Patch Management


End-Of-Life (EOL)

Starting from August 1, 2022, SummitAI will discontinue the active selling, development, and implementation of the Patch Management module.

What is Patch Management?

Using SummitAI Patch Management, the Administrators can aggregate and deploy Software and Operating System Patches provided by the software vendor. Currently, SummitAI supports Patch Management for Microsoft Applications and Operating Systems (*).

(*)

  • Critical Updates
  • Security Updates
  • Update Rollups
  • Definition Update
  • Feature Packs
  • Upgrades
  • Updates

Benefits

  • Aggregate all the incremental Patches provided by the software vendors.
  • Map the Patch Dependency so that the incompatibilities are minimized.
  • Helps the Administrators to plan and test Patch compatibility for a few machines or groups before rolling out across the organization.
  • The Administrators can select and approve Patches to be deployed on the applicable devices/Asset Groups.
  • The Endpoint devices need not be connected to the internet to download and install the Patches.

Solution Architecture

Following are the various components of the Patch Management solution:

  • Patch Jobs running on SummitAI Servers
  • SummitAI Proxy Servers
  • SummitAI Asset Agents on Endpoints


Figure: Patch Management Flow

Process

The following process is followed:

  1. The SUMMIT MS Patch Repository is maintained on the cloud. Microsoft publishes Patches on the second Tuesday of every month.
  2. A job (SUMMIT_PatchJob.exe) is scheduled through the Windows Scheduler to download the Patch list from the cloud to the On-Cloud SummitAI Instance or the On-Premise SummitAI Instance. This job executable is available in the SummitAI Data Collector under the \bin folder.
  3. The Administrators should test the relevant Patches (see: Viewing Patch List) in the test environment and ensure that they are compatible and approve these Patches (see: Approving Patch List). They also need to classify the machines in proper distribution groups (see: Creating Asset Groups), which can be used to deliver the Patches.
  4. The SummitAI Proxy Server downloads the approved Patches from the internet and saves the downloaded files in the local directory (Shared Directory).
  5. The Agents scan the Assets for missing Patches using the MS Patch Offline CAB and get information to download and install the Patches from the MS Patch File Store (see: Configuration for Patches).
  6. The Agents check each missing Patch against the Approved Patches list. If a Patch is approved, the Agents download it from the MS Patch File Store and install it. After the Patch is installed on the Assets, the Patch update information is sent to the SummitAI Proxy Server.
  7. The SummitAI Proxy Server updates the Patch update information in the database for either the On-Cloud SummitAI instance or the On-Premise SummitAI instance.

SummitAI Patch Management ensures that the Assets are scanned for network vulnerabilities, identifies the missing security Patches and hotfixes, applies them, and mitigates the risk. In short, it identifies the missing Patches, checks whether they are approved, deploys them on the Assets, and updates the database with the Patch update information.

Note:

Patches and Patch files can take up substantial disk space. Ensure that the Servers where Patch Management is used have sufficient free disk space.

Configuration

To configure the Patch Management solution, the following three configurations must be completed in this sequence:

  1. Patch Proxy Server Settings: The folder path to the Patch file store and the offline CAB must be specified for each Proxy Server. Domain admin user details need to be provided so that the Proxy Server can communicate with the SummitAI Servers over web services (see: Configuring Patches).
  2. Asset Groups: Asset Groups are created to segregate IT Assets based on various criteria, and Patch deployment to each group can be planned independently. For example, all the devices in the sales team need to be patched on Mondays because the team is in the office on that day. Such groups drive the policy schedules that define when and how often the Assets should be patched.
  3. View and Approve Patches: The Administrators need to keep track of all the new Patch releases, security updates, and hotfixes. The required Patches must be approved after due testing to ensure that only the relevant Patches are applied to the devices (see: Viewing Patch List and Approving Patch List).

Custom Scheduler Configuration

The Administrators need to add jobs in the Custom Scheduler for downloading the approved Patches from the internet (Job Name: Download Approved Patch Files) and for downloading the Offline Patch CAB files (Job Name: Download Offline CAB Patch File). For more information about configuring jobs using the Custom Scheduler, see SummitAI General Online Help.

Prerequisites for Client Machine

  • The Windows Update service needs to be set to Automatic or Manual (Trigger Start), not Disabled.
  • The SummitAI SAM agent should be installed.
  • The SummitAI Proxy Web Service URL should be accessible.
  • The Patch and CAB file shared folders, or the HTTP/HTTPS path to the Patch files, should be accessible.

Additional Configurations Required on Proxy Server and Domain Controller

<add key="IsPatchMgmtEnabled" value="true" />

This key needs to be enabled in Proxy and DC web.config for Patch Management to work.


<add key="PatchMgmt_Interval" value="180" />

This key defines the interval (in minutes) at which the SAM Agent scans for missing Patches and contacts the server to get the approved Patches for installation.
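The two appSettings keys above have to be present in both the Proxy Server and Domain Controller web.config files. The following PowerShell script is an added example and not SummitAI's own tooling: it reports whether the keys are set as documented and, with -Apply, adds or corrects them after taking a backup. The default $ConfigPath is a placeholder; the real location depends on where the SummitAI web applications are installed.

```powershell
# Added example, not SummitAI's own tooling: check or set the two Patch Management
# appSettings keys in a web.config. Run once against the Proxy Server's web.config and
# once against the Domain Controller's. $ConfigPath is a placeholder path.
param(
    [string]$ConfigPath = 'C:\inetpub\wwwroot\SummitAI\web.config',  # placeholder path
    [int]$IntervalMinutes = 180,                                       # value documented above
    [switch]$Apply                                                     # without -Apply, only report
)

function Get-AppSettingValue {
    param([xml]$Config, [string]$Key)
    $node = $Config.configuration.appSettings.add |
        Where-Object { $_.key -eq $Key } | Select-Object -First 1
    if ($node) { return [string]$node.value } else { return $null }
}

function Set-AppSettingValue {
    param([xml]$Config, [string]$Key, [string]$Value)
    $appSettings = $Config.configuration.appSettings
    if (-not $appSettings) { throw "No <appSettings> element found; is this an ASP.NET web.config?" }
    $node = $appSettings.add | Where-Object { $_.key -eq $Key } | Select-Object -First 1
    if ($node) {
        $node.value = $Value
    } else {
        $new = $Config.CreateElement('add')
        $new.SetAttribute('key', $Key)
        $new.SetAttribute('value', $Value)
        [void]$appSettings.AppendChild($new)
    }
}

if ($IntervalMinutes -lt 1) { throw "PatchMgmt_Interval must be a positive number of minutes" }

# Desired state, as documented on this page
$desired = [ordered]@{
    'IsPatchMgmtEnabled' = 'true'
    'PatchMgmt_Interval' = [string]$IntervalMinutes
}

[xml]$config = Get-Content -Path $ConfigPath -Raw
$changes = 0
foreach ($key in $desired.Keys) {
    $current = Get-AppSettingValue -Config $config -Key $key
    if ($current -eq $desired[$key]) {
        Write-Host ("OK       {0} = {1}" -f $key, $current)
    } else {
        Write-Host ("MISMATCH {0}: found '{1}', expected '{2}'" -f $key, $current, $desired[$key])
        Set-AppSettingValue -Config $config -Key $key -Value $desired[$key]
        $changes++
    }
}

if ($changes -gt 0 -and $Apply) {
    # Keep a timestamped backup before writing; ASP.NET recycles the application
    # whenever web.config changes, so apply this in a maintenance window.
    $backup = "{0}.{1}.bak" -f $ConfigPath, (Get-Date -Format 'yyyyMMdd-HHmmss')
    Copy-Item -Path $ConfigPath -Destination $backup
    $config.Save($ConfigPath)
    Write-Host "Saved $changes change(s) to $ConfigPath (backup: $backup)"
} elseif ($changes -gt 0) {
    Write-Host "$changes key(s) differ from the documented values; re-run with -Apply to write them"
}
```

Run it first without -Apply to see the current state of both servers. The script matches keys exactly as written above (IsPatchMgmtEnabled, PatchMgmt_Interval), so a key that is present with different casing is reported as missing rather than silently accepted.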

Whitelist URLs

The following list of URLs should be whitelisted:

http://wsus.ds.b1.download.windowsupdate.com
http://wsus.ds.download.windowsupdate.com
http://wsus.ds.www.download.windowsupdate.com
http://download.windowsupdate.com
http://go.microsoft.com
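The client prerequisites listed under Prerequisites for Client Machine and the URL whitelist above are both things an Administrator will want to verify before the first rollout. The following PowerShell script is an added example, not part of SummitAI's tooling: it checks the Windows Update service start type, the SAM agent service, the Proxy Web Service URL and the shared folders on a client, and tests whether the whitelisted Windows Update URLs can be reached (run that part on the Proxy Server, which performs the downloads). The web service URL, share paths and agent service name are placeholders for this environment.

```powershell
# Added example, not part of SummitAI's tooling: pre-flight checks for the client-machine
# prerequisites and for outbound access to the whitelisted Windows Update URLs.
param(
    [string]$ProxyWebServiceUrl = 'https://summit-proxy.example.local/ProxyWebService', # placeholder
    [string[]]$SharePaths = @('\\fileserver\PatchFileStore', '\\fileserver\OfflineCab'),  # placeholders
    [string]$SamAgentServiceName = 'SummitAI SAM Agent'                                    # placeholder: confirm in services.msc
)

# URLs taken from the "Whitelist URLs" section of this page
$WhitelistUrls = @(
    'http://wsus.ds.b1.download.windowsupdate.com',
    'http://wsus.ds.download.windowsupdate.com',
    'http://wsus.ds.www.download.windowsupdate.com',
    'http://download.windowsupdate.com',
    'http://go.microsoft.com'
)

function Test-HttpReachable {
    param([string]$Url)
    try {
        $null = Invoke-WebRequest -Uri $Url -Method Head -UseBasicParsing -TimeoutSec 10
        return $true
    } catch {
        # A 4xx/5xx reply still proves the host was reached through the firewall or web proxy;
        # only a missing response (DNS failure, connection refused, timeout) means it is blocked.
        return [bool]$_.Exception.Response
    }
}

function Test-WindowsUpdateStartType {
    # Get-Service exposes StartType on PowerShell 5.0 and later. 'Manual' covers
    # "Manual (Trigger Start)"; the page requires Automatic or Manual, not Disabled.
    $svc = Get-Service -Name wuauserv -ErrorAction Stop
    return ($svc.StartType -in @('Automatic', 'Manual'))
}

function Test-ServiceRunning {
    param([string]$Name)
    $svc = Get-Service -Name $Name -ErrorAction SilentlyContinue
    return ($null -ne $svc -and $svc.Status -eq 'Running')
}

$results = @()
$results += [pscustomobject]@{ Check = 'wuauserv start type is Automatic or Manual'; Passed = (Test-WindowsUpdateStartType) }
$results += [pscustomobject]@{ Check = "SAM agent service '$SamAgentServiceName' running"; Passed = (Test-ServiceRunning -Name $SamAgentServiceName) }
$results += [pscustomobject]@{ Check = "Proxy web service $ProxyWebServiceUrl reachable"; Passed = (Test-HttpReachable -Url $ProxyWebServiceUrl) }
foreach ($path in $SharePaths) {
    $results += [pscustomobject]@{ Check = "Share $path accessible"; Passed = (Test-Path -Path $path) }
}
foreach ($url in $WhitelistUrls) {
    $results += [pscustomobject]@{ Check = "Whitelisted URL $url reachable"; Passed = (Test-HttpReachable -Url $url) }
}

$results | Format-Table -AutoSize
# Non-zero exit code so the script can gate a deployment task sequence
if ($results.Passed -contains $false) { exit 1 }
```

Invoke-WebRequest honours the system proxy settings of the account running the script, so the URL checks exercise the same path the Patch download jobs will use; run them as the service account where possible. Test-Path on a UNC share likewise reflects the permissions of the calling account, which is the same requirement the Agents have when they read the Patch and CAB files.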

Reports

A few reports are available to provide a complete picture about Patches to the Administrator and Network teams. For more information about Patch reports, see Patch Reports.

Known Issues

  • No support for Driver Patch updates.
  • Some of the Patches display errors and cannot be installed.
  • The prerequisites for Patch installation are not checked.