
Understanding How Patch Management Solution for Windows Works in Hierarchy 

Nov 17, 2010 03:10 PM

Replication within a Hierarchy is not designed to be an instantaneous process. However, because of the critical nature of Microsoft patching, speed is desired for patch replication.

This article explains some of the processes, and the order in which they should occur, to ensure the fastest possible replication with respect to Patch Management Solution for Windows.

 

| Order | Task / Process | Parent / Child | Verification Methods |
|---|---|---|---|
| 1 | Microsoft Patch Management Import - Task | Parent | Check the status of the task: Manage > Jobs and Tasks > System Jobs and Tasks > Software > Patch Management > Microsoft Patch Management Import. |
| 2 | Patch Management Import Data Replication for Microsoft - Replication Rule | Parent to Child | Monitor with the Current Replication Activity report. Keep in mind that this report does not show that this particular replication is the one running; it only shows the replication tasks that are currently running. |
| 3 | Stage the bulletins - Patch Remediation Center | Parent | Wait for the process dialog box to state that the task completed, or check Manage > Jobs and Tasks > System Jobs and Tasks > Software > Patch Management > Download Software Update Package task to verify that it has completed. |
| 4a | Site Server in the SMP Server site downloads the packages | Parent | Step 1 - Look at the UI on the Site Server and verify that the packages have been downloaded. Step 2 - Look at the Site Server in the Console and verify that the package count matches what the agent had. |
| 4b | Create the Software Update Policies - Patch Remediation Center | Parent | Wait for the wizard to complete. After going through the wizard, select the policy in the tree. There can be a delay depending on the size of the policy. |
| 4c | Add the policies to Patch Management Software Distribution Replication For Microsoft rule - Replication Rule | Parent | Save the replication rule and open it again if needed to verify that the changes were saved. |
| 5 | Patch Management Software Distribution Replication For Microsoft - Replication Rule | Parent to Child | Look at the location the policies will be replicated to, and verify that they exist. Use the Current Replication Activity report to monitor the process. Note: Only include policies that have not been previously replicated and run in Complete mode. |
| 6 | Download Software Update Package - Task | Child | View the policies; they will no longer show a message that the bulletins need to be staged. And/or look at the Download Software Update Package task. |
| 7 | Site Server downloads the packages | Child | Step 1 - Look at the UI on the Site Server and verify that the packages have been downloaded. Step 2 - Look at the Site Server in the Console and verify that the package count matches. |
| 8 | Client updates configuration and installs updates | Child | Use the Compliance and Vulnerability reports. |

Important Note: If any of the items in steps 1 through 4c have not completed before the Software Distribution replication rule (step 5) runs, the rule will need to run again.

Note: See the diagram to get a better feel for the flow of data.

Comments

Jan 20, 2011 06:22 AM

Hi,

btw: great article Doug.

I did forget something in my previous post:

The replicated Software Update Policy (SUP) does not allow another target to be attached to it.

I am only allowed to enable or disable it. There was no option on the parent to specify that the target may be changed on the client as it is with other policies.

 

Kind regards

Robert

 

Jan 20, 2011 06:04 AM

Hi,

For testing purposes I did create one Software Update Policy on the Parent SMP including the Bulletin/Updates related to the Outlook junk email filter.

I did enable it for replication as described above, and it did replicate to the child. I was looking forward to seeing that the updates belonging to this policy are staged automatically.

But surprise: a large number of bulletins got marked for staging and are downloaded.

None of the colleagues did right-click those bulletins for staging, nor have they been marked for staging on the parent.

Any ideas?

Are they flagged to be staged automatically because of dependencies?

Kind regards

Robert

 

 

Dec 10, 2010 11:33 AM

> does anyone know if this behaviour changes in 7.1?
There is no plan to change it for 7.1.

Dec 01, 2010 02:53 PM

Nice to have this for reference, thanks.

As part of the setup of PM in a hierarchy there is an initial communication from the child to the parent advising of the "PM Hierarchy Installed Culture".

In PM 7.0, if a bulletin is staged but has no policy, then the package is not replicated. Does anyone know if this behaviour changes in 7.1?

Nov 19, 2010 01:39 AM

The step 4c is eliminated in Patch 7.1.

The patch policies will be replicated in the same way as other policies, e.g. managed software delivery.

Nov 18, 2010 10:27 AM

Unfortunately there is not; the behavior will be automated in the next version, but currently it must be done manually.

Nov 18, 2010 09:40 AM

Great article...  Any way to automate step 4c?  We've completely automated this patch process from staging of bulletins to patch policy creation.  However, the only manual step we have is having to add the patch policy to the replication rule.

It seems a bit redundant to have to create the replication rule to replicate patch policies, then have to add any newly created policies to the rule.  For software managed policies you can replicate everything, etc.

Nov 17, 2010 10:15 PM

I can't believe I forgot to specify but yes it is for version 7.

Nov 17, 2010 04:36 PM

I guess I should have said NS7 or NS71, since hierarchy doesn't apply to NS6x.

Nov 17, 2010 04:34 PM

Is this for NS6x, NS7x?

Nov 17, 2010 03:59 PM

This is the type of detail we need when designing hierarchy and replication structures.  Thanks, Doug.
