3 Replies Latest reply on Feb 8, 2019 1:57 PM by COLRmastenbrook

    Patch for Windows -> Endpoint Manager

    COLRmastenbrook Rookie

      Previously our virtual environment was being patched using Ivanti Patch for Windows.

      Due to several circumstances, I am trying to move away from that onto Endpoint Manager.

      My last Patch cycle test did not end well. It took a very long time to scan through the updates, download them from the core, and then install them. I'm working with a roughly 3-hour maintenance window.

      With Patch for Windows, I am able to scan and 'Stage' the updates and then schedule them to be installed at a certain time. What's the best way to achieve this with EPM?

      I've read a few discussions that include having multiple tasks and using scripts. This seems messy, and unpredictable. Is there a better way?

        • 1. Re: Patch for Windows -> Endpoint Manager
          ldms_4mfe Specialist



          Your question is unfortunately still very general.


          Creating a patch run in 3 hours shouldn't be a problem.

          Of course it depends on how many patches have to be downloaded, how fast the connection to the patch share is and especially on how much CPU Vulscan can run with.


          Please check the agent settings first.

          I would set the Vulscan process to full CPU; the scans are faster and quickly over.

          The installation also benefits dramatically.


          The download speed will also increase automatically if Peer-2-Peer is active and several servers/clients have already cached the patches.


          VG, Marco


          Translated with www.DeepL.com/Translator

          • 2. Re: Patch for Windows -> Endpoint Manager
            phoffmann SupportEmployee

            So the big thing about pre-staging is being aware of the options (no shortage thereof). So - a few things to consider. These work "hand in hand" so this isn't an "either or" situation.


            • You can pre-stage by actually multicasting patches out (in "cache only" mode). That way the files "sit on the client" and are ready to be executed when you need them (this works for patches and software packages). This is a separate way of pushing out a package / files.

              Now the "easy / lazy" option here is to dump ALL of the files of your patch cycle on ALL of your devices (so "Windows 2008 patches and Windows 2016" for instance) and let the vulnerability scanner sort it out (it'll only install what it needs).

            • You can make use of peer download (essentially "Hey - anyone on my subnet already have file X? If so, I'd like to have it...!") ... this is something that you generally want to use - and is something the vulnerability scanner (by default) will always attempt when it needs to pick up a patch.

            • You can make use of preferred servers -- so if you have a known system that can act as a file repo on a given location, you can specify it as a "preferred server" -- that's the term to look up on community for more documentation. In essence, this is a config item that automatically gets pulled from the Core and - conceptually - is as simple as clients substituting (works on HTTP and UNC) "\\MyCore\MyShare\MyFile.exe" over to "\\MyPreferredServer\MyShare\MyFile.exe" - for clients from that network segment only.

            • The thing that'll usually catch you out is how long the patch(-es) need to install themselves ... if you have a representative test system, awesome -- but being unable to determine how LONG a patch requires up-front is ... annoying. But "oh well" - not much we can do here.
            • Important note -- be aware that the reboot for most Windows patches is REQUIRED for EPM to determine/detect that "yes, this vulnerability is indeed patched" (because a bunch of files only get replaced upon reboot). That can catch a few folks out if they don't think of it.


            Does that help?

            • 3. Re: Patch for Windows -> Endpoint Manager
              COLRmastenbrook Rookie

              Yes, thank you for your tips! Before your suggestions I was able to figure out how to pre-scan the machines, add only those patches to a patch group, and then start a task with a maintenance window only looking at that patch group. It went a lot faster. Thanks for the additional suggestions!