Walkthrough: Setting up and managing an online patch catalog for Windows
This topic walks you through the process of creating a patch catalog for Microsoft Windows patches.
The goal of this topic and the corresponding walkthroughs is to demonstrate how system administrators can organize patch information in BSA by setting up a central location for storing metadata about a type of patch. These locations are known as patch catalogs. By creating patch catalogs customized to your needs, you can more easily select the patches you want to evaluate on servers.
What is a patch catalog?
A patch catalog provides a place to store metadata about patches and the patch payloads themselves. Patch catalogs can be designed for specific needs. For example, a patch catalog can be used for a particular operating system, such as Microsoft Windows 2008 or 2012. With well-designed patch catalogs, it is easier to select the patches that should be used when evaluating the patch configuration of a particular server.
What does this walkthrough show?
This walkthrough shows how to use the BSA Patch Catalog wizard to create a job that:
- Runs in "online mode" so it will obtain patch metadata from the Shavlik network
- Uses filters to limit the amount of information added to the catalog
- Sets up notifications for the administrator in charge of Windows patching
- Runs on a recurring schedule to obtain the latest patch information
After setting up the patch catalog job, the walkthrough demonstrates how to set up a patch smart group (Windows Bulletins newer than 10 days and Vendor Impact equals Critical). This smart group can be used as an include filter during a Patching Job so that the job determines only whether the patches in the group are missing from the target server(s).
What do I need to do before I get started?
For this walkthrough, you need various authorizations. You can log in and perform these tasks as BLAdmin, the BSA superuser, but BMC recommends a more restrictive approach to granting authorizations. Ideally, you should set up a role that is granted only the authorizations needed for patch management. For example, the walkthrough instructs you to use PatchingUser, an example role for patch administration. To learn how to restrict access, see Walkthrough: Restricting permissions for a patching administrator.
How to set up and manage a patch catalog for Windows
Optionally, you can schedule a job to execute immediately, schedule a job at a specific time in the future, schedule a job on a recurring basis, and define notifications that are issued when a job runs. Scheduling is not essential because you can also trigger a Catalog Update Job manually. In production environments, however, BMC recommends that you schedule the job to ensure that a catalog always has the most recent patches. In this example, we set up the job to run immediately and also to run on the first Tuesday of every month afterwards.
Updating the patch catalog is an important task, so if there's a problem, someone will want to know about it. For email notifications to be sent, a mail server must be configured for the Application Server. This step is only required if you want to receive a notification email when this job runs.
Optionally, you can define default notifications that are generated when a job completes. If you have set up notifications for a particular scheduled job, those notifications are generated instead of default notifications.
You can specify a list of properties automatically assigned to a job. In this list, you can modify the value of any properties that are defined as editable.
You can add individual permissions to a job. You can also set permissions by adding ACL templates or ACL policies. ACLs control access to all objects, including the sharing of objects between roles.
Create a patch smart group for security patches.
Wrapping it up
Congratulations. You have set up a job that creates a patch catalog for Microsoft Windows 2008. The catalog is created in the Depot. The job will run weekly and obtain the latest patch information from Shavlik. You have also learned how to create a patch catalog smart group so you can easily group all patches that are less than 10 days old and have a vendor impact of critical.
Where to go from here
Now that you have a serviceable patch catalog, it is time to use it to measure your Windows servers for patch compliance. See Walkthrough: Basic Microsoft Windows patch analysis.