patch management - school of computing and information ...users.cis.fiu.edu/~sadjadi/teaching/it...

Patch Management

Table of Contents:

◊ ManageMachines◊ ManageUpdates◊ PatchPolicy◊ Configure◊ PatchParameters

Patch Managem

ent

153 Chapter 5 - Patch Management Chapter 5 - Patch ManagementSadjadi et al.

Asnewoperatingsystemandsoftwareupdatesarereleasedinaneverincreasingpacetoaddresssystemsecurityvulnerabilitiesandprovideenhancedfunctionalities,thetaskofapplyingtheupdatesuniformlyandcorrectly toallmanagedmachinesbecomesmoreandmorecomplexandchallenging.Theapplicationofoperatingsystemandsoftwareupdates isnotasimple installationprocess.Someoperatingsystemandsoftwarepatchesmustbeuniformlydeployedtoallmanagedmachinestomaintaintheirinter-operabilityandsomemustbeavoidedtopreventconflictswithexistingsystemandsoftwarerequirements.Inaddition,themanagedmachinesandtheunderlyingnetworksspanmultiplelocations,includemultipledomains,traversemultiplefirewalls,andincluderemoteandhomeusers.Obviously,maintainingaconsistentandup-to-datesystemonallmanagedmachinesinsuchacomplexenvironmentisamundaneandtimeconsumingtaskandanautomatedPatchManagementtooltoassistthesystemadministratorstosystematicallytrackappliedpatchesandautomaticallyapplynewpatchesbasedonpre-definedpoliciesisamuchneededtool.

Kaseya’s PatchManagement is a secure and comprehensive patchmanagement solution providing theinfrastructuretoaddressthecomplexitiesofoperatingsystemandsoftwarepatchdeploymentandenforcepoliciesthatdescribehowandwhenupdatesmustbeappliedonapermachinebasis.

Animportantaspectofautomatedpatchmanagementistheabilitytoquicklydeterminethepatchstatusofeachmanagedmachine.InKaseya,youcandeterminethepatchstatusofeachmanagedmachineusingthefollowingpages:

• Patch Management > Scan Machine providesinformationonavailablepatchesthatarenotappliedonmanagedmachines.

• Patch Management > Patch Status provides a summary view of installed,missing and deniedpatchesforeachmanagedmachine.

• Patch Management > Patch Historyprovidesadetailedviewofhistoricalpatchmanagementactivi-tiesforeachmanagedmachineusing.

Afterperformingtheinitialassessmentsofmanagedmachinesusingtheabovemethods,youcaninstallthenecessarypatchesusingoneoffivedifferentmethods.Theyareexplainedindetailinthefollowingsection.

Methods of Updating Patches

TheVSAprovidesfivemethodsofapplyingMicrosoftpatchestomanagedmachines:

• Initial Update:Thismethodprovidesaone-timeprocessingofallapprovedMicrosoftpatchesappli-cabletoamanagedmachinebasedonpatchpolicies.Patchpoliciesdescribehowandwhenpatchesaretobeapplied.AnactivepatchisdefinedasapatchthathasbeenreportedbyapatchscanbyatleastonemachineintheVSA.Anymachinecanbemadeamemberofoneormorepatchpolicies.Forexample,youcancreateapatchpolicynamedservers andassignallyourserverstobemembersof this patchpolicy andanother patchpolicy namedworkstations andassignall yourworkstationstobemembersofthispolicy.Thiswaypatchapprovalscanbeconfigureddifferentlyforserversandworkstations.Initial UpdateignoresthePatch Management > Reboot Action policyandrebootsthemanagedmachinewithout warning the userasoftenasnecessaryuntilallpatchesareapplied.Ini-tial Updateshouldonlybeperformedduringnon-businesshoursand is typicallyperformedoveraweekendonnewlyaddedmachines.

• Automatic Update:Thismethodisthepreferredmethodofupdatingmanagedmachinesonarecur-ringbasis.ItobeysboththePatch PolicyandthePatch Management >Reboot Actionpolicy.

Introduction

Patc

h M

anag

emen

t

154Chapter 5 - Patch Management Sadjadi et al.

• Patch Update:Ifyou’reusingAutomatic Update,thenPatch Updateisoccasionallyusedtoapplyindividualpatchestomultiplemachinesorforpatchesthatoriginallyfailedoncertainmachines.ThisoverridesthePatch PolicybutobeysthePatch Management >Reboot Actionpolicy.

• Machine Update:This method isusedtoapplypatchestoindividualmanagedmachines.Itover-ridesthePatch PolicybutobeysthePatch Management >Reboot Actionpolicy.Machine Updateisoftenusedtotestanewpatchpriortoapprovingitforgeneralreleasetoallmachines.

• Patch Deploy:Thismethodenablesyoutodevelopauser-definedproceduretoinstallaMicrosoftpatchusingAgent Procedures > Patch Deploy.MicrosoftreleasesmanyhotfixesaspatchesforveryspecificissuesthatarenotincludedintheMicrosoftUpdateCatalogorintheOfficeDetectionTool,thetwopatchdatasourcesthatthePatch Managementmoduleusestomanagepatchupdates.You can use this method tocreateapatchinstallationprocedureforthesehotfixes,viathiswizard,thatcanbeusedtoscheduletheinstallationonanydesiredmachine.

Patch Processing

Whenapatchinstallationisscheduledusingoneoftheabovemethods,thefollowingoccurs:

1. Theagentonthemanagedmachineistoldtostarttheupdateprocessatthescheduledtime.

2. Thepatchexecutableisdownloadedtothemanagedmachinefromthelocationsetinthe Patch Management > File Source forthatmachineID.

3. ThepatchfileisexecutedonthemanagedmachineusingtheparametersspecifiedinPatch Man-agement > Command Line.Youshouldneverhavetosettheseswitchesyourself,butjustincase,thiscapabilityisthere.

4. Afterallthepatcheshavebeeninstalled,themanagedmachineisrebooted.The time of the rebootforamachineIDdependsonthePatch Management > Reboot Action assignedtothatmachineID.RebootsinresponsetoanInitialUpdatealwaysoccurimmediatelyandwithoutwarningtheuser.

5. Themanagedmachineisrescannedautomatically.Ittakesseveralminutesaftertherescaniscom-pleteforthisdatatoshowupontheVSA.Waitseveralminutesbeforecheckingthepatchstateafterareboot.

5.1.1 Scan Machine

The Scan Machine page schedules scans to search for missing patches on each managed machine.Scanningtakesverylittleresourcesandcanbesafelyscheduledtorunatanytimeofday.Thescanningoperationdoesnotimpactusersatall.

Scanning FrequencySystem and network security depends on all yourmachines having the latest security patches applied.Microsoft typically releases patches onTuesdays.Security and critical patches are typically released onthesecondTuesdayofthemonth(PatchTuesday),andnon-securityandnon-criticalpatchesaretypicallyreleasedonthethirdand/orfourthTuesdaysofthemonth,buttheseschedulesarenotguaranteed.Toensureyourmachinesareupdatedyoushouldscanallmanagedmachinesonadailybasis.

Scanning the KServer

5.1 Manage Machines

Patch Managem

ent


ToscantheKServer,youmustinstallanagentontheKServer.Onceinstalled,youcanscantheKServerjustlikeanyothermanagedmachine.

View DefinitionsYoucanfilterthedisplayofmachineIDsonanyagentpageusingthefollowingoptionsinViewDefinitions.

• Machinesthathavenopatchscanresults(unscanned)

• Lastexecutionstatusforpatchscan(success/failed)

• Patchscan(schedule/notschedule)

• Patchscan(has/hasnotexecutedinthelast<N><periods>)

Note: View Definitions was discussed in the Agents chapter. Please refer the Agents chapter.

ThegenericviewoftheScanMachinepageisshowninFig.5.lbelow.Thelistofavailableoptionsare:

1. Schedule: ClickScheduletodisplaytheSchedulerwindow,whichisusedthroughouttheVSAtoschedulea task.Schedulea taskonceorperiodically.Eachtypeofrecurrence(Once,Hourly,Daily,Weekly,Monthly,Yearly)displaysadditionaloptionsappropriate for that typeof recurrence.Periodicschedulingincludessettingstartandenddatesfortherecurrence.

2. Cancel: ClickCanceltocancelexecutionofthistaskonselectedmanagedmachines.

3. Run Now: ClickRun NowtorunthistaskonselectedmachineIDsimmediately.

4. Machine.Group ID: ThelistofMachine.GroupIDsdisplayedisbasedontheMachineID/GroupIDfilterandthemachinegroupstheuserisauthorizedtoseeusingSystem > User Security > Scopes.

5. Last Scan: Thistimestampshowswhenthelastscanoccurred.Whenthisdatechanges,newscandataisavailabletoview.

6. Skip if Machine Offline: Ifagreencheckmarkisdisplayedandthemachineisoffline,skipandrunthenextscheduledperiodandtime.Ifnocheckmarkdisplays,performthistaskassoonasthemachineconnectsafterthescheduledtime.Thistimestampshowsthenextscheduledscan.Overduedate/timestampsdisplayasredtextwithyellowhighlight.

7. Recurrence: Ifrecurring,displaystheintervaltowaitbeforerunningthetaskagain.

8. Remind me when machines need a patch scan scheduled: Ifthisoptionischecked,awarningmessagedisplays thenumberofmachine IDsnotcurrentlyscheduled.Thenumberofmachine IDs

Fig. 5.1: Scan Machine

Patc

h M

anag

emen

t


reporteddependsontheMachineID/GroupIDfilterandmachinegroupstheuserisauthorizedtoseeusingSystem >Scope.

5.1.2 Patch Status

ThePatch Statuspage(Fig.5.2)providesasummaryviewofthepatchstatusforeachofyourmanagedmachines.Youcanquicklyidentifymachinesthataremissingapplicablepatcheseitherbecausetheywereneverinstalledortheirinstallationsfailed.


• MachineswithPatchTestResult

• MachinesmissinggreaterthanorequaltoNpatches

• UsePatchPolicy

Fig.5.2belowshowsthegenericviewofthePatchStatuspage.Theoptionsavailableare:

1. Test: The test functionexercises theentirepatchdeploymentprocesswithoutactually installinganythingonthetargetmachineorcausingareboot.IfamachineID’soperatingsystemdoesnotsupportpatching,theoperatingsystemisdisplayed.ClickTest toverifypatchescanupdateselectedmachineIDs.Doesnotactuallyinstallanypatches.

2. Cancel: ClickCanceltostopthetest.

3. Auto Refresh Table: Ifchecked,thepagingareaisautomaticallyupdatedeveryfiveseconds.ThischeckboxisautomaticallyselectedandactivatedwheneverTestisclicked.

4. Machine.Group ID: ThelistofMachine.GroupIDsdisplayedisbasedontheMachineID/GroupIDfilterandthemachinegroupstheuserisauthorizedtoview.

5. Install Patches: Displaysthenumberofpatchesinstalled.Clickingonthelinkdisplaysthelistofallpatchesthatareinstalled.

6. Missing Approved: Displaysthenumberofapprovedpatchesthatarenotinstalled.

7. Missing Denied: Displaysthenumberofunapprovedpatchesmissing.

Fig. 5.2: Patch Status

Patch Managem

ent


8. Missing Manual: Thenumberofapprovedpatchesmissingthatmustbeinstalledmanually.ThesepatchescannotbeprocessedbyPatch Management>Automatic Update,Patch Management>Initial Update,Patch Management>Machine Update,orPatch Management>Patch Update.

9. Pending Patches: Displaysthenumberofpatchesscheduledtobeinstalled.

10. User Not Ready: Displaysthenumberofpatchesnotinstalledbecausethepatchrequires:

• Theusertobeloggedin,or

• Theusertotakeactionandtheuserdeclinedordidnotrespond.

11. Failed Patches: Displaysthenumberofpatchesthatattemptedtoinstallbutfailed.

12. Test Results: ThestatusreturnedafterclickingtheTestbutton:

• Untested

• Pending

• Passed

• Failed

5.1.3 Initial Update

Initial Updateisaone-timeprocessingofallapprovedMicrosoftpatchesapplicabletoamanagedmachinebasedonPatchPolicy.Initial UpdateignoresthePatch Management > Reboot Action policyandrebootsthemanagedmachinewithout warning the userasoftenasnecessaryuntilthemachinehasbeenbroughtup to the latest patch level. Initial Update should only be performed during non-business hours and istypicallyperformedoveraweekendonnewlyaddedmachines.

Note: The agent for the KServer is not displayed on this page. InitialUpdate cannot be used on the KServer.

Patch Update OrderServicepacksandpatchesareinstalledinthefollowingorder:

• WindowsInstaller

• OSrelatedservicepacks

• OSupdaterollups

• OScriticalupdates

• OSnon-criticalupdates

• OSsecurityupdates

• Officeservicepacks

• Officeupdaterollups

• AllremainingOfficeupdates

Note: Reboots are forced after each service pack and at the end of each patch group withoutwarning. This is necessary to permit the re-scan and installation of the subsequent groups of patches.

Patc

h M

anag

emen

t


Pre/Post ProceduresAgentprocedurescanbeconfiguredtobeexecutedjustbeforeanInitialUpdateorAutomaticUpdatebeginsand/orafteritcompletes.Forexample,youcanrunagentprocedurestoautomatethepreparationandsetupofnewlyaddedmachinesbeforeorafterInitialUpdate.UsePatch Management > Pre/Post Procedures(seeSection5.1.4)toselectandassigntheseagentproceduresonaper-machinebasis.

Thefigurebelow(Fig.5.3)showsthegenericviewoftheInitialUpdatepagewithallthefunctionslistedbelow:

1. Schedule: ClickScheduletodisplaytheSchedulerwindow,whichisusedthroughouttheVSAtoscheduleatask.Optionsinclude:

• Distribution Window-Reschedulesthetasktoarandomlyselectedtimenolaterthanthenumberofperiodsspecified,tospreadnetworktrafficandserverloading.

2. Cancel: ClickCanceltocancelexecutionoftheinitialupdateonselectedmanagedmachines.


4. Scheduled: ThistimestampshowsthescheduledInitialUpdate.

5. Updated: Ifchecked,anInitialUpdatehasbeenperformedsuccessfullyonthemachineID.ThetimestampshowswhentheStatusbeingreportedwascompleted.

6. Status: Duringtheprocessing,theStatuscolumnisupdatedtodisplayamessagedescribingthecurrentstatusoftheinitialupdate.Thefollowingisthelistofavailablestatusmessages:

• Started

• ProcessingWindowsInstaller

• Processingoperatingsystemservicepacks

• Processingoperatingsystemupdaterollups

• Processingoperatingsystemcriticalupdates

• Processingoperatingsystemnon-criticalupdates

• Processingoperatingsystemsecurityupdates

• ProcessingOfficeservicepacks

Fig. 5.3: Initial update page

Patch Managem

ent


• ProcessingOfficeupdaterollups

ProcessingOfficeupdates

• Completed-fullypatched

• Completed-remainingpatchesrequiremanualprocessing

Forthelaststatusmessageabove,selecttheappropriatemachineIDinPatch Management > Machine Update todeterminewhyallpatcheswerenotapplied.Somepatchesmight requiremanual installor fortheuser tobe logged in. In thecaseofpatch failures,manuallyschedule failedpatches tobe reapplied.Duetooccasionalconflictsbetweenpatchesresultingfromnotrebootingaftereachindividualpatch,simplyreapplyingthepatchestypicallyresolvesthefailures.

5.1.4 Pre/Post procedure

Pre/Post Procedure page (Fig. 5.4) can be used to run procedures either before and/or after Patch Management>Initial UpdateorPatch Management>Automatic Update. Forexample,youcanrunprocedurestoautomatethepreparationandsetupofnewlyaddedmachinesbeforeorafterInitial Update.

Note: Post procedures will run even if there are patch installation failures.

1. To Run a Pre/Post Procedure

• SelectmachineIDsormachineIDtemplatesdisplayedonthepage.

• SelectoneoftheoptionslistedasshowninFig.5.4andselectanagentprocedureforeachoptionselected.

• RunselectagentprocedurebeforeInitialUpdate

• RunselectagentprocedureafterInitialUpdate

• RunselectagentprocedurebeforeAutomaticUpdate

• RunselectagentprocedureafterAutomaticUpdate

Fig. 5.4: Pre/Post Procedure

Patc

h M

anag

emen

t


• ClickSet.

2. Edit icon: Toedittheselectionforamachineortocopyamachine’sselectiontoothermachines,clicktheediticonnexttoamachineIDtopopulateitsselectedoptionsintheheaderpartofthispage(refertolabeloneinFig.5.4).Nowyoucanedittheselectedoptionsand/orsetthemtoothermachines.


4. Init Pre-Agent Procedure / Init Post-Agent Procedure: Thiscolumnliststheproceduressettorunbeforeand/orafteranInitial Update.

5. Auto Pre-Agent Procedure / Auto Post-Agent Procedure: Thiscolumnliststheproceduressettorunbeforeand/orafteranAutomatic Update.

5.1.5 Automatic Update

TheAutomatic Updatepage(Fig.5.5)isthepreferredmethodofupdatingmanagedmachineswithMicrosoftpatchesonarecurring basis.Automatic UpdateobeysboththePatchPolicyandthePatch Management > RebootAction policy.Patch Management > Initial Update needstobeusedifyouareinstallingpatchesforthefirsttimeonamanagedmachine.

• PatchesthatrequiremanualinterventionarenotincludedinAutomatic Updates.TheseareshownintheMissing Manual columnofthePatchStatuspageandontheindividualPatch Management > Machine Update pages.

• PatchinstallationonlyoccurswhenanewmissingpatchisfoundbyPatch Management > Scan Machine.

• Automatic Update isdisabledforamachinewhileInitial Update isbeingprocessed.Automatic UpdateisautomaticallyenabledwhenInitial Updatecompletes.

Fig.5.5belowshowsthegenericviewoftheAutomaticpage.Thefunctionssupportedare:

Fig. 5.5: Automatic

Update

Patch Managem

ent


1. Schedule: ClickScheduletodisplaytheSchedulerwindow,whichisusedthroughouttheVSAtoscheduleatask.

2. Cancel: ClickCancel tocancelexecutionofthistaskonselectedmanagedmachines.


4. Recurrence: DependingontheoptionselectedinSchedule,itdisplaystheintervaltowaitbeforerunningthetaskagain.AlltheoptionsselectedarerecurringunlessitisspecifiedasOnce inthesched-ulerwindow.

5.1.6 Machine History

TheMachine History page (Fig. 5.6) displays the results from themost recent patch scanofmanagedmachines.All installed andmissing patches applicable to amanagedmachine are listed, regardless ofwhetherthepatchisapprovedornot.

1. Clickamachine ID link todisplayitspatchhistoryasshowninFig.5.6.

2. ClicktheKB Article linktodisplayaDetailspageaboutthepatch.TheDetailspagecontainsalinktodisplaytheknowledgebasearticle.

3. PatchesclassifiedassecurityupdateshaveasecuritybulletinID(MSyy-xxx).Clickingthislinkdis-playsthesecuritybulletin.

4. TheProductcolumnhelpsidentifytheproductcategoryassociatedwithaspecificpatch.Ifapatchisusedacrossmultipleoperatingsystemfamilies(i.e.,WindowsXP,WindowsServer2003,Vista,etc.),theproductcategoryisCommonWindowsComponentelsethespecificoperatingsystemnameisdis-CommonWindowsComponentelsethespecificoperatingsystemnameisdis-elsethespecificoperatingsystemnameisdis-played.ExamplesincludeInternetExplorer,WindowsMediaPlayerandsoon.

Superseded PatchesAsupersededpatchisapatchthatdoesn’thavetobeinstalledbecausealaterpatchisavailable.Atypicalexampleisaservicepack,whichbundlesmanyotherpatchesthathavebeenreleasedbeforetheservicepack.Ifyouinstalltheservicepack,youdon’thavetoinstallalltheearlierpatches.Patch Managementonlyreportspatchessupersededbyaservicepack.SupersededpatcheshaveastringappendedtothetitleofthepatchthatindicatesthatitissupersededbyServicePackX.Thisstringisdisplayedasdarkredtextwithyellowbackgroundtomakeitstandout.

Fig. 5.6: Machine History

Patc

h M

anag

emen

t


Theinstallationprocessinstallssupersededupdatesonly iftheservicepackthatsupersedestheseupdatesis not selected for installation. If the superseding service pack is selected for installation, the supersededupdatesare notdownloadedorinstalled.Aprocedurelogentryisaddedtoindicatetheupdatewasskippedbecauseitwassuperseded.

Inaddition:

• PatchtitlesinthePatchManagementreportincludeSuperseded By: Service Pack X,whenapplicable.

• Thepatchfilteronthepatchapprovalpagesnowincludetheabilitytofilteronsuperseded/not superseded.

• Occasionally,theSuperseded BywarningdisplaysasSuperseded By: Unspecified.Thisistypicallycausedbyacross-operatingsystempatchthatissupersededbyoneormoreservicepacks.ThisislikelytobeseenonupdatesdealingwithMediaPlayer.

PatchPatchesaregroupedbyupdateclassificationfirstandknowledgebasearticlenumbersecond.

StatusThefollowingstatusmessagescanappearnexttoapatch:

• Installed (date unknown)–Displaysthedateofthepatchinstalledasunknown

• Installed (<datetime>)–Displaysthedateandthetimethepatchwasinstalled.

• Missing–ThisisdisplayedifthepatchismissingasKaseyacomparesthepatchlistwiththeWin-dowsUpdateservicelist.

• Denied by Patch Approval–Thisisdisplayedifthepatchwasdenied

• Denied (Pending Patch Approval)

• Manual install to VSA database server only -Applies toSQLServerpatcheson thedatabaseserverwheretheKServerdatabaseishosted

• Manual install to KServer only -AppliestoOfficeorany“install-as-user”patchesontheKServer

• Patch Location Pending -Appliestopatcheswithaninvalidpatchlocation.

• Missing Patch Location – Thelocationoftheinstalledpatchfileismissing.

• Ignore

5.2.1 Machine Update

TheMachine UpdatepageisusedtomanuallyinstallMicrosoftpatchesonindividualmachines.Machine UpdateoverridesthePatch Approval Policy butobeysthePatch Management > Reboot Action policy.Machine Updateisoftenusedtotestanewpatchpriortoapprovingitforgeneralreleasetoallmachines.

5.2 Manage Updates

Patch Managem

ent


ThegenericviewoftheMachineUpdatepageisshowinFig.5.7below.Theoptionsavailableonthispageare:

1. Schedule: ClicktheSchedulebuttontodisplaytheSchedulerwindow,whichisusedthroughouttheVSAtoscheduleatask.Alltasksarescheduledonlyonce.


Note: Patches that are currently being processed (status of Pending - Processing Now) cannot be cancelled.

3. Hide patches denied by Patch Approval: Ifchecked,hidespatches thataredeniedpatchap-proval.PatcheswiththestatusPendingApprovalareconsidereddeniedbyMachine Update.

4. Patch: Patchesaregroupedbyupdateclassificationfirstandknowledgebasearticlenumbersec-ond.

5. Status: Astatusmessagemaybedisplayednexttoapatchwhichshowsthecurrentstatusofthepatch.FormoreinformationregardingPatchfailuresanderrormessages,refertoPatchFailuresectionattheendofthischapter.

5.2.2 Patch Update

The Patch Update page updates missing Microsoft patches on all machines displayed in the pagingarea.Patch Update overrides thePatch Approval Policy butobeys thePatch Management > Reboot Action policy.Ifyou’reusingPatch Management >Automatic Update,thenPatch Updateisoccasionallyusedtomanuallyapplyindividualpatchestomultiplemachinesortore-applypatchesthatoriginallyfailedoncertainmachines.

Duplicate EntriesMicrosoftmayuseacommonknowledgebasearticleforoneormorepatches,causingpatchestoappeartobelistedmorethanonce.Patch UpdatedisplayspatchessortedbyUpdate ClassificationorProductfirstandknowledgebasearticlenumbersecond.ChecktheProductnameorclicktheKB Articlelinktodistinguishpatchesassociatedwithacommonknowledgebasearticle.

PatchupdatepageprovidesalotofoptionsasshowninFig.5.8.Theoptionsavailableare:

Fig. 5.7: Machine Update

Patc

h M

anag

emen

t


1. tHide machines set for Automatic Update: Ifchecked,hidespatchesmissingfrommachineIDssettoPatch Management > Automatic Update.

2. Hide patches denied by Approval Policy: Ifchecked,hidespatchesdeniedbyPatchApprovalPolicy.

3. Patch Group By: DisplayspatchgroupsbyeitherClassificationorProduct.

4. Schedule: ClickthisbuttontodisplaytheSchedulerwindow,whichisusedthroughouttheVSAtoscheduleatask.Schedulethistaskonce.


Note:Patchesthatarecurrentlybeingprocessed(statusofPending-ProcessingNow)cannotbecan-celled.

6. Show Details: ClicktheShow Details checkboxtodisplaytheexpandedtitleandinstallationwarn-ings,ifany,ofeachpatch.

7. Status Warning Icon: Awarningiconindicatesthepatchstatusforoneormoremachinesshouldbecheckedbefore installingthispatch.ClicktheMachines buttonandreviewtheStatuscolumnforeachmachinemissingthispatch.

8. Machines: ClickMachinestolistallmachinesmissingthispatch.Onthedetailspage,statusmes-sagescanappearnexttoapatchwhichindicatesthecurrentstatusofthepatch.Formoreinformationregardingthestatusmessageofthepatch,referthePatchFailuresectionattheendofthechapter.

9. KB Article: Theknowledgebasearticledescribingthepatch.ClicktheKB Article linktodisplayallthedetailspageaboutthepatch.

10. Security Bulletin: PatchesclassifiedassecurityupdateshaveasecuritybulletinID(MSyy-xxx).Clickingthislinkdisplaysthesecuritybulletin.

11. Missing: Themissingcolumnshowsthenumberofmachinesmissingthispatch.

12. Auto: DisplaysonlyiftheHide machines set for Automatic Update boxisnotchecked.ThenumberofmachinesscheduledtoinstallthispatchbyAutomatic Update.

13. Ignore: ThisoptionshowsthenumberofmachinesettoignoreapatchusingtheMachinesbutton.TheIgnoresettingappliestotheselectedpatchontheselectedmachines.IfIgnoreisset,thepatchisconsideredDenied.PatchesmarkedasIgnoreontheselectedmachinescannotbeinstalledbyanyof

Fig. 5.8: Patch Update

Patch Managem

ent


theinstallationmethods.Tobeinstalled,theIgnoresettingmustbecleared.

14. Product: TheProductcolumnhelpsidentifytheproductcategoryassociatedwithaspecificpatch.Ifapatchisusedacrossmultipleoperatingsystemfamilies(i.e.,WindowsXP,WindowsServer2003,Vista,etc.),theproductcategoryisCommonWindowsComponent.ExamplesincludeInternetExplorer,WindowsMediaPlayer,MDAC,MSXML,andsoon.

5.2.3 Rollback

TheRollbackpageremovespatchesaftertheyhavebeeninstalledonasystem.NotallpatchesmaybeuninstalledwhenRollbackisperformed.Thisisbecausethesystemonlylistspatchessupportingtherollbackfeature.

Warning: Removing Windows software in the wrong order may cause the operating system to stop functioning.

ThegenericviewoftheRollbackpageisshowninFig.5.9below.Theoptionsavailableinthismoduleare:

1. Rollback: ClickthisbuttontodisplaytheSchedulerwindow,whichisusedthroughouttheVSAtoscheduleatask.Schedulethistaskonce.

2. Cancel: ClickCancel tocancelascheduledrollback.

3. Patch: Patchesaregroupedbyupdateclassificationfirstandknowledgebasearticlenumbersec-ond.

4. KB Article: Theknowledgebasearticledescribingthepatch.ClicktheKB Article linktodisplaytheentiredetailspageaboutthepatch.


6. Install Date: Thiscolumndisplaysthedatethepatchwasinstalled,ifavailable.

To Remove a Patch from a Managed Machine

1. ClickthemachineIDthatyouwanttoremoveapatchfrom.

2. Checktheboxtotheleftofthepatchyouwanttouninstall.

Fig. 5.9: Rollback

page

Patc

h M

anag

emen

t


3. ClicktheRollbackbutton.

5.2.4 Cancel Updates

TheCancel Updatespageclearsall manually scheduledpatchinstallationsonselectedmachineIDs.

TheCancel Updatespagecanalso terminate currently runningpatch installationprocesses.The timeapatchinstallationisbeingprocessed,aTerminate buttonisdisplayednexttothemachinename.ClickingthisTerminatebuttondeletesexistingpatchinstallationproceduresfortheselectedmachine,andtheinstallationprocessendsafterdeletionofthepatchinstallationprocedure.

Note: Installed Patches can be removed from managed machines using Rollback.

TheoptionssupportedbytheCancelUpdatespageareshowninFig.5.10below:

1. View By: Thisoptionallowsyoutoviewpatchessortedbymachineorbypatchfirst.Dependingontheoptionselectedhereoption(3.Showpatchlist)changes.

2. Cancel: ClickCancel toclearallscheduledpatchinstallationsscheduledbyeitherMachine Up-dateorbyPatch UpdateonselectedmachineIDs.

3. Show patch list: Show patch list isdisplayedonlyifViewbyMachineisselectedfropmoption(1.Viewby).IfbothView by MachineandShow patch listarechecked,allscheduled patch IDsforeachmachineIDarelisted.IfShow patch list isblank,thetotal number of scheduled patchesislistedforeachmachineID.

Show machine list: IfView By Patch isselectedandShow machine list ischecked,allscheduled patch IDsforeachmachineIDarelisted.IfShow machine list isblank,thetotal number of scheduled patchesislistedforeachmachineID.

Note: This option is displayed only if View by Patch is selected.

Machine.Group ID: ThelistofMachine.GroupIDsdisplayedisbasedontheMachineID/GroupIDfilterandthemachinegroupstheuserisauthorizedtoview.

KB Article: Displaystheknowledgebasearticledescribingthepatch.ThiscolumnisdisplayedonlyifView by patchisselected.ClicktheKB Article linktodisplayaDetailspageaboutthepatch.The

Fig. 5.10: Cancel

Updates

Patch Managem

ent


Detailspagecontainsalinktodisplaytheknowledgebasearticle.

5.3.1 Create/Delete

TheCreate/Deletepagecreatesordeletespatchpolicies.Patchpoliciescontainallactivepatchesforthepurposeofapprovingordenyingpatches.AnactivepatchisdefinedasapatchthathasbeenreportedbyapatchscanbyatleastonemachineintheVSA.Anymachinecanbemadeamemberofoneormorepatchpolicies.

Forexample,youcancreateapatchpolicynamedserversandassignallyourserverstobemembersofthispatchpolicyandanotherpatchpolicynamedworkstationsandassignallyourworkstationstobemembersofthispolicy.Thisway,youcanconfigurepatchapprovalsdifferentlyforserversandworkstations.

• Thepatchesofmachinesthatarenotamemberofanypatchpolicyaretreatedasiftheywereauto-matically approved.

• Whenanewpatchpolicy iscreated thedefaultapprovalstatus ispending approval forallpatchcategories.

• Thedefaultapprovalstatusforeachcategoryofpatchesandforeachproductcanbeindividuallyset.

• Ifamachineisamemberofmultiplepatchpoliciesandthosepolicieshaveconflictingapprovalsta-tuses,themostrestrictiveapprovalstatusisused.

• Patch Management > Initial Update andPatch Management > Automatic Update requirepatchesbeapprovedbeforethesepatchesareinstalled.

• Approval by Policy approvesordeniespatchbypolicy.

• Approval by Patch approvesordeniespatchesbypatchandsetstheapprovalstatusforthatpatchinallpatchpolicies.

• KBOverrideoverridesthedefaultapprovalstatusbyKB Articleforallpatchpoliciesandsetstheap-provalstatusforpatchesassociatedwiththeKBArticleinallpatchpolicies.

• Patch Management > Patch Update andPatch Management > Machine Update caninstallde-niedpatches.

• Non-Masterroleuserscanonlyseepatchpoliciestheyhavecreatedorpatchpoliciesthathavema-chineIDstheuserisauthorizedtoseebasedontheirscope.

Fig.5.11showsthegeneralviewoftheCreate/Deletepage.Theoptionssupportedare:

1. Create: EnteranewmachinepatchpolicynameintheeditfieldandclickCreate todefineanewpatchpolicy.

2. Delete: ClickDelete todeleteselectedpatchpolicies.

3. Policy Name: Listsallmachinepatchpoliciesdefinedfortheentiresystem.

4. Member Count: Liststhenumberofmachinesthataremembersofeachpatchpolicy.

5. Show Members: ClickShow Members tolistthemembersofapatchpolicy.

5.3 Patch Policy

Patc

h M

anag

emen

t


6. Edit Icon: Clicktheediticontotheleftofapatchpolicytorenameit.

5.3.2 Membership

TheMembershippageassignsmachineIDstooneormorepatchpolicies.

Fig.5.12belowshowsthegenericviewoftheMembershippage.Theoptionssupportedbythispagearelistedbelow.

1. Policy: SelectoneormorepatchpolicynamestomarkthemforaddingorremovingfromselectedmachineIDs.

2. Add: ClickAdd toaddselectedmachineIDs(5.Machine.GroupIDbelow)toselectedpatchpolicies(1.Policyabove).

3. Remove: ClickRemove to removeselectedmachine IDs(5.Machine.Group IDbelow) fromse-lectedpatchpolicies(1.Policyabove).

4. Always show all Patch Policies to All Users: Ifchecked,alwaysshowallpatchpoliciestoallus-ers.Thisallowsallnon-masterroleuserstodeploypatchpolicies,eveniftheydidnotcreatethepatchpoliciesanddon’thavemachinesyetthatusethem.Ifblank,onlymasterroleuserscanseeallpatchpolicies.Ifblank,non-masterroleuserscanonlyseepatchpoliciesassignedtomachineswithintheir

Fig. 5.12: Membership

Fig. 5.11: Create/Delete

Page

Patch Managem

ent


scopeortounassignedpatchpoliciestheycreated.Thisoptiononlydisplaysformasterroleusers.


6. Policy Membership: DisplaysacommaseparatedlistofpatchpoliciesthateachmachineIDisamemberof.

5.3.3 Approval by Policy

TheApproval by Policy page approves or denies the installation of Microsoft patches on managedmachinesbypatch policy.Patchespendingapprovalareconsidereddenieduntil theyareapproved.Thisgivesyouthechancetotestandverifyapatchinyourenvironmentbeforethepatchautomaticallypushesout.

ThefeaturessupportedbyApprovalbyPolicypage(Fig.5.13)are:

1. Policy: Selectapatchpolicybynamefromthedrop-downlist.

2. Save As: TosaveapatchpolicyunderadifferentnameclickSave As anditissavedtoanewpolicywithidenticalsettings.Allpatchapproval/denialstatusesarecopiedasthedefaultapprovalstatusesforthepolicy.

3. Copy Approval Statuses to Policy <Policy Name>: Selectapolicytocopyapprovalstatusesto,from thecurrently selectedpolicy.ThenclickCopy Now.This featureenablesyou toperformpatchtestingagainstagroupoftestmachinesusingatestpolicy.Oncetestinghasbeencompletedandthepatcheshavebeenapprovedordenied,usethecopyfeaturetocopyonlytheapprovedordeniedsta-tusesfromthetestpolicytoaproductionpolicy.

4. Policy View / Group By: Displayspatchgroupsbyclassificationorproduct.

5. Patch Approval Policy Status: Thistabledisplaystheapprovalstatusofpatchesbyupdateclas-sificationorproductgroup.Approved, Denied, Pending Approval,andTotals statisticsareprovidedforeachupdateclassificationorproductgroup.

SelectaDefault Approval Status foranycategory for thispatchpolicy.Newly identifiedpatches for thispatchpolicyareautomaticallysettothisdefaultvalue.Choicesinclude:

Fig. 5.13: Approval by

Policy

Patc

h M

anag

emen

t


• Approved Denied PendingApproval

6. Override Default Approval Status with Denied for “Manual Install Only” updates in this pol-icy: Ifthisoptionischecked,allexistingandfutureManualInstallOnlyupdatesaresettoDeniedforthispolicy.

7. Override Default Approval Status with Denied for “Windows Update Web Site” updates in this policy: Ifthisoptionischecked,allexistingandfutureWindowsUpdateWebSiteupdatesaresettoDeniedforthispolicy.

8. Override Default Approval Status with Denied superseded updates in this policy: Ifthisop-tionischecked,itautomaticallydeniessupersededpatchesthathasbeenadded.Thisfunctionsinthesimilarmannerastheabovedescribedoptions.

Note: If the same patch is assigned two different DefaultApprovalStatussettings then the more restrictive of the two defaults has precedence: Denied over Pending Approval over Approved.

ClickinganylinkonthePatch Approval Policy Status tabletakesyouthePatch Approval Policy Details page(Fig.5.16)wherepatchescanbeapprovedordeniedindividually.

InthePatch Approval Policy Details(Fig.5.14)pageyoucan:

1. Approveordenyapprovalofpatchesindividually.

2. ClicktheKB Article linktodisplayaDetailspageaboutthepatch.TheDetailspagecontainsalinktodisplaytheknowledgebasearticle.

Note: Microsoft may use a common knowledge base article for one or more patches, causing patches to appear to be listed more than once. Check the Productname or click the KBarticlelink to distinguish patches associated with a common knowledge base article.

3. ClicktheSecurity Bulletin linktoreviewthesecuritybulletin,ifavailable.Patchesclassifiedassecu-rityupdateshaveasecuritybulletinID(MSyy-xxx).

Fig. 5.14: Patch Approval Policy

Details

Patch Managem

ent


4. TheProductcolumnhelpsidentifytheproductcategoryassociatedwithaspecificpatch.Ifapatchisusedacrossmultipleoperatingsystemfamilies(i.e.,WindowsXP,WindowsServer2003,Vista,etc.),theproductcategoryisCommonWindowsComponent.ExamplesincludeInternetExplorer,WindowsMediaPlayer,MDAC,MSXML,andsoon.

5. ClicktheShow Details checkboxtodisplaytheexpandedtitle,patchstatusnotesandinstallationwarnings,ifany,ofeachpatch.

6. ClickFilter torestricttheamountofdatadisplayed.Youcanspecifyadifferentadvancedfilterforeachcolumnofdatadisplayed.

7. Optionallyaddanote,upto500characters,usingPatch Status Notes.ThenoteisaddedwhentheApprove orDeny buttonsareselected.IfthetextboxisemptywhentheApprove orDeny buttonsareselected,thenoteisremovedforselectedpatches.

5.3.4 Approval by Patch

TheApproval by Patchpageallows forapprovingordenying the installationofallMicrosoftpatchesonmanagedmachinesonapatchbypatchbasis.Changesmadehereaffectpatches installedbyalluserstherebyavoidingtheneedforapprovingpendingpatchesseparatelyforeachpatchpolicy.

ThefeaturessupportedbyApprovalbyPatchpage(Fig.5.15)are:

1. Patch Status Notes: Optionallyaddanote,upto500characters,usingPatch Status Notes.ThenoteisaddedwhentheApprove orDeny buttonsareselected.IfthetextboxisemptywhentheAp-prove orDeny buttonsareselected,thenoteisremovedforselectedpatches.

2. Approve: ClickApprove toapproveselectedpatchesforallpatchpolicies.

3. Deny: ClickDeny todenyselectedpatchesforallpatchpolicies.

4. Show Details: CheckShow Details todisplaymultiplerowsofinformationforallpatches.Thisin-cludesthetitleofapatch,thenumberofpatchpoliciesthathavebeenapproved,denied,orarependingapprovalforapatch,patchstatusnotes,andinstallationwarnings,ifany.

5. Patch Data Filter Bar: YoucanfilterthedatadisplayedbyspecifyingvaluesineachfieldofthePatchDataFilterBaratthetopofthepage.EnterorselectvaluesintheKBArticle,ClassificationorProductsfields.YoucanalsoclicktheEditbuttontofilterbyadditionalfieldsandsavethefilteringselec-tionsyoumakeasaview.Supportsadvancedfilteringlogic.Savedviewscan besharedusingtheMake

Fig. 5.15: Approval by

Patch

Patc

h M

anag

emen

t


Public(otherscanview)checkboxwheneditingtheview.

6. KB Article: ClicktheKB Article link todisplayaDetailspageaboutthepatch.TheDetailspagecontainsalinktodisplaytheknowledgebasearticle.

7. Security Bulletin: ClicktheSecurity Bulletin linktoreviewthesecuritybulletin,ifavailable.PatchesclassifiedassecurityupdateshaveasecuritybulletinID(MSyy-xxx).


9. Approval Status: Theapprovalstatusforthispatchinallpolicies.DisplaysMixed ifeven1policydiffersfromallotherpolicies.ClickingtheApprovalStatuslinkdisplaysapagedisplayingtheapprovalstatusassignedtothispatchbyeachpolicy.

10. Published: ThePublishedcolumndisplaysthedatethepatchwasreleased.

11. Language: TheLanguagecolumndisplaysthelanguagethepatchappliesto.

5.3.5 KB Override

The KB Override page (Fig. 5.18) overrides the default approval status of patches set using Patch Management > Approval by Policy byKB article forall patch policies. It also sets the approval statusforexistingpatchesbyKBArticleforallpatchpolicies.Changesaffectpatchesinallpatchpoliciesinstalledbyallusers.

Example:TheKB890830,“TheMicrosoftWindowsMaliciousSoftwareRemovalTool”,isreleasedmonthly.IfyoudecidetoapproveallpatchesassociatedwiththisKBArticleusingKBOverride,thennotonlyareexistingpatchesapprovedbutallnew patchesassociatedwiththisKBarticleareautomaticallyapprovedeachtimethenewpatchisreleased.

Fig.5.16shows theKBOverridepage.The functionssupportedby thismoduleare listedandexplainedbelow.

1. KB Article: EntertheKB Articletoapproveordeny.

2. Override Notes: EnteranotetoremindVSAuserswhytheoverridewasset.

3. Approve: ClickApprove toapprovepatchesassociatedwiththisKBArticle.Multiplepatchescan

Fig. 5.16: KB Override

Patch Managem

ent


beassociatedwithaKBArticle.

4. Deny: ClickDeny todenypatchesassociatedwiththisKBArticle.Multiplepatchescanbeassoci-atedwithaKBArticle.

5. KB Article: ClicktheKB Article linktodisplaytheKBarticle.

6. Override Status: ApprovedorDenied.AppliestoallpatchesassociatedwiththisKBArticle.

7. Admin: TheuserwhoapprovedordeniedpatchesassociatedwiththisKBArticle.

8. Changed: ThedateandtimetheuserapprovedordeniedpatchedassociatedwiththisKBArticle.

9. Notes:RemindsVSAuserswhytheoverridewasset.

5.4.1 Windows Auto Update

TheWindows Auto UpdatepagedetermineswhetherWindows Automatic Updatesonmanagedmachinesisdisabled,iscontrolledbytheuser,orconfiguredaccordingtotherequirements.

Windows Automatic UpdatesWindowsAutomaticUpdatesisaMicrosofttoolthatautomaticallydeliversupdatestoacomputer.WindowsAutomaticUpdatesissupportedinthefollowingoperatingsystems:Windows2003,WindowsXP,Windows2000SP3orlaterandalloperatingsystemsreleasedaftertheseversions.PatchManagement>WindowsAutoUpdatecanenableordisablethisfeatureonmanagedmachines.WhileWindowsMillenniumEdition(Me)hasanAutomaticUpdatescapability,itcannotbemanagedastheaboveoperatingsystems.

Windows Automatic Update Cannot Use Template AccountsWindowsAutomaticUpdatesisonefeaturethatcannotbepreconfiguredinamachineIDtemplate.ThisisbecauseWindowsAutomaticUpdatesisonlysupportedonWindows2000SP3/SP4,WindowsXP,WindowsServer2003,andlateroperatingsystems.SinceamachineIDtemplatecannotspecifyanoperatingsystem,asettingforthisfeaturecannotbestoredinthemachineIDtemplate.Also,amachine’scurrentsettingsmustbeknownbeforetheycanbeoverridden.ThecurrentsettingsareobtainedwhenaPatchManagement>ScanMachineisperformed.

Fig.5.17showsthegenericviewoftheWindowsAutoUpdatepage.Thefunctionssupportedbythismodulearelistedandexplainedbelow:

5.4Configure

Patc

h M

anag

emen

t


1. Apply: ClickApply toapplyparameterstoselectedmachineIDs.

2. Disable: SelectDisable to disableWindowsAutomatic Updates on selected machine IDs andletPatch Managementcontrolpatchingofthemanagedmachine.OverridestheexistingusersettingsanddisablesthecontrolsinWindowsAutomaticUpdatessotheusercannotchangeanyofthesettings.Userscanstillpatchtheirsystemsmanually.

3. User Control: LetmachineusersenableordisableWindowsAutomaticUpdatesforselectedma-chineIDs.

4. Configure: ForcestheconfigurationofWindowsAutomaticUpdatesonselectedmachineIDstothefollowingsettings.OverridestheexistingusersettingsanddisablesthecontrolsinWindowsAutomaticUpdatessotheusercannotchangeanyofthesettings.Userscanstillpatchtheirsystemsmanually.

• Notify user for download and installation-Notifiestheuserwhennewpatchesareavail-ablebutdoesnotdownloadorinstallthem.

• Automatically download and notify user for installation-Automaticallydownloadsup-datesfortheuserbutletstheuserchoosewhentoinstallthem.

• Automatically download and schedule installation -Automatically downloadsupdatesandinstallstheupdatesatthescheduledtime.

5. Schedule every day / <day of week> at <time of day>: Appliesonlyifautomatically download and schedule installationisselected.Performthistaskeverydayoronceaweekatthespecifiedtimeofday.

6. Force auto-reboot if user is logged on: OptionallychecktheboxnexttoForce auto-reboot if user is logged on.Bydefault,Windows Auto Updatedoesnotforceareboot.Patch Management > Reboot Action settingsdonotapplytoWindows Auto Update.


8. Machine Updated: Displays the status of configuringWindowsAutomaticUpdates on selectedmachineIDsusingthispage.

• Pending-WindowsAutomaticUpdatesisbeingconfiguredontheselectedmachineID.

• Timestamp-ThedateandtimeWindowsAutomaticUpdateswasconfiguredontheselectedmachineID.

Fig. 5.17: Windows Auto

Update

Patch Managem

ent


5.4.2 Reboot Action

TheReboot Action page defines how reboots are performed after a patch install. Patch installs do nottakeeffectuntilafteramachineisrebooted.TheReboot ActionpolicyappliestoMachineUpdate,PatchUpdateandAutomaticUpdate.Itdoesnot applytoInitialUpdate.

Warning: Automatic rebooting of the KServer or database server can have adverse effects on other KServer processes!

Patch ProcessThepatchinstallationprocedurerunsatthescheduledtimeandperformsthefollowingsteps:

• Downloads,orcopiesfromasharedfolder,allthepatchfilestoalocaldrive,typicallythesamedrivetheagentisinstalledon.

• Executeseachpatchfile,oneatatime.

• Performsarebootofthemachine,asspecifiedbythispage.

Note: After all the patches have been installed the machine reboots once.

Note:Ifyouareinstallingaservicepackwithotherpatchesyouwillseearebootaftertheservicepackinstallandthenanothersinglerebootafteralltheotherpatchesareinstalled.


• Showmachinesthathave/havenotrebootedinthelastNperiods

• MachineswithRebootPendingforpatchinstallations

ThegenericviewoftheRebootActionpageisshowninFig.5.18andallthesupportedfunctionsonthispageislistedandexplainedbelow.

1. Apply: ClickApply toapplyparameterstoselectedmachineIDs.

2. Reboot immediately after update: Rebootsthecomputerimmediatelyaftertheinstallcompletes.

3. Reboot <day of week> at <time of day> after install: Afterthepatchinstallcompletes,thecom-puter is rebootedat theselecteddayofweekand timeofday.Use thesesettings to installpatches

Fig. 5.18: Reboot Action

Patc

h M

anag

emen

t


duringthedaywhenusersareloggedin,thenforcearebootinthemiddleofthenight.Selectingevery dayrebootsthemachineatthenextspecifiedtimeofdayfollowingthepatchinstallation.

4. Warn user that machine will reboot in <N> minutes (without asking permission): Whenthepatchinstallcompletes,themessagebelowpopsopenwarningtheuserandgivingthemaspecifiednumberofminutestofinishupwhattheyaredoingandsavetheirwork.Ifnooneiscurrentlyloggedin,thesystemrebootsimmediately.

5. Skip reboot if user logged in: Iftheuserisloggedin,therebootisskippedafterthepatchinstallcompletes.Usethissettingtoavoidinterruptingyourusers.Thisisthedefaultsetting.

6. If user logged in ask to reboot every <N> minutes until the reboot occurs: Thissettingdisplaysthemessagebelow,askingtheuserifitisOKtorebootnow.Ifnooneisatthecomputerortheyanswerno,thesamemessageappearseveryNminutesrepeatedly,untilthesystemhasbeenrebooted.Ifnooneiscurrentlyloggedin,thesystemrebootsimmediately.

7. If user logged in ask permission. Reboot if no response in <N> minutes. Reboot if user not logged in: Thissettingdisplaysthemessagebelow,askingtheuserifitisOKtorebootnow.Ifnooneisatthecomputer,itrebootsautomaticallyafterNminuteswithout savinganyopendocuments.Ifnooneiscurrentlyloggedin,thesystemrebootsimmediately.

8. If user logged in ask permission. Do nothing if no response in <N> minutes. Reboot if user not logged in: Thissettingdisplaysthemessagebelow,askingtheuserifitisOKtorebootnow.Ifnooneisatthecomputer,therebootisskipped.Ifnooneisloggedin,rebootimmediately.

9. Do not reboot after update: Doesnotreboot.Typicallyusedifthemachineisaserverandyouneedtocontrolthereboot.Youcanbenotifiedviaemailwhenanewpatchhasbeeninstalledbycheck-ingEmail when reboot requiredandfillinginanemailaddress.YoucanalsoformattheemailmessagebyclickingtheFormat Emailbutton.Thisoptiononlydisplaysformasterroleusers.

Thefollowingtypesofpatchrebootemailscanbeformatted:

• PatchReboot

Note: Changing the email alarm format changes the format for all PatchRebootemails.

Thefollowingvariablescanbeincludedinyourformattedemailalertsandinprocedures.

10. Run select agent procedure before machine is rebooted: Ifchecked,theselectedagentproce-

Within an Email Description

<at> alerttime<db-view.column>

Includea view.column fromthedatabase.Forexample,toincludethecomputernameofthemachinegeneratingthealertinanemail,use<db-vMachine.ComputerName>

<gr> groupID<id> machineID

Patch Managem

ent


dureisrunjustbeforethemachineisrebooted.

11. Run select agent procedure after machine is rebooted: Ifchecked,theselectedagentprocedureisrunjustafterthemachineisrebooted.


13. Reboot Action: ThetypeofrebootactionassignedtoeachmachineID.

5.4.3 File Source

TheFile Sourcepagedefineswhereeachmachinegetsexecutablepatchfilesfrom,priortoinstallation,andwherethesepatchexecutablesarecopiedtothelocalmachine.Filesourcelocationsinclude:

• TheInternet

• TheKServer

• Asharedfolder

Note: Patch download links with a cab extension are always downloaded directly from the internet regardless of the FileSourcesetting.

ThefigurebelowshowsthegenericviewoftheFileSourcepage(Fig.5.19).Thesupportedfunctionsonthispagearelistedandexplainedbelow.

1. Apply: ClickApply toapplytheselectedpatchsourceoptiontoselectedmachineIDs.

2. Copy packages to working directory on local drive with most free space: Patchesaredown-loaded,orcopiedfromasharedfolder,tothemanagedmachine’sharddisk.Severalpatches,especiallyservicepacks,mayrequiresignificantadditionallocaldiskspacetocompletelyinstall.CheckthisboxtodownloadpatchestotheAgent > Working Directory,butusethedriveonthemanagedmachinewiththemostfreediskspace.Uncheckthisboxtoalways

3. usethedrivespecifiedinWorking DirectoryforthemachineID.

4. Delete package after install (from working directory): The installpackage is typicallydeletedaftertheinstalltofreeupdiskspace.Uncheckthisboxtoleavethepackagebehindfordebuggingpur-

Fig. 5.19: File Source

Patc

h M

anag

emen

t


poses.IftheinstallfailsandyouneedtoverifythePatch Management > Command Line switches,donotdeletethepackagesoyouhavesomethingtotestwith.ThepackageisstoredintheAgent > Work-ing Directoryonthedrivespecifiedinthepreviousoption.

5. Download from Internet: Eachmanagedmachinedownloads thepatchexecutable filedirectlyfromtheinternetattheURLspecifiedinPatch Management > Patch Location.

6. Pulled from system server: FirsttheKServercheckstoseeifitalreadyhasacopyofthepatchfile.Ifnot,thenewpatchexecutableisdownloadedautomaticallyandstoredontheKServer,thenusedforallsubsequentdistributionstomanagedmachines.Whenapatchneedstobeinstalledonamanagedmachine,thispatchfileispushedtothatmachinefromtheKServer.

7. Clear Cache: ClickClear Cache toclearalldownloadedpatchesstoredontheKServer.


9. Patch Source: ListsthepatchsourceselectedforeachmachineID.AClear CachebuttondisplaysinthiscolumnifthePulled from file server using UNC pathoptionisselectedforamachineID.ClickingthisClear CachebuttonclearspatchesfromthespecifiedfileserverUNCpath.TheClear Cache buttonisnot machinespecific.Allpatchesstoredonthatfileserverforthespecifiedpathwillbedeleted.

Pulled from file server using UNC path: ThismethodisrecommendedifyousupportmanymachinesonthesameLAN.PatchfilesaredownloadedtothelocaldirectoryofaselectedmachineID.ThelocaldirectoryonthemachineIDisconfiguredtobesharedwithothermachineIDsonthesameLAN.AllothermachineIDsonthesameLANuseaUNCpathtothesharedfolderlocatedonthefirstmachineID.AllothermachinesonthesameLANrequireacredentialtoaccessthesharedfolderonthefirstmachineandinstallthepatchfiles.AcredentialisspecifiedforthefirstmachinewiththeshareddirectoryusingAgent > Set Credential.

Setup:

1. EnteraUNCpathinthePulled from file server using UNC path field.

Example:“\\computername\sharedname\dir\”or“\\192.168.2.10\ShareDirectory”asshowninFig.5.20.

2. UsetheMachine Group Filter drop-downlisttoselectagroupID.

3. SelectamachineIDfromtheFile share located ondrop-downlist.

4. Enterasharedlocaldirectoryinthein local directory field.

Note: The value in the localdirectoryfield must be in full path format, such as c:\shareddir\dir

FirsttheKServercheckstoseeifthepatchfileisalreadyinthefileshare.Ifnot,themachineIDwiththefileshareautomaticallyloadsthepatchfileeitherdirectlyfromtheinternetorgetsitfromtheKServer.Ineithercase,themanagedmachinewiththefilesharemust have an agentonit.

5. File Server automatically gets patch files from-Selectoneofthefollowingoptions:

• the Internet -Usethissettingwhenthemanagedmachinerunningthefilesharehasfullinternetaccess.

• the System server-Usethissettingwhenthemanagedmachinerunningthefileshareisblockedfromgettinginternetaccess.

6. Download from Internet if machine is unable to connect to the file server-Optionallycheckthisboxtodownloadfromtheinternet.Thisisespeciallyusefulforlaptopsthataredisconnectedfromthecompanynetworkbuthaveinternetaccess.

Patch Managem

ent


5.4.4 Patch Alert

ThePatch Alertpagetriggersanalertforpatchmanagementeventonmanagedmachines.

• AnewpatchisavailablefortheselectedmachineID.

• ApatchinstallationfailedontheselectedmachineID.

• TheagentcredentialisinvalidormissingfortheselectedmachineID.

• WindowsAutoUpdatechanged.

Fig.5.21showsthegenericviewofthePatchAlertpage.Thefunctionssupportedbythispagearelistedandexplainedbelow.

1. Create Alarm: Ifcheckedandanalarmcondition*isencountered,analarmiscreated.Alarmsare

Fig. 5.20: Setup

Fig. 5.21: Patch Alert

Patc

h M

anag

emen

t


displayed inMonitor >Dashboard List,Monitor >Alarm Summaryand Info Center > Reports > Logs > Alarm Log.

Note: An alarm condition exists when a machine’s performance succeeds or fails to meet a pre-defined criteria.

2. Create Ticket: Ifcheckedandanalarmconditionisencountered,aticketiscreated.

3. Run Script: If checkedandanalarmcondition isencountered, anagentprocedure is run.Youmustclicktheselect scriptlinktochooseanagentproceduretorun.YoucanoptionallydirecttheagentproceduretorunonaspecifiedrangeofmachineIDsbyclickingthis machine ID link.ThesespecifiedmachineIDsdonothavetomatchthemachineIDthatencounteredthealarmcondition.

4. Email Recipients: Ifcheckedandanalarmconditionisencountered,anemailissenttothespeci-fiedemailaddresses.

• TheemailaddressofthecurrentlyloggedonuserdisplaysintheEmail Recipientsfield.ItdefaultsfromSystem >Preferences.

• ClickFormat EmailtodisplaytheFormat Alert Email popupwindow.Thiswindowenablesyoutoformatthedisplayofemailsgeneratedbythesystemwhenanalarmconditionisen-counteredasshowninFig.5.22.

• IftheAdd to current listradiooptionisselected,whenApply isclickedalertsettingsareap-

pliedandthespecifiedemailaddressesareaddedwithoutremovingpreviouslyassignedemailaddresses.

• IftheReplace list radiooptionisselected,whenApply isclickedalertsettingsareappliedandthespecifiedemailaddressesreplacetheexistingemailaddressesassigned.

• IfRemove isclicked,allemailaddressesareremovedwithoutmodifyinganyalertparam-eters.

• EmailissentdirectlyfromtheKServertotheemailaddressspecifiedinthealert.Setthe From AddressusingSystem >Outbound Email.

Fig. 5.22: Format Alert

Email

Patch Managem

ent


5. Apply: ClickApply toapplyparameterstoselectedmachineIDs.ConfirmtheinformationhasbeenappliedcorrectlyinthemachineIDlist.

6. Clear: ClickClear toremoveallparametersettingsfromselectedmachineIDs.

7. Patch Alert Parameters: ThesystemcantriggeranalertforthefollowingalarmconditionsforaselectedmachineID:

• New patch is available

• Patch install fails

• Agent credential is invalid or missing

• Windows Auto Update changed


9. Approval Policy Updated: Displaysasthefirstrowofdata.IfselectedandtheApplybuttonclicked,analertisgeneratedwhenanewpatchisaddedtoallpatchpolicies.

10. ATSE: TheATSEresponsecodeassignedtomachineIDs:

• A=CreateAlarm

• T=CreateTicket

• S=RunProcedure

• E=EmailRecipients

11. Email Address: Acommaseparatedlistofemailaddresseswherenotificationsaresent.

12. New Patch: Ifchecked,analarmistriggeredwhenanewpatchisavailableforthismachineID.

13. Install Failed: Ifchecked,analarmistriggeredwhenapatchinstallationhasfailedforthismachineID.

14. Invalid Credential: Ifchecked,analarmistriggeredwhenthecredentialisinvalidforthismachineID.

15. Win AU Changed: If checked, an alarm is triggered if the grouppolicy forWindowsAutomaticUpdateonthemanagedmachineischangedfromthesettingspecifiedbyPatch Management >Win-dows Auto Update.

Note: A log entry in the machine’s Configuration Changes log is made regardless of this alert setting

To Create a Patch Alert

1. Checkanyofthesecheckboxestoperformtheircorrespondingactionswhenanalarmconditionisencountered:

• CreateAlarm

• CreateTicket

• RunScript

• Email Recipients

Patc

h M

anag

emen

t


2. Setadditionalemailparameters.

3. Setadditionalpatchalertspecificparameters.

4. CheckthemachineIDstoapplythealertto.

5. ClicktheApplybutton.

To Cancel a Patch Alert

1. SelectthemachineIDcheckbox.

2. ClicktheClearbutton.ThealertinformationlistednexttothemachineIDisremoved.

Passing Alert Information to Emails and ProceduresThefollowingtypesofpatchalertemailscanbesentandformatted:

• NewPatchAvailable

• PatchInstallFailed

• PatchApprovalPoliciesUpdated

• AgentCredentialInvalid

• WindowsAutoUpdateConfigurationChanged

Note: Changing the email alarm format changes the format for all PatchAlertemails.

5.4.5OfficeSource

TheOffice SourcepagesetsalternatesourcelocationsforinstallingOfficeandOfficecomponentapplications.ThesourcelocationcanbechangedfromthedefaultCD-ROM,whichisthetypicalinstallationsource,toasharedfolderoradirectoryonalocalharddrive.Bychangingtheinstallationsourcetoanetworkshareora localdirectory,patchesthatrequiretheOfficeinstallationsourcefor installationcangetaccesswithout prompting the user for the installation media.This alternate source location canbe configured to beread-only.Itmustcontainanexactcopyoftheinstallationmediacontentsincludingallhiddenfilesand/ordirectories.

AnOfficesourceforamanagedmachineisonlyavailableafteryouhaverunPatch Management > Scan Machine atleastonceforthemanagedmachine.MachineIDsaredisplayedonthispageonlyifthey:

• CurrentlymatchtheMachineID/GroupIDfilter.

• HaveOfficeorOfficecomponentapplicationsinstalledforOffice2000,XP,or2003.

Note: Office 2007 installs a full set of source installation files on a machine and an alternate source location is not required.

Multiple EntriesMultipleentriesmaybedisplayedforamachinebecausethemachinecontainsoneormoreOfficecomponentapplications,suchasFrontPageorProject,thatwereinstalledseparatelyfromtheirowninstallationsourceandwerenotpartoftheOfficeinstallation.

Credential RequiredManagedmachinesmusthaveacredentialset(referAgent>Setcredential)tousetheOfficeSourcepage.TheagentmusthaveacredentialtousethealternateOfficesourcelocation.

Patch Managem

ent


ValidationThespecifiedlocationisvalidatedtobesurethatthelocationisaccessiblefromthemachineandthattheinstallationsource in thespecified locationcontains thecorrecteditionandversionofOfficeor theOfficecomponentapplication.Themachine’sregistryismodifiedtousethespecifiedlocationonlyafterthevalidation.

Installing Office ProductsSome patches—particularly Office service packs—still display progress dialogs even though the silentinstallationswitch(/Q) is includedusingPatch Management > Command Line.Theseprogressdialogsdonotrequireanyuserintervention.Somepatchesandservicepacksdisplayamodaldialogindicatingtheupdatehascompleted,againeventhoughthesilentinstallationswitch(/Q)isused.ThisrequirestheusertoclickontheOKbuttontodismissthedialog.Untilthishappens,thepatchinstallationprocedureappearstobehungandwillnotcompleteuntilthisdialogisdismissed.SomeOfficeservicepacksfailfornoapparentreason.Checkingthemachine’sapplicationeventlogrevealsthatanotherOfficecomponentservicepackfailed.ThishasbeenobservedwithOffice2003servicepack2requiringtheavailabilityofFrontPage2003servicepack2.WhentheOfficesourcelocationfortheFrontPage2003isconfigured,theOffice2003servicepack2finallysuccessfullyinstalls.

Fig.5.23belowshowsthegenericviewoftheOfficesourcepage.Thefunctionssupportedbythispageislistedandexplainedbelow.

1. Filter on Office Product: Becauseeachmanagedmachinemaybelistedmultipletimes—onceforeachOfficeproductorOfficecomponentapplicationinstalled—youcanfiltertheOfficeproducts/compo-nentsdisplayed.Thisensuresselectingthesameproductcodeformultiplemachineswhensettingtheinstallationsourcelocation.

2. Apply: ClickApply toapply theOfficesource locationspecified inLocation of Office installation sourcetoselectedmachineIDs.

3. Location of Office installation source: Add thenetwork shareasaUNCpath (i.e., \\machin-ename\sharename)oralocaldirectoryasafullyqualifiedpath(i.e., C:\OfficeCD\Office2003Pro)intheinstallationsourcetextbox.

4. Reset: ClickReset torestoreselectedmachineIDsbacktotheiroriginalinstallationsource,typicallytheCD-ROM.


Fig. 5.23

Patc

h M

anag

emen

t


StatusDisplaysoneofthefollowing:

• MissingCredential

• UpdateProcedureFailed

• ValidationProcedureFailed

• OriginalSource

• PendingValidation

• UpdatingMachine

• IncorrectEdition

• ProcessingError

• RestoringOriginal

• OfficeSourceUpdated

6. Office Product: DisplaysthenameoftheOfficeproduct.Office Source: DisplaysthecurrentinstallationsourcelocationforthisOfficeproductonthismachineID.

7. Product Code: DisplaystheOfficeproductcode.

5.5.1 Command Line

TheCommand Line page defines the command line switches used to silently install a specified patch.Occasionallyapatch is released thatdoesnotusenormalswitchsettingsor thepatchdatabasehasnotbeenupdatedwiththenewswitches.Ifyoufindapatchdoesnotsuccessfullyinstallwithitsassignedswitchsettings, you can change them here. Locate patch switches by clicking theKB Article link and readingthroughtheknowledgebasearticle.

Warning: Changes to the switches affect all users. This page is only displayed for master role users.

Suppress Automatic RebootUsuallyyouwant to loadapatchwithout requiringanyuser interactionatall.Thesystemsupportsbatchinstallsofmultiplepatchesatthesametimeandrebootsonceattheendofallpatchinstallations.Therefore,useswitchsettingstosuppressautomaticrebootwhereverpossible.

Switch SettingsTypicalpatchfileswitchsettingsforsilent,unattendedinstallswithoutreboot:

• /quiet/norestart-Thisisthestandardsettingformostpatchesinrecentyears.

• /u/q/z-TypicalswitchsettingsusedtosilentlyinstallolderpatchesthatdonotusetheWindowsInstallertechnology.

5.5 Patch Parameters

Patch Managem

ent


• /m/q/z-TypicalswitchsettingstosilentlyinstallolderpatchesreleasedforWindowsNT4.

• /q:a/r:n-InternetExplorerandotherapplicationswitchsettingstoinstallinquietusermode(/q:a)andnotautomaticallyreset(/r:n)whentheinstallcompletes.

• OtherswitchsettingsfoundwithMicrosoftpatchinstallationsinclude:

• /?-Displaythelistofinstallationswitches.

• /u-UseUnattendedmode.

• /m-Unattendedmodeinolderpatches.

• /f-Forceotherprogramstoquitwhenthecomputershutsdown.

• /n-Donotbackupfilesforremoval.

• /o-OverwriteOEMfileswithoutprompting.

• /z-Donotrestartwhentheinstallationiscomplete.

• /q-Usequietmode(nouserinteraction).

• /l-Listtheinstalledhotfixes.

• /x-ExtractfileswithoutrunningSetup.

Microsoft Office command line switchesTheonlyswitchpermittedforusewithMicrosoftOffice2000andOfficeXPrelatedpatchesis/Q.If/Qisnotspecified,MicrosoftOffice2000andMicrosoftOfficeXPswitcheswillbeautomaticallyresetto/INSTALL-AS-USER.MicrosoftOffice2003patchesmayalsoincludethe/MSOCACHEswitchusedtoattemptasilentinstalliftheMSOCacheexistsonthemachine.Thesesettingsareenforcedbytheapplication.Server-side command line switchesSpecialserver-sidecommandlineswitchescanbecombinedwithpatchspecificswitches:

• /INSTALL-AS-USER-Tellsthesystemtoonlyinstallthispatchasauser.Somerarepatchesdonotinstallsuccessfullyunlesssomeoneisloggedontothemachine.Addthisswitchifyoufindapatchisfailingtoinstallifnooneisloggedin.

Warning: This setting conflicts with the Skipupdateifuserloggedinsetting found in RebootAction./INSTALL-AS-USER requires that a user be logged in to install.

• /DELAY-AFTER=xxx-Aftertheinstallwaitxxxsecondsbeforeperformingtherebootstep.There-bootstepstartsaftertheinstallpackagecompletes.Somerareinstallersspawnadditionalprogramsthatmustalsocompletebeforerebooting.Addthisswitchtogiveotherprocessestimetocompleteafterthemaininstallerisdone.

Patc

h M

anag

emen

t


Fig.5.24belowshowsthegenericviewoftheCommandLinepage.Thesupportedoptionsareexplainedbelow.

1. Patch data filter bar: YoucanfilterthedatadisplayedbyspecifyingvaluesineachfieldofthePatchDataFilterBaratthetopofthepage.EnterorselectvaluesintheKBArticle,ClassificationorProductsfields.YoucanalsoclicktheEditbuttontofilterbyadditionalfieldsandsavethefilteringselectionsyoumakeasaview.Supportsadvancedfilteringlogic.SavedviewscanbesharedusingtheMakePublic(otherscanview)checkboxwheneditingtheview.

2. New Switches: Enterthecommandlineswitchesyouwanttoapplytoselectedpatches.

3. Apply: ClickApply toapplythespecifiedcommandlineswitchestoselectedpatches.

4. Reset: ClickReset toresetthecommandlinesofselectedpatchesbacktotheirdefaultsettings.

5. KB Article: Theknowledgebasearticledescribingthepatch.ClicktheKB ArticlelinktodisplayaDetailspageaboutthepatch.TheDetailspagecontainsalinktodisplaytheknowledgebasearticle.

Patch Name: Thepatchinstallfilename.

6. Security Bulletin: ClicktheSecurity Bulletin linktoreviewthesecuritybulletin,ifavailable.PatchesclassifiedassecurityupdateshaveasecuritybulletinID(MSyy-xxx).

7. Product: TheProduct columnhelpsidentifytheproductcategoryassociatedwithaspecificpatch.Ifapatchisusedacrossmultipleoperatingsystemfamilies(i.e.,WindowsXP,WindowsServer2003,Vista,etc.),theproductcategoryisCommonWindowsComponent.ExamplesincludeInternetExplorer,WindowsMediaPlayer,MDAC,MSXML,andsoon.

8. Office?: IftheproductdisplayedisanOfficeproduct,theversionisdisplayedhere.

Switches: Thecommandlineswitchesusedtoinstallthispatchisdisplayed.

5.5.2 Patch Location

ThePatch LocationpagedefinestheURLfromwhicheachpatchisdownloaded.OnlypatchesmissingfrommachineIDsthatcurrentlymatchtheMachineID/GroupIDfilteraredisplayedhere.Youshouldconsultthis

Fig. 5.24: Command Line

page

Patch Managem

ent


pageif,whenattemptingtoinstallapatch,youarenotifiedofaPathMissing.

TheKServermaintainsalistofeachpatchandtheURLitshouldbedownloadedfrom.InmostcasesthedownloadURLsprovidedforpatchesarecorrect.PathMissingerrorsmayoccurforthefollowingreasons:

• EachlanguagemayrequireaseparateURLtodownloadfrom.

• TheURLmaychangeforoneormorepatches.

• TheKServer’srecordfortheURLmaybeenteredincorrectlyorbecorrupted.

Insuchcases,userscanchangethedownloadpathassociatedwithapatch.ManuallyenteredURLsareshownindarkred.

Note: Changes affect patches installed by all users. This page is only displayed for master role users

Fig.5.25belowshowsthegenericviewofthePatchLocationpage.Theoptionssupportedbythismodulearelistedandexplainedbelow.

1. Patch data filter bar: YoucanfilterthedatadisplayedbyspecifyingvaluesineachfieldofthePatchDataFilterBaratthetopofthepage.EnterorselectvaluesintheKBArticle,ClassificationorProductsfields.YoucanalsoclicktheEditbuttontofilterbyadditionalfieldsandsavethefilteringselectionsyoumakeasaview.Supportsadvancedfilteringlogic.SavedviewscanbesharedusingtheMakePublic(otherscanview)checkboxwheneditingtheview.

2. New Location: EnteranewURL.

3. Apply: ClickApply toapplytheURLlistedintheNew Locationfieldtotheselectedpatch.

4. Remove: ClickRemovetodeletethedownloadURLassociatedwithapatchID.

Warning: Removing a path disables patching managed machines using this patch until the correct path is entered

5. KB Article: Theknowledgebasearticledescribingthepatch.ClicktheKB ArticlelinktodisplayaDetailspageaboutthepatch.TheDetailspagecontainsalinktodisplaytheknowledgebasearticle.

Fig. 5.25: Patch Location

Patc

h M

anag

emen

t


6. Security Bulletin: ClicktheSecurity Bulletinlinktoreviewthesecuritybulletin,ifavailable.Patch-esclassifiedassecurityupdateshaveasecuritybulletinID(MSyy-xxx).

7. Product: TheProduct columnhelpsidentifytheproductcategoryassociatedwithaspecificpatch.Ifapatchisusedacrossmultipleoperatingsystemfamilies(i.e.,WindowsXP,WindowsServer2003,Vista,etc.),theproductcategoryisCommonWindowsComponent.ExamplesincludeInternetExplorer,WindowsMediaPlayer,MDAC,MSXML,andsoon.

8. Language: Thelanguageassociatedwiththepatchlocation.

To find the URL to a missing path

1. ClicktheKB Articlelistedforthemissingpath.

2. ReadthroughtheknowledgebasearticleandlocatethedownloadURLforthepatch.

3. Clickonthedownloadlinkforyourpatch.Ifadifferentpatchisavailableforeachlanguage,youwillbepromptedtoselectalanguage.

4. Selecttheappropriatelanguageforthedownload,ifapplicable.

5. ClicktheDownloadlinkorbuttonanddownloadthepatchfile.

6. Onyourwebbrowser,clicktheHistory icontoviewyourURLhistory.

7. Locatethefileyoujustdownloadedfromyourhistorylist.Typically,thefilewillbeinthedownload.microsoft.comdomain.

8. Right-clickthefilenameyoujustdownloadedandselectCopyfromthemenu.ThiscopiestheentireURLintoyourclipboard.

9. ReturntothePatchLocationpageand:

• PastetheURLintotheNew Locationeditbox.

• SelecttheradiobuttontotheleftoftheKBArticleforwhichyouareenteringanewpatchlocation.

• ClicktheApplybutton.

patch management - school of computing and information ...users.cis.fiu.edu/~sadjadi/teaching/it...

Documents