
Enterprise User Manual


Chapter 15

Patch Management


In recent years, Microsoft have become increasingly aware of the need to maintain the security of their software products. To help organizations fix bugs and defend their systems from new worms and viruses, Microsoft regularly issue service releases and critical software updates. However, this increase in responsiveness has meant that organizations need to devote more and more resources to protecting their PCs. Microsoft's Software Update Services (SUS) is designed to address this problem by helping organizations keep their systems up-to-date with the minimum of effort.

The Enterprise Patch Management module is a user-friendly interface to Software Update Services. It provides a central location for the management and administration of your SUS servers and Automatic Updates clients without the need to install Active Directory, and enables you to monitor the installation of security updates and service releases on your network's PCs through the Patch Management Reports folder.

The Patch Management Process

Before you can use Software Update Services with Enterprise Patch Management, you must install and set up at least one SUS server, and make sure that the Automatic Updates Client is running on all eligible PCs. This section provides an overview of the setup process and of how Patch Management works.

To set up and run Patch Management:
  1. Install the SUS server. For more information on software requirements and getting started with Software Update Services, see "Deploying Microsoft Software Update Services" at Microsoft.com/SUS.
  2. Install the Enterprise Console on the SUS server and any SUS statistics servers. Link the Console to the Site with which you want to use Patch Management, and ensure the Enterprise Scheduler is running and assigned to that Site. For more information, see "Activating the Scheduler".
  3. In the Console's Patch Management folder, click the Specify SUS Server Operation and enter the details of the SUS server you want to manage from the Console.
  4. Select the SUS Server folder in the tree view, then:
    1. Select Set options to configure the SUS server.
    2. Select Synchronize server to manually download the updates to the SUS server, or to automate the synchronization.
    3. Select Approve updates to specify which updates are to be installed by Automatic Updates clients.

      For more information on working with SUS servers, see "Deploying Microsoft Software Update Services" at Microsoft.com/SUS.

  5. Install the Automatic Updates client on any PCs running Windows 2000 SP2 and Windows XP Gold using the Install Automatic Updates Client Operation.
    The Automatic Updates client will not run on Windows 2000 SP1 or earlier.
  6. Specify the details of the SUS server you want Automatic Updates clients to use and schedule when you want updates to be installed using the Specify Automatic Updates Client Settings Operation.
  7. Apply the settings to clients using the Distribute Automatic Updates Client Settings Operation.
  8. Select the Reports folder to view the details of the updates installed by your Automatic Updates Clients.

Specifying the SUS Server

Software Update Services (SUS) enables organizations to automate the deployment and installation of critical software patches and service releases for Windows 2000, XP and 2003. The server component of SUS provides central download facilities for these software updates and acts as a private version of Microsoft's Windows Update site. This avoids the need for Automatic Updates clients to access an external Web site when they check for updates, and also enables administrators to test updates before deciding which ones must be installed.

Use the Software Update Services dialog to specify the details of the SUS server you want to use with this Enterprise Site.

To administer a SUS server from the Enterprise Console:
  1. In the Patch Management folder, click the Specify SUS Server Operation. The Software Update Services dialog is displayed.
  2. Select Manage SUS Server.
  3. In the SUS server address field, enter the URL of the SUS server you want to administer.
  4. In the SUS server nodename field, enter the name by which the SUS server PC is known to your network.
  5. By default, SUS servers also collect information on the software installed by Automatic Updates clients. If your network uses separate SUS servers to collect updates information:
    1. Select Use separate SUS statistics server.
    2. Click the Add button. The SUS Statistics Server dialog is displayed.
    3. For each SUS statistics server on your network, enter its Address and Nodename and click the Add button.
    4. When you have entered the details of all your statistics servers, click the Close button. The SUS statistics servers are displayed in the list.
  6. Click the OK button to save your changes and close the dialog.

The SUS management pages are displayed in the Console's SUS Server folder. Select Set options to configure your SUS server.

Configuring the SUS Server

A SUS server can download update packages from the Web or from another SUS server and act as a private version of the Windows Update site. Alternatively, it can be used just to control which updates Automatic Updates clients download from the update site. Use the SUS server page to enter the connection settings for the SUS server you specified with the Specify SUS Server Operation, and to control how you want the SUS server to work.

To configure the SUS server:
  1. Select SUS Server in the Patch Management folder. The SUS server administration page is displayed.
  2. In the navigation pane, click Set Options to display the SUS server settings.
  3. Select a proxy server configuration option.
  4. By default, Automatic Updates clients identify the packages they need to install from their location on the SUS server. If your clients cannot access the SUS server using its node name, enter the server's DNS name or IP address in the Server name field.
  5. By default, SUS servers download updates from Microsoft's Windows Updates servers. If you want this server to download its updates from another SUS server on your intranet, select Synchronize from a local Software Update Services server, and enter the node name or DNS name of the server from which to synchronize.

    Select Synchronize list of approved items updated from this location to copy the list of updates that are approved for installation from the source server.

  6. By default, the SUS server automatically unapproves previously approved packages when an update to the package is detected during synchronization. To override this option and allow the update to go ahead, select Automatically approve new versions of previously approved updates.
  7. If you want to store Windows update packages on your SUS server, select Save the updates to a local folder and select the language locales you want to maintain locally. (By default, SUS servers download all update packages from the Windows Update site during synchronization.)

    If you do not want to store the update packages on your SUS server, select Maintain the updates on a Microsoft Windows Update server. This forces each Automatic Updates client to download approved packages direct from a Windows Update site.

  8. Click the Apply button to save your configuration changes.

Synchronizing the SUS Server

When new security patches are released, they are made publicly available through the Windows Update servers. To maintain an up-to-date record of the security patches and service releases that are available for installation on Automatic Updates clients, the SUS server must periodically check the Windows Update servers for new downloads. Use the Software Update Services Synchronize server options to control how often the SUS server checks for and downloads new updates.

To Synchronize the SUS Server:
  1. Select SUS Server in the Patch Management folder. The SUS server administration page is displayed.
  2. In the navigation pane, click Synchronize Server to display the synchronization settings.
  3. To download the latest updates immediately, click the Synchronize Now button. The Schedule Synchronization dialog is displayed.
  4. To automate server synchronization:
    1. Click the Synchronization Schedule button. The Schedule Synchronization dialog is displayed.
    2. Select the Synchronize using this schedule option and specify the time and day when you want the server to download the latest updates.
    3. When a scheduled synchronization is unsuccessful, SUS will attempt to synchronize again after a 30 minute interval, and will make up to three retries. To change the maximum number of retries, select a new entry in the Number of synchronization retries list.
    4. Click the OK button to save your changes and close the dialog.
  5. To display the updates downloaded during the synchronization, and to view past synchronizations and check when updates first became available, click View synchronization log in the navigation pane.

Approving Updates

Although SUS servers can be configured to automatically synchronize their content, they do not automatically make the updates available for installation. This staged approach enables you to review and, if necessary, test each update before deciding whether to make it generally available within your organization. Furthermore, because secondary SUS servers can synchronize the list of approved updates from a primary SUS server, it also enables you to manage update approvals from a central location.

To approve updates for installation by Automatic Updates clients:
  1. Select SUS Server in the Patch Management folder. The SUS server administration page is displayed.
  2. In the navigation pane, click Approve updates to list available security updates. The status of each update is shown at the top right of the update description:

    New indicates a recent update that has not been approved. The update is not available for installation by Automatic Updates clients.

    Approved indicates the update has been approved by an administrator and is available for installation.

    Not Approved indicates the update has been deferred by an administrator.

    Updated indicates a previously downloaded update has been changed by a more recent synchronization.

    Temporarily Unavailable indicates that an associated update or dependency required by the update is not available.

    To display more information about the files included in an update, and which operating systems and locales the update applies to, select Details in the description.
  3. Select the check box of each update you want to make available for installation, then click the Approve button to save your changes.
    To view approval changes made from this SUS server, click View approval log in the navigation pane.
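
The staged approval workflow above (statuses on the Approve updates page, the default unapproval of changed packages described under Configuring the SUS Server, and a secondary server copying the approved list from a primary) can be modelled in a few lines. The following is an added example written for this chapter, not code from PC-Duo Enterprise or from SUS itself; the catalog format, the dependency handling for Temporarily Unavailable, and the update identifiers are constructed assumptions, and the only state that reaches Automatic Updates clients is what `available_to_clients()` returns.

```python
"""Model of the SUS approval workflow described in this chapter (constructed example)."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Status values as shown at the top right of each update description on the Approve updates page.
NEW = "New"
APPROVED = "Approved"
NOT_APPROVED = "Not Approved"
UPDATED = "Updated"
TEMPORARILY_UNAVAILABLE = "Temporarily Unavailable"

# A catalog entry as pulled during synchronization: (update id, version, ids of required updates).
# Assumed format for this model; real SUS catalogs are not shaped like this.
CatalogEntry = Tuple[str, int, Tuple[str, ...]]


@dataclass
class Update:
    update_id: str
    version: int
    status: str
    depends_on: Tuple[str, ...] = ()


@dataclass
class SusServer:
    name: str
    # Set options: "Automatically approve new versions of previously approved updates"
    auto_approve_new_versions: bool = False
    # Set options: "Synchronize list of approved items updated from this location"
    approvals_source: Optional["SusServer"] = None
    updates: Dict[str, Update] = field(default_factory=dict)

    def synchronize(self, catalog: List[CatalogEntry]) -> None:
        """Pull the catalog from Windows Update or an upstream SUS server and update statuses."""
        for update_id, version, depends_on in catalog:
            current = self.updates.get(update_id)
            if current is None:
                self.updates[update_id] = Update(update_id, version, NEW, depends_on)
            elif version > current.version:
                current.version = version
                current.depends_on = depends_on
                # Default behaviour: a changed package loses its approval until an
                # administrator reviews it again, unless auto-approval is switched on.
                if current.status == APPROVED and not self.auto_approve_new_versions:
                    current.status = UPDATED
        self._refresh_dependencies()
        if self.approvals_source is not None:
            self._copy_approvals(self.approvals_source)

    def _refresh_dependencies(self) -> None:
        # Assumption for this model: an update whose required update is not on the server is
        # Temporarily Unavailable, and returns to New once a later synchronization brings it in.
        for update in self.updates.values():
            if any(dep not in self.updates for dep in update.depends_on):
                update.status = TEMPORARILY_UNAVAILABLE
            elif update.status == TEMPORARILY_UNAVAILABLE:
                update.status = NEW

    def _copy_approvals(self, source: "SusServer") -> None:
        # Mirror the upstream decision only for the same version of the same update.
        for update_id, upstream in source.updates.items():
            local = self.updates.get(update_id)
            if local is None or local.version != upstream.version:
                continue
            if local.status == TEMPORARILY_UNAVAILABLE:
                continue
            if upstream.status in (APPROVED, NOT_APPROVED):
                local.status = upstream.status

    def approve(self, update_ids: List[str]) -> List[str]:
        """Approve the ticked updates; returns the ids whose status actually changed."""
        changed = []
        for update_id in update_ids:
            update = self.updates.get(update_id)
            if update is not None and update.status in (NEW, NOT_APPROVED, UPDATED):
                update.status = APPROVED
                changed.append(update_id)
        return changed

    def defer(self, update_ids: List[str]) -> List[str]:
        """Mark the updates Not Approved; returns the ids whose status actually changed."""
        changed = []
        for update_id in update_ids:
            update = self.updates.get(update_id)
            if update is not None and update.status in (NEW, APPROVED, UPDATED):
                update.status = NOT_APPROVED
                changed.append(update_id)
        return changed

    def status_of(self, update_id: str) -> str:
        return self.updates[update_id].status

    def available_to_clients(self) -> List[str]:
        """What Automatic Updates clients pointed at this server will install."""
        return sorted(uid for uid, u in self.updates.items() if u.status == APPROVED)
```

The point the model makes visible is that synchronization alone never changes what clients install: a new version of an already approved package drops back to Updated and disappears from `available_to_clients()` until someone approves it again, and a secondary server only inherits approvals for the exact version the primary approved.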

Installing the Automatic Updates Client

The Automatic Updates client must be installed on each PC you want to manage with SUS. The client checks for and installs service updates and security patches from Microsoft's Windows Update site or from a network server running SUS. It also records information about the updates it has installed to a specified SUS server.

The Automatic Updates client application is included in Windows 2000 SP3, Windows XP SP1 and Windows 2003. Use this procedure only when you want to install the client on PCs running Windows 2000 SP2 and Windows XP.

To install the Automatic Updates client:
  1. Download the Automatic Updates Client Kit (WUA22.MSI) from the Microsoft Web site (www.microsoft.com/sus). Save the kit to a share that is accessible to all the PCs on which you want to install it.
  2. Copy AUSETUP.EXE from the PC-Duo Enterprise\PM directory to the share in which you have saved the Automatic Updates Client Kit.
  3. In the Patch Management folder, click the Install Automatic Updates Client Operation.
  4. In the Select Clients dialog, select the Clients on which you want to install the Automatic Updates client and click the OK button.
    To select all Enterprise Clients on which the Automatic Updates client may be installed, select MS Auto-update-eligible PCs in the Groups tab.
  5. In the Select Package dialog, select MS Automatic Update Client.PD and click the Next button to continue.
  6. In the Client Filter dialog, select the operating systems on which you want to install the Automatic Updates client and click the Next button to continue.
  7. In the Settings dialog:
    1. Enter the location of the Automatic Updates client kit in the Kit location field.
    2. Enter the details of an account that can be used to access all the Enterprise Clients in the Windows NT account information fields.
    3. Select the Silent (only show errors) option.
    4. Click the Next button to continue.
  8. If you want Enterprise to monitor and report the progress of the installations, select the Monitor distribution feedback for this job option.
  9. To record messages from the installer, enter the name and location of the log files you want to use in the Progress specific area fields.
  10. To record messages from the Software Distribution Agents controlling the installation, enter the name and location of the log files you want to use in the Agent specific area fields.
  11. Click the Finish button. The Automatic Updates client is installed when the Enterprise Clients next check the Offline Area for updates.

Configuring Automatic Updates Clients

The Automatic Updates client can download updates and service releases directly from Microsoft's Windows Update site or from an intranet-based SUS server. Use the Specify Automatic Updates Client Settings and the Distribute Automatic Updates Client Settings Operations to specify the SUS server for the PC you want to manage, and to schedule when you want the updates to take place.

To configure Automatic Updates Clients:
  1. Click the Specify Automatic Updates Client Settings Operation.
  2. Enter the new SUS server and Schedule settings. Click the OK button to save your changes.
  3. Click the Distribute Automatic Updates Client Settings Operation.
  4. In the Select Clients dialog, select the Enterprise Clients to which you want to distribute the Automatic Updates settings and click the OK button. The Settings dialog is displayed.
  5. In the Windows NT account information fields, enter the details of an account that can be used to access all the Enterprise Clients. Click the Next button to display the Monitoring and Logging dialog.
  6. If you want to record messages from the installer, enter the name and location of the log files you want to use in the Package specific fields.
  7. If you want to record messages from the Software Distribution Agents controlling the installation, enter the name and location of the log files you want to use in the Agent specific fields.
  8. Click the Finish button. The settings are applied to the Automatic Updates clients when the Enterprise Clients next check the Offline Area for updates.
    You can change the frequency with which the Enterprise Client checks for updates using the Configure Clients Operation, or the SnapshotMinutesInterval parameter in the Enterprise Client's LUCLIENT.INI file.
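
The settings distributed by the procedure above decide whether a client reports to your SUS server or quietly keeps using the public Windows Update site, and whether its installation results ever reach the Patch Management Reports. The following added example (not part of PC-Duo Enterprise) audits a set of client configurations against the SUS and statistics servers you entered in the Software Update Services dialog. It uses the registry value names of Microsoft's Automatic Updates policy (WUServer, WUStatusServer, UseWUServer, AUOptions, ScheduledInstallDay, ScheduledInstallTime, NoAutoUpdate), which this chapter does not list; the hostnames, server URLs and fleet data are constructed, and `read_policy_from_registry()` is an assumed helper for collecting the live values on a Windows PC.

```python
"""Audit Automatic Updates client settings against the managed SUS servers (constructed example)."""
from typing import Dict, List, Optional

# Microsoft's Automatic Updates policy entries (not listed on this page), for reference:
#   HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate     -> WUServer, WUStatusServer
#   HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU  -> UseWUServer, AUOptions,
#        ScheduledInstallDay, ScheduledInstallTime, NoAutoUpdate
AUOPTIONS_SCHEDULED_INSTALL = 4  # download automatically and install on the configured schedule


def _normalise(url: str) -> str:
    return url.rstrip("/").lower()


def audit_client(hostname: str, policy: Dict[str, object], sus_servers: List[str],
                 stats_servers: Optional[List[str]] = None) -> List[str]:
    """Return the problems found in one client's policy (empty list means it is correctly configured)."""
    # By default the SUS server also collects client statistics, so without separate
    # statistics servers the status server must be one of the SUS servers.
    allowed_sus = {_normalise(s) for s in sus_servers}
    allowed_stats = {_normalise(s) for s in (stats_servers or sus_servers)}
    findings: List[str] = []

    if policy.get("NoAutoUpdate") == 1:
        findings.append(f"{hostname}: Automatic Updates is disabled by policy")

    wu_server = policy.get("WUServer")
    if policy.get("UseWUServer") != 1 or not wu_server:
        findings.append(f"{hostname}: checks the public Windows Update site, not the intranet SUS server")
    elif _normalise(str(wu_server)) not in allowed_sus:
        findings.append(f"{hostname}: WUServer {wu_server} is not one of the managed SUS servers")

    status_server = policy.get("WUStatusServer")
    if not status_server:
        findings.append(f"{hostname}: no WUStatusServer, so installs will not appear in Patch Management Reports")
    elif _normalise(str(status_server)) not in allowed_stats:
        findings.append(f"{hostname}: WUStatusServer {status_server} is not a managed statistics server")

    if policy.get("AUOptions") != AUOPTIONS_SCHEDULED_INSTALL:
        findings.append(f"{hostname}: AUOptions={policy.get('AUOptions')}, installs are not scheduled")
    else:
        day, hour = policy.get("ScheduledInstallDay"), policy.get("ScheduledInstallTime")
        if day not in range(0, 8) or hour not in range(0, 24):
            findings.append(f"{hostname}: install schedule out of range (day 0-7, hour 0-23)")
    return findings


def audit_fleet(fleet: Dict[str, Dict[str, object]], sus_servers: List[str],
                stats_servers: Optional[List[str]] = None) -> Dict[str, List[str]]:
    """Audit every client; only clients with at least one finding are returned."""
    report = {}
    for hostname, policy in fleet.items():
        findings = audit_client(hostname, policy, sus_servers, stats_servers)
        if findings:
            report[hostname] = findings
    return report


def read_policy_from_registry() -> Dict[str, object]:
    """Assumed helper: collect the live policy values on a Windows client via the registry."""
    import winreg  # Windows only; imported here so the audit logic runs anywhere
    base = r"SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate"
    wanted = ((base, ("WUServer", "WUStatusServer")),
              (base + r"\AU", ("UseWUServer", "AUOptions", "ScheduledInstallDay",
                               "ScheduledInstallTime", "NoAutoUpdate")))
    policy: Dict[str, object] = {}
    for subkey, names in wanted:
        try:
            with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, subkey) as key:
                for name in names:
                    try:
                        policy[name] = winreg.QueryValueEx(key, name)[0]
                    except OSError:
                        pass  # value not set by policy
        except OSError:
            pass  # key absent: no Automatic Updates policy applied at all
    return policy


# Constructed sample fleet: one correct client, one reporting to the wrong server with
# unscheduled installs, and one that never picked up the SUS server setting.
SUS_SERVERS = ["http://sus01"]
STATS_SERVERS = ["http://susstats01"]
SAMPLE_FLEET = {
    "ws-001": {"WUServer": "http://sus01", "WUStatusServer": "http://susstats01", "UseWUServer": 1,
               "AUOptions": 4, "ScheduledInstallDay": 0, "ScheduledInstallTime": 3},
    "ws-002": {"WUServer": "http://sus01", "WUStatusServer": "http://sus01", "UseWUServer": 1,
               "AUOptions": 3},
    "ws-003": {"UseWUServer": 0, "AUOptions": 4, "ScheduledInstallDay": 0, "ScheduledInstallTime": 3},
}

if __name__ == "__main__":
    for host, problems in audit_fleet(SAMPLE_FLEET, SUS_SERVERS, STATS_SERVERS).items():
        print(host, *problems, sep="\n  ")
```

Run against a fleet the audit reports `ws-002` and `ws-003` and is silent about `ws-001`; the check worth keeping is the WUStatusServer one, because a client with a missing or wrong status server still installs updates but never shows up in the Outstanding Updates report, which is exactly the gap an attacker benefits from.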

Patch Management Jobs

When you specify the SUS Server for your Site using the Software Update Services dialog, Enterprise automatically creates two Jobs on the SUS Server's Scheduler. These are used to collect and analyze the information displayed in the Patch Management Reports:

PatchMgtInfo

collects and analyzes data on available updates. By default, the Job is scheduled to run at 00:00 each day.

PatchMgtClient

collects and analyzes data on the updates installed by Automatic Updates clients. By default, the Job is scheduled to run at 01:00 each day.

In addition, Enterprise creates a PatchMgtClient Job on each statistics server specified in the Software Update Services dialog. Because of the large amounts of data that can be generated by SUS data collection, Enterprise automatically adds a one hour interval between each Patch Management Job.

To modify Patch Management Jobs:
  1. In the Scheduled Jobs folder, right-click the Patch Management Job you want to work with and choose Modify. The Modify Job dialog is displayed.
  2. To reschedule the Job, select the Schedule tab, then:
    1. In the Starting run date list, select when you want the Operation to start, or type the date in the form DD-MMM-YYYY. For example, to schedule the Operation to run on December 31, 2002, type 31-Dec-2002.
    2. In the Starting run time field, type the time at which you want the Operation to start. You must enter the time using the 24-hour clock.
    3. Choose the Type of schedule you want to use.
      Patch Management Jobs must be run by the Schedulers located on your SUS Servers. If you want to change the Scheduler on which a Patch Management Job is run, enter the details of the new SUS servers in the Software Update Services dialog. Do not use the Host list to transfer Patch Management Jobs to another Scheduler.
  3. Click the OK button to save your changes.

Patch Management Reports

Patch Management provides comprehensive analysis of updates that are available for installation and of the system updates that have been installed on your organization's PCs. These pre-formatted reports are generated using the Crystal Reports run-time, which is included in the Enterprise kit.

Most Patch Management reports are organized hierarchically for ease of use. This enables you to view a graphical summary of your data, or to drill down and view the details by domain, by product or by individual PC. For example, the Outstanding Updates report shows a graphical representation of the departments where approved updates have not been installed. By drilling down through the report layers, it also allows you to view the details of the updates and the PCs which do not yet have them.

To generate Patch Management Reports:
  1. In the Patch Management Reports folder, click a report. The Select Clients dialog is displayed.
  2. Select the Clients you want to work with and click the OK button to display the report.

    If the Report displays the Enter Parameter Values dialog, select a data period in the Discrete Value list and click the OK button.

    The report displays a summary chart of the report data for the period you selected.

  3. To view the details of a report, double-click an entry in the breakdown list or click the Group Tree icon in the Report Toolbar, and select an entry in the Report Tree.


Vector Networks
http://www.vector-networks.com
Voice: +44 (0) 1827 67333
Fax: +44 (0) 1827 67068
info@vector-networks.co.uk