Friday, December 2, 2011

(T3): Managing your Patch Management

Deploying patches successfully and efficiently across multiple clients can quickly turn from a simple maintenance task to a huge time-suck if you don't have a plan, flexibility, or the right tools.

Managing/configuring Patch Management

With GFIMAX RemoteManagement's Patch Management feature, you can be as tight or loose as you want with how patches get deployed to systems throughout your client-base.  Whether you want to make sure all machines get the "latest-and-greatest" as soon as possible, or you want to meticulously monitor the importance, stability, and need of each patch, the flexibility is here.

The "White-listing" approach
You may want to strictly disseminate only patches that you have tested prior to installing them on client computers.  Patches can and do affect both system performance and security, and you're the one being paid for your expertise in balancing the two.

In this situation, you want to effectively halt the installation of everything.  Patch Management settings can do this in two ways.  Either set "Auto-Approval" to Approve but the schedule to Manual, or set all "Auto-Approval" levels to Manual with the install schedule set to any day (even every day).  Either combination will effectively never install patches without user intervention.

Patch Management will inform you about new patches for each machine as usual, but they will remain under "Missing" status until you review them.  Use the Approval Policy dialogue to search through them and review their impact by clicking the link to the vendor's release-information page. (The left-hand column of the window is this link.)

While in this dialogue, you can select multiple patches using Shift+Click and/or Ctrl+Click and change their approval status on the right-hand side.

After approving across multiple machines, select the client or site view to show those computers where you just approved the patches.  Use Shift+Click and/or Ctrl+Click to select multiple devices in the list.  From the Edit, Server, or Workstation menu, select Patch Management, then either install the patches now or schedule them for later (provided v8.10.1 or later is installed on the machine).

The "Latest and Greatest" approach
In contrast to the scenario above, MAX can be configured to push out patches and even reboot computers with zero intervention.  Instead of halting at the first step (approval) or the second step (scheduled installation), you can auto-approve and set a scheduled time in the Dashboard Policy.  As part of the schedule, you can tell the computer to reboot if a patch requires it, or every time if you'd like.

Simply configure the Patch Management Dashboard Policy to automatically approve everything.  In the Reboot option, set whichever option you prefer: "When Required" or "Always."

From here, use the Monthly Report for servers and the Patch Overview Report to monitor the job that the system is doing.

Flexibility - everywhere in between
The good thing about MAX's system is that it is quite flexible. The scenarios above need not be the only ones that you use.  Work the system and don't let it work you.  Make it different for every client, depending on their needs.  Make all clients automatically install critical patches only, but then vet the rest carefully.  Turn everything on automatic in one of your own environments and turn it into a test bed. Automatically push out patches to all the workstations, but 'white list' all servers.  It's a tool designed to make the most of your expertise, not to tell you what your expertise "should" be.
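To make the interaction between the approval levels, the install schedule, the reboot option and per-device overrides concrete, here is an added model of those settings (it is an illustration written for this post, not GFI MAX's own API or configuration format; the Policy and Device classes, the severity names and the status strings are all assumptions). It shows why both "halt" configurations from the white-listing section never install anything, and how a critical-only client policy combined with a white-listed server and an excluded device plays out.

```python
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

# Hypothetical model of the Auto-Approval / schedule / reboot settings the post
# describes (not GFI MAX's own API or data format); it exists only to show how
# the settings combine.
APPROVE, MANUAL = "approve", "manual"

@dataclass
class Policy:
    auto_approval: Dict[str, str]   # severity -> APPROVE or MANUAL
    schedule: str                   # MANUAL, or a recurring schedule such as "daily"
    reboot: str = "never"           # "never", "when_required" or "always"

@dataclass
class Device:
    name: str
    kind: str                             # "server" or "workstation"
    patch_management: bool = True         # Off excludes the device "for all time"
    override: Optional[Policy] = None     # per-device settings differing from the client's

def decide(policy: Policy, device: Device, severity: str, needs_reboot: bool) -> Tuple[str, bool]:
    """Return (patch status, whether the device would reboot) for one patch."""
    if not device.patch_management:
        return "excluded", False
    p = device.override or policy
    if p.auto_approval.get(severity, MANUAL) != APPROVE:
        return "missing", False             # waits for review in the Approval Policy dialogue
    if p.schedule == MANUAL:
        return "approved_not_scheduled", False  # approved, but never installs without intervention
    reboots = p.reboot == "always" or (p.reboot == "when_required" and needs_reboot)
    return "installs", reboots

# Constructed policies mirroring the post's scenarios.
WHITELIST = Policy({"critical": MANUAL, "important": MANUAL, "optional": MANUAL}, "daily")
HALT_BY_SCHEDULE = Policy({"critical": APPROVE, "important": APPROVE, "optional": APPROVE}, MANUAL)
LATEST_GREATEST = Policy({"critical": APPROVE, "important": APPROVE, "optional": APPROVE}, "daily", "when_required")
CRITICAL_ONLY = Policy({"critical": APPROVE, "important": MANUAL, "optional": MANUAL}, "daily", "always")

def plan(policy: Policy, devices, severity: str, needs_reboot: bool = True):
    """Outcome per device for one patch under a client-wide policy."""
    return {d.name: decide(policy, d, severity, needs_reboot) for d in devices}

if __name__ == "__main__":
    fleet = [Device("ws1", "workstation"),
             Device("srv1", "server", override=WHITELIST),      # 'white list' all servers
             Device("lab", "workstation", patch_management=False)]
    for name, outcome in plan(CRITICAL_ONLY, fleet, "critical").items():
        print(name, outcome)
```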

In my own experience, I always worked with several very smart consultants, engineers and administrators.  We all had one thing in common: we did things differently than anyone else.  No need to squelch that diversity: embrace it!  Empower those that are there every day where the rubber meets the road.

I'd sure love to hear how you may want to do this task for your clients.  I'd also welcome questions about the effectiveness and efficiency of methods you'd like to propose.  A "different pair of eyes" on the picture often opens up a whole new world of possibility.  Bring it!


  1. Two quick questions on patching...
    How can I exclude 1 machine from the scheduled install?
    If I do, and 'end user intervention' is required to install, how will the user be notified there are updates to install?

    1. Mumma? Is that you? :) The answer is, of course, "it depends." (We're in IT after all, aren't we?)

      To answer the 2nd question first, there will NOT be any end-user intervention/notification with MAX PM. Ever.

      The first question: 1 machine can be excluded from Patch Management altogether on the Edit Server/Workstation dialogue box. Select Patch Management and turn it Off. This turns it off "for all time."
      If you want to turn it off for "one time" you would have to select that one device and either "Unapprove" any patches already in Pending, or "ignore" them to ensure they don't push out. "Ignore" will turn the Vulnerability check green on next run.

      Contact me/us so we're on the page for the situation you're thinking of, though.

    2. oh, shoot. forgot one thing:
      The "all time" change can just EDIT the PM configuration as well as turn it Off altogether. So you could change that 1 device to a Manual Approval or Install to differ from all other devices present.