By: Brian C. Teasley
Patches. Just the word itself is enough to make any IT staff cringe. Keeping workstations and servers patched can be a very frustrating experience, and the list of devices to manage and update only grows. This is where Patch Management comes in: a cloud-based solution to keep all your machines running smoothly and up to date, regardless of the device type.
Why RM Patch Management over WSUS?
There are a few major differences between WSUS and Patch Management, so let’s review them:
WSUS
- WSUS requires a dedicated server for this purpose.
- WSUS only works on devices within the network. This creates a lot of problems with laptops that are on and off the network.
- WSUS requires network configuration to use effectively.
Patch Management
- Patch Management is installed and managed with the Advanced Monitoring Agent.
- Patch Management can be configured from the MAX RemoteManagement dashboard.
- Patches can easily be approved and ignored from the MAX RemoteManagement dashboard (since MAX RemoteManagement is a cloud-based dashboard, it can be accessed from anywhere).
- Since Patch Management does not require a central server, it is able to patch laptops that are off site. The only requirement is an internet connection.
With the workplace expanding to more mobile devices such as laptops, patching has become even more complex. This is where Patch Management comes into play.
We can already see how the Patch Management feature of MAX Remote Management simplifies patching and allows you to keep track of all your work machines, even those that are not always in the office.
Recommended Environmental Settings
The Windows Update service should be enabled, but the GUI portion should be set to not automatically patch a device. Common issues encountered in environments where both Patch Management and Windows Update are running are:
- Incorrect patches are installed on devices
- Bad patches are installed through Windows Update before Microsoft has had a chance to rescind them
- Reboots occur randomly or at unscheduled times throughout the day
When dealing with patches, end-users, and maintaining your environment, these are all situations you want to avoid. It is important that Windows Update is configured to not automatically install patches.
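As an added example (not from the original post or the MAX RemoteManagement product), the following PowerShell script audits a host for the state recommended above: the wuauserv service enabled, but the Automatic Updates policy set so Windows does not install patches on its own. It assumes the Automatic Updates policy registry key is the configuration mechanism; on a domain-joined machine a Group Policy writing the same key would override local changes.

```powershell
# Added example, not part of the original post or the MAX RemoteManagement product.
# Audits the recommended Windows Update state: wuauserv enabled, but Automatic Updates
# set to notify/download only so Windows does not install patches on its own.
# Assumption: the Automatic Updates policy registry key is the mechanism checked; on a
# domain-joined host a Group Policy writing the same key overrides local changes.
$AuPolicyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU'

function Test-WindowsUpdateAgentState {
    $findings = @()

    # 1. The service must exist and must not be disabled: a third-party patch agent
    #    still installs through the Windows Update Agent, so it has to be able to run.
    $svc = Get-CimInstance -ClassName Win32_Service -Filter "Name='wuauserv'"
    if ($null -eq $svc)                    { $findings += 'wuauserv service not found' }
    elseif ($svc.StartMode -eq 'Disabled') { $findings += 'wuauserv is set to Disabled' }

    # 2. AUOptions: 2 = notify before download, 3 = download then notify before install,
    #    4 = download and install automatically. Only 2 and 3 leave installs to an operator.
    $au = Get-ItemProperty -Path $AuPolicyKey -ErrorAction SilentlyContinue
    if ($null -eq $au -or $null -eq $au.AUOptions) {
        $findings += 'No AUOptions policy set; the local GUI setting decides (verify manually)'
    } elseif ($au.NoAutoUpdate -eq 1) {
        $findings += 'NoAutoUpdate=1: Automatic Updates disabled by policy rather than notify-only'
    } elseif ($au.AUOptions -notin 2, 3) {
        $findings += "AUOptions=$($au.AUOptions): not a notify-only value, Windows may install on its own"
    }

    [pscustomobject]@{ Compliant = ($findings.Count -eq 0); Findings = $findings }
}

function Set-NotifyOnlyUpdatePolicy {
    # Keeps Automatic Updates on (NoAutoUpdate=0) but stops unattended installs.
    # AUOptions=3 still downloads, so the agent's install window is not slowed by downloads.
    New-Item -Path $AuPolicyKey -Force | Out-Null
    New-ItemProperty -Path $AuPolicyKey -Name NoAutoUpdate -Value 0 -PropertyType DWord -Force | Out-Null
    New-ItemProperty -Path $AuPolicyKey -Name AUOptions    -Value 3 -PropertyType DWord -Force | Out-Null
    # Re-enable the service if someone disabled it outright; the agent depends on it.
    $svc = Get-CimInstance -ClassName Win32_Service -Filter "Name='wuauserv'"
    if ($svc -and $svc.StartMode -eq 'Disabled') { Set-Service -Name wuauserv -StartupType Manual }
}

$state = Test-WindowsUpdateAgentState
if ($state.Compliant) { 'Windows Update state matches the recommendation' }
else {
    $state.Findings | ForEach-Object { Write-Warning $_ }
    # Set-NotifyOnlyUpdatePolicy   # run elevated once the findings have been reviewed
}
```

Run the audit from the agent's own scheduled script facility or a logon script so a laptop that re-images or drifts is caught before its next patch window.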
Patch Management Settings: Alert mode versus Report mode
When working with the Patch Management settings within MAX Remote Management, there are two settings available for communication regarding Missing Patches and Vulnerabilities:
- Alert Mode:
  - The Vulnerability Scan Check will be a red X, indicating a failure
  - The information for missing patches is provided
  - The information for found vulnerabilities is provided
  - An email is sent to the contact on file
  - NOTE: An SMS text message can be configured for servers
  - NOTE: Alert Mode is recommended for Servers but not for Workstations.
- Report Mode:
  - The Vulnerability Scan Check will be a green check and not indicate a failure
  - The information for missing patches is provided
  - The information for found vulnerabilities is provided
  - An email is not sent
Screenshot of the configuration screen where you can adjust this option:
Installation Schedule
After setting up your Auto Approval you will then decide your installation schedule. The installation schedule can be configured to run multiple times per week. During the installation schedule all currently approved patches will be deployed. The options available are:
- Manual Installation – Deployment must be triggered from the MAX RemoteManagement dashboard.
- Scheduled Installation – Deployment is triggered on a schedule
  - Scheduled Time
  - Repeat – Daily/Weekly/Monthly. Multiple days can be selected weekly.
  - Reboot After Installation – Never/When Required/Always
  - If Schedule Missed – Run ASAP and Include Reboot
  - NOTE: If Schedule Missed is important for laptops, as these devices tend to miss patch scheduling. It is recommended to set Run ASAP, but Include Reboot is optional.
It is recommended to set up your installation schedule to include multiple days for deployment. This helps keep patching times down and avoids any issues that can occur when running multiple patches at the same time.
Screenshot of the installation schedule in settings:
Approving Patches
Patch Management includes an auto approval feature which allows you to automatically approve patches of a certain severity level. But should you?
Auto approval can be customized in quite a few different ways. You can easily approve patches based on their severity. Severity levels are provided to us by the supported vendor, such as Microsoft, Oracle, and Adobe. The options available for auto approval are:
- Ignore – Ignore all patches of this severity
- Approve – Approve all patches of this severity
- Manual – Patch will not be ignored, but must be manually approved
Auto approval can be a great way to save time and push needed security patches out to devices, but it can also become problematic if not monitored. Bad patches have been pushed out and caused issues for our partners and clients. There was an issue in November of last year where Microsoft released a bad patch for Office 2013 that caused a large number of problems with Outlook, as well as other issues within Office applications generally. Those who automatically approved the critical security patch were then left manually removing the patch from each affected device. In instances like this, what can be done? What can be recommended?
To approve or not approve?
Auto approval is very tempting, especially in cases where you want to save time, but it is not always the best option. What is recommended is a manual approval process. This allows you time to research patches that are being pushed out to devices, as well as providing a more direct approach to managing patches. In the long run, the manual method of approving patches can prevent the IT department from having to perform break/fix work relating to bad updates.
This recommended process has an administrator spending 30-45 minutes once a week approving patches to be installed. Auto approval always introduces the risk of a bad update. If a bad patch is released into your environment, it could take a Tier 1 technician upwards of 10+ hours to roll back the patches or resolve the problem across the environment. As an administrator, your first thought may be “But I don’t have time to manage all of these patches!” Do not fret, as this is much easier than it seems.
Let’s talk about the Management Workflow
The Management Workflow allows you to see patches currently missing and installed in your environment. When accessing the Management Workflow you will see missing patches released in the last month. Let’s look at a few of the options here.
Your filtering options are located at the top of the Management Workflow window.
a. Search Bar – Allows you to search for patch numbers and names
b. Date – Changing this will show patches released in that time frame.
c. Filter by Status – Allows you to see different categories of patches based on status.
d. Apply and Reset Filters – Allows you to apply filters you’ve changed or reset them to default (Date: Last Month, Filter by Status: Missing)
Now that we know how to search for patches in the Management Workflow, let’s talk about approving and ignoring patches.
1. You can select one patch or multiple patches by Shift+clicking or Ctrl+clicking through the patches you wish to approve or ignore. Click Proceed when you’ve selected what you need.
2. The next screen will provide your options for the selected patches:
a. Inherit – All patches are set to inherit by default. They inherit your Auto Approval settings.
b. Approve – Approve the patches to be installed.
c. Ignore – Ignore the patches and do not install them.
d. Do Nothing – The patch will stay as missing (neither approved nor ignored).
e. Reprocess Failed – Reprocess any patches that have previously failed to install.
f. Uninstall – Uninstall the selected patches. (Only available for Microsoft patches)
3. Select which devices the action applies to:
a. Servers/Workstations
b. Clients/Sites – Select which Clients/Sites will receive the action
4. Select when the patches will be installed or uninstalled:
a. Use existing schedule – Install based on your schedule
b. Schedule a new time
  - Push out the patches immediately
  - Set a new schedule, which allows you to deploy the patches outside of your normal settings.
  - Automatically reboot computer after installation of patches – Always/Only if required/Never.
Conclusion
Patch Management is a powerful tool for automating an environment that’s always changing and on the move. Patching is relevant now more than ever. With mobile devices becoming dominant in the market, it can be crucial to ensure that all of these devices are properly patched. Patch Management is the tool for the job.