Getting started with Patch Manager
INTRODUCTION
This document is intended to assist LANDesk® Management Suite administrators with implementing
Security and Patch Manager in their environment for LANDesk® Management Suite 9.0.
SCOPE
This document covers the steps necessary to get started using Patch Manager to patch clients. It also
contains a quick reference guide for experienced LANDesk administrators that just need a reminder of the
steps required for patching clients.
ASSUMPTIONS
This document is written with the expectation that the LANDesk Core Server has been installed and
activated and the workstations have the LANDesk agent installed. There are other documents that discuss
these topics and are not addressed in this document.
QUICK REFERENCE
This section contains the steps required to set up Patch Manager to patch clients. It is intended to be used
by experienced LANDesk administrators as a reference and does not go into detail on the process. The
details will be covered later in this document. Following are the steps required to set up Patch Manager:
1. Download patch content to the Core Server through the Download Updates window which is
accessed through the Patch and compliance tool in the LANDesk Management Console.
2. Make sure that all of the vulnerabilities that the clients need to be scanned for are in the Scan
folder in the Patch and compliance tool. Only vulnerabilities in the Scan folder will be scanned
for on the clients when the Security Scan is executed.
3. Check the Scan and Repair settings assigned to the clients to verify the options have been set
correctly for detection. This can be done in the Agent Configuration under Security and
Compliance | Patch and Compliance Scan or in the Patch and Compliance window by clicking the
Configure settings toolbar icon and selecting the Scan and repair settings item from the
drop-down list.
4. Run a Security Scan on all clients to detect what patches they need.
5. Create and run a repair task to install the patches on the clients. Do not rely solely on the repair
task status to determine the success of patching. Continue with the remaining steps to fully
determine the success of patching. Note: Only patches that have been detected by a Security Scan
on a client can be patched with a repair task. Trying to install a patch that has not been detected
on a client will result in the patch failing to install with the message
NO_PATCHES_AVAILABLE.
6. Reboot the clients after the patches have installed if any of the patches require a reboot. If a patch
requires a reboot it is not completely installed until the client is rebooted. Failure to reboot the
client will result in the patch still being detected as not being installed.
8. Check the Security and Patch information for a specific client to see what patches are still needed
or check the affected computers list for a specific vulnerability to determine which computers still
need the patch.
DOWNLOAD PATCH CONTENT TO THE CORE SERVER
The following section contains steps
Double-click the Scan and Repair setting assigned to the client in the agent configuration.
The Scan and Repair Settings window has eight pages: General, Scan, Repair, MSI, Reboot, Network,
Pilot and Spyware. Only the General, Scan and Pilot pages affect the detection.
Most of the settings on the General settings page are self-explanatory, such as Show progress dialog and
Allow user to cancel scan. The only option that may need to be changed is CPU utilization when
scanning. Adjust the setting to the desired level. Moving the slider bar toward the Low side will reduce
the impact on performance of the Security Scan on the client but will also increase the amount of time it
takes for the scan to finish. Conversely, moving the slider bar towards the High side will increase the
impact on performance of the Security Scan on the client but will also reduce the time it takes for the scan
to finish. If the Security Scan is scheduled to run during non-business hours, it would be best to move the
slider bar all the way to the High side so the scan can finish as fast as possible. Make any changes
required on the General page and then click Scan options.
Scan options page
The Scan options page controls what vulnerabilities are scanned for on the clients. Make sure that the
Vulnerabilities, Antivirus updates and LANDesk updates types are selected as a minimum. The Antivirus
updates option, when checked, will detect and return information about the antivirus software installed on
the client if it is one of the more common antivirus applications (McAfee, Symantec, LANDesk AV, etc.).
The Enable autofix checkbox will only make a difference if vulnerabilities have had autofix enabled in
the Patch and Compliance window. Check the Autofix column to see if there is a Yes for any of the
vulnerabilities in the Scan folder. Only vulnerabilities in the Scan folder that have a Yes in the Autofix
column will be automatically installed. Uncheck the Enable autofix box to prevent any patches from
being automatically installed on clients.
Pilot configuration page
Make sure that the Periodically scan and repair definitions in the following group option is unchecked. Click
Save when all Scan and Repair settings have been adjusted. When a Security Scan is run on the clients,
any changes made to the Scan and Repair settings will automatically be downloaded to the client.
In the Patch and Compliance window, click the Create a task icon in the toolbar and select Security
Scan from the drop-down list. The Create security scan task window appears.
Click on any of the vulnerabilities in the detected folder and then press CTRL+A, which should select all of
the vulnerabilities in the detected folder.
The lower left corner of the Patch and Compliance window will show the number of vulnerabilities in
the detected folder. Drag and drop all of the vulnerabilities from the detected folder to the custom group
(MyPatchGroup) created previously.
Click the Configure button to open the Configure scan and repair settings window.
Click the New button to create a new scan and repair setting for the repair task.
On the General settings page, enter a name for this scan and repair setting to be used with the repair task.
Adjust the slider bar for CPU utilization when scanning if necessary. Moving the bar towards High will
increase the amount of CPU VULSCAN.EXE is allowed to use. Change any other settings as necessary
for the environment. Click Repair options to switch to the repair options page.
Make sure that the Reboot is already pending box is checked. Adjust other settings as required for the
environment. Click MSI information to switch to the MSI information page.
If the original location for the Microsoft Office install files is no longer accessible by the client, enter the
UNC path to the Office install files and a username and password that can access them. If you are not sure
whether the client can access the original location, leave this page blank and try it. If the Office patches
fail, fill in this page and try it again. Click Reboot options to switch to the reboot options page.
Select the appropriate options on the reboot options page to meet the requirements for the environment.
Click Save.
Make sure the new Scan and Repair setting is highlighted and then click Use selected.
Verify that the correct scan and repair setting is shown in the Scan and repair settings box. Then click
the Patches tab.
Click on any of the patches in the list and press CTRL+A, which should highlight all of the patches in the
list.
Right-click any of the patches and select the Download Patch option. The Downloading Patches
window will appear.
Wait for all of the patches to download and click Close when it is done. Then click the General tab. Any
patches that are already downloaded will be verified and skipped if the file matches the current
vulnerability; otherwise the patch will be redownloaded.
It is recommended to use Repair as a scheduled task (push) so that the patching time can be controlled.
For laptops (mobile users), the Repair as policy (pull) is the recommended method for patching the
remote device. This is the most effective method since the policy can run when the device connects to the
network. Select the Don't add any computers option because the patches should be tested on a few
computers first to make sure there are no major problems with the patches. Click OK, which will create
the repair task and switch to the Scheduled Tasks window with the repair task highlighted.
Drag a few devices that can be used for testing from the All Devices list and drop them on the repair task
in the Scheduled Tasks window. These will be the computers used to test the patch deployment process.
After the test computers have been added to the repair task, right-click the repair task and click Start now
to immediately patch the computers, or select the Properties option to set a start time for the task. It is
best to patch computers during non-business hours because of the performance impact to the computer
while patches are being installed. Wait for the patch repair task to complete and then continue with the
next section.
Click to place a checkmark in the Create a scheduled task checkbox. Click the Configure button to
create a Scan and repair setting for the reboot task.
Click the New button.
On the General settings page, enter a name for this Scan and Repair setting. Click Reboot options to
switch to the reboot options page.
Select the Always reboot option. Select other options as required for this environment. Click Save.
Verify the correct scan and repair setting is highlighted and click Use selected.
Verify the required scan and repair setting shows in the Scan and repair settings box. Click OK, which
will create the reboot task and switch to the Scheduled Tasks window with the reboot task highlighted.
Drag the computers which need to be rebooted from All devices and drop them on the reboot task.
Right-click the reboot task and select the Start now option to immediately start the task or select
Properties to set a start time for the task. Wait for the computers to restart before continuing with the
next section.
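
Because a patch that requires a reboot is still detected as missing until the client restarts, it helps to confirm on a test client that no restart is outstanding before re-scanning. The following PowerShell check is an added example, not part of the original document or of LANDesk; it reads only standard Windows reboot indicators and assumes PowerShell 3.0 or later with local administrator rights.

```powershell
# Added example: report whether this Windows client still has a reboot pending.
# Reads standard Windows indicators only; it does not query LANDesk or VULSCAN.EXE.
function Get-PendingRebootReason {
    $reasons = @()

    # Key exists when Component Based Servicing (Windows Vista and later) has staged changes.
    $cbs = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing\RebootPending'
    if (Test-Path -Path $cbs) { $reasons += 'ComponentBasedServicing' }

    # Key exists when Windows Update installed something that needs a restart.
    $wu = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\RebootRequired'
    if (Test-Path -Path $wu) { $reasons += 'WindowsUpdate' }

    # Value lists files that will be replaced or deleted at the next boot.
    # Other installers also set it, so treat it as a weaker signal than the two keys above.
    $sm   = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager'
    $prop = Get-ItemProperty -Path $sm -Name PendingFileRenameOperations -ErrorAction SilentlyContinue
    if ($prop -and $prop.PendingFileRenameOperations) { $reasons += 'PendingFileRenameOperations' }

    return ,$reasons
}

$reasons = Get-PendingRebootReason
$os      = Get-CimInstance -ClassName Win32_OperatingSystem

# One record per client; the last boot time shows whether the reboot task actually ran.
[pscustomobject]@{
    ComputerName   = $env:COMPUTERNAME
    RebootPending  = ($reasons.Count -gt 0)
    Reasons        = ($reasons -join ',')
    LastBootUpTime = $os.LastBootUpTime
}
```

If RebootPending is still True after the reboot task reports success, compare LastBootUpTime with the task's start time before running the next Security Scan.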
CONCLUSION
The steps outlined in this document provide the user with the basic information required to get started
with Patch Manager in a LANDesk® Management Suite 9.0 environment.