Quick Start Guide - Patch Management
This section provides a Quick Start Guide to set up and use the Patch Management feature, covering the following information along with links back to the main Help section for further detail:
- Update or Install the Advanced Monitoring Agent
- Designate a Site Concentrator (Optional)
- Enable and Configure Patch Management
- View Patch and Vulnerability Information
- Manage Patches From the Dashboard - Individual or Multiple Devices
- Disable Patch Management
Update or Install the Advanced Monitoring Agent
The first step to get up and running with Patch Management is to update to, or install, a version of the Windows Monitoring Agent that supports the required Patch Management feature.
Windows Agent Version | Feature |
---|---|
8.5 | Patch Management release (LanGuard Engine) |
8.14.1 | Included support for all Microsoft Update types (not just security) where the Operating System or Microsoft product is supported by Patch Management. These include update roll-ups, Service Packs, critical updates, tools and drivers. |
9.13 | Support for additional third party vendors |
10.2.0 | Support for Patch uninstallation (where patch is uninstallable) |
10.3.4 | Automatically adds a Windows Service Check to monitor the Patch Management GFI LanGuard Attendant Service when enabling this feature on a device. (LanGuard engine only) A fail state is triggered in the Patch Status Check where the scan results are not uploaded to the Dashboard when this information is expected. |
10.5.8 | Set a schedule for Patch Management Patch Status Scan |
10.8.0 RC | New Patch Management engine (SolarWinds Engine) |
10.8.0 RC Upgrade Note
If upgrading from agent version 10.5.8 or older, the Patch schedule may not initiate automatically. To avoid this potential issue, please update the Windows Monitoring Agent on your device to 10.5.9 or later before installing 10.8.0 RC.
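As an added example (not part of the product or its documentation), the following Python sketch applies the version table and the upgrade note above to an agent inventory, reporting which features each device lacks and whether it must be staged through 10.5.9 before 10.8.0 RC. The device names, inventory and feature labels are constructed for illustration.

```python
# Added example: agent-version gate built from the table and upgrade note above.
# Device names and the inventory are constructed sample data.

# Minimum Windows Agent version per capability (values from the table above;
# the dictionary keys are labels chosen for this example).
FEATURE_MIN = {
    "patch_management": (8, 5),
    "all_microsoft_update_types": (8, 14, 1),
    "additional_third_party_vendors": (9, 13),
    "patch_uninstall": (10, 2, 0),
    "attendant_service_check": (10, 3, 4),
    "scan_schedule": (10, 5, 8),
    "new_patch_engine": (10, 8, 0),
}

def parse_version(text):
    """'10.8.0 RC' -> (10, 8, 0); a trailing GA/RC label is ignored."""
    return tuple(int(part) for part in text.strip().split()[0].split("."))

def at_least(version, minimum):
    """Compare tuples of different length by zero-padding the shorter one."""
    width = max(len(version), len(minimum))
    return version + (0,) * (width - len(version)) >= minimum + (0,) * (width - len(minimum))

def supported_features(agent_version):
    version = parse_version(agent_version)
    return sorted(name for name, minimum in FEATURE_MIN.items() if at_least(version, minimum))

def upgrade_path(agent_version):
    """Installer steps needed to reach 10.8.0 RC, following the upgrade note."""
    version = parse_version(agent_version)
    if at_least(version, (10, 8, 0)):
        return []
    if not at_least(version, (10, 5, 9)):   # 10.5.8 or older: stage via 10.5.9+
        return ["10.5.9 or later", "10.8.0 RC"]
    return ["10.8.0 RC"]

INVENTORY = {"SRV-01": "10.5.8", "WS-014": "9.13", "WS-022": "10.5.9", "SRV-02": "10.8.0 RC"}

def plan(inventory):
    """Map each device to its upgrade steps and the features it lacks today."""
    report = {}
    for device, version in inventory.items():
        missing = sorted(set(FEATURE_MIN) - set(supported_features(version)))
        report[device] = {"steps": upgrade_path(version), "missing": missing}
    return report

if __name__ == "__main__":
    for device, row in plan(INVENTORY).items():
        print(device, row["steps"], row["missing"])
```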
Patch Management and Windows Update from Monitoring Agent 10.8.0 RC
The Patch Management engine included from Windows Monitoring Agent 10.8.0 RC takes administrative control of Windows Update to download files and install the patches.
Update or Install Agent on Computer
- Log into the Dashboard:
- Go to Agent > Download Agent
- Select the required Agent version (current GA or RC)
- Once downloaded, run the installer on each of the devices Patch Management is to be deployed on
- When running on a new device the program runs the Agent setup wizard
- Where Windows Monitoring Agent is already present on a device, the program updates the existing files whilst retaining the current settings
Update Agent from the Dashboard
- Log into the Dashboard
- Go to Agent > Agent Auto-update Settings
- Choose the entity (overall device type down to Client and site)
- Select the Agent version from the drop-down to Update All or only apply the update to specific devices
- OK to apply
Additional installation and update options are covered in Windows Monitoring Agent Installation.
Designate a Site Concentrator (Optional)
A typical workstation may require as much as 20 - 30MB of Microsoft Windows patches alone in any given month. To reduce the volume of traffic where there are a large number of workstations, you can designate a server mode device as the Site Concentrator (requires Windows Monitoring Agent 8.8 or later). The Site Concentrator acts as a repository for the other devices at that site, downloading and caching Agent features, updates and patch installation files. The other Agents then retrieve the files from the Site Concentrator, ensuring each patch is only downloaded once and reducing external network traffic. A new bespoke Site Concentrator was introduced from Windows Monitoring Agent 9.8.2, to replace the previous version.
From Dashboard v6.36 when Agents connecting through a Site Concentrator cannot upload due to upstream proxy issues, this is reported in the device's Summary tab. For example: Proxy error: Unable to connect through proxy server.
- Log into the Dashboard
- Expand the Client under the left Monitoring and Management tree
- Right-click on the target Site (or from the Edit menu)
- Choose Edit Site
- Go to Site Concentrator
- Populate the required information
- Save to apply
Create Custom Patch Management Policies
You can apply a default policy or use your own custom templates when using the Patch Management Feature Policy configuration option. This allows you to quickly and easily roll out Patch Management with pre-configured settings, rather than manually configuring each setting for each entity, which can be time-consuming and introduces the possibility of human error during the setup and subsequent configuration process.
- Log into the Dashboard
- Go to Settings > Patch Management > Feature Policy
- Click New
- Enter a Policy Name for identification
- Choose an existing policy to Base policy on
- Select the device type the policy is available for in Policy Type
- Click Add to create
- Select the new policy in the dialog
- Edit (or double-click on the policy)
- Configure the policy sections to match the updated requirements. These settings are also covered in the below Patch Management Configuration Sections
- General Settings
- Patch Status Check (Scan)
- Approval Policy
- Installation Schedule (including reboots)
- Failed Patch alerting
- Save to apply
We recommend creating Client specific policies. These not only allow you to create policies that precisely match the client's requirements, but can be combined with the Manage Feature Policies for Client Group feature. Where enabled, this feature allows users in the Client Group to manage their assigned policies. As any changes will affect the devices using that policy, we do not recommend using shared policies with this feature.
Enable and Configure Patch Management
Patch Management is configurable for all devices on the Dashboard based on type, at specific Clients and Sites or on individual devices.
Servers and workstations inherit their configuration from the site, which in turn inherits from the client, which in turn inherits the default configuration for all servers and workstations. Device level settings take precedence over those set at the policy level.
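The inheritance chain described above can be audited offline to find devices where Patch Management ends up Off and which level caused it. The following Python sketch is an added example, not product code; the client, site and device names are constructed, and it assumes for simplicity that a Client or Site setting applies to both device types.

```python
# Added example: models the device -> site -> client -> default chain above.
# All entity names and settings below are constructed sample data.
ON, OFF = "On", "Off"
USE_PARENT = "Use Parent"             # available at Client or Site level
USE_POLICY = "Use Policy Setting"     # available at device level

DEFAULTS = {"server": ON, "workstation": OFF}
CLIENTS = {"Acme": USE_PARENT, "Globex": ON}
SITES = {
    ("Acme", "HQ"): ON,
    ("Acme", "Branch"): USE_PARENT,
    ("Globex", "Main"): OFF,
}
DEVICES = [
    {"name": "ACME-DC1", "type": "server", "client": "Acme", "site": "HQ", "setting": USE_POLICY},
    {"name": "ACME-WS7", "type": "workstation", "client": "Acme", "site": "Branch", "setting": USE_POLICY},
    {"name": "ACME-WS9", "type": "workstation", "client": "Acme", "site": "HQ", "setting": OFF},
    {"name": "GLX-SRV2", "type": "server", "client": "Globex", "site": "Main", "setting": USE_POLICY},
    {"name": "GLX-WS1", "type": "workstation", "client": "Globex", "site": "Main", "setting": ON},
]

def resolve(device):
    """Return (effective setting, level that decided it) for one device."""
    chain = [
        ("device", device["setting"]),          # device level takes precedence
        ("site", SITES[(device["client"], device["site"])]),
        ("client", CLIENTS[device["client"]]),
        ("default", DEFAULTS[device["type"]]),
    ]
    for level, value in chain:
        if value in (ON, OFF):                  # skip "use parent/policy" entries
            return value, level
    raise ValueError("no explicit setting found for " + device["name"])

def patching_disabled(devices):
    """List (device name, deciding level) for every device that resolves to Off."""
    result = []
    for device in devices:
        setting, level = resolve(device)
        if setting == OFF:
            result.append((device["name"], level))
    return result

if __name__ == "__main__":
    for name, level in patching_disabled(DEVICES):
        print(f"{name}: Patch Management Off (set at {level} level)")
```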
Multiple Devices
- Log into the Dashboard
- Go to Settings > Patch Management > Settings
- Select the Entity type to apply the configuration to (all servers and workstations or servers and workstations at specific clients and sites)
- Green - Feature or functionality enabled for all devices under that entity. This includes device level settings
- Grey - Feature or functionality disabled on at least one device under that entity. This includes device level settings
- Orange - One of the child entities has a different configuration to the parent. Where a Client only has one Site, its status indicator reflects that of the Site.
- Choose the Setting from On, Off or Use Parent (only for Client or Site)
- Configure the Patch Status Check (Scan) and Patch behavior: Auto Approval, Installation Schedule (including reboots), Failed Patch alerting. These are covered below.
- OK to save and apply
We use dots in the Settings dialog to make it easier to spot if the feature is enabled or disabled at the entity level, and whether devices under an entity have the same settings.
For further information on each of these states, please refer to Feature and Functionality Settings Iconography.
Individual Device
- Log into the Dashboard
- Right-click on the device in the north pane (or from the Edit Server, Workstation or Device drop-down)
- Go to Edit <Device Type> and Patch Management
- Choose the Setting from On, Off or Use Policy Setting (On) or (Off)
- Configure the Patch Status Check (Scan) and Patch behavior: Auto Approval, Installation Schedule (including reboots), Failed Patch alerting. These are covered below.
- OK to save and apply
Read the Windows 10 supportability statement.
Settings Options
Setting: On - Select the Patch Management Configuration Method
Select one of the available configuration options for the selected entity: Patch Management Feature Policy or manual settings configuration.
Apply a Patch Management Feature Policy
- Tick Use Patch Management policies (Recommended)
- Select the relevant default or custom policy from the drop-down. Where workstations are selected, you can select different policies for desktops and laptops
If you select Patch Management Feature Policy, you can select a different policy but cannot switch to manual configuration.
For new Dashboard accounts only Patch Management Feature Policy is available.
Configure Settings Manually (Legacy)
- Manually configure the below settings for each selected entity.
- Patch Status Check (Scan)
- Patch Auto Approval
- Installation Schedule (including reboots)
- Failed Patch alerting
Configure the Patch Scan and Patch Management Settings
Setting | Description |
---|---|
Patch Scan | Choose the Dashboard and email notifications behavior when missing Patches and Vulnerabilities are discovered. |
Schedule (Patch Scan) | Available on devices running Windows Monitoring Agent 10.5.8 and later, this option allows you to configure when the Patch Scan runs on the target devices. Regardless of the applied schedule, on-demand Patch Scans may be initiated from the device's context menu, as covered in the Manual Scan section above. |
Auto Approval (Patch Installation) | Select the installation approval Action for Microsoft and Other Vendors patches based on Severity. All patches must be approved before they are installed via Patch Management. If not selected for automatic or manual approval, the patches may subsequently be approved for all Servers and Workstations or at the Client or Site level via Patch Management Workflow or Approval Policy, and at the device level through the Patches tab. |
Installation Schedule | Configure when patches are to be installed for the selection. The Scheduled Time selected under Installation Schedule refers to the local time of the computer the Agent is installed on. Please take this into consideration where your Dashboard contains Clients, Sites or Devices in different timezones, to ensure Patches are not installed at an inappropriate time. One suggestion is to set a custom Installation Schedule at the Client, Site or Device level based on their timezone. |
Failed Patches | Select the behavior when a patch reports as failed. In addition to automatically retrying a failed patch, there is also the option to manually reprocess any patch that is in the Failed state on the Dashboard. |
Once Patch Management installs on a device it automatically runs a Patch Scan based on the entered Scan Schedule settings.
View Patch and Vulnerability Information
The scan results are displayed against the Patch Status Check, accessible from the device's Checks tab on the Dashboard.
The Check's More Information link contains a summary of the results from the last time the Check ran. Click the link for detailed information, including the Last Scan run time along with the vulnerabilities and missing patches that were identified.
Information across multiple devices is available in the Patch Overview Report with the Failure Report containing only those patches where an installation problem was encountered.
Manage Patches From the Dashboard
Individual Devices
Patches are managed at the individual device level by selecting the computer in the north panel then going to its Patches tab.
This tab lists all of the discovered patches along with their Severity level, Patch Name, Product, Date Installed (if installed by Patch Management) along with whether it is Installable and / or Uninstallable.
To simplify the identification of a patch's current state, patches are grouped based on their status: Missing, Installed, Pending etc.
To perform an action against a patch, or number of patches...
- Use multi-select (Shift and left-click for a range or Control and left-click for specific patches)
- Right-click on one of the patches (or from the Patch drop-down)
- Choose the required action from: Approve, Ignore, Do Nothing, Reprocess Failed or Uninstall (only available for installed Microsoft patches that are marked as Uninstallable)
These actions are also available for individual patches from the Patch Information dialog...
- Double-click on the target patch in the south pane
- Choose the required action in the dialog
Regardless of where the action is performed, if Approve is selected the user is prompted to Use existing schedule or Schedule a new time to install the selection, and must confirm by entering the password of the account they are logged on to the Dashboard with.
Multiple Devices
Patches are managed across multiple devices at the overall device type (server or workstation), Client or Site level through the Patch Management Workflow (choose how each of the specified patches is handled, including installation schedule).
Use the available filters to reduce the returned information, for example filtering by patch status or searching by patch name, then use multi-select to choose the patches (Shift and left-click for a range of patches or Control and left-click for specific patches).
Patch Management Workflow
- Choose the required action from Approve, Ignore, Do Nothing, Reprocess Failed or Uninstall
- Select the target Clients and Sites
- Set the installation schedule: use the existing schedule or set up a new schedule which is only applicable to this patch selection
Patch Uninstall - the uninstall option is only available for Microsoft patches that are marked as Uninstallable on the Dashboard where the device is running Advanced Monitoring Agent 10.2.0 or later
Visit Patch Approval Actions for information on the patch approval hierarchy.
Disable Patch Management
Multiple Devices
- Log into the Dashboard
- Go to Settings > Patch Management > Settings
- Select the Entity type to apply the configuration to (all servers and workstations or servers and workstations at specific clients and sites)
- Choose Setting: Off or Use Parent if off (only for Client or Site)
- OK to save and apply
Individual Device
- Log into the Dashboard
- Right-click on the device in the north pane (or from the Edit Server, Workstation or Device drop-down)
- Go to Edit <Device Type> and Patch Management
- Choose the Setting: On, Off or Use Policy Setting (Off)
- OK to save and apply