Remote Monitoring & Management Help

Quick Start Guide - Patch Management

This section provides a Quick Start Guide to set up and use the Patch Management feature, covering the following information along with links back to the main Help section for further detail:

Update or Install the Advanced Monitoring Agent

The first step to get up and running with Patch Management is to update to, or install, a version of the Windows Monitoring Agent that supports the required Patch Management feature.

| Windows Agent Version | Feature |
| --- | --- |
| 8.5 | Patch Management release (LanGuard Engine) |
| 8.14.1 | Included support for all Microsoft Update types (not just security) where the Operating System or Microsoft product is supported by Patch Management. These include update roll-ups, Service Packs, critical updates, tools and drivers. |
| 9.13 | Support for additional third party vendors |
| 10.2.0 | Support for Patch uninstallation (where patch is uninstallable) |
| 10.3.4 | Automatically adds a Windows Service Check to monitor the Patch Management GFI LanGuard Attendant Service when enabling this feature on a device. (LanGuard engine only) A fail state is triggered in the Patch Status Check where the scan results are not uploaded to the Dashboard when this information is expected. |
| 10.5.8 | Set a schedule for Patch Management Patch Status Scan |
| 10.8.0 RC | New Patch Management engine (SolarWinds Engine) |

10.8.0 RC Upgrade Note

If upgrading from agent version 10.5.8 or older, the Patch schedule may not initiate automatically. To avoid this potential issue, please update the Windows Monitoring Agent on your device to 10.5.9 or later before installing 10.8.0 RC.
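
The version table and the 10.8.0 RC upgrade note can be applied to an agent inventory as follows. This is an added example, not code from the product; the device names and the inventory are constructed, and the feature labels are shortened from the table.

```python
import re

# Minimum Windows Agent version per feature, taken from the table above.
FEATURE_MIN_VERSION = {
    "Patch Management release (LanGuard engine)": (8, 5, 0),
    "All Microsoft Update types": (8, 14, 1),
    "Additional third party vendors": (9, 13, 0),
    "Patch uninstallation": (10, 2, 0),
    "Attendant Service check (LanGuard engine only)": (10, 3, 4),
    "Patch Status Scan schedule": (10, 5, 8),
    "New Patch Management engine": (10, 8, 0),
}
INTERIM = (10, 5, 9)     # upgrade note: reach 10.5.9 or later first
NEW_ENGINE = (10, 8, 0)  # 10.8.0 RC


def parse_version(text):
    """Turn '10.5.8' or '10.8.0 RC' into a comparable 3-tuple (suffix ignored)."""
    match = re.match(r"\s*(\d+)\.(\d+)(?:\.(\d+))?", text)
    if not match:
        raise ValueError(f"unrecognised agent version: {text!r}")
    return tuple(int(part or 0) for part in match.groups())


def supported_features(version_text):
    """Features from the table that an agent of this version supports."""
    version = parse_version(version_text)
    return [name for name, minimum in FEATURE_MIN_VERSION.items() if version >= minimum]


def upgrade_path(version_text):
    """Installs needed to reach 10.8.0 RC while respecting the upgrade note."""
    version = parse_version(version_text)
    if version >= NEW_ENGINE:
        return []
    if version < INTERIM:  # 10.5.8 or older: the patch schedule may not start
        return ["10.5.9 or later", "10.8.0 RC"]
    return ["10.8.0 RC"]


# Constructed inventory (hypothetical device names, versions from this page).
INVENTORY = {"SRV-01": "10.5.8", "WS-07": "10.5.9", "WS-12": "8.14.1", "LT-03": "10.8.0 RC"}

if __name__ == "__main__":
    for device, version in INVENTORY.items():
        print(device, version, upgrade_path(version), supported_features(version))
```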

Patch Management and Windows Update from Monitoring Agent 10.8.0 RC

The Patch Management engine included from Windows Monitoring Agent 10.8.0 RC takes administrative control of Windows Update to download files and install the patches.

Update or Install Agent on Computer

  1. Log into the Dashboard
  2. Go to Agent > Download Agent
  3. Select the required Agent version (current GA or RC)
  4. Once downloaded, run the installer on each of the devices Patch Management is to be deployed on
    • When running on a new device the program runs the Agent setup wizard
    • Where Windows Monitoring Agent is already present on a device, the program updates the existing files whilst retaining the current settings

Update Agent from the Dashboard

  1. Log into the Dashboard
  2. Go to Agent > Agent Auto-update Settings
  3. Choose the entity (overall device type down to Client and site)
  4. Select the Agent version from the drop-down to Update All or only apply the update to specific devices
  5. OK to apply

Additional installation and update options are covered in Windows Monitoring Agent Installation.

Designate a Site Concentrator (Optional)

A typical workstation may require as much as 20 - 30MB of Microsoft Windows patches alone in any given month. To reduce the volume of traffic where there are a large number of workstations, you can designate a server mode device as a Site Concentrator (requires Windows Monitoring Agent 8.8 or later). The Site Concentrator acts as a repository for the other devices at that site, downloading and caching Agent features, updates and patch installation files. The other Agents then retrieve the files from the Site Concentrator, ensuring each patch is only downloaded once and reducing external network traffic. A new bespoke Site Concentrator was introduced from Windows Monitoring Agent 9.8.2 to replace the previous version.

From Dashboard v6.36 when Agents connecting through a Site Concentrator cannot upload due to upstream proxy issues, this is reported in the device's Summary tab. For example: Proxy error: Unable to connect through proxy server.

  1. Log into the Dashboard
  2. Expand the Client under the left Monitoring and Management tree
  3. Right-click on the target Site (or from the Edit menu)
  4. Choose Edit Site
  5. Go to Site Concentrator
  6. Populate the required information
  7. Save to apply

Create Custom Patch Management Policies

You can apply a default policy or use your own custom templates when using the Patch Management Feature Policy configuration option. This allows you to quickly and easily roll out Patch Management with pre-configured settings, rather than manually configuring each setting for each entity, which can be time-consuming and can introduce human error during the setup and subsequent configuration process.

  1. Log into the Dashboard
  2. Go to Settings > Patch Management > Feature Policy
  3. Click New
  4. Enter a Policy Name for identification
  5. Choose an existing policy to Base policy on
  6. Select the device type the policy is available for in Policy Type
  7. Click Add to create
  8. Select the new policy in the dialog
  9. Edit (or double-click on the policy)
  10. Configure the policy sections to match the updated requirements. These settings are also covered in the below Patch Management Configuration Sections
  11. Save to apply

Enable and Configure Patch Management

Patch Management is configurable for all devices on the Dashboard based on type, at specific Clients and Sites or on individual devices.

Servers and workstations inherit their configuration from the site, which in turn inherits from the client, which in turn inherits the default configuration for all servers and workstations. Device level settings take precedence over those set at the policy level.
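
The inheritance chain above can be audited for devices that end up with Patch Management switched off. This is an added example, not product code: the entity tree and names are constructed, and the device-level "Use Policy Setting" choice is modelled as "Use Parent" for simplicity.

```python
# Constructed entity tree; every name below is hypothetical.
# Each entry: name -> (parent name or None, setting), where setting is
# "On", "Off" or "Use Parent" as offered in the Settings dialog.
ENTITIES = {
    "All Workstations": (None, "On"),
    "Client A": ("All Workstations", "Use Parent"),
    "Site A1": ("Client A", "Off"),
    "Site A2": ("Client A", "Use Parent"),
    "WS-01": ("Site A1", "Use Parent"),
    "WS-02": ("Site A1", "On"),  # device level setting takes precedence
    "WS-03": ("Site A2", "Use Parent"),
}
DEVICES = ["WS-01", "WS-02", "WS-03"]


def effective_setting(name, entities=ENTITIES):
    """Return (setting, source): walk up until an explicit On or Off is found."""
    seen = set()
    current = name
    while current is not None:
        if current in seen:
            raise ValueError(f"inheritance loop at {current!r}")
        seen.add(current)
        parent, setting = entities[current]
        if setting in ("On", "Off"):
            return setting, current
        current = parent
    raise ValueError(f"{name!r} has no explicit setting anywhere in its chain")


def unprotected_devices(devices=DEVICES, entities=ENTITIES):
    """Devices whose effective setting is Off, mapped to the entity causing it."""
    report = {}
    for device in devices:
        setting, source = effective_setting(device, entities)
        if setting == "Off":
            report[device] = source
    return report


if __name__ == "__main__":
    for device, source in unprotected_devices().items():
        print(f"{device}: Patch Management is Off (set at {source})")
```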

Multiple Devices

  1. Log into the Dashboard
  2. Go to Settings > Patch Management > Settings
  3. Select the Entity type to apply the configuration to (all servers and workstations or servers and workstations at specific clients and sites)
  4. We use dots in the Settings dialog to make it easier to spot if the feature is enabled or disabled at the entity level, and whether devices under an entity have the same settings.

    • Green - Feature or functionality enabled for all devices under that entity. This includes device level settings
    • Grey - Feature or functionality disabled on at least one device under that entity. This includes device level settings
    • Orange - One of the child entities has a different configuration to the parent. Where a Client only has one Site, its status indicator reflects that of the Site.

    For further information on each of these states, please refer to Feature and Functionality Settings Iconography.

  5. Choose the Setting from On, Off or Use Parent (only for Client or Site)
  6. Configure the Patch Status Check (Scan) and Patch behavior: Auto Approval, Installation Schedule (including reboots) and Failed Patch alerting. These are covered below.
  7. OK to save and apply

Individual Device

  1. Log into the Dashboard
  2. Right-click on the device in the north pane (or from the Edit Server, Workstation or Device drop-down)
  3. Go to Edit <Device Type> and Patch Management
  4. Choose the Setting from On, Off or Use Policy Setting (On) or (Off)
  5. Configure the Patch Status Check (Scan) and Patch behavior: Auto Approval, Installation Schedule (including reboots) and Failed Patch alerting. These are covered below.
  6. OK to save and apply

Read the Windows 10 supportability statement.

Settings Options

Setting: On - Select the Patch Management Configuration Method

Select one of the available configuration options for the selected entity: Patch Management Feature Policy or manual settings configuration.

Apply a Patch Management Feature Policy

  1. Tick Use Patch Management policies (Recommended)
  2. Select the relevant default or custom policy from the drop-down. Where workstations are selected, you can select different policies for desktops and laptops

If you select Patch Management Feature Policy, you can select a different policy but cannot switch to manual configuration.

For new Dashboard accounts only Patch Management Feature Policy is available.

Configure Settings Manually (Legacy)

  1. Manually configure the below settings for each selected entity.
  2. Patch Status Check (Scan)
  3. Patch Auto Approval
  4. Installation Schedule (including reboots)
  5. Failed Patch alerting

Configure the Patch Scan and Patch Management Settings

Patch Scan

Choose the Dashboard and email notifications behavior when missing Patches and Vulnerabilities are discovered.

Schedule (Patch Scan)

Available on devices running Windows Monitoring Agent 10.5.8 and later, this option allows you to configure when the Patch Scan runs on the target devices.

DSC Cycle

Runs the Patch Scan at the same time as the Daily Safety Checks. (Default)

Manual Scan

The Patch Scan only runs when manually initiated from the device's context menu.

In the north panel of the Dashboard, use multi-select to choose the target devices (Shift and left-click for a range of devices, or Control and left-click for specific machines), right-click on one of the selected devices, then go to Patch Management, Re-run Patch Scan.

Scheduled Scan

Run the Patch Scan based on the entered time and repetition.

Regardless of the applied schedule, on-demand Patch Scans may be initiated from the device's context menu, as covered in the Manual Scan section above.

Auto Approval (Patch Installation)

Select the installation approval Action for Microsoft and Other Vendors patches based on Severity.

Severity

Critical, Important, Moderate, Low, Other

Action

Ignore

Do not install patches of this Severity

Approve

Approve patches of this Severity for automatic installation the next time Patch Management remediation runs (Installation Schedule).

Please note that automatically approved patches are not reported as Missing in the Patch Status Check (or Patches tab and subsequent Reports) but will go immediately to Pending.

Manual

Approve and install patches of this severity at a later date.

All patches must be approved before they are installed via Patch Management. If not selected for automatic or manual approval, patches may subsequently be approved for all Servers and Workstations or at the Client or Site level via Patch Management Workflow or Approval Policy, and at the device level through the Patches tab.

Installation Schedule

Configure when patches are to be installed for the selection:

Manual

Initiate the installation from the Dashboard

Scheduled Installation

Install the patches at the specified time: Day, Week or Month

Choose whether to Reboot After Installation: Never, When Required or Always

And how missed schedules are handled.

The Scheduled Time selected under Installation Schedule refers to the local time of the computer the Agent is installed on. Please take this into consideration where your Dashboard contains Clients, Sites or Devices in different timezones, to ensure Patches are not installed at an inappropriate time. One suggestion is to set a custom Installation Schedule at the Client, Site or Device level based on their timezone.

Failed Patches

Select the behavior when a patch reports as failed.

Automatically reprocess failed patches

Where a patch installation fails, enabling this option will retry the patch deployment based on the device's patch Installation Schedule.

To handle those instances where a patch fails to install multiple times, we have included the ability to set the number of times a patch will be reprocessed (maximum of 5) before it is considered failed.

To avoid installing patches at a time that may not be suitable to the business or user, this reprocessing option respects the patch Installation Schedule.

For example, if patches are set to install every weekday at 10:00am and a patch fails on Monday, then the Dashboard will retry that patch each day at 10:00am until either the patch installs or the maximum number of attempts is reached. Or where patches are set to install manually, we will attempt to retry that patch each time you run a manual patch remediation until either the patch installs or the maximum number of attempts is reached.

Please be aware that running a manual remediation does not count towards the Automatically reprocess failed patches count where the Installation Schedule is set to Scheduled (daily, weekly or monthly). The count figure is only incremented when the remediation takes place as part of the device's scheduled remediation.

Whilst in the reprocessing state, a patch is not reported as failed on the Dashboard.
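
The reprocess counting rules above, replayed over a sequence of remediation runs. This is an added model, not product code: the state names, the patch name, the lower bound of 1 and the choice to start the count at zero after the first failure are assumptions.

```python
from dataclasses import dataclass

MAX_REPROCESS_LIMIT = 5  # the page gives 5 as the maximum reprocess count


@dataclass
class FailedPatch:
    """One patch after its first failed installation (modelling assumption)."""
    name: str
    scheduled_install: bool      # True: Scheduled Installation, False: Manual
    max_attempts: int = 3
    attempts: int = 0
    state: str = "Reprocessing"  # not reported as Failed while being retried

    def __post_init__(self):
        if not 1 <= self.max_attempts <= MAX_REPROCESS_LIMIT:
            raise ValueError("reprocess count must be between 1 and 5")

    def remediate(self, trigger, install_ok):
        """Apply one remediation run; trigger is 'scheduled' or 'manual'."""
        if self.state != "Reprocessing":
            return self.state
        if install_ok:
            self.state = "Installed"
            return self.state
        # A manual run on a device with a Scheduled installation does not
        # increment the count; every other failed retry does.
        counts = not (self.scheduled_install and trigger == "manual")
        if counts:
            self.attempts += 1
        if self.attempts >= self.max_attempts:
            self.state = "Failed"
        return self.state


def replay(patch, runs):
    """Feed a list of (trigger, install_ok) runs; return the state after each."""
    return [patch.remediate(trigger, ok) for trigger, ok in runs]


# Constructed week: weekday 10:00 schedule plus one manual run on Tuesday.
WEEK = [("scheduled", False), ("manual", False), ("scheduled", False),
        ("scheduled", False), ("scheduled", True)]

if __name__ == "__main__":
    print(replay(FailedPatch("KB-EXAMPLE", scheduled_install=True), WEEK))
```

With the default of three attempts, the manual run on the second day leaves the count untouched, so the patch is only reported as Failed after the third scheduled failure.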

Send an email when patch installation fails

As a patch installation failure may require investigation, you can choose whether to send an email notification where a patch fails to install.

In addition to automatically retrying a failed patch, we also have the option to manually reprocess any patch where it is in the Failed state on the Dashboard.

Once Patch Management installs on a device it automatically runs a Patch Scan based on the entered Scan Schedule settings.

View Patch and Vulnerability Information

The scan results are displayed against the Patch Status Check, accessible from the device's Checks tab on the Dashboard.

The Check's More Information link contains a summary of the results from the last time the Check ran. Click the link for detailed information, including the Last Scan run time along with the vulnerabilities and missing patches that were identified.

Information across multiple devices is available in the Patch Overview Report with the Failure Report containing only those patches where an installation problem was encountered.

Manage Patches From the Dashboard

Individual Devices

Patches are managed at the individual device level by selecting the computer in the north panel then going to its Patches tab.

This tab lists all of the discovered patches along with their Severity level, Patch Name, Product, Date Installed (if installed by Patch Management) along with whether it is Installable and / or Uninstallable.

To simplify the identification of a patch's current state, patches are grouped based on their status: Missing, Installed, Pending etc.

To perform an action against a patch, or number of patches...

  1. Use multi-select (Shift and left-click for a range or Control and left-click for specific patches)
  2. Right-click on one of the patches (or from the Patch drop-down)
  3. Choose the required action from: Inherit, Approve, Ignore, Do Nothing, Reprocess Failed or Uninstall (only available for installed Microsoft patches that are marked as Uninstallable)

These actions are also available for individual patches from the Patch Information dialog...

  1. Double-click on the target patch in the south pane
  2. Choose the required action in the dialog

Regardless of where the action is performed, if Approve is selected the user is prompted to Use existing schedule or Schedule a new time to install the selection, and to confirm by entering the password of the account they are logged on to the Dashboard under.

Multiple Devices

Patches are managed across multiple devices at the overall device type (server or workstation), Client or Site level through the Approval Policy (configure a behavioral policy for each of the selected patches) or Patch Management Workflow (choose how each of the specified patches is handled, including installation schedule).

For either dialog, use the available filters to reduce the returned information, for example filtering by patch status or searching by patch name, then select the patches using multi-select (Shift and left-click for a range of patches, or Control and left-click for specific patches).

Patch Management Workflow

  1. Choose the required action from Inherit, Approve, Ignore, Do Nothing, Reprocess Failed or Uninstall
  2. Select the target Clients and Sites
  3. Set the installation schedule: use the existing schedule or set up a new schedule which is only applicable to this patch selection

Approval Policy

  1. Choose the target Clients and Sites
  2. Set Patch Policy to apply to the patches from Inherit, Approve, Ignore or Do nothing to the target Clients and Sites

Patch Uninstall - the uninstall option is only available for Microsoft patches that are marked as Uninstallable on the Dashboard where the device is running Advanced Monitoring Agent 10.2.0 or later

Visit Patch Approval Actions for information on the patch approval hierarchy.

Disable Patch Management

Multiple Devices

  1. Log into the Dashboard
  2. Go to Settings > Patch Management > Settings
  3. Select the Entity type to apply the configuration to (all servers and workstations or servers and workstations at specific clients and sites)
  4. Choose Setting: Off or Use Parent if off (only for Client or Site)
  5. OK to save and apply

Individual Device

  1. Log into the Dashboard
  2. Right-click on the device in the north pane (or from the Edit Server, Workstation or Device drop-down)

  3. Go to Edit <Device Type> and Patch Management
  4. Choose the Setting: On, Off or Use Policy Setting (Off)
  5. OK to save and apply