8 Replies Latest reply on Apr 13, 2017 3:06 AM by phoffmann

    LDMS 2016 VM Snapshot as part of patching process

    RobLent Specialist

      We are looking to implement the latest version of LDMS as above.

       

      We are currently on LDMS 9.5 SP3 and thus far have not ventured to patching servers with Patch Management but do all our workstations.

       

      Is there any mechanism built into LDMS 2016 to take a snapshot of a server before patching or is it still a case of needing to run a pre-patch script?

       

      Is anyone doing this with patching already and if so would you care to share any ups and downs of the process?

       

      Rob

        • 1. Re: LDMS 2016 VM Snapshot as part of patching process
          jonlongLCE Rookie

          In LDMS 2016 as well as LDMS 9.5 there is a pre-script setting under the repair/installation menu.  I am sure there is a way to call a snapshot on your VM host for the machine you are patching.  If you have anyone that can write VB, PowerShell, or Batch commands that would be the way that LDMS would handle that function for you.

           

          I personally have not done this type of work before but if I was to develop a process like you are looking to do then that is where I would start.

          • 2. Re: LDMS 2016 VM Snapshot as part of patching process
            phoffmann SupportEmployee

            Yep - the above works.

             

            Essentially - you're going to need to leverage VMware's integration tools (i.e. "PowerCLI" and so on) with whatever language you prefer (they've got hooks for PowerShell, Python & many others), but not "just vanilla www-services" (annoyingly it's a bit of a faff).

             

            If you have LANDesk Process Manager (or a similar process automation tool) you can combine the two into automated process flows.

             

            You may find the following also potentially useful to start playing with things:

            - Getting Started with the MBSDK (Example Scripts Included)

            • 3. Re: LDMS 2016 VM Snapshot as part of patching process
              RobLent Specialist

              phoffmann quick question as I know you know the answer.

               

              The pre-patch script in the agent settings, what account does it run under?

               

              We have a script to take a VM Snapshot but need to know what permissions are going to be required on the vCenter Server.

              • 4. Re: LDMS 2016 VM Snapshot as part of patching process
                phoffmann SupportEmployee

                Generally, all vulnerability and soft-dist stuff runs as follows:

                 

                - if we're set to run as the logged on user, and the logged-on user has local admin access, ==> we'll run as that local admin. (Not USUALLY the case)

                Then ...

                - If no one is logged on / If we're set to run as the logged-on user and they do *NOT* have a local admin account (normally the case) ==> We'll run as "LOCAL SYSTEM".

                 

                In 99% of cases, you should see us running as "local system" as a result / general rule.

                • 5. Re: LDMS 2016 VM Snapshot as part of patching process
                  RobLent Specialist

                  Well after looking into this a bit more and having raised a call with support it seems that I won't be able to do this natively from the pre-patch script area.

                   

                  Suggestions were to install the VM CLI tools on all virtual servers, sorry but no, or using PSExec on all servers to call scripts.

                   

                  Not really a seamless process, which is a shame as I had high hopes for this.

                   

                  If we are going to have to create schedules and processes to create the snapshots outside of LDMS then we may as well stick with WSUS and do it that way anyway.

                   

                  Thanks for the help though Phil.

                  • 6. Re: LDMS 2016 VM Snapshot as part of patching process
                    Frank Wils ITSMMVPGroup

                    If it will really save you lots of time (=money), you might want to take a look at Ivanti Patch for Servers (previously Shavlik). This tool can make snapshots automatically before patching and clean them up again, but also has the ability to patch templates, snapshots, VMs that are turned off etc. Really worth taking a look at if you have a large VMware-based server environment.

                     

                    Frank

                    • 7. Re: LDMS 2016 VM Snapshot as part of patching process
                      RobLent Specialist

                      Thanks for that Frank.

                       

                      I will take a look but it is unlikely I will be able to convince the powers that be to spend more money.

                       

                      Maybe one day all these patching tools will be combined into one product that does everything we all need. 

                       

                      Currently all server patching is done manually so we were hoping to automate a lot of this work with LDMS but with the paranoia here snapshots are an essential part of the patching process.  (I can understand it really)

                       

                      Thanks again for your comment.

                      • 8. Re: LDMS 2016 VM Snapshot as part of patching process
                        phoffmann SupportEmployee

                        Paranoia is not wrong in this case -- patching is important, and it's not like Microsoft alone haven't been busy breaking stuff with the Anniversary edition of Win 10 for instance.

                         

                        However, a lot of this stuff *IS* automatable (which is why there's stuff like "PowerCLI" and so on -- stuff to talk to the VMware APIs).

                         

                        If you guys run your patching regime on (say) a Sunday night in the evening, all it would take is to have a script (automated == good and saves man-hours) talk to VMware & request snapshots of all the affected machines.

                         

                        That's quite doable.

                         

                        And should be REALLY easy to get sign-off for -- because if you folks patch manually, the sheer amount of man-hours wasted on that will be paid for within 1-2 patch cycles.

                         

                        The trick is to speak "their language" and point out to them "Manual patching costs us xxx man-hours which equates to $$$ in overtime and so on". EVERY time you patch.

                         

                        If this can be automated, that cost breaks down to a tiny fraction of that, if not close to 0 (in ideal circumstances).

                         

                        It's doable. Usually (Depends on how much of an ostrich the decision makers are of course -- some people can't be cured of ill-sense).

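
The scheduled snapshot script described in reply 8, as an added example that is not code from any poster in this thread or from LANDesk/Ivanti. Because the pre-patch script runs as LOCAL SYSTEM on each server (reply 4), this version runs once from a single management host under a dedicated vCenter service account, so no vCenter credential is placed on the patched servers. Assumptions: the host name `vcenter.example.local`, the `C:\PatchOps\` paths, the `PrePatch-` snapshot prefix and the 7-day retention are all hypothetical.

```powershell
# Added example: run from ONE management host before the patch window,
# not as a per-server pre-patch script. All names and paths below are assumptions.
#Requires -Modules VMware.VimAutomation.Core
$ErrorActionPreference = 'Stop'

$vCenter  = 'vcenter.example.local'                  # hypothetical vCenter name
$listFile = 'C:\PatchOps\servers-to-patch.txt'       # one VM name per line
$credFile = 'C:\PatchOps\svc-patchsnap.cred.xml'     # written once with Export-Clixml
$prefix   = 'PrePatch-'                              # marks snapshots owned by this job
$keepDays = 7                                        # retention for old pre-patch snapshots

# Export-Clixml encrypts the password with DPAPI, so the file only decrypts for
# the Windows account (and machine) that created it. Create it as the account
# the scheduled task runs under, and restrict the folder ACL to that account.
# The vCenter role for this login needs only the snapshot create and remove
# privileges, scoped to the folder holding the servers being patched.
$cred = Import-Clixml -Path $credFile

Connect-VIServer -Server $vCenter -Credential $cred | Out-Null
$failed = @()
try {
    $names = Get-Content -Path $listFile | Where-Object { $_.Trim() }
    foreach ($name in $names) {
        try {
            $vm = Get-VM -Name $name.Trim()

            # Prune only this job's expired snapshots; never touch anyone else's.
            $cutoff = (Get-Date).AddDays(-$keepDays)
            Get-Snapshot -VM $vm |
                Where-Object { $_.Name -like "$prefix*" -and $_.Created -lt $cutoff } |
                Remove-Snapshot -Confirm:$false

            $snapName = '{0}{1:yyyyMMdd-HHmm}' -f $prefix, (Get-Date)
            New-Snapshot -VM $vm -Name $snapName `
                -Description 'Automated snapshot taken before patch window' | Out-Null
        } catch {
            # Record the failure and carry on with the remaining servers.
            $failed += $name
            Write-Warning "Snapshot failed for ${name}: $($_.Exception.Message)"
        }
    }
} finally {
    Disconnect-VIServer -Server $vCenter -Confirm:$false
}

# Non-zero exit lets the scheduler hold back patching until every VM has a snapshot.
if ($failed.Count -gt 0) { Write-Output "Not snapshotted: $($failed -join ', ')"; exit 1 }
```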