Patch Management Software - Setting Up and Configuring Automated Patch Deployment


Desktop Central allows automating Patch Management at various levels. For example, Administrators can:

  1. Choose to scan the systems in the network to detect the missing patches.

  2. Scan and download the missing patches.

  3. Scan, download, and deploy the missing patches.

All of the above operations can be applied to specific sets of target computers; for example, some systems are only scanned, while others are automatically patched.

 

Follow the steps below to create scheduled tasks for automating patch management using Desktop Central:

  1. Click the Admin tab to invoke the Admin page.

  2. Click the Automate Patch Deployment link available under Patch Settings.

  3. Click Add Scheduled Task button and specify the following:

    1. Specify a name for the task

    2. Select the deployment option from any of the following:

      • Scan the Systems to Identify the Missing Patches: This is the default option, which scans your network to detect the vulnerable applications.

      • Scan the Systems and Download the Missing Patches: Use this option to detect the vulnerable systems/applications in your network and download the corresponding fixes from the respective vendor's website.

      • Download the Missing Patches and Draft the Patch Configuration: Use this option to automatically download the missing patches from the respective vendor's website and create a draft of the Patch Configuration. Configure the deployment settings.

      • Automatically Download and Deploy the Missing Patches: Use this option to scan the systems periodically to identify the missing patches, download the patches from the respective vendor's website, and deploy the patches to the computers. Configure the deployment settings.

      • Configure the deployment settings by specifying the following:

          • Install Options: When the installation should take place: during computer startup, at the refresh interval, or at whichever of the two occurs earlier.

          • Install between time: The time window in which the installation should happen. The window should be more than 2 hours.

          • Deployment Policy: Whether to continue deployment even if some patches cannot be downloaded.

          • Skip Deployment: Allow users to skip deployment.

          • Show Deployment progress: Show deployment progress in client computers.

          • Reboot policy: Whether to reboot the computer by forcing it or allow the user to reboot later.

    3. After selecting the required option, the next step is to schedule the frequency to scan the systems. You have the following options to schedule:

      • Daily - to schedule the scan to run every day. You need to specify the starting time and starting day.

      • Weekly - to schedule the scan to run on specific day(s) in a week. You need to specify the starting time and the day(s) on which the scan has to be run.

      • Monthly - to schedule the scan to run on a specific day of the selected month(s). You need to specify the starting time, select a day, and select a month or months.

      • If you want a mail to be sent upon successful completion of the task, select the Notify when Task Finishes check box and provide the email address. You can specify multiple email addresses as comma-separated values.

    4. The next step is to select the target computers on which the above operations have to be performed. The target chosen can be a whole domain, site, OU, Group or specific computers. You can also exclude computers from the chosen targets based on specific criteria.

    5. After adding the required target computers, click Create Task.

Repeat the above steps to create more tasks.


Note: It is advisable to schedule the Vulnerability Database synchronization prior to scanning the network systems so that the latest patch information will be available for comparison.

 

Managing the Scheduled Tasks

Automatic Patch Deployment can be customized so that managing the tasks becomes easier. Every scheduled task can now be managed by:


Modifying the Status of Tasks

To modify the status of an Automatic Patch Deployment task, follow the steps mentioned below:

  1. Click the Admin tab to invoke the Admin page.

  2. Click the Automate Patch Deployment link available under Patch Settings.

  3. Under the Automate Patch Deployment view, click on the task for which you want to view the status.

  4. To modify the status of the task, click the modify icon against the task name and click Save.

You have modified the status of the scheduled automated patch deployment task.


Note: Modifying a task is not recommended during the scheduled time (while a scan or download has been initiated). If you modify the task, the current schedule will be stopped and the modified task will be executed only during the next scheduled time.

 

Suspending the Scheduled Automatic Patch Deployment Tasks

To suspend an Automatic Patch Deployment task, follow the steps mentioned below:

  1. Click the Admin tab to invoke the Admin page.

  2. Click the Automate Patch Deployment link available under Patch Settings.

  3. Under the Automate Patch Deployment view, click on the task for which you want to view the status.

  4. To suspend the task, click the suspend icon and click Save.

You have suspended the scheduled automated patch deployment task.


Note: Suspending a task suspends all the activities of the task, such as scanning, downloading and deployment. Before suspending a task, make sure that you want to suspend all of these activities, including the scheduler.

Viewing the Status of Tasks

To view the status of an Automatic Patch Deployment task, follow the steps mentioned below:

  1. Click the Admin tab to invoke the Admin page.

  2. Click the Automate Patch Deployment link available under Patch Settings.

  3. Under the Automate Patch Deployment view, click on the task for which you want to view the status.

You can view the status of the scheduled automated patch deployment task.



You will find the following details:

Summary

Task details: This view lists the configured details of the task, such as task name, task created time, modified time, deployment option, deployment policy, etc.

Task Scan Summary: This report lists the scan details of the task, such as the total number of computers scanned, the list of computers where the scan succeeded, the list of computers where the scan failed, and the list of computers yet to be scanned. The report displayed here reflects the results of the previous scheduled run.

Patch Download Summary: This report lists the detailed summary of patches that are downloaded. Patch download starts after the scanning is completed, which is ideally a couple of hours after the scheduled time. For example, if a task is scheduled at 10:00 AM, the patch scanning starts then and gets the complete list of missing patches, and the patch download starts at 12:00.

Deployment Summary: This report lists the details of the deployment status. Deployment of downloaded patches happens based on the deployment policy. If the policy is defined to deploy the patches only after all the patches are downloaded, then the deployment starts only after all the scheduled patches are downloaded successfully. If the policy is defined to deploy the successfully downloaded patches, then whichever patches have been downloaded successfully will be deployed, and the failed patches will be deployed during the subsequent deployment schedule.

 

Scan Details: You can find the detailed list of computers that are scanned successfully, computers in which the scan process has failed and computers which are yet to be scanned.

Download Details: All the patches that have been downloaded successfully, are yet to be downloaded, or have failed to download are listed here. The patch download process starts two hours after the scanning is initiated. You can also set the severity for the missing patches so that patches can be deployed based on their severity.

System View: You can view the lists of computers based on the status of the task. This view lists the computers for which scanning is completed, failed or yet to start. For computers where scanning is completed, you can find the status of the patches that are downloaded, download failed, and yet to download. The patch deployment status is also listed per computer: deployment successful, deployment failed and yet to be deployed.

Patch View: You can view the list of patches that have been downloaded, as per the severity. Patches that are yet to be downloaded are also listed.

    Tips and Tricks:

  1. Deployment Settings - Install between time interval should be more than 2 hours.

  2. You can deploy the patches which have been downloaded and drafted by clicking the Deploy button, so that the patch deployment is initiated from the draft mode.

  3. Download Details - If you have configured your deployment policy to "initiate the deployment only if all the missing patches have been downloaded successfully", then your deployment will fail even if only one of the missing patches cannot be downloaded. In such cases, you can delete the patches whose download failed, so that the deployment process is initiated for the patches which have been downloaded successfully.

  4. Download Details - You can select the patches for which the download has failed and click Download to retry the download process.
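The deployment policy behaviour described under Deployment Summary and in tips 1 and 3 can be reasoned about with a small model. The following is an added example, not Desktop Central code or an API of the product; the function names, status strings and patch IDs are assumptions made for illustration.

```python
from datetime import time

MIN_WINDOW_MIN = 120  # page: "Install between" interval should be more than 2 hours

def window_minutes(start: time, end: time) -> int:
    """Length of the install window in minutes; the window may cross midnight."""
    s = start.hour * 60 + start.minute
    e = end.hour * 60 + end.minute
    return (e - s) % (24 * 60)  # start == end yields 0 and is treated as invalid

def window_ok(start: time, end: time) -> bool:
    """True only when the window is strictly longer than 2 hours."""
    return window_minutes(start, end) > MIN_WINDOW_MIN

def plan_deployment(downloads: dict, require_all: bool) -> dict:
    """Model of the two deployment policies.

    downloads maps a patch id to 'downloaded', 'failed' or 'pending'.
    require_all=True : deploy only if every missing patch was downloaded.
    require_all=False: deploy what was downloaded; the rest waits for the
                       subsequent deployment schedule.
    """
    ready = sorted(p for p, s in downloads.items() if s == "downloaded")
    not_ready = sorted(p for p, s in downloads.items() if s != "downloaded")
    if require_all and not_ready:
        # One failed or pending download holds back every patch in the task.
        return {"deploy": [], "deferred": ready + not_ready, "blocked_by": not_ready}
    return {"deploy": ready, "deferred": not_ready, "blocked_by": []}

def drop_failed(downloads: dict) -> dict:
    """Tip 3: remove failed downloads so an all-or-nothing task can proceed."""
    return {p: s for p, s in downloads.items() if s != "failed"}

# Constructed sample data (hypothetical patch ids, not real identifiers).
SAMPLE = {"PATCH-A": "downloaded", "PATCH-B": "failed", "PATCH-C": "downloaded"}

if __name__ == "__main__":
    print(window_ok(time(22, 0), time(1, 30)))   # window crossing midnight
    print(plan_deployment(SAMPLE, require_all=True))
    print(plan_deployment(drop_failed(SAMPLE), require_all=True))
    print(plan_deployment(SAMPLE, require_all=False))
```

Under the all-or-nothing policy a single failed download leaves every patch in the task undeployed, so the `blocked_by` list is the item to review after each scheduled run.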

 

 

 

 

See Also: Patch Management Architecture, Patch Management Life Cycle, Scan Systems for Vulnerability, Patch Reports

 

Copyright © 2005-2014, ZOHO Corp. All Rights Reserved.
ManageEngine