5 Replies Latest reply on May 10, 2018 8:04 AM by phoffmann

    How do you transfer the AutoFix status of patches from old core to new core?

    bob.mier Apprentice

      I would like to transfer the Autofix settings of the patches from the old core to the new core I just installed. Is there a way to do this without manually selecting patches and setting autofix to "Global"? I would prefer to only focus on the Autofix settings.

        • 1. Re: How do you transfer the AutoFix status of patches from old core to new core?
          MarXtar ITSMMVPGroup

          Is there any reason why you didn't use a copy of your old database with your new server? That would have brought over all of the old settings. It is still possible to do that if you need it but wanted to check the reasoning first.

           

          Mark McGinn

          MarXtar Ltd/MarXtar Corporation

          http://ivantione.marxtar.com

          Ivanti One Development Partner

           

          Try MarXtar Enterprise Notifier for Ivanti to Better Communicate with Your Service Subscribers

          Try MarXtar State Management for Ivanti to Better Understand and Manage your Assets

          • 2. Re: How do you transfer the AutoFix status of patches from old core to new core?
            phoffmann SupportEmployee

            Yeah - a bit more context would be helpful here, I'm with Mark on that one.

             

            You COULD probably cobble / hack something together by looking at the SQL DB side of things for each vulnerability, but the problem I would mainly expect to be around if you use scope-based auto-fixing that you need to have those exact scopes, with those exact names and such.

             

            It'd be a fair bit of a hack & fair bit of potentially complex scripting to do ... but could be feasibly done, in theory, if needs absolutely must.

             

            Just that more context would be good (since you may not care about vulnerabilities from - say - 2 or 3 years ago, since they'd be auto-included / fixed in more current stuff) ... so I'm not entirely convinced that's really needed even in a scenario where you've started from a clean DB?

            • 3. Re: How do you transfer the AutoFix status of patches from old core to new core?
              bob.mier Apprentice

              Thanks MarXtar and Phoffmann for your comments.

               

              Here is some background. 

               

              The original core is a 9.6 SP3 and the new core is a 2017.3 SU4. I also moved to a SQL 2017 server for the new database and to the BitDefender AV. The original core was a patched version of 9.6 SP3 to be able to "Manage" Windows 10 computers. There were instabilities and inconsistencies with the original core that I didn't want to chance being brought over to the new core. There are only a small number of Distribution Packages to bring over to the new core. So that is not a lot of work.

               

              Thus right now it brings me to the patches, I see two (2) options:

              1) If it is possible to bring the autofix settings from the original core to the new core, bring it over

              2) Review patches for those to set as "Do Not Scan" and then take the remaining patches from beginning to last month's approved patches and set them to Autofix manually.

               

              I appreciate your help and advice.

              • 4. Re: How do you transfer the AutoFix status of patches from old core to new core?
                MarXtar ITSMMVPGroup

                My gut tells me you should take this as an opportunity to review what you used to do and assess if it is still applicable to what you want to do today.

                 

                Don't try to take the settings from the old system, it will be a hack whichever way you do it at this stage so eyeball them.

                 

                Set up your download rules from scratch so that they only download what you need (even if that means deleting everything you've already downloaded), set to do not scan anything coming down that you had set that way initially (make sure the reasoning for it is still understood), disable those that have been replaced (as part of the download) and then focus on setting up autofix for what is being downloaded and actually being discovered. Perhaps treat anything older than a particular date as 'baseline' and set that to autofix out of the gate. This way you quickly get back to your ongoing patching process. Just keep an eye on the discovered vulnerabilities in case some older ones slip through.

                 

                Mark McGinn


                2 of 2 people found this helpful
                • 5. Re: How do you transfer the AutoFix status of patches from old core to new core?
                  phoffmann SupportEmployee

                  Yeah - Mark's response makes sense to me.

                   

                  Since you're already forced to "start clean" effectively, make a virtue out of necessity & start over with the experience & knowledge that you have.

                   

                  Particularly with Windows 10's patching mechanisms, I'd be surprised if you'd need more than a small %-age of stuff to be set to auto-fix. You're likely to have the usual suspects (Flash, etc.), plus a few bits that you use commonly (let's say "Wireshark" for argument's sake), but other than that ... a "lean" list is a good list.

                   

                  There's a lot of content we still "have to" provide, because some folks can't (/won't?) patch up for certain reasons (better or worse, depending on the individual situation) -- but by and large, a sensible outlet won't need THAT many set to autofix really.

                   

                  And yeah - the SWD packages you can just export & import into the new Core, if you want, that'll work too.

                  1 of 1 people found this helpful