How to get Started with Patch and Compliance Manager

Version 20

    Verified Product Versions

    Endpoint Manager 9.6
    Endpoint Manager 2016.x
    Endpoint Manager 2017.x
    Endpoint Manager 2018.x

    Introduction

    This document gives a new Ivanti EPM administrator a quick way to set up Patch Manager.  It is certainly not the only way to do it, but it will give you a solid starting place to build upon.

     

    Assumptions

    A Patch Manager license is required for full functionality.  Without it, you will not see Vulnerabilities or Security Threats in Patch Manager.  You will still have access to Ivanti Updates, which can be deployed to your clients via Patch Manager.

     

    It is also assumed that the Ivanti EPM core has been installed and agents deployed.

    The core server needs an Internet connection that allows access to LANDESK.com, Ivanti.com and vendor websites such as microsoft.com, google.com, apple.com and adobe.com in order to download definitions and patches.  The clients need network access to the core server.

     

    Outline

    Patch and Compliance Manager Basics
    Handling Replaced Definitions
    Download Patch Content
    Distribution and Patch Settings
    Scanning the Clients
    Repairing Clients
    Creating a Custom Patch Group
    Using a Custom Group to Repair
    Expanding the Deployment
    Conclusion

    Patch and Compliance Manager Basics

    Ivanti EPM uses definitions to scan clients for vulnerabilities.  A definition is a group of rules that tells the scanning engine (vulscan.exe) what to look for to determine whether a machine needs a patch.

    These definitions are written by Ivanti and are downloaded to the core server from the Ivanti Patch Content servers.

    The Ivanti EPM administrator determines which definitions client devices are scanned for.

    A client must scan and be found vulnerable to a definition before it will attempt to repair that vulnerability (apply the patch).

     

    Handling Replaced Definitions

    One of the advantages of Ivanti EPM Patch and Compliance Manager is that, wherever possible, the scanning engine checks file versions to determine whether a patch is needed.  This lets it recommend only the latest patches instead of wasting time installing patches that newer patches have already replaced.

     

    1. Go to Tools - Security and Compliance - Patch and Compliance
    2. Click the cog wheel icon (Configure Settings) and select Definition Download Settings
    3. Click New
    4. Set Definition Type to Vulnerability
    5. Set Severity to Any
    6. Set Comparison to None
    7. On the Scan tab, check "Assign Scan Status"
    8. Select "Scan (Global)" in the "Global Scan Status" drop-down
    9. Check "Disable any rules this definition replaces"
    10. Click OK
    11. Click Close

     

    For further information on handling replaced patches, see How To: Manage Superceded Patches in Patch and Compliance Manager
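    To make the scanning and replacement behaviour concrete, the following Python model is an added example for this article, not Ivanti or LANDESK code. It scans a constructed file inventory against hand-written definitions: each definition carries file-version rules, a newer definition lists the older ones it replaces, and a filter equivalent to "Disable any rules this definition replaces" is applied before the scan. The definition IDs, file paths, versions and severity ordering are assumptions; the real vulscan.exe evaluates Ivanti-authored definitions with far richer rule types than the single file-version check modelled here.

```python
"""Toy model of definition-based scanning with replaced (superseded) definitions.

Added example for this article, not Ivanti/LANDESK code. Definition IDs, file
paths, versions and the severity ordering are constructed sample data; the real
scanner (vulscan.exe) evaluates Ivanti-authored definitions with far richer
rule types than the single file-version check modelled here.
"""
from __future__ import annotations

from dataclasses import dataclass

# Assumed ordering for the article's advice: service packs first, then Critical.
SEVERITY_ORDER = {"Service Pack": 0, "Critical": 1, "High": 2, "Medium": 3, "Low": 4}


def parse_version(text: str) -> tuple[int, ...]:
    """'10.0.12' -> (10, 0, 12): compare numerically, not as strings ('10.0.9' > '10.0.12')."""
    return tuple(int(part) for part in text.split("."))


@dataclass(frozen=True)
class FileRule:
    """Detection rule: the patch is present once `path` is at least `fixed_version`."""
    path: str
    fixed_version: str


@dataclass
class Definition:
    id: str
    severity: str
    rules: tuple[FileRule, ...]
    replaces: tuple[str, ...] = ()   # older definitions this one supersedes
    scan_enabled: bool = True        # the "Global Scan Status" the admin assigns


def disable_replaced(definitions: dict[str, Definition]) -> dict[str, Definition]:
    """Model of 'Disable any rules this definition replaces': every definition
    superseded by an enabled newer one is dropped from the scan set."""
    for defn in definitions.values():
        if defn.scan_enabled:
            for old_id in defn.replaces:
                if old_id in definitions:
                    definitions[old_id].scan_enabled = False
    return definitions


def is_vulnerable(defn: Definition, inventory: dict[str, str]) -> bool:
    """A rule fires when the file exists and is older than the fixed version.
    A missing file means the product is not installed, so the rule is not applicable."""
    for rule in defn.rules:
        installed = inventory.get(rule.path)
        if installed is not None and parse_version(installed) < parse_version(rule.fixed_version):
            return True
    return False


def scan(definitions: dict[str, Definition], inventory: dict[str, str]) -> list[str]:
    """Detected definition IDs, service packs first, then by severity and ID."""
    detected = [d for d in definitions.values() if d.scan_enabled and is_vulnerable(d, inventory)]
    detected.sort(key=lambda d: (SEVERITY_ORDER.get(d.severity, 99), d.id))
    return [d.id for d in detected]


def plan_repair(definitions: dict[str, Definition], inventory: dict[str, str],
                requested: list[str]) -> list[str]:
    """A client repairs only what its own scan detected: requested definitions it
    is not vulnerable to (not installed, or already patched) are skipped."""
    detected = set(scan(definitions, inventory))
    return [defn_id for defn_id in requested if defn_id in detected]


def sample_definitions() -> dict[str, Definition]:
    """Constructed sample: KB-2 ships a newer build of the same DLL and replaces KB-1."""
    return {
        "KB-1": Definition("KB-1", "Critical", (FileRule(r"C:\App\app.dll", "10.0.1"),)),
        "KB-2": Definition("KB-2", "Critical", (FileRule(r"C:\App\app.dll", "10.0.2"),),
                           replaces=("KB-1",)),
        "SP-1": Definition("SP-1", "Service Pack", (FileRule(r"C:\App\core.dll", "2.0.0"),)),
    }


if __name__ == "__main__":
    outdated = {r"C:\App\app.dll": "10.0.0", r"C:\App\core.dll": "1.5.0"}
    print("all rules enabled:   ", scan(sample_definitions(), outdated))
    print("replaced disabled:   ", scan(disable_replaced(sample_definitions()), outdated))
    half_patched = {r"C:\App\app.dll": "10.0.1", r"C:\App\core.dll": "2.0.0"}
    print("half patched client: ", scan(sample_definitions(), half_patched))
    print("repair plan:         ", plan_repair(sample_definitions(), half_patched, ["SP-1", "KB-2", "KB-1"]))
```

    Run it and compare the two scans of the outdated client: the version check alone already stops an older patch from being recommended once its fixed version is on disk, and disabling replaced definitions removes the duplicate repair where both the old and the new definition would otherwise fire on the same client.  plan_repair mirrors the rule that a client repairs only what its own scan detected, so a definition pushed in a repair task is skipped on machines that are not vulnerable to it.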

     

    Download Patch Content

    As mentioned above, Ivanti produces definitions that tell the scanning engine what to scan for and report on a client.  Before you can use this content, the core server must download the definitions.

     

    1. From Patch and Compliance, click the yellow icon with the down arrow named "Download Updates"
    2. Expand Windows - Software Updates
    3. Check LANDESK Agent Health and LANDESK Software Updates
    4. Expand Vulnerabilities
    5. Check Microsoft Windows vulnerabilities
    6. Click "Download now"
    7. Once it is done, click Close

     

    Distribution and Patch Settings

    The "Distribution and Patch" settings control how, when, and what vulscan does when scanning for patches.

     

    1. To modify Distribution and Patch settings, go to Tools - Configuration - Agent Settings
    2. In Agent Settings, expand "All agent settings"
    3. Click "Distribution and Patch"
    4. Double-click the Distribution and Patch setting on the right side to open it

     

    Under "General Settings" you'll see items related to how files are downloaded and what notification users will see before tasks run.

    Network Settings controls how files are downloaded and from where.

    Policy sync schedule controls how often policies are checked.

    Notification controls what the end user sees while vulscan is running.

     

    We'll skip Distribution-only settings as they only apply to software distribution and not patch management.

     

    Patch only settings are covered in this document: "Patch-only settings" in "Distribution and Patch" settings for LDMS 9.6

     

    Scanning the Clients

    Clients by default scan once a day.

    Here's how to create a scheduled task to run a security scan on demand.  This ensures the detected information is up to date before you repair.

    1. From the Patch and Compliance tool, click the Create a task button, then Security Scan
    2. Optional - In the Agent Settings section you can choose a different "Distribution and patch settings", or leave the default, which uses the setting currently assigned to the client
    3. Click Save
    4. This opens the Scheduled tasks tool
    5. Drag the machine onto the task
    6. Right-click the task and select Start now -> All

    Repairing Clients

     

    Now that the clients have been scanned, we can use the "Detected" view to see which patches need to be applied.

    In the Patch and Compliance tool, click "Detected".

    Then sort it by Severity.

    It's recommended to repair service packs first and then Critical patches.

    It's also recommended to test patches first to make sure they don't introduce any unwanted changes in your environment.

    In the Detected view you may see a number of Critical patches.  You can right-click one, or multi-select many of them, and choose Repair.

    However, this method only allows up to 25 patches to be applied at once.

    In order to repair more than 25, a group must be used.

     

    Creating a Custom Patch Group

     

    To create a new patch group, click "Groups" to expand it.

    Expand Custom Groups.

    Right-click "My custom groups" and choose "New group".

    Name it "TestPatchGroup" or whatever you choose.

    Now that we have a group, we can populate it with the patch definitions we wish to repair.

    Go back to the "Detected" group and select the definitions.

    Right-click the selected definitions and click "Copy".

    Next, right-click your test group and select Paste.

    Now select all the patches in the group, right-click them and select "Download associated patches".

    In the dialog that opens, select all the patches and click Download.

    This starts the patch download.  Any patches that haven't been downloaded yet are downloaded.  Those that have already been downloaded are verified against their expected hash; if the hash matches they won't be downloaded again, and a file whose hash does not match is downloaded again.

    Once the patches are downloaded, click "Close".
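    The verify-then-download behaviour described above, as an added example in Python rather than anything from the Ivanti console: a small cache that hashes every file already present, skips it when the hash matches the expected value, fetches it again when it does not, and refuses to keep a download whose hash fails.  SHA-256, the fetcher callback and the file names are assumptions; the patch bytes are constructed sample data standing in for vendor downloads.

```python
"""Verify-before-download cache for patch files, modelling the behaviour the
article describes for "Download associated patches": files already in the cache
are checked against their expected hash and fetched again only on a mismatch.

Added example for this article, not Ivanti/LANDESK code. SHA-256, the
callable-based fetcher and the patch file names are assumptions; the patch
bytes are constructed sample data standing in for vendor downloads.
"""
from __future__ import annotations

import hashlib
import tempfile
from pathlib import Path
from typing import Callable

Fetcher = Callable[[str], bytes]  # maps a patch file name to its content


def sha256_of_file(path: Path) -> str:
    digest = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            digest.update(chunk)
    return digest.hexdigest()


def ensure_patch(cache_dir: Path, name: str, expected_sha256: str, fetch: Fetcher) -> str:
    """Return 'verified', 'downloaded' or 'redownloaded'.

    Raises ValueError, leaving no file behind, when the fetched content does not
    match the expected hash: a patch that fails verification must never be
    handed to clients for repair.
    """
    target = cache_dir / name
    status = "downloaded"
    if target.exists():
        if sha256_of_file(target) == expected_sha256:
            return "verified"            # good copy already cached: no download
        target.unlink()                  # corrupt or tampered: discard it
        status = "redownloaded"
    data = fetch(name)
    if hashlib.sha256(data).hexdigest() != expected_sha256:
        raise ValueError(f"{name}: downloaded content does not match expected hash")
    partial = target.with_name(target.name + ".part")
    partial.write_bytes(data)
    partial.replace(target)              # rename only after the hash checked out
    return status


def download_group(cache_dir: Path, wanted: dict[str, str], fetch: Fetcher) -> dict[str, str]:
    """Download the patches associated with a group; one status per file."""
    cache_dir.mkdir(parents=True, exist_ok=True)
    results: dict[str, str] = {}
    for name, digest in wanted.items():
        try:
            results[name] = ensure_patch(cache_dir, name, digest, fetch)
        except ValueError:
            results[name] = "failed"
    return results


# Constructed sample content; real patches come from the vendor sites.
SAMPLE_PATCHES = {
    "KB-1-x64.msu": b"sample bytes standing in for KB-1",
    "KB-2-x64.msu": b"sample bytes standing in for KB-2",
}
EXPECTED = {name: hashlib.sha256(data).hexdigest() for name, data in SAMPLE_PATCHES.items()}


def sample_fetch(name: str) -> bytes:
    return SAMPLE_PATCHES[name]


def run_demo() -> tuple[list[dict[str, str]], list[str]]:
    """Walk through first download, re-run, tampered file and a bad download."""
    with tempfile.TemporaryDirectory() as tmp:
        cache = Path(tmp) / "patches"
        first = download_group(cache, EXPECTED, sample_fetch)      # everything fetched
        second = download_group(cache, EXPECTED, sample_fetch)     # everything verified
        (cache / "KB-1-x64.msu").write_bytes(b"tampered on disk")  # simulate corruption
        third = download_group(cache, EXPECTED, sample_fetch)      # KB-1 fetched again
        bad_hash = hashlib.sha256(b"the real KB-3").hexdigest()
        fourth = download_group(cache, {"KB-3-x64.msu": bad_hash},
                                lambda _name: b"not the real KB-3")  # rejected
        leftover = sorted(p.name for p in cache.iterdir())
    return [first, second, third, fourth], leftover


if __name__ == "__main__":
    for step, outcome in zip(("first", "second", "third", "fourth"), run_demo()[0]):
        print(step, outcome)
```

    Run it to see the four outcomes: a first pass downloads everything, a second pass verifies and fetches nothing, a file altered on disk is fetched again, and a download whose content does not match the expected hash is reported as failed and never lands in the cache.  That last property is the one you want before a repair task pushes the file to clients.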

     

    Using a Custom Group to Repair

     

    Right-click the custom group TestPatchGroup and select Repair.

    This brings up the Patch and Compliance - repair task dialog.

    For now, we'll leave "Add targets" set to "Don't add targets at this time".

    Agent Settings can be used to switch to the setting created earlier.

    Reboot Settings can also be changed here.  It is recommended that clients be allowed to reboot as needed, either in the current task or later in a controlled manner.  Files that are in use cannot be replaced during patching, so a machine remains unprotected by those patches until it reboots.

     

    For details, see How to use Reboot Settings

     

    Click "Save" to finish; the task shows up in Scheduled Tasks.

    Drag and drop your test clients onto the task.

    Right-click the task and select "Start Now - Devices that did not succeed".

    This starts the patch task.

     

    Expanding the Deployment

    After testing the patches and your important applications on the test clients, it's time to expand the rollout of the patches.

    Additional clients can be added to the scan task.

    As additional definitions are detected on clients, they can be added to the repair group and their patches downloaded.

    Then additional clients can be added to the repair task.

     

    Conclusion

    At this point, you will have a decent understanding of the patching process.  Now you can refine the Distribution and Patch settings and the Reboot settings to better match the needs of your environment.