Page tree
Skip to end of metadata
Go to start of metadata

This topic provides an overview of patch management in BMC Server Automation, and introduces the set of tasks required to prepare for, set up, and execute patch management jobs.

Patch management overview

Patch management refers to the acquisition, testing, and installation of patches.

The patch administrator analyzes individual servers to determine which patches must be acquired and installed to comply with organizational standards. BMC Server Automation automates the process of building and maintaining a patch repository, analyzing target servers, and, if necessary, packaging and deploying patches. At the end of the process, reports are available to show compliance.


  • BMC recommends that you set up a small test group of servers and run the patch process on the group. Then, expand the process to all servers in the organization.
  • (Windows patching only) VMware Update Agent (VUM) uses the same stPatchAssessment.dll file that is used by Shavlik Protect Patch Engine. If you install the VMWare Update Agent on a machine with an RSCD agent, it unregisters the stPatchAssessment.dll file and you cannot perform patching on the target.

Supported platforms for patch management

The patch management feature in BMC Server Automation supports the following operating systems:

For detailed information about supported operating systems and versions, see the BMC Solution and Product Availability and Compatibility Utility.


Patch management is supported for HP-UX and CentOS using an external tool called Vendor Patch Content (VPC). VPC is included as part of BMC Server Automation. For more information, see Performing HP-UX or CentOS patch analysis using Vendor Patch Content.

An additional, separate VPC package is provided for patch management on Solaris 11. For more information, see Performing script-based patch analysis for Solaris 11.

Supported platforms for storing the patch repositories of patch catalogs

Patch catalog

Supported platforms for storing patch repositories


Any Windows or Linux server

Red Hat Enterprise Linux (RHEL)

Based on the version of RHEL patching you are performing, the supported patch repository platforms are as follows: 

For RHEL 6 or earlier: Any RPM-based Linux server

For RHEL 7: Red Hat Enterprise Linux 6 or Red Hat Enterprise Linux 7

Oracle Enterprise Linux

Any RPM-based Linux server
SUSE Linux

The repository server can be any Linux server. However some SUSE-specific patches need to be stored only on a SUSE repository.

BMC strongly recommends that you use a SUSE Linux server for storing the patch repository.


Any AIX server


Any Windows or Linux server

Note: If you are using Solaris 11 patches, you can only use a Solaris 11 server for storing the patch repository.


Any Windows or Linux server


Any Windows or Linux server
Cent OSAny Linux server
FujitsuAny Windows or Linux server
HP-UXIf you are using the offline patch downloader you can use any Windows or Linux server to store the patch repository. However, if you are using the VPC method you must store the patch repository only on a HP-UX server.

Offline and online modes

BMC Server Automation includes two patch management modes:

  • Online mode — Patches are downloaded directly from the appropriate product site.
  • Offline mode — Patches are pre-downloaded to a local repository and patches are applied from the repository.

Use Offline mode if you work in an air-gapped environment, where the BMC Server Automation Application Server does not have external Internet access. In Offline mode, you use the BMC offline Patch Downloader utility to download metadata and payload information to a server with Internet access. After downloading, you can transfer the metadata and payload information (using removable storage) to the patch repository within the air-gapped environment.

The Patch Downloader utilities run scripts that use XML configuration files (samples are provided) containing required information such as the repository location, as well as filters used during downloading from the vendor website.

Patch management workflow

Patch management consists of the following tasks:

  1. Preparatory tasks
    1. Defining role-based permissions
    2. Configuring Global Configuration parameters
    3. (Windows only) Defining the location of Microsoft Windows installation media for Microsoft Office patch deployment
  2. (Offline mode only) Building an offline patch repository
    1. Downloading patch downloader utilities from BMC
    2. Preparing XML configuration files for downloading patch content
    3. Downloading patches to the offline patch repository
  3. Patching tasks
    1. Creating and updating a patch catalog
    2. Creating and running a Patching Job and a Remediation Job

These tasks are described in more detail in the following table:



Preparatory tasks


Defining role-based permissions

To create or update a catalog, you must be assigned a role that includes the necessary permissions. To facilitate division of responsibilities, you can assign permissions to one role or divide them between several roles.

For a list of the required permissions, see Minimum permissions for patching.

For details about assigning roles and permissions, see Managing Authorizations.

For a list of the required permissions for creating Patching Jobs and for deploying patches, see Minimum permissions for patching.

Configuring Global Configuration parameters

Global Configuration parameters provide basic information used during patch catalog creation and updating, as well as for Patch and Remediation Jobs. The following parameter groups are available:

  • All Operating Systems — Configuration parameter options for a proxy server.
  • Platform-specific groups for each platform (such as Windows and Solaris) — Parameters that apply only to that specific platform type
  • Shavlik URL Configuration — Configuration for connecting to Shavlik Technologies to download patch-related metadata for patching Windows software.

    For details about the global configuration parameters, see Global Configuration parameter list.

Defining the location of Microsoft Windows installation media for Microsoft Office patch deployment

(Windows only) To deploy Microsoft Office patches, BMC Server Automation must have access to a network location containing installation media for Microsoft Office. Because target servers can run different versions of Microsoft Office, you might need to specify a different location for each target server or smart group.

For details about defining locations of Microsoft Office patch media, see Defining location of Microsoft Windows installation media for Microsoft Office patch deployment.

Building an offline patch repository


(Offline mode only)


Obtaining the Patch Downloader utilities from BMC

From the BMC EPD site, download the appropriate utilities for building your offline repository. The utilities are platform-specific. You must know which platform you plan to use to download your patches.

For details, see Downloading patch downloader utilities.

Preparing XML configuration files for downloading patch content

Use the utilities that you downloaded from the BMC EPD site to prepare the XML configuration files for downloading the patch content.

For details, in Offline Patch Downloader utility.

Downloading patches to the offline patch repository

To download the patch content, use the utilities that you downloaded from the BMC EPD site and the XML configuration files that you prepared.

For details, see the appropriate section for the platform type that you want to patch in Offline Patch Downloader utility.


Creating and updating a patch catalog

For both types of repositories, online and offline, you create a patch catalog using the BMC Server Automation Console. Patches are added to the catalog as depot objects according to filters that you define for the catalog.

To ensure that you are working with valid patch content, you must run a Catalog Update Job before you run a Patch Job.

For details, see Creating a patch catalog.

Creating and running a Patching and Remediation Job

A Patching Job has two parts:

  • Analysis — Analyzes the configuration of target servers and determines the required patches.
  • Remediation —
    1. Downloads the payload from the vendor sites to the Patch Repository
    2. Packages the payload as a BLPackage
  • Creates a Deploy Job to apply the patches 

    You can choose to run only the Analysis part of a Patching Job, and then run Remediation later, or you can run Remediation immediately after the Analysis. 

    For details about Patching Jobs, see Creating a Patching Job. For details about running Remediation Jobs separately, see Manually remediating servers.

Where to go from here

See Preparatory tasks to set up the patch management environment prior to building an offline patch repository (if you are using offline mode) or creating a patching catalog.