This topic walks you through the process of using BMC BladeLogic Server Automation (BSA) to analyze the Microsoft Windows systems in your environment to see if there are systems that require patches and updates.
This topic is intended for system administrators. The goal of this topic is to demonstrate how to perform basic patch analysis for Windows systems using BSA.
- Patch analysis is the process of figuring out which systems need which patches.
- Patch remediation is delivering those fixes to the operating system or application, and is described in a different walkthrough.
BSA supports analysis, download, and deployment of patches for all of the major operating systems. See "Patch management support" under Supported platforms for version 8.7.
What is patch management?
Patch management refers to the acquisition, testing, and installation of patches to ensure that servers are always in compliance with organizational policies.
Due to the number of servers being managed, multiplied by the vast amount of patches released by the software and OS vendors, patch management has become one of the most time consuming tasks for many IT organizations. BSA automates the process of building and maintaining a patch repository, analyzing target servers, and, if necessary, packaging and deploying patches. At the end of the process, reports are available to show compliance.
What does this walkthrough show?
This walkthrough shows how to use a Patch Analysis Job to identify missing critical patches on Windows 2008 servers. The Patch Analysis Job created in the walkthrough:
- Is based on an existing patch catalog
- Uses a single include list based on the patch smart groups set up in the Setting up and managing a patch catalog for Windows walkthrough.
- Does not create "remediation artifacts," which are created in a later walkthrough
- Sets up notifications for the administrator in charge of Windows patching
- Runs on a recurring schedule to obtain the latest patches
The walkthrough also shows how to view Patch Analysis results for Windows 2008 systems and to determine which critical patches need to be applied.
What do I need to do before I get started?
- For this walkthrough, you need various authorizations. You can log in and perform these tasks as BLAdmin, the BSA superuser, but BMC recommends a more restrictive approach to granting authorizations. Ideally, you should set up a role that is granted only the authorizations needed for patch management. To learn how to restrict access, see Walkthrough: Restricting permissions for a patching administrator.
- You must have also created a patch catalog (described in a separate walkthrough).
How to patch Windows systems
Create the Patching Job.
- In the BSA console, under Jobs, navigate to an existing folder or create a new folder for your Windows Patching Job. The examples in this procedure use the folder structure Jobs > Patch Analysis Jobs > Windows Patch Analysis.
- Right-click Windows Patch Analysis, and select New > Patching Jobs > Windows Patching Job.
Define the general settings on the New Windows Patching Job General panel.
- In the Name field, provide a name for this job.
- Optionally, in the Description field, describe the job.
- Verify that the auto-populated value in the Save in field is where you want to store this job. You can browse to another location if necessary.
- In the Specify a Catalog field, browse to a patch catalog in the Depot folder. An updated catalog must already exist. (See Creating and updating patch catalogs.)
- Under Number of Targets to Process in Parallel, select the number of systems on which you want the analysis job to run simultaneously. This frequently requested option lets you throttle job execution and so control the load on the BSA application server and the network. You will find this Parallelism option in many BSA jobs.
- Click Next.
Define the analysis options for the job.
In this panel, you specify a group of patches and/or hotfixes to be included in the job, or a list of your own.
This example creates a Windows Patching Job that uses two previously created smart groups, which select Windows bulletins and hotfixes that are newer than 10 days and have a vendor impact of critical.
- Select List.
Note: You do not need to add an exclude item for irrelevant patches, because they are already excluded by default by the Shavlik analyzer, the engine BSA uses to perform patch analysis on Windows.
- Click Add New Include/Exclude.
The Include/Exclude Selection dialog box opens.
- At the bottom of the panel, select Include.
- Select the smart group (in this example, Production Windows Patch Policy), and click the arrows to add the smart group to the box on the right.
- Add any additional smart groups (in this example, Production Windows Hotfix Policy).
- Click OK.
- When you finish specifying analysis options, click Next.
On the Remediation Options tab, you define what to do when a target is found to be out of compliance with the patch catalog. If needed, BSA can create the BLPackages and Deploy Jobs automatically as part of the Patching Job.
- Ensure that the Create remediation artifacts field is cleared. In this example, you are running an analysis-only process at this point. You can ignore the other fields on this window.
- Click Next.
On the Targets panel, select the servers that are the targets of this Windows Patching Job.
- In the left panel, navigate to a server smart group or to an individual server.
- Click the > button to move the selection from the left panel to the right panel.
- Continue to select groups or servers until you have a complete list of servers for the analysis.
- Click Next.
On the Default Notifications panel, configure the default notification settings. The defaults are used for all runs of this job unless you override them with notification settings for a scheduled job.
This example sends an e-mail to the patch administrator for any targets that have failed analysis, and attaches the detailed patch analysis results to the e-mail.
The Schedules page appears.
On this page, you set up the job to run immediately and then to run every Wednesday afterwards, during the maintenance window. (The patch catalog used by the job is updated every Tuesday.)
- Select Execute job now to indicate the job should run as soon as you finish the wizard.
- Click New Schedule and define a job schedule. In this example, the job is scheduled to run on Wednesday mornings at 1 AM, during the maintenance window. You may want to use a different time or day, or run the job less often.
- Click Weekly.
- Select Wednesday.
- Enter a time, such as 1:00.
- Click Finish.
This example uses the defaults for the remaining two wizard panels, Properties and Permissions.
Once the job starts to execute, the Tasks in Progress pane appears and shows you which tasks are running at this moment on this BSA application server. In a typical BSA production environment you will see many jobs running at the same time performing many different tasks.
To show the Tasks in Progress pane in full screen mode, double-click the Tasks in Progress tab. This gives you more room to expand the columns in the pane. To return the view to its original size, double-click the tab again.
Wait for the job to finish and click Refresh if needed.
To view the results of the Patching Job:
- Right-click the Patching Job in the folder under the Jobs folder.
- Select Show Results.
Identify the servers with missing patches or hotfixes.
- Expand Server View.
- Click Successful Targets.
The right panel shows a summary of the job results, including the numbers of missing patches and hotfixes for each server.
Identify the missing patches or hotfixes.
- Expand Successful Targets.
- Click a server. The right panel lists the specific missing patches or hotfixes for that server.
In our example, there are a number of critical hotfixes that have been identified for the server.
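The analysis the job performs, as described in the Define the analysis options step and the result views above, can be modelled outside the console to make the logic explicit: the include list is the union of two smart groups applied to the catalog, and each target's missing patches are the included patches it does not have installed. The following is an added example written for this page and is not BSA or Shavlik code; the catalog, server names and patch identifiers are constructed, and it assumes that "newer than 10 days" means released within the last 10 days of the analysis date.

```python
"""Model of a Windows patch analysis run: filter a patch catalog with two
include-list smart groups, then report which targets miss which patches.
Constructed example, not BSA code; all patch ids and servers are made up."""
from dataclasses import dataclass
from datetime import date, timedelta


@dataclass(frozen=True)
class Patch:
    patch_id: str    # constructed id such as "BULLETIN-001"; not a real bulletin
    kind: str        # "bulletin" or "hotfix"
    severity: str    # vendor impact rating as published in the catalog
    released: date


# Constructed catalog standing in for the Depot patch catalog.
CATALOG = [
    Patch("BULLETIN-001", "bulletin", "Critical", date(2015, 6, 2)),
    Patch("BULLETIN-002", "bulletin", "Important", date(2015, 6, 2)),
    Patch("BULLETIN-003", "bulletin", "Critical", date(2015, 3, 10)),
    Patch("HOTFIX-101", "hotfix", "Critical", date(2015, 6, 5)),
    Patch("HOTFIX-102", "hotfix", "Moderate", date(2015, 6, 5)),
    Patch("HOTFIX-103", "hotfix", "Critical", date(2015, 1, 20)),
]

# Constructed inventory: patch ids already installed on each target server.
TARGETS = {
    "win2008-app01": {"BULLETIN-001", "BULLETIN-003", "HOTFIX-103"},
    "win2008-app02": {"BULLETIN-003", "HOTFIX-103"},
    "win2008-db01": {"BULLETIN-001", "BULLETIN-003", "HOTFIX-101", "HOTFIX-103"},
}

ANALYSIS_DATE = date(2015, 6, 10)  # fixed so the run is reproducible


def smart_group(catalog, kind, severity, max_age_days, today):
    """Catalog entries of one kind and severity released within max_age_days.
    Assumption: "newer than 10 days" means released in the last 10 days."""
    cutoff = today - timedelta(days=max_age_days)
    return {p for p in catalog
            if p.kind == kind and p.severity == severity and p.released >= cutoff}


def include_list(catalog, today):
    """Union of the two include entries: critical bulletins and critical hotfixes."""
    return (smart_group(catalog, "bulletin", "Critical", 10, today)
            | smart_group(catalog, "hotfix", "Critical", 10, today))


def analyze(targets, include):
    """Per-target result: included patches whose id is not installed,
    split by kind and sorted, like the per-server view of the job results."""
    results = {}
    for server, installed in targets.items():
        missing = [p for p in include if p.patch_id not in installed]
        results[server] = {
            "bulletin": sorted(p.patch_id for p in missing if p.kind == "bulletin"),
            "hotfix": sorted(p.patch_id for p in missing if p.kind == "hotfix"),
        }
    return results


def summary(results):
    """Server View style counts: {server: (missing bulletins, missing hotfixes)}."""
    return {s: (len(r["bulletin"]), len(r["hotfix"])) for s, r in results.items()}


def servers_missing(results, patch_id):
    """Cross-server view: which targets are missing one particular patch."""
    return sorted(s for s, r in results.items()
                  if patch_id in r["bulletin"] or patch_id in r["hotfix"])


def run(catalog=CATALOG, targets=TARGETS, today=ANALYSIS_DATE):
    return analyze(targets, include_list(catalog, today))


if __name__ == "__main__":
    res = run()
    for server, (nb, nh) in summary(res).items():
        print(f"{server}: {nb} missing bulletin(s), {nh} missing hotfix(es)")
    for server, r in res.items():
        for kind in ("bulletin", "hotfix"):
            for pid in r[kind]:
                print(f"  {server} is missing {kind} {pid}")
```

In the constructed data, only BULLETIN-001 and HOTFIX-101 satisfy both smart groups; the older critical entries fall outside the 10-day window and the non-critical ones fail the severity test, which is why an analysis job reports far fewer items than the catalog contains. The same hotfix shows up as missing on two of the three servers, mirroring the situation the walkthrough describes before remediation.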
Optionally, you may want to examine the properties of a patch or a hotfix before choosing to apply it to your servers.
- Right-click one of the missing patches or hotfixes and select Open Patch to see all the information the OS vendor has published about that patch, including the install command and, if the patch supports rollback, the uninstall command.
- Select the Extended Properties Tab. This tab includes all the information about this patch, including links to the Knowledge Base articles, and so on.
As this patch fixes a potential security vulnerability, and is missing on both servers, we will apply this patch to remediate the servers in the next walkthrough (Basic patch remediation).
Wrapping it up
We have seen how BSA manages the analysis of patches for the Microsoft Windows operating system. Now that you have all information regarding the patch level of the servers, you can decide to remediate them by packaging and deploying the missing patches and hotfixes to the servers.
Where to go from here
Walkthrough: Basic patch remediation
The following BladeLogic ZipKit provides a pre-configured component template that performs a number of actions to determine patch readiness on Windows systems:
Blade ZipKit - Component Template with Remediation - Patch Readiness for Windows