This document is designed to give a new Ivanti EPM Administrator a quick way to set up Patch Manager. It is certainly not the only way to do it, but it will get you started so you have a solid starting place to build upon.
A license for Patch Manager is required for full functionality. Without it, you will not see Vulnerabilities or Security Threats in Patch Manager, but you will still have access to Ivanti Updates, which can be deployed to your clients through Patch Manager.
It is also assumed that the Ivanti EPM core has been installed and agents have been deployed.
The core should have an Internet connection that allows access to LANDESK.com, Ivanti.com and vendor websites such as microsoft.com, google.com, apple.com and adobe.com in order to download patches. The clients will need access to the core server.
- Introduction
- Assumptions
- Outline
- Patch and Compliance Manager Basics
- Handling Replaced Definitions
- Download Patch Content
- Distribution and Patch Settings
- Scanning the Clients
- Repairing Clients
- Creating a Custom Patch Group
- Using a Custom Group to Repair
- Expanding the Deployment
- Conclusion
Patch and Compliance Manager Basics
Ivanti EPM uses definitions to scan clients for vulnerabilities. A definition is a group of rules that tells the scanning engine (vulscan.exe) what to look for in order to determine whether a machine needs a patch.
These definitions are written by Ivanti and are downloaded to the core server from the Ivanti Patch Content servers.
The Ivanti EPM administrator determines which definitions are scanned for on client devices.
A client must first scan and be found vulnerable to a definition before it will attempt to repair that vulnerability (apply the patch).
Handling Replaced Definitions
One of the advantages of Ivanti EPM Patch and Compliance Manager is that, wherever possible, the scanning engine checks the version of the affected files to determine whether a patch is needed. This lets it recommend only the latest patches, without wasting time installing patches that have been replaced by newer ones. The following settings disable the rules of any definition that a newer definition replaces:
- Go into Tools - Security and Compliance - Patch and Compliance
- Click on the icon that looks like a cog wheel (Configure Settings) - Definition Download Settings
- Click New
- Set Definition Type to Vulnerability
- Severity to Any
- Comparison to None
- Under the Scan tab
- Check "Assign Scan Status"
- Select "Scan (Global)" in the "Global Scan Status" drop-down.
- Select the checkbox "Disable any rules this definition replaces"
- Click OK
- Click Close
For further information on handling replaced patches, see "How To: Manage Superseded Patches in Patch and Compliance Manager".
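To make the supersedence behaviour described above concrete, here is an added, constructed model (not Ivanti's code, and not the real definition format) of what "Disable any rules this definition replaces" achieves: replaced definitions are switched off transitively, and the remaining ones decide vulnerability by comparing a client's file version with the version the patch installs. The field names and sample definitions are assumptions for illustration only.

```python
from dataclasses import dataclass, field


@dataclass
class Definition:
    """Constructed stand-in for a patch definition (not Ivanti's real schema)."""
    id: str
    fixes_file: str          # file whose version the rule inspects
    fixed_version: tuple     # version at or above which the client is patched
    replaces: list = field(default_factory=list)  # ids of older definitions
    scan: bool = True        # False once a newer definition supersedes it


def disable_replaced(defs):
    """Turn off every definition that another definition replaces, following
    replacement chains so C -> B -> A disables both B and A. Returns the
    definitions that remain enabled for scanning."""
    by_id = {d.id: d for d in defs}
    for d in defs:
        stack = list(d.replaces)
        while stack:
            old = by_id.get(stack.pop())
            if old is not None and old.scan:
                old.scan = False
                stack.extend(old.replaces)
    return [d for d in defs if d.scan]


def detect(defs, client_files):
    """Return ids of enabled definitions the client is vulnerable to, i.e. the
    inspected file is missing or older than the version the patch installs."""
    return [
        d.id for d in defs
        if d.scan and client_files.get(d.fixes_file, (0,)) < d.fixed_version
    ]


# Constructed sample: three cumulative updates for the same file.
SAMPLE_DEFS = [
    Definition("KB-A", "win32k.sys", (10, 0, 1000)),
    Definition("KB-B", "win32k.sys", (10, 0, 2000), replaces=["KB-A"]),
    Definition("KB-C", "win32k.sys", (10, 0, 3000), replaces=["KB-B"]),
]

if __name__ == "__main__":
    enabled = disable_replaced(SAMPLE_DEFS)
    print([d.id for d in enabled])                       # only KB-C scans
    print(detect(SAMPLE_DEFS, {"win32k.sys": (10, 0, 1500)}))  # ['KB-C']
```

Only the newest definition is reported, so the client is repaired with one patch instead of three.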
Download Patch Content
As mentioned before, Ivanti produces definitions that tell the scanning engine what to scan for and report on when scanning a client. Before you can use this content, the core server must download the definitions.
- From Patch and Compliance, click the yellow icon with the down arrow named "Download Updates"
- Expand Windows - Software Updates
- Check LANDESK Agent Health and LANDESK Software Updates
- Expand Vulnerabilities
- Check Microsoft Windows vulnerabilities
- Click "Download now"
- Once it is done, click Close.
Distribution and Patch Settings
The "Distribution and Patch" settings control how, when, and what vulscan does when scanning for and applying patches.
- To modify Distribution and Patch Settings go to Tools - Configuration - Agent Settings.
- In Agent Settings, expand "All agent settings"
- Click on "Distribution and Patch"
- Double-click on the Distribution and Patch Settings on the right side to open it up
Under "General Settings" you'll see items related to how files are downloaded and what notification users will see before tasks run.
Network Settings controls how files are downloaded and from where.
Policy sync schedule controls how often policies are checked.
Notification controls what the end user will see while vulscan is running.
We'll skip Distribution-only settings, as they apply only to software distribution and not to patch management.
Patch-only settings are covered in the document "Patch-only settings" in "Distribution and Patch" settings for LDMS 9.6.
Scanning the Clients
By default, clients scan once a day.
Here's how to create a scheduled task to run a security scan on demand. This ensures the detected information is up to date.
- From the Patch and Compliance tool, select the Create a task button, then Security Scan
- Optional: in the Agent Settings section you can choose a different "Distribution and patch settings", or leave the default to use the setting currently assigned on the client.
- Click Save
- This will take you to the Scheduled tasks tool. You know the drill.
- Drag the machine to the task.
- Right-click the task and select Start now -> All
Now that the clients have been scanned, we can use the "Detected" view to see which patches need to be applied.
In the Patch and Compliance tool, click on "Detected"
Then sort it by Severity.
It's recommended to repair service packs first, then Critical patches.
It's also recommended to test patches first to make sure they don't introduce any unwanted changes in your environment.
In the above screenshot, there are a number of Critical patches. You can right-click on one, or multi-select many of them, and choose to repair them.
However, this method only allows up to 25 patches to be applied at once.
In order to repair more than 25, a group must be used.
Creating a Custom Patch Group
To create a new patch group, click on "Groups" to expand it out.
Expand Custom Groups
Right-click "My custom groups" and choose "New group".
Name it "TestPatchGroup" or whatever you choose.
Now that we have a group we can populate it with the patch definitions we wish to repair.
Go back to the "Detected" group and select the definitions.
Right-click on the selected definitions and click "Copy" as seen below
Next, right-click on your test group and select Paste.
Now select all the patches in the group, right-click them, and select "Download associated patches".
In the dialog that opens, select all the patches and click Download.
This will start the patch download. Any patches that haven't been downloaded yet will be downloaded. Those already downloaded will be verified against their hash, and if the hash matches they won't be downloaded again.
Once the patches are downloaded, click "Close".
Using a Custom Group to Repair
Right-click on the custom group TestPatchGroup, select Repair.
This will bring up the Patch and Compliance - repair task dialog.
For now, we'll leave "Add targets" set to "Don't add targets at this time".
Agent Settings can be changed here to the one created earlier.
Reboot Settings can also be changed here. It is recommended that clients be allowed to reboot as needed, either in the current task or later in a controlled manner. Files in use cannot be replaced during patching, which leaves your machines unprotected by those patches until the reboot completes.
Click "Save" to finish and the task will show up in Scheduled Task.
Drag and drop your test clients onto the task.
Right-click the task and select "Start Now - Devices that did not succeed".
This will start the patch task.
Expanding the Deployment
After testing the patches and important applications on your clients, it's time to expand the rollout of the patches.
Additional clients can be added to the Scan task.
As additional definitions are detected on clients, they can be added to the repair group and their patches downloaded.
Then additional clients can be added to the repair task.
At this point, you will have a decent understanding of the patching process. Now you can refine the Distribution and Patch settings and the Reboot settings to better match the needs of your environment.