How to create and configure an Automate Patch Deployment task?
Need for automated patch deployment:
With the steady rise in attack vectors and in the frequency of attacks, it is essential to keep every enterprise endpoint patched and up to date around the clock. The best way to address this is a systematic, automated solution that manages patches for multiple operating systems and third-party applications. Endpoint Central's Automate Patch Deployment (APD) feature lets system administrators deploy the patches missing from their network computers automatically, without manual intervention.
Benefits of Automated Patch Deployment
- Deployments are fast, and security is tightened because approved patches are already downloaded and ready to deploy.
- All approved patches are deployed in the very next deployment window after they are downloaded; there is no need to wait for the next APD scheduler run to trigger the deployment.
- When a computer goes offline and later regains network connectivity, new vulnerabilities and patches may have been released that the computer is missing. When the agent contacts the server again, it is scanned in the next refresh cycle, the missing patches are detected and recorded on the server, and the agent deploys them in the subsequent refresh cycle that falls within the deployment window. There is no need to worry about the agent's contact time or a prolonged vulnerable state.
- The agent continues deploying until no patch matching the APD task's criteria is missing.
- APD also provides a detailed view of the patching history.
Follow the steps given below to create and configure an Automate Patch Deployment task:
Configure Patch Database Settings to specify the interval at which the Endpoint Central server synchronizes with the patch database and collects details of the latest available patches.
After synchronizing with the Patch Database, the Endpoint Central server has details of the latest patches released. In the next refresh cycle, Endpoint Central agents automatically scan their computers to check whether the newly available patches are missing. With Automate Patch Deployment, those missing patches are then deployed automatically in the next deployment window defined by the task's deployment policy, so that all the computers in the network stay fully patched.
Steps to create an APD task
Follow the steps given below to create tasks for automating patch deployment for a set of computers:
- Navigate to Patch Mgmt -> Deployment -> Automate Patch Deployment. This view will display all the tasks that are created.
- Click 'Automate Task' to create a new task for Windows/Mac/Linux and name your task.
- Configure required details for the following steps:
- Select Applications - The type of OS and third-party apps to patch
- Choose Deployment Policy - Configure how and when to deploy the patches based on your enterprise's patching requirements
- Define Target - Select the target computers to deploy patches
- Configure Notifications - Receive notifications on the deployment status
Deploy Operating System updates
If you want to deploy updates related only to operating systems (for example Windows, Mac or Linux), enable one or more of the following check boxes:
- Security Updates - all security updates, with the severity specified as Critical/Important/Moderate/Low/Unrated, for:
  - Mac (Security and Supplemental updates)
  - Linux (Ubuntu, Debian, Pardus, CentOS, Red Hat, Oracle and SUSE)
- Non-Security Updates - all non-security updates for:
  - Linux (Red Hat, Ubuntu, CentOS and Oracle)
- Updates that are applicable only to Windows:
  - Service Packs - A tested, cumulative set of all hotfixes, security updates, critical updates and updates for different versions of the Windows OS.
  - Rollups - A cumulative set of updates, including both security and reliability updates, packaged together for easy deployment as a single update; a rollup also includes updates released in the past.
  - Optional Updates - Also called Preview Rollups: an optional, cumulative set of new updates packaged together and released ahead of the next Monthly Rollup so that customers can download, test and provide feedback on them in advance.
  - Feature Packs - New product functionality that is included in the full product release.
  - Driver Updates - Used to automatically update the network, sound and video drivers present in your systems. See the list of driver updates supported by Endpoint Central for full coverage.
Deploy Third-Party Updates
If you want to deploy updates related only to third-party applications, specify the severity as Critical/Important/Moderate/Low/Unrated.
Specify whether you want to deploy updates for all applications, or include/exclude specific applications.
Deploy Anti-Virus Updates
Select this option to deploy anti-virus definition updates for the following products: McAfee VirusScan Enterprise, Microsoft Forefront Endpoint Protection 2010 Server Management, Microsoft Forefront Endpoint Protection 2010 Server Management x64, Microsoft Forefront Client Security, Microsoft Forefront Client Security x64, Microsoft Security Essentials and Microsoft Security Essentials x64.
You can delay the deployment of patches to give them time to prove stable. Choose to deploy patches either a specific number of days after their release or a specific number of days after their approval.
For example, if you specify "5 days after release", a patch is deployed only 5 days after the day Endpoint Central began supporting it. If you choose "5 days after approval", the patch is deployed only 5 days after it was marked as approved.
Choose Deployment Policy
- Customize the patching process according to your enterprise's requirements by configuring the Deployment Policy settings.
- The Deployment Policy details:
- Deployment frequency - Select how frequently you want to carry out the deployment
- Deployment window - The time interval during which patches need to be deployed
- Deployment will be initiated at - Select if deployment should happen during the system startup or the refresh cycle within the Deployment Window chosen.
- If you have set any policy as default, then the default policy will be automatically applied to the configuration.
- Based on your requirements, you can choose from the available list of pre-defined policies or create a policy of your choice.
- Click on View Details to see policy details and the list of configurations to which the policy is applied to.
- The Expiry setting allows you to suspend a task after a specified period of time.
- Select the target computers for which deployment has to be performed. The target can be a whole domain or remote offices. If you select the entire domain as target, this will also include all the remote offices in that specific domain.
- You can filter targets based on sites, OU, Group, specific computers and more.
- 'Exclude Target' allows you to select certain targets that you want to exclude from the patch deployment task. For example, you can exclude server machines while deploying non-security updates.
Configure Notification settings to receive email notifications for the following:
- Failure in the deployment/download of the APD task
- Daily status reports on the APD task
Click Save to create the task. From now on, the missing patches are deployed automatically to all the chosen computers within the deployment window specified in the selected deployment policy.
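The selection rules described above (the severity filter, the "Delay deployment" option measured from release or from approval, the deployment window, and excluded targets) can be modelled in a few lines. The following is an added illustrative model, not Endpoint Central's code or any API of the product; the class and function names, the assumed 22:00-06:00 deployment window, the 90-minute refresh interval and the patch records are all constructed for the example. It also walks successive refresh cycles, which shows the behaviour noted under the benefits that deployment continues until nothing matching the task's criteria remains missing, and it handles a deployment window that crosses midnight, which is the case a naive start <= now < end comparison gets wrong.

```python
"""Illustrative model of how an Automate Patch Deployment (APD) task picks
patches in a refresh cycle. Added example with hypothetical names and
constructed data; it is not Endpoint Central's code or API."""
from __future__ import annotations

from dataclasses import dataclass
from datetime import date, datetime, time, timedelta
from typing import Optional


@dataclass
class Patch:
    patch_id: str
    severity: str                    # Critical/Important/Moderate/Low/Unrated
    released: date                   # day the patch became supported (release)
    approved: Optional[date] = None  # day an admin approved it, if ever


@dataclass
class ApdTask:
    severities: frozenset             # severities chosen in "Select Applications"
    delay_days: int = 0               # "Delay deployment" value
    delay_from: str = "release"       # "release" or "approval"
    window_start: time = time(22, 0)  # assumed deployment window 22:00-06:00
    window_end: time = time(6, 0)     # end before start means it crosses midnight
    excluded_targets: frozenset = frozenset()


def in_deployment_window(now: datetime, task: ApdTask) -> bool:
    """True if 'now' falls inside the task's deployment window.
    A window whose end is earlier than its start (22:00-06:00) wraps midnight."""
    t = now.time()
    if task.window_start <= task.window_end:
        return task.window_start <= t < task.window_end
    return t >= task.window_start or t < task.window_end


def delay_elapsed(patch: Patch, task: ApdTask, today: date) -> bool:
    """Apply the delay rule: N days after release, or N days after approval.
    Under the approval rule an unapproved patch is never deployed."""
    if task.delay_from == "approval":
        if patch.approved is None:
            return False
        base = patch.approved
    else:
        base = patch.released
    return today >= base + timedelta(days=task.delay_days)


def eligible_patches(now: datetime, task: ApdTask, missing: list[Patch]) -> list[str]:
    """Patch IDs the agent would deploy in the refresh cycle starting at 'now'."""
    if not in_deployment_window(now, task):
        return []
    return sorted(p.patch_id for p in missing
                  if p.severity in task.severities
                  and delay_elapsed(p, task, now.date()))


def targets_to_patch(targets: list[str], task: ApdTask) -> list[str]:
    """Apply 'Exclude Target': e.g. keep servers out of a non-security task."""
    return [t for t in targets if t not in task.excluded_targets]


def simulate(start: datetime, task: ApdTask, missing: list[Patch],
             refresh_minutes: int = 90, max_cycles: int = 96):
    """Walk refresh cycles from 'start', deploying whatever is eligible in
    each, until nothing matching the task's criteria is still missing.
    Returns ([(cycle_time, deployed_ids), ...], ids still missing)."""
    remaining = [p for p in missing if p.severity in task.severities]
    history, now = [], start
    for _ in range(max_cycles):
        if not remaining:
            break
        ids = eligible_patches(now, task, remaining)
        if ids:
            history.append((now, ids))
            remaining = [p for p in remaining if p.patch_id not in ids]
        now += timedelta(minutes=refresh_minutes)
    return history, [p.patch_id for p in remaining]


# Constructed sample data for the example (not a real scan result).
MISSING = [
    Patch("KB-A", "Critical", date(2024, 3, 12), approved=date(2024, 3, 13)),
    Patch("KB-B", "Important", date(2024, 3, 12)),  # never approved
    Patch("KB-C", "Low", date(2024, 3, 1), approved=date(2024, 3, 2)),
    Patch("KB-D", "Critical", date(2024, 3, 16), approved=date(2024, 3, 16)),
]
CRIT_IMP = frozenset({"Critical", "Important"})
TASK_RELEASE = ApdTask(CRIT_IMP, delay_days=5, delay_from="release",
                       excluded_targets=frozenset({"srv01"}))
TASK_APPROVAL = ApdTask(CRIT_IMP, delay_days=5, delay_from="approval")

if __name__ == "__main__":
    now = datetime(2024, 3, 18, 23, 30)  # inside the 22:00-06:00 window
    print("5 days after release :", eligible_patches(now, TASK_RELEASE, MISSING))
    print("5 days after approval:", eligible_patches(now, TASK_APPROVAL, MISSING))
    print("targets:", targets_to_patch(["ws01", "ws02", "srv01"], TASK_RELEASE))
    print("cycles :", simulate(now, TASK_RELEASE, MISSING))
```

Running it shows the practical difference between the two delay modes: on 18 March the release-based task deploys KB-A and KB-B (KB-B was never approved, which the release rule does not care about), while the approval-based task deploys only KB-A. KB-D is held back by both until its 5-day delay elapses, and the simulation picks it up in the first in-window refresh cycle on 21 March.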
Frequently Asked Questions
- If "Schedule scan" is removed, will I be able to scan my machines at all?
Yes. Vulnerabilities increase every day, so up-to-date scan data on which computers in the network are missing critical and important patches is essential. The scan task is therefore automated: after each patch database sync, if new patches were released since the previous sync, agents scan automatically in their subsequent refresh cycle.
- Will an automatic scan overburden the server with multiple requests? Will it choke the network traffic?
Definitely not. The scan happens right after the database is synced. Each scan detects the latest missing patches, which are then downloaded to the server. Agents post only the diff scan data (the difference between two consecutive scans), so the server is not overburdened.
Network traffic is not affected either, because the server does not initiate an on-demand scan. As with a configuration, each agent scans only in its own subsequent refresh cycle, so the traffic is distributed across the refresh interval and the network remains undisturbed.
- How do I get reports of missing patches after the scan is completed?
Use Schedule Reports (Reports -> Schedule Reports). For example, schedule the report to be emailed 2 hours after the database sync; you can also configure any other frequency you wish.
- How do I view the report of patches to be installed in APD?
Navigate to 'Patch View' from APD (APD --> Patch View).
- I usually delay the patch installation by scheduling it 2 weeks after 'Patch Tuesday'. How will things be different for me?
No problem at all. You can still use the "Delay deployment" option under APD, using which you can:
- What happens if I do not migrate the tasks to the new workflow?
You have a timeframe of 90 days to migrate. After 90 days, a notification will be sent and your APD tasks will be deleted. Hence, it is recommended to migrate your APD tasks within 90 days.