configure Windows Update Service WSUS to automatically ….” means that it’s already installed on at least one server. No mention about this.
Finally Configuration Manager is the only one that can check the compliance on a wider scheduler for example each 30 day, and generate compliance report.
The correct answer is B.
BluAlien is right!