Tutorial
Table of Contents
1. Introduction ...3
2. Software deployer ...4
2.1 Preparing the software deployer ...4
2.2 Configuring software deployers ...4
3. Central configuration of patch management ...6
4. Patch Groups ...8
4.1 Creating patch groups ...8
4.2 Group privilege and detailed settings ...9
4.3 Assigning and removing computers from a patch group ...11
5. Preparing client systems ...13
5.1 SDI agent basic configuration ...13
5.2 Activating patch management for client systems ...15
5.3 Deploying SDI Agent ...16
Introduction
1.
The DeskCenter® Management Suite offers you powerful functions for the installation / uninstallation of updates on your client systems and servers.
Using patch management, you are capable of installing updates and patches for your Windows-based operating systems. In addition, updates for other Microsoft products as well as drivers for the hardware on your systems can be downloaded and installed.
There are a few prerequisites for patch management using DeskCenter® Management Studio. The DeskCenter® SDI agent must be installed on all client systems and servers. The SDI agent requires a connection to the central DeskCenter® database.
Moreover, for all client systems and servers, a software deployer must be set up on which all updates are available after download.
Software deployer
2.
Preparing the software deployer
2.1
Software deployers are Windows shares.
In principle, software deployers can be set up on any Windows-based system. However, for large net-works we recommend the use of server systems in order to obtain optimum performance.
Create central folders for your software deployers and authorize them for network access. We recommend the following setup for user access privileges:
Share
Read access for
• “all”
Write access for all
• “authenticated users”, and
Full access for
• “administrators”.
Security
Write access for all
• “authenticated users”, and
Full access for
• “administrators”.
Configuring software deployers
2.2
The configuration of software deployers is carried out in Management Studio.
In the “Options / Software deployers” dialog, you can create, edit, or delete software deployers. A unique name must be assigned to each deployer. Each deployer also needs a path to the correspon-ding network share. Don‘t place a “\” character at the end of this path specification.
Central configuration of patch management
3.
The central configuration of patch management is carried out in Management Studio. To do this, in the
“Software management” view, select “Patch management”.
In the “Patch management” view, the “Additional options/manage software groups” function on the right side of the page takes you the central configuration for patch management.
In the “Settings” view, patch management can be globally activated or deactivated.
The “Download target” field specifies the deployer on which Windows updates are copied after suc-cessful download. If you have more deployers in use, please note that all updates and patches must be copied to this deployer manually.
The “User privileges” menu item is used to specify the privileges the workflow service has to the deplo-yer.
Be sure that the user to be used has read and write privileges to the deployer if you select “Standard user”.
If the access from the workflow service to the Internet is only possible through a proxy server, you can also specify that here. In addition the “Remove unnecessary patches” option can be used to delete patch files that are no longer being used.
If “Just remove files from deployer” is activated , the patch files will only be deleted when approved by the software deployer in use.
The patches remain in the data base.
Patches will then be deleted, if the patch overview for a patch is found to be in the columns “Installed” =
0, “Waiting” = 0, and “Not approved” = 0. If a patch is not installed on a system, nor is it waiting to be
In the “Download” view, set up the settings for download of the update catalog file. This catalog file is needed for the “Offline scan” for updates by individual clients.
You can change the path to this catalog file, but we recommend keeping the default settings.
If you want to restore changed settings, you can restore the default value for the download path using the
“Reset” button at the end of the input line.
The catalog file is downloaded and updated daily. The “Download (hh:mm)” field can be used to set the time for this action.
Patch Groups
4.
Creating patch groups
4.1
In the “Software management/Patch management” view, DeskCenter® Management Studio offers the
“Manage additional options/patch groups” to the right of the screen to manage individual patch groups and their privileges.
In the “Patch groups” menu area, you can create, edit, or delete patch groups. To do this, use the data-base navigation in the lower part of the configuration window.
The “Scan interval” specifies when a client system should check whether new updates are available. The smallest interval that can be selected is once daily. Select the scan type “Offline scan” to use the
catalog file provided on the deployer by the workflow service for the scan.
If “Online scan” is selected, the client connects to the Window Update page on the Internet.
Select the “Global settings” option if you want to use the proxy settings stored in the central configura-tion of patch management.
With the “Reboot immediately” option, you can control the reboot behavior of the client systems in the selected patch group.
If this option is activated, the system automatically carries out a reboot if the patch installed needs it. If the option is deactivated, a window is shown on the system requesting a reboot. The user of the system has the option of rebooting immediately or being reminded to reboot at certain intervals.
Group privilege and detailed settings
4.2
The “Group privileges” function specifies how updates are managed.
No action:
Updates required must be authorized manually for this group. Only after authorization will the workflow service copy the update to the primary deployer.
Download only:
All updates required are copied immediately to the primary deployer by the primary workflow service. The installation requires manual authorization.
Download and installation:
All updates required are copied immediately to the primary deployer by the primary workflow service. After the download is complete, the update is installed immediately.
Detailed settings:
In the “Detailed settings” view, you can break down group permissions for updates more precisely. Here, you can set for each Microsoft product which type of update may be installed and/or downloaded. By right clicking on a classification, you can change the settings for that classification for all products at once.
By right clicking on a product, you can change the settings for all classifications for the selected product. In the “Manual patches” view, all updates are later listed that were manually configured for the selected patch group.
Assigning and removing computers from a patch group
4.3
Assigning computers to a patch group:
In the “Computers in group” tab, you see which computers are in the selected group. Right click on a computer to assign that computer to remove it directly from the patch group.
You can assign computers to a patch group in the system overview of the Management Studios, as well, or remove a computer from a patch group.
Preparing client systems
5.
SDI agent basic configuration
5.1
If the “Manual patch scan” option is activated, you can instruct SDI agent later to carry out a manual patch scan for the system.
You can find detailed information about the individual options for configuration of the SDI agent in the
Activating patch management for client systems
5.2
Before you can use patch management in production, it must be activated for the individual client sys-tems. To do this, the systems must be assigned to the deployer onto which the workflow server copies the updates, and the systems must be assigned to a patch group.
To do this, in the Management Studio system overview, select the systems on which patch management should be activated, and select the “Edit systems” edit function on the right side. Management Studio automatically detects that a multiple selection has been made, and shows the change dialog for a group of systems.
Now, in the “Change computer group” dialog, select the “Primary deployer” and “Patch manage-ment” fields, then switch to the “Settings” view to activate patch management and assign the patch group. Then switch to the “Software deployment” view to assign the corresponding deployer to the selected client systems. Save your changes using the “Change computer group” button.
These settings can already assigned to systems during registration.
Deploying SDI Agent
5.3
If it is not yet deployed, install SDI Agent on your client systems. The deployment of SDI Agent is carried out using Management Studio.
To do this, in the computer overview, select all the systems on which SDI Agent should be installed. Then select the “Install SDI Agent” function on the right side of the screen.
If you need support for alternative options for deployment of the SDI agent, please contact our support department.
You can find more detailed information about installation of the SDI agent on client systems in the “Basics of software deployment” tutorial.
Patch details
6.
After a patch scan has been carried out and it is determined that a system requires a certain patch, or a certain patch is already installed on a system, Management Studio gives you the option in the “Software management” area‘s “Patch management” view of displaying more detailed information about that specific patch.
The “Edit patch” function takes you to a more detailed view of the selected patch.
In the “Details” view, the detailed information about a patch is shown. The “Status” field in the lower table can be used to configure the manual status of an update for that patch group.
Group privilege:
The group privilege for this update is used. The current group privilege can be found in the middle co-lumn.
More information about the group privilege can be found in ChapterGroup privilege and detailed settings
of this tutorial.
Install:
The update is downloaded and installed independently of the group privilege of the selected patch group.
Do not install:
The update is not permitted to install for the selected patch group.
Uninstall:
The “Not installed” view lists all the computers for which the selected update is available but not yet installed. The fields “Group privilege” and “Status” show you whether the selected update has been approved for the patch group of this computer.
