Client Automation Standard Practitioners Forum

Grouping Windows security patches for deploying

SOLVED
Regular Advisor

Grouping Windows security patches for deploying

Hello,

after a Windows XP SP2 installation if I run Windows Update I have 49 security patches available for download. I would like to deploy these security patches using Radia.
For that reason I have tried to create a Service Group called WXPSP2-PATCHES in PATCHMGR -> ZSERVICE class using System Explorer. When I have the Service Group I connect the security bulletins MS06-032, MS06-030,...
Using RMP I assign this service to a computer. But when the computer is notified, no patch is installed. I'm trying a patch notification.
I have a similar solution for software applications but I don't know if it's possible to do the same with patches or what the correct procedure is.

Thank you for your help.
He who asks a question may be a fool for five minutes, but he who never asks a question remains a fool forever
29 REPLIES
Honored Contributor

Re: Grouping Windows security patches for deploying

Sounds doable but I don't know anyone who has done it that way.
So now the questions: How do you know that the Patches are not installed? Do the Services appear in the client catalog?
Regular Advisor

Re: Grouping Windows security patches for deploying

Hi Roy,

I don't pretend to be original. For me this is the most logical way to install several patches at the same time. If there is another way to do it, maybe you would like to share your knowledge with me.
About your questions, I know that the patches are not installed because Reporting Server doesn't refresh the information about the patches installed. If I assign only a bulletin, for example, MS06-023 then Reporting Server updates the information, but if I assign the group of patches WXPSP2-PATCHES the information is not updated, so I suppose no patch is installed.
To tell the truth, I don't know how I can check the client catalog if Software Manager is not installed on a client computer and Software Manager doesn't show patch information. So I don't know how to check it.

Thank you very much
He who asks a question may be a fool for five minutes, but he who never asks a question remains a fool forever
Honored Contributor

Re: Grouping Windows security patches for deploying

Policy is so individualized that I wouldn't begin to suggest anything.
RPM will only report compliance on those Patches it knows about and those that are applicable to a particular client. Unless the Patch appears in the compliance report, applying a Patch may not change the compliance report for a particular client.
You can check the connect log to understand which patches are applicable for a particular client.
You can always look at a client's ASERVICE.edm or xml to see what it thinks it's entitled to.
You can also review the Radia Managed Services via RRS to see if a Patch (or other Services) was applied.
Regular Advisor

Re: Grouping Windows security patches for deploying

Thank you for your answer.
I usually check Radia logs on client machines but a lot of times the information provided is not very useful to me.
Before opening this thread I checked another one called "Patch Distribution Problem", where another person had a similar problem, but those solutions don't give me a clue about how to solve my problem.
I'll try to check again all Radia logs, but maybe Radia is not understanding correctly the "Patch Service group" that I have created and I should create it in a different way.

Kind regards,

Nuria
He who asks a question may be a fool for five minutes, but he who never asks a question remains a fool forever
Respected Contributor

Re: Grouping Windows security patches for deploying

Hi,

If you're using native policy I'd recommend using workgroups instead of service groups to assign multiple services.

Your user id could be linked to POLICY.WORKGRP.PATCHES_*

Your workgroups will be called PATCHES_(1/2/3 and so forth) and would be linked to the patch zservice.

I'm not really able to look into this much further at the moment but at least one benefit you'll see from using workgroups instead of super zservices is that each individual service create priority is honoured. With super zservices, the individual zservices are installed in the order they're connected.

Hope this helps,

Moaeed
Respected Contributor

Re: Grouping Windows security patches for deploying

... but the above solution may make piloting and phased releases difficult. Could you post up your logs and we'll have a look to see why your method isn't working.

Regards,

Moaeed
Regular Advisor

Re: Grouping Windows security patches for deploying

Hi,

I suppose you want RMP logs and maybe client logs. Tomorrow I'll try to deploy the patch again and I'll attach the logs.

Thank you for your help. Have a nice day.
He who asks a question may be a fool for five minutes, but he who never asks a question remains a fool forever
Regular Advisor

Re: Grouping Windows security patches for deploying

Hi,

I attach the file connect.log and a screenshot of the service that I have created. The screenshot shows that the service is mandatory but I don't know why the patch is not applied because it's considered optional. I think log files in the server don't provide much information about the problem.

Thank you very much.

Regards, Nuria
He who asks a question may be a fool for five minutes, but he who never asks a question remains a fool forever
Honored Contributor

Re: Grouping Windows security patches for deploying

I can see MS06-24,25,30,32 patches in the catalog.
MS06-23 is installed/verified in this log.
None of the patches are applicable though.
This may be it:
Service [WXPSP2-PATCHES] is marked as [Optional]
If you changed it from Optional to Mandatory after a connect it may not update the Service.
Try removing the lib tree and running the connect again.
If that fails try to assign each Patch instead of the Service Group.
Regular Advisor

Re: Grouping Windows security patches for deploying

Hi,

I suppose I should delete the patches folder (inside the lib folder) on the client computer instead of the lib folder. If I remove the lib folder RMP cannot connect with the client. I have deleted the patches folder on the client but the problem is the same, the patch WXPSP2-PATCHES is skipped because it's optional.
I tried with another computer but the patch is always skipped. If I deploy the four patches to the client, they are deployed without problems and updated in RRS.
So the problem is the service WXPSP2-PATCHES.
I have created a new service group with ZSVCMO=M, but when the service is deployed, it is always taken as [Optional].

Regards, Nuria
He who asks a question may be a fool for five minutes, but he who never asks a question remains a fool forever
Honored Contributor

Re: Grouping Windows security patches for deploying

So it would appear that RPM re-sets the Services that are not applicable?
Try just assigning the Services directly or via a WorkGroup and run the connect.
Regular Advisor

Re: Grouping Windows security patches for deploying

Hi Roy,

I don't know exactly what RPM is doing. But I'm using an LDAP connection with my AD, so I can manage domain computers in RMP and Policy manager but not in System Explorer, because I don't have an instance called MACHINE.
So, I have added a workgroup called PATCHES_WXP and connected some patches MS_032, MS_030 to that workgroup.
But I don't know how to link this workgroup to my computers, because they are not in System Explorer and this workgroup is not displayed or cannot be assigned in Policy Manager or RMP.

Thank you for your help. Regards,

Nuria

He who asks a question may be a fool for five minutes, but he who never asks a question remains a fool forever
Respected Contributor

Re: Grouping Windows security patches for deploying

My bad. As you were using service groups I made an assumption you were doing internal policy.

How do you assign policy to machines within AD?

One method of grouping patches within AD is to create a security group called patches and then attach all the patches to that.

HTH,

Moaeed
Regular Advisor

Re: Grouping Windows security patches for deploying

Hi Moaeed,

What I have in System Explorer is a class called POLICY.USER.POLUSER.PATCHMGR.ZSERVICE.*. Then I have linked all the patches to the user POLUSER, so when I log in to Policy Server I can select all the patches, including the service group I created. I think the procedure is described in the Policy Server guide. Then Policy Server is connected to RMP (I don't remember very well), so I can assign all my patches and software directly from RMP without using Policy Manager.

This is the way I'm working and for the moment I have no problem. But now, I'm having this problem trying to create this service group for my WXP patches. I don't know why it is taken as Optional when it's configured as Mandatory.

Thank you for your help.

Regards, Nuria
He who asks a question may be a fool for five minutes, but he who never asks a question remains a fool forever
Regular Advisor

Re: Grouping Windows security patches for deploying

Well, I need to add that RMP has a connection with RCS database, so when I select a computer or OU in RMP from Directory and my AD site in Modify Policies I can choose OS Management, Patch Management or Software Management, and there I can manage all my policies.

He who asks a question may be a fool for five minutes, but he who never asks a question remains a fool forever
Honored Contributor

Re: Grouping Windows security patches for deploying

So couldn't you create a Patch_WXP Group/OU/container etc, add policy to it then add users to it?
You wouldn't need the Service Group then.
Respected Contributor

Re: Grouping Windows security patches for deploying

How do you assign the patches to the whole estate?

What I'm suggesting as Roy has mentioned above is to use AD Users and Computers to create a security group and then use the RMP to allocate all your patches to that group.

You can then add your users as members of that security group for them to receive the patches.

So in essence, rather than grouping your patches to a service or workgroup in Radia, you are grouping them in an AD group.

HTH,

Moaeed
Regular Advisor

Re: Grouping Windows security patches for deploying

Hi Roy and Moaeed,

We don't have a policy to assign patches. It's something that I'm trying to establish. For the moment I'm the only person that is administering Radia here and I'm having lots of problems and no other points of view than mine...
Your idea is really good, I was trying to find something negative in this solution, but for the moment I don't find it.
I have created my security group in AD and I have added some computer accounts. In RMP I have assigned some patches to that group, and it's working without problems. I only need to assign all the patches to that group once and later add the computer accounts to that group.

Thank you for this different approach, I never thought that the solution could be easier working with AD. It's nice to know that there are people trying to help.

Have a nice day. Kind regards,

Nuria
He who asks a question may be a fool for five minutes, but he who never asks a question remains a fool forever
Regular Advisor

Re: Grouping Windows security patches for deploying

Hi,

I decided to group patches in a service group because I thought that it was not logical to attach 50 patches or more to one OU, at least for policy visibility. I thought that the idea of a Security group was better but in the end it will give more administrative load in AD.
I don't know how other people work, but for me it would be better to work with a service group, so I'll try to solve the problem with the service group if it's possible.
In other case, I'll have to work in this way.

Kind regards, Nuria
He who asks a question may be a fool for five minutes, but he who never asks a question remains a fool forever
Regular Advisor

Re: Grouping Windows security patches for deploying

Hello,

It is not possible to create a ZSERVICE in Radia System Explorer to group all WXP patches, because patch distribution involves the xml file that is published to the RCS db, the bulletin class, etc. The linkages are complicated.

When a patch service doesn't meet the criteria, it will be marked as optional by the discover_patch service. That was the case of the service that I created to group all WXP patches.

In the end it is not possible to entitle "groups" of patches via Policy manager or RMP.

I'll ask for an enhancement of the product.

Thank you very much for all your ideas.

Regards, Nuria



He who asks a question may be a fool for five minutes, but he who never asks a question remains a fool forever
Regular Advisor

Re: Grouping Windows security patches for deploying

In Policy Manager or RMP the Patch services will need to be entitled one at a time.

It is not possible to entitle "groups" of patches via Policy Manager or RMP.
He who asks a question may be a fool for five minutes, but he who never asks a question remains a fool forever
Honored Contributor

Re: Grouping Windows security patches for deploying

Hi Nuria,

You can use Radia Internal grouping for group patch assignments. You need to create a new group and change some internal policy to achieve this.


Biju
Regular Advisor

Re: Grouping Windows security patches for deploying

Hi Biju,

I can create a group in Radia (Zone -> Groups -> Add Group) but I cannot find the way to assign patches to it. When you said that I need to modify an Internal Policy, what is the internal Policy that I need to modify?

Thank you.

Regards, Nuria

He who asks a question may be a fool for five minutes, but he who never asks a question remains a fool forever
Honored Contributor

Re: Grouping Windows security patches for deploying

Hi,

I am attaching a document with screenshots of the customization done.

Hope this is what you are looking for, grouping based on OS, Service pack level etc.

Biju