getting started with patching (patching 101)

Dell World User Forum

UFIL518: Getting Started with Patching

Veryl White, Senior Trainer

Peter Doerfer, Senior Trainer

Dell WorldUser Forum

Dell World User Forum

Agenda

• Patching Overview

• Glossary of Terms

• Subscribing & Downloading

• Detecting & Deploying Patches

• Now what?

Dell World User Forum

Patching Overview – Plan of Action

Subscription Settings

• Select OSes, SP-levels, Architectures

• Select Languages

• Select Patch Types

Get (thousands of ) Patch Signature Files

DetectAll

Patches

• Detect All Patches on All Machines

Build List of All Patches Needed by Each Machine

Download Packages

• Set K1000 to Download Patches Detected As Missing

(Very few ) Packages Get Downloaded

SchedulePatch

Deployments

• Deploy *All Patches* to Test Machines

• Label +30 Day Old Patches / Unwanted Patches (JRE, iTunes, etc.)

• Deploy *Labeled Patches* to Production Environment

Your Machines Get Patched!

Verification & Clean-Up

• Follow-Up Investigation of Selected Machines / Bulk Reporting

K1000 Cleans-Up Unused Patches

Dell World User Forum

Glossary

Dell World User Forum

Importance of Patches

Security – A really important patchNon-Security – A really important patchOS Patch – A really important patchApp Patch – A really important patchCritical – A really important patchRecommended – A really important patch

Defining Terms – What are patches?

Patch Signature

A small ‘’pattern-matching’’ file, necessary for detecting whether a specific patch is needed by a machine.

Patch Package

A larger file containing the actual payload, necessary for deploying the patch to a machine.

Quite often these are meaningless distinctions. For instance Microsoft considers Operating System Service Packs as Application Patches! They also frequently mark Security fixes as non-Security patches!

Dell World User Forum

Demo: Patch ListingPatch Listing Demonstration Guided Walk-Through

Active, Inactive

Downloaded, Not-Downloaded

Patched, Not Patched, Error

Impact, Severity

Patch Detail

Dell World User Forum

Subscribing to andDownloading Patches

Dell World User Forum

Getting Patches

Subscribe to Signatures

OS, Architecture, Service Pack levelsPatch TypesExclusions

Signature Download

Delayed – on purposeGet them (at least) daily

Package Download

Only “Needed” PatchesGet them often

Dell World User Forum

Subscribe to the OS, Architectures, and Service Pack levels you have

Subscription Settings

Use the Software Inventory!

• Saved queries will be useful for now…and later!

Advanced Search

Smart Label

Security, OS/APP, Severity, etc.

• Remember the caveats we already mentioned:

Will you always agree with the patch vendor on the “importance” of a patch?

Software Installers?

Use Patch Labels to exclude patches you want ignored in your environment.

Select the Patch Types you want

Dell World User Forum

Signature Files

Downloading Patches

• Patches may come out at any time during the month, due to our patch-provider testing the Patches prior to releasing them! This is a good thing!

• Be sure to download at least once a day, to ensure you always have the latest patches for detections.

Package Files• Once the K1000 has detected which of the patches are needed by your

machines, it can then download only those packages.• The more often your K1000 downloads the needed patches, the sooner they

are available for deployment.

Dell World User Forum

Detecting & Deploying Patches

Dell World User Forum

Detections and Deployments

Detect

Compatible Patches DetectedSilent, Non-invasive

Deploy

Only “Needed” PatchesInstalled in batchesSilent or Interactive

Discuss

What works?

Dell World User Forum

Detect Schedule

• Schedule a regular Detect on all of your machines to keep the K1000 updated on which patches are needed by which machines.

• The K1000 will use the Patch Signature, to detect which patches are needed on each machine you target.

• It will only detect the need for those patches that are compatible with the OS (etc.) on that machine. This will build a list of needed patches for each individual machine.

• The combined lists of these needed patches make up the Package Download manifest, minus packages that have already been downloaded.

Dell World User Forum

Deploy Schedule

Deploy Patches

Reboot

Dell World User Forum

Deploy Schedule

Most Important Settings:• Patch Action:

Deploy

• Machine Selection:

Machine Smart Label

Chassis Type contains Laptop AND

Label Names does not contain Test Machines

• Detect Patch Label Selection

• Deploy Patch Label Selection

• Reboot Options Prompt User

• Run On Next Connection if Offline

Dell World User Forum

Detect and Deploy Schedule

NO

Dell World User Forum

Detect and Deploy Schedule

Most Important Settings:• Patch Action:

Detect and Deploy

• Machine Selection:

Machine Smart Label

Chassis Type contains Desktop AND

Label Names does not contain Test Machines

• Detect Patch Label Selection

• Deploy Patch Label Selection

• Reboot Options Force Reboot

• Suspend Tasks After X Minutes From Scheduled Start

Dell World User Forum

Demo: Detect & Deploy Patches

• Patch SchedulingGuided Walk-Through

– Alerts

– Reboot Options

– Patch Schedule Scenarios

Dell World User Forum

Now what?

Dell World User Forum

Things to attend to

Verification

Entire ScheduleIndividual Machine

Reporting

Lots of new reports in 6.0ITNinja.com!

Clean-Up

Automatic

Dell World User Forum

Let’s Take a Look…

• Entire Schedule

Dell World User Forum

Let’s Take a Look…

• Single Machine

Dell World User Forum

Let’s Take a Look…

• Patch Reports

Dell World User Forum

Clean Up Unused Patches

• Eventually many of the currently downloaded patch packages will get deployed to all machines that need them. The K1000 can be configured to delete these “no longer needed” packages.

Delete Unused Patches After X Days:

Deletes Patch Package Files

Keeps Patch Signature Files

Patches Will Continue to be Detected

If Ever Needed Again, Will Be Downloaded Again

Dell World User Forum

Review

Patching Success

OS

Office

Adobe

JAVA

Subscription Settings

• Select OSes, SP-levels, Architectures

• Select Languages

• Select Patch Types

Get (thousands of ) Patch Signature Files

DetectAll

Patches

• Detect All Patches on All Machines

Build List of All Patches Needed by Each Machine

Download Packages

• Set K1000 to Download Patches Detected As Missing

(Very few ) Packages Get Downloaded

SchedulePatch

Deployments

• Deploy *All Patches* to Test Machines

• Label +30 Day Old Patches / Unwanted Patches (JRE,iTunes, etc.)

• Deploy *Labeled Patches* to Production Environment

Your Machines Get Patched!

Verification & Clean-Up

• Follow-Up Investigation of Selected Machines / Bulk Reporting

K1000 Cleans-Up Unused Patches

Dell World User Forum

Round-Table Discussion

Topics for discussion:

• Scenarios Not Discussed

– Example: Urgent Patch Deployment (zero day)

• ITNinja Patch Reports

• KACE KB Patch Reports

Dell World User Forum

Thank you.

Dell World User Forum

KACE Support Portal Migrating to Dell Software Support Portal

• Starting in November, all KACE Support Portal material will be migrated to the Dell Software Support Portal

• All service requests will be submitted online or by phone

• Same great content

– Knowledge base articles

– Video tutorials

– Product documentation

– JumpStart training

• Check out the Support Portal Getting Started videos