Patch Management Software - Setting Up Configuring Automated Patch Deployment

Desktop Central allows automating Patch Management at various levels. For example, Administrators can:

  1. Choose to scan the systems in the network to detect the missing patches.

  2. Scan and download the missing patches.

  3. Scan, download and draft the missing patches.

  4. Scan, download, and deploy the missing patches.

Each of the above operations can be applied to a specific set of target computers; for example, some systems can be scanned only, while others are patched automatically.

Follow the steps below to create scheduled tasks for automating patch management using Desktop Central:

  1. Click the Admin tab to invoke the Admin page.

  2. Click the Automate Patch Deployment link available under Patch Settings.

  3. Click the Add Scheduled Task button and specify the following:

    1. Specify a name for the task

    2. Select the deployment option from any of the following:

      1. Scan the Systems to Identify the Missing Patches: This is the default option, which scans your network to detect the vulnerable applications.

      2. Scan the Systems and Download the Approved Missing Patches: Use this option to detect the vulnerable systems/applications in your network and download the corresponding fixes from the respective vendor's website.

      3. Scan the Systems, Download the Approved Missing Patches and Draft the Patch Configuration: Use this option to automatically download the missing patches from the respective vendor's website and create a draft of the Patch Configuration. Configure the deployment settings.

      4. Scan the Systems, Download and Deploy the Approved Missing Patches: Use this option to scan the systems periodically to identify the missing patches, download the patches from the respective vendor's website, and deploy the patches to the computers. Configure the deployment settings.

    3. Specify the severity for Microsoft and Third Party Applications:

      1. Deploying Operating System Updates: If you want to deploy only updates related to operating systems, choose only "Microsoft/Apple Applications" and follow the steps below:

        1. Enable the check box to deploy "Security Updates".

        2. Specify the "Severity" as Critical/Important/Moderate/Low/Unrated. Only the patches with the selected severities will be deployed via Automated Patch Deployment.

        3. Enable the check box to deploy "Non-Security Updates".

        4. Specify whether you want to deploy all applications, or specify the applications that need to be included/excluded. If you do not choose "Third Party Updates", only updates related to operating systems will be deployed.

      2. Deploying Third Party Updates: If you want to deploy only updates related to third-party applications, choose only "Third Party Applications" and follow the steps below:

        1. Specify the "Severity" as Critical/Important/Moderate/Low/Unrated. Only the patches with the selected severities will be deployed via Automated Patch Deployment.

        2. Specify whether you want to deploy all applications, or specify the applications that need to be included/excluded. If you do not choose updates from "Microsoft/Apple Applications", only updates related to Third Party Applications will be deployed.

    4. Configure the deployment settings by selecting a Deployment Policy:
      If you have set any policy as the default, the default policy will be automatically applied to the configuration. You can also choose from the policies listed under "Apply Deployment Policy". The policies are segregated as My Policies and Created by Others. You can click View Details to see the policy details and the list of configurations to which the policy is applied.
      If you do not have an existing deployment policy, you can create one by clicking on create policy.

    5. Enable the check box to continue deployment, even if some of the patches cannot be downloaded.

    6. Configure the scheduler settings:
      After selecting the required option, the next step is to schedule the frequency to scan the systems. You have the following options to schedule:

      1. Once - to schedule the scan to be run only once. You need to specify the starting date and starting time.

      2. Daily - to schedule the scan to run every day. You need to specify the starting time and starting day.

      3. Weekly - to schedule the scan to run on specific day(s) in a week. You need to specify the starting time and the day(s) on which the scan has to be run.

      4. Monthly - to schedule the scan to run on a specific day every month(s). You need to specify the starting time, select a day and select a month/months.

      If you want a mail to be sent upon successful completion of the task, select the Notify when Task Finishes check box and provide the email address. You can specify multiple email addresses as comma-separated values.

    7. Choose a Target:

      1. The next step is to select the target computers on which the above operations have to be performed. The target chosen can be a whole domain, site, OU, Group or specific computers. You can also exclude computers from the chosen targets based on specific criteria.

      2. After adding the required target computers, click Create Task.

      3. Repeat the above steps to create more tasks.

    8. Configure Execution Settings:
      Enable the check box "Retry this configuration on failed targets" to retry executing the configuration on targets where it failed. You can also specify the total number of retry attempts, which includes retries during system startup and at the refresh interval.

Note: It is advisable to schedule the Vulnerability Database synchronization prior to scanning the network systems so that the latest patch information will be available for comparison.

Managing the Scheduled Tasks

Automatic Patch Deployment can be customized, so that managing the tasks becomes easier. Every scheduled task can be managed in the following ways:

Modifying the Task

To modify the automatic patch deployment task, follow the steps mentioned below:

    1. Click the Admin tab to invoke the Admin page.

    2. Click the Automate Patch Deployment link available under Patch Settings.

    3. Under the Automate Patch Deployment view, click on the task for which you want to view the status.

    4. To modify the status of the task, click the Edit icon against the task name, modify the task, and click Save.

You have modified the status of the scheduled automated patch deployment task. Modifying a task is not recommended during the scheduled time (while a scan or download has been initiated). If you modify the task, the current schedule will be stopped and the modified task will be executed only during the next scheduled time.

Points to be Noted:

  1. Automated Patch Deployment (APD) tasks that have been created by a user can be viewed and modified by users who have the same scope.

  2. If the user who created the APD task has been removed from the scope, then the APD tasks can only be viewed by that user. The user will not be able to modify those tasks.

  3. Only the Administrator has complete control over all the APD tasks that are created by all the users.

  4. Suppose user A's scope is Unique Groups (UG) UG1 and UG2, and user B's scope is UG2 and UG3. If user A creates an APD task and applies it to the targets UG1 and UG2, user B will not be able to modify the task. If user A has applied the task to UG2 alone, then user B will be able to modify the task.

Suspending the Scheduled Task

To suspend the Automatic Patch Deployment task, follow the steps mentioned below:

    1. Click the Admin tab to invoke the Admin page.

    2. Click the Automate Patch Deployment link available under Patch Settings.

    3. Under the Automate Patch Deployment view, click on the task for which you want to view the status.

    4. To suspend the task, click the icon for suspending the task and click Save.

You have suspended the scheduled automated patch deployment task.

Note: Suspending a task will suspend all the activities of the task, such as scanning, downloading and deployment. Before suspending a task, make sure that you want to suspend all the activities, including the scheduler.

Viewing the Status of Tasks

To view the status of an automatic patch deployment task, follow the steps mentioned below:

    1. Click the Admin tab to invoke the Admin page.

    2. Click the Automate Patch Deployment link available under Patch Settings.

    3. Under Automate Patch Deployment view, click on the task for which you want to view the status.

You can view the status of the scheduled automated patch deployment task.

You will find the following details:

Summary

Task details: This view lists the configured details of the task, such as task name, task created time, modified time, deployment option and deployment policy.

Task Scan Summary: This report lists the scan details of the task, such as the total number of computers scanned, the list of computers where the scan succeeded, the list of computers where the scan failed and the list of computers yet to be scanned. The report displayed here reflects the results of the previous scheduled run.

Patch Download Summary: This report lists a detailed summary of the patches that are downloaded. Patch download starts after scanning is completed, which is ideally a couple of hours after the scheduled time. For example, if a task is scheduled at 10:00 AM, patch scanning starts then and obtains the complete list of missing patches; the patch download then starts at 12:00.

Deployment Summary: This report lists the details of the deployment status. Deployment of downloaded patches happens based on the deployment policy. If the policy is defined to deploy the patches only after all the patches are downloaded, then the deployment starts only after all the scheduled patches are downloaded successfully. If the policy is defined to deploy the successfully downloaded patches, then whichever patches have been downloaded successfully will be deployed, and the failed patches will be deployed during the subsequent deployment schedule.

Scan Details: You can find the detailed list of computers that were scanned successfully, computers on which the scan process failed and computers that are yet to be scanned.

Download Details: All the patches that have been downloaded successfully, are yet to be downloaded, or have failed to download are listed here. The patch download process starts two hours after the scanning is initiated. You can also set the severity for the missing patches so that patches can be deployed based on severity during deployment.

System View: You can view the list of computers based on the status of the task. This view lists computers for which scanning is completed, failed or yet to start. For computers where scanning is completed, you can find the status of the patches: downloaded, download failed, and yet to be downloaded. The patch deployment status is also listed per computer: deployment successful, deployment failed and yet to be deployed.

Patch View: You can view the list of patches that have been downloaded, according to severity, as well as patches that are yet to be downloaded.

Detailed View: You can view the details of all the patches and deployment status in this view. You can see the data in this view, only after the deployment has been initiated for at least one of the patches.

 

Tips and Tricks:

You can deploy the patches that have been downloaded and drafted by clicking the Deploy button, so that the patch deployment is initiated from the draft mode.

Deployment Rule - If you have enabled the check box "Continue deployment even if some patches cannot be downloaded", deployment is initiated even if one of the missing patches cannot be downloaded. If you have not enabled the check box, deployment is not initiated if even one of the missing patch downloads fails. In such cases, you can delete the patches whose download failed, so that the deployment process is initiated for the patches that have been downloaded successfully.

Download Details - You can select the patches for which the download has failed and click Download to retry the download process.
