LANDesk Management Suite 9 - Tufts University


LANDesk® Management Suite 9.0

Getting started with Patch Manager


INTRODUCTION

This document is intended to assist LANDesk® Management Suite administrators with implementing Security and Patch Manager in their environment for LANDesk® Management Suite 9.0.

SCOPE

This document covers the steps necessary to get started using Patch Manager to patch clients. It also contains a quick reference guide for experienced LANDesk administrators who just need a reminder of the steps required for patching clients.

ASSUMPTIONS

This document is written with the expectation that the LANDesk Core Server has been installed and activated and the workstations have the LANDesk agent installed. Other documents discuss these topics; they are not addressed in this document.

QUICK REFERENCE

This section contains the steps required to set up Patch Manager to patch clients. It is intended to be used by experienced LANDesk administrators as a reference and does not go into detail on the process. The details will be covered later in this document. Following are the steps required to set up Patch Manager:

1. Download patch content to the Core Server through the Download Updates window, which is accessed through the Patch and compliance tool in the LANDesk Management Console.
2. Make sure that all of the vulnerabilities that the clients need to be scanned for are in the Scan folder in the Patch and compliance tool. Only vulnerabilities in the Scan folder will be scanned for on the clients when the Security Scan is executed.
3. Check the Scan and Repair settings assigned to the clients to verify the options have been set correctly for detection. This can be done in the Agent Configuration under Security and Compliance | Patch and Compliance Scan, or in the Patch and Compliance window by clicking the Configure settings toolbar icon and selecting the Scan and repair settings item from the drop-down list.
4. Run a Security Scan on all clients to detect what patches they need.
5. Create and run a repair task to install the patches on the clients. Do not rely solely on the repair task status to determine the success of patching. Continue with the remaining steps to fully determine the success of patching. Note: Only patches that have been detected by a Security Scan on a client can be patched with a repair task. Trying to install a patch that has not been detected on a client will result in the patch failing to install with the message NO_PATCHES_AVAILABLE.
6. Reboot the clients after the patches have installed if any of the patches require a reboot. If a patch requires a reboot, it is not completely installed until the client is rebooted. Failure to reboot the client will result in the patch still being detected as not being installed.
7. Run a Security Scan on all of the clients.
8. Check the Security and Patch information for a specific client to see what patches are still needed, or check the affected computers list for a specific vulnerability to determine which computers still need the patch.
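The verification logic behind steps 5 through 8, as an added example that is not part of the original document or LANDesk's own tooling: it classifies each device/vulnerability pair from the first scan, the repair task status, the reboot list and the follow-up scan. Device names, vulnerability IDs, the record layout and every status string except NO_PATCHES_AVAILABLE are constructed assumptions.

```python
"""Added example: judge patching by the follow-up scan, not by task status.

All names, IDs and the record layout below are constructed for illustration;
this is not a LANDesk export format or API.
"""
from collections import defaultdict

# Step 4: what the first Security Scan detected, per device (constructed).
PRE_SCAN = {
    "PC-01": {"VULN-A", "VULN-B"},
    "PC-02": {"VULN-A"},
    "PC-03": {"VULN-B"},
    "PC-04": {"VULN-A"},
}
# Step 5: repair task status per (device, vulnerability). "SUCCESS" and
# "FAILED" are placeholder strings; NO_PATCHES_AVAILABLE is from the document.
REPAIR_RESULTS = {
    ("PC-01", "VULN-A"): "SUCCESS",
    ("PC-01", "VULN-B"): "SUCCESS",
    ("PC-02", "VULN-A"): "SUCCESS",
    ("PC-02", "VULN-B"): "NO_PATCHES_AVAILABLE",  # never detected on PC-02
    ("PC-03", "VULN-B"): "FAILED",
    ("PC-04", "VULN-A"): "SUCCESS",
}
# Step 6: devices rebooted after the repair task.
REBOOTED = {"PC-01", "PC-03", "PC-04"}
# Step 7: what the follow-up scan still detects. PC-04 never reported back.
POST_SCAN = {
    "PC-01": {"VULN-B"},
    "PC-02": {"VULN-A"},
    "PC-03": {"VULN-B"},
}


def classify(device, vuln, pre_scan, repair_results, rebooted, post_scan):
    """Return the verification outcome for one device/vulnerability pair."""
    status = repair_results.get((device, vuln))
    if status is not None and vuln not in pre_scan.get(device, set()):
        # Repair was attempted for something the scan never detected.
        return "repair_without_detection"
    if device not in post_scan:
        # No follow-up scan: absence of data is not proof of remediation.
        return "rescan_missing"
    if vuln not in post_scan[device]:
        return "remediated"
    if status is None:
        return "not_targeted"
    if status != "SUCCESS":
        return "repair_failed"
    if device not in rebooted:
        # Installed but not complete until the client restarts.
        return "reboot_pending"
    # Task succeeded, client rebooted, vulnerability still detected.
    return "investigate"


def verify_patching(pre_scan, repair_results, rebooted, post_scan):
    """Group every known device/vulnerability pair by outcome (step 8)."""
    pairs = set(repair_results)
    for scan in (pre_scan, post_scan):
        for device, vulns in scan.items():
            pairs.update((device, v) for v in vulns)
    report = defaultdict(list)
    for device, vuln in sorted(pairs):
        outcome = classify(device, vuln, pre_scan, repair_results,
                           rebooted, post_scan)
        report[outcome].append((device, vuln))
    return dict(report)


def false_successes(report, repair_results):
    """Pairs the task reported as successful that are not confirmed fixed."""
    fixed = set(report.get("remediated", []))
    return sorted(p for p, s in repair_results.items()
                  if s == "SUCCESS" and p not in fixed)


if __name__ == "__main__":
    result = verify_patching(PRE_SCAN, REPAIR_RESULTS, REBOOTED, POST_SCAN)
    for outcome, pairs in sorted(result.items()):
        print(f"{outcome}: {pairs}")
    print("reported SUCCESS but unconfirmed:",
          false_successes(result, REPAIR_RESULTS))
```

In the constructed data the repair task reports four successes, but only one of them is confirmed by the follow-up scan.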

DOWNLOAD PATCH CONTENT TO THE CORE SERVER

The following section contains steps

Configure the Download Updates window

Log in to the Management Suite Console.

From the Console, click Tools | Security and Compliance | Patch and Compliance.

Click the Download Updates toolbar icon.

This allows you to select what content to download. Core server licensing will determine what content is available in the Download Updates window. The following figure displays all content that can be downloaded with the full LANDesk Security Suite license.

Select the required Definition types and Languages for the environment. Microsoft Windows Vulnerabilities are the most commonly downloaded vulnerability type. Microsoft Windows Vulnerabilities contain the patches for the Windows Operating Systems as well as the patches for common applications for the Windows Operating System such as Adobe Reader, iTunes and Microsoft Office. Do not check the box for Put new definitions in “Unassigned” group so that all of the definitions are downloaded to the Scan folder.

Proxy Settings

If the company uses a proxy server, the information should be entered on the Proxy Settings tab to allow the content to be downloaded. The vulnerabilities (detection logic) are downloaded from the LANDesk websites. The patches for the vulnerabilities are downloaded from the vendor's website. For example, Microsoft patches are downloaded from Microsoft's websites. Ensure the proxy will allow the Core Server to access the appropriate website to get the patch.

Changing the Patch Location

It is recommended that the download location for patches be left at the default settings. If there is limited space on the drive that the Core Server is installed on, the patch location should be moved. Click the Patch Location tab if the location needs to be moved.

If the patch location is changed, the new location must be set up with the same web settings and folder permissions as the default location. If a UNC path is used for the client access, add the Domain Computers group to the new share with Read access.

Scheduling the download

When all settings have been set, click Apply. Then click the Schedule download button.

Click OK.

Selecting this button will create a scheduled task to update the content that is currently selected. Setting a scheduled task to run nightly will make sure that the content being scanned for is the most current and up to date. If changes are made to what needs to be downloaded, a new scheduled task will need to be created. More than one task can be created, but they must be scheduled to run at different times because only one download (VAMINER.EXE) can run at a time.

Set the appropriate schedule for the download task to run and click Save.

VERIFY VULNERABILITIES ARE IN THE SCAN FOLDER

After the Patch Content has downloaded, check the Scan folder in the Patch and Compliance tool to make sure all appropriate vulnerabilities are in there. Any old or unwanted vulnerabilities can be dragged to the Do Not Scan folder.

SCAN AND REPAIR SETTINGS FOR DETECTION (AGENT BEHAVIOR)

Before starting to scan for vulnerabilities, it is necessary to ensure that the scan configuration is set correctly. Depending on what is licensed, there can be as many as nine different types of vulnerabilities to scan. From the Scan and Repair Settings window, select the types that you want to be scanned. When a scan is initiated on a managed node, an agent behavior needs to be selected so that the scanner knows what to scan. If there is no agent behavior selected, the scanner will scan for the default three types: Vulnerabilities, LANDesk Updates and Custom Vulnerabilities. The Scan and Repair Settings window can be accessed two ways.

From the Patch and Compliance window, click the Configure settings toolbar icon and select the Scan and repair settings item from the drop-down list.

When configuring an agent configuration, click the Security and Compliance | Patch and compliance scan tree item and click the Configure button.

Double-click the Scan and Repair setting assigned to the client in the agent configuration.

The Scan and Repair Settings window has eight pages: General, Scan, Repair, MSI, Reboot, Network, Pilot and Spyware. Only the General, Scan and Pilot pages affect the detection.

General settings page

Most of the settings on the General settings page are self-explanatory, such as Show progress dialog and Allow user to cancel scan. The only option that may need to be changed is CPU utilization when scanning. Adjust the setting to the desired level. Moving the slider bar toward the Low side will reduce the impact on performance of the Security Scan on the client but will also increase the amount of time it takes for the scan to finish. Conversely, moving the slider bar towards the High side will increase the impact on performance of the Security Scan on the client but will also reduce the time it takes for the scan to finish. If the Security Scan is scheduled to run during non-business hours, it would be best to move the slider bar all the way to the High side so the scan can finish as fast as possible. Make any changes required on the General page and then click Scan options.

Scan options page

The Scan options page controls what vulnerabilities are scanned for on the clients. Make sure that the Vulnerabilities, Antivirus updates and LANDesk updates types are selected as a minimum. The Antivirus updates option, when checked, will detect and return information about the antivirus software installed on the client if it is one of the more common antivirus applications (McAfee, Symantec, LANDesk AV, etc.).

The Enable autofix checkbox will only make a difference if vulnerabilities have had autofix enabled in the Patch and Compliance window. Check the Autofix column to see if there is a Yes for any of the vulnerabilities in the Scan folder. Only vulnerabilities in the Scan folder that have a Yes in the Autofix column will be automatically installed. Uncheck the Enable autofix box to prevent any patches from being automatically installed on clients.

Pilot configuration page

Make sure that the Periodically scan and repair definitions in the following group is unchecked. Click Save when all Scan and Repair settings have been adjusted. When a Security Scan is run on the clients, any changes made to the Scan and Repair settings will automatically be downloaded to the client.

RUN A SECURITY SCAN (VULSCAN.EXE) ON ALL CLIENTS

A patch cannot be applied to a computer unless the vulnerability associated with that patch has first been detected on that computer. There are three different ways to run a Security Scan on a computer to detect vulnerabilities. The first two ways are configured from the Agent Configuration tool in the LANDesk Console and should have been configured before deploying the LANDesk agent. The first two methods will not be covered in this document. The security scan should be run on managed nodes at least once a day.

1. When a user logs in.
2. Setting a frequency to be run by the client’s local scheduler service. By default, the Security Scan is set to run once a day in the agent configuration.
3. Create a Security Scan task.

Create a Security Scan Task

In the Patch and Compliance window, click the Create a task icon in the toolbar and select Security Scan from the drop-down list. The Create security scan task window appears.

Click to place a checkmark in the Create a scheduled task checkbox.

From the drop-down list, select the Scan and repair settings that were created or modified in the previous section of this document. Click OK, which will create the task in the Scheduled Tasks window.

Drag computers from All Devices in the Console and drop them on the Security Scan task (Patch and Compliance Scan) in the Scheduled tasks window. Drag all computers that the Security scan needs to be run on to the task.

Right-click the Security Scan task (Patch and Compliance Scan) in the Scheduled tasks window and click Start now to immediately run the Security Scan task. Or, select Properties to schedule a time for the Security Scan to run. It is recommended to run the Security Scan task during non-business hours because the Security Scan will impact the performance of the computer.

CREATE AND RUN A REPAIR TASK

After the Security Scan completes on the clients, it is time to create a repair task to remediate the detected vulnerabilities. Open the Patch and Compliance window in the LANDesk Console.

Right-click My custom groups in the Patch and Compliance window under Groups | Custom groups and select the New Group option.

Enter a name for the new group.

Click on the Detected folder under All Types, which will display a list of all of the vulnerabilities that have been detected as needing to be installed on at least one computer that the Security Scan was run on earlier.

Click on any of the vulnerabilities in the Detected folder and then press CTRL+A, which should select all of the vulnerabilities in the Detected folder.

The lower left corner of the Patch and Compliance window will show the number of vulnerabilities in the Detected folder. Drag and drop all of the vulnerabilities from the Detected folder to the custom group (MyPatchGroup) created previously.

If this message window comes up, click Yes.

Click the custom patch group (MyPatchGroup) and verify that all of the patches were added to the group. The number of vulnerabilities in the group should be equal to or greater than the number in the Detected folder because of dependencies and prerequisites that were automatically added. Look through the vulnerabilities in the patch group and remove any vulnerabilities that you do not want installed on any computers in your environment.

Right-click the custom group and select the Repair option.

If this Repair Information message box comes up, click Yes.

Click the Configure button to open the Configure scan and repair settings window.

Click the New button to create a new scan and repair setting for the repair task.

On the General settings page, enter a name for this scan and repair setting to be used with the repair task. Adjust the slider bar for CPU utilization when scanning if necessary. Moving the bar towards High will increase the amount of CPU VULSCAN.EXE is allowed to use. Change any other settings as necessary for the environment. Click Repair options to switch to the repair options page.

Make sure that the Reboot is already pending box is checked. Adjust other settings as required for the environment. Click MSI information to switch to the MSI information page.

If the original location for the Microsoft Office install files is no longer accessible by the client, enter the UNC path to the Office install files and a username and password that can access them. If you are not sure whether the client can access the original location, leave this page blank and try it. If the Office patches fail, fill in this page and try it again. Click Reboot options to switch to the reboot options page.

Select the appropriate options on the reboot options page to meet the requirements for the environment.

Click Save.

Make sure the new Scan and Repair setting is highlighted and then click Use selected.

Verify that the correct scan and repair setting is shown in the Scan and repair settings box. Then click the Patches tab.

Click on any of the patches in the list and press CTRL+A, which should highlight all of the patches in the list.

Right-click any of the patches and select the Download Patch option. The Downloading Patches window will appear.

Wait for all of the patches to download and click Close when it is done. Then click the General tab. Any patches that are already downloaded will be verified and skipped if the file matches the current vulnerability; otherwise the patch will be redownloaded.

It is recommended to use Repair as a scheduled task (push) so that the patching time can be controlled. For laptops (mobile users), the Repair as policy (pull) is the recommended method for patching the remote device. This is the most effective method since the policy can run when the device connects to the network. Select the Don't add any computers option because the patches should be tested on a few computers first to make sure there are no major problems with the patches. Click OK, which will create the repair task and switch to the Scheduled Tasks window with the repair task highlighted.

Drag a few devices that can be used for testing from the All Devices list and drop them on the repair task in the Scheduled Tasks window. These will be the computers used to test the patch deployment process.

After the test computers have been added to the repair task, right-click the repair task and click Start now to immediately patch the computers, or select the Properties option to set a start time for the task. It is best to patch computers during non-business hours because of the performance impact to the computer while patches are being installed. Wait for the patch repair task to complete and then continue with the next section.

REBOOT THE CLIENTS

Reboot the clients if any of the patches in the repair task require a reboot. Until the client is rebooted, the patch is not completely installed and will still be detected on the clients. This can be done with the reboot task available in the Patch and Compliance window. Open the Patch and Compliance tool.

Select the Reboot option from the Create a task drop-down list. The Create reboot task window appears.

Click to place a checkmark in the Create a scheduled task checkbox. Click the Configure button to create a Scan and repair setting for the reboot task.

Click the New button.

On the General settings page, enter a name for this Scan and Repair setting. Click Reboot options to switch to the reboot options page.

Select the Always reboot option. Select other options as required for this environment. Click Save.

Verify the correct scan and repair setting is highlighted and click Use selected.

Verify the required scan and repair setting shows in the Scan and repair settings box. Click OK, which will create the reboot task and switch to the Scheduled Tasks window with the reboot task highlighted.

Drag the computers which need to be rebooted from All devices and drop them on the reboot task.

Right-click the reboot task and select the Start now option to immediately start the task, or select Properties to set a start time for the task. Wait for the computers to restart before continuing with the next section.

RUN A SECURITY SCAN ON THE CLIENTS THAT WERE PATCHED

Follow the instructions in the section titled "RUN A SECURITY SCAN (VULSCAN.EXE) ON ALL CLIENTS" to run a Security Scan on the computers that were patched.

CHECK SECURITY AND PATCH INFORMATION FOR PATCHED COMPUTERS

Check the Security and Patch information for the patched clients to see what patches are still needed.

Right-click a patched computer under All devices in the console and select the Security and Patch Information option.

All Detected will show all patches that the computer still needs. Repeat the steps in this document until all patches have been installed on the computers.

CONCLUSION

The steps outlined in this document provide the user with the basic information required to get started with Patch Manager in a LANDesk® Management Suite 9.0 environment.

ABOUT LANDESK® SOFTWARE

The foundation for LANDesk’s leading IT management solutions was laid more than 20 years ago. And LANDesk® has been growing and innovating the systems, security, service and process management spaces ever since. Our singular focus and our commitment to understanding customers’ real business needs—and to delivering easy-to-use solutions for those needs—are just a few of the reasons we continue to grow and expand.

LANDesk® pioneered the desktop management category back in 1993. That same year, IDC named LANDesk® the category leader. And LANDesk® has continued to lead the systems configuration space: pioneering virtual IT technology in 1999, revolutionizing large-packet distribution with LANDesk® Targeted Multicast™ technology and LANDesk® Peer Download™ technology in 2001, and delivering secure systems management over the Internet and hardware-independent network access control capabilities with LANDesk® Management Gateway and LANDesk® Trusted Access™ Technology in 2005.

In 2006, LANDesk® added process management technologies to its product line and began integrating the systems, security and process management markets. LANDesk® also extended into the consolidated service desk market with LANDesk® Service Desk, and was acquired by Avocent to operate as an independent division.

Today, LANDesk® continues to lead the convergence of the systems, security, process and service management markets. And our executives, engineers and other professionals work tirelessly to deliver leading solutions to markets around the globe.