Configuring Automated Patch Deployment

With the steady rise in attack vectors and the frequency of attacks, it is essential to keep all your enterprise endpoints up to date and patched around the clock. The best way to address this problem is a systematic, automated solution that manages patches for multiple OSs and third-party applications effectively.
Desktop Central's Automate Patch Deployment (APD) feature gives system administrators the ability to deploy the patches missing on their network computers automatically, with no manual intervention required.

Enhancements in Automate Patch Deployment:

Enhancements to the Automate Patch Deployment (APD) feature ensure there are no delays in detecting and deploying patches to the computers in your network that are missing them.

Follow the steps in the section that matches your setup to create and configure an Automate Patch Deployment task:

  1. Desktop Central build version 10.0.192 and above.

  2. Desktop Central build version below 10.0.192.

  3. Migration to the enhanced Automate Patch Deployment feature available in build version 10.0.192.

For Desktop Central build version: 10.0.192 and above: Steps to create an Automate Patch Deployment task

Follow the steps given below to create and configure an Automate Patch Deployment task:

Pre-requisite:

  1. Configure Patch Database Settings to specify the time interval at which the Desktop Central server synchronizes with the Patch Database and collects details of the latest patches available.

Note:

After synchronizing with the Patch Database, the Desktop Central server collects details of the latest patches released. At the next refresh interval, Desktop Central agents automatically scan the computers to check whether the newly available patches are missing. With Automate Patch Deployment, these patches are then deployed without delay, so the task ensures that all the computers in the network are fully patched.

Follow the steps given below to create tasks for automating patch deployment for a set of computers:

  1. Navigate to Patch Mgmt -> Automate Patch Deployment. This view displays all the tasks that have been created.
  2. Click Automate Task to create a new task for Windows/Mac/Linux and name your task.
  3. Configure the required details in the following steps:

    1. Select Applications - The types of OS and third-party applications to patch
    2. Choose Deployment Policy - Configure how and when to deploy the patches based on your enterprise's patching requirements
    3. Define Target - Select the target computers on which to deploy patches
    4. Configure Notifications - Receive notifications on the deployment status

    Select Applications

    This section allows you to select applications for patching:

    1. Deploy Operating System updates: If you want to deploy only updates related to operating systems (for example Windows, Mac or Linux), enable one or more of the following check boxes:

      1. Service Packs - A tested, cumulative set of all hotfixes, security updates, critical updates and updates for different versions of the Windows OS.
      2. Rollups - A cumulative set of updates, including both security and reliability updates, packaged together for easy deployment as a single update; a rollup proactively includes updates that were released in the past.
      3. Optional updates - Also called Preview Rollups; an optional, cumulative set of new updates packaged together and released ahead of the next Monthly Rollup so that customers can proactively download, test and provide feedback.
      4. Feature packs - New product functionality that is included in the full product release.
    2. Deploy Third party updates: If you want to deploy only updates related to third-party applications, specify the severity as Critical/Important/Moderate/Low/Unrated.

    3. Specify whether to deploy all applications or to include/exclude specific applications.

    4. Deploy Anti-virus updates: Select this option to deploy anti-virus definition updates for the following: McAfee VirusScan Enterprise, Microsoft Forefront Endpoint Protection 2010 Server Management, Microsoft Forefront Endpoint Protection 2010 Server Management x64, Microsoft Forefront Client Security, Microsoft Forefront Client Security x64, Microsoft Security Essentials, Microsoft Security Essentials x64

    5. Delay Deployment: You can delay the deployment of patches to ensure their stability, deploying them only after a specific number of days from the date of release or from the date of approval. For example, if you specify "5 days after release", a patch is deployed only 5 days after the day it became supported by Desktop Central. If you choose "after 5 days from approval", the patch is deployed only 5 days after it was marked as approved.
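    As an added worked example (not Desktop Central's own code), the following Python models the selection rules described above for a third-party task: the severity filter, the include/exclude lists, and the deployment delay counted from either the release date or the approval date. All class, field and sample values are assumptions constructed for the example.

```python
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import List, Optional, Set

# Severity levels a task can select for third-party updates (as listed on the page).
SEVERITIES = {"Critical", "Important", "Moderate", "Low", "Unrated"}


@dataclass
class Patch:
    """Patch metadata. Field names are assumptions made for this example."""
    patch_id: str
    product: str
    severity: str
    released: date                   # day the patch became supported by Desktop Central
    approved: Optional[date] = None  # day an admin marked it approved, if at all


@dataclass
class APDTask:
    """The subset of task settings this example models (assumed names)."""
    severities: Set[str]
    include: Set[str] = field(default_factory=set)  # empty set means "all applications"
    exclude: Set[str] = field(default_factory=set)
    delay_days: int = 0
    delay_basis: str = "release"  # "release" or "approval"


def earliest_deploy_date(patch: Patch, task: APDTask) -> Optional[date]:
    """First day the task may deploy the patch, or None when the basis date does
    not exist yet (delay counted from approval, but the patch is not approved)."""
    basis = patch.approved if task.delay_basis == "approval" else patch.released
    if basis is None:
        return None
    return basis + timedelta(days=task.delay_days)


def is_eligible(patch: Patch, task: APDTask, today: date) -> bool:
    """Apply the severity filter, the include/exclude lists and the delay rule."""
    if patch.severity not in task.severities:
        return False
    if patch.product in task.exclude:
        return False
    if task.include and patch.product not in task.include:
        return False
    earliest = earliest_deploy_date(patch, task)
    return earliest is not None and today >= earliest


def select_patches(patches: List[Patch], task: APDTask, today_iso: str) -> List[str]:
    """Return the ids of the patches the task would deploy on the given ISO date."""
    today = date.fromisoformat(today_iso)
    return [p.patch_id for p in patches if is_eligible(p, task, today)]


# Constructed sample data; the ids and dates are not real patch identifiers.
SAMPLE_PATCHES = [
    Patch("P-1", "Adobe Reader", "Critical", date(2024, 3, 1), date(2024, 3, 4)),
    Patch("P-2", "7-Zip", "Low", date(2024, 3, 1), date(2024, 3, 1)),
    Patch("P-3", "Google Chrome", "Critical", date(2024, 3, 1)),  # never approved
]

# "5 days after release": approval is not needed, only the release date counts.
TASK_AFTER_RELEASE = APDTask({"Critical", "Important"}, delay_days=5)
# "after 5 days from approval": an unapproved patch is never eligible.
TASK_AFTER_APPROVAL = APDTask({"Critical", "Important"}, delay_days=5, delay_basis="approval")
# All severities, no delay, but one application excluded from the task.
TASK_EXCLUDE_CHROME = APDTask(set(SEVERITIES), exclude={"Google Chrome"})

if __name__ == "__main__":
    print(select_patches(SAMPLE_PATCHES, TASK_AFTER_RELEASE, "2024-03-06"))
    print(select_patches(SAMPLE_PATCHES, TASK_AFTER_APPROVAL, "2024-03-09"))
```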

    Choose Deployment Policy

    This section allows you to customize and configure the deployment policy used to carry out the deployment.

    1. Customize the patching process according to your enterprise's requirements by configuring the Deployment Policy settings.
    2. The Deployment Policy
    3. If you have set a policy as the default, the default policy is applied to the configuration automatically.
    4. Based on your requirements, choose from the list of pre-defined policies or create a policy of your own.
    5. Click View Details to see the policy details and the list of configurations to which the policy is applied.
    6. The Expiry setting allows you to suspend a task after a specified period of time.

    Define Target

    1. Select the target computers on which deployment has to be performed. The target can be a whole domain or remote offices. If you select the entire domain as the target, all the remote offices in that domain are included as well.
    2. You can filter targets based on sites, OUs, groups, specific computers and more.
    3. 'Exclude Target' allows you to select certain targets to exclude from the patch deployment task. For example, you can exclude server machines while deploying non-security updates.

    Configure Notifications

    Configure Notification settings to receive email notifications for the following:

    Managing the scheduled tasks:

    The automated patch deployment tasks that have been created can be managed easily:

    1. Navigate to Patch Mgmt -> Automate Patch Deployment. This view displays all the tasks that have been created.
    2. Click on the Actions tab.
    3. To modify the task, click Modify and select an option of your choice.
    4. To create a copy of the task, click Save as New.
    5. To suspend a task temporarily and resume its deployment later, click Suspend. If you no longer want a task to be deployed, click Delete.

    Points to be Noted:

    Viewing the details and status of a task:

    Navigate to Patch Management -> Automate Patch Deployment. In this view, click on the status of the task whose details you want to view. The following details are listed:

    1. Summary - Displays a detailed summary of the executed task along with the deployment status (whether it failed or succeeded).
    2. System view - Lists computers based on the deployment status of the task.
    3. Patch view - Lists the patches that have been downloaded, by severity, together with the number of systems on which each patch was found missing, installed, or failed to install.
    4. Detailed view - Shows the details of all the patches and their deployment status. Data appears in this view only after deployment has been initiated for at least one of the patches.
    5. Download failed patches - Lists all patches whose download failed. Select the patches whose download failed and click Download Patches to retry the download.

    Click Save to create the task. All the chosen computers will now automatically receive the missing patches within the deployment window specified in the selected deployment policy.

    For a Desktop Central build version below 10.0.192: Steps to create an Automate Patch Deployment task:

    Desktop Central allows automating Patch Management at various levels. For example, Administrators can:

    1. Choose to scan the systems in the network to detect the missing patches.

    2. Scan and download the missing patches.

    3. Scan, download and draft the missing patches.

    4. Scan, download, and deploy the missing patches.

    All the above operations can be applied to specific sets of target computers: for example, some systems are only scanned while others are automatically patched, and so on.

    How Patch Management works

    The above-mentioned diagram helps you understand how automated patch management works. For example, if a task is scheduled to start at 10:00, the computers are scanned during the subsequent refresh interval, and scanning of all the computers would complete at 11:31 (since the refresh interval is 90 minutes). It is recommended to set the deployment window (specified in the deployment policy) at least two hours after the scan, so that all the agents will have contacted the Desktop Central server and started downloading the missing patches. You can also choose "staging", so that the patches are downloaded immediately after the scan rather than waiting for the deployment window.

    Follow the steps below to create scheduled tasks for automating patch management using Desktop Central:

    1. Click the Admin tab to invoke the Admin page.

  2. Click the Automate Patch Deployment link available under Patch Settings.

    3. Click Add Scheduled Task button and specify the following:

      1. Specify a name for the task

      2. Select the deployment option from any of the following:

        1. Scan the Systems to Identify the Missing Patches: This is the default option, which scans your network to detect vulnerable applications.

        2. Scan the Systems and Download the Approved Missing Patches: Use this option to detect the vulnerable systems/applications in your network and download the corresponding fixes from the respective vendor's website.

        3. Scan the Systems, Download the Approved Missing Patches and Draft the Patch Configuration: Use this option to automatically download the missing patches from the respective vendor's website and create a draft of the Patch Configuration. Configure the deployment settings.

        4. Scan the Systems, Download and Deploy the Approved Missing Patches: Use this option to scan the systems periodically to identify the missing patches, download the patches from the respective vendor's website, and deploy the patches to the computers. Configure the deployment settings.

      3. Specify the severity for Microsoft and Third Party Applications:

        1. Deploying Operating System Updates: If you want to deploy only updates related to operating systems, choose only "Microsoft/Apple Applications" and follow the steps below:

          1. Enable the check box to deploy "Security Updates".

          2. Specify the "Severity" as Critical/Important/Moderate/Low/Unrated. Only patches with the selected severities will be deployed via Automated Patch Deployment.

          3. Enable the check box to deploy "Non-Security Updates".

          4. Specify whether to deploy all applications or to include/exclude specific applications. If you do not choose "Third Party Updates", only updates related to operating systems will be deployed.

        2. Deploying Third Party Updates: If you want to deploy only updates related to third-party applications, choose only "Third Party Applications" and follow the steps below:

          1. Specify the "Severity" as Critical/Important/Moderate/Low/Unrated. Only patches with the selected severities will be deployed via Automated Patch Deployment.

          2. Specify whether to deploy all applications or to include/exclude specific applications. If you do not choose updates from "Microsoft/Apple Applications", only updates related to Third Party Applications will be deployed.

          You can delay the deployment of patches to ensure their stability, deploying them only after a specific number of days from the date of release or from the date of approval. If you specify "5 days after release", the patches are deployed only 5 days after the day they became supported by Desktop Central. If you choose to deploy the patches "after 5 days from approval", they are deployed only 5 days after the patch was marked as approved. Remember also that if you use the Enterprise Edition of Desktop Central and have chosen to test patches before approval, you will already have configured a time delay before the patches are approved. So the deployment of patches via APD is determined by both the "delay specified for the tested patches to be approved" and the "delay specified to deploy the patch after approval".
  4. Configure the deployment settings by selecting a Deployment Policy:
    If you have set a policy as the default, the default policy is applied to the configuration automatically. You can also choose from the policies listed under "Apply Deployment Policy", which are grouped as My Policies and Created by Others. Click View Details to see the policy details and the list of configurations to which the policy is applied.
    If you do not have an existing deployment policy, you can create one by clicking on create policy.

  5. Enable the check box to continue the deployment even if some of the patches cannot be downloaded.

  6. Configure the scheduler settings:
    After selecting the required option, the next step is to schedule the frequency to scan the systems. You have the following options to schedule:

    1. Once - to run the scan only once. You need to specify the starting date and starting time.

    2. Daily - to run the scan every day. You need to specify the starting time and starting day.

    3. Weekly - to run the scan on specific day(s) of the week. You need to specify the starting time and the day(s) on which the scan has to run.

    4. Monthly - to run the scan on a specific day of the selected month(s). You need to specify the starting time, select a day and select one or more months.
      If you want an email to be sent upon successful completion of the task, select the Notify when Task Finishes check box and provide the email address. You can specify multiple email addresses as comma-separated values.

  7. Choose a Target:

    1. The next step is to select the target computers on which the above operations have to be performed. The target can be a whole domain, site, OU, group or specific computers. You can also exclude computers from the chosen targets based on specific criteria.

    2. After adding the required target computers, click Create Task.

    3. Repeat the above steps to create more tasks.

  8. Configure Execution Settings:
    Enable the check box "Retry this configuration on failed targets" to retry the configuration on the targets where it failed. You can also specify the total number of retry attempts, which includes retries during system start-up and at refresh intervals.

    It is advisable to schedule the Vulnerability Database synchronization prior to scanning the network systems so that the latest patch information will be available for comparison.
  9. Managing the Scheduled Tasks

    Automatic Patch Deployment can be customized so that managing the tasks becomes easier. Every scheduled task can be managed by:

    Modifying the Task

    To modify an automatic patch deployment task, follow the steps below:

      1. Click the Admin tab to invoke the Admin page.

      2. Click the Automate Patch Deployment link available under Patch Settings.

      3. In the Automate Patch Deployment view, click on the task you want to modify.

      4. Click the Edit icon against the task name, make your changes and Save.

    You have modified the scheduled automated patch deployment task. Modifying a task during its scheduled time (while a scan or download is in progress) is not recommended: if you modify the task, the current schedule is stopped and the modified task is executed only at the next scheduled time.

    Points to be Noted:

    1. Automated Patch Deployment (APD) tasks created by a user can be viewed and modified by users who have the same scope.

    2. If the user who created the APD task has been removed from the scope, that user can only view those APD tasks and will not be able to modify them.

    3. Only the Administrator has complete control over all the APD tasks created by all users.

    4. Suppose user A's scope is (Unique Group) UG1 and UG2, and user B's scope is UG2 and UG3. If user A creates an APD task and applies it to the targets UG1 and UG2, user B will not be able to modify the task. If user A has applied the task to UG2 alone, user B will be able to modify the task.

    Suspending the Scheduled Task

    To suspend an Automatic Patch Deployment task, follow the steps below:

      1. Click the Admin tab to invoke the Admin page.

      2. Click the Automate Patch Deployment link available under Patch Settings.

      3. In the Automate Patch Deployment view, click on the task you want to suspend.

      4. Click the suspend icon against the task and Save.

    You have suspended the scheduled automated patch deployment task.

    Suspending a task suspends all of its activities, including scanning, downloading and deployment. So make sure you want to suspend all the activities, including the scheduler, before suspending a task.

    Viewing the Status of Tasks

    To view the status of an automatic patch deployment task, follow the steps mentioned below:

      1. Click the Admin tab to invoke the Admin page.

      2. Click the Automate Patch Deployment link available under Patch Settings.

      3. In the Automate Patch Deployment view, click on the task for which you want to view the status.

    You can now view the status of the scheduled automated patch deployment task. You will find the following details:

    Summary

    Task details: This view lists the configured details of the task, such as the task name, creation time, modified time, deployment option and deployment policy.

    Task Scan Summary: This report lists the scan details of the task: the total number of computers scanned, the computers where the scan succeeded, the computers where the scan failed and the computers yet to be scanned. The report reflects the results of the previous scheduled run.

    Patch Download Summary: This report lists a detailed summary of the patches that are downloaded. Patch download starts after scanning completes, which is ideally a couple of hours after the scheduled time. For example, if a task is scheduled at 10:00 AM, patch scanning starts and gathers the complete list of missing patches, and the patch download then starts at 12:00.

    Deployment Summary: This report lists the details of the deployment status. Deployment of downloaded patches happens according to the deployment policy. If the policy is defined to deploy the patches only after all of them are downloaded, deployment starts only after all the scheduled patches have been downloaded successfully. If the policy is defined to deploy the successfully downloaded patches, whichever patches have been downloaded successfully are deployed, and the failed patches are deployed during the subsequent deployment schedule.

    Scan Details: You can find the detailed list of computers that were scanned successfully, computers on which the scan process failed and computers that are yet to be scanned.

    Download Details: All the patches that have been downloaded successfully, are yet to be downloaded or failed to download are listed here. The patch download process starts two hours after scanning is initiated. You can also set the severity for the missing patches so that patches are deployed based on their severity.

    System View: You can view the list of computers based on the status of the task. This view lists computers for which scanning is completed, failed or yet to start. For computers whose scan is complete, you can find the status of the patches that were downloaded, failed to download, or are yet to download. The patch deployment status is also listed per computer: deployment successful, deployment failed and yet to be deployed.

    Patch View: You can view the list of patches that have been downloaded, by severity. Patches that are yet to be downloaded are also listed.

    Detailed View: You can view the details of all the patches and their deployment status in this view. Data appears in this view only after deployment has been initiated for at least one of the patches.

    Copyright © 2018, ZOHO Corp. All Rights Reserved.
    ManageEngine

    Migration to the enhanced, new Automate Patch Deployment workflow

    If you are using a Desktop Central build version below 10.0.192 and would like to make use of the enhanced Automate Patch Deployment feature, follow the steps below to migrate your current APD tasks to the new workflow.

    Changes in the new APD workflow

    How Automate Patch Deployment works

    The Desktop Central server synchronizes with the Patch Database every day at the scheduled time. After synchronization, the server collects the details of the latest patches released. At the next refresh interval, Desktop Central agents scan the computers to check whether the newly available patches are missing. With Automate Patch Deployment, these patches are automatically deployed without delay, within the time specified in the Deployment Window. Thus the Automate Patch Deployment task ensures that all the computers in the network are equipped with the latest patches.

    Benefits:

    1. Eliminates any delay in the deployment of patches.
    2. Since a scan is initiated right after a patch database sync, the APD task reduces the time to patch known vulnerabilities.
    3. Enhances your network security: when patches for zero-day vulnerabilities or security updates are released, APD ensures their immediate deployment.

    Follow the steps below to migrate your APD tasks to the new workflow:

    If you fail to migrate within 90 days from the date of your upgrade to the latest version, all the tasks will be deleted.

    1. Navigate to Patch Management -> Automate Patch Deployment. You can view the list of APD tasks created.
    2. Click the Migrate button in the message box shown.
    3. You can now view each APD task, its previously configured scheduler settings, its last-modified-by details and the actions that can be performed.
    4. Click Migrate to automatically migrate the APD task to the new workflow with the existing Deployment Policy settings.
    5. Click Modify to change the deployment settings for the APD task.
    6. This displays all the settings you previously selected.
    7. Once you modify an Automate Patch Deployment task and save it, it is migrated to the new workflow.

    You can also migrate using the following steps:

    1. Navigate to Patch Management -> Automate Patch Deployment. You can view the list of APD tasks created.
    2. Click the Action tab across a task and select Modify.
    3. Choose to modify:

    Highlights about the migration:

    1. In the Automate Patch Deployment view, all tasks that have been deprecated can be deleted permanently or suspended for a definite period of time.
    2. In the new workflow, deployment is carried out only during the deployment window configured in your Deployment Policy. Therefore, it is important to configure the Deployment Policy to meet the patching requirements of your enterprise.