Wednesday, October 12, 2016

RM Patch Management: Medicine for the common IT cold.



Patches. Just the word itself is enough to make any IT staff cringe. Keeping workstations and servers patched can be a very frustrating experience, and the list of devices to manage and update keeps growing. This is where Patch Management comes in: a cloud-based solution that keeps all your machines running smoothly and up to date, regardless of the device type.

Why RM Patch Management over WSUS?


There are a few major differences between WSUS and Patch Management, so let’s review them:

WSUS
  • WSUS requires a dedicated server for this purpose.
  • WSUS only works on devices within the network. This creates a lot of problems with laptops that are on and off the network.
  • WSUS requires network configuration to use effectively.

Patch Management
  • Patch Management is installed and managed with the Advanced Monitoring Agent.
  • Patch Management can be configured from the MAX RemoteManagement dashboard.
  • Patches can easily be approved and ignored from the MAX RemoteManagement dashboard (since MAX RemoteManagement is a cloud-based dashboard, it can be accessed from anywhere).
  • Since Patch Management does not require a central server, it is able to patch laptops that are off site. The only requirement is an internet connection.

With the workplace expanding to more mobile devices such as laptops, patching has become even more complex. This is where Patch Management comes into play.
We can already see how the Patch Management feature of MAX Remote Management simplifies patching and allows you to keep track of all your work machines, even those that are not always in the office.

Recommended Environmental Settings



The Windows Update service should be enabled, but the GUI portion should be set to not automatically patch a device. Common issues encountered in environments where both Patch Management and Windows Update are running include:
·         Incorrect patches being installed on devices
·         Bad patches being installed through Windows Update before Microsoft has had a chance to rescind them
·         Reboots occurring randomly or at unscheduled times throughout the day

When dealing with patches, end-users, and maintaining your environment, these are all situations you want to avoid.  It is important that Windows Update is configured to not automatically install patches.
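As an added example (not from the original post and not part of the MAX RemoteManagement product), this PowerShell audits a Windows host for the state recommended above, service enabled but nothing installed automatically, and corrects it when needed. It assumes a local administrator session, PowerShell 3 or later, and that no Group Policy manages these same values; NoAutoUpdate and AUOptions are Microsoft's documented Automatic Updates policy values.

```powershell
# Added example, not from the original post: audit a host for "Windows Update
# service enabled, automatic installation off" and optionally set that state.
# Assumes an elevated session and no Group Policy managing these values.

$AuPolicyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU'

function Test-WindowsUpdateForPatchManagement {
    $r = [ordered]@{}

    # 1. The agent relies on the Windows Update service, so it must not be disabled.
    $svc = Get-CimInstance -ClassName Win32_Service -Filter "Name='wuauserv'"
    $r.ServiceEnabled = ($null -ne $svc) -and ($svc.StartMode -ne 'Disabled')

    # 2. Automatic installation must be off: NoAutoUpdate = 1, or AUOptions set to
    #    2 (notify before download) or 3 (auto download, notify before install).
    #    Assumption: with no policy value present Windows installs on its own,
    #    so an absent key is reported as non-compliant.
    $au = Get-ItemProperty -Path $AuPolicyKey -ErrorAction SilentlyContinue
    $noAuto = 0; $auOpt = 4
    if ($au -and $null -ne $au.NoAutoUpdate) { $noAuto = [int]$au.NoAutoUpdate }
    if ($au -and $null -ne $au.AUOptions)    { $auOpt  = [int]$au.AUOptions }
    $r.AutoInstallOff = ($noAuto -eq 1) -or ($auOpt -in @(2, 3))

    $r.Compliant = $r.ServiceEnabled -and $r.AutoInstallOff
    [pscustomobject]$r
}

function Set-WindowsUpdateNotifyOnly {
    # Keep the service available but make Windows only notify (AUOptions = 2),
    # so downloads and installs happen on the Patch Management schedule instead.
    if (-not (Test-Path $AuPolicyKey)) { New-Item -Path $AuPolicyKey -Force | Out-Null }
    Set-ItemProperty -Path $AuPolicyKey -Name NoAutoUpdate -Value 0 -Type DWord
    Set-ItemProperty -Path $AuPolicyKey -Name AUOptions    -Value 2 -Type DWord
    $svc = Get-CimInstance -ClassName Win32_Service -Filter "Name='wuauserv'"
    if ($svc.StartMode -eq 'Disabled') { Set-Service -Name wuauserv -StartupType Manual }
}

$state = Test-WindowsUpdateForPatchManagement
$state | Format-List
if (-not $state.Compliant) {
    Set-WindowsUpdateNotifyOnly
    Test-WindowsUpdateForPatchManagement | Format-List
}
```

In a domain where the Windows Update policy is delivered by Group Policy, the same two values belong in that GPO rather than being set locally, since the next policy refresh would overwrite a local change.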

Patch Management Settings: Alert mode versus Report mode


When working with the Patch Management settings within MAX Remote Management, there are two settings available for communication regarding Missing Patches and Vulnerabilities:


·         Alert Mode:
o   The Vulnerability Scan Check will show a red X, indicating a failure
o   The information for missing patches is provided
o   The information for found vulnerabilities is provided
o   An email is sent to the contact on file
o   NOTE: An SMS text message can be configured for servers
o   NOTE: Alert Mode is recommended for Servers but not for Workstations.
·         Report Mode:
o   The Vulnerability Scan Check will show a green check and not indicate a failure
o   The information for missing patches is provided
o   The information for found vulnerabilities is provided
o   An email is not sent
Screenshot of the configuration screen where you can adjust this option:


Installation Schedule


After setting up your Auto Approval you will then decide your Installation schedule. The installation schedule can be configured to run multiple times per week. During the installation schedule all currently approved patches will be deployed. The options available are:

  •   Manual Installation – Deployment must be triggered from the MAX RemoteManagement dashboard.
  •   Scheduled Installation – Deployment is triggered on a schedule.

o   Scheduled Time
o   Repeat – Daily/Weekly/Monthly. Multiple days can be selected weekly.
o   Reboot After Installation – Never/When Required/Always
o   If Schedule Missed – Run ASAP and Include Reboot
o   NOTE: If Schedule Missed is important for laptops, as these devices tend to miss the patch schedule. It is recommended to set Run ASAP; Include Reboot is optional.

It is recommended to set up your installation schedule to include multiple days for deployment. This helps keep patching times down and avoids the issues that can occur when running many patches at the same time.
Screenshot of the installation schedule in settings:



Approving Patches


Patch Management includes an auto approval functionality which allows you to automatically approve patches of a certain severity level. But should you?



Auto approval can be customized in quite a few different ways. You can easily approve patches based on their severity. Severity levels are provided to us by the supported vendors, such as Microsoft, Oracle, and Adobe. The options available for auto approval are:

  • Ignore – Ignore all patches of this severity
  • Approve – Approve all patches of this severity
  • Manual – Patch will not be ignored, but must be manually approved

Auto approval can be a great way to save time and push needed security patches out to devices, but it can also become problematic if not monitored. Bad patches have been pushed out and caused issues for our partners and clients. There was an issue in November of last year where Microsoft released a bad patch for Office 2013 that caused a large number of problems with Outlook, as well as other issues within Office applications generally. Those that automatically approved the critical security patch were then left manually removing the patch from each affected device. In instances like this, what can be done? What can be recommended?

To approve or not approve?


Auto approval is very tempting, especially in cases where you want to save time, but it is not always the best option. What is recommended is to go for a manual approval process. This allows you time to research patches that are being pushed out to devices, as well as providing a more direct approach to managing patches. In the long run, the manual method of approving patches can prevent the IT department from having to perform break-fix work relating to bad updates.

This recommended process has an administrator spending 30-45 minutes once a week approving patches to be installed. Auto approval always carries the risk of a bad update. If a bad patch is released into your environment, then it could take a Tier 1 technician upwards of 10 hours to roll back the patches or resolve the problem across the environment. As an administrator, your first thought may be “But I don’t have time to manage all of these patches!” Do not fret, as this is much easier than it seems.



Let’s talk about the Management Workflow



Management Workflow allows you to see patches currently missing and installed in your environment. When accessing the Management Workflow you will see missing patches released in the last month. Let’s look at a few of the options here.


Your filtering options are located at the top of the Management Workflow window.
a.      Search Bar – Allows you to search for patch numbers and names.
b.      Date – Changing this will show patches released in the selected time frame.
c.      Filter by Status – Allows you to see different categories of patches based on status.
d.      Apply and Reset Filters – Allows you to apply filters you’ve changed or reset them to the default (Date: Last Month, Filter by Status: Missing).

Now that we know how to search for patches in the Management Workflow, let’s talk about approving and ignoring patches.
1.      You can select one patch or multiple patches by Shift+clicking or Ctrl+clicking through the patches you wish to approve or ignore. Click Proceed when you’ve selected what you need.

2.      The next screen will provide your options for the selected patches:

a.      Inherit – All patches are set to Inherit by default. They inherit your Auto Approval settings.
b.      Approve – Approve the patches to be installed.
c.      Ignore – Ignore the patches and do not install them.
d.      Do Nothing – The patch will stay as missing (neither approved nor ignored).
e.      Reprocess Failed – Reprocess any patches that have previously failed to install.
f.      Uninstall – Uninstall the selected patches (only available for Microsoft patches).
3.      Select which devices the action applies to:

a.      Servers/Workstations
b.      Clients/Sites – Select which Clients/Sites will receive the action.
4.      Choose when the patches will be installed or uninstalled:


a.      Use existing schedule – Install based on your schedule.
b.      Schedule a new time:
o   Push out the patches immediately.
o   Set a new schedule – deploy the patches outside of your normal settings.
o   Automatically reboot computer after installation of patches – Always/Only if required/Never.

Conclusion



Patch Management is a powerful tool for automating an environment that's always changing and on the move. Patching is relevant now more than ever. With mobile devices becoming dominant in the market it is crucial to ensure that all of these devices are properly patched. Patch Management is the tool for the job.