Patch Management
- sivani.sahu
- Mayuresh Balaji Kamble
- Enterprise IT
End-Of-Life (EOL)
Starting from August 1, 2022, SummitAI will discontinue the active selling, development and implementation of the Patch Management module.
What is Patch Management?
Using SummitAI Patch Management, the Administrators can aggregate and deploy Software and Operating System Patches provided by the software vendor. Currently, SummitAI supports Patch Management for Microsoft Applications and Operating Systems (*).
(*)
- Critical Updates
- Security Updates
- Update Rollups
- Definition Update
- Feature Packs
- Upgrades
- Updates
Benefits
- Aggregate all the incremental Patches provided by the software vendors.
- Map the Patch Dependency so that the incompatibilities are minimized.
- Helps the Administrators to plan and test Patch compatibility on a few machines or groups before rolling out across the organization.
- The Administrators can select and approve Patches to be deployed on the applicable devices/Asset Groups.
- The Endpoint devices need not be connected to the internet to download and install the Patches.
Solution Architecture
Following are the various components of the Patch Management solution:
- Patch Jobs running on SummitAI Servers
- SummitAI Proxy Servers
- SummitAI Asset Agents on Endpoints
Figure: Patch Management Flow
Process
The following process is followed:
- The SUMMIT MS Patch Repository is maintained on the cloud. Microsoft publishes Patches on the second Tuesday of every month.
- A job (SUMMIT_PatchJob.exe) is scheduled (Windows Scheduler) to download the Patch list from the cloud to the On-Cloud SummitAI Instance or the On-Premise SummitAI Instance. This job exe is available in the SummitAI Data Collector under the \bin folder. To optimize the process of patch schema synchronization, see Synchronizing Patch Schema in Optimized way.
- The Administrators should test the relevant Patches (see: Viewing Patch List) in the test environment and ensure that they are compatible and approve these Patches (see: Approving Patch List). They also need to classify the machines in proper distribution groups (see: Creating Asset Groups), which can be used to deliver the Patches.
- The SummitAI Proxy Server downloads the approved Patches from the internet and saves the downloaded files in the local directory (Shared Directory).
- The Agents scan the Assets for missing Patches using the MS Patch Offline CAB and get information to download and install the Patches from the MS Patch File Store (see: Configuration for Patches).
- The Agents install a Patch only if it is in the Approved Patches list. For each approved Patch, the Agents download the Patch from the MS Patch File Store and install it. After the Patch is installed on the Assets, the Patch update information is sent to the SummitAI Proxy Server.
- The SummitAI Proxy Server updates the Patch update information in the database, for either the On-Cloud SummitAI instance or the On-Premise SummitAI instance.
SummitAI Patch Management ensures that the Assets are scanned for network vulnerabilities, identifies the missing security patches and hotfixes, applies them, and mitigates the risk. In short, it identifies the missing Patches, checks whether the Patches are approved, deploys them on the Assets, and updates the database with the Patch update information.
Note:
Patches and Patch files can take up substantial disk space. Ensure that the Servers where Patch Management is used have ample free disk space.
Configuration
To configure the Patch Management solution, the following three configurations must be completed (follow the sequence):
- Patch Proxy Server Settings: The folder path to the Patch file store and the offline CAB must be specified for each Proxy Server. Domain admin user details need to be provided to be able to communicate over web services to the SummitAI Servers (see: Configuring Patches).
- Asset Groups: Asset Groups are created to segregate IT Assets based on various criteria. Patch deployment to these groups can be planned independently. For example, all the devices in the sales team need to be patched on Mondays because that is the day the team is in the office. Such groups drive the policy schedules that define when such Assets should be patched and at what frequency.
- View and Approve Patches: The Administrators need to keep a track of all the new Patch releases, security updates, and hotfixes. The required Patches must be approved after due testing to ensure only the relevant Patches are applied to the devices (see: Viewing Patch List and Approving Patch List).
Custom Scheduler Configuration
The Administrators need to add jobs in the Custom Scheduler for downloading the approved Patches from the internet (Job Name: Download Approved Patch Files) and for downloading the Offline Patch CAB files (Job Name: Download Offline CAB Patch File). For more information about configuring jobs using the Custom Scheduler, see SummitAI General Online Help.
Prerequisites for Client Machine
- The Windows Update service must be set to Automatic startup, not Disabled.
- The SummitAI SAM agent must be installed.
- The SummitAI Proxy Web Service URL must be reachable.
- The Patch and CAB file shared folders (or the http/https patch location) must be accessible.
Additional Configurations Required on Proxy Server and Domain Controller
<add key="IsPatchMgmtEnabled" value="true" />
This key needs to be enabled in Proxy and DC web.config for Patch Management to work.
<add key="PatchMgmt_Interval" value="180"/>
This key defines the interval (in minutes) at which the SAM Agent scans for missing Patches and contacts the server to get the approved Patches for installation.
Whitelist URLs
The following list of URLs should be whitelisted:
http://wsus.ds.b1.download.windowsupdate.com
http://wsus.ds.download.windowsupdate.com
http://wsus.ds.www.download.windowsupdate.com
http://download.windowsupdate.com
http://go.microsoft.com
Synchronizing Patch Schema in Optimized way
Earlier, while synchronizing the Patch schema from the SummitAI cloud, the Patch schema job downloaded the schema from the SummitAI cloud, which fetched the information directly from the Patch database. The patch synchronization process was time-consuming, and sometimes, due to network bandwidth limitations, the sync failed. As a result, patches could not be deployed immediately, because the customer had to wait until all the patches were downloaded and synchronized.
To avoid this issue, the SummitAI Patch Cloud Server has been optimized.
Now, the Patch schema job downloads the Patch schema information from the SummitAI Patch Cloud repository to the respective customer's instance consistently (see Step 1, Figure 1), so that all the customer instances are kept up to date in minimal time. Instead of downloading the schema directly from the Patch cloud database, it downloads the data from an extracted and compressed file. The cloud patch server extracts the data on a schedule, compresses it, and stores it in a flat file so that every customer instance can download from that extracted file.
A similar flat file is available in the Customer's local environment once the patch schema job is completed. This enables the Administrator to perform the patch deployment into multiple instances without hitting the SummitAI cloud Patch Repository (see Step 2, Figure 1).
Figure: Patch Schema Sync Architecture
As part of this optimization, there are now two options to download the patches:
- Option 1: Download Patches from the SummitAI cloud server
Set the "app:ProcessOfflineFiles" key to False in the Patch schema job exe config file. Customers use this option on the main instance to synchronize the Patch details from the cloud.
- Option 2: Download Patches from the customer parent instance to a child instance
Customers who have multiple patching server instances can download the schema details from the main Patch instance instead of from the SummitAI cloud.
The following settings are required in the child patch job server config file:
- Specify the path of the parent Patch schema folder (the schema that was downloaded from the SummitAI cloud) in the key below, so that the child patch job server can process the offline data. For example:
<add key="CentralizedProxyUrl" value="\\PARENTPATCHSERVER\Patch_Schema_ZipData_Live_Master\"/>
- Set the "app:ProcessOfflineFiles" key to True in the child proxy:
<add key="app:ProcessOfflineFiles" value="True"/>
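As an added example (not SummitAI's own code), the following Python script reads the appSettings keys documented above and under Additional Configurations and checks them for consistency: IsPatchMgmtEnabled must be true and PatchMgmt_Interval a positive number of minutes in the Proxy/DC web.config, and a child patch job config that sets app:ProcessOfflineFiles to True must also point CentralizedProxyUrl at the parent's schema share. The XML fragments below are constructed samples; the mode names "cloud" and "parent" are this example's own labels for Option 1 and Option 2.

```python
import xml.etree.ElementTree as ET

# Constructed sample: Proxy / Domain Controller web.config fragment
PROXY_WEB_CONFIG = """<configuration>
  <appSettings>
    <add key="IsPatchMgmtEnabled" value="true" />
    <add key="PatchMgmt_Interval" value="180"/>
  </appSettings>
</configuration>"""

# Constructed sample: child patch job server config (Option 2)
CHILD_JOB_CONFIG = """<configuration>
  <appSettings>
    <add key="app:ProcessOfflineFiles" value="True"/>
    <add key="CentralizedProxyUrl" value="\\\\PARENTPATCHSERVER\\Patch_Schema_ZipData_Live_Master\\"/>
  </appSettings>
</configuration>"""


def app_settings(xml_text):
    """Return {key: value} for every <add> under <appSettings>."""
    root = ET.fromstring(xml_text)
    out = {}
    for section in root.iter("appSettings"):
        for add in section.findall("add"):
            if add.get("key"):
                out[add.get("key")] = add.get("value", "")
    return out


def check_proxy_config(settings):
    """Findings for the Proxy / DC web.config keys; empty list means OK."""
    findings = []
    if settings.get("IsPatchMgmtEnabled", "").strip().lower() != "true":
        findings.append("IsPatchMgmtEnabled must be 'true', otherwise Patch Management stays off")
    interval = settings.get("PatchMgmt_Interval", "").strip()
    if not interval.isdigit() or int(interval) <= 0:
        findings.append("PatchMgmt_Interval must be a positive number of minutes")
    return findings


def sync_mode(settings):
    """'parent' (Option 2) when app:ProcessOfflineFiles is True, else 'cloud' (Option 1)."""
    flag = settings.get("app:ProcessOfflineFiles", "False").strip().lower()
    return "parent" if flag == "true" else "cloud"


def check_job_config(settings):
    """Findings for the Patch schema job config; empty list means OK."""
    findings = []
    parent = settings.get("CentralizedProxyUrl", "").strip()
    if sync_mode(settings) == "parent" and not parent.startswith("\\\\"):
        findings.append("Option 2 needs CentralizedProxyUrl set to the parent's schema share (UNC path)")
    if sync_mode(settings) == "cloud" and parent:
        findings.append("CentralizedProxyUrl is set but ProcessOfflineFiles is False (Option 1, cloud sync); confirm which option is intended")
    return findings
```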
Reports
A few reports are available to provide a complete picture about Patches to the Administrator and Network teams. For more information about Patch reports, see Patch Reports.
Known Issues
- No support for Driver Patch updates.
- Some of the Patches display errors and cannot be installed.
- The prerequisites for Patch installation are not checked.