
LANDesk® Management Suite 9.0
Getting started with Patch Manager
INTRODUCTION
This document is intended to assist LANDesk® Management Suite administrators with implementing
Security and Patch Manager in their environment for LANDesk® Management Suite 9.0.

SCOPE
This document covers the steps necessary to get started using Patch Manager to patch clients. It also
contains a quick reference guide for experienced LANDesk administrators who just need a reminder of the
steps required for patching clients.

ASSUMPTIONS
This document is written with the expectation that the LANDesk Core Server has been installed and
activated and that the workstations have the LANDesk agent installed. These topics are discussed in other
documents and are not addressed in this document.
QUICK REFERENCE
This section contains the steps required to set up Patch Manager to patch clients. It is intended to be used
by experienced LANDesk administrators as a reference and does not go into detail on the process. The
details will be covered later in this document. Following are the steps required to set up Patch Manager:

1. Download patch content to the Core Server through the Download Updates window which is
accessed through the Patch and compliance tool in the LANDesk Management Console.

2. Make sure that all of the vulnerabilities that the clients need to be scanned for are in the Scan
folder in the Patch and compliance tool. Only vulnerabilities in the Scan folder will be scanned
for on the clients when the Security Scan is executed.

3. Check the Scan and Repair settings assigned to the clients to verify the options have been set
correctly for detection. This can be done in the Agent Configuration under Security and
Compliance | Patch and Compliance Scan, or in the Patch and Compliance window by clicking the
Configure settings toolbar icon and selecting the Scan and repair settings item from the drop-
down list.

4. Run a Security Scan on all clients to detect what patches they need.

5. Create and run a repair task to install the patches on the clients. Do not rely solely on the repair
task status to determine the success of patching. Continue with the remaining steps to fully
determine the success of patching. Note: Only patches that have been detected by a Security Scan
on a client can be patched with a repair task. Trying to install a patch on a client that has not been
detected will result in the patch failing to install with the message
NO_PATCHES_AVAILABLE.

6. Reboot the clients after the patches have installed if any of the patches require a reboot. If a patch
requires a reboot it is not completely installed until the client is rebooted. Failure to reboot the
client will result in the patch still being detected as not being installed.

7. Run a Security Scan on all of the clients.

8. Check the Security and Patch information for a specific client to see what patches are still needed
or check the affected computers list for a specific vulnerability to determine which computers still
need the patch.
DOWNLOAD PATCH CONTENT TO THE CORE SERVER
The following section contains steps

Configure the Download Updates window


Log in to the Management Suite Console.
From the Console, click Tools | Security and Compliance | Patch and Compliance.

Click the Download Updates toolbar icon.


This allows you to select what content to download. Core server licensing will determine what content is
available in the Download Updates window. The following figure displays all content that can be
downloaded with the full LANDesk Security Suite license.
Select the required Definition types and Languages for the environment. Microsoft Windows
Vulnerabilities are the most commonly downloaded vulnerability type. Microsoft Windows
Vulnerabilities contain the patches for the Windows operating systems as well as the patches for
common applications for the Windows operating system such as Adobe Reader, iTunes and Microsoft
Office. Do not check the box for Put new definitions in “Unassigned” group, so that all of the
definitions are downloaded to the Scan folder.
Proxy Settings
If the company uses a proxy server, enter its information on the Proxy Settings tab to allow the
content to be downloaded. The vulnerabilities (detection logic) are downloaded from the LANDesk
websites. The patches for the vulnerabilities are downloaded from the vendor's website. For example,
Microsoft patches are downloaded from Microsoft's websites. Ensure the proxy will allow the Core
Server to access the appropriate website to get each patch.

Changing the Patch Location


It is recommended that the download location for patches be left at the default settings. If there is limited
space on the drive that the Core Server is installed on, the patch location should be moved. Click the
Patch Location tab if the location needs to be moved.
If the patch location is changed, the new location must be set up with the same web settings and folder
permissions as the default location. If a UNC path is used for client access, add the Domain
Computers group to the new share with Read access.
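The share setup described above, as an added example that is not part of the LANDesk document: it creates the relocated patch folder, grants Domain Computers read-only access at both the NTFS and share level, and then checks that no broad group holds more than Read. The domain name CONTOSO, the folder D:\LANDeskPatches and the share name LANDeskPatches are assumptions; run it in an elevated PowerShell session on the Core Server (requires the SmbShare module, Windows Server 2012 or later).

```powershell
# Added example, not from the LANDesk document. Assumed values; change to match the environment.
$Domain    = 'CONTOSO'              # assumption: NetBIOS name of the domain
$PatchPath = 'D:\LANDeskPatches'    # assumption: new location chosen on the Patch Location tab
$ShareName = 'LANDeskPatches'       # assumption: share name used in the clients' UNC path
$ReadGroup = "$Domain\Domain Computers"

# 1. Create the folder if it does not exist yet.
if (-not (Test-Path -LiteralPath $PatchPath)) {
    New-Item -ItemType Directory -Path $PatchPath | Out-Null
}

# 2. NTFS: give Domain Computers ReadAndExecute on the folder and everything below it.
$acl  = Get-Acl -LiteralPath $PatchPath
$rule = New-Object System.Security.AccessControl.FileSystemAccessRule -ArgumentList @(
    $ReadGroup, 'ReadAndExecute', 'ContainerInherit, ObjectInherit', 'None', 'Allow')
$acl.AddAccessRule($rule)
Set-Acl -LiteralPath $PatchPath -AclObject $acl

# 3. Share: expose the folder with Read share permission only for Domain Computers.
if (-not (Get-SmbShare -Name $ShareName -ErrorAction SilentlyContinue)) {
    New-SmbShare -Name $ShareName -Path $PatchPath -ReadAccess $ReadGroup | Out-Null
}

# 4. Check the share ACL: clients only need to read patch files, so any broad group
#    holding Change or Full on the share is a misconfiguration worth fixing.
$broad = @('Everyone', "$Domain\Domain Users", $ReadGroup)
Get-SmbShareAccess -Name $ShareName |
    Where-Object { $broad -contains $_.AccountName -and $_.AccessRight -ne 'Read' } |
    ForEach-Object {
        Write-Warning ("Share '{0}': {1} has {2} {3}; expected Read only." -f
            $ShareName, $_.AccountName, $_.AccessControlType, $_.AccessRight)
    }

# 5. Check the NTFS ACL the same way, flagging Write, Modify or FullControl for those groups.
(Get-Acl -LiteralPath $PatchPath).Access |
    Where-Object {
        $broad -contains $_.IdentityReference.Value -and
        $_.FileSystemRights -match 'Write|Modify|FullControl'
    } |
    ForEach-Object {
        Write-Warning ("NTFS '{0}': {1} has {2}; expected ReadAndExecute only." -f
            $PatchPath, $_.IdentityReference, $_.FileSystemRights)
    }
```

The web settings mentioned above (the IIS virtual directory that the Core Server publishes the patch folder through) still have to be duplicated separately; this script covers only the share and folder permissions.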

Scheduling the download


When all settings have been set, click Apply.
Then click the Schedule download button.
Click OK.
Selecting this button will create a scheduled task to update the content that is currently selected. Setting a
scheduled task to run nightly will make sure that the content being scanned for is the most current and up
to date. If changes are made to what needs to be downloaded a new Scheduled task will need to be
created. More than one task can be created but they must be scheduled to run at different times because
only one download (VAMINER.EXE) can run at a time.
Set the appropriate schedule for the download task to run and click Save.

VERIFY VULNERABILITIES ARE IN THE SCAN FOLDER


After the Patch Content has downloaded, check the SCAN folder in the Patch and Compliance tool to
make sure all appropriate vulnerabilities are in there. Any old or unwanted vulnerabilities can be dragged
to the Do Not Scan folder.
SCAN AND REPAIR SETTINGS FOR DETECTION (AGENT BEHAVIOR)
Before starting to scan for vulnerabilities it is necessary to ensure that the scan configuration is set
correctly. Depending on what is licensed there can be as many as nine different types of vulnerabilities to
scan. From the Scan and Repair Settings window, select the types that you want to be scanned. When a
scan is initiated on a managed node an agent behavior needs to be selected so that the scanner knows what
to scan. If there is no agent behavior selected then the scanner will scan for the default three types:
Vulnerabilities, LANDesk Updates and Custom Vulnerabilities. The Scan and Repair Settings window
can be accessed two ways.
From the Patch and Compliance window, click the Configure settings toolbar icon and select the
Scan and repair settings item from the drop-down list.
In an agent configuration, click the Security and Compliance | Patch and compliance scan tree
item and click the Configure button.

Double-click the Scan and Repair setting assigned to the client in the agent configuration.
The Scan and Repair Settings window has eight pages: General, Scan, Repair, MSI, Reboot, Network,
Pilot and Spyware. Only the General, Scan and Pilot pages affect the detection.

General settings page

Most of the settings on the General settings page are self-explanatory, such as Show progress dialog and
Allow user to cancel scan. The only option that may need to be changed is CPU utilization when
scanning. Adjust the setting to the desired level. Moving the slider bar toward the Low side will reduce
the impact on performance of the Security Scan on the client but will also increase the amount of time it
takes for the scan to finish. Conversely, moving the slider bar towards the High side will increase the
impact on performance of the Security Scan on the client but will also reduce the time it takes for the scan
to finish. If the Security Scan is scheduled to run during non-business hours, it would be best to move the
slider bar all the way to the High side so the scan can finish as fast as possible. Make any changes
required on the General page and then click Scan options.
Scan options page

Scan options page controls what vulnerabilities are scanned for on the clients. Make sure that
Vulnerabilities, Antivirus updates and LANDesk updates types are selected as a minimum. The Antivirus
updates option when checked will detect and return information about the antivirus software installed on
the client if it is one of the more common antivirus applications (McAfee, Symantec, LANDesk AV, etc.).
The Enable autofix checkbox will only make a difference if vulnerabilities have had autofix enabled in
the Patch and Compliance window. Check the Autofix column to see if there is a Yes for any of the
vulnerabilities in the Scan folder. Only vulnerabilities in the Scan folder that have a Yes in the Autofix
column will be automatically installed. Uncheck the Enable autofix box to prevent any patches from
being automatically installed on clients.
Pilot configuration page

Make sure that the Periodically scan and repair definitions in the following group is unchecked. Click
Save when all Scan and Repair settings have been adjusted. When a Security Scan is run on the clients,
any changes made to the Scan and Repair settings will automatically be downloaded to the client.

RUN A SECURITY SCAN (VULSCAN.EXE) ON ALL CLIENTS


A patch cannot be applied to a computer unless the vulnerability associated with that patch has first been
detected on that computer. There are three different ways to run a Security Scan on a computer to detect
vulnerabilities. The first two ways are configured from the Agent Configuration tool in the LANDesk
Console and should have been configured before deploying the LANDesk agent. The first two methods
will not be covered in this document. The security scan should be run on managed nodes at least once a
day.
1. When a user logs in.
2. Setting a frequency to be run by the client’s local scheduler service. By default, the Security Scan
is set to run once a day in the agent configuration.
3. Create a Security Scan task.
Create a Security Scan Task

In the Patch and Compliance window, click the Create a task icon in the toolbar and select Security
Scan from the drop-down list. The Create security scan task window appears.

Click to place a checkmark in the Create a scheduled task checkbox.


Select the Scan and repair settings from the drop-down list that was created or modified in the previous
section of this document. Click OK to create the task, which will appear in the Scheduled Tasks window.
Drag computers from All Devices in the Console and drop them on the Security Scan task (Patch and
Compliance Scan) in the Scheduled tasks window. Drag all computers that the Security scan needs to be
run on to the task.
Right-click the Security Scan task (Patch and Compliance Scan) in the Scheduled tasks window and
click Start now to immediately run the Security Scan task. Or, select Properties to schedule a time for
the Security Scan to run. It is recommended to run the Security Scan task during non-business hours
because the Security Scan will impact the performance of the computer.

CREATE AND RUN A REPAIR TASK


After the Security Scan completes on the clients, it is time to create a repair task to remediate the detected
vulnerabilities. Open the Patch and Compliance window in the LANDesk Console.
Right-click My custom groups in the Patch and Compliance window under Groups | Custom groups
and select the New Group option.

Enter a name for the new group.


Click on the Detected folder under All Types which will display a list of all of the vulnerabilities that
have been detected as needing to be installed on at least one computer that the Security Scan was run on
earlier.

Click on any of the vulnerabilities in the detected folder and then press CTRL+A, which should select all of
the vulnerabilities in the detected folder.
The lower left corner of the Patch and Compliance window will show the number of vulnerabilities in
the detected folder. Drag and drop all of the vulnerabilities from the detected folder to the custom group
(MyPatchGroup) created previously.

If this message window comes up, click Yes.


Click the custom patch group (MyPatchGroup) and verify that all of the patches were added to the
group. The number of vulnerabilities in the group should be equal to or greater than the number on the
detected folder because of dependencies and prerequisites that were automatically added. Look through
the vulnerabilities in the patch group and remove any vulnerabilities that you do not want installed on any
computers in your environment.

Right-click the custom group and select the Repair option.


If this Repair Information message box comes up, click Yes.

Click the Configure button to open the Configure scan and repair settings window.
Click the New button to create a new scan and repair setting for the repair task.

On the General settings page, enter a name for this scan and repair setting to be used with the repair task.
Adjust the slider bar for CPU utilization when scanning if necessary. Moving the bar towards High will
increase the amount of CPU VULSCAN.EXE is allowed to use. Change any other settings as necessary
for the environment. Click Repair options to switch to the repair options page.
Make sure that the Reboot is already pending box is checked. Adjust other settings as required for the
environment. Click MSI information to switch to the MSI information page.
If the original location for the Microsoft Office install files is no longer accessible by the client, enter the
UNC path to the Office install files and a username and password that can access them. If you are not sure
whether the client can access the original location, leave this page blank and try it. If the Office patches
fail, fill in this page and try it again. Click Reboot options to switch to the reboot options page.
Select the appropriate options on the reboot options page to meet the requirements for the environment.
Click Save.

Make sure the new Scan and Repair setting is highlighted and then click Use selected.
Verify that the correct scan and repair setting is shown in the Scan and repair settings box. Then click
the Patches tab.
Click on any of the patches in the list and press CTRL+A, which should highlight all of the patches in the
list.
Right-click any of the patches and select the Download Patch option. The Downloading Patches
window will appear.
Wait for all of the patches to download and click Close when it is done. Then click the General tab. Any
patches that are already downloaded will be verified and skipped if the file matches the current
vulnerability; otherwise the patch will be redownloaded.
It is recommended to use Repair as a scheduled task (push) so that the patching time can be controlled.
For laptops (mobile users), the Repair as policy (pull) is the recommended method for patching the
remote device. This is the most effective method since the policy can run when the device connects to the
network. Select the Don't add any computers option because the patches should be tested on a few
computers first to make sure there are no major problems with the patches. Click OK which will create
the repair task and switch to the Scheduled Tasks window with the repair task highlighted.
Drag a few devices that can be used for testing from the All Devices list and drop them on the repair task
in the Scheduled Tasks window. These will be the computers used to test the patch deployment process.
After the test computers have been added to the repair task, right-click the repair task and click Start now
to immediately patch the computers, or select the Properties option to set a start time for the task. It is
best to patch computers during non-business hours because of the performance impact to the computer
while patches are being installed. Wait for the patch repair task to complete and then continue with the
next section.

REBOOT THE CLIENTS


Reboot the clients if any of the patches in the repair task require a reboot. Until the client is rebooted, the
patch is not completely installed and will still be detected on the clients. This can be done with the reboot
task available in the Patch and Compliance window. Open the Patch and Compliance tool.
Select the Reboot option from the Create a task drop-down list. The Create reboot task window
appears.

Click to place a checkmark in the Create a scheduled task checkbox. Click the Configure button to
create a Scan and repair setting for the reboot task.
Click the New button.

On the General settings page, enter a name for this Scan and Repair setting. Click Reboot options to
switch to the reboot options page.
Select the Always reboot option. Select other options as required for this environment. Click Save.

Verify the correct scan and repair setting is highlighted and click Use selected.
Verify the required scan and repair setting shows in the Scan and repair settings box. Click OK which
will create the reboot task and switch to the Scheduled Tasks window with the reboot task highlighted.

Drag the computers which need to be rebooted from All devices and drop them on the reboot task.
Right-click the reboot task and select the Start now option to immediately start the task or select
Properties to set a start time for the task. Wait for the computers to restart before continuing with the
next section.

RUN A SECURITY SCAN ON THE CLIENTS THAT WERE PATCHED


Follow the instructions in the section titled "RUN A SECURITY SCAN (VULSCAN.EXE) ON ALL
CLIENTS" to run a Security Scan on the computers that were patched.

CHECK SECURITY AND PATCH INFORMATION FOR PATCHED COMPUTERS


Check the Security and Patch information for the patched clients to see what patches are still needed.
Right-click a patched computer under All devices in the console and select the Security and Patch
Information option.
All Detected will show all patches that the computer still needs. Repeat the steps in this document until
all patches have been installed on the computers.

CONCLUSION
The steps outlined in this document provide the user with the basic information required to get started
with Patch Manager in a LANDesk® Management Suite 9.0 environment.

ABOUT LANDESK® SOFTWARE


The foundation for LANDesk’s leading IT management solutions was laid more than 20 years ago. And LANDesk®
has been growing and innovating the systems, security, service and process management spaces ever since. Our
singular focus and our commitment to understanding customers’ real business needs—and to delivering easy-to-use
solutions for those needs—are just a few of the reasons we continue to grow and expand.
LANDesk® pioneered the desktop management category back in 1993. That same year, IDC named LANDesk® the
category leader. And LANDesk® has continued to lead the systems configuration space: pioneering virtual IT
technology in 1999, revolutionizing large-packet distribution with LANDesk® Targeted Multicast™ technology and
LANDesk® Peer Download™ technology in 2001, and delivering secure systems management over the Internet and
hardware-independent network access control capabilities with LANDesk® Management Gateway and LANDesk®
Trusted Access™ Technology in 2005.
In 2006, LANDesk® added process management technologies to its product line and began integrating the systems,
security and process management markets. LANDesk® also extended into the consolidated service desk market with
LANDesk® Service Desk, and was acquired by Avocent to operate as an independent division.
Today, LANDesk® continues to lead the convergence of the systems, security, process and service management
markets. And our executives, engineers and other professionals work tirelessly to deliver leading solutions to
markets around the globe.
