Automate Patch Deployment

How to automate the patch deployment process?

Summary

This document will guide you through the steps involved in automating the patch deployment using Endpoint Central MSP

How to create and configure an automate patch deployment task?

Need for automated patch deployment:

With the steady rise in attack vectors and the frequency of attacks, it is mandatory to keep all your enterprise endpoints up to date and patched round the clock. The best way to address this problem is to have a systematic, automated solution that manages patches for multiple OSs and third-party applications effectively.

Endpoint Central MSP's Automate Patch Deployment feature gives system administrators the ability to deploy the patches missing from their network computers automatically, without any manual intervention.

Benefits of Automated Patch Deployment

  1. Deployments are fast, and security is tightened because approved patches are readily available for deployment.
  2. All approved patches are deployed in the very next deployment window after they are downloaded.
  3. When a computer in the network goes offline and later regains network connectivity, there may be new vulnerabilities and patches that the computer is missing. When the agent contacts the server again, it is automatically scanned in the next refresh cycle, the missing patches are detected and recorded in the server, and the agent deploys them in the subsequent refresh cycle during the deployment window. Hence, there is no need to worry about the agent contact time or a prolonged vulnerable state.
  4. Deployment on an agent continues until it has zero missing patches for the APD criteria.
  5. In APD, you can also view the patching history in a more detailed view.

Figure: Automate patch deployment workflow

Follow the steps to create and configure an Automate Patch Deployment task:

The following steps apply if you are using Endpoint Central MSP build version 10.0.192 and above.

Description

For Endpoint Central MSP build version: 10.0.192 and above:

To automate patch deployment for a set of computers, follow the steps below:

Pre-requisite:

Configure Patch Database Settings to specify the time interval for the Endpoint Central MSP server to synchronize with the database and collect details of the latest patches available.

Note:

After synchronization with the Patch Database, the Endpoint Central MSP server will collect details of the latest patches released. In the next refresh cycle, Endpoint Central MSP agents will automatically scan the computers to check whether the newly available patches are missing. With Automate Patch Deployment, these patches will automatically be deployed without any delay. An Automate Patch Deployment task ensures that all the computers in the network are fully patched.

Steps to create an APD task

Follow the steps given below to create tasks for automating patch deployment for a set of computers:

  1. Navigate to the Patch Mgmt tab, and click on Automate Patch Deployment under Deployment. This view will display all the tasks that have been created.
  2. Click Automate Task to create a new task for Windows/Mac/Linux and name your task.
  3. Configure required details for the following steps:
    1. Select Applications - The type of OS and third-party apps to patch
    2. Choose Deployment Policy - Configure how and when to deploy the patches based on your enterprise's patching requirements
    3. Define Target - Select the target computers to deploy patches
    4. Configure Notifications - Receive notifications on the deployment status

Select Applications

Deploy Operating System Updates

If you want to deploy only updates related to operating systems (for example Windows, Mac or Linux), you can enable one of the given check boxes:

  • Security Updates, which includes all security updates for Windows; specify the severity as Critical/Important/Moderate/Low/Unrated.
  • Non-security Updates, which includes all non-security updates for Windows.
  • Updates that are applicable only to Windows:
    1. Service Packs - A tested, cumulative set of all hotfixes, security updates, critical updates, and updates for different versions of Windows OS.
    2. Rollups - A cumulative set of updates, including both security and reliability updates, packaged together for easy deployment as a single update; rollups also proactively include updates released in the past.
    3. Optional updates - Also called Preview Rollups, these are an optional, cumulative set of new updates packaged together and released ahead of the next Monthly Rollup, so that customers can proactively download, test and provide feedback.
    4. Feature packs - New product functionality that is included in the full product release.

Deploy Third party updates

If you want to deploy only updates related to third-party applications, specify the severity as Critical/Important/Moderate/Low/Unrated.

Specify whether you want to deploy all applications or include/exclude specific applications.

Deploy Anti-virus updates

Select this option to deploy anti-virus definition updates for the following: McAfee VirusScan Enterprise, Microsoft Forefront Endpoint Protection 2010 Server Management, Microsoft Forefront Endpoint Protection 2010 Server Management x64, Microsoft Forefront Client Security, Microsoft Forefront Client Security x64, Microsoft Security Essentials, Microsoft Security Essentials x64.

Delay deployment

You can choose to delay the deployment of patches to ensure their stability. Patches can be deployed after a specific number of days from either the date of release or the date of approval. For example, if you specify "5 days after release", the patches will be deployed only 5 days after the day they become supported by Endpoint Central MSP. If you choose "5 days after approval", the patches will be deployed only 5 days after the patch was marked as approved.

Choose Deployment Policy

  • Customize the patching process according to your enterprise's requirements by configuring the Deployment Policy settings.
  • The Deployment Policy details:
    1. Deployment frequency - Select how frequently you want to carry out the deployment
    2. Deployment window - The time interval during which patches need to be deployed
    3. Deployment will be initiated at - Select whether deployment should happen at system startup or during the refresh cycle within the chosen Deployment Window.
  • If you have set any policy as default, then the default policy will be automatically applied to the configuration.
  • Based on your requirements, you can choose from the available list of pre-defined policies or create a policy of your choice.
  • Click on View Details to see the policy details and the list of configurations to which the policy is applied.
  • The Expiry setting allows you to suspend a task after a specified period of time.
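The severity filter, the delay rule (days after release versus days after approval) and the deployment window interact, and it is easy to misjudge when a given patch will actually go out. The following simulation is an example added to this article; it is not Endpoint Central MSP code. The Patch and ApdTask records are constructed for illustration, the patch identifiers are placeholders rather than real KB numbers, and the evaluation rules (a patch is selected only when its severity and security/non-security type match the task, the delay has elapsed from the chosen base date, and the current time falls inside the deployment window) are assumptions that mirror the behaviour described in the sections above.

```python
"""Simulation of how an Automate Patch Deployment (APD) task selects patches.

Illustrative model written for this article, not Endpoint Central MSP code.
All patch records and task settings below are constructed; the selection
rules are assumptions that follow the documented options.
"""
from dataclasses import dataclass
from datetime import date, datetime, time, timedelta
from typing import List, Optional, Set


@dataclass
class Patch:
    patch_id: str              # constructed placeholder, not a real KB/patch number
    severity: str              # Critical / Important / Moderate / Low / Unrated
    is_security: bool          # True for security updates, False for non-security
    released: date             # day the patch became supported by the server
    approved: Optional[date]   # day an admin approved it; None = not yet approved


@dataclass
class ApdTask:
    severities: Set[str]               # severities selected in the task
    include_security: bool = True
    include_non_security: bool = False
    delay_days: int = 0                # "Delay deployment" value
    delay_from: str = "release"        # "release" or "approval"
    window_start: time = time(22, 0)   # deployment window start (assumed)
    window_end: time = time(4, 0)      # window end; may wrap past midnight


def earliest_deploy_date(patch: Patch, task: ApdTask) -> Optional[date]:
    """First calendar day the patch is eligible under the task's delay rule."""
    if task.delay_from == "approval":
        if patch.approved is None:
            return None                # never eligible until someone approves it
        base = patch.approved
    else:
        base = patch.released
    return base + timedelta(days=task.delay_days)


def in_window(now: datetime, task: ApdTask) -> bool:
    """True when the time of day lies inside the deployment window (wrap-aware)."""
    t, s, e = now.time(), task.window_start, task.window_end
    if s <= e:
        return s <= t < e
    return t >= s or t < e             # window such as 22:00 -> 04:00


def matches_criteria(patch: Patch, task: ApdTask) -> bool:
    """Severity and security/non-security filters of the task."""
    if patch.severity not in task.severities:
        return False
    if patch.is_security:
        return task.include_security
    return task.include_non_security


def select_for_deployment(missing: List[Patch], task: ApdTask, now_iso: str) -> List[str]:
    """IDs of the missing patches the agent would deploy in a refresh cycle at now_iso."""
    now = datetime.fromisoformat(now_iso)
    if not in_window(now, task):
        return []                      # refresh cycle outside the window: nothing deployed
    chosen = []
    for p in missing:
        if not matches_criteria(p, task):
            continue
        eligible = earliest_deploy_date(p, task)
        if eligible is None or now.date() < eligible:
            continue                   # delay not yet elapsed (or not approved)
        chosen.append(p.patch_id)
    return chosen


# Constructed sample of patches an agent reported as missing.
SAMPLE_MISSING = [
    Patch("P-1001", "Critical",  True,  date(2024, 3, 1), date(2024, 3, 2)),
    Patch("P-1002", "Important", True,  date(2024, 3, 5), None),
    Patch("P-1003", "Low",       True,  date(2024, 3, 1), date(2024, 3, 1)),
    Patch("P-1004", "Critical",  False, date(2024, 3, 1), date(2024, 3, 1)),
]

# Two tasks that differ only in the base date of the 5-day delay.
TASK_AFTER_RELEASE = ApdTask({"Critical", "Important"}, delay_days=5, delay_from="release")
TASK_AFTER_APPROVAL = ApdTask({"Critical", "Important"}, delay_days=5, delay_from="approval")

if __name__ == "__main__":
    for label, task in (("after release", TASK_AFTER_RELEASE), ("after approval", TASK_AFTER_APPROVAL)):
        for when in ("2024-03-06T23:00", "2024-03-07T03:00", "2024-03-07T12:00"):
            print(label, when, select_for_deployment(SAMPLE_MISSING, task, when))
```

Running the block shows the difference the base date makes: with "5 days after release", P-1001 (released 1 March) goes out in the window of the evening of 6 March, while with "5 days after approval" (approved 2 March) it waits until the early hours of 7 March. P-1002 is never selected by the approval-based task until it is approved, P-1003 is filtered by severity, P-1004 is excluded because non-security updates were not enabled, and a refresh cycle at noon deploys nothing because it falls outside the 22:00 to 04:00 window.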

Define Target

  • Select the target computers on which deployment has to be performed. The target can be a whole domain or remote offices. If you select the entire domain as the target, this will also include all the remote offices in that domain.
  • You can filter targets based on sites, OU, Group, specific computers and more.
  • 'Exclude Target' allows you to select certain targets that you want to exclude from the patch deployment task. For example, you can exclude server machines while deploying non-security updates.

Configure Notifications

Configure Notification settings to receive email notifications for the following:

  1. Failure in the deployment/download of the APD task
  2. Daily status reports on the APD task

Click on Save to create the task. The chosen computers will now automatically be deployed with their missing patches in the deployment window specified in the selected deployment policy.
