Walkthrough: Basic Microsoft Windows patch analysis
This topic walks you through the process of using BMC BladeLogic Server Automation (BSA) to analyze the Microsoft Windows systems in your environment to see if there are systems that require patches and updates.
This topic is intended for system administrators. The goal of this topic is to demonstrate how to perform basic patch analysis for Windows systems using BSA.
- Patch analysis is the process of figuring out which systems need which patches.
- Patch remediation is delivering those fixes to the operating system or application, and is described in a different walkthrough.
BSA supports analysis, download, and deployment of patches for all of the major operating systems (see Patch management support for a complete list of supported platforms and versions).
What is patch management?
Patch management refers to the acquisition, testing, and installation of patches to ensure that servers are always in compliance with organizational policies.
Because of the number of servers being managed, multiplied by the vast number of patches released by software and OS vendors, patch management has become one of the most time-consuming tasks for many IT organizations. BSA automates the process of building and maintaining a patch repository, analyzing target servers, and, if necessary, packaging and deploying patches. At the end of the process, reports are available to show compliance.
What does this walkthrough show?
This walkthrough shows how to use a Patch Analysis Job to identify missing critical patches on Windows 2008 servers. The Patch Analysis Job created in the walkthrough:
- Is based on an existing patch catalog
- Uses a single include list based on the patch smart groups set up in the Setting up and managing a patch catalog for Windows walkthrough.
- Does not create "remediation artifacts," which are created in a later walkthrough
- Sets up notifications for the administrator in charge of Windows patching
- Runs on a recurring schedule to obtain the latest patches
The walkthrough also shows how to view Patch Analysis results for Windows 2008 systems and to determine which critical patches need to be applied.
What do I need to do before I get started?
- For this walkthrough, you need various authorizations. You can log in and perform these tasks as BLAdmin, the BSA superuser, but BMC recommends a more restrictive approach to granting authorizations. Ideally, you should set up a role that is granted only the authorizations needed for patch management. To learn how to restrict access, see Walkthrough: Restricting permissions for a patching administrator.
- You must also have created a patch catalog (described in a separate walkthrough).
How to patch Windows systems
Create the Patching Job.
Define the general settings on the New Windows Patching Job General panel.
Define the analysis options for the job.
In this panel, you specify a group of patches and/or hotfixes to be included in the job, or a list of your own.
This example creates a Windows Patching Job that uses two previously created smart groups that look for Windows Bulletins and hotfixes newer than 10 days and with a vendor impact of critical.
On the Remediation Options tab, you define what to do when a target is found to be out of compliance with the Patch Catalog. BSA can create the BLPackages and Deploy Jobs automatically as part of the Patching Job, if needed.
On the Targets panel, select the servers that are the targets of this Windows Patching Job.
On the Default Notifications panel, configure the default notification settings. The defaults are used for all runs of this job unless you override them with notification settings for a scheduled job.
This example sends an email to the patch administrator for any targets that have failed analysis, and appends detailed patch analysis results to the email.
The Schedules page appears.
On this page we set up the job to run immediately and then to run every Wednesday afterwards, during the maintenance window. (The patch catalog used by the job is updated every Tuesday.)
This example uses the defaults for the remaining two wizard panels, Properties and Permissions.
Once the job starts to execute, the Tasks in Progress pane appears and shows you which tasks are running at this moment on this BSA application server. In a typical BSA production environment you will see many jobs running at the same time performing many different tasks.
To show the Tasks in Progress pane in full screen mode, double-click the Tasks in Progress tab. This gives you more room to expand the columns in the pane. To return the view to its original size, double-click the tab again.
Wait for the job to finish and click Refresh if needed.
To view the results of the Patching Job:
Identify the servers with missing patches or hotfixes.
The right panel shows a summary of the job results, including the numbers of missing patches and hotfixes for each server.
Identify the missing patches or hotfixes.
In our example, there are a number of critical hotfixes that have been identified for the server.
Optionally, you may want to examine the properties of a patch or a hotfix before choosing to apply it to your servers.
As this patch fixes a potential security vulnerability, and is missing on both servers, we will apply this patch to remediate the servers in the next walkthrough (Basic patch remediation).
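The analysis this walkthrough performs through the console can be modeled in a few lines. The following is an added example, not BSA code or a BSA API: it builds an include list the way the smart groups are described (critical vendor impact, recent release), compares it with each server's installed patches, and keeps targets that failed analysis separate so they are never read as compliant. Patch IDs, server names and dates are constructed placeholders, and "newer than 10 days" is assumed to mean released within the last 10 days.

```python
from datetime import date, timedelta

# Constructed sample data: patch IDs, dates and server names are placeholders.
TODAY = date(2024, 1, 17)
CATALOG = [
    {"id": "HOTFIX-A", "released": date(2024, 1, 9), "impact": "Critical"},
    {"id": "HOTFIX-B", "released": date(2024, 1, 12), "impact": "Critical"},
    {"id": "HOTFIX-C", "released": date(2024, 1, 10), "impact": "Important"},
    {"id": "HOTFIX-D", "released": date(2023, 12, 1), "impact": "Critical"},
]
# None models a target whose analysis failed (for example, agent unreachable).
INVENTORY = {
    "win2008-01": {"HOTFIX-B", "HOTFIX-D"},
    "win2008-02": {"HOTFIX-D"},
    "win2008-03": None,
}

def include_list(catalog, today, max_age_days=10, impact="Critical"):
    """Smart-group style filter: recent patches with the given vendor impact.
    Assumption: 'newer than 10 days' means released within the last 10 days."""
    cutoff = today - timedelta(days=max_age_days)
    return {p["id"] for p in catalog
            if p["impact"] == impact and p["released"] >= cutoff}

def analyze(inventory, wanted):
    """Return (missing patches per server, targets that failed analysis)."""
    missing, failed = {}, []
    for server, installed in sorted(inventory.items()):
        if installed is None:
            failed.append(server)  # reported separately, never counted as compliant
            continue
        missing[server] = sorted(wanted - installed)
    return missing, failed

def missing_everywhere(missing):
    """Patches absent from every successfully analyzed server."""
    sets = [set(m) for m in missing.values()]
    return sorted(set.intersection(*sets)) if sets else []

if __name__ == "__main__":
    wanted = include_list(CATALOG, TODAY)
    missing, failed = analyze(INVENTORY, wanted)
    for server, patches in missing.items():
        print(f"{server}: {len(patches)} missing {patches}")
    print("failed analysis (notify patch administrator):", failed)
    print("missing on all analyzed servers:", missing_everywhere(missing))
```

A target that appears in the failed list has an unknown patch level, which is why the walkthrough's notification on failed analysis matters as much as the missing-patch counts.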
Wrapping it up
We have seen how BSA manages the analysis of patches for the Microsoft Windows operating system. Now that you have all the information regarding the patch level of the servers, you can decide to remediate them by packaging and deploying the missing patches and hotfixes to the servers.