Monday, November 28, 2011

(T3): Patch Management & Dashboard v5.21

Yes, y'all - it's finally upon us!  Dashboard v5.21!  Here's some cool stuff you can do with the new dashboard and the new Release Candidate Agent (v8.10.1).  In essence, now patches from both Microsoft and all of our supported vendors can be approved and installed, including reboots, without user intervention if desired.

If you'd like, you can read the release notes on the forums:

The new Dashboard version 5.21 will be released overnight 28 November 2011, possibly by the time you read this.  Here's a quick outline of just some of the new features. These are mainly concerning Patch Management and the added functionality that 5.21/8.10.1 gives to GFIMAX's strongest feature.

First off, you'll notice that the Patch Management feature has a new icon associated with it: gone is the 'software box' (a what? who needs a box for software?) and in its place is a "shield" that illustrates the security protection that the Patch Management/Vulnerability Scan feature truly represents.
[Screenshot: Patch Management menu on the Settings Menu]

The icon will be different colors depending on the context, but you'll notice it first as a multicolored icon.

From here you can enter the Settings/Dashboard Policy window, which looks about the same as it used to but with new features embedded.  To begin with, something many have been asking for:
3rd-party patch auto-approval
[Screenshot: Auto Approval section of Patch Management Policy Settings]
Here you will notice two new things:
  1. The (obvious) addition of the Other Vendors heading, which includes Mozilla, Adobe and Java among several others.
  2. The change in verbiage of the Approval options.  Gone is the good-for-nothing "Do Nothing" option, replaced with a "Manual" option indicating that you will approve the patch yourself, either in the Approval Policy dialogue or on individual agents.  The other options, "Ignore" and "Approve," are the same as in previous versions:
    • Ignore: the patch is automatically NOT installed, and you are not alerted/notified when it appears.  (Use this deliberately: an ignored patch is invisible on the dashboard.)
    • Approve: the first step of our two-step patch installation process (approval) happens automatically as soon as the missing patch is discovered.  (Step 2, the Installation Schedule, is covered next.)
Tip/Note: by default, all 3rd-party patches are set to Manual approval, as that is how they've previously been handled.

Approval Policy view changes
If you're approving multiple patches across multiple vendors, clients, and/or sites, you'll notice this view has been updated as well.  Most notably, the Release Date is shown in its own column on the dialogue.  The "Do Nothing" verbiage rears its head here still, but I guess it does fit in the menu a whole lot better than "Do not make any changes to the setting applied to this level as defined in the Patch Management Policy."
[Screenshot: New Approval Policy Dialogue]
Do remember that you can use Shift+click and Ctrl+click in this view to select multiple patches at the same time for deployment.  You know, Todd, wouldn't it be cool if ...?  Hold that thought.

After a patch has been approved, either automatically or manually, the dashboard will indicate its status in a new column:
[Screenshot: Column View for Patches]
This column has one icon at this time: a blue dot indicating that step 1 of patch management (Approval) has been achieved and step 2 (Installation) has yet to be accomplished.  (More on forcing installation a little later.)
Patch Installation Reboot Options
Yes, Patch Management will now let you know when an installed patch is waiting on a Windows reboot to complete.  As part of your Patch Management settings, you can configure the reboot behaviour at the Policy level within the dialogue:
[Screenshot: Installation Schedule / Reboot Options]
There are three options:
  1. "Never" - Do not reboot the computer, even if a patch requires it.  After deployment, the Patches tab on the agent will show the patch as "Reboot Required" (shown below).
  2. "When Required" - Automatically reboot the machine after patch installation completes, but only if one of the installed patches requires it.
  3. "Always" - Reboot the computer after patches are installed, period.
Tip/Note #1: "Never" was the previous behaviour; it is the setting your existing Patch Management Policy will inherit to begin with, and it is the default when creating a new policy for a client/site/agent.

Tip/Note #2: for those of you that I've spoken to in detail about Patch Management, option #3 resembles the recommendation I would give about using Automated Tasks to schedule a reboot 2 or 3 hours after your Patch Management schedule.  If you configured such a task, remember that you can/should disable or delete it if and when you change this setting in your policy; otherwise the machine may reboot twice.
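If you do keep an Automated Task for the reboot, the script below is an added example of what it could run; it is not GFI MAX code and not from the release notes.  It mirrors the "When Required" and "Always" options from the policy: it only restarts when Windows itself reports an outstanding reboot (the same condition behind the "Reboot Required" status), unless you pass -Always.  It assumes the task runs the script elevated on the patched machine, a few hours after the patch window, and the parameter names (-DelaySeconds, -Always, -DryRun) are my own.

```powershell
# Added example (not GFI MAX code): reboot a patched machine only when Windows
# reports that a restart is actually pending, i.e. the "When Required" behaviour,
# or unconditionally with -Always, i.e. the "Always" behaviour.
# Assumptions: runs as Administrator on the target machine, e.g. from a scheduled
# task started 2-3 hours after the patch installation window.
param(
    [int]$DelaySeconds = 300,   # grace period shown to logged-on users (5 minutes)
    [switch]$Always,            # restart even if nothing is pending ("Always")
    [switch]$DryRun             # report only; never call shutdown.exe
)

function Test-PendingReboot {
    # Well-known places where Windows Update and the servicing stack record that
    # a restart is outstanding. Returns the list of indicators that fired.
    $indicators = @()

    if (Test-Path 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing\RebootPending') {
        $indicators += 'CBS RebootPending'
    }
    if (Test-Path 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\RebootRequired') {
        $indicators += 'WindowsUpdate RebootRequired'
    }
    $sessionManager = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager' -ErrorAction SilentlyContinue
    if ($sessionManager -and $sessionManager.PendingFileRenameOperations) {
        $indicators += 'PendingFileRenameOperations'
    }
    return $indicators
}

$pending = Test-PendingReboot

if (-not $pending -and -not $Always) {
    # "When Required" and nothing is required: do not disturb the machine.
    Write-Output "No pending reboot on $env:COMPUTERNAME; nothing to do."
    exit 0
}

if ($pending) {
    Write-Output ("Pending reboot on {0}: {1}" -f $env:COMPUTERNAME, ($pending -join ', '))
} else {
    Write-Output "No pending reboot on $env:COMPUTERNAME, but -Always was given."
}

if ($DryRun) {
    exit 0
}

# /r = restart, /t = seconds before the restart, /c = message shown to users.
& shutdown.exe /r /t $DelaySeconds /c "Patch management: restart required to finish installing updates"
exit $LASTEXITCODE
```

Run it once by hand with -DryRun on a machine that shows "Reboot Required" on its Patches tab to confirm the indicator check agrees with the dashboard before you trust it in a task; and, as the note above says, retire the task once the policy's own reboot option is doing this job.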
Override the installation schedule 
Force 'immediate' installation

Now that the patches are Approved, the second step of Patch Management deployment is the Installation Schedule.  This is typically accomplished by choosing a day (or days) of the week and a time in the Policy view.  However, you can select Manual Installation as a 'schedule.'  In this case, patches will never be installed automatically, even when they're approved; you have to force the installation yourself.  Up to now, you could do that from the Server/Workstation menu, Patch Management sub-menu.

Tip/Note: There are two roughly equivalent options allowing strict management of patch deployment. I will cover these options & techniques in an upcoming post.
Dashboard v5.21 improves this in two ways as shown:
[Screenshot: New Install Patches override]

[Screenshot: Install schedule dialogue]
The previous menu selection allowed you to "Install Patches Now" (which brought up GFI's unique definition of the word "now," but that's another story).  As you can see, you can now tell the agent to deploy patches on its next 24x7 check-in cycle, or schedule the deployment for a later time.  When you select Later, a dialogue box appears where you set the schedule.

The second improvement -- is it?  Could it be? Are you serious?  Can we..?!!?  YES, yes you can select multiple machines in your dashboard by using Shift+click and Ctrl+click.  When you do so, the Server/Workstation menu changes to the 'multi-menu' that you see above.  Only the options that are applicable to multiple machines are available.  In the case of the Install Patches dialogue, the command is sent to every system selected.

If a deployed patch requires a reboot and it hasn't been set to automatically do so, the Patches tab will show a new group header indicating that status:
[Screenshot: Reboot Required Patch]

The Summary tab will also show an explanation of the required reboot, as it already did with Managed Antivirus.
[Screenshot: Summary tab indicating required reboot]

Reboot Now & Later
The Reboot column in your dashboard will update as well, with the blue dot that was previously used to indicate Managed Antivirus had completed its initial step of installation.  The two options described above for Patch Management (Now and Later) are also available for the existing "Reboot Now" command.  Select Now or Later on multiple machines and schedule a reboot for later today or next week so you don't forget!

This merely scratches the surface of the features included in the new dashboard 5.21 and RC8.10.1.  Please read the Release Notes which are posted on the Forums and will be added to your Help file Appendices after the update.