• Spaces
  • Collections
  • Help
    • ×
     
     
    •  
    Server Automation Documentation

    Page tree

    This topic walks you through the process of creating a patch catalog for Microsoft Windows patches.

    This topic includes the following sections:

    Introduction

    This topic is intended for system administrators. The goal of this topic is to demonstrate how to organize patch information by setting up a central location for storing metadata about a type of patch. BSA calls these locations patch catalogs. By creating patch catalogs customized to your needs, it becomes easier to select the patches you want to evaluate on servers.

    What is a patch catalog?

    A patch catalog provides a place to store metadata about patches and the patch payloads themselves. Patch catalogs can be designed for specific needs. For example, a patch catalog can used for a particular operating system, such as Microsoft Windows 2008 or 2012. With well designed patch catalogs, it is easier to select the patches that should be used when evaluating the patch configuration of a particular server.

    What does this walkthrough show?

    This walkthrough shows how to use the BSA Patch Catalog wizard to create a job that:

    • Runs in "online mode" so it will obtain patch metadata from the Shavlik network
    • Uses filters to limit the amount of information added to the catalog
    • Sets up notifications for the administrator in charge of Windows patching
    • Runs on a recurring schedule to obtain the latest patches information.

    After setting up the patch catalog job, the walkthrough demonstrates how to set up a patch smart group (Windows Bulletins newer than 10 days and Vendor Impact equals Critical). This Smart Group can be used as a include filter during a Patching Job to determine if only the patches is the group are missing from the target server(s) (link to walk through on running a patching job)

    What do I need to do before I get started?

    For this walkthrough, you need various authorizations. You can log in and perform these tasks as BLAdmin, the BSA superuser, but BMC recommends a more restrictive approach to granting authorizations. Ideally, you should set up a role that is granted only the authorizations needed for patch management. To learn how to restrict access, see Walkthrough: Restricting permissions for a patching administrator.

    How to create a patch catalog for Windows

     StepExample screen
    1
    1. Log on as PatchingUser.
      See Walkthrough: Restricting permissions for a patching administrator to learn more about setting up a user with authorizations for patching.
    2. Expand the Depot folder and navigate to a subfolder where you want to create a patch catalog.
    3. Right-click the subfolder and select New > Patch Catalog > Windows Patch Catalog.

    2

    The New Patch Catalog wizard opens. 

    For Name, enter a name for the patch catalog you are creating. For example, enter Windows 2008 Patch Catalog.

    3
    1. Click Next.
      The Windows Catalog page appears. On this page we specify the Windows patch information that we want to obtain for this patch catalog. For a complete list of the options, see Patch catalog - Windows Catalog.
    2. For Repository Location (NSH Path), enter a location on a Windows platform where patch information can be stored. This location must have ample free space–typically many gigabytes. Enter the location using a Network Shell-style path.
    3. Make sure that Network URL Type for Payload Deployment is set to Copy To Agent At Staging.
      This setting means BSA copies patch payloads from a NSH location to a staging directory on the target server when you are deploying patches.
      You can also use the Agent mounts source for direct use at deployment (no local copy) option to have the target directly map the location and run the patch installs from that location.
    4. For this example, we will skip the RBAC Policy section.
      This option can be used to apply permissions to patch objects added to the catalog, so that other roles can have some level of access to the patches.
    5. Click Add Filter and make the following settings on the Add Windows Filter dialog box to specify a filter that will include all Windows Server 2008 Patches.
      1. Select Microsoft Windows Server 2008.
      2. Select English.
      3. Click OK.
    4
    1. Click Next.
      The Notifications page appears. On this page we set up a notification so that this job sends an emails if the job fails for some reason. Updating the patch catalog is a pretty important task, so if there's a problem, someone will want to know about it. For email notifications to be sent, a mail server must be configured for the Application Server.
    2. Select Send email to.
    3. Enter an email address of someone to be notified if this Patch Catalog job fails.
    4. Check Failed.
    5
    1. Click Next.
      The Schedules page appears. On this page we set up the job to run immediately and then to run on Tuesday every week afterwards.
    2. Select Execute job now to indicate the job should run as soon as you finish the wizard, to get some data added to the catalog.
    3. Click New Schedule and define the a job schedule. In this example, we want to schedule it to update Tuesday evenings at 5 PM. You may want to use a different time, day, or even update less often.
      1. Click Weekly.
      2. Select Tuesday.
      3. Enter a time, such as 17:00.
      4. Click OK.
    6

    Click Finish.

    The patch catalog job starts running. You can watch its progress on the Tasks in Progress pane. 

    7
    1. In the Depot, right-click the catalog, and select Open.
      The pane at right show the definition of the patch catalog job.
    2. Click the Results tab. 
      A green check indicates the job ran successfully. 
    8

    Create a patch smart group for Windows Bulletins that are less than 10 days old and have a vendor impact of critical.

    1. Right-click the patch catalog you just created and select New > Patch Catalog Smart Group.
      A wizard for creating smart groups opens.
    2. For Name, enter a name for the patch catalog smart group, such as Production Windows Patch Policy.
    3. In the list of conditions, take the following steps:
      1. In the first column, select Windows Bulletin.
      2. In the second column, select Date Posted
      3. In the third column, select Newer than days.
      4. In the fourth column, set the number of days to 10.
        Taken together, the row should read "Any Windows Bulletin where DATE_POSTED is newer than days 10." 
      5. In the fifth column, select AND.
      6. Click Apply Changes .
    4. Click Add New Condition . Double-click the row representing the new condition and enter the following information:
      1. In the first column, select Windows Bulletin.
      2. In the second column, select Vendor Impact.
      3. In the third column, select equals.
      4. In the fourth column, select Critical.
        Taken together, the row should read "Any Windows Bulletin where VENDOR_IMPACT equals Critical." 
    5. Click Finish.
      A new smart group collects all patches that are newer than 10 days and critical. 

    Wrapping it up

    Congratulations. You have set up a job that creates a patch catalog for Microsoft Windows 2008. The catalog is created in the Depot. The job will run weekly and obtain the latest patch information from Shavlik. You have also learned how to create a patch catalog smart group so you can easily group all patches that are less than 10 days old and have a vendor impact of critical.

    Where to go from here

    Now that you have a serviceable patch catalog it is time to use it to measure your Windows servers for patch compliance. See Walkthrough: Basic Microsoft Windows patch analysis.

    © Copyright 2005-2024 BMC Software, Inc. Use of this site signifies your acceptance of BMC’s Terms of Use . BMC, the BMC logo, and other BMC marks are assets of BMC Software, Inc. These trademarks are registered and may be registered in the U.S. and in other countries.