ScriptLogic® Patch Authority Ultimate™ 7.8
Administration Guide
ScriptLogic Patch Authority Ultimate 7.8 Administration Guide
Copyright © 2011 ScriptLogic Corporation.
All rights reserved.
No part of this document may be reproduced or retransmitted in any form or by any
means electronic, mechanical, or otherwise, including photocopying and recording for
any purpose other than the purchaser’s personal use without written permission of
ScriptLogic Corporation.
ScriptLogic Corporation
6000 Broken Sound Parkway NW
Boca Raton, Florida 33487-2742
1.561.886.2400
www.scriptlogic.com
Trademark Acknowledgements
ScriptLogic Patch Authority Ultimate and the ScriptLogic Corporation logo are either
trademarks or registered trademarks of ScriptLogic Corporation. Microsoft, Windows,
and Microsoft Baseline Security Analyzer are registered trademarks of Microsoft
Corporation.
All other trademarks, tradenames, or images mentioned herein belong to their
respective owners.
Updated 22 February 2011
DOCUMENTATION CONVENTIONS
Typeface Conventions
Bold
Indicates a button, menu selection, tab, dialog box title, text to type,
selections from drop-down lists, or prompts on a dialog box.
CONTACTING SCRIPTLOGIC
ScriptLogic may be contacted about any questions, problems or concerns you
might have at:
ScriptLogic Corporation
6000 Broken Sound Parkway NW
Boca Raton, Florida 33487-2742
561.886.2400 Sales and General Inquiries
561.886.2450 Technical Support
561.886.2499 Fax
www.scriptlogic.com
SCRIPTLOGIC ON THE WEB
ScriptLogic can be found on the web at www.scriptlogic.com. Our web site
offers customers a variety of information:
• Download product updates, patches and/or evaluation products.
• Search Frequently Asked Questions, for the answers to the most common non-technical issues.
• Participate in Discussion Forums to discuss problems or ideas with other users and ScriptLogic representatives.
• Locate product information and technical details.
• Find out about Product Pricing.
• Search the Knowledge Base for Technical Notes containing an extensive collection of technical articles, troubleshooting tips and white papers.
Contents
WELCOME TO SCRIPTLOGIC PATCH AUTHORITY ULTIMATE
SYSTEM REQUIREMENTS
CONSOLE
CLIENTS (AGENTLESS)
CLIENTS RUNNING PATCH AUTHORITY ULTIMATE AGENT
PORT REQUIREMENTS
INSTALLATION AND SETUP
INSTALLING THE PREREQUISITES
Automatic Installation
Manual Installation
SQL SERVER PRE-INSTALLATION NOTES
PERFORMING A NEW INSTALLATION
SQL SERVER POST-INSTALLATION NOTES
Manually Configuring a Remote SQL Server to Accept Machine Account Credentials
Allowing Other Users Access to the Program
Performing Periodic Maintenance on the Database
GETTING STARTED
Starting Patch Authority Ultimate
Activating Patch Authority Ultimate
Running the Setup Wizard
Version and License Information
User and Version Information
Version Log
How Licenses are Tracked
Navigating the Interface
Major Program Functions
About the Patch Authority Ultimate Home Page
Menu Commands
Toolbar Buttons
Editing the Database Description
For Data Rollup Configurations
Help System
Command-line Option
USING MACHINE GROUPS
About Machine Groups
About the My Test Machines Group
Creating Machine Groups
Working with a Machine Group
Machine Group Dialog: Top Section
Machine Group Dialog: Middle Section
Machine Group Dialog: Bottom Section
ADDING MACHINES TO A MACHINE GROUP
Adding Machines by Name to a Machine Group
Adding an Individual Machine Name
Importing Machine Names From an External Source
Adding Domains to a Machine Group
Adding an Individual Domain Name
Importing Domain Names From an External Source
Adding Machines by IP Address to a Machine Group
Adding an Individual IP Address
Adding a Range of IP Addresses
Importing IP Addresses from an External Source
Adding Organizational Units to a Machine Group
Adding an Individual Organizational Unit
Importing OUs From an External Source
Defining Nested Groups
ADDING VIRTUAL MACHINES TO A MACHINE GROUP
How to Add Virtual Machines to a Machine Group
Adding Virtual Machines Hosted by a Server
Logging on to an ESX or Virtual Infrastructure Server
Adding Offline Virtual Machines That Reside On Workstations
Viewing Servers and Virtual Machines in a Machine Group
Excluding Certain Machines
Linking Files to a Machine Group
Supplying Credentials for Machines
To Individual Machines in a Machine Group
To All Machines in a Machine Group
Credential Priorities
When Local Machine Credentials will be Used
Supplying Credentials for Virtual Machines
USING FAVORITES
Creating Favorites
Performing Actions on a Favorite
USING ROLE-BASED ADMINISTRATION
How Role-Based Administration Works
Assigning User Roles
Enabling and Disabling Role-Based Administration
Enabling Role-Based Administration
Disabling Role-Based Administration
Determining the Currently-Assigned Role
QUICK START INFO FOR LIMITED USERS
WHAT IS PATCH AUTHORITY LIMITED?
HOW TO USE THE LIMITED PROGRAM
HOW TO SCAN YOUR OWN MACHINE
HOW TO PERFORM A SCAN OF MULTIPLE MACHINES
ACCESSING THE FULL CAPABILITIES OF THE PROGRAM
QUICK START INFO FOR ALL USERS
HOW DO I GET STARTED SCANNING AND PATCHING?
HOW DO I AUTOMATE SCHEDULED PATCHING?
HOW DO I TRACK DEPLOYMENT STATUS?
Tracking Patch Deployments
Monitoring Post-patch Machine Status
HOW DO I DOWNLOAD APPROVED PATCHES?
HOW DO I SET UP AND MONITOR AGENTS?
HOW DO I COLLECT DATA FOR TECHNICAL SUPPORT?
Installation Log Files
Program Log Files
HOW DO I USE A DISTRIBUTION SERVER?
HOW DO I GENERATE REPORTS?
QUICK START INFO FOR VIRTUAL MACHINES
VIRTUAL MACHINE OVERVIEW
Online Virtual Machines
Offline Virtual Machines
VIRTUAL MACHINE TEMPLATES
NOTES ABOUT VIRTUAL MACHINES
NOTES ABOUT VIRTUAL MACHINE TEMPLATES
TASKS FOR VIRTUAL MACHINES AND VIRTUAL MACHINE TEMPLATES
Patch Tasks
PATCH MANAGEMENT OVERVIEW
WHAT SETS PATCH AUTHORITY ULTIMATE APART FROM THE OTHERS?
Features
Security and Integrity
SCANNING ENGINE OVERVIEW
Enumerating Machines
Determining Patch Status
File Version Analysis
Determining Patch Supersedence
Identifying Explicitly Installed Patches
Identifying Effectively Installed Patches
PERFORMING PATCH SCANS
Patch Scanning Overview
Scans Are Performed As Background Tasks
Scanning Considerations
Scanning Prerequisites
Special note regarding Simple File Sharing
Performing a Scan of the Local Machine
Performing Domain Scans
Scanning a Machine Group
Scanning a Favorite
Scheduling Scans Using the Run Patch Scan Dialog
Monitoring a Scheduled Patch Task
Monitoring a Patch Scan
Scan History
Scan Options Menu
PATCH SCAN TEMPLATES
About Patch Scan Templates
Predefined Patch Scan Templates
Creating or Editing a Patch Scan Template
Specifying a Default Patch Scan Template
Managing a Patch Scan Template
PATCH GROUPS
About Patch Groups
Creating and Editing a Patch Group
Alternate Patch Group Creation Methods
Using a Patch Group
SCANNING FOR SELECT THIRD-PARTY APPLICATIONS
About Third-Party Applications
How to Scan for Third-Party Applications
INTERPRETING PATCH SCAN RESULTS (SCAN VIEW)
Accessing Patch Scan Results (Scan View)
Navigating the Scan View Grid
Customizing the Column Headers
USING THE TOP PANE
Scan View Scan Summary
Machine Group Information is Dynamic
Searching for Machines in the Top Pane
Tips for Using the Search Tool
Using Smart Filter
Default Filters
Custom Filters
Example
Performing Actions on Machines
USING THE MIDDLE PANE
Viewing Patch Summaries in Scan View
Performing Actions on Patches
USING THE BOTTOM PANE
Viewing Patch Information
Viewing Machines That Are Missing A Selected Patch
Viewing the List of Machines That Contain the Selected Patch
DOWNLOADING PATCHES
Downloading Patches and Service Packs
Downloading Non-English Language Patches
Downloading Non-English Language Patches Individually
Patch Downloads Are Performed As Background Tasks
DEPLOYING PATCHES
Patch Deployment Overview
Patch Deployment Prerequisites
Patch Deployment Security
Testing the Deployment
Deploying One or More Patches to a Machine
Deploying All Missing Patches to a Machine
Deploying Patches to Multiple Machines
Deploying Third-Party Applications
Deploying Patches to Virtual Machines and Virtual Machine Templates
Deploying Service Packs
Deploying a Service Pack to a Single Machine
Deploying by Criticality
Deploying Patches to All Members of a Domain
Automatically Deploying Patches
Scheduling and Configuring a Deployment
Monitoring the Deployment
Tips for Monitoring Patch Deployments to Virtual Machines
Viewing Deployment Results
Canceling a Deployment
Deployment History
DEPLOYMENT TEMPLATES
About Deployment Templates
Creating or Editing a Deployment Template
Deployment Template: General Tab
Deployment Template: Office Tab
Deployment Template: Pre-Deploy Reboot Tab
Deployment Template: Post-Deploy Reboot Tab
Deployment Template: E-Mail Tab
Deployment Template: Custom Actions Tab
Deployment Template: Distribution Servers Tab
Deployment Template: Hosted VMs/Templates Tab
Deployment Template: Used By Tab
Managing a Deployment Template
USING DEPLOYMENT TRACKER
About the Deployment Tracker
About the Deployment Tracker Dialog
Canceling a Task
UNINSTALLING PATCHES
Uninstall From a Single Machine ............................................................................................................................ 180
Uninstall From Multiple Machines .......................................................................................................................... 181
INTERNATIONAL LANGUAGE PATCH SUPPORT ................................................................................................182
About International Patches.......................................................................................................................182
Accessing Language Support Options ........................................................................................................182
Creating a Foreign Machine Group...........................................................................................................183
CREATING CUSTOM PATCH XML FILES ..........................................................................................................184
Overview of the Custom Patch XML Process.............................................................................................184
Creating a New Custom XML File .............................................................................................................185
Creating a Custom Product........................................................................................................................186
Creating a Custom Bulletin ........................................................................................................................189
Creating a Custom Patch ...........................................................................................................................190
Patch Scan Information Tab.......................................................................................................................191
Patch Deployment Information Tab ...........................................................................................................196
Saving and Validating Your Changes.........................................................................................................197
Changing a Custom XML File....................................................................................................................198
Specifying Which Custom XML Files to Use ..............................................................................................198
Removing a Custom XML File................................................................................................................................ 199
Viewing Custom Patches and Products......................................................................................................200
USING PATCH VIEW ........................................................................................................................................201
About Patch View .......................................................................................................................................201
Accessing Patch View.................................................................................................................................201
Navigating Patch View ...............................................................................................................................202
Modifying the Look of Patch View..............................................................................................................202
Customizing the Patch View Column Headers ...........................................................................................203
USING THE TOP PANE ......................................................................................................................................204
Understanding the Top Pane......................................................................................................................204
Searching Patch View.................................................................................................................................205
Tips for Using the Search Tool................................................................................................................................ 205
Filtering Patch View...................................................................................................................................205
Custom Filters.......................................................................................................................................................... 205
Example................................................................................................................................................................... 206
Performing Actions on Patches ..................................................................................................................207
Right-Click Menu .................................................................................................................................................... 207
Keyboard Shortcuts ................................................................................................................................................. 208
USING THE BOTTOM PANE ..............................................................................................................................209
Viewing Patch Details ................................................................................................................................209
Viewing Machines That Are Missing A Selected Patch ..............................................................................210
Viewing the List of Machines That Contain the Selected Patch .................................................................210
USING MACHINE VIEW...............................................................................................................................211
About Machine View...................................................................................................................................211
Accessing Machine View ............................................................................................................................211
Navigating Machine View ..........................................................................................................................212
Customizing the Column Headers ..............................................................................................................213
USING THE TOP PANE .....................................................................................................................................214
Machine View Top Pane Summary.............................................................................................................214
Understanding Patch Count Data ..............................................................................................................216
Machine Group Information is Dynamic....................................................................................................217
Searching for Machines in the Top Pane ...................................................................................................217
Tips for Using the Search Tool................................................................................................................................ 217
Using Smart Filter to Filter Information in the Top Pane..........................................................................218
Default Filters .......................................................................................................................................................... 218
Custom Filters.......................................................................................................................................................... 218
Example................................................................................................................................................................... 219
Performing Actions on Machines ...............................................................................................................220
Right-Click Menu .................................................................................................................................................... 220
Keyboard Shortcuts ................................................................................................................................................. 222
USING THE MIDDLE PANE ...............................................................................................................................222
Viewing Patch Summaries in Machine View ..............................................................................................222
Performing Actions on Patches ..................................................................................................................223
Right-Click Menu .................................................................................................................................................... 223
Keyboard Shortcuts ................................................................................................................................................. 224
USING THE BOTTOM PANE ..............................................................................................................................225
Viewing Patch Information.........................................................................................................................225
Viewing Machines That Are Missing A Selected Patch ..............................................................................226
Viewing the List of Machines That Contain the Selected Patch .................................................................227
Typical Uses of Machine View ...................................................................................................................227
VIEWING SUMMARIES AND MACHINE PROPERTIES .........................................................................................228
Manage Items .............................................................................................................................................228
Accessing Machine Properties ...................................................................................................................229
Managing Individual Machine Properties..................................................................................................229
Managing Multiple Machine Properties ....................................................................................................230
USING THE OPERATIONS MONITOR .................................................................................................................232
About the Operations Monitor....................................................................................................................232
USING THE SCHEDULED TASKS MANAGER......................................................................................................233
About the Scheduled Tasks Manager..........................................................................................................233
Installing and Uninstalling the ScriptLogic Scheduler...............................................................................235
CONFIGURING PROGRAM OPTIONS ..................................................................................................................236
Configuration Options Overview................................................................................................................236
Display Options ..........................................................................................................................................236
Notification and Warning Options..............................................................................................................238
Definition Download Options.....................................................................................................................239
Patch Download Options............................................................................................................................241
Default Credential Options ........................................................................................................................244
Patch Language Options ............................................................................................................................245
Scan Options...............................................................................................................................................246
Deployment Options ...................................................................................................................................247
Scheduling Options.....................................................................................................................................248
Agent Options .............................................................................................................................................249
Logging Options .........................................................................................................................................251
Proxy Options.............................................................................................................................................252
E-mail Options............................................................................................................................................253
Arrivals/Data Rollup Options.....................................................................................................................254
SENDING E-MAIL REPORTS AND NOTIFICATIONS ............................................................................................256
E-mail Overview.........................................................................................................................................256
Populating the Address Book .....................................................................................................................256
Defining a New Contact .......................................................................................................................................... 257
Defining a New E-mail Group................................................................................................................................. 257
Deleting an Existing Contact or Group.................................................................................................................... 257
Automatically Sending E-Mail Reports and Notifications..........................................................................258
Templates ................................................................................................................................................................ 258
Machines and Machine Groups ............................................................................................................................... 258
Manually Sending E-Mail Reports and Notifications.................................................................................258
From Scan View ...................................................................................................................................................... 259
From Patch Deployment Results ............................................................................................................................. 259
From the Report Viewer Window............................................................................................................................ 259
RUNNING IN DISCONNECTED MODE ................................................................................................................260
Enabling Disconnected Mode.....................................................................................................................260
Managing Data Files in Disconnected Mode .............................................................................................260
File Locations .......................................................................................................................................................... 260
REPORTS .........................................................................................................................................................261
Available Reports .......................................................................................................................................261
Report Gallery ............................................................................................................................................263
Pick a Report ........................................................................................................................................................... 263
Pick Filtering Options.............................................................................................................................................. 263
View the Report....................................................................................................................................................... 264
Generating a Report from a Data Rollup Console ................................................................................................... 264
Advanced Filtering .....................................................................................................................................264
Exporting Reports.......................................................................................................................................265
USING DISTRIBUTION SERVERS .......................................................................................................................266
Why Use a Distribution Server? .................................................................................................................266
Determining How Many Distribution Servers to Use.................................................................................266
Do You Need a Distribution Server? ....................................................................................................................... 266
If You Need Distribution Servers, How Many?....................................................................................................... 267
Configuring a New or Existing Distribution Server ...................................................................................267
Configuring System Account Permissions ..................................................................................................271
Assigning IP Addresses to Distribution Servers .........................................................................................272
Synchronizing Distribution Servers............................................................................................................274
Creating a Status Report .......................................................................................................................................... 274
Manually Synchronizing Selected Distribution Servers with Patches ..................................................................... 275
Manually Synchronizing Selected Distribution Servers with Engines and Definitions ........................................... 275
Manually Synchronizing All Distribution Servers................................................................................................... 276
Automatically Synchronizing All Distribution Servers ........................................................................................... 276
MANAGING MULTIPLE CONSOLES ........................................................................................................277
WHY USE MULTIPLE CONSOLES? ...................................................................................................................277
DATA ROLLUP CONFIGURATION .....................................................................................................................278
What is a Data Rollup Console Configuration?.........................................................................................278
Implementing a Data Rollup Configuration ...............................................................................................278
On the Central Console............................................................................................................................................ 278
On Each Remote Console ........................................................................................................................................ 279
Watching For Data Rollup Activity ............................................................................................................279
UNATTENDED CONSOLE CONFIGURATION ......................................................................................................280
What is an Unattended Console Configuration? ........................................................................................280
Implementing an Unattended Console Configuration ................................................................................281
On the Distribution Server....................................................................................................................................... 281
On Each Unattended Console .................................................................................................................................. 281
Ongoing Maintenance.............................................................................................................................................. 282
DISCONNECTED CONSOLE CONFIGURATION....................................................................................................282
What is a Disconnected Console Configuration?.......................................................................................282
Tasks Performed by the Central Console................................................................................................................. 283
Tasks Performed by the Remote Consoles............................................................................................................... 283
Configuring the Central Console in a Disconnected Configuration ..........................................................284
I. Configure the Data Rollup Service....................................................................................................................... 284
II. Set Up a Distribution Server ............................................................................................................................... 284
III. Update the Distribution Server with the Latest Files ......................................................................................... 284
Configuring the Remote Consoles in a Disconnected Configuration .........................................................285
I. Configure the Data Rollup Service....................................................................................................................... 285
II. Set Up a Distribution Server ............................................................................................................................... 285
III. Create a Machine Group of the Machines at This Site....................................................................................... 285
IV. Specify Where to Download Files ..................................................................................................................... 285
V. Create a Patch Scan Template............................................................................................................................. 286
VI. Create a New Favorite and Schedule a Periodic Scan ....................................................................................... 286
Multiple Console Configuration with Agents .............................................................................................287
AGENT OVERVIEW ......................................................................................................................................288
AGENTLESS VS. AGENT-BASED SOLUTIONS.....................................................................................................288
Agentless Solution ......................................................................................................................................288
Agent-based Solution..................................................................................................................................288
Patch management ................................................................................................................................................... 288
Summary.....................................................................................................................................................289
Agentless ................................................................................................................................................................. 289
Agent-based ............................................................................................................................................................. 289
When Should I Use Agentless and Agent-based Solutions?........................................................................289
For Patch Management Tasks.................................................................................................................................. 289
What Exactly is Patch Authority Ultimate Agent?.....................................................................................290
How the Agent Process Works....................................................................................................................291
PREPARING TO USE PATCH AUTHORITY ULTIMATE AGENT ............................................................................292
I. (Optional) Set Up and Synchronize a Distribution Server.................................................................................... 292
II. Create and Configure a Patch Authority Ultimate Agent Policy ......................................................................... 292
III. Install the Agent on the Desired Machines ........................................................................................................ 292
How to Install Patch Authority Ultimate Agent from the Console .............................................................293
For Machines That Have Been Previously Scanned ................................................................................................ 293
For Machines That Have Not Been Previously Scanned ......................................................................................... 294
MANUALLY INSTALLING PATCH AUTHORITY ULTIMATE AGENT ....................................................................295
Requirements ..............................................................................................................................................295
Installation Procedure................................................................................................................................296
Creating and Using a Manual Installation Script
Troubleshooting Agent Installation Errors
USING THE AGENT MANAGER
MONITORING PATCH AUTHORITY ULTIMATE AGENT
Determining Which Machines Have Patch Authority Ultimate Agent
Ongoing Maintenance Tasks
Using an Agent on a Machine
Administrator Tools within the Client Program
Uninstalling Patch Authority Ultimate Agent
Uninstalling Patch Authority Ultimate Agent from Machines
Uninstalling Patch Authority Ultimate Agent from Connected Machines
Manually Uninstalling Patch Authority Ultimate Agent from Machines
CONFIGURING AN AGENT POLICY
Creating a New Patch Authority Ultimate Agent Policy
Configuring General Settings for a Patch Authority Ultimate Agent Policy
Creating a New Patch Task
SERVICE PACK GROUPS
About Service Pack Groups
Notes About Service Pack Groups
Creating and Editing a Service Pack Group
Using a Service Pack Group
Copy, Delete, or Rename a Service Pack Group
DATABASE MAINTENANCE
REPORTING ERRORS AND CHECKING FOR POSSIBLE SOLUTIONS
CHECK ONLINE FOR A SOLUTION
PRIVACY AND SECURITY CONCERNS
OBTAINING SUPPORT
INDEX
Welcome to ScriptLogic Patch Authority Ultimate
Welcome to Patch Authority Ultimate, a unified IT management platform used
for managing and protecting Microsoft-based machines. Patch Authority
Ultimate provides you with one centralized and common interface that you
can use to perform several essential IT management functions.
ScriptLogic Corporation's industry-leading patch management function
provides the ability to scan all Microsoft-based machines in your network and
assess the current patch status of those machines. After a scan is performed
you can generate reports that provide additional details about the patch
"health" of each machine. Patch Authority Ultimate can then be used to easily
and automatically bring each machine up-to-date. You simply instruct the
program to download and deploy the desired patches to the machines of your
choosing. You can even dictate when the deployment will occur and if and
when each machine should be restarted. In addition, Patch Authority Ultimate
can provide e-mail alerts that notify you when patches are available and it
can e-mail the results of scans and other information you wish to share with
selected users.
The patch management function can be performed with or without agents.
This unique blending of agentless and agent-based technologies gives you
maximum flexibility while minimizing management overhead.
System Requirements
CONSOLE
Restrictions
• A FAT file system cannot be used on a console machine
• If you install the console on a domain controller that uses LDAP certificate
  authentication, you may need to configure the server to avoid conflict
  issues between the SSL certificate and the Patch Authority Ultimate
  program certificate. There is no easy way to configure this on a Windows
  Server 2003-based domain controller and this combination is not
  recommended for use as a console.
Processor
• Minimum: Pentium 4
• Recommended: 2.0 GHz CPU (multi-core machine if more than 1000 seat
  license)
Memory
• Minimum: 1 GB of RAM
• Recommended: 2 GB of RAM (4 GB if more than 1000 seat license)
Video
• 1024 x 768 screen resolution or higher (1280 x 1024 recommended)
Disk Space
• 100 MB for application
• 2 GB or more for patch repository
Operating System (one of the following)
Note: Patch Authority Ultimate supports 32- and 64-bit versions of the listed
operating systems for both console and target systems.
Minimum
• Windows XP Professional, SP3 or later (SP2 or later if using 64-bit version)
• Windows Vista, SP1 or later, Business, Enterprise, or Ultimate Edition
• Windows Server 2003 Family, SP2 or later
Recommended
• Windows 7, Professional, Enterprise, or Ultimate Edition
• Windows Server 2008 Family, excluding Server Core
• Windows Server 2008 Family R2, excluding Server Core
Database
• Use of a SQL Server database (SQL Server 2005, SQL Server 2005
  Express Edition, SQL Server 2008, or SQL Server 2008 R2 Express
  Edition) is required. If you do not have a SQL Server database, the option
  to install SQL Server 2008 R2 Express Edition will be provided during the
  prerequisite software installation process.
  Note: SQL Server 2000 is not supported for use as a back-end database.
• Size: 1.5 GB
Prerequisite Software
• MSXML 6.0 SP2 Hotfix (only required on console machines using Windows
  Vista SP1 or earlier)
• Windows Installer 4.5 or later (only required if installing SQL Express 2008
  during Patch Authority Ultimate installation)
• Use of Microsoft SQL Server 2005, SQL Server 2005 Express Edition, SQL
  Server 2008, or SQL Server 2008 R2 Express Edition
• SQL Native Client or SQL 2008 Native Client
• Microsoft .NET Framework 4.0 or later
Windows Account Requirements
• In order to access the full capabilities of Patch Authority Ultimate, you
  must run under an account with administrator privileges
CLIENTS (AGENTLESS)
Browser
• Internet Explorer 5.5 or later required to receive patch deployments
Operating Systems (any of the following)
• Windows 2000 Professional
• Windows 2000 Server
• Windows 2000 Advanced Server
• Windows 2000 Datacenter Server
• Windows 2000 Small Business Server
• Windows XP Professional
• Windows XP Tablet PC Edition
• Windows XP Embedded
• Windows Server 2003, Enterprise Edition
• Windows Server 2003, Standard Edition
• Windows Server 2003, Web Edition
• Windows Server 2003 for Small Business Server
• Windows Server 2003, Datacenter Edition
• Windows Vista, Home Basic Edition
• Windows Vista, Home Premium Edition
• Windows Vista, Business Edition
• Windows Vista, Enterprise Edition
• Windows Vista, Ultimate Edition
• Windows 7, Home Premium Edition
• Windows 7, Professional Edition
• Windows 7, Enterprise Edition
• Windows 7, Ultimate Edition
• Windows Server 2008, Standard
• Windows Server 2008, Enterprise
• Windows Server 2008, Datacenter
• Windows Server 2008, Standard - Core
• Windows Server 2008, Enterprise - Core
• Windows Server 2008, Datacenter - Core
• Windows Server 2008 R2, Standard
• Windows Server 2008 R2, Enterprise
• Windows Server 2008 R2, Datacenter
• Windows Server 2008 R2, Standard - Core
• Windows Server 2008 R2, Enterprise - Core
• Windows Server 2008 R2, Datacenter - Core
Virtual Machines (offline virtual images created by any of the following)
• VMware ESX Server 3.0 or later
• VMware ESXi 3.0 or later
• VMware vCenter (formerly VMware VirtualCenter) 2.0 or later
• VMware Workstation 4.0 or later
• VMware Player
Configuration Requirements
• Remote Registry service must be running
• Simple File Sharing must be turned off
• Server service must be running
• NetBIOS (TCP 139) or Direct Host (TCP 445) ports must be accessible
• When deploying patches on Windows Vista or later operating systems, the
  Windows Update service Startup type must be set to either Manual or
  Automatic.
Disk Space (for patch program)
• Free space equal to five times the size of the patches being deployed
Supported Languages (for patch program)
• Arabic, Chinese (Simplified), Chinese (Traditional), Czech, Danish, Dutch,
  English, Finnish, French, German, Greek, Hebrew, Hungarian, Italian,
  Japanese, Korean, Norwegian, Polish, Portuguese (Brazil), Portuguese
  (Portugal), Russian, Spanish, Swedish, Thai, Turkish
CLIENTS RUNNING PATCH AUTHORITY ULTIMATE AGENT
Processor
• 500 MHz or faster CPU
Memory
• Minimum: 256 MB RAM
• Recommended: 512 MB RAM or higher
Disk Space
Note: FAT file systems are not supported on agent machines.
• 30 MB for Patch Authority Ultimate Agent client
• 500 MB or more for patch repository
Operating Systems (any of the following)
• Windows 2000 SP4 or later (with Windows Installer 3.1 or the latest
  version supported by Windows 2000)
• Windows XP SP2 or later
• Windows Vista Family
• Windows 7 Family
• Windows Server 2003 Family
• Windows Server 2008 Family
• Windows Server 2008 Family R2
Prerequisite Software
• MSXML 3.0 or later
PORT REQUIREMENTS
These are the default port requirements. The port numbers are configurable.
Inbound Ports (Basic NAT Firewall)
TCP 80
TCP 135
TCP 139 OR TCP 445
Client System
X
X
Console System
Distribution Server
TCP 3121
TCP 4155
TCP 5120
X (For listening agents)
X
TCP 443
X
X
X
X
X
Outbound Ports (Highly Restricted Network Environment)
TCP 80
TCP 139 OR TCP 445
TCP 3121
Client System
X (For agents)
X
X
X (For agents)
Console System
X
X
X
Distribution Server
TCP 5120
UDP 9
X
X (For error reporting)
Installation and Setup
INSTALLING THE PREREQUISITES
Automatic Installation
The prerequisites can be automatically installed during the Patch Authority
Ultimate installation.
Manual Installation
If you prefer to download and install the prerequisites yourself, you may do
so using the following URLs.
Windows Installer 4.5
http://www.microsoft.com/downloads/details.aspx?FamilyID=5a58b56f-60b6-4412-95b9-54d056d6f9f4
.NET Framework 4.0
http://www.microsoft.com/downloads/en/details.aspx?FamilyID=9cfb2d51-5ff4-4491-b0e5-b386f32c0992&displaylang=en
SQL Server 2008 R2 Express Edition (needed only if you don't already have a full
edition of SQL Server)
http://www.microsoft.com/express/Downloads/
SQL 2008 Native Client (if using SQL Server 2008)
English
http://download.microsoft.com/download/0/E/6/0E67502A-22B4-4C47-92D3-0D223F117190/sqlncli.msi (x86)
http://download.microsoft.com/download/A/D/0/AD021EF1-9CBC-4D11-AB51-6A65019D4706/sqlncli.msi (x64)
French
http://download.microsoft.com/download/2/1/2/212DDFE2-3F12-44A1-A96C-42AB89F951D2/sqlncli.msi (x86)
http://download.microsoft.com/download/6/8/B/68BD0291-CED3-4538-B6CB-10978DC4ED9C/sqlncli.msi (x64)
German
http://download.microsoft.com/download/0/9/7/0971CDDD-AE32-44F1-9075-4547E24ED463/sqlncli.msi (x86)
http://download.microsoft.com/download/7/7/B/77B0D929-34B5-4020-83D7-4F28CD2336C3/sqlncli.msi (x64)
Japanese
http://download.microsoft.com/download/D/C/D/DCD9DA3A-8736-467F-AD1F-B91F4FF4F5D6/sqlncli.msi (x86)
http://download.microsoft.com/download/8/7/F/87FAA8FF-9152-4ADA-9E7A-38375728FFFE/sqlncli.msi (x64)
If your language is not listed the 'Microsoft SQL Server Native Client'
download is part of the collection found at:
http://www.microsoft.com/downloads/details.aspx?FamilyID=b33d2c78-1059-4ce2-b80d-2343c099bcb4&displaylang=en
MSXML 6.0 SP2
The English version is provided in the installation package and does not need
to be downloaded. If you have a non-English operating system, use the Web
to find the Microsoft hotfix identified by KB960064.
SQL SERVER PRE-INSTALLATION NOTES
Patch Authority Ultimate will store all scan and patch deployment results in an
SQL Server database. The SQL Server backend enables real-time
collaboration and knowledge management amongst all individuals responsible
for performing patch management tasks. Some of the benefits to using the
SQL Server database include:
• High performance when scanning either a handful of machines or many
  machines
• Storage of data on a remote machine
• Ability for multiple Patch Authority Ultimate consoles to share templates,
  comments, reports, and scan results
Before installing Patch Authority Ultimate please review the following SQL
Server notes:
• Microsoft SQL Server 2005, SQL Server 2005 Express Edition, SQL Server
  2008, or SQL Server 2008 R2 Express Edition is required.
• If you do not have SQL Server, Microsoft SQL Server 2008 R2 Express
  Edition will be installed for you on the console machine by the Patch
  Authority Ultimate installation process.
• If you will be using Microsoft SQL Server 2008 R2 Express Edition you
  should consider downloading and installing Microsoft SQL Server
  Management Studio Express. This free software can be used to perform
  backups and to manage your database.
• Installation of SQL Express may fail if you have a SQL Native Client
  previously installed. It is strongly recommended you uninstall SQL Native
  Client using Add or Remove Programs before running the installation
  program.
• You must have access to the specified SQL Server. The program will
  support either Windows authentication or SQL Server authentication to
  access the specified SQL server. Although administrative access is not
  required, this account does need permissions to create and populate the
  product database on the specified SQL Server. In addition, the Patch
  Authority Ultimate console machine background services must be able to
  access the SQL Server. All background services run using the LocalSystem
  account on the console, so use the machine account when defining the
  console login account on SQL Server.
  Note: For security purposes, ScriptLogic Corporation recommends using
  Windows authentication where possible. For information on configuring a
  remote SQL Server to accept Windows authentication credentials from the
  Patch Authority Ultimate console, see SQL Server Post-Installation Notes.
• In order to create the database, the user account you specify during the
  installation process must be assigned the db_owner role.
• If you are using SQL Server 2005 or 2008 on a remote machine, you must
  configure the server to allow remote connections. This can be done using
  the SQL Server Surface Area Configuration tool that is provided with SQL
  Server.
• If you want to use a clustered configuration for redundancy purposes it
  must be configured prior to installation. You then reference the virtual
  clustered instance during the installation process. Clustered configurations
  are not supported with SQL Server 2005 Express Edition or SQL Server
  2008 R2 Express Edition.
PERFORMING A NEW INSTALLATION
1. Begin the installation process by double-clicking the file named
Patch_Authority_ScriptLogic_7.x.0.#.exe.
The Setup dialog appears, indicating the status of the Patch Authority
Ultimate prerequisites. The sample dialog shown here indicates that all but
one of the prerequisites are installed.
2. Click the Install button to install the missing prerequisites.
After the prerequisites have all been installed, the installation window
reflects this fact. If any prerequisites were missing the installation
program will request a system reboot before continuing. The installation
program will restart automatically following the reboot.
3. To continue with the installation, click Install.
4. Read the information on the Welcome dialog and then click Next.
The license agreement is displayed. You must agree to the terms of the
license agreement in order to install the program.
5. To continue with the installation click Next.
The Destination Folder dialog is displayed.
6. If you want to change the default location of the program, click the
browse button and choose a new location.
Tip: If you want a shortcut icon to be created and placed on your desktop,
enable the Create a shortcut on the desktop check box.
When you are done, click Next. The Ready to install dialog is displayed.
7. To begin the installation click Install.
Near the end of the installation process the Database Setup Tool dialog
is displayed.
8. If you have a previously installed Patch Authority Ultimate database that
you wish to use, select Use an existing database and then click Next.
Otherwise, select Create a new database and then click Next.
A dialog similar to the following is displayed:
9. Use the boxes provided to define how users and services will access the
SQL Server database.
Choose a database server and instance
• Server name: You can specify a machine or you can specify a
  machine and the SQL Server instance running on that machine (for
  example: machinename\SQLExpress).
• Database name: Specify the database name you want to use. The
  default database name is Scans.
Choose how interactive users will connect to the database
Specify the credentials you want the program to use when a user
performs an action that requires access to the database.
• Integrated Windows Authentication: This is the recommended and
  default option. Patch Authority Ultimate will use the credentials of the
  currently logged on user to connect to the SQL Server database. The
  User name and Password boxes will be unavailable.
• Specific Windows User: Select this option only if the SQL Server
  database is on a remote machine. This option will have no effect if the
  database is on the local (console) machine (see Supplying Credentials
  for more information about local machine credentials). All Patch
  Authority Ultimate users will use the supplied credentials when
  performing actions that require interaction with the remote SQL Server
  database.
• SQL Authentication: Select this option to enter a specific user name
  and password combination when logging on to the specified SQL
  Server.
  Caution! If you supply SQL authentication credentials and have not
  implemented SSL encryption for SQL connections, the credentials will
  be passed over the network in clear text.
• Test Server Connection: To verify that the program can use the
  supplied interactive user credentials to connect to the SQL Server
  database, click this button.
Choose how services will connect to the database
Specify the credentials you want the background services to use when
making the connection to the database. These are the credentials that the
results importer, agent operations, and other services will use to log on to
SQL Server and provide status information.
• Use alternate credentials for console services:
  • If the SQL Server database is installed on the local machine you will
    typically ignore this option by not enabling this check box. In this
    case the same credentials and mode of authentication that you
    specified above for interactive users will be used.
  • You will typically only enable this check box if the SQL Server
    database is on a remote machine. When the database is on a
    remote machine you need an account that can authenticate to the
    database on the remote database server.
• Authentication method: Available only if Use alternate credentials for
  console services is enabled.
  • Integrated Windows Authentication: Selecting this option means
    that the machine account will be used to connect to the remote SQL
    Server. The Kerberos network authentication protocol must be
    available in order to securely transmit the credentials. The User name
    and Password boxes will be unavailable.
    Note: If you choose Integrated Windows Authentication the
    installation program will attempt to create a SQL Server login for the
    machine account. If the account creation process fails, see SQL Server
    Post-Installation Notes for instructions on manually configuring a
    remote SQL Server to accept machine account credentials. Do this
    after you complete the Patch Authority Ultimate installation process but
    before you start the program.
  • Specific Windows User: Select this option to enter a specific user
    name and password combination. Patch Authority Ultimate's
    background services will use these credentials to connect to the SQL
    Server database. This is a good fallback option if for some reason you
    have difficulties implementing integrated Windows authentication.
  • SQL Authentication: Select this option to provide a specific user
    name and password combination for the services to use when logging
    on to SQL Server.
10. After providing all the required information, click Next.
Note: If the installation program detects a problem with any of the
specified credentials, an error message will be displayed. This typically
indicates that a user account you specified does not exist. Make a
correction and try again.
The program will create, link to, or upgrade the database. When the
database operation is complete the Database Complete dialog is
displayed.
11. Click Next.
The Installation Complete dialog is displayed.
12. Click Finish.
The Completed dialog is displayed.
13. If you want to start Patch Authority Ultimate immediately, enable the
Launch ScriptLogic Patch Authority check box and then click Finish;
otherwise, just click Finish.
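A check for the Caution and the Kerberos requirement in step 9, added here as an example and not taken from the ScriptLogic guide: run it on the SQL Server while the console is connected to see how each console session authenticated and whether its connection is encrypted. The host name PATCHCONSOLE is a constructed placeholder for your console machine, and the query needs VIEW SERVER STATE permission.

```sql
-- Added example, not part of the vendor guide.
-- PATCHCONSOLE is a constructed placeholder for the console's machine name.
-- Requires VIEW SERVER STATE. Uses DMVs available from SQL Server 2005 onward.
DECLARE @console_host sysname;
SET @console_host = N'PATCHCONSOLE';

SELECT
    s.session_id,
    s.login_name,          -- DOMAIN\MACHINE$ when services use the machine account
    s.host_name,
    s.program_name,
    c.net_transport,       -- TCP, Named pipe, or Shared memory (local connections)
    c.auth_scheme,         -- SQL, NTLM, or KERBEROS
    c.encrypt_option,      -- 'TRUE' when the connection is encrypted
    c.client_net_address,
    CASE
        WHEN c.auth_scheme = 'SQL' AND c.encrypt_option = 'FALSE'
            THEN 'SQL Authentication on an unencrypted connection'
        WHEN c.auth_scheme = 'SQL'
            THEN 'SQL Authentication on an encrypted connection'
        WHEN c.auth_scheme = 'NTLM' AND c.net_transport <> 'Shared memory'
            THEN 'Windows authentication over the network using NTLM, not Kerberos'
        WHEN c.auth_scheme = 'KERBEROS'
            THEN 'Windows authentication using Kerberos'
        ELSE 'Local or other connection; review manually'
    END AS finding
FROM sys.dm_exec_connections AS c
JOIN sys.dm_exec_sessions    AS s ON s.session_id = c.session_id
WHERE s.is_user_process = 1
  AND c.parent_connection_id IS NULL      -- skip MARS child connections
  AND s.host_name = @console_host
ORDER BY
    -- Put the combination the Caution describes at the top of the result set.
    CASE WHEN c.auth_scheme = 'SQL' AND c.encrypt_option = 'FALSE' THEN 0 ELSE 1 END,
    s.login_name,
    s.session_id;
```

Rows whose finding is "SQL Authentication on an unencrypted connection" are the configuration the Caution in step 9 warns about.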
SQL SERVER POST-INSTALLATION NOTES
Manually Configuring a Remote SQL Server to Accept Machine Account Credentials
Note: The manual process described here is required only if the automated
account creation process failed during product installation.
To get Patch Authority Ultimate to interact properly with a remote SQL Server
you must configure the server to accept machine account credentials. The
best time to do this is immediately after you have installed Patch Authority
Ultimate but before you actually start the program. You can, however,
perform these steps after starting the program. Any scans you initiate prior to
this that require interaction with a remote SQL Server database will probably
fail.
This section describes how to configure a remote SQL Server to accept
Windows authentication (machine account) credentials from the Patch
Authority Ultimate console. For security purposes, ScriptLogic Corporation
recommends using Windows authentication where possible. Microsoft SQL
Server Management Studio is used as the editor in the following examples but
you can use a different tool if you prefer.
1. The Patch Authority Ultimate console and SQL Server must be joined to
the same domain or reside in different domains that have a trusted
relationship.
This is so the console and the server can compare credentials and
establish a secure connection.
2. On SQL Server, create a new login account for Patch Authority Ultimate to
use.
You must have securityadmin privileges in order to create an account.
To do this: Within the Security node, right-click Logins and select New
Login. Type the login name using a SAM-compatible format
(domain\machine name). The machine account is your console's machine
name and must contain a trailing $.
Note: Do not use the Search option. You must manually type the name
because it is a special name.
Make sure you choose Windows Authentication and that the Default
database box specifies the Patch Authority Ultimate database. For
example:
3. For your Patch Authority Ultimate database, create a new user login using
the console machine account.
Right-click the Users folder, select New User, browse to find the Login
name, and then paste the name in the User name box. Assign the user
the db_datareader, db_datawriter, and STExec roles. For example:
4. Start Patch Authority Ultimate.
5. Perform any troubleshooting as necessary.
• You can use the SQL Server activity monitor to determine if connection
  attempts are successful when performing a patch scan.
• If you ran Patch Authority Ultimate before creating the SQL Server user
  account, some services may fail to connect to SQL Server. You should
  select Control Panel > Administrative Tools > Services and try
  restarting the services.
• If the connection attempts are failing you can view the messages in the
  SQL Server logs to determine why the failures are occurring.
Allowing Other Users Access to the Program
Note: This section also applies if you are using the role-based administration
feature.
If you wish to allow other users access to the program, you may need to
configure SQL Server so that those users have the necessary database
permissions. Specifically, when using Windows integrated authentication,
users without administrative rights on the database machine must be granted
read and write permission to all tables and views. They must also be granted
execute permission to all stored procedures in the Patch Authority Ultimate
application database. They may not otherwise be able to start Patch Authority
Ultimate.
One way to grant these permissions is to assign your users the db_owner
role. For security reasons, however, this may not be the best solution. A safer
alternative is to grant execute permission at the database level. You do this
by assigning the users in question to the STExec role.
For more details on granting the necessary database permissions, see the
following article: http://www.sqldbatips.com/showarticle.asp?ID=8
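Steps 2 and 3 of the machine account procedure and the STExec alternative to db_owner described above, written as T-SQL; this is an added example, not a script from the ScriptLogic guide. EXAMPLEDOM\PATCHCONSOLE$ and EXAMPLEDOM\patch.operator are constructed placeholders, Scans is the guide's default database name, and giving the additional user db_datareader and db_datawriter for the read and write permission is an assumption that mirrors the roles the guide assigns to the machine account.

```sql
-- Added example, not part of the vendor guide. Constructed placeholders:
--   EXAMPLEDOM\PATCHCONSOLE$   console machine account (SAM format, trailing $)
--   EXAMPLEDOM\patch.operator  an additional, non-administrative console user
--   Scans                      the guide's default database name
-- Run as a login with securityadmin on the server and db_owner in the database.
-- sp_addrolemember is used because the guide targets SQL Server 2005 and 2008.

USE [master];
GO
-- Step 2: Windows Authentication login for the machine account, with the
-- product database as its default database.
IF NOT EXISTS (SELECT 1 FROM sys.server_principals
               WHERE name = N'EXAMPLEDOM\PATCHCONSOLE$')
    CREATE LOGIN [EXAMPLEDOM\PATCHCONSOLE$] FROM WINDOWS
        WITH DEFAULT_DATABASE = [Scans];

-- Login for an additional user who will run the console (assumed account).
IF NOT EXISTS (SELECT 1 FROM sys.server_principals
               WHERE name = N'EXAMPLEDOM\patch.operator')
    CREATE LOGIN [EXAMPLEDOM\patch.operator] FROM WINDOWS
        WITH DEFAULT_DATABASE = [Scans];
GO

USE [Scans];
GO
-- Step 3: database users mapped to those logins.
IF NOT EXISTS (SELECT 1 FROM sys.database_principals
               WHERE name = N'EXAMPLEDOM\PATCHCONSOLE$')
    CREATE USER [EXAMPLEDOM\PATCHCONSOLE$] FOR LOGIN [EXAMPLEDOM\PATCHCONSOLE$];

IF NOT EXISTS (SELECT 1 FROM sys.database_principals
               WHERE name = N'EXAMPLEDOM\patch.operator')
    CREATE USER [EXAMPLEDOM\patch.operator] FOR LOGIN [EXAMPLEDOM\patch.operator];
GO

-- Roles the guide names for the machine account in step 3.
EXEC sp_addrolemember N'db_datareader', N'EXAMPLEDOM\PATCHCONSOLE$';
EXEC sp_addrolemember N'db_datawriter', N'EXAMPLEDOM\PATCHCONSOLE$';
EXEC sp_addrolemember N'STExec',        N'EXAMPLEDOM\PATCHCONSOLE$';

-- Additional user: read, write and execute without db_owner.
-- STExec is the execute role the guide names; the two fixed roles are an
-- assumption covering "read and write permission to all tables and views".
EXEC sp_addrolemember N'db_datareader', N'EXAMPLEDOM\patch.operator';
EXEC sp_addrolemember N'db_datawriter', N'EXAMPLEDOM\patch.operator';
EXEC sp_addrolemember N'STExec',        N'EXAMPLEDOM\patch.operator';
GO

-- Verify: roles held by the two accounts, plus every current member of
-- db_owner so that broader-than-needed grants are visible for review.
SELECT m.name      AS member_name,
       m.type_desc AS member_type,
       r.name      AS role_name
FROM sys.database_role_members AS drm
JOIN sys.database_principals   AS r ON r.principal_id = drm.role_principal_id
JOIN sys.database_principals   AS m ON m.principal_id = drm.member_principal_id
WHERE m.name IN (N'EXAMPLEDOM\PATCHCONSOLE$', N'EXAMPLEDOM\patch.operator')
   OR r.name = N'db_owner'
ORDER BY r.name, m.name;
```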
Performing Periodic Maintenance on the Database
Patch Authority Ultimate provides the ability to perform periodic maintenance
on the database by automatically removing old scans, rebuilding index files,
and performing backups. See Database Maintenance for details.
GETTING STARTED
Starting Patch Authority Ultimate
Note: In order to access the full capabilities of Patch Authority Ultimate, you
must run under a Windows account with administrator privileges.
You can start Patch Authority Ultimate two ways:
• Select Start > All Programs > ScriptLogic Corporation > Patch
  Authority Ultimate
• Double-click the Patch Authority Ultimate icon on your desktop
After starting the program the home page is displayed. See About the Home
Page for detailed information about the home page.
Activating Patch Authority Ultimate
Until you activate Patch Authority Ultimate you are very limited in the actions
you are allowed to perform. You activate the program by entering a valid
activation key. To activate Patch Authority Ultimate:
Note: If you are only interested in using Patch Authority Limited you can skip
this section. A license key is not required to perform the functions provided by
Patch Authority Limited. For more information see What is the Limited
Program?
1. If you have an electronic copy of your license key, copy it to your
computer's clipboard.
Your license key is typically sent to you in an e-mail from ScriptLogic
Corporation when you purchase the product.
2. From the Patch Authority Ultimate menu select Help > Enter License
Key.
The Activation dialog is displayed.
The program should automatically detect the activation key and paste it in
the appropriate boxes.
3. (Optional) If the activation key did not automatically populate in the boxes
(or if you didn't copy the key into your computer's clipboard until after you
launched this dialog), click Paste key.
You can also manually type your activation key if you prefer.
If You Have an Internet Connection
1. Select Online activation.
2. Click Activate online now.
If the activation is successful the message Patch Authority Ultimate
product activation successfully completed is displayed near the
bottom of the dialog.
3. Click Close.
If You Do Not Have an Internet Connection
1. Select Offline activation.
2. Click Create request.
A text file is generated, saved to your computer, and opened within
Notepad. The location of the text file on your computer is specified in the
first couple of sentences in the file.
3. Move the text file to a computer that has an Internet connection.
4. E-mail the file to support@scriptlogic.com.
ScriptLogic Corporation will process the license information and e-mail you
back the processed license file.
5. When you receive the processed license file, move the file to the console
computer.
6. Within Patch Authority Ultimate, select Help > Enter License Key.
7. On the Patch Authority Ultimate Activation dialog select Offline
activation.
8. Click Import data and then open the file you received from the
ScriptLogic Corporation Support group.
Patch Authority Ultimate will process the file and the program will be
activated.
Running the Setup Wizard
When Patch Authority Ultimate is run for the first time, the Setup Wizard
gathers pieces of information that will aid in quickly performing a successful
scan. The Setup Wizard can also be run at any time by choosing Tools >
Setup Wizard.
The first dialog box that appears is simply an informational dialog.
1. After reading the welcome message, click Next.
The Setup Wizard now checks the proxy settings in Internet Explorer and
conducts an Internet connectivity test to determine whether or not further
proxy server settings are necessary. If Patch Authority Ultimate is unable
to access the Internet with these settings a dialog similar to the following
will appear.
If you are required to enter a user name and password each time you
launch your browser and browse the Internet, please enter those
credentials here. It may be necessary to specify a domain as part of your
user name (for example: mydomain\my.name). These settings can be
modified later by going to Tools > Options > Proxy. You may test your
settings by clicking Test.
Important! If you are using a proxy server for HTTP, then you must
enable the Bypass proxy server for local addresses check box in the
browser's proxy server settings. To access these settings, on the Tools
menu in Internet Explorer, click Internet Options, click the
Connections tab, and then click LAN Settings. Enabling the Bypass
proxy server for local addresses check box specifies that the proxy
server should not be used when the Patch Authority Ultimate console
connects to a computer on the local network.
2. After specifying your proxy server information, click Next.
The next dialog prompts you for your user name and password
credentials. These credentials are not used for the normal scan process;
they are used during the rescan process (after deployment). The
credentials you provide in this dialog are supplied to the Patch Authority
Ultimate Service and are presented during a rescan operation for the
purpose of patch validation (unless alternate credentials were provided
using the Set Credentials function).
These credentials can be modified later by selecting Tools > Options >
Default Credentials.
3. After specifying your credentials, click Next.
The Tracker dialog enables you to specify the IP address used by Patch
Authority Ultimate Deployment Tracker. If you are on a multi-homed
machine, it is necessary to choose the IP address that corresponds to the
network that will be scanned. If desired, you can elect to specify the
console host name rather than the IP address.
4. After specifying the address, click Next.
The next dialog that appears enables you to specify if you want to use the
automatic e-mail feature of Patch Authority Ultimate. This feature
enables you to send e-mail alerts, reports, and messages to specified
users (see E-mail Overview for details). To use this feature, enable the
Enable automatic E-Mailing of notifications and results check box
and then specify the name or IP address of the SMTP server you use. In
the From E-Mail Address box type the e-mail address that should be
used within the e-mail message.
5. If you have not elected to use the automatic e-mail feature, click Finish
and skip the following step. Otherwise, after specifying your e-mail
settings, click Next.
This dialog enables you to verify the authentication information required
by your SMTP server and to test your setup.
6. After specifying the required information, click Finish.
If the machine on which Patch Authority Ultimate is installed has multiple
network adapters or has multiple IP addresses, it is necessary to choose the
IP address which corresponds to the network that will be scanned. On the
dialog box that appears, select an appropriate IP address from the IP
Address for Patch Authority Ultimate Deployment Tracker drop-down
menu. If it is necessary to change this information later, you can do so by
choosing Tools > Options > Deployment and changing the IP address in
the Tracker IP Address field.
This completes the initial configuration of Patch Authority Ultimate.
Version and License Information
Selecting Help > About will provide a variety of information about Patch
Authority Ultimate.
User and Version Information
The center portion of the Help > About dialog is used to view both
application and version information. To toggle between both views, click
either the Version Info or App Info button (the button name changes each
time it is clicked).
• App Info: Displays application information for Patch Authority Ultimate
  and information about the database being used by the program, including:
  • Program Version: Displays both the version and the edition of the
    program being used.
  • Administration Role: If role-based administration is enabled, displays
    the current role assignment.
  • Patch Licensing: Displays the license expiration date, the number of
    machines you are licensed to scan, the number of machines you are
    licensed to deploy to and install agents on, and the number of
    deployment licenses currently being used.
  • Database capabilities: Displays the current database being used.
• Version Information: Displays version information about each of the
  program components being used by the program. This can be helpful if
  you ever need to perform any troubleshooting of the program as you can
  quickly determine if you are using the most current data.
Version Log
To save the version information to a Notepad file, click Version Log.
How Licenses are Tracked
When a patch deployment is performed, Patch Authority Ultimate records the
machine name in the database if it does not already exist. From there, the
number of remaining seats available for deployment is reduced by one for
each target. If you elect to use Patch Authority Ultimate Agent, each agent
machine is allocated a license and also counts against the total number of
license seats available. When scanning virtual machines, a machine is counted
only once even if it is scanned both in online (powered on) mode and offline
(powered off) mode.
You can easily find out how many license seats have been used by choosing
Help > About.
Navigating the Interface
The Patch Authority Ultimate interface is designed to be simple yet powerful,
enabling you to perform any number of activities quickly and easily. An
annotated interface is shown here. For information about each area of the
interface, see the table that follows.
1  The menu bar and the toolbar provide quick access to many of the
   features of the program.
2  The active function pane. This pane displays whatever function is
   currently selected in the button tray at the bottom of the navigation
   bar. There can be only one function active at a time. In this example
   the Machine Groups function is the active function.
   You can collapse the navigation bar by clicking the icon. This
   maximizes the size of the right-hand pane.
3  The button tray contains buttons representing each of the major
   functions within the program. To work with a function, simply click
   the desired button in the button tray. The function is displayed within
   the active function pane at the top of the navigation bar. There are
   several actions you can perform on the button tray.
   • If you find that the buttons in the button tray take up too much
     space, position your mouse pointer over the horizontal splitter bar
     at the top of the button tray, and when the pointer turns into a
     double-headed arrow, drag the splitter bar down. Dragging the
     horizontal splitter bar to the bottom of the navigation bar converts
     the buttons to small icons at the bottom of the navigation bar.
   • The Configure Buttons icon enables you to manage the buttons shown
     within the button tray. When you click the icon the following
     options are presented:
     • Show more buttons: Converts the left-most icon to a button and
       adds it to the bottom of the button tray. If all available buttons
       are contained in the button tray, this menu option is disabled.
     • Show fewer buttons: Removes the bottom button in the button tray,
       converting it to an icon that is displayed at the bottom of the
       navigation bar. If there are no buttons contained in the button
       tray, this menu option is disabled.
     • Add or remove buttons: Enables you to add or remove buttons from
       the button tray. When you remove a button, that function is no
       longer available within the navigation bar until you add the
       button back.
4  This area provides one-click methods for initiating a patch scan of
   your local machine, your domain, or of a new machine group that you
   create and configure.
5  The middle pane is a large display area. It is used to display items
   related to the feature or function currently being used.
   In this example the start page is displayed. The start page is the
   page you will see the first time you start the program. It provides
   links to topics in the Help system that explain how to quickly and
   easily begin using the patch features of Patch Authority Ultimate.
Major Program Functions
The following program functions are available from within the Patch Authority
Ultimate button tray.
Machine groups are used to define the machines you want
included in a particular scan. Many actions within the
program are performed using machine groups. The Machine
Groups pane contains the following:
• New Machine Group: To create a custom group of
  machines, click this button.
• My Machine: A default group consisting of only the
  console machine.
• My Domain: A default group consisting of the machines
  in the local domain.
• My Test Machines: A default group that is initially
  empty. You should add machines to this group that
  represent a 'smaller' view of your actual network
  environment and use the group to perform tests.
• Entire Network: A default group consisting of all
  machines visible on the network.

A patch group is a collection of patches that you wish to scan
for and/or deploy. A service pack (SP) group is a collection
of service packs that you wish to deploy using agents. Patch
groups and service pack groups can represent required or
mandatory patches/SPs that have been approved for your
organization. To add a new group, click New Group.

An agent policy defines exactly what an agent can and
cannot do. With Patch Authority Ultimate Agent you can
create as many different agent policies as are needed. To
create a new agent policy, click New Agent Policy.

Patch Authority Ultimate supports the use of a number of
different types of templates.
• The patch scan template defines exactly how a patch
  scan will be performed. The available patch scan
  templates are:
  • Security Patch Scan: Scans for missing and
    installed security patches. Allows the scanner
    engine to scan 64 machines simultaneously.
  • WUScan: Scans for both security patches and
    non-security patches. Allows the scanner engine to
    scan 64 machines simultaneously.
  • New Template > Patch Scan: Creates a new
    patch scan template.
• A deployment template provides a way to save desired
  settings for patch deployment and have them quickly
  available for future deployments. To view the settings
  for the three default templates, click Agent Standard,
  Standard, or Virtual Machine Standard. To create a
  new template, click New Template > Deployment.
A favorite is a collection of machines to scan and a choice of
how to scan them. To create a new favorite, click on New
Favorite. Select the machine groups you want to scan and
then select the desired scan template.

A history of the patch scans and deployments that you have
performed is available in the Patch Results list.
• To view the results of a scan or deployment that you
  performed today, simply expand the Today's Items list
  and select the desired item. You can right-click on an
  item to either delete it from the list or to rename it.
• To view the results of a scan or deployment that was
  performed within the last 15 days, simply expand the
  Recent Items list and select the desired item. (The
  number of days is configurable via Tools > Options >
  Display.) You can right-click on an item to either delete
  it from the list or to rename it.
• To view the results of a scan or deployment that was
  performed over 15 days ago, simply expand the
  Archive Items list and select the desired item. (The
  number of days is configurable via Tools > Options >
  Display.) You can right-click on an item to either delete
  it from the list or to rename it.
Here's a quicker method for deleting many items at once
from any of these lists:
1. Select Manage > Items.
2. On the summary screen that appears select the items
   you want to delete.
3. Click Delete Selected.
About the Patch Authority Ultimate Home Page
The home page provides a place for you to quickly initiate some of the most
popular scans on the machines in your network. It also displays a number of
charts that show the security status of your network at the time of the most
recent machine scans. For example:
1  This area provides one-click methods for initiating a patch scan of
   your local machine, your domain, or of a new machine group that you
   create and configure.
2  This area displays a number of charts that show the security status of
   your network at the time of the most recent machine scans. Two charts
   are displayed at a time. You can toggle through all the available
   charts by clicking Previous and Next. If you want certain charts to
   always be displayed or never be displayed you can do so by clicking
   Options. By default, each time you return to the home page a different
   set of charts will be displayed.
Menu Commands
Note: The menu commands that are available are dependent upon your
particular product license.
The Patch Authority Ultimate menus enable you to do the following:
File:
• New: Create a new agent policy, favorite, group, or template
• Import Machine Group: Imports an existing group definition from an
  encrypted XML file
• Exit: Exit the program
View:
• Home: Returns you to the home page
• Machine View: Displays current information about every machine in your
  network that has been previously scanned
• Patch View: Provides detailed information about patches for the various
  operating systems and applications scanned for by Patch Authority
  Ultimate
• Operations Monitor: Launches the Patch Authority Ultimate Operations
  Monitor, which is used to track the installation of agents and the
  deployment of patches
• Deployment Tracker: Launches Patch Authority Ultimate Deployment
  Tracker, which is used to track deployment tasks that are currently in
  progress
• Refresh: Refresh the information displayed in the right-hand pane
Scan:
• My Machine: Initiates a patch scan of the local computer using the
  default patch scan template
• My Domain: Initiates a patch scan of your local domain using the default
  patch scan template
• My Default Favorite: Initiates a patch scan of the machine
  group(s)/scan template combination that is designated as your default
  favorite
Manage:
• Items: Displays a list of all prior scans and patch deployments
• Address Book: Displays the address book used to store the names and
  e-mail addresses of contacts you wish to send reports
• Distribution Servers: Configure distribution servers used to store
  patches for deployment
• Custom Patches: Used to create and manage custom patches, products,
  and bulletins
• Scheduled Tasks: Launches the Scheduled Tasks Manager, which is used to
  monitor the status of all scheduled tasks on the machines in your network
• Agents: Launches the Agent Manager, which enables you to configure
  how agents will operate on each target machine
• User Role Assignment: Used to assign specific roles to specific
  administrators
Tools:
• Edit Database Description: Launches the Edit Database Description
  dialog, which is used to change the name the program uses when
  referring to the database
• Database maintenance: Launches the Database Maintenance dialog,
  which is used to perform periodic maintenance on your database and keep
  it operating at peak efficiency
• Create Report: Launches the Report Gallery, which is used to generate a
  variety of reports on any of the scans and patch deployments that have
  been performed
• Distribution Server Update: Used only if you have upgraded from a
  previous version of Patch Authority Ultimate. It enables you to reapply
  the credentials used by the console and by your agents when connecting
  to your distribution server(s).
• Setup Wizard: Launches the Setup Wizard, which guides you through the
  process of configuring initial program options
• Custom Patch Editor: Used to create and manage custom patches,
  products, and bulletins
• Run Disconnected: Used when running the program from a console not
  connected to the Internet
• Options: Launches the Options dialog, which enables you to configure a
  number of different program options
Help:
• Enter License Key: Enables you to activate the program
• Register: Enables users of Patch Authority Limited to register for a fully
  functional trial version of the program
• Check for Program Updates: Checks if a new version of the program is
  available
• Refresh License: Enables you to activate the program or to upgrade
  your program license
• Refresh Files: Downloads new versions of the XML files and the
  command files used by the program
• Contents: Display the Help contents tab
• Index: Display the Help index tab
• About: Display program version information
Toolbar Buttons
The toolbar provides quick access to often used options and tasks. The
following buttons are available on the toolbar:
• Returns you to the home page.
• Displays the Machine View, enabling you to view current
  information about every machine in your network that has been previously
  scanned.
• Provides detailed information about patches for the various
  operating systems and applications scanned for by Patch Authority
  Ultimate.
• Initiates a patch scan of the local machine or the local
  domain using the default patch scan template, or a patch scan of the
  machine group/scan template combination that is designated as your
  default favorite.
• Displays the Distribution Servers dialog.
• Launches the Agent Manager dialog.
• Launches the Scheduled Tasks Manager.
• Launches the Report Gallery, which enables you to generate a
  variety of reports.
Editing the Database Description
You can change the name the program uses when referring to the database.
This serves two purposes:
• It enables you to assign a user-friendly name to use for all references to
  the database. By default the name for the database is the console
  computer name. If there is only one console using the database then the
  default name may be fine. But in some cases the default name may not
  have much meaning to you and you'll want to change the name.
• It helps avoid confusion if the database is on a remote server or if two or
  more consoles are using the same database.
Note: This does not change the actual name of the database; rather, it
simply provides a user-friendly name for the program to use when
referring to the database.
To edit the console name:
1. Select Tools > Edit Database Description.
A dialog similar to the following is displayed.
2. Change the name and description as desired.
The program will use the new, friendly name whenever it refers to the
database. The new name will be used in any reports you generate for the
console. For example, if you changed "JOEA-D620" to "Headquarters DB"
you would see the following:
For Data Rollup Configurations
This feature is particularly useful in data rollup configurations (see What is a
Data Rollup Configuration), where one database (the database associated
with the central console) receives results that are rolled up to it from other
remote databases. An entry is automatically generated in the central
console's Edit Database Description dialog whenever a remote database
imports the central console's data rollup settings. Once an entry is generated,
its name and description can be modified, if desired. For example:
Help System
A robust Help system is available for the program. To access the Help system,
select Help > Contents.
Context-sensitive help is also available for many of the various program
windows and dialogs. Simply click the context-sensitive help icon or
press F1 to view information specific to the window or dialog currently being
displayed.
Command-line Option
Patch Authority Ultimate can be operated from a command prompt using
C:\Program Files\ScriptLogic\PatchAuthority\hfcli.exe. On 64-bit
machines the file is located in the
C:\Program Files (x86)\ScriptLogic\PatchAuthority\ directory. To view all
available commands, type hfcli -?.
USING MACHINE GROUPS
About Machine Groups
Patch Authority Ultimate uses machine groups to keep track of the machines
that are included in a particular scan. Even the local machine (My Machine)
is considered a machine group. Among the predefined machine groups are:
My Machine
This group includes only the local machine.
My Domain
Includes all of the machines that are a part of the domain to which the
scanning computer is joined.
My Test Machines
A group of machines that represent a 'smaller' view of your actual
network environment. A machine of each type that is typically scanned
should be added to this group and used for testing purposes.
Entire Network
Includes all machines currently viewable in Network Neighborhood.
About the My Test Machines Group
One hard lesson that many administrators have learned is the importance of
testing new implementations before rolling them out to critical production
systems. In anticipation of this need we have created a default group for you
to use for this purpose.
You can use this group just like any other. Simply add either lab machines or
low priority production systems to it. You should take care to make sure that
you have a representative mix of machines in the group in order to cover the
production systems on your network.
For instructions on adding machines to this group, see Machine Group Pane:
Middle Section.
Creating Machine Groups
To create a new machine group:
1. In the button tray at the bottom of the navigation bar, click Machine
Groups.
2. In the Machine Groups pane, click New Machine Group.
Note: Alternatively, you can choose File > New > Machine Group from
the main menu.
The New Machine Group dialog is displayed.
In this dialog, provide a descriptive name for the new machine group
along with an optional comment that describes the purpose of the group.
To save the group click Save; to abort the operation click Cancel.
For information on configuring the new machine group, see Machine Group
Pane: Middle Section.
Tip: Another way to create a new machine group is to select multiple
machines from a scan result (press and hold the CTRL key while selecting
the machines), then right-click and select Create Group to create a group
that contains the selected machines.
Working with a Machine Group
When a machine group is selected in the navigation bar, the details for it are
shown in a separate dialog. The dialog is logically separated into three
functional sections:
• Top section: Contains buttons, links, and filters that apply to the entire
  machine group.
• Middle section: Enables you to add machines to the group.
• Bottom section: Enables you to perform actions on individual machines
  within the group.
For example, here are the details for a group named Sample Machine Group.
Machine Group Dialog: Top Section
When viewing a machine group, the top section of the machine group dialog
contains buttons, links, and filters that apply to the entire group.
This section contains the following items:
• Group-level buttons: Buttons that apply to the group as a whole.
Enables you to change the name of the machine group and the
comment that describes the purpose of the group.
Displays this group in Machine View, which shows the most recent
scan information for every machine in the group.
Copies the current machine group to a new group. Type a name and a
comment for the new group and then click Save. The new machine
group is displayed.
Deletes the current machine group.
Enables you to select one of the following options:
• Enables you to provide common credentials for every machine in the
  group. Be sure to include the domain name when defining the user name
  (for example: SampleDomain\Sample.Name). When credentials are applied
  the icon will contain a check mark.
• Enables you to remove any credentials defined for the group. When
  credentials are not defined the icon will be dimmed.
For more information see Supplying Credentials.
Defines e-mail options for the entire group. The e-mail options enable
you to define which reports (if any) will be automatically sent — and to
whom they will be sent — whenever this group is used in a scan.
To specify which reports should be automatically sent and to whom
they should be sent:
1. Click E-Mail > Set E-Mail.
2. In the Automated E-Mail Settings dialog, select a
   report in the Reports list.
3. In the Report Recipients list, select the groups and/or
   individuals you want to e-mail the report to.
4. Repeat Step 2 and Step 3 for each report you want to be
   automatically sent.
5. When finished, click Close.
Enables you to select one of the following options:
• Imports an existing group definition from an encrypted XML file.
• Exports the group definition to an encrypted XML file. This file can
  be imported into another machine group on the same console or on a
  different console.
Note: You will be asked to supply a passphrase when importing or
exporting a group file. This is done to secure the contents of the file
and prevent an unauthorized person from learning about your network
topology, from discovering your machine credentials, etc.
Displays online Help information about machine groups.
• Scan with box: Contains a list of all the available patch scan templates.
  Choose one before beginning a scan.
• Begin Scan button: Enables you to begin a scan of all machines in the
  machine group.
• Scan only: A variety of filters that can be applied to the machines in this
  group.
Filters enable you to specify the types of machines you want included in a
scan. For example, if you want to scan all the print servers within a domain,
you would specify the desired domain on the Domain Name tab and then in
the Scan only area you would select Print Servers. All other machine types
are ignored.
To specify one or more machine types, simply enable the check box in front of
the machine type(s) you want included in the scan. If no check boxes are
enabled then no filters are applied.
Machine Group Dialog: Middle Section
When viewing a machine group, the middle section of the machine group
dialog enables you to add machines to the group.
You can add machines a number of different ways. See the following topics
for details:
• Adding Machines by Name
• Adding Domains
• Adding Virtual Machines
• Adding Machines by IP Address
• Adding Organizational Units
• Defining Nested Groups
Machine Group Dialog: Bottom Section
When viewing a machine group, the bottom section of the machine group
dialog displays the machines that are currently members of the group. The
bottom section also enables you to perform actions on individual machines
within the group.
The bottom section contains the following items and capabilities:
• Machine-level buttons: Buttons that perform actions on individual
  machines within the group.
  Note: These actions can also be performed by right-clicking on one or
  more machines.
Removes the selected machines from the current machine
group.
• The selected machines will be included when scans are
  performed on this machine group.
• The selected machines will be excluded when scans are
  performed on this machine group.
• The ability to provide administrative credentials for the
  selected machines in the group. Credentials assigned to
  individual machines will take precedence over credentials
  assigned to the group.
  When credentials are applied to the selected machines, the
  icon in the Admin Credentials column will become active.
• Applies only to organizational units. Enables you to provide
  browse credentials that are used to locate all machines in an
  OU. These credentials may be different than the
  administrator credentials used to connect to the
  machines in the OU.
• Applies only to domains. Enables you to provide browse
  credentials that are used to locate all machines in a
  specific domain. These credentials may be different than
  the administrator credentials used to connect to the
  machines in the domain.
  When credentials are applied to a domain, the icon in the
  Browse Credentials column will become active.
• Removes specified credentials from the selected machines.
  The credentials icon will become dimmed. Any group-specific
  credentials will still be applied to the machines.
For more information see Supplying Credentials.
• Defines e-mail options for the selected machines. Defining
  e-mail options for individual machines overrides any e-mail
  options defined for the group. The e-mail options enable you
  to define which reports (if any) will be automatically sent,
  and to whom they will be sent, whenever the machines are
  used in a scan.
  To specify which reports should be automatically sent
  and to whom they should be sent:
  1. In the Automated E-Mail Settings dialog, select a
     report in the Reports list.
  2. In the Report Recipients list, select the groups
     and/or individuals you want to e-mail the report to.
  3. Repeat Step 1 and Step 2 for each report you want
     to be automatically sent.
  4. When finished, click Close.
• Removes all e-mail settings currently applied to the
  selected machines.
Installs Patch Authority Ultimate Agent on the selected
machines.
• The machines must be added to the machine group
  using a machine name, domain name, or IP address.
  You cannot use the Install / Reinstall Agent button to
  install agents on machines that were added as
  organizational units, nested groups, or IP address
  ranges.
• The machines must be online and connected to the
  network. If the console cannot make a connection to a
  machine the install will fail for that machine.
See Installing Agents from the Console for more details.
• Verifies the existence of the selected machines.
• Verifies that the credentials defined for the selected
  machines can be used to access the machines.
• The ability to display the machines in the group a number of different
  ways.
  • You can click on a column heading to sort the table by that
    information.
  • You can reorder the columns by clicking and dragging the column
    headers to new locations. For example, if you want administrator
    credential information to be displayed in the first column, simply click
    on the Admin Credentials column header and drag it to the first
    column.
    Tip: When reordering columns, the column header you are moving will
    always be placed in front of the column you drag it to.
  • You can right-click within a column header and perform a number of
    additional actions. For example:
Sort Ascending: Sorts the selected column in ascending order.
Sort Descending: Sorts the selected column in descending order.
Column Chooser: Enables you to add and remove information from the table.
When you select Column Chooser the Customization dialog is displayed.
This dialog is used to store the columns you currently don't want
displayed within the table. Simply click and drag the desired column
headers from the table to the Customization dialog. For example, if
you decide you don't want Browse Credentials Applied and E-Mail
Options Applied information displayed in the table, simply drag those
column headers into the Customization dialog.
If you decide you want an item back in the table, simply click and
drag it from the Customization dialog back to the table.
Best Fit: Resize the width of the selected column so that all information
in the column is displayed in the optimal amount of space.
Best Fit (all columns): Resize the width of all columns in the table so
that information in the columns is displayed in the optimal amount of space.
Group by: Moves the selected column to the first column in the table,
effectively grouping the table by that column.
ADDING MACHINES TO A MACHINE GROUP
Adding Machines by Name to a Machine Group
One of the ways that a machine can be added to a machine group is by
machine name. Like most other tasks in Patch Authority Ultimate, there are
many ways that you can add a machine name to a machine group.
Adding an Individual Machine Name
The easiest way to add a machine to a machine group is as follows:
1. Select the Machine Name tab.
2. Type the name of the machine in the
box.
3. Click Add.
Note: If you want to specifically exclude a machine, enable the Exclude
check box before you click Add. The machine will be added to the
machine list but will not be included in any scans. See Excluding Certain
Machines for more information.
Importing Machine Names From an External Source
You can also add machines by using the following buttons to import machine
names from an external source.
This button opens a separate dialog that lists the contents of your
Microsoft network. Locate the machines you would like to add to the
custom group, place a check mark in the check boxes, and then click
Select.
You can import a list of machines from a previously created text file.
The text file can be created manually or it can be created using any
network-based tool available to you. Each machine name in the text file
must be separated by either a carriage return or a comma.
Machine names can also be dynamically linked to a text file rather than
imported. Linking a file to a machine group is different than importing
its contents. Importing contents is a one-time operation after which the
information from the file becomes a part of the machine group. When
you link a file to a machine group, any changes that you make to the file
are automatically reflected in the next scan. See Linking Files to
Machine Groups for more information.
When machines are added or imported by name, the new entries are
displayed within the bottom section of the machine group pane, as illustrated
here:
Tip: The recommended best practice is to always supply credentials for the
machines in the machine group. See Supplying Credentials for more details.
Adding Domains to a Machine Group
Another way that machines can be added to a machine group is by domain.
Adding a domain to a machine group will result in all machines that are
members of the domain being made a part of the group.
Adding an Individual Domain Name
The easiest way to add a domain to a machine group is as follows:
1. Select the Domain Name tab.
2. Type the name of the domain in the
box.
3. Click Add.
Note: If you want to specifically exclude a domain, enable the Exclude check
box before you click Add. The domain will be added to the machine list but
will not be included in any scans. See Excluding Certain Machines for more
information.
Importing Domain Names From an External Source
You can also add domains by using the following buttons to import domain
names from an external source.
This button opens a separate dialog that lists the contents of your
Microsoft network. Locate the domains you would like to add to the
custom group, place a check mark in the check boxes, and then click
Select.
You can import a list of domain names from a previously created text
file. The text file can be created manually or it can be created using any
network-based tool available to you. Each domain name in the text file
must be separated by either a carriage return or a comma.
Domain names can also be dynamically linked to a text file rather than
imported. Linking a file to a machine group is different than importing
its contents. Importing contents is a one-time operation after which the
information from the file becomes a part of the machine group. When
you link a file to a machine group, any changes that you make to the file
are automatically reflected in the next scan. See Linking Files to
Machine Groups for more information.
When domains are added or imported by name, the new entries are displayed
within the bottom section of the machine group pane, as illustrated here:
Adding Machines by IP Address to a Machine Group
Machines can be added to a machine group by entering individual IP
addresses or by defining a range of IP addresses.
Adding an Individual IP Address
The easiest way to add an individual IP address to a machine group is as
follows:
1. Select the IP Address/Range tab.
2. Type the IP address in the Enter IP address box.
3. Click Add Individual.
Note: If you want to specifically exclude an IP address, enable the
Exclude check box before you click Add Individual. The IP address will
be added to the machine list but will not be included in any scans. See
Excluding Certain Machines for more information.
Adding a Range of IP Addresses
The easiest way to add a range of IP addresses to a machine group is as
follows:
1. Select the IP Address/Range tab.
2. Type the starting and ending IP addresses in the Enter IP range boxes.
3. Click Add Range.
Importing IP Addresses from an External Source
You can also add IP addresses by using the following buttons to import the
addresses from an external source.
You can import a list of individual IP addresses or a list of IP address
ranges from a previously created text file. The text file can be created
manually or it can be created using any network-based tool available to
you. Each IP address in the text file must be separated by either a
carriage return or a comma.
When defining an IP range, include a dash between the beginning and
ending IP address:
172.16.1.1-172.16.1.255
IP addresses can also be dynamically linked to a text file rather than
imported. Linking a file to a machine group is different than importing its
contents. Importing contents is a one-time operation after which the
information from the file becomes a part of the machine group. When
you link a file to a machine group, any changes that you make to the file
are automatically reflected in the next scan. See Linking Files to
Machine Groups for more information.
When IP addresses are added, the new entries are displayed within the
bottom section of the machine group pane, as illustrated here:
Tip: The recommended best practice is to always supply credentials for the
machines in the machine group. See Supplying Credentials for more details.
Adding Organizational Units to a Machine Group
Companies often split up Active Directory entities by creating multiple
Organizational Units (OUs). A machine group in Patch Authority Ultimate can
be configured to include specific organizational units from Active Directory. For
example, you might create a machine group that includes all machines from
the 'Sales' organizational unit.
Adding an Individual Organizational Unit
The easiest way to add an organizational unit to a machine group is as
follows:
1. Select the Organizational Unit tab.
2. Type the name of the organizational unit in the
box.
An OU is added in full LDAP format. For example, to add the Sales OU
from the domain example.com, the format is
'ou=sales,dc=example,dc=com'. If you specify a parent OU, all children
OUs will be included in the scan.
3. Click Add.
Importing OUs From an External Source
You can also add organizational units by using the Browse Active Directory
button to import organizational unit names from an external source.
This button opens a separate dialog that lists the contents of your
Microsoft network. Locate the organizational units and/or machines
you would like to add to the custom group, place a check mark in the
desired check boxes, and then click OK.
Note: You must have the proper permissions in order to browse the
Active Directory OUs on the available domains.
Organizational Units: You have two options:
• Active Directory Wide: Enables you to select or deselect all OUs
contained within your Active Directory.
• Organizational Unit Wide: Enables you to select or deselect all OUs
contained within your organization.
For both options you can Select All available OUs, Deselect All available
OUs, or Invert Selection (enabling OUs not currently selected and
deselecting those OUs currently selected).
Machines: You have two options:
• Active Directory Wide: Enables you to select or deselect machines
contained within your Active Directory.
• Current Level: Enables you to select or deselect machines contained
within the currently selected level of your Active Directory.
For both options you can Select All available machines, Deselect All
available machines, or Invert Selection (enabling machines not currently
selected and deselecting those machines currently selected).
Set Credentials: To set credentials to use for browsing an Active
Directory hierarchy on a remote domain:
1. Select the domain.
2. Click Set Credentials.
3. Type a user name and password with permissions to the remote domain.
Clear Credentials: Removes the credentials currently defined for the
selected domain.
Include Child OUs: If enabled, for every parent OU selected, all children
OUs will also be included in the machine group.
When organizational units are added, the new entries are displayed within the
bottom portion of the machine group pane, as illustrated here:
Defining Nested Groups
You can use nested groups when configuring a machine group. A nested
group is a group that consists of one or more other groups.
All currently defined machine groups are listed except the machine group you
are currently configuring. To add one or more nested groups, simply enable
the check boxes of the desired groups and then click Add Checked.
When one or more nested groups are added, the new entries are displayed
within the bottom portion of the machine group pane, as illustrated here:
ADDING VIRTUAL MACHINES TO A MACHINE GROUP
How to Add Virtual Machines to a Machine Group
Virtual machines can be added to a machine group. The recommended best
practice is to create a machine group consisting of nothing but virtual
machines. You can, however, add both physical machines and virtual
machines to the same machine group if you wish.
There are four different ways to add virtual machines to a machine group:
• If virtual machines are hosted by a server you can add the server to the
machine group. This effectively adds all virtual machines hosted by the
server to the machine group. The virtual machines can be in either online
or offline mode.
• If virtual machines are hosted by a server you can add individual virtual
machines to the machine group. The virtual machines can be in either
online or offline mode.
You can also add virtual machine templates that may be hosted on a server.
• If virtual machines reside on individual workstations, you may consider
adding the machines to the group twice to ensure that each virtual
machine is successfully scanned regardless of its current power state
(online or offline).
  • You can add the full path names or directory names of the offline
  virtual machines to the machine group using the Workstation Virtual
  Machines tab. The virtual machines defined using this tab are scanned
  only if they are in offline mode.
  • You can add the virtual machines to the machine group using the
  Machine Name tab, the Domain Name tab, or the IP
  Address/Range tab. Virtual machines defined using these tabs are
  scanned only if they are in online mode.
Note: For overview information about scanning for and deploying patches to
virtual machines, see Virtual Machine Overview.
Adding Virtual Machines Hosted by a Server
Many organizations will host their virtual machines on one or more VMware
servers. Doing so provides the means to manage the virtual machines in an
organized fashion. There are two main types of VMware servers:
• VMware ESX/ESXi Server: A server dedicated to hosting and managing
multiple virtual machines. VMware ESX servers are typically used in small-
and medium-sized organizations that want to control multiple virtual
machines from one location. The server often runs on a dedicated blade
computer that is using a VMware operating system.
• VMware vCenter Server: This type of server is typically used by large
organizations that need to manage multiple VMware ESX servers, each of
which may be running multiple VMware images. For example, you can
quickly move a highly-utilized virtual machine from a busy ESX server to
another less busy ESX server.
You can use the Hosted Virtual Machines tab to log on to these servers and
select the virtual machines you want to include in your machine group. The
virtual machines can be in either offline or online mode. You can also use this
tab to add virtual machine templates that may be hosted on a server.
1. Log on to the desired server by clicking Add Server.
See Logging on to a Server for information on logging on to a server. The
credentials you use to log on to the server are called browse credentials.
They will be used to connect to the server and to enumerate the machines
hosted by the server.
After a connection is made the server is displayed in the left-hand pane.
The virtual machines hosted by the server are displayed in the right-hand
pane. At this point you can either add the server itself to the group or you
can add individual virtual machines.
Note: You must have server permission set on the datacenter, the folder,
or the individual virtual machines in order for the machine to be displayed.
If you don't have permission for a specific virtual machine it will not be
displayed in the right-hand pane.
2. To add all machines hosted by a server, select the server in the left-hand
pane and click Add Server(s) to Group.
3. To add individual hosted machines, in the right-hand pane select the
virtual machines you want to add to the machine group and then click
Add Machine(s) to Group.
The virtual machines are added to the bottom pane of the machine group.
Be sure to supply any credentials that may be needed for the individual
machines.
Note: You can also add virtual machine templates to the machine group.
Templates are identified by a unique icon. For complete details see
Notes About Virtual Machine Templates.
You can log on to multiple servers at the same time. All virtual machines
found on the servers are displayed in the right-hand table. The server
table identifies the server type (VI = Virtual Infrastructure server, ESX =
ESX server) and the server name. The virtual machine table contains a
large amount of information about each virtual machine, including:
• Parent ESX Server: The name of an ESX server being used to host
virtual machines.
• VM Name: The name of a virtual machine being managed by a server.
• Memory: The amount of memory (MB) allocated to the virtual
machine.
• Disk Space: The amount of disk space (GB) allocated to the virtual
machine.
• Operating System: The operating system being used on the virtual
machine.
• Last Known Power State: The last known state of the virtual
machine (Powered On, Powered Off, or Suspended).
• IP Address: The IP address of the virtual machine.
• CPUs: The number of Central Processing Units (CPUs) available to the
virtual machine.
• Host Name: The name of the machine on the network that is hosting
the virtual machine.
You can reorder the columns in both tables by clicking and dragging the
column headers to new locations. You can also click within a column header
and sort the column in ascending or descending order.
The Hosted Virtual Machines tab contains the following buttons:
Add Server: Enables you to log on to a VMware ESX server or virtual
infrastructure server. After a successful logon the server and its hosted
virtual machines are displayed and available for selection.
Refresh Server: Reconnects to the selected server and updates the list of
virtual machines hosted by the server.
Edit Server: Allows you to edit the information used to connect to the
selected server.
Remove Server: Removes the selected server from the table. All virtual
machines hosted by the server will be removed from the right-hand table.
Add Server(s) To Group: In the left-hand pane, select the desired server(s)
and then click Add Server(s) To Group. The server is added to the bottom
pane. When you add a server, it effectively adds all virtual machines
hosted by that server to the machine group.
Add Machine(s) To Group: To add individual virtual machines to the machine
group, select the desired virtual machines in the right-hand table and then
click Add Machine(s) To Group. You can add an individual virtual machine
even if the server being used to host the virtual machine is already
contained in the machine group. Although the virtual machine in this case
would technically be listed twice, it will only be scanned once. This
applies for all duplicate entries.
Logging on to an ESX or Virtual Infrastructure Server
When you click New Server or Edit Server on the Hosted Virtual
Machines tab the following dialog is displayed:
Server: Type the full path name of the VMware ESX or virtual infrastructure
server you want to log on to.
Port: The port number used when making a connection to the server. The
default port value is 443.
User: Type a user name that has access to the server.
Password: Type the password for the user.
Verify Password: Retype the password to verify you specified it correctly.
OK: To complete the server definition process, click OK. The program will
search for all virtual machines hosted by the server and will populate the
table.
Note: In order to mount a VMware® ESX Server (v3.0.x or later) through a
virtual infrastructure server, you must be running VMware® Infrastructure
2.5 or later.
Adding Offline Virtual Machines That Reside On Workstations
Some virtual machines may reside on individual workstations. Any machine
using VMware Workstation software is capable of supporting a virtual
machine. The virtual machines may reside almost anywhere, including hard
drives, network drives, jump drives, etc. You use the Workstation Virtual
Machines tab to add these stand-alone offline virtual machines to a machine
group.
Note: This tab is used to specify the offline identity of each virtual machine.
If a virtual machine added here is online when a scan is performed, a
mounting error will occur and the scan of that machine will fail.
Tip: If you want to be absolutely sure that all your virtual machines are
successfully scanned, simply add the same machines to the group a second
time using one of the other tabs (Machine Name, Domain Name, or IP
Address/Range). This duplication assures that each virtual machine will be
successfully scanned regardless of its power state (online or offline).
The virtual machines specified here are the actual images and you must
therefore specify the full path name. Once the virtual machine is added to a
machine group you should also specify the credentials used to connect to that
virtual machine. This is different from virtual machines hosted by a server. On
a server you can simply reference a file that points to the actual virtual
machine, letting the server manage the path and credential information.
Adding a virtual machine residing on a workstation
There are two ways to add an offline virtual machine that is hosted
on a workstation:
• In the Click here to enter the full path to a virtual machine
box, type the full path name of the virtual machine. You must
specify the full path name and not just the name of the virtual
machine. The name must contain a valid image extension (such
as .vmx) and must not contain any illegal characters (such as
@, ", etc.). When possible, avoid using network drive letters; the
recommended practice is to instead specify the Uniform Naming
Convention (UNC) path. For example:
\\machinename\sharename\directory\machine.vmx.
• Click the Browse button and locate the virtual machine
by browsing your local machine and your network for the desired
file.
Once the virtual machine is defined, click Add VM to add it to the
machine group list.
Adding a directory of virtual machines
There are two ways to add a directory of offline virtual machines:
• In the Click here to enter the path to a directory of virtual
machines box, type the full path name of the directory. When
possible, avoid using network drive letters. The recommended
practice is to specify the Uniform Naming Convention (UNC)
path. For example: \\virtual\directory\.
• Click the Browse button and locate the directory by
browsing your local machine and your network for the desired
directory.
If you want the program to recursively search all subdirectories for
virtual machines when performing a scan, enable the Include all
VMs in all subdirectories check box.
Once the directory is defined, click Add Directory to add it to the
machine group list.
Note: Adding a large number of virtual machines that are all hosted
on the same workstation could cause a connection limit error to
occur when scanning the virtual machines. See Notes About Virtual
Machines for more information.
Import virtual machines or virtual machine directories
You can import a list of offline virtual machines or a list of virtual
machine directories from a previously created text file. The text file
can be created manually or it can be created using any network-based
tool available to you.
When you click Import From File you are presented with two
options:
• File with offline virtual machines: You can import a list of
virtual machines from a previously created text file. Navigate to
the location of the text file and then click Open.
When creating the text file, each virtual machine name must be
separated by either a carriage return or a comma. For example:
D:\VMware Images\VM-MAF-FR-XPP\winXPPro.vmx,
D:\VMware Images\VM-QA-EN-2KS-4\win2000Serv.vmx,
Z:\VMware Images\WinXP_EN_gold_2\winXPPro.vmx
• Files with offline virtual machine directories: You can import
a list of virtual machine directories from a previously created text
file. Navigate to the location of the text file and then click Open.
When creating the text file, each directory name must be
separated by either a comma or a carriage return. For example:
D:\VMware Images\VM-MAF-FR-XPP, D:\VMware Images\VM-QA-EN-2KS-4
Z:\VMware Images\WinXP_EN_gold_2
Link to a file
Offline virtual machines and virtual machine directories can also be
dynamically linked to a text file rather than imported. Linking a file to
a machine group is different than importing its contents. Importing
contents is a one-time operation after which the information from the
file becomes a part of the machine group. When you link a file to a
machine group, any changes that you make to the file are
automatically reflected in the next scan. See Linking Files to
Machine Groups for more information.
Viewing Servers and Virtual Machines in a Machine Group
When servers, virtual machines, and virtual machine templates are added to
a machine group, the new entries are displayed within the bottom section of
the machine group dialog. For example:
The recommended best practice is to always supply credentials for the
VMware servers, the virtual machine templates, and the offline workstation
virtual machines. See Supplying Credentials for details. Be careful if you have
multiple console administrators, as different administrators are likely to
provide different server credentials.
Excluding Certain Machines
You can define a number of machines you want to exclude. This is especially
useful for defining a machine group that consists of all but a few machines
from a large group of machines. For example, if you want to create a
machine group that consists of all but two machines in a domain, you simply
add the domain and then specify the two machines you want to exclude.
Machines can be added to the "exclude list" by machine name, by domain
name, or by IP address. When specifying the name or IP address, simply
enable the Exclude check box before you click Add. Excluded machines are
identified in the machine group list by an icon. For example:
Linking Files to a Machine Group
Patch Authority Ultimate provides a dynamic mechanism for keeping a
machine group current. This is especially useful if your machine list changes
from time to time and you want an easy way to update it. Linking a file to a
machine group is different than importing its contents. Importing contents is
a one-time operation after which the information from the file becomes a part
of the machine group.
When you link files to a machine group, any changes that you make to the
files are reflected upon the next scan. In other words, if you add machines to
and delete machines from a linked file between scans, any new machines
added to the file will be scanned while any machines removed will not.
When defining a machine group you can link to files containing machine
names, domains, IP addresses, and virtual machines. The following table
describes how to create each particular link file.
Link Machine File
Provide the name of a file containing machine names. One machine
name per line with a carriage return at the end.
Sample:
machine1
machine2
dc
mail
dbserver
Link Domain File
Provide the name of a file containing domain names. One domain
name per line with a carriage return at the end.
Sample:
example
yourcompany
corp
redmond
dmz
Link Virtual Machine File
Provide the name of a file containing virtual machines. One virtual
machine name per line with a carriage return at the end, or separate
each name by a comma.
Sample:
D:\VMware Images\VM-MAF-FR-XPP\winXPPro.vmx, D:\VMware Images\VM-QA-EN-2KS-4\win2000Serv.vmx
Z:\VMware Images\WinXP_EN_gold_2\winXPPro.vmx
Link IP Address File
Provide the name of a file containing IP addresses. One IP address
per line with a carriage return at the end.
Note: You cannot combine individual IP addresses and IP ranges in
the same file.
Sample:
192.168.29.132
10.1.1.10
172.16.1.5
Link IP Range File
Provide the name of a file containing IP ranges. IP ranges in the
format of x.x.x.x-y.y.y.y are acceptable. One per line with a carriage
return at the end.
Sample:
192.168.29.1-192.168.29.5
172.16.2.20-172.16.2.99
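Because an edit to a linked file changes what the next scan covers, it helps to check the file's format and its effect on scope before saving it. The following Python sketch is an added example, not part of the product or of this guide; the function names and the 65536-address expansion limit are assumptions, and the sample data is constructed from the sample ranges above.

```python
import ipaddress

MAX_SPAN = 65536  # added safety limit: refuse to expand very large ranges


def parse_ip_entry(entry):
    """Parse 'a.b.c.d' or 'a.b.c.d-w.x.y.z'; returns (first, last, is_range)."""
    first, dash, last = entry.partition("-")
    lo = ipaddress.IPv4Address(first.strip())
    hi = ipaddress.IPv4Address(last.strip()) if dash else lo
    if hi < lo:
        raise ValueError(f"range ends before it starts: {entry}")
    return lo, hi, bool(dash)


def lint_ip_link_file(text):
    """Check a Link IP Address / Link IP Range file against the documented format.

    Returns (kind, problems) where kind is 'addresses', 'ranges', 'mixed' or
    'empty'. A file that mixes both kinds is reported, since the guide says
    individual addresses and ranges cannot share one link file.
    """
    problems, kinds = [], set()
    for number, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if not line:
            continue
        if "," in line:
            # The IP link files are documented as one entry per line.
            problems.append(f"line {number}: more than one entry on the line")
            continue
        try:
            _, _, is_range = parse_ip_entry(line)
        except ValueError as exc:  # also covers ipaddress.AddressValueError
            problems.append(f"line {number}: {exc}")
            continue
        kinds.add("ranges" if is_range else "addresses")
    if len(kinds) == 2:
        problems.append("file mixes individual addresses and ranges")
        return "mixed", problems
    return (kinds.pop() if kinds else "empty"), problems


def covered_addresses(text):
    """Expand a linted file into the set of addresses it covers (as integers)."""
    covered = set()
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        lo, hi, _ = parse_ip_entry(line)
        if int(hi) - int(lo) >= MAX_SPAN:
            raise ValueError(f"range too large to expand: {line}")
        covered.update(range(int(lo), int(hi) + 1))
    return covered


def scope_change(approved_text, current_text):
    """Return (added, removed) addresses between the reviewed copy and the live file."""
    before = covered_addresses(approved_text)
    after = covered_addresses(current_text)

    def as_text(values):
        return [str(ipaddress.IPv4Address(v)) for v in sorted(values)]

    return as_text(after - before), as_text(before - after)


# Constructed sample: the reviewed copy of a range file and an edited version.
APPROVED = "192.168.29.1-192.168.29.5\n172.16.2.20-172.16.2.99\n"
EDITED = "192.168.29.1-192.168.29.6\n172.16.2.30-172.16.2.99\n"

if __name__ == "__main__":
    print(lint_ip_link_file(EDITED))
    added, removed = scope_change(APPROVED, EDITED)
    print("newly scanned:", added)
    print("no longer scanned:", removed)
```

Addresses in the second list silently drop out of the next scan, so a shrinking range deserves the same review as a growing one.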
Supplying Credentials for Machines
Note: This section discusses information related to scan credentials, which
allow the program to authenticate to individual machines. Browse credentials
are slightly different; they are used by servers, domains, and organizational
units to enumerate machines but not actually authenticate to the individual
machines. See Adding Virtual Machines Hosted by a Server and Machine
Group Dialog: Bottom Section for information on specifying browse
credentials.
Credentials consist of a user name and password pair used to authenticate
the program to the specified target machines. You use a machine group to
supply credentials for the machines. The credentials are stored with strong
encryption techniques and are not available to anyone except the user who
provided them.
When specifying the user name:
• If you enter User@<Domain>, <Domain>\User, or a fully qualified user
name, Patch Authority Ultimate will use the domain account rights.
• If you enter <Target Machine>\User, Patch Authority Ultimate will use the
target's local account rights.
• If you do not include a domain or machine as part of the user name, the
name will be qualified to the target machine
(<targetmachinename>\User).
• Microsoft Windows .alias name formats (for example: '.\username') are
supported by Patch Authority Ultimate.
You can supply credentials to individual machines, to all machines in a
machine group, or both.
To Individual Machines in a Machine Group
To apply credentials to one or more machines in a machine group, select the
machines and then select Credentials > Set Admin Credentials. Specify
the appropriate credentials for the machines and click OK.
For more information, see Working with a Machine Group.
To All Machines in a Machine Group
To apply credentials to all machines in a machine group, select Credentials
> Set Credentials. Specify the appropriate credentials for the group and
click OK.
Credential Priorities
Initiating actions from a machine group or a favorite
Machine groups and favorites can be used to initiate patch scans. When
performing these actions, Patch Authority Ultimate will attempt to
authenticate to each machine using a variety of credentials and will do so in
the following order:
1. Machine-level credentials (see To Individual Machines in a Machine
Group, above).
2. Group-level credentials (see To All Machines in a Machine Group,
above).
3. Default credentials (see Default Credential Options).
4. Credentials of the person currently logged on to the program (will not
work for deployments to offline virtual machines).
If none of these credentials work the scans will fail.
One suggestion is to make your default credentials the same as the account
credentials you typically use to log on to the program. This will eliminate
problems that may occur if you forget to assign credentials.
Initiating actions from Machine View or Scan View
When initiating a patch deployment from Machine View or Scan View, the
program will attempt to authenticate to the target machines using a variety of
credentials and will do so in the following order:
1. The credentials used in the last successful scan of the target machines
(when from Machine View) or the credentials used in the corresponding
scan (when from Scan View).
2. Default Credential Options (used if the scan credentials are invalid or
missing; for example, if an agent performed the scan rather than the
console).
3. Credentials of the person currently logged on to the program (will not
work for deployments to offline virtual machines).
If none of these credentials work then the action will fail.
When Local Machine Credentials will be Used
The credentials you supply will be used to access remote machines, to
perform any scans, and to push any necessary files. The supplied credentials
will NOT be used to:
• Authenticate to the local (console) machine
Rather, the program uses the credentials of the currently logged on user
to authenticate to resources on the local machine. Therefore, in order to
perform tasks on the local machine, make sure you log on using an
account that has administrator and local machine access rights.
• Perform a patch deployment
The machine credentials that you supply are used to provide access to the
remote machine and to push the necessary patch deployment files. The
actual deployment, however, will be run under the remote machine's Local
System account.
Supplying Credentials for Virtual Machines
There are several different tabs that can be used to add virtual machines to a
machine group. The credentials that will be used to scan and/or deploy
patches to these machines depend on how the machines are defined to the
group and on the current power state of each machine.
• Hosted Virtual Machines tab: Used to add virtual machines that are
hosted by a server. The credentials used to scan each machine depend
on the current power state of the machine.
  • A hosted virtual machine that is offline at the time of a scan will be
  accessed using the server's browse credentials. Any individual
  credentials supplied for the machine are ignored.
  • A hosted virtual machine that is online at the time of a scan will be
  accessed using authorized credentials for that machine. See
  Credential Priorities (above) for details.
• Workstation Virtual Machines tab: Used to add offline virtual
machines that reside on individual workstations. You must supply
individual machine credentials (see above) for each virtual machine
defined using this tab. The credentials are used during the mounting
process and provide permission for Patch Authority Ultimate to access the
virtual machine files on the workstation.
• Machine Name tab, the Domain Name tab, or the IP Address/Range
tab: Used to add virtual machines that reside on individual workstations
and that are online at the time of a scan. See Credential Priorities
(above) for details.
You typically use these three tabs if you want to be absolutely sure that all your
workstation-based virtual machines are successfully scanned. Adding the same
machines here and on the Workstation Virtual Machines tab assures that each
virtual machine will be successfully scanned regardless of its power state (online
or offline).
USING FAVORITES
Creating Favorites
A favorite is a marriage between machine groups and a scan template. It
consists of one or more machine groups and one scan template. You select
the machine groups you want to scan and then select a template that dictates
how the machines should be scanned.
A favorite is used whenever you want to initiate a scheduled scan. You can
use one favorite to schedule multiple different scans.
To create a new favorite:
1. In the button tray at the bottom of the navigation bar, click Favorites.
2. In the Favorites pane, click New Favorite.
Note: Alternatively, you can choose File > New > Favorite from the
main menu.
A dialog similar to the following is displayed.
3. Give the favorite a unique name (e.g. "Domain Controllers").
4. If desired, provide a description. For example "This favorite consists of a
machine group made up of only domain controllers using a Security Patch
Scan".
5. In the Select at least 1 group list, select which machine groups you
would like to include in this favorite.
Note: If you elected to exclude certain machines from one or more
machine groups, the exclusions will apply to all machine groups you
include in this favorite.
6. Select the patch scan template you want to use when scanning the
machines.
If none of the available scan templates are acceptable, click New and
create a new template.
7. Click Save.
A new entry will appear in the Favorites pane.
8. If you want to immediately perform a scan using this favorite, click Begin
Scan.
Performing Actions on a Favorite
When you select a favorite from the Favorites list the Favorite dialog is
displayed. It shows the current configuration of the favorite. To edit the
configuration, simply make the desired changes and then click Save.
You can also right-click a favorite and perform the following actions:
Copy
Makes a copy of the selected favorite. The new favorite will contain the same
settings as the selected favorite.
Delete
Deletes the selected favorite.
Make Default
Specifies that this should be used as your default favorite. This favorite will be
used when you select the Scan > My Default Favorite menu command or the
Scan Now > My Default Favorite toolbar icon.
Rename
Enables you to rename the favorite.
Scan
Initiates a scan of the machines specified within the favorite. Initiating a scan
from a favorite is an easy way to schedule a scan for a later time or date.
USING ROLE-BASED ADMINISTRATION
How Role-Based Administration Works
You can assign different roles to different users of Patch Authority Ultimate.
This enables you to make the program available to a wide variety of people
within your organization while maintaining control over its use. The role
assigned to a user determines what that particular user can do.
Here's how it works. When Patch Authority Ultimate is launched it checks if
role-based administration is enabled. If so, the program then looks to see if
the current user has been assigned a role. If the user has been assigned a
role, the program grants that user access to only those features allowed by
their role. For example, you may have a number of users who are allowed to
create reports, but only one or two users who have permission to deploy
patches.
Features that are not available due to role limitations will be either grayed out
or removed from the interface. If a user has not been assigned a role, that
user will be extremely limited in what they can do with the program. It is not
possible for a user to switch roles while within the program.
Role-based administration is initially disabled. Until you enable this feature,
all users will have full access to the program. You enable and configure
role-based administration via the Manage > User Roles Assignment menu. See
Assigning User Roles for detailed information.
Assigning User Roles
You can assign roles to as many users as needed. At least one user must be
assigned the administrator role.
1. Select Manage > User Role Assignment.
The User Role Assignment dialog is displayed.
If the buttons on the dialog are unavailable it means you do not have
permission to modify the user role assignments. Only a user assigned the
Administrator role can modify the roles.
2. Click New.
The Select User and Role dialog is displayed.
3. Type a user name and then select the role you want to assign to that user.
• When specifying the user name you must use the following format:
  domain\user.
• If you are unsure of the correct domain and user name, you can view a
  list of all available domains and users by clicking Find User. The
  resulting dialog enables you to conduct either a quick search of just the
  Users organizational unit or a more comprehensive search of the entire
  Active Directory.
Role definitions:
• Administrator: Full access to all features of the program. Only an
  administrator user can modify the roles assigned to other users.
  CAUTION! If you assign the Administrator role to only one user,
  make sure you know how to log on to the console machine using that
  user. Otherwise it is possible to lock yourself out from certain features,
  with the only solution being to reinstall the program.
• Full User: Access to all features except for the ability to administer
  roles.
• Scan and Report Only: Can perform patch scans and can generate
  reports.
• Deploy and Report Only: Can perform patch deployments and can
  generate reports.
• Report Only: Can generate reports.
4. Click OK.
Note: All configured users must have access to the database. If users without
administrative rights on the console machine receive an error when starting
Patch Authority Ultimate, it probably means they don't have the necessary
SQL Server permissions. See SQL Server Preinstallation Notes for more
information.
Enabling and Disabling Role-Based Administration
Enabling Role-Based Administration
Simply defining one or more users and assigning them roles does not
automatically enable the role-based administration feature. The program
allows you to predefine several users without actually enabling the feature.
You will not be able to enable role-based administration, however, without
having at least one user assigned to the Administrator role.
To enable role-based administration:
1. Select Manage > User Role Assignment.
The User Role Assignment dialog is displayed.
2. Enable the Roles Enabled check box.
You must have defined at least one user with the Administrator role in
order to enable role-based administration. See Assigning User Roles for
detailed information.
3. Click OK.
Role-based administration takes effect the next time the program is
launched.
Disabling Role-Based Administration
To disable role-based administration:
1. Clear the Roles Enabled check box.
2. Click OK.
After disabling role-based administration, the next time that Patch Authority
Ultimate is launched all users will have full access to the program. Any users
that are defined in the User Role Assignment dialog will remain but their
role assignments will be ignored.
Determining the Currently-Assigned Role
Information about the currently-assigned role is available in the About Patch
Authority Ultimate dialog.
1. Select Help > About.
2. In the upper portion of the dialog you will be able to view the current role
assignment.
Quick Start Info for Limited Users
WHAT IS PATCH AUTHORITY LIMITED?
Patch Authority Limited can be used free of charge. This security program fills
the gap that Microsoft Baseline Security Analyzer (MBSA) 2.x leaves behind.
It analyzes the patch status of those Microsoft products not supported by
current Microsoft patch technologies. Use it as a supplement to MBSA 2.x to
provide a complete security analysis of all the Microsoft products contained on
your network machines. See
http://technet.microsoft.com/en-us/security/cc184924.aspx for the list of
legacy Microsoft products supported by Patch Authority Limited.
Patch Authority Limited will scan one or more machines in your network and
detect any missing patches. In addition to the normal scan results produced
by the program, an MBSA-compatible output file will also be created for each
machine that was scanned. The MBSA files can be used as input to MBSA
when reviewing the security status of the individual machines.
As its name suggests, Patch Authority Limited is not a full-featured version of
the program. It scans only a limited product set for missing patches. It does
not enable you to deploy missing patches to the machines in your network
nor does it provide access to the agent-based capabilities of Patch Authority
Ultimate Agent. For these and other capabilities you must purchase a product
license from ScriptLogic Corporation. A free trial license is available if you
want to sample the full-featured version of Patch Authority Ultimate before
purchasing a license.
HOW TO USE THE LIMITED PROGRAM
Using Patch Authority Limited is fairly straightforward. See the following
topics for detailed instructions on how to perform a scan and review the
results:
• Scanning Your Own Machine
• Performing a Scan of Multiple Machines
HOW TO SCAN YOUR OWN MACHINE
1. Start Patch Authority Ultimate.
If this is the first time you have started the program the Setup Wizard
dialog will appear. Using the Setup Wizard is optional; in most cases the
information is not required by Patch Authority Limited and you can simply
click Cancel.
2. Select Tools > Options > Scans, enable the Generate MBSA-formatted
output check box, and then click Save.
By default the scan output will be written to one of the following directories:
• On Windows Vista and other newer operating systems:
  C:\ProgramData\ScriptLogic Corporation\Patch Authority Ultimate\SecurityScans
• On earlier Windows operating systems such as Windows XP:
  C:\Documents and Settings\All Users\Application Data\ScriptLogic Corporation\Patch Authority Ultimate\SecurityScans
The output file will be created with the name
<domain> - <computer> (<timestamp>).mbsa. If you want the output file to be
written to a different directory, or if you want to add a unique prefix to the
output file name, see Scan Options.
3. Initiate a scan of your machine.
To quickly perform a scan of the local machine, click the Scan My
Machine button on the home page. On the Run Patch Scan dialog,
select Run Now and then click Scan Now. This will immediately begin a
scan of your machine. For information on other methods of scanning your
machine, see Scanning Your Local Machine.
4. View the results of the scan from within Patch Authority Ultimate Limited.
Patch Authority Ultimate Limited provides a large amount of information
following a successful scan. See Accessing Patch Scan Results for details
on interpreting this information.
5. Locate the MBSA-compatible output file that was produced by the scan.
The file will be located in the default directory or in the directory you specified.
6. Review the results of the scan using MBSA.
If Microsoft Baseline Security Analyzer is installed on your machine you
can simply double-click the output file and view the results. For example:
To display the individual patches that are missing, click Result details.
HOW TO PERFORM A SCAN OF MULTIPLE MACHINES
You can scan multiple remote machines from the console machine. This is
performed using a machine group.
1. Start Patch Authority Ultimate.
If this is the first time you have started the program the Setup Wizard
dialog will appear. Using the Setup Wizard is optional; in most cases the
information is not required by Patch Authority Limited and you can simply
click Cancel.
2. Select Tools > Options > Scans and enable the Generate MBSA-formatted
output check box.
By default the scan output will be written to one of the following
directories:
• On Windows Vista and other newer operating systems:
  C:\ProgramData\ScriptLogic\Patch Authority\SecurityScans
• On earlier Windows operating systems like Windows XP:
  C:\Documents and Settings\All Users\Application Data\ScriptLogic\Patch Authority\SecurityScans
One output file will be created for each machine that is scanned. The
output files will be created with the name
<domain> - <computer> (<timestamp>).mbsa. If you want the output files to be
written to a different directory, or if you want to add a unique prefix to the
output file names, see Scan Options.
3. Create a machine group that contains each machine you want to scan.
See Creating A New Machine Group for details.
4. Supply credentials as needed.
The program must be able to log on to each of the machines in the group
before it can perform a scan. See Supplying Credentials for information on
how to supply credentials to individual machines or to the entire machine
group.
5. Initiate a scan of the machine group by clicking Begin Scan from within
the machine group.
See Working With A Machine Group for more information.
6. View the results of the scan from within Patch Authority Ultimate Limited.
Patch Authority Ultimate Limited provides a large amount of information
following a successful scan. See Accessing Patch Scan Results for details
on interpreting this information.
7. Locate the MBSA-compatible output files that were produced by the scan.
The files will be located in the default directory or in the directory you
specified.
8. Use the files to review the results of the scans.
Each file contains the results for one particular machine -- the machine
described by the file name. If Microsoft Baseline Security Analyzer is
installed on your machine you can simply double-click the output file and
view the results. For example:
To display the individual patches that are missing, click Result details.
ACCESSING THE FULL CAPABILITIES OF THE PROGRAM
As its name suggests, Patch Authority Ultimate Limited is not a full-featured
version of the program. It will only scan a limited number of products for
missing patches. It will not enable you to deploy missing patches to the
machines in your network.
For these and many other capabilities you must purchase a product license
from ScriptLogic Corporation. If you are interested in using the full version of
the program (called Patch Authority Ultimate), please visit our Web site at
http://www.scriptlogic.com. A free trial license is also available if you want to
sample the full-featured version before purchasing a license.
Quick Start Info for All Users
HOW DO I GET STARTED SCANNING AND PATCHING?
Scanning for and deploying missing patches is easy! You simply do the
following:
1. A) Create and Configure a Machine Group
The quickest way to evaluate many machines at once is to create
and configure a machine group. For details, see Creating a New
Machine Group and Configuring a Machine Group.
B) Perform a Scan of the Machine Group
After creating and configuring the machine group, you simply click
Begin Scan to begin a scan of all machines in the group. For
example:
2. Review the Scan Results
Scan results are available immediately following a successful scan.
For details, see Accessing Patch Scan Results.
3. Deploy Any Missing Patches
You can immediately deploy any patches that are missing on your
machines. For details, see Deploying One or More Patches.
HOW DO I AUTOMATE SCHEDULED PATCHING?
A scheduled scan enables you to specify exactly when a scan should be
performed. You can configure Patch Authority Ultimate to automatically
perform recurring scheduled scans and to automatically deploy any missing
patches it detects during a scan.
1. (Optional) Create a custom patch group and a custom patch scan
template.
This step is necessary if you want to control exactly which patches you
scan for and deploy. You do this by first creating a patch group that
contains just your approved patches, and then using it as a patch filter in
a custom patch scan template.
Note: If the scheduled scan is something you intend to perform regularly
(for example, to coincide with Microsoft's monthly patch release), you will
also have to update the patch group on a regular basis.
2. (Optional) Create a custom machine group or a favorite.
Using one of the default machine groups will work, too.
3. (Optional) Create a deployment template.
Using one of the default templates will work, too.
4. Initiate a scan from a machine group or a favorite.
Simply select the desired machine group or favorite and then click Begin
Scan.
5. On the Run Patch Scan dialog, enable the Run recurring at check box
and specify when you want the scheduled scans to be performed.
You can schedule a scan to run once at a specific time, or you can
schedule a recurring scan. See Scheduling Patch Scans for complete
details.
6. Enable the Auto-deploy patches after scan check box.
The dialog extends to display additional deployment options.
7. Select the desired deployment template and specify when the deployment
should occur.
8. Click Schedule.
9. If prompted, provide credentials that can be used to schedule the job on
the console machine.
10. Use the Scheduled Tasks Manager to review scheduled scans.
HOW DO I TRACK DEPLOYMENT STATUS?
Tracking Patch Deployments
It is very simple to track the status of patch deployment tasks.
• Scheduled patch deployments can be managed using the Scheduled Task
  Manager.
• Active patch deployments can be monitored using the Patch Authority
  Ultimate Deployment Tracker.
• When a deployment is finished, you can review the status of the
  deployment by selecting the deployment in the Patch Results pane in the
  navigation bar.
Monitoring Post-patch Machine Status
To verify the status of the updated machine(s), simply perform a new scan
and review the updated results using Machine View.
HOW DO I DOWNLOAD APPROVED PATCHES?
There are a couple of reasons for downloading patches in advance of a patch
deployment:
• If you are using one or more distribution servers to store patches you wish
  to deploy, you must download the patches to the console's download
  center before you can copy them to the desired distribution servers. See
  Synchronizing Servers for more details.
• It will speed the deployment process. The act of deploying one or more
  patches will automatically download those patches not already resident in
  the download center, but downloading them in advance will make the
  deployment process much faster.
Patch Authority Ultimate provides a number of different ways to download
patches.
• From within the top pane of Patch View, select the desired patches,
  right-click the patches, and then select Download > Patches.
• From within an approved patch group, click View in Patch View. From
  the resulting patch view, select all the patches, right-click the patches,
  and then select Download > Patches.
• From within the middle pane of Scan View, right-click the
  selected patches and select Download Selected.
• From within the middle pane of Machine View, right-click the selected
  patches and select Download Selected.
HOW DO I SET UP AND MONITOR AGENTS?
Setting up and using agents consists of the following general steps:
1. Create and Configure an Agent Policy
An agent policy defines exactly what an agent can or cannot do.
With Patch Authority Ultimate Agent you can create as many
different agent policies as are needed. This provides a great deal of
flexibility, enabling you to assign different agent policies to
different machines in your organization.
See Creating a New Agent Policy for complete information.
2. Install the Agent Policy On the Desired Machines
Agents can be push-installed from the console to the desired
target machines, or they can be installed manually.
3. Monitor the Agents as They Protect Your Machines
You can monitor the agents from the console or you can use the
Patch Authority Ultimate Agent client program to perform
additional actions directly on the agent machine.
HOW DO I COLLECT DATA FOR TECHNICAL SUPPORT?
If you ever have a question or issue with Patch Authority Ultimate that
requires help from the ScriptLogic Corporation Technical Support staff, please
have the following information available when e-mailing or calling:
• What version of Patch Authority Ultimate are you using?
• What operating system(s) are the target machines running? Please include
  the service pack level and architecture version (32-bit or 64-bit).
• What exactly were you doing when the issue occurred, or what exactly do
  you want to do? Please be as descriptive as possible.
• Provide your Patch Authority Ultimate license key.
• What operating system is the console installed on? Please include the
  service pack level and architecture version (32-bit or 64-bit).
• Provide screen shots or text of any on-screen errors.
Installation Log Files
The installation logs are located in the following directory:
• On Windows Vista and other newer operating systems:
  C:\Users\user name\AppData\Local\Temp
• On earlier Windows operating systems like Windows XP:
  C:\Documents and Settings\user name\Local Settings\Temp
There are three installation log files within the directory:
• Main installation log file: PAUSetup_date_time.log
• Prerequisite installation log file: PreSetupdate.log
• Windows Installer log file: PAUInstall_date_time.log
Program Log Files
If necessary, you may be asked to capture program log files.
1. Select Tools > Options > Logging and in the User Interface and
Services boxes specify All.
2. Restart the program.
3. Recreate the issue.
Please note the steps you took to recreate the issue. Also note the date and
time of day so our analysts know where to look in the log files.
4. Once the issue is recreated, and before you close or restart the program,
make a copy of all the logs and include them in your e-mail
correspondence.
The logs are located in the following directory:
• On Windows Vista and other newer operating systems:
  C:\ProgramData\ScriptLogic Corporation\Logs
• On earlier Windows operating systems like Windows XP:
  C:\Documents and Settings\All Users\Application Data\ScriptLogic Corporation\Logs
HOW DO I USE A DISTRIBUTION SERVER?
Distribution servers can be used as an alternate location for storing the scan
engines, the XML data files, and the patches used by Patch Authority Ultimate.
There are a number of reasons you may want to use a distribution server. For
details, see Why Use a Distribution Server?
To use a distribution server you do the following:
1. Create and configure a new distribution server.
Select Manage > Distribution Servers, and on the Servers tab click
New. For details, see Configuring Distribution Servers.
2. Define which target machines will use the distribution server.
On the IP Ranges tab, click New and then specify the IP ranges you want to
associate with the server. For details, see Assigning IP Addresses to Servers.
3. Update the distribution server with the latest files.
On the Synchronize tab, enable one or more of the available check boxes
and then click Start automatic synchronization of all Distribution
Servers. It is also possible to configure Patch Authority Ultimate to
automatically synchronize itself with the distribution server. For details,
see Synchronizing Servers.
HOW DO I GENERATE REPORTS?
There are a number of different reports you can generate to view the state of
the machines in your network.
1. Select Tools > Create Report from the main menu.
2. Select a report from the drop-down list at the top of the Report Gallery
dialog.
For a list of all available reports, see Overview of Reports.
3. Select your filtering options.
For details, see Report Gallery.
4. Click Generate Report.
The report is generated and displayed within the report viewer.
5. (Optional) If you elected to use advanced filtering, specify the advanced
filtering options.
For details, see Advanced Filtering.
6. If desired, export the report to a number of different formats.
For details, see Exporting Reports.
Quick Start Info for Virtual Machines
VIRTUAL MACHINE OVERVIEW
A virtual machine is not actually a physical machine but rather a software
environment (usually an operating system) designed to emulate a physical
machine. A virtual machine can run programs just like a physical machine.
The physical machine used to host the virtual machine can often support
multiple virtual machines.
Patch Authority Ultimate can scan for and deploy patches to the virtual
machines on your network regardless of whether they are online or offline.
Online Virtual Machines
A virtual machine that is online and running is treated by Patch Authority
Ultimate the same as a physical machine. Patch scans will be performed in
the same manner as on a physical machine. Any patches that may be missing
can also be deployed in the same manner to both your physical machines and
your online virtual machines. This means that your online virtual machines
are protected by the latest software patches just like your physical machines.
Offline Virtual Machines
Patch Authority Ultimate also enables you to scan and patch offline virtual
machines. Offline virtual machines are those that aren't powered on when a
patch scan is performed. These virtual machines may be powered on for only
a few hours or days a month and then powered off until they are needed
again the next month. It's important to ensure that these systems are
patched so that when they are brought online they don't place your network
at risk.
Patch Authority Ultimate makes it easy to scan these offline virtual machines.
When you initiate a scan of a machine group that contains offline virtual
machines, Patch Authority Ultimate will perform a full assessment of the
offline virtual machines and display the scan results alongside the results for
running systems. Offline virtual machines will be differentiated in the scan
results by a unique icon. The scan results may even identify offline
virtual machines that you don’t know about. When viewing machines in
Machine View the Offline Scan column in the top pane will indicate if a
virtual machine was offline at the time of the scan.
Patching offline virtual machines is similarly simple. You simply highlight the
machines and patches you'd like to install and then select Deploy from the
Patch Authority Ultimate menu. For offline virtual machines that are hosted on
a server, the machines will be powered on, the patches installed, and the
machines powered back down. For virtual machines that reside on
workstations, the patches will be copied to the offline virtual machines and
will be installed the moment that the virtual machine is started (or according
to the scheduled patch deployment time).
VIRTUAL MACHINE TEMPLATES
Virtual servers and virtual workstations are often created using a template.
Templates enable you to quickly create new virtual machines that conform to
your particular configuration requirements. A template that is offline poses no
danger to your organization. A template that is brought online, however, is no
different than an online virtual machine. It can perform tasks just like any
other virtual machine, and it can also contain the same viruses, spyware, and
other types of malware that target improperly patched machines. For this
reason it is critical that your virtual machine templates receive the same
patch management care as your physical and virtual machines.
Patch Authority Ultimate enables you to patch your virtual machine
templates. You simply add your templates to a machine group and Patch
Authority Ultimate will take care of the rest. For complete details on the
virtual machine template scan and deployment process, see Notes About
Virtual Machine Templates.
NOTES ABOUT VIRTUAL MACHINES
Before using Patch Authority Ultimate to scan virtual machines, please review
the following notes:
• Only the current state of the virtual machine will be scanned and patched.
  Snapshots of virtual machines are not scanned or patched.
• A virtual machine is counted only once against the total number of license
  seats available, even if it is scanned both in online (powered on) mode
  and offline (powered off) mode.
• In machine groups and in scan results, special icons will distinguish an
  offline virtual machine from a physical machine or an online virtual
  machine and from a virtual machine template.
• Avoid using network drive letters when defining offline virtual machines in
  a machine group. The recommended practice is to instead specify the
  Uniform Naming Convention (UNC) path. This comes into play when
  performing a scheduled scan on an offline virtual machine. Network drive
  mappings are session-specific, so it is very possible that a specified
  mapping will no longer exist when the scheduled scan process is run.
ƒ
Within a machine group, the Scan only filters do not apply to offline
virtual machines or to virtual machine templates.
ƒ
Dual boot systems (for example, a virtual machine with two partitions,
each containing a different operating system) are not supported.
ƒ
It is possible for two offline virtual machines to have the same domain and
computer name. This will be the case if you clone a virtual machine and do
not change either the computer name or domain on one or both machines.
In this situation, of the two duplicate virtual machines, only the last one
scanned will be visible in Machine View. The machines displayed in
Machine View are keyed on domain and computer name and duplicates
are not allowed.
ƒ
Virtual machines that are offline (powered off) will be mounted before
they are scanned. Virtual machines that are online (powered on) do not
need to be mounted as they are treated no differently than a physical
machine.
ƒ
When performing a patch scan, a virtual machine that was added to a
machine group as an offline virtual machine but that is online at the time
of a scan will be scanned if it is hosted on an ESX server and if the proper
credentials are available in order to access that machine. Online virtual
machines that are hosted on workstations will fail to mount and will not be
scanned.
ƒ
In order to mount a VMware ESX Server through a virtual infrastructure
server, you must be running VMware Infrastructure 2.5 or later.
ƒ
When scanning offline virtual machines that are supported by VMware®,
please keep in mind the following:
ƒ
You cannot mount encrypted virtual disks.
ƒ
You cannot mount a virtual disk that is currently being used by a
running or suspended virtual machine.
ƒ
Linked clones and compressed images are not supported.
ƒ
You cannot mount a virtual disk if any of its .vmdk files are
compressed or have read-only permissions.
ƒ
When scanning multiple offline virtual machines that are hosted on one
workstation, it is possible to reach the connection limit for that
workstation. If the connection limit is reached, an error will occur and the
scans will fail. The maximum number of simultaneous connections
supported varies for each Windows OS. For example, Windows XP only
allows a maximum of 10 simultaneous connections while servers allow
many more. See http://support.microsoft.com/kb/314882 for more
information.
ƒ
When deploying patches to an offline virtual machine that is hosted on a
server, the virtual machine will be powered on, the patches installed, and
the virtual machine powered down. See Deploying Patches to Virtual
Machines for more details.
ƒ
When deploying patches to an offline virtual machine that is hosted on a
server, VMware tools must be installed on the virtual machine.
ƒ
When deploying patches to an offline virtual machine that is hosted on a
server, the following VMware server permissions are required in order to
manage snapshots and to change the power state of the machine during
the deployment process:
ƒ
VirtualMachine.State.CreateSnapshot
ƒ
VirtualMachine.State.RemoveSnapshot
ƒ
VirtualMachine.Interact.PowerOn
ƒ
VirtualMachine.Interact.PowerOff
ƒ
VirtualMachine.Interact.DeviceConnection (to disable/enable the
network card)
ƒ
When deploying patches to an offline virtual machine that resides on a
workstation, the new deployment job will overwrite any older deployment
jobs that have not yet been performed. For this reason you should deploy
all desired patches in a single deployment.
Example: You deploy Patch A to a workstation-based offline virtual
machine. The virtual machine is still offline a month later when you deploy
Patches B and C. Because the first deployment job was never executed it
gets overwritten and only Patches B and C are now scheduled for
deployment. To avoid this you simply include Patch A along with Patches B
and C in the second deployment job.
One way to manage this is to use a patch group to define the patches you
want deployed to your workstation-based offline virtual machines. When
new patches are identified you simply add them to the list of patches in
the patch group. This is particularly useful when specifying a patch group
in the Patch filter settings area of the patch scan template and enabling
the Deploy missing patches using check box on the template. See
Creating a New Patch Scan Template for more details about these options.
ƒ
Patch Authority Ultimate Agent operations are not supported on offline
virtual machines.
ƒ
If you install Patch Authority Ultimate Agent on an online virtual machine
and then later scan the virtual machine while it is in an offline state, Patch
Authority Ultimate may report the wrong agent status for that image. For
example, it may show that the agent is not installed, or it may let you
attempt to uninstall the agent. This occurs because Patch Authority
Ultimate Agent operations are not supported on offline virtual machines.
The correct status will be reported once the virtual machine is brought
back online and rescanned by Patch Authority Ultimate.
NOTES ABOUT VIRTUAL MACHINE TEMPLATES
Before using Patch Authority Ultimate to scan and patch virtual machine
templates, please review the following notes:
ƒ
For information on using virtual machine templates in patch scans and
patch deployments, see Roadmap of Tasks.
ƒ
The type of virtual machine template (server template, workstation
template, etc.) does not matter; they are all supported by Patch Authority
Ultimate.
ƒ
Only virtual machine templates that are hosted on a VMware server are
supported by Patch Authority Ultimate. The templates are added to a
machine group using the Hosted Virtual Machines tab. Virtual machine
templates that reside on individual workstations are not supported.
ƒ
A unique icon is used to identify virtual machine templates. You will
see this icon when adding a template to a machine group and when
viewing scan results in Scan View and in Machine View.
ƒ
As with anything that involves components on a network, errors can occur
if connections go bad, if servers are shut down, if a template is modified
while being accessed by Patch Authority Ultimate, etc. In general, the
templates should not be touched at any time during the scanning or patch
deployment process.
ƒ
When you initiate a patch scan of a virtual machine template, Patch
Authority Ultimate will scan the template in its current state and will
report the results the same way it does for virtual machines and physical
machines.
ƒ
During a scan, a template will be accessed using the VMware server
credentials. Any individual credentials supplied for the template are
ignored.
ƒ
You should supply online credentials for any virtual machine template that
will be included in a patch deployment process. During the patch
deployment process the template is converted to a virtual machine and
powered on -- Patch Authority Ultimate will need the supplied credentials
in order to access the online virtual machine.
ƒ
When deploying patches to a virtual machine template, the following
VMware server permissions are required in order to manage snapshots
and to perform the deployment:
ƒ
VirtualMachine.State.CreateSnapshot
ƒ
VirtualMachine.State.RemoveSnapshot
ƒ
VirtualMachine.Provisioning.MarkAsTemplate
ƒ
VirtualMachine.Provisioning.MarkAsVM
ƒ
When you initiate a patch deployment to a virtual machine template,
Patch Authority Ultimate will do the following:
1. Convert the virtual machine template to an offline virtual machine.
2. (Optional) Take a snapshot if the patch deployment template is
configured to take a pre-deployment snapshot.
3. (Optional) Delete old snapshots if one of the snapshot thresholds
defined on the patch deployment template is exceeded.
4. Push the patches to the offline virtual machine.
5. Reconfigure the following on the offline virtual machine:
ƒ
Disable the network adaptor's Connect at power on option. This is
done so that the machine is isolated from the network when the
patch process is run.
ƒ
If Sysprep is scheduled to run, disable it so it will not automatically
configure the machine's operating system when the machine is first
powered on.
6. Power on the virtual machine.
7. Install the patches.
8. Power down the virtual machine.
9. Reset the machine configuration to its original network connection and
Sysprep settings.
10. (Optional) Take a snapshot if the patch deployment template is
configured to take a post-deployment snapshot.
11. (Optional) Delete old snapshots if one of the snapshot thresholds
defined on the patch deployment template is exceeded.
12. Convert the offline virtual machine back to a virtual machine template.
ƒ
The patch deployment template you use must not specify the use of a
distribution server. The offline virtual machine will be disconnected from
the network and unable to download the patches from the distribution
server.
ƒ
The patch deployment template you use must not specify the use of an
Office media path. The offline virtual machine will be disconnected from
the network and unable to access the location of the original Office
installation media.
ƒ
The patch deployment template you use should not specify a pre-deploy
reboot (the program will be unable to initiate the reboot because the
machine will be offline) and it should always perform a post-deploy reboot
(this is a "best practice" when deploying patches). For deployments to
virtual machine templates it is recommended you use the Virtual
Machine Standard deployment template.
ƒ
During a patch deployment, a virtual machine template that may normally
be available only to an administrator will become visible to other users. This
is because during the patch deployment process the template is temporarily
converted to a virtual machine and powered on.
TASKS FOR VIRTUAL MACHINES AND VIRTUAL MACHINE TEMPLATES
Patch Tasks
Patch Authority Ultimate can scan and deploy patches to online virtual
machines, to offline virtual machines, and to virtual machine templates. You
do this by performing the following tasks:
1. Create one or more machine groups that contain the virtual machines and
virtual machine templates you want to scan and patch. See How to Add
Virtual Machines.
2. Supply credentials for the virtual machines.
When performing scans, the recommended best practice is to always supply
credentials for the virtual machines and virtual machine templates. When
performing patch deployments, credentials must be set at the machine,
group, or default level. See Supplying Credentials for more details.
3. Use the machine group in a scan. See Scanning a Machine Group for details.
4. Review the scan results. See Accessing Patch Scan Results for details.
In the scan results, unique icons will distinguish an offline virtual machine
from a physical machine or an online virtual machine and from a
virtual machine template. When viewing machines in Machine View,
the Offline Scan column in the top pane will indicate if a virtual machine
was online or offline at the time of the scan.
5. (Optional) If you want to take snapshots of your hosted virtual machines
and templates immediately before and/or immediately after the
deployment process, make sure you specify this on the Hosted
VMs/Templates tab of the deployment template you plan to use.
6. Deploy the desired patches to the desired virtual machines and virtual
machine templates. See Deploying Patches to Virtual Machines for details.
You may not know if a particular virtual machine is online or offline at the
time you perform a deployment, and it typically doesn't matter. The
following guidelines apply for patch deployments to virtual machines:
ƒ
If a virtual machine is hosted on a server, the deployment can be
successful regardless of whether the virtual machine is online or offline
at the time of the deployment.
ƒ
If a virtual machine is defined in a machine group using the
Workstation Virtual Machines tab, the deployment can be
successful as long as the virtual machine is offline.
ƒ
If a virtual machine is defined in a machine group using the Machine
Name, Domain Name, or IP Address/Range tab, the deployment
can be successful as long as the virtual machine is online.
If a virtual machine is online the patch deployment is performed in the
same manner as for a physical machine. Patch deployments to offline
virtual machines and to virtual machine templates are performed by Patch
Authority Ultimate in a slightly different manner. See Deploying Patches to
Virtual Machines for details.
7. Monitor the deployment activities. See Monitoring the Deployment for details.
Patch Management Overview
WHAT SETS PATCH AUTHORITY ULTIMATE APART FROM THE OTHERS?
Features
Ease of use: Patch Authority Ultimate can be installed and used to deploy
missing patches within minutes; not days, weeks, or months.
Real-time patch validation: Patch Authority Ultimate utilizes XML data files
that are updated the moment a security patch is released.
Agentless and agent-based operation: Provides the ability to manage machines
directly from a console and to manage hard to reach machines (such as
roaming laptops) using agents.
Background (non-modal) tasking: Enables multiple tasks to run at the same
time. Simultaneously perform patch scans, download files, deploy patches,
install agents, and keep on working.
Patch supersedence: Only those patches that are necessary and applicable to
the scanned platform are evaluated during the scan process. Unnecessary and
superseded patches are not presented.
Dynamic product detection (DPD): Provides the ability to support additional
non-Microsoft products simply by updating the necessary XML files.
Virtual machine support: Operates exactly the same on both physical machines
and on virtual machines that are online. Can perform patch assessment of
offline virtual machines without powering them on. Missing patches are
copied into the virtual image so when the offline image is powered on it
immediately patches itself.
Technology endorsed by Microsoft: Patch Authority Ultimate is built upon the
same engine that powers the Microsoft Baseline Security Analyzer and the SMS
Feature Pack and is driven by the same database schema used by the Microsoft
Security Bulletin Web site. ScriptLogic Corporation is also the vendor
recommended by Microsoft Corporation for customers with legacy Microsoft
products no longer supported by MBSA 2.x
(http://technet.microsoft.com/en-us/security/cc184924.aspx).
Security and Integrity
Detailed Patch Analysis and Validation: File versions and registry keys are
evaluated to aid in determining patch status. Solutions that rely solely on
registry keys and/or minimum file versions are unable to differentiate
between legitimate files and trojaned files, including patches that have
been re-released by Microsoft.
External validation data: File data used to perform patch validation tests
are obtained from a signed source independent of the machine being scanned.
Patch validation that is performed using file version data stored in the
remote machine's registry cannot be relied upon to provide valid results.
Data file anti-spoofing protection: The XML patch data file is parsed only if
obtained from a valid, specifically signed CAB file or SSL location.
Trojan protection: All files are digitally validated prior to patch
deployment.
SCANNING ENGINE OVERVIEW
The Patch Authority Ultimate engine performs Microsoft security patch
assessment against a variety of Windows operating systems and products.
The engine also scans for updates of many products from other vendors.
The Patch Authority Ultimate engine uses an Extensible Markup Language
(XML) file that contains information about which security hotfixes are
available for each product. The XML file contains security bulletin name and
title, and detailed data about product-specific security hotfixes, including:
ƒ
Files in each hotfix package and their file versions
ƒ
Registry changes that were applied by the hotfix installation package
ƒ
Information about which patches supersede which other patches
ƒ
Related Microsoft Knowledge Base article numbers
ƒ
Links to additional information from Bugtraq (BugtraqID) and cross
references to the Common Vulnerabilities and Exposures (CVE) database
hosted by Mitre.org (CVEID)
When you run Patch Authority Ultimate (without specifying advanced file input
options), the program must download a copy of this XML file so that it can
identify the hotfixes that are available for each product. The XML file -- a
digitally signed .CAB file -- is available on the ScriptLogic Corporation Web
site in compressed form. Patch Authority Ultimate downloads the CAB file,
verifies its digital signature, and then decompresses the CAB file to your local
computer. Note that a CAB file is a compressed file that is similar to a ZIP file.
If the CAB file is not located or cannot be downloaded, Patch Authority
Ultimate will attempt to download an uncompressed copy of this file from the
ScriptLogic Corporation Web site via SSL (https).
After the CAB file is decompressed, Patch Authority Ultimate scans your
machine (or the selected machines) to determine the operating system,
service packs, and programs that you are running. Patch Authority Ultimate
then parses the XML file and identifies security patches that are available for
your combination of installed software. Patches that are available for your
machine but are not currently installed are displayed as [icon] in the
resulting output. In the default configuration, Patch Authority Ultimate output
displays only those patches that are necessary to bring your machine
up-to-date. Patch Authority Ultimate recognizes roll-up packages and does not
display those patches that are superseded by later patches.
Enumerating Machines
When scanning by domain name, Patch Authority Ultimate does the following
to enumerate the machines in the domain:
ƒ
If the scan is being run as an administrative user with appropriate
permissions, Patch Authority Ultimate attempts to contact the domain
controller and enumerate its list of machine accounts.
ƒ
Machines are also enumerated from the network browse list which is the
same list of machines seen on a per domain basis when viewing Network
Neighborhood, or similar to 'net view /domain:domainname'. No special
permissions are required to enumerate machine names this way as Patch
Authority Ultimate is using UDP port 137 (NetBIOS name service) to
enumerate the browse list. If the scanning machine has just been
connected to the network, it may take up to 15 minutes until the machine
synchronizes with the browse master and for this list to become available
to the scanning machine. The list of machines that is returned represents
machines that are currently online or have been within the last 15
minutes. Machines that are 'hidden' via registry modifications won't
appear as they don't propagate their machine names to the network
browse list. If the scanning machine doesn't have access to the browse
list, or the machines are behind filtering devices where the browse list
isn't updated, etc. then no machines will appear.
Determining Patch Status
Patch Authority Ultimate performs a detailed analysis of each scanned
machine to accurately determine its patch status. Unlike other patch
management systems, the Patch Authority Ultimate engine goes far beyond
the traditional patch detection mechanisms that rely solely on the presence of
registry keys.
For Patch Authority Ultimate to determine if a specific patch is or is not
installed on a given computer, two items are typically evaluated:
ƒ
The registry key that is installed by the patch
ƒ
The file versions for all files installed by the patch
Patch Authority Ultimate compares file versions in the XML patch data file to
the file versions on the computer that is being scanned. If any of the file
versions on the scanned computer are less than those stored in the XML file,
the associated security patch is identified as not installed and
the results are displayed on the screen. Specific details about why a patch is
considered not installed are also displayed.
File Version Analysis
In order for a system to 'pass' a given patch analysis for a patch that is
applicable to the system, the file versions for all patch-related files must
match what is stored in the XML patch data file.
ƒ
If the file version for a patch-related file is below what is expected (on the
target system), the patch is considered not found, and both the file
version found on the system and the file version expected (from the XML
file) are displayed in the output with a 'Patch Missing' message.
ƒ
If 'View Notes and Warnings' is selected via a custom scan template and
the file version of any file on the system is greater than expected, both
the existing and the expected file versions are displayed along with a
Warning message that the file on the system is more recent than
expected. This may indicate the presence of a more recent non-security
bulletin related hotfix, or the presence of a trojaned file.
Determining Patch Supersedence
One of the benefits of Patch Authority Ultimate is that it only shows you
patches that are necessary for your machine to be up to date, and it doesn't
show you earlier patches that have been superseded by later patches
(although you can configure the program to do this if you want).
Many recent Microsoft security patches have been released as 'Cumulative
Rollup' patches. Rollup patches include all the previously released security
patches for the given product as well as including fixes for the most recently
announced issues. A cumulative patch that completely encompasses an
earlier patch is said to supersede the earlier patch. In order for a patch to be
superseded, all the files in the earlier patch must be included in the later
patch, all file versions must be revved higher than those in the earlier patch
(or the file versions must be the same as the earlier patch), and associated
functional registry keys must be included in the superseding patch.
The XML patch data file contains information on each of the superseded
patches. Patch Authority Ultimate evaluates the patch supersedence codes to
identify non-superseded patches that are applicable to each system being
scanned. Particular attention is paid to superseded patches that span Service
Pack applicability. As an example:
ƒ
Patch A is applicable to Windows XP Service Pack 1 (SP1)
ƒ
Patch B supersedes Patch A and is applicable to both Windows XP SP1 and
SP2
ƒ
Patch C supersedes Patch B and is applicable to Windows XP SP2
Patch Authority Ultimate correctly scans for the presence of Patch C on
Windows XP SP2 machines, and for Patch B on Windows XP SP1 machines, even
though Patch B is marked in the XML file as being superseded by Patch C.
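The Patch A/B/C case above, worked as an added example (not ScriptLogic's code and not the product's XML schema): the `Patch` records and service-pack labels are constructed, and the rule coded here, that a patch is hidden only when a superseding patch applies to the same service pack, is this example's reading of the paragraph. The naive filter shows the failure mode, in which an SP1 machine is reported with nothing left to install.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Patch:
    """Hypothetical stand-in for one patch entry in the patch data file."""
    name: str
    applies_to: frozenset            # service-pack labels the patch applies to
    supersedes: frozenset = frozenset()


# Constructed catalogue mirroring the Patch A / B / C example in the text.
CATALOGUE = [
    Patch("Patch A", frozenset({"SP1"})),
    Patch("Patch B", frozenset({"SP1", "SP2"}), frozenset({"Patch A"})),
    Patch("Patch C", frozenset({"SP2"}), frozenset({"Patch B"})),
]


def superseders(patches):
    """Map each patch name to every patch that supersedes it, directly or via a chain."""
    direct = {p.name: set() for p in patches}
    for p in patches:
        for old in p.supersedes:
            direct.setdefault(old, set()).add(p.name)
    closure = {}
    for name in direct:
        seen, stack = set(), list(direct[name])
        while stack:
            current = stack.pop()
            if current in seen or current == name:   # guards against cycles in bad data
                continue
            seen.add(current)
            stack.extend(direct.get(current, ()))
        closure[name] = seen
    return closure


def patches_to_scan(patches, service_pack, show_superseded=False):
    """Patches to evaluate on a machine at the given service-pack level."""
    by_name = {p.name: p for p in patches}
    applicable = [p for p in patches if service_pack in p.applies_to]
    if show_superseded:
        return sorted(p.name for p in applicable)
    above = superseders(patches)
    wanted = []
    for p in applicable:
        # Hide p only if something that supersedes it can be installed here.
        hidden = any(service_pack in by_name[q].applies_to for q in above[p.name])
        if not hidden:
            wanted.append(p.name)
    return sorted(wanted)


def naive_patches_to_scan(patches, service_pack):
    """The mistake: drop every patch marked superseded, ignoring applicability."""
    superseded = {old for p in patches for old in p.supersedes}
    return sorted(p.name for p in patches
                  if service_pack in p.applies_to and p.name not in superseded)


if __name__ == "__main__":
    for sp in ("SP1", "SP2"):
        print(sp, "correct:", patches_to_scan(CATALOGUE, sp),
              "naive:", naive_patches_to_scan(CATALOGUE, sp))
```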
Identifying Explicitly Installed Patches
In order to identify that a patch has been explicitly installed, several criteria
must be met.
ƒ
The patch must include a registry key that gets written to the machine on
which it will be installed*, and this registry key must exist** in the XML
patch data file.
ƒ
The registry key must exist on the system being scanned.
ƒ
All the files in the patch (as defined by the XML file) that were written to
the remote system must be equal to or greater than the file versions
recorded in the XML file. If any of the file versions on the remote system
are below what is expected, the patch is considered not installed even if
the registry key is present.
*Several types of patches do not write registry keys to the system on which
they're being installed, most notably SQL Server patches. Since there is no
explicit indication that the patch has been applied, it cannot be determined
that the SQL patch (or similar) was specifically installed at any point in time.
To ensure that these systems are up to date, run a scan against the system
and ensure that there are no SQL patches that appear as 'Patch Missing'.
Identifying Effectively Installed Patches
Patch Authority Ultimate can also scan for 'effectively installed patches'. An
effectively installed patch is a situation in which you install a single patch that
supersedes other patches. In these circumstances, the patches that are not
installed but that have been superseded by the newer patch are considered
effectively installed since you have at least the expected file version or
greater for each of the files. For example, suppose you install a new Windows
machine and then install a patch that supersedes 20 earlier patches. While
you've only 'installed' one patch, you've effectively installed 20 other patches.
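The explicit and effective criteria above, together with the File Version Analysis rules, as an added example (not the product's code): the patch entry, file names, versions and registry key are constructed placeholders, and treating "all files at or above the expected version but no registry evidence" as effectively installed is this example's simplification. Versions are compared numerically per field, because a plain string comparison ranks 6.0.2900.9 above 6.0.2900.10.

```python
from dataclasses import dataclass, field
from enum import Enum
from typing import Optional


class Status(Enum):
    PATCH_MISSING = "Patch Missing"
    EXPLICITLY_INSTALLED = "Explicitly installed"
    EFFECTIVELY_INSTALLED = "Effectively installed"


def parse_version(text):
    """Turn '5.1.2600.2180' into (5, 1, 2600, 2180) so fields compare as numbers."""
    parts = tuple(int(p) for p in text.strip().split("."))
    if not 1 <= len(parts) <= 4:
        raise ValueError(f"not a file version: {text!r}")
    return parts + (0,) * (4 - len(parts))


@dataclass
class PatchDefinition:
    """Hypothetical stand-in for one patch entry in the XML patch data file."""
    name: str
    files: dict                          # file path -> expected version
    registry_key: Optional[str] = None   # None for patches that write no key


@dataclass
class MachineState:
    """What a scan collected from the target machine (constructed for the example)."""
    files: dict                          # file path -> version found
    registry_keys: set = field(default_factory=set)


@dataclass
class Result:
    status: Status
    missing: list     # (path, found, expected) where found is absent or too old
    warnings: list    # (path, found, expected) where found is newer than expected


def evaluate(patch, machine):
    missing, warnings = [], []
    for path, expected in patch.files.items():
        found = machine.files.get(path)
        if found is None or parse_version(found) < parse_version(expected):
            missing.append((path, found, expected))
        elif parse_version(found) > parse_version(expected):
            # Newer than expected: a later non-security hotfix, or a trojaned file.
            warnings.append((path, found, expected))
    present = {k.lower() for k in machine.registry_keys}   # registry paths ignore case
    has_key = patch.registry_key is not None and patch.registry_key.lower() in present
    if missing:
        status = Status.PATCH_MISSING        # an old file wins even if the key exists
    elif has_key:
        status = Status.EXPLICITLY_INSTALLED
    else:
        status = Status.EFFECTIVELY_INSTALLED
    return Result(status, missing, warnings)


# Constructed placeholders, not values from any real bulletin.
KEY = r"HKLM\SOFTWARE\Example\Updates\PATCH-PLACEHOLDER"
PATCH = PatchDefinition(
    name="PATCH-PLACEHOLDER",
    files={"example.dll": "6.0.2900.10", "helper.dll": "1.2.0.0"},
    registry_key=KEY,
)

if __name__ == "__main__":
    stale = MachineState({"example.dll": "6.0.2900.9", "helper.dll": "1.2.0.0"}, {KEY})
    result = evaluate(PATCH, stale)
    print(result.status.value, result.missing)
```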
PERFORMING PATCH SCANS
Patch Scanning Overview
Patch Authority Ultimate allows you to perform a patch scan via a few simple
mouse clicks. From one management console you can initiate a patch scan of
a single machine or of many machines.
Scans Are Performed As Background Tasks
All patch scans are performed as background tasks using the services of the
Operations Monitor. This means you can initiate a scan and then move on to
other concurrent work within Patch Authority Ultimate without having to wait
for the scan to complete. This also means you can have multiple patch scans
active at the same time.
Scanning Considerations
ƒ
Is there a practical limit to the number of scans you can have active at the
same time?
Yes. It is dependent on the CPU and memory size of the console machine.
It is also dependent on the number of other tasks currently active (for
example, other patch downloads, patch deployments, etc.). While there is
no exact answer, you'll know you've reached a practical limit if Patch
Authority Ultimate starts responding slowly.
ƒ
Is there a problem if the same machine is included in two or more
concurrent scans?
No. Multiple scanning tasks can be performed on a target machine at the
same time.
ƒ
If I minimize the Operation Monitor window, how will I know when the
scan is complete?
A notification dialog box is displayed in the lower-right corner whenever a
scan completes. The dialog box will be displayed for several seconds
before slowly fading away. You can pin the dialog box in place by clicking
the pin icon.
ƒ
Will I still be able to immediately view scan results?
Yes. You can either click the View complete results link within the
Operations Monitor or you can select the scan from within the Today's
Items list of the Patch Results pane.
Scanning Prerequisites
The following criteria must be met to ensure a successful scan:
When scanning your local (console) machine
ƒ
You must be an administrator on your local machine.
ƒ
The machine must be capable of obtaining the patch database XML file,
either from a location on the Internet (via http or https) or from another
specified location (either on the local machine or from a specified network
location).
ƒ
The local machine’s Workstation service must be started.
ƒ
Credentials must be provided for the local machine. See Supplying
Credentials for details.
Note: The Server service is not required to be started on the local
machine.
When scanning a remote machine you must meet all the requirements for
the local scan above, plus
ƒ
You must have local administrative rights on the remote machine and be
able to logon to this machine from the workstation performing the scan.
ƒ
Credentials must be provided for the target machines. See Supplying
Credentials for details.
ƒ
The credentials you supply must have access to the control panel on the
target machine. If control panel access is disabled through group policy,
Patch Authority Ultimate will be unable to connect to the target machine.
ƒ
File and Print Sharing must be enabled.
ƒ
The remote machine must be running the Server service.
ƒ
The NetBIOS (TCP 139) or Direct Host (TCP 445) ports must be accessible on
the remote machine.
Note: The Workstation service is not required to be started on the remote
machine.
ƒ
The remote machine must be running the Remote Registry service.
Note: The remote registry service is disabled by default on Windows Vista
machines. You must enable the remote registry service (either manually
or via group policy) before performing remote scans of Windows Vista
machines.
ƒ
The %systemroot% share (usually C$ or similar) must be accessible on
the remote machine.
ƒ
For machines using Windows operating systems that employ the use of
User Account Control (this includes Windows Vista or later and Windows
Server 2008 or later), you must either:
ƒ
Join the machines to a domain and then perform the scan using
domain administrator credentials, or
ƒ
If you are not using the true administrator account on the remote
machines you must disable User Account Control (UAC) remote
restrictions on the machines. To do this:
1. Click Start, click Run, type regedit, and then press Enter.
2. Locate and then click the following registry subkey:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System
3. If the LocalAccountTokenFilterPolicy registry entry does not
exist, follow these steps:
a. On the Edit menu, point to New, and then click DWORD Value.
b. Type LocalAccountTokenFilterPolicy and then press Enter.
4. Right-click LocalAccountTokenFilterPolicy and then click OK.
5. In the Value data box, type 1, and then click OK.
6. Exit Registry Editor.
For more details on disabling UAC remote restrictions, see
http://support.microsoft.com/kb/951016
Special note regarding Simple File Sharing
When Simple File Sharing is enabled, remote administration and remote
registry editing do not work as expected from a remote computer, and
connections to administrative shares (such as C$) do not work because all
remote users authenticate as Guest. Guest accounts do not have
administrative privileges.
On Windows XP Professional or later operating systems, go to the following
Microsoft Knowledge Base article to learn more about this feature and how to
disable Simple File Sharing:
http://support.microsoft.com/default.aspx?scid=kb;en-us;304040
If you are running Windows XP Home Edition, Simple File Sharing cannot be
disabled (Microsoft states that it is as designed) so remote scanning will not
work on this operating system.
Performing a Scan of the Local Machine
There are many ways to initiate a scan of your local machine. Two of the
quickest and easiest methods are:
ƒ
Clicking the Scan My Machine button on the home page
ƒ
Selecting My Machine in the Machine Groups pane and then clicking
Begin Scan
Clicking Scan My Machine
To quickly perform a scan of the local machine, click the Scan My Machine
button on the home page. On the ensuing dialog click Scan Now and a scan
will be performed using the default scan template. During the scan process
the latest patch data files are automatically downloaded (unless the file
download options have been modified) and the Operations Monitor dialog
shows the current status of the scan.
When the scan is complete a scan summary is automatically displayed.
From the My Machine Group
You can also initiate a scan of your local machine by selecting My Machine in
the Machine Groups pane. The advantage of this method is it gives you the
opportunity to first select the scan template you wish to use during the scan.
It also enables you to specify credentials if they are needed and it lets you
determine when the scan should be performed.
When you select My Machine the details for the machine group are displayed
in a separate dialog.
Use the Scan With drop-down list to specify the scan template you want to
use. If you need to apply credentials for a user with administrative rights,
click the Credentials button and supply an appropriate user name and
password. (See Supplying Credentials for more information about
credentials.) To initiate the scan click Begin Scan.
After you click Begin Scan the Run Scan dialog appears. This allows you to
specify if the scan should be Run Now, Run Once (at a specific time), or
configured to Run Recurring. To begin the scan immediately, click Scan
Now.
Performing Domain Scans
Scans can be automatically performed in a single step against all machines in
the local domain as long as the default credentials supplied are appropriate
for all domain machines. There are many ways to perform a domain scan:
• You can click the Scan My Domain button on the home page to
  immediately launch the scan using the default scan template.
• You can select Scan > My Domain from the program menu.
• You can select the My Domain machine group in the Machine Groups
  pane and then click the Begin Scan icon.
The Operations Monitor is used to monitor the status of a patch scan. See
Monitoring a Patch Scan for details.
Scanning a Machine Group
You can specify exactly which machines you want to scan by creating and
configuring a machine group. There are two ways to create a new machine
group:
• You can click the Choose Machines To Scan button on the home page.
• You can click New Machine Group in the Machine Group pane.
After you configure the machine group you simply select the desired patch
scan template and then click Begin Scan.
On the resulting Run Patch Scan dialog you can specify if you want the scan
performed immediately or if you want to schedule it for a later time.
The Operations Monitor is used to monitor the status of a patch scan. See
Monitoring a Patch Scan for details.
Scanning a Favorite
A favorite consists of one or more machine groups and one scan template.
You select the machine groups you want to scan and then specify how the
machines should be scanned. A favorite is typically used to initiate a
scheduled scan.
One way to initiate a scan of a favorite is to right-click the favorite in the
Favorites list and then select Scan. If you want to verify the configuration of
the favorite before you initiate the scan you simply:
1. Select the desired favorite in the Favorites list.
The Favorite dialog is displayed. It shows the current configuration of the
favorite.
2. Verify the configuration and then click Begin Scan.
Scheduling Scans Using the Run Patch Scan Dialog
When you initiate a scan the Run Patch Scan dialog appears. This dialog
enables you to specify if the scan should run now or be scheduled for a future
time or date.
Note: This is a configurable item. If the dialog does not appear see Scan
Options.
Note: Make sure you assign credentials for all machines involved in the
scheduled scan.
The dialog contains the following options:
• Scan Name enables you to provide a unique name for the scan. By
  default the machine group or favorite used to initiate the scan will be
  used. The name is displayed in the Patch Results pane and in the Scan
  View scan summary.
• Run now runs the scan as soon as the Scan Now button is clicked.
• Run once at indicates that the scan will be run at the day and time
  selected.
• Run recurring at allows an administrator to regularly run patch scans at
  a specific time and using a specified recurrence pattern. For example,
  using this option, a scan could be run every night at midnight, or every
  Saturday at 9 PM, every weekday at 11 PM, or at any other user selected
  time and interval.
• Do not show this dialog again results in future scans running
  immediately. If you select this option and later want to re-enable the
  prompt, you can do so from Tools > Options > Scans by enabling Show
  'Run Now' Dialog.
• Auto-deploy patches after scan will extend the Run Scan dialog to
  allow choices to be made on how and when the patch deployment will
  occur.
• The Deployment Template box includes deployment template entries
  which can be used in conjunction with this scan. A new deployment
  template can be created by clicking the New button.
• The Deploy When options let you specify when the deployment should
  occur. Deployment can be scheduled to begin immediately after the scan
  by choosing Install Immediately or at a later day and time by choosing
  Schedule at. If you wish to copy the selected patch(es) to the remote
  machine (along with a deployment batch file) but do not wish to install the
  patches, you may choose the Copy patch installations only (no
  automatic execution) option. You may then execute the batch file
  yourself from the console of the remote machine(s).
When the desired options are selected, click either Scan Now (if Run Now is
selected) or Schedule (if Run once at or Run recurring at is selected).
• Scan Now: The scan is initiated immediately and the Operations
  Monitor is displayed.
• Schedule: If the credentials of the currently logged on user do not match
  the default credentials, the Set Credentials dialog is displayed. The
  credentials you provide here will be used to schedule the scan on the
  console machine. These are different from the machine-level credentials
  that are used to perform the actual scans and deployments on the target
  machines.
After specifying credentials (if necessary), a task is scheduled on the console
machine.
Monitoring a Scheduled Patch Task
When you click Schedule, a scheduled task is created on the console that will
launch the scan at the appointed day and time. How you view a scheduled
task depends on which scheduler you are using (see Scheduling Options).
To view a scheduled task when the ScriptLogic Scheduler is used:
• Click the toolbar icon.
To view a scheduled task when the Microsoft Scheduler is used:
• On Windows Server 2003 and 2008 console machines, select Start > All
  Programs > Accessories > System Tools > Scheduled Tasks
• On Windows Vista and Windows 7 console machines, select Start >
  Control Panel > System Security > Administrative Tools and access
  the Task Scheduler
• On Windows XP console machines, select Start > Control Panel >
  Performance and Maintenance > Scheduled Tasks
Monitoring a Patch Scan
The Operations Monitor is automatically displayed whenever a patch scan is
initiated. It shows the steps involved in the patch scanning process and the
progress of each step. For example:
When the patch scan process is complete you can:
• View the patch scan results by clicking View complete results. The
  current patch scan tab will be removed from the Operations Monitor, the
  Operations Monitor will be closed, and the scan results will be displayed.
  See Accessing Patch Scan Results for details.
• Remove the current patch scan tab by clicking Close (scan is
  complete). Any other tabs on the Operations Monitor will remain open.
• Minimize the Operations Monitor by clicking Hide. No tabs are removed
  from the Operations Monitor.
• Remove the current tab and all other tabs by clicking Clear All
  Completed.
Scan History
Even after a series of scans, all of the results of prior scans are just a click away.
The scans are recorded in the Patch Results pane in the navigation bar.
Scans that are performed today are shown in the Today's Items list. After
the day is done, scans are moved to an archive list called Recent Items.
After approximately 15 days (the value is configurable), items are moved
from the Recent Items list to the Archive Items list.
Additionally, you can get a complete list of available prior scans by selecting
Manage > Items from the main menu.
Scan Options Menu
Additional scanning options can be set using the Tools > Options menu.
See Scan Options for details.
PATCH SCAN TEMPLATES
About Patch Scan Templates
Patch Authority Ultimate comes with two predefined patch scan templates:
Security Patch Scan and WUScan. While these templates are good for
most scanning activities, some administrators desire a higher level of
flexibility when scanning machines. To this end, Patch Authority Ultimate
includes the ability to create any number of custom scan templates granting
you the means to completely customize the way that machines are scanned.
Patch scan templates enable you to:
• Specify the location of the XML data file
• Associate a deployment template with the scan template for automatic
  deployment
• Configure automatic e-mail notifications
• Enable or disable warnings and notes
• Scan a smaller or larger number of machines simultaneously
• Create log files
• Customize what is actually scanned for or ignored
• Specify which, if any, filters are used (you can filter by patch, criticality,
  product, or type)
Predefined Patch Scan Templates
Security Patch Scan and WUScan are the predefined patch scanning
templates provided with Patch Authority Ultimate. The predefined templates
cannot be modified. Both predefined templates do the following:
• Use data from the patch data XML file
• Allow the scanner engine to scan 64 machines simultaneously
• Report on all installed and missing patches
The primary differences between the templates are:
• Security Patch Scan: Scans for missing and installed security patches.
  This is the default scan template.
• WUScan: Scans for missing and installed security patches and
  non-security patches.
If the predefined templates are not adequate for your needs, you can create a
new scan template.
Creating or Editing a Patch Scan Template
1. In the button tray at the bottom of the navigation bar, click Templates.
2. In the Templates pane:
   • To create a new scan template, click New Template > Patch Scan.
   • To edit an existing scan template, click the template name.
Note: Alternatively, you can choose File > New > Patch Scan
Template from the main menu.
This will display the Patch Scan Template dialog box as shown below.
Tip: To speed the template creation process, copy an existing template that
is similar to the one you want to create. The contents of the copied template
will be populated in the new Patch Scan Template dialog and you can
simply modify the appropriate items. You copy an existing template by
selecting it in the Patch Scan Templates pane and then, in the summary
section of the template in the right-hand pane, clicking Copy.
The Patch Scanning Template dialog contains several tabs that collectively
define the characteristics of a particular scan template.
Name
The name that you wish to assign to this scan template.
Description
A description of the template.
Deploy missing patches using
Note: This option applies only to agentless scans initiated from the console;
it does not apply to agents that may also be using this template.
If you want to automatically deploy any patches that are missing, enable this
check box. You must select the deployment template you want to use when
deploying the patches.
Filtering tab
There are four different filters available on this tab.
Note: Be careful when using the Skip Selected filter option. If you skip a
patch that supersedes another patch, the program will now scan for the
superseded patch. This is done on purpose to avoid any unintentional
vulnerabilities. If the intended consequence of skipping a patch is to not
automatically deploy it or the related patches, then all the patches in the
chain of superseded patches must also be skipped.
• Product filter: Scan for or skip patches for the selected products. If you
  do not wish to use this particular filter, specify Scan All.
  • Scan only for MBSA legacy products: If you want to scan only those
    legacy Microsoft products no longer supported by Microsoft Baseline
    Security Analyzer (MBSA) 2.x, enable this check box. See What is the
    Limited Program for more details about this product set. Enabling this
    check box disables all other product filter options.
• Patch filter: Either scan for or skip the patches listed in the specified
  text file and/or patch groups. If you do not wish to use this particular
  filter, specify Scan All.
• Patch Type filter: Specify the types of patches you will scan for or skip.
  The options are:
  • Custom Actions: Enables you to perform custom actions even if
    you are already fully patched. It does this by scanning for a specific
    QNumber and patch (QSK2745, MSST-001) that will never be
    found. The process uses the temporary file Nullpatch.exe.
  • Non-security Patches: The set of patches supported by Microsoft
    Software Update Services (driver updates not supported). These
    patches are released on a weekly basis.
  • Security Patches: Security bulletin related patches
  • Security Tools: Patches for the malware tool provided by
    Microsoft.
• Criticality filter: What user-assigned criticality level -- Ignore, Low,
  Medium, High, Critical -- should the scanner either skip or include (at or
  below the specified level). If you do not wish to use this particular filter,
  specify Scan All.
Note: If you use multiple filters, the order of precedence is as follows:
1) Product filter: This filter takes precedence over all other filters. If you
elect to scan or skip one or more specific products, those products will be
scanned or skipped regardless of how the other filters are configured.
2) Skip Selected: Any patches that are specified as Skip Selected on any of
the three remaining filters (Patch filter, Patch Type filter, and/or Criticality
filter) will be excluded from the scan. (But see the note above about
superseded patches.)
3) Scan Selected: If any patches are specified as Scan Selected on any of
the three remaining filters (Patch filter, Patch Type filter, and/or Criticality
filter), then only those patches will be included in the scan.
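The Skip Selected caveat about superseded patches, modelled as an added example (this is not ScriptLogic code): it shows which older patches a scan falls back to when a superseding patch is skipped, and expands a skip list to cover the whole chain. The patch IDs, the supersedence map and its layout are constructed assumptions.

```python
"""Model of the Skip Selected / supersedence caveat (illustrative only).

Patch IDs and the supersedence map are constructed sample data; the data
layout is an assumption, not the product's internal format.
"""

# Constructed map: newer patch -> patches it directly supersedes.
SUPERSEDES = {
    "Q300": ["Q200"],
    "Q200": ["Q100"],
    "Q500": ["Q400", "Q450"],
}


def all_patches(supersedes):
    """Every patch id mentioned in the map, in first-seen order."""
    seen = []
    for newer, older_list in supersedes.items():
        for patch in [newer, *older_list]:
            if patch not in seen:
                seen.append(patch)
    return seen


def chain_heads(supersedes):
    """Patches that nothing else supersedes (the newest in each chain)."""
    superseded = {p for older in supersedes.values() for p in older}
    return [p for p in all_patches(supersedes) if p not in superseded]


def scanned_after_skips(skips, supersedes=SUPERSEDES):
    """Patches the scan falls back to once `skips` are excluded.

    Models the documented behaviour: skipping a superseding patch makes the
    scan look for the patch(es) it supersedes instead.
    """
    skips, result, visited = set(skips), [], set()
    stack = list(reversed(chain_heads(supersedes)))
    while stack:
        patch = stack.pop()
        if patch in visited:           # tolerate shared ancestors and cycles
            continue
        visited.add(patch)
        if patch not in skips:
            result.append(patch)       # first non-skipped patch in this branch
        else:
            stack.extend(reversed(supersedes.get(patch, [])))
    return result


def complete_skip_list(skips, supersedes=SUPERSEDES):
    """Expand `skips` with every patch in the chains they supersede."""
    full, stack = [], list(reversed(list(skips)))
    while stack:
        patch = stack.pop()
        if patch in full:
            continue
        full.append(patch)
        stack.extend(reversed(supersedes.get(patch, [])))
    return full


def leaked_by_skip(skips, supersedes=SUPERSEDES):
    """Older patches that would still be scanned for because of `skips`."""
    baseline = set(scanned_after_skips([], supersedes))
    return [p for p in scanned_after_skips(skips, supersedes) if p not in baseline]


if __name__ == "__main__":
    print("skip Q300 only ->", scanned_after_skips(["Q300"]))
    print("full skip list ->", complete_skip_list(["Q300"]))
```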
General tab
• Scan For: During the scanning process, you can choose to scan for just
  missing patches or for both missing and installed patches. When
  scanning for both missing and installed patches, you can include
  effectively installed patches in the results. These are patches that
  supersede other patches. See effectively installed patches and
  Determining Patch Supersedence for more information.
Note: The following options apply only to the console, not to agents that may
also be using this template.
• Simultaneous machines scanned: Specify if you want to
  simultaneously scan a few machines or many machines. Patch Authority
  Ultimate can scan up to 256 machines at a time. The more machines
  you scan at the same time, the more network resources are required.
  Reduce this number if you are scanning over a slow link.
• View Notes: When enabled, you can view any notes that are
  generated during the scanning process.
• MBSA Output File Name: Specifies the base file name that will be used
  for the file containing MBSA-compatible output. The machine name and
  the date/time stamp of the scan will be appended to the base name. The
  full file name will therefore be: YOURNAME-domain-computer(date
  time).xml. The file will reside in the directory specified in the MBSA XML
  output directory box.
  This option only applies if you are a Patch Authority Limited user, or if the
  Generate MBSA-formatted output for patch scan results check box
  is enabled as a program option. See Scan Options for more information.
Software Distribution tab
This tab enables you to specify if you want to scan for free third-party
products that can be deployed by Patch Authority Ultimate. Use the vertical
scroll bar to view the complete list of third-party products supported by Patch
Authority Ultimate.
The products that will be displayed are those that are available for the
operating system being used on the scanned machine. If you want to include
or skip reporting on a particular product, create a patch group that contains
the desired product and then reference the patch group in the Patch filter
settings area of the Filtering tab.
E-Mail tab
Note: This tab applies only to agentless scans initiated from the console; it
does not apply to agents that may also be using this template.
This tab enables you to specify which reports should be automatically sent
and to whom the reports should get sent. The specified reports will be sent
when a scan using this template is completed.
There are many different reports that can get sent. To understand what a
particular report contains, click on the report in the list and view its
description immediately below the list.
To specify which reports should be automatically sent and to whom they
should be sent:
Note: New templates must be saved before you can perform these steps.
1. Select a report in the Reports list.
2. In the Report Recipients list, select the groups and/or individuals you
   want to e-mail the report to.
3. Repeat Step 1 and Step 2 for each report you want to be automatically
   sent.
4. When finished, click Save.
Used by tab
This tab shows you the Favorites and agent policies that are currently using
this scan template. This is important to know if you are considering modifying
the template, as it tells you what other areas of the program are affected.
To save the template, click Save and then Close. To close the dialog without
saving the changes, click Cancel and then Close.
Specifying a Default Patch Scan Template
To specify which patch scan template Patch Authority Ultimate should use as
the default, you can do one of the following:
• In the Templates pane, right-click the template icon and select the Make
  Default option from the shortcut menu.
• Select Tools > Options > Scans and specify the default scan template in
  the Default Patch Scan Template box.
When you have identified a default template, the word (default) will be
added to the end of the template name. The default template will be used for
all one-click scanning operations on the home page.
Managing a Patch Scan Template
Custom patch scan templates are listed in the My Patch Scan Templates
section of the Templates pane. You can right-click a template and perform a
number of different actions.
Copy
Enables you to create a new template by using the existing template as a
base. When you click Copy the Scan Template dialog will appear and
the dialog will be populated with the same description and settings as the
current template. The name of the new template will be 'Copy of { selected
template name }'. Change the name and the other template
characteristics as desired.
Delete
Deletes the current template. You cannot delete a template that is
currently being used by an agent policy.
Edit
Launches the Scan Template dialog and enables you to make changes to
the template. If you edit and save a template that is currently being used
by an agent policy, the agents using that policy will be updated the next
time they check in with the console.
Make Default
Sets the selected patch template as the default template.
Rename
Enables you to rename the selected template.
PATCH GROUPS
About Patch Groups
Patch Authority Ultimate provides the ability to use a patch group to scan for
a particular set of patches.
Example 1: Suppose Company A has a patch approval process under which
they've certified four patches as being mandatory for their organization. They
want to scan just for those four patches, receive compliance reports, and then
be able to patch for those specific items. By creating a patch group, they can
then scan for only those selected patches.
Example 2: Suppose you identify a certain patch as being critical for your
organization. You can create a patch group with just this patch. When you
create the group, you can browse patches from the list and select a product
and service pack and then a patch. Patch Authority Ultimate will scan for all
instances of that QNumber, not just for the product and SP that you select.
You can perform a scan using the patch group and a scan will be done just for
the selected patch.
Note: When Patch Authority Ultimate uses a patch group to scan for selected
patches, it always scans for all service packs and reports on the status of all
service packs.
Creating and Editing a Patch Group
To create a new patch group or edit an existing patch group:
1. In the button tray at the bottom of the navigation bar, click Patch and SP
Groups.
2. In the Patch and SP Groups pane, click New Group > Patch Group or
select an existing patch group.
Note: Alternatively, you can choose File > New > Patch Group from the
main menu or select a patch group from within an agent patch task.
This will display the Patch Group dialog.
Note: Be careful when editing an existing patch group. Any modifications you
make will affect any scan template that references the patch group. Also, if
you edit and save a patch group that is currently being used by an agent
policy, the agents using that policy will be updated the next time they check
in with the console.
Name
Type a name that you would like to assign to this patch group.
Description
Provide a comment that describes the purpose of this group.
View in Patch View
Use Patch View to see detailed information about each patch currently defined
in this group. The patch group will automatically be saved and will be used as
a filter in Patch View.
Copy
Makes a copy of the patch group. Type a new name for the group and then
click Save.
Delete
Deletes this patch group. You cannot delete a patch group that is currently
being used by an agent policy.
Displays Help information about this dialog.
Add Patches
Enables you to add patches to this group. It will display a list of all of the
patches that are currently available. The list can be sorted by clicking in any
of the column headers. To assign patches to the group, browse through the list and
place a check in the box next to each patch you would like to include. You can
also use the following buttons to populate the list:
• Check all: Enables every check box in the list.
• Uncheck all: Clears every check box in the list.
• Import groups: Enables you to import the patches currently defined in
  another patch group.
When done, click OK.
Remove
To remove one or more patches from the group, select the desired patches
and then click Remove.
Used By tab
This tab shows you the patch scan templates and agent policies that are
currently using this patch group. This is important to know if you are
considering modifying the group, as it tells you what other areas of the
program are affected.
Alternate Patch Group Creation Methods
You can also create a patch group while using Machine View, Patch View, or
Scan View. Select the desired patches and then use the right-click menu to
create a new patch group or to add to an existing patch group. You can scan
for the patches in the patch group and then generate compliance reports
using the report function.
Using a Patch Group
To use a patch group in a custom scan template:
1. In the button tray at the bottom of the navigation bar, click Templates.
2. In the Templates pane, click the desired custom patch scan template.
3. In the scan template, enable the Patch filter option by selecting either
Scan Selected or Skip Selected.
4. Select the patch group you created.
For example:
A patch group can also be used in an agent policy. For example:
SCANNING FOR SELECT THIRD-PARTY APPLICATIONS
About Third-Party Applications
Patch Authority Ultimate can scan for and deploy a number of free third-party
applications, including:
• RealNetworks RealPlayer
• Mozilla Firefox
• Adobe Reader
• Apple QuickTime
• And more ...
To do this you simply scan your machines to identify the machines that are
missing the third-party applications and then deploy the desired application(s)
to the machines you specify. See How to Scan for Third-Party Applications
and Deploying Third-Party Applications for more details.
How to Scan for Third-Party Applications
To scan for machines missing the third-party applications supported by Patch
Authority Ultimate:
1. In the button tray at the bottom of the navigation bar, click Templates.
2. In the Templates pane, click New Template > Patch Scan.
The Patch Scan Template dialog appears.
3. In the Name box, type a name for this custom scan (for example,
Software Distribution Scan).
4. In the Software Distribution tab, enable the Software distribution
check box.
5. (Optional) If you want to automatically deploy the applications to any
machines that are missing the applications, enable the Deploy missing
patches using check box and then select the desired deployment
template.
6. Click Save.
7. Initiate a scan using this new scan template.
For example, you might click on the desired group in the Machine Group
pane, select the new custom scan template in the Scan with box, and
then click Begin Scan.
8. When the scan is complete, if you elected not to automatically deploy the
applications, see Deploying Third-Party Applications for information on
installing the applications.
INTERPRETING PATCH SCAN RESULTS (SCAN VIEW)
Accessing Patch Scan Results (Scan View)
Patch scan results are available immediately following a successful scan by
clicking the View complete results link on the Operations Monitor dialog
(see Monitoring a Patch Scan). The scan results are also available when you
select a previous scan from the Patch Results pane.
Note: If scan results are not displayed it could be because the program's
background services do not have the proper credentials to use when making a
connection to the database. For more information see Performing a New
Installation.
Machines Scanned
Machines that were successfully scanned will be included on the Machines
Scanned tab. For information on understanding and using your patch scan
results, see Navigating the Scan View Grid.
Machines Not Scanned
Any machines that the program was unable to scan will be contained on the
Machines Not Scanned tab. There may be several reasons why a particular
machine was not scanned. Error codes are provided that explain the reason
for a particular failure. For example:
Navigating the Scan View Grid
Patch scan results are presented in a Scan View grid that contains three
separate panes. Each pane displays unique information and provides unique
functionality. The panes are interrelated in that the information presented in a
lower pane is dependent on what is selected in the pane directly above it. This
"top down" approach means you use the top pane to view high-level
information and the two lower panes to drill down to more detailed
information.
Note: While the two are extremely similar in look and feel, Scan View is
different than Machine View. Scan View represents a point in time (the date
and time the scan was performed) for the machines specified in the scan.
Machine View, however, displays the most current information for all
machines that have ever been scanned.
• The top pane displays all machines that were either successfully or
  unsuccessfully scanned. See the following topics for information on using
  the top pane:
  • Searching for Machines
  • Filtering Info in the Top Pane
  • Performing Actions on Machines
• The middle pane displays patch information about the machine(s) selected
  in the top pane. See the following topics for information on using the
  middle pane:
  • Viewing Scan Result Patch Summaries
  • Performing Actions on Patches
• The bottom pane displays detailed information about the patch selected in
  the middle pane. See the following topics for information on using the
  bottom pane:
  • Viewing Patch Details
  • Viewing Machines Missing A Selected Patch
  • Viewing Machines That Contain A Selected Patch
Customizing the Column Headers
You can easily customize the way information is displayed within any of the
panes in Machine View or Scan View.
• You can reorder the columns by clicking and dragging the column headers
  to new locations.
  For example, if you want missing patch information to be displayed in the
  first column of the top pane, simply click on the Missing Patch Count
  icon and drag it to the first column.
  Tip: When reordering columns, the column header you are moving will
  always be placed in front of the column you drag it to.
• You can right-click within a column header and perform a number of
  additional actions.
Sort Ascending
Sorts the selected column in ascending order.
Sort Descending
Sorts the selected column in descending order.
Column Chooser
Enables you to add and hide information within a pane. When you select
Column Chooser the Customization dialog is displayed. This dialog is
used to store the columns you don't currently want displayed within the
pane. Simply click and drag the desired column headers from the table to
the Customization dialog. For example, if you decide you don't want
Language and Last Scan Template information displayed in the table,
simply drag those column headers into the Customization dialog.
If you decide you want an item back in the table, simply click and drag it
from the Customization dialog back to the table.
Best Fit
Resize the width of the selected column so that the header text is
displayed in the optimal amount of space.
Best Fit (all columns)
Resize the width of all columns in the table so that the header text is
displayed in the optimal amount of space.
Hide
Moves the selected column to the Column Chooser Customization dialog,
effectively removing the column from the table.
Group by
Moves the selected column to the first column in the table, effectively
grouping the table by that column.
USING THE TOP PANE
Scan View Scan Summary
The left side of the top pane contains a collapsible sub-pane. This pane
provides summary information about the scan. The pane can be collapsed and
expanded by clicking the chevron icon in the top-right corner. For example:
Scan Summary Expanded
Scan Summary Collapsed
The top pane in the scan summary also displays a table containing detailed
information about each machine that was scanned. Click on a column
heading to sort the table by that information. You can also specify what
information is presented by right-clicking the table heading and selecting or
clearing the available items.
[icons]
Indicates whether the computer is a physical machine or an online virtual
machine defined by its name, a physical machine defined by its IP address,
an offline virtual machine, or a virtual machine template. Each case is
shown with its own icon.
Machine Group
The machine group that was scanned and that contains the
selected machine.
Domain
The domain of the scanned machine.
Machine
The machine name.
IP Address
The IP address of the scanned machine.
Installed Patch Count
The total number of patches installed on the scanned machine.
Missing Patch Count
The total number of patches missing on the scanned machine.
Missing Service Pack Count
The total number of service packs missing on the scanned
machine.
Operating System With Service Pack
The operating system and service pack level being used on the
scanned machine.
Operating System Language
The operating system language being used on the scanned
machine.
Offline Scan
Indicates if this is a virtual machine that was scanned in offline
mode.
Last Scan Template
The template that was used to scan the machine.
Machine Group Information is Dynamic
The machine group information that is displayed is based on the machine
group used to perform the most recent action on each machine. So it is
possible for the machine group information to change. For example, if you
perform a scan of a group containing three machines, the information
displayed will be similar to the following:
If you then re-scan the first machine from a different machine group, the
refreshed display will reflect this change:
The first machine is no longer listed with its original group because the most
recent scan of the machine was initiated from a different machine group.
When agents check in with the console they will be listed with the machine
group from which they were last scanned from the console.
Searching for Machines in the Top Pane
You can easily search for machines contained in the top pane. All searches are
performed using the Search tool.
The Search tool contains two logic boxes. In the first box you select one of
the predefined category types, and in the second box you specify the machine
item you want to find. You initiate the search by pressing Enter or by clicking
the search icon. Only those machines matching the search criteria are
displayed; all other machines are hidden.
Tips for Using the Search Tool
• The Search tool works only on the information currently visible in the top
  pane.
• If a Smart Filter is applied, only machines matching BOTH the search
  criteria and the smart filter criteria are displayed.
• All partial matches are displayed. For example, if you search for machines
  named Test, any machine with "test" in its name will be considered a
  match (e.g. TestMachine1, Contest, etc.).
• The use of wildcards in the Search tool is not allowed.
Using Smart Filter
Information displayed in the list can be easily filtered to narrow the focus to
only those machines of interest. One way to do this is by using the Smart
Filter.
The Smart Filter contains several default filters. You can also define your own
custom filters.
Default Filters
The default filters are identified by a leading asterisk. Default filters cannot be
modified or deleted. The default filters include the following:
• *All Machines: All machines are displayed, including servers and
  workstations.
• *Workstations: Only workstations are displayed.
• *Servers: Only servers are displayed.
• *Today: Only those machines that have been scanned within the last 24
  hours are displayed.
• *Last 7 Days: Only those machines that have been scanned within the
  last seven days are displayed.
• *Last 14 Days: Only those machines that have been scanned within the
  last 14 days are displayed.
• *Last 30 Days: Only those machines that have been scanned within the
  last 30 days are displayed.
• *Last 60 Days: Only those machines that have been scanned within the
  last 60 days are displayed.
• *Last 90 Days: Only those machines that have been scanned within the
  last 90 days are displayed.
• *Missing at least 1 patch: Only those machines that are missing at
  least one patch are displayed.
• *Has an Agent Policy: Only those machines that have Patch Authority
  Ultimate Agent installed are displayed.
• *Does not have an Agent Policy: Only those machines that do not have
  Patch Authority Ultimate Agent installed are displayed.
Custom Filters
You can create your own custom filters. This is a powerful tool that enables
you to specify exactly which machines you want displayed in the top pane.
Each custom filter is comprised of one or more rules. You can define as many
rules in a filter as needed.
To create a new filter:
1. Click the Create a New Smart Filter icon.
The Smart Filter dialog is displayed:
2. Specify which rules in the filter must be matched.
• All: Only those machines that match all the rules in the filter will be
  displayed.
• Any: Machines that match at least one rule in the filter will be
  displayed.
3. Define one or more rules.
To define a rule, select an option in each of the first two logic boxes and
then type the criteria in the third box. To add another rule simply click
Add Rule.
Note: If you define a rule that does not make sense (for example,
"Machine Name is greater than 3") the rule will simply be ignored.
4. Type a name for the filter.
5. When you are finished defining your custom filter, click Save/Rename.
Example
Assume you want to see which machines in a particular machine group are
missing more than 20 patches. You simply create a filter similar to the
following:
Performing Actions on Machines
Right-Click Menu
You can right-click on any machine in the top pane and perform a number of
different actions. For example:
Patch Scan / Scan With
Enables you to initiate a patch scan of the selected machines using any
of the available patch scan templates.
Deploy All Missing Patches
Enables you to deploy (install) all patches currently missing on the
selected machine. See Deploy to All Scanned Machines for more
information.
Test Patch Deployment
Enables you to perform a test deployment to the selected machines.
This is especially useful for patch deployments you want to schedule for
a later time. Testing the deployment allows you to correct any potential
problems in a deployment and make it less likely that a deployment will
fail. See the Operations Monitor for more information.
Note: Test deployments will not work on offline virtual machines.
Power
Enables you to modify the power state of the selected machines. You
can immediately restart or shut down the machine(s).
Add to Machine Group
Enables you to add the selected machines to a new machine group or
to an existing machine group. See Creating A New Machine Group for
more information.
Important! Machines you add to the machine group are automatically
assigned credentials. The credentials assigned will be either the
credentials used in the previous scan of the machine or, if no
credentials were assigned in the previous scan, the default credentials
will be assigned. In the latter case, if the default credentials are not valid
for the machines, and if the account credentials of the person currently
logged on to the program are also not valid for the machines, scans of
the machines you just added to the group will fail. To prevent scanning
errors, always supply credentials for machines you add to a machine
group. See Supplying Credentials for more information.
Refresh
(Machine View only)
Refreshes the information displayed in the top pane.
Machine Properties
Enables you to view and edit machine properties. See Managing
Individual Machine Properties for more information.
Agents
Enables you to:
• Install an agent, assign a different policy to the agent, or uninstall
  an agent.
• Send a number of different commands to the selected agents. The
  commands apply only to machines that already have agents
  installed, that are online, and that are configured to be listening
  agents. See the Send command description for detailed information
  about the available commands.
• (Machine View only) Initiate any of the tasks currently defined
  within the selected agents. When you select a task a confirmation
  dialog is displayed. If you choose to continue, the task is
  immediately started on the agent machines. See Creating a New
  Agent Policy for information on the types of tasks that may be
  available.
Delete
(Machine View only)
Deletes the selected machine from Machine View. If the machine is
rescanned it will be re-added to Machine View.
Deleting a machine from Machine View also affects the information
displayed for that machine within Scan View (see Accessing Patch
Scan Results). The machine will be moved to the Machines Not
Scanned tab and all previous scan information for that machine will be
lost.
Note: This menu item is available in Machine View but not in Scan
View.
Expand All
Expands all machine trees in the top pane. This can also be
accomplished using the Machines > Expand All menu.
Collapse All
Collapses all machine trees in the top pane. This can also be
accomplished using the Machines > Collapse All menu.
Export selected machines to CSV
Export information about the selected machines to a Comma Separated
Values (CSV) file. The CSV file can then be used within a spreadsheet
program. This can also be accomplished using the Machines > Export
visible machines to CSV menu.
View Executive Summary Report
(Scan View only)
Generates an Executive Summary report that provides a high-level
summary about the patches and the machines discovered by the scan.
Keyboard Shortcuts
The following keyboard shortcuts are available:
• Ctrl+A: Selects all machines.
• CTRL+click: Multiple machines can be selected by holding down the CTRL
  key while selecting machines.
• SHIFT+click: A contiguous group of machines can be selected by holding
  down the SHIFT key while selecting the starting and ending machines in
  the list.
• SHIFT+PAGE UP: Selects a range of machines from the one currently
  selected to the top of the table.
• SHIFT+PAGE DOWN: Selects a range of machines from the one
  currently selected to the bottom of the table.
• HOME: Moves the focus to the first cell in the table.
• END: Moves the focus to the last cell in the table.
USING THE MIDDLE PANE
Viewing Patch Summaries in Scan View
The Patches tab on the middle pane displays general patch information
about the machine(s) selected in the top pane. If multiple machines are
selected in the top pane, this tab will display patch information for all selected
machines. For example, if you select two domains in the top pane, summary
information about all the machines in both domains will be displayed. The
Affected Machine Count column indicates how many of the selected
machines are affected by a specific patch or service pack.
The values for the Found Patch Count and Missing Patch Count columns
in the top pane may not always match the values shown in the middle pane.
This is because the top pane counts every patch on every machine, while the
middle pane counts only unique patches and ignores duplicates.
If you refresh Scan View during or after a patch deployment, the Current
Patch Status column will reflect the new patch status. For example, in the
following figure, the Skype 4.2 patch that was originally detected as missing
is now being reported as installed.
You can customize the way information is displayed within this pane. See
Customizing the Column Headers for information.
Performing Actions on Patches
Right-Click Menu
You can right-click on any patch in the middle pane and perform a number of
different actions. For example:
Deploy
Enables you to deploy (install) patches or service packs currently missing
on the machine(s) selected in the top pane. See Deploying One or More
Patches to a Machine for more information.
Uninstall Selected
Enables you to uninstall (rollback) the selected patch. See How to
Uninstall Patches for more information.
Download Selected
Enables you to download to the download center the selected patches or
service packs. See Downloading Patches for more information.
Delete
Enables you to delete selected patches from the download center.
Open Bulletin(s) in Browser
Displays the related Microsoft security bulletin within a Web browser.
Add to Patch Group
Enables you to add the selected patch(es) to an existing patch group or
to a new patch group. See Creating and Editing a Patch Group for more
information.
Set Criticality
Criticality is the user-supplied threat and severity level associated with a
particular vulnerability. While ScriptLogic Corporation can reasonably
evaluate the general threat posed by a patch, even the most critical
patches will not always warrant a sense of urgency in organizations in
which the vulnerability poses little or no threat. Therefore, Patch
Authority Ultimate provides a mechanism to allow the administrator to
assign a custom level of criticality for each patch. Criticality can be
assigned by clicking Set Criticality and choosing one of the options from
the shortcut menu. If you assign a custom criticality to a patch, the flag
displayed in the lower pane will change to the appropriate color.
(Red) Critical
(Orange) High
(Yellow) Medium
(Gray) Low
(White) Ignore
(Clear) Criticality not set
Add Comment
Enables you to add your own specific comment about the patch.
Expand All
Expands all patch and informational trees in the middle pane.
Collapse All
Collapses all patch and informational trees in the middle pane.
Export selected patches to CSV
Export information about the selected patches to a Comma Separated
Values (CSV) file. The CSV file can then be used within a spreadsheet
program.
Keyboard Shortcuts
The following keyboard shortcuts are available:
• Ctrl+A: Selects all patches.
• CTRL+click: Multiple patches can be selected by holding down the CTRL
  key while selecting patches.
• SHIFT+click: A contiguous group of patches can be selected by holding
  down the SHIFT key while selecting the starting and ending patches in the
  list.
• SHIFT+PAGE UP: Selects a range of patches from the one currently
  selected to the top of the table.
• SHIFT+PAGE DOWN: Selects a range of patches from the one currently
  selected to the bottom of the table.
• HOME: Moves the focus to the first cell in the table.
• END: Moves the focus to the last cell in the table.
USING THE BOTTOM PANE
Viewing Patch Information
The Patch Information tab in the bottom pane displays detailed information
about the patch, service pack, or informational item selected in the middle
pane. Detailed information will not be displayed if multiple patch items are
selected in the middle pane.
Download
Enables you to download the patch to the download center. When you click
this button the Patch Download Status dialog is displayed. Use this dialog to
select which language version of the patch you want to download. On the
dialog, if the download icon is grayed out, it indicates the patch has not
yet been downloaded. If the icon is green, it indicates the patch has
already been downloaded and verified.
Bulletin ID
Provides a link to the Microsoft Security Bulletin article that describes the
threat addressed by this patch.
Superseded by
If shown, indicates that the patch is superseded by another more recent
patch.
Microsoft Knowledge Base Article
Provides a link to the associated Knowledge Base article that provides more
information about the flaw.
Vendor Severity
ScriptLogic Corporation assigns one of four severity levels based on its
perceived threat of the vulnerability related to the patch.
(Red) ScriptLogic Corporation has deemed the problem
associated with this patch to be Critical in nature.
(Orange) ScriptLogic Corporation considers the problem related
to this patch Important to correct.
(Yellow) The related vulnerability is of Moderate severity.
(Gray) While it poses a security risk, ScriptLogic Corporation
deems that risk to be Low.
Included in
If shown, indicates that the patch is contained in a service pack.
CVEID
Provides a link to the Common Vulnerabilities and Exposures article that
describes the threat addressed by this patch.
Description
Identifies the product that is affected by this patch, and describes how the
product is vulnerable.
Summary
Provides a concise description of the threat addressed by this patch.
Comments
If shown, provides comments from ScriptLogic Corporation about this patch.
Registry key table
Identifies the registry key information used to determine whether the product
in question exists on the target machines. This table can be sorted by clicking
within a column header.
File name table
Shows the file criteria used for determining whether or not a patch is installed.
This table can be sorted and customized. See Customizing the Column
Headers for more information.
Viewing Machines That Are Missing A Selected Patch
The Machines Missing tab in the bottom pane displays the machines that
are missing the patch that is selected in the middle pane. These machines are
vulnerable to the threat corrected by the patch.
The Machines Missing table can be sorted and customized. See Customizing
the Column Headers for more information.
Viewing the List of Machines That Contain the Selected Patch
The Machines Installed tab in the bottom pane displays the machines that
contain the patch that is selected in the middle pane. For example:
This table can be sorted and customized. See Customizing the Column
Headers for more information.
DOWNLOADING PATCHES
Downloading Patches and Service Packs
Patch Authority Ultimate automatically downloads necessary patches as part
of the deployment process, removing the need to manually download them in
advance. Patch Authority Ultimate also provides the ability to download
patches to the download center prior to deployment. There are multiple ways
to do this.
For English language patches:
To download a single patch
• From within the middle pane of the Scan View view, on the Patch
  Information tab click Download.
• From within the bottom pane of Machine View, on the Patch Information
  tab click Download.
• From within the bottom pane of Patch View, on the Patch Information
  tab click Download.
To download multiple patches
• From within the middle pane of the Scan View view, right-click the
  selected patches and select Download Selected.
• From within the middle pane of Machine View, right-click the selected
  patches and choose Download Selected.
• From within the top pane of Patch View, right-click the selected patches
  and choose Download Selected.
• From within a patch group, click View in Patch View. From the resulting
  patch view, select all the patches, right-click the patches, and then select
  Download Selected.
To download service packs
• From within the middle pane of the Scan View view, right-click a service
  pack and choose Download Selected.
• From within the middle pane of Machine View, right-click a service pack
  and choose Download Selected.
If you have trouble downloading a patch, try clearing your Internet Explorer
cache files before attempting another download.
Further Reference
• For international patches, please see About International Patches.
• For information about downloading any custom patches you may have
  created, please see Overview of the Custom XML Process.
Downloading Non-English Language Patches
If Patch Authority Ultimate is configured to support non-English language
patches (see Accessing language support options), a dialog similar to the
following appears when you initiate the download of one or more patches
using the right-click menu from Scan View, Machine View, or Patch View:
Simply enable the check boxes next to the language versions of the patch you
wish to download and then click OK. If one or more language versions are not
available for a patch then:
• The download icon will not be displayed for those languages.
• The check box will not be enabled, even if the language is specified as a
  default download language.
This dialog also contains the following options:
• Save the checked languages as the defaults: Enable this check box if
  you want the languages you chose to be considered your default
  languages. Another way to set your default languages is to select Tools
  > Options > Patch Languages from the Patch Authority Ultimate menu
  (see Patch Language Options).
• Don't show this dialog again: Enable this check box if you want Patch
  Authority Ultimate to automatically download patches in the default
  languages without first displaying this prompt. To re-display this dialog,
  select Tools > Options > Patch Languages from the Patch Authority
  Ultimate menu and enable the Prompt for language(s) on download
  check box.
Downloading Non-English Language Patches Individually
If Patch Authority Ultimate is configured to support non-English language
patches (see Accessing language support options), a dialog similar to the
following appears when you initiate the download of a patch from Scan View,
Machine View, or Patch View using the Download button:
Simply click the Download link next to the desired language. Each language
version of the patch must be downloaded one at a time.
This dialog contains the following icons:
• (icon): Deletes the specific language patch from the download center.
• (icon): Specifies which languages are already downloaded.
Patch Downloads Are Performed As Background Tasks
All patch downloads are performed as background tasks, regardless of how
they are initiated. In other words, the download is launched as its own
separate Windows task. This means you can initiate a patch download and
then move on to other work within Patch Authority Ultimate without having to
wait for the download to complete. This also means you can have multiple
patch downloads active at the same time.
Download Considerations
• Is there a practical limit to the number of patch downloads you can have
  active at the same time?
  Yes. It is dependent on the CPU and memory size of the console machine.
  It is also dependent on the number of other tasks currently active (for
  example, other patch scans, patch deployments, etc.). While there is no
  exact answer, you'll know you've reached a practical limit if Patch
  Authority Ultimate starts responding slowly.
• How will I know when a download completes?
  The Download Manager dialog will display the download status. When
  the download is complete you can clear the dialog, close the dialog, or the
  dialog will close automatically when the downloads are complete if the
  Close after all downloads are complete check box is enabled.
DEPLOYING PATCHES
Patch Deployment Overview
Patch Authority Ultimate allows local and remote patch deployment via a few
simple mouse clicks. From one management console you can deploy missing
patches and service packs to a single machine or to many machines.
Note: Service packs should be applied before all patches. For this reason
Patch Authority Ultimate will not allow you to deploy service packs and
patches in the same deployment.
Patch Deployments Are Performed As Background Tasks
All patch deployments are performed as background tasks, regardless of how
they are initiated. In other words, the deployment is launched as its own
separate Windows task. This means you can initiate a patch deployment and
then move on to other concurrent work within Patch Authority Ultimate
without having to wait for the deployment to complete. This also means you
can have multiple patch deployments active at the same time.
Deployment Considerations
• Is there a practical limit to the number of deployments you can have
  active at the same time?
  Yes. It is dependent on the CPU and memory size of the console machine.
  It is also dependent on the number of other tasks currently active (for
  example, other patch downloads, patch deployments, etc.). While there is
  no exact answer, you'll know you've reached a practical limit if Patch
  Authority Ultimate starts responding slowly.
• Is there a problem if the same machine is included in two or more
  concurrent deployments?
  You should avoid concurrent deployments to the same machine. Exactly
  what will happen is dependent on a number of issues. The second
  deployment may overwrite the patch files already deployed, it may fail if
  the files are currently in use by the first deployment, or it may fail if the
  first deployment reboots the machine while the second deployment is still
  in progress.
• How will I know when a deployment is complete?
  Each deployment dialog will have its own window. The window will remain
  on the screen showing the status until you close it, or it will close
  automatically when the deployment(s) are complete if the Close this
  dialog when finished check box is enabled. From the Patch Authority
  Ultimate console's perspective, the deployment is complete when all
  necessary files have been copied to the target machine and the
  deployment is scheduled.
Patch Deployment Prerequisites
In addition to the scanning prerequisites, the following are required in order
to successfully deploy patches to target machines:
• When deploying patches on Windows Vista or later operating systems, the
  Windows Update service Startup type must be set to either Manual or
  Automatic.
• A scheduler is required on the machines being patched to ensure a
  successful deployment. If you are not using the default ScriptLogic
  Scheduler (see Scheduling Options), you will need to enable the Windows
  Task Scheduler on the machines being patched. On most Windows
  machines you can access the Task Scheduler by selecting Start >
  Settings > Control Panel > Administrative Tools > Services and
  then right-clicking Task Scheduler.
Patch Deployment Security
Patch Authority Ultimate takes the security of patch deployment very
seriously. To that end, each patch undergoes up to three signature validation
checks and is stored in a location on the remote machine with tight security
permissions. If any of the signature checks fail, the patch will not be
deployed.
During deployment, when a patch is copied to a remote system, the copy is
not initiated unless the patch is signed. This is to prevent someone from
tampering with the copy of the patch stored in the download center. Before a
patch is pushed out, it is always checked for a valid signature to ensure you
are getting a legitimate patch.
Once the patch is copied to the deployment target it might sit for a period of
time awaiting a scheduled deployment. To prevent someone from tampering
with the patch during that time, the signature is checked again before
deploying on that machine. Additionally, the patch directory that Patch
Authority Ultimate creates on the remote machine has permissions set to
LOCALSYSTEM and Local Administrators only, so other users will not be able
to modify, add or remove files from the deployment directory.
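One way to spot-check, from the target machine, the two properties described above: that staged files carry a valid signature and that the directory is accessible only to LocalSystem and the local Administrators group. This is an added example, not ScriptLogic code and not the product's own validation; the function names are hypothetical, and the directory path is a placeholder because this guide does not state where the deployment directory is created.

```powershell
# Added example, not ScriptLogic code. Function names are hypothetical.
# Run elevated on the target machine. The guide does not say where the
# deployment directory is created, so the caller supplies -Path.

function Get-UnexpectedAccess {
    # Emits each Allow entry on $Path granted to anyone other than
    # LocalSystem or the local Administrators group.
    param([Parameter(Mandatory = $true)][string]$Path)

    $allowedSids = @(
        'S-1-5-18',      # NT AUTHORITY\SYSTEM (LocalSystem)
        'S-1-5-32-544'   # BUILTIN\Administrators
    )

    $acl = Get-Acl -LiteralPath $Path
    # Request SIDs so localized or unresolvable account names still compare correctly.
    $rules = $acl.GetAccessRules($true, $true, [System.Security.Principal.SecurityIdentifier])

    foreach ($rule in $rules) {
        if ($rule.AccessControlType -ne 'Allow') { continue }
        $sid = $rule.IdentityReference.Value
        if ($allowedSids -contains $sid) { continue }

        # Resolve a readable name for the report; keep the raw SID if that fails.
        try   { $name = $rule.IdentityReference.Translate([System.Security.Principal.NTAccount]).Value }
        catch { $name = $sid }

        [pscustomobject]@{
            Path      = $Path
            Identity  = $name
            Rights    = $rule.FileSystemRights
            Inherited = $rule.IsInherited
        }
    }
}

function Get-UnverifiedFile {
    # Emits each file under $Path whose Authenticode status is not 'Valid'
    # (unsigned, hash mismatch after modification, untrusted signer, and so on).
    param([Parameter(Mandatory = $true)][string]$Path)

    Get-ChildItem -LiteralPath $Path -File -Recurse -Force | ForEach-Object {
        $sig = Get-AuthenticodeSignature -LiteralPath $_.FullName
        if ($sig.Status -ne 'Valid') {
            $signer = $null
            if ($sig.SignerCertificate) { $signer = $sig.SignerCertificate.Subject }

            [pscustomobject]@{
                File   = $_.FullName
                Status = $sig.Status
                Signer = $signer
            }
        }
    }
}

function Test-PatchDirectory {
    # Combines both checks and returns one summary object.
    param([Parameter(Mandatory = $true)][string]$Path)

    if (-not (Test-Path -LiteralPath $Path -PathType Container)) {
        throw "Directory not found: $Path"
    }

    # Check the directory and every child: an entry added directly to a
    # single file does not appear on the parent directory's ACL.
    $children = @(Get-ChildItem -LiteralPath $Path -Recurse -Force |
                  ForEach-Object { $_.FullName })
    $items = @($Path) + $children

    $aclFindings = @($items | ForEach-Object { Get-UnexpectedAccess -Path $_ })
    $sigFindings = @(Get-UnverifiedFile -Path $Path)

    [pscustomobject]@{
        Path             = $Path
        UnexpectedAccess = $aclFindings
        UnverifiedFiles  = $sigFindings
        Passed           = ($aclFindings.Count -eq 0 -and $sigFindings.Count -eq 0)
    }
}

# Usage (placeholder path, replace with the real deployment directory):
# $result = Test-PatchDirectory -Path 'D:\placeholder\deployment-directory'
# $result.UnexpectedAccess | Format-Table -AutoSize
# $result.UnverifiedFiles  | Format-Table -AutoSize
```

Every file that is not Authenticode-signed is listed, so review the output rather than treating each entry as evidence of tampering.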
Testing the Deployment
Patch Authority Ultimate includes the ability to perform a test deployment to
one or more machines. This is especially useful for patch deployments that
have been scheduled for a later time. Testing the deployment allows you to
correct any potential problems in a deployment and makes it less likely that a
deployment will fail.
You perform a test deployment from Machine View or Scan View. Simply
right-click the machine, machine group, or domain you want to test and then
select Test Patch Deployment. For example:
Test deployment results are reported in the Operations Monitor. A test deploy
returns either a success or a failure depending on what it finds. For example,
if the workstation or scheduling services are not started in a particular
machine, Patch Authority Ultimate cannot deploy patches to it and a test
deploy will return a failing result. If a test does fail you can click the available
link for information on why the test failed.
The sample results below show a successful test deployment.
Deploying One or More Patches to a Machine
From the Middle Pane of Scan View or Machine View
1. In the middle pane of Scan View or Machine View, select the patches that
you would like to deploy to the selected machine.
Multiple patches can be selected by holding down the CTRL key while
selecting patches. A contiguous group of patches can be selected by holding
down the SHIFT key while selecting the starting and ending patch in the list.
2. Right-click one of the patches that are to be deployed and select Deploy
> Selected Patches from the shortcut menu.
This will launch the Deployment Configuration dialog.
From the Machines Missing Tab
You can deploy a selected patch from the Machines Missing tab available
within Scan View, Machine View, or Patch View. For example:
Deploying All Missing Patches to a Machine
You can easily deploy all patches that are missing from a machine. There are
a couple of ways to do this within Patch Authority Ultimate.
From the Top Pane of Scan View or Machine View
1. In the top pane of Scan View or Machine View, select the desired machine.
2. Right-click the machine and select Deploy All Missing Patches.
This will launch the Deployment Configuration dialog.
From the Middle Pane of Scan View or Machine View
1. In the top pane of Scan View or Machine View, select the desired machine.
2. In the middle pane, right-click a missing patch and select Deploy All
Missing Patches.
Deploying Patches to Multiple Machines
From the Machines Missing Tab
You can deploy patches to multiple machines from the Machines Missing
tab. This works in all available views: Scan View, Machine View, and Patch
View. The Machines Missing tab is generally the best place to deploy a
single patch to multiple machines. Here's an example using Machine View:
Alternative Method Using Machine View
The following figure illustrates another method for deploying a patch to
multiple machines using Machine View. In the top section select the machines
that are missing the patch, and then in the middle section right-click the
patch and select Deploy > Selected Patches. You can also select multiple
patches in the middle section and it will deploy them to all machines selected
in the top section that are missing them.
Deploying Third-Party Applications
Note: Click here for information on how to scan for third-party applications.
You deploy (install) third-party applications to selected machines in the exact
same manner that you deploy missing patches to selected machines. Patch
Authority Ultimate will treat the missing application exactly like a missing
patch and will simply install the application on the selected machines. Here's
an example showing how to deploy third-party applications from Scan View.
The procedure is very similar using Machine View or Patch View.
1. Select the third-party application you want to deploy.
2. To view the list of machines missing the selected application, select the
Machines Missing tab.
3. Select the machines you wish to deploy this application to, and then
right-click the selected machines and select Deploy Selected Patch.
Deploying Patches to Virtual Machines and Virtual Machine Templates
The method for initiating a patch deployment is the same regardless of
whether you are deploying to a physical machine, to an online virtual
machine, to an offline virtual machine, or to a virtual machine template. It's
what happens after you initiate the deployment, however, that is slightly
different for virtual machines and for virtual machine templates.
Note: For deployments to virtual machines that are hosted on a server it is
recommended you use the Virtual Machine Standard deployment template.
Also, in all cases, during deployment the virtual network will need to remain
connected.
Immediate Patch Deployments
When you perform an immediate deployment to a physical machine, an online
workstation virtual machine, or an offline workstation virtual machine, the files
required for the deployment are copied to the target machine immediately and
the deployment is scheduled to occur immediately using the scheduler on the
target machine. The online/offline status of these machine types is determined at
the time you initiate the deployment. The actual patch installation is performed
on the target machines and the console is not actively involved in the patch
installation.
When you perform an immediate deployment to a virtual machine that is hosted
on a server, the entire deployment process occurs on the Patch Authority
Ultimate console machine. The console determines the online/offline status of
the hosted virtual machines and the console service is actively involved during
the patch installation. This allows the console service to modify the state of the
hosted virtual machines during the deployment.
This table summarizes what happens when you perform an immediate deployment
based on where the virtual machines are defined within the machine group.
| Machine Group Tab | Target Machine is Online | Target Machine is Offline |
|---|---|---|
| Machine Name, Domain Name, IP Address/Range, Organizational Unit | Push files and initiate deployment immediately. | Fail |
| Workstation Virtual Machines | Fail | Push files and schedule on target; deployment will occur the next time the virtual machine is brought online. |
| Hosted Virtual Machines | Push files and initiate deployment immediately. The process is the same as a physical machine except that snapshots will be taken as directed by the deployment template. | *See steps below. VMware tools must be installed on the virtual machine in order for the deployment to be successful. |
*During deployment to an offline hosted virtual machine or an offline virtual
machine template, the following steps occur:
1. [Conditional: Templates Only] Convert the virtual machine template to an
offline virtual machine.
2. (Optional) Take a snapshot if the deployment template is configured to
take a pre-deployment snapshot.
3. (Optional) Delete old snapshots if one of the snapshot thresholds defined
on the patch deployment template is exceeded.
4. Copy the patches to the offline virtual machine.
5. Reconfigure the following on the offline virtual machine:
   • Disable the network adaptor's Connect at power on option. This is
     done so that the machine is isolated from the network when the patch
     process is run.
   • Disable Sysprep so it will not automatically configure the machine's
     operating system when the machine is first powered on.
6. Power on the virtual machine.
7. Install the patches.
8. Power down the virtual machine.
9. Reset the machine configuration to its original network connection and
Sysprep settings.
10. (Optional) Take a snapshot if the deployment template is configured to
take a post-deployment snapshot.
11. (Optional) Delete old snapshots if one of the snapshot thresholds defined
on the patch deployment template is exceeded.
12. [Conditional: Templates Only] Convert the offline virtual machine back to
a virtual machine template.
Scheduled Patch Deployments
When you schedule a deployment to a physical machine, an online
workstation virtual machine, or an offline workstation virtual machine, the
files required for the deployment are copied to the target machine
immediately and the deployment is scheduled using the scheduler on the
target machine. The online/offline status of these machine types is
determined at the time you schedule the deployment. The actual patch
installation is performed on the target machines and the console is not
actively involved at the time the patches are installed.
When you schedule a deployment to a virtual machine that is hosted on a
server, the entire deployment process is scheduled to occur on the Patch
Authority Ultimate console machine using the scheduler on the console. The
online/offline status of the hosted virtual machines is determined at the
scheduled time, and the console is actively involved at the time the patches
are installed. This allows the console to modify the state of the hosted virtual
machines during the deployment.
The following table summarizes what happens at the time you schedule a
deployment based on where the virtual machines are defined within the
machine group.
| Machine Group Tab | Target Machine is Online When Scheduled | Target Machine is Offline When Scheduled |
|---|---|---|
| Machine Name, Domain Name, IP Address/Range, Organizational Unit | Push files to the target and schedule the deployment on the target. The deployment will occur the next time both of the following are true: the machine is online; the scheduled time has passed. | Fail |
| Workstation Virtual Machines | Fail | Push files to the target and schedule the deployment on the target. The deployment will occur the next time both these are true: the machine is online; the scheduled time has passed. |
| Hosted Virtual Machines | Schedule the deployment on the console. At the scheduled time, treat as an immediate deployment (see Hosted Virtual Machines in the previous table). | Schedule the deployment on the console. At the scheduled time, treat as an immediate deployment (see Hosted Virtual Machines in the previous table). |
If the scheduled deployment contains a mix of hosted virtual machines and other types of
machines, the machines are separated into two groups. The deployment of the hosted
virtual machines is scheduled to occur on the console at the scheduled time. For all
machines other than hosted virtual machines, the files are copied to the target machines
immediately and the deployment is scheduled to occur using the scheduler on the target
machine.
Power State and Credential Requirements for a Successful Deployment
Note: Keep in mind that, from Patch Authority Ultimate's point of view, the
definition of a successful deployment depends on where the virtual machine is
located. A successful deployment to a hosted virtual machine means the
machine is fully patched, while a successful deployment to a workstation-based
virtual machine means the patches have been pushed to the offline
virtual machine.
An offline virtual machine (workstation-based or hosted on a server) is a file
or set of files. To scan or deploy to an offline virtual machine requires
permissions to the file system where the files reside. An online virtual
machine is almost indistinguishable from a physical machine. To deploy
patches to an online virtual machine requires credentials for an administrator
account on the virtual machine operating system.
Because of these differences between online and offline virtual machines, you
may need to provide two sets of credentials – one for when the virtual
machine is in the online state and one for when it is in the offline state.
For workstation virtual machines, if you wish to scan and/or deploy to the
virtual machine in either its online or offline state, you should add the virtual
machine to the machine group twice:
• For its online state, enter the machine identifier and online credentials in
  the machine group as you would any physical machine – on the Machine
  Name, Domain Name, IP Address/Range, or Organizational Unit
  tab.
• For its offline state, enter the information and credentials for the virtual
  machine file locations on the Workstation Virtual Machines tab.
For hosted virtual machines, you only need to specify the machine once, on
the Hosted Virtual Machines tab. Separate credentials, however, are still
required to access the machine in either the online or offline state. The
browse credentials you enter when connecting to the VMware server are used
when the machine is in the offline state. You should enter online credentials
for each hosted virtual machine using the Set Admin Credentials option in
the bottom pane of the machine group editor.
The following table summarizes the credentials used for various machine
types.
| Machine Type | Machine State | Machine Group Tab | Credentials Required |
|---|---|---|---|
| Physical Machine | Online | Machine Name, Domain Name, IP Address/Range, Org Unit | Machine or machine group credentials |
| Workstation VM | Online | Machine Name, Domain Name, IP Address/Range, Org Unit | Machine or machine group credentials |
| Workstation VM | Offline | Workstation Virtual Machines | Machine or machine group credentials |
| Hosted VM | Online | Hosted Virtual Machines | Machine or machine group credentials |
| Hosted VM | Offline | Hosted Virtual Machines | Browse credentials (the creds used to log on to the VM server) |
If you specify both online and offline credentials for virtual machines, you will
be able to scan and deploy to those virtual machines whether they are online
or offline.
Deploying Service Packs
Note: This describes the process for deploying service packs to agentless
machines. For information on deploying service packs to agent-based
machines, see Using a Service Pack Group.
Service pack deployments are handled differently than patch deployments.
Since Microsoft recommends that a service pack be applied before all patches,
Patch Authority Ultimate will not allow you to deploy service packs and
patches in the same deployment. It is because of this behavior that when you
select Deploy > All Missing Patches, it literally means to deploy all missing
patches; no service packs will be included with this operation.
Deploying a Service Pack to a Single Machine
To deploy the latest service pack to a single machine:
1. In the top pane select a machine.
2. In the middle pane, right-click the desired service pack and then select
Deploy > Service Pack > Latest Service Pack.
In general, deploying the latest service pack will automatically include any
previous service packs. Sometimes, however, a previous service pack is a
prerequisite for a later service pack. In this case the program will only let you
deploy the prerequisite service pack.
To deploy the selected service pack (regardless of whether it is the latest
version), select Deploy > Service Pack > Selected Service Pack.
Finally, you can deploy a specific service pack (SP1, SP2, etc.). This may be
necessary if your organization has not approved the latest service pack or if
the latest service pack is not inclusive (does not include previous service
packs).
The following figure illustrates the deployment procedure from within Scan
View. Service packs can also be deployed in a similar manner from within
Machine View.
Deploying a Service Pack to Multiple Machines from the Machines Missing
Tab
You can deploy a service pack to multiple machines from the Machines
Missing tab. This works in all available views: Scan View, Machine View, and
Patch View. The Machines Missing tab is generally the best place to deploy
a single service pack to multiple machines. Here's an example using Machine
View:
Deploying by Criticality
Patches can also be deployed based on the need for the patch. For example, a
low impact patch might be applied over a weekend while a patch that
addresses a critical security vulnerability might be deployed immediately. To
this end, Patch Authority Ultimate allows the administrator to deploy patches
based on the user-defined criticality. Criticality for a patch can be set from the
grid in Patch View or from the middle pane of Machine View. Simply right-click
a patch and select Set Criticality.
Note: Don't confuse criticality (which is set by you) with severity (which is set
by ScriptLogic Corporation).
To deploy patches based on criticality, right-click one or more patches and
select Deploy > Based on Criticality > { level of criticality for which to
deploy }.
Deploying Patches to All Members of a Domain
Patches can be deployed to all members of a single domain. From within Scan
View or Machine View, group the display by domain by sliding the Domain
column to the first column. You can then deploy to the machines in the
domain using the right-click Deploy All Missing Patches menu.
This will launch the Deployment Configuration window.
Automatically Deploying Patches
Patch Authority Ultimate can be configured to deploy all missing
patches to machines immediately after a scan is performed. When
performing domain scans, this can be especially useful as it provides a
one-step update. The automatic deployment is performed by enabling the
Auto-deploy check box on the Run Scan dialog. You access this dialog whenever
you click the Begin Scan button within a machine group or a Favorite
(assuming the Show 'Run Now' dialog option is enabled in the Tools >
Options > Scans dialog).
Scheduling and Configuring a Deployment
When a patch deployment is initiated the Deployment Configuration dialog
is displayed. This dialog enables you to specify exactly when and how the
patches will be deployed.
Deploy To
Indicates how many patches are being deployed and to how many
machines.
Deploy How
Specify the deployment template you want to use. There are three
buttons associated with this field:
• New: Enables you to create a new deployment template.
• Edit: Enables you to permanently modify the selected
  deployment template.
Note: The default templates (Agent Standard, Standard, and
Virtual Machine Standard) cannot be modified. Clicking Edit lets
you view but not change the default templates.
Deployment Tracker IP Address
Specifies the IP address that Deployment Tracker will listen on.
See About Deployment Tracker for more information.
Deploy When
Specify when you want the patches to be deployed. Your options
are:
• Copy patch(es) to selected machine(s) but do not install:
  Select this option if you want the patches made available to
  (but not installed on) the target machines. You might select
  this option if you want to manually start the patch installation at
  the remote machines.
• Install immediately: The patch deployment process will begin
  right after you click the Deploy button.
• Schedule at: Enables you to choose the date and time at
  which the patches should be installed. The files will be copied
  immediately but the installation of the patches will not begin
  until the scheduled deployment time. It is not necessary for the
  machine that performed the scan to be available at the
  scheduled deployment time.
• Install at next reboot (no login required): The patch files will
  be copied immediately to the target machines but the
  installation of the patches will not begin until the next time each
  machine is restarted.
Reboot How
Displays the current reboot instructions defined by the selected
template. If you want to override the reboot instructions for this
deployment, click Change. This will create and open a copy of the
selected deployment template, allowing you to change the reboot
options.
Patches to be deployed by machine
Expands the dialog to display detailed information about the
machines and the patches selected for deployment.
Deploy
When you are ready to deploy your patches using the selected
deployment options, click this button.
Monitoring the Deployment
Throughout the deployment process, Patch Authority Ultimate provides status
information to keep the administrator informed as to what is happening. The
first piece of status information that presents itself is the download dialog.
This dialog provides the administrator with an at-a-glance status concerning
the patch download process. Each patch has to be downloaded before it can
be deployed. The download status window will not be displayed if all patches
being deployed already reside in the download center.
Once all of the selected patches have been downloaded, the actual machine
deployment begins. The Deployment Status dialog provides detailed
information about each step in the deployment process.
Scheduled patch deployments can be managed using the Scheduled Task
Manager.
Active patch deployments can be monitored using the Deployment Tracker.
When the deployment has completed, you can review the status of the
deployment by selecting the deployment in the Today's Items list of the
Patch Results pane. See Viewing Deployment Results for details.
Tips for Monitoring Patch Deployments to Virtual Machines
• When using Deployment Tracker, if you notice that a server task has failed
  for a virtual machine (for example, taking a snapshot or re-enabling the
  network), you can complete the task using your client software.
• In addition to using the tracking tools provided by Patch Authority
  Ultimate, for virtual machines that are hosted on a server you can also
  use your client software to monitor the patch deployment progress. For
  example:
Viewing Deployment Results
If you select a deployment from the Patch Results pane, details about the
deployment are displayed within two panes on the right side of the window.
The top pane displays a list of each machine involved in the deployment and
shows how many patches each machine received. The lower pane provides
information about how the patches were deployed. It shows many of the
settings that were in the deployment template used during the deployment.
When you click on a machine name in the top pane, details about the
deployment to that particular machine are displayed on the Deployment
Summary tab.
The dialog shown above displays the status of the deployment for the
selected machine. To get more data on the status of the process, click Query
remote log information. This will query the event log and the scheduler log
of the remote machine and provide more detailed information on a new tab
named Machine Details.
Canceling a Deployment
You can use the Scheduled Tasks Manager to delete any patch deployment
tasks currently scheduled on any of the machines in your network. Simply
right-click the task and select Delete Job(s).
Deployment History
Even after a series of deployments, all of the results of prior deployments are
just a click away. If deployments were performed today, an additional entry
will appear in the Today's Items list of the Patch Results pane. In addition
to deployments, Today's Items also maintains a list of recent scans.
After the day is done, Today's Items are moved to the Recent Items list.
After a certain number of days (the number is configurable) items are moved
from the Recent Items list to another list named Archive Items.
Additionally, you can get a complete list of available prior deployments by
choosing Manage > Items.
DEPLOYMENT TEMPLATES
About Deployment Templates
When deploying patches to a machine, Patch Authority Ultimate allows you to
specify a number of different options such as whether the deployment target
should be restarted after deployment, how fast the patches should be copied
to the remote machine, whether reports should be sent, and much more.
Patch Authority Ultimate provides three predefined deployment templates:
• The Agent Standard deployment template is designed to be used with
  agents. It will perform a post-patch deployment reboot only when needed.
• The Standard deployment template is designed to be used with agentless
  deployments initiated by the console. It will always perform a post-patch
  deployment reboot.
• The Virtual Machine Standard deployment template is designed for use
  with virtual machines. It will take a pre-deployment snapshot of any
  virtual machine that is hosted on a server, and it will delete old snapshots
  that are more than four days old.
If you wish to create your own unique deployment template, see Creating a
Deployment Template.
Creating or Editing a Deployment Template
1. In the button tray at the bottom of the navigation bar, click Templates.
2. In the Templates pane:
   • To create a new deployment template, click New Template > Patch
     Deployment.
   • To edit an existing deployment template, click the template name.
Note: Alternatively, you can choose File > New > Deployment
Template from the main menu.
Tip: To speed the template creation process, copy an existing template that
is similar to the one you want to create. The contents of the copied template
will be populated in the new Deployment Template dialog and you can
simply modify the appropriate items. You copy an existing template by
selecting it in the Deployment Templates pane and then, in the summary
section of the template in the right-hand pane, clicking Copy. You can also
right-click on the template in the pane and select Copy.
The Deployment Template dialog contains several tabs that collectively
define the characteristics of a particular deployment template. The tabs are:
• General tab
• Office tab
• Pre-Deploy Reboot tab
• Post-Deploy Reboot tab
• E-Mail tab
• Custom Actions tab
• Distribution Servers tab
• Hosted VMs/Templates tab
• Used By tab
The dialog also contains Name and Description boxes that apply to the
entire template.
Name
The name you wish to assign to this deployment template.
Description
A comment that describes the purpose of this deployment template.
Once you have made your selections for this deployment template, click the
Save button and then the Close button to save the template. Click the
Cancel button and then the Close button to close the window without making
any changes. Certain types of changes will require you to save the
deployment template earlier in the process.
Deployment Template: General Tab
Copy speed
Specify how quickly you would like patches copied to the remote
machine. The faster the copy speed, the more network bandwidth you
use.
Wait
If a patch copy fails, you can specify how long to wait between retries.
Valid values are from 0 to 100 seconds.
Hours until post deployment automatic emails are sent
Enables you to specify how long to wait for patches to be successfully
deployed before sending any automatic e-mail messages. This field
forces the e-mail messages to be sent even if the console cannot
determine that all the machine deployments completed because
Deployment Tracker is not enabled or because a network connection
is lost.
Deployment Actions
There are a number of options that can be selected to take place
before, during and after patch deployment.
Before
You can choose to shut down the SQL Server and the IIS Server.
With the SQL Server you have the option to warn machines
connected to the SQL server that the services will be stopped. These
services will automatically be shut down when an SQL or IIS patch
(respectively) is applied to a remote machine regardless of this
setting. Use this setting to shut down these services when installing
OS or similar hotfixes, particularly if you are planning to reboot the
machine after installation.
During
During the deployment, you can require Patch Authority Ultimate to
back up any files that are modified in order to perform an uninstall if
something goes wrong. You can also choose to enable or disable
'Quiet Mode'. Quiet Mode does not present any evidence to the user
that the deployment is taking place. In addition, you can elect not to
send Deployment Tracker status messages from the machines being
patched. For example, clearing the Send Tracker status check box
makes sense if the machines will not be attached to the network when
the patch installation takes place.
After
After the scan is complete, you can choose to remove the patch files
that were copied during the deployment process.
Remote Dialog
Note: The Remote Dialog functions are not supported by Patch
Authority Ultimate Agent.
Show dialog on remote machine during execution: If this check
box is enabled, then if a user is logged on at the target machine at the
scheduled deployment time, a dialog box will be displayed to the user
when the deployment begins.
Title: Type the text you want to appear in the dialog box title.
Caption: Type the text you want to appear in the dialog box caption.
Deployment Template: Office Tab
Office patches are handled differently from other patches. Many Office
patches require access to the original installation media. This is because the
patches do not contain complete files. Rather, the patch represents only the
differences required to modify the original file with the patched code.
Synchronize clients with a patched Administrative Office Installation Point
Administrators can create an Office Administrative Install Point (AIP), and
then install Office on client machines from this location. Hotfixes can then
be installed to the AIP, and the remote client machines can then be told to
'update' their installations from the AIP. The update process really means
re-installing all of Office on each machine; everything on the AIP will then
get copied down to the remote machine. The install point is technically
nothing more than a network share of the requisite files, with special setup
commands.
If you specify an AIP for Office patches, then when you choose to install
any Office patches using this deployment template the machine being
patched will synchronize with the specified Office AIP.
Push patches to each machine
Alternatively, you can choose to directly deploy patches to the remote
Office clients.
Push full-file patches when possible
For many Office patches, Microsoft provides two different patch files. A
full-file patch contains entire copies of updated files, while binary or client
patches contain only the differences between the original file and the
updated file. The full-file patches are generally much larger files than the
binary patches. The full-file patches, however, are less likely to require
access to the original media. Patch Authority Ultimate allows you to choose
which type of patch to deploy when both types are available.
Note: Only full-file patches are supported by Patch Authority Ultimate
Agent. Binary Office patches cannot be deployed by Patch Authority
Ultimate Agent.
Original Media Locations and Installation Point Locations
For each version of Office that you intend to patch, you need to provide the
location of the Original Office installation media to push individual patches,
or the location of the appropriate Administrative Installation Point (AIP) if
synchronizing with a network Installation Point. To specify a path,
double-click on an Office version in the list, or select a version from the list and
click Edit.
If you need to specify the Original Media path for pushing Office patches to
machines, the path should be the full path name of the folder that contains
the original media image, as illustrated in the figure above. If you are
specifying the location of an Administrative Installation Point, type the full
path and file name of the .msi file (for example:
\\install\office11aip\pro11.msi). After defining the path name, specify the
credentials that the job on the target machine can use to access the share
that you specified.
Deployment Template: Pre-Deploy Reboot Tab
Never reboot before deployment
This SafeReboot™ capability specifies that it is unnecessary to reboot
each machine before the patches are deployed. The remaining
options on this tab will be disabled.
Always reboot before deployment
This SafeReboot™ capability specifies that each machine should be
rebooted before the patches are deployed. It is considered a best
practice to reboot machines before installing significant new software,
especially for large software changes such as operating system
service packs.
User Interaction
If you elect to reboot the machines, you can then specify the amount
of warning that a logged-on user will receive and you can choose the
degree of control the user will have over the reboot process. You can:
• Alert the user that a restart will occur when they log off.
• Select the duration to display the standard Windows shutdown
  message when the shutdown sequence is initiated.
• Allow the user to extend the time-out countdown up to a specified
  maximum. The maximum can be specified as either a duration or
  as a specific latest time that the restart will occur.
• Allow the user to cancel the time-out. If a time-out is cancelled
  the patches will not be deployed until the user logs off or
  manually restarts the machine.
• Allow the user to cancel the restart. The patches will not be
  installed until the machine is restarted.
• Elect to force a restart after a number of minutes have passed.
• Elect to force a restart at a specific date and time.
• Show a time-out countdown on the user's machine in advance of
  the restart with a specified initial time-out value. To preview the
  dialog box that the user will see, click Show Sample
  Countdown. For example:
Deployment Template: Post-Deploy Reboot Tab
Never reboot after deployment
This SafeReboot™ capability specifies that it is unnecessary to reboot
each machine after the patches are deployed. The remaining options
on this tab will be disabled.
As a rule, you should only enable this option when you are deploying
patches that you know do not require a reboot.
Always reboot after deployment
This SafeReboot™ capability specifies that each machine should be
rebooted after the patches are deployed. This is the safest option when
deploying patches as most patches require a reboot in order to
complete, but there may be times when machines are rebooted
unnecessarily.
Reboot when needed
This SafeReboot™ capability specifies that Patch Authority Ultimate
will determine whether or not a reboot of each machine is required.
Schedule reboot
If you elect to reboot the machines, you can specify when the reboot
should occur. You can:
• Reboot the machines immediately after installation
• Reboot at a specific time
• Reboot at a specific date and time
Note: If a target machine is rebooted before a scheduled reboot
occurs, the scheduled reboot is no longer necessary and will be
cancelled.
Restart and power action
You can specify the state in which you want to leave the machines after
the reboot.
• Restart: The machines are restarted and left in a powered on
  state.
• Shut down only, do not restart: The machines are powered off.
  This option is also useful if you simply want to make sure
  non-critical machines are turned off each night or over a weekend,
  saving energy.
Use defaults
This button is tied to the Restart and power action box. When you
click Use defaults, all remaining options on the dialog will be changed
to the values recommended for use with the currently selected Restart
and power action.
If a user is logged on
If you elect to restart the machines, you can specify the amount of
warning that a logged-on user will receive and you can choose the
degree of control the user will have over the restart process. You can:
• Alert the user that a restart will occur when they log off.
• Select the duration to display the standard Windows shutdown
  message when the shutdown sequence is initiated.
• Allow the user to extend the time-out countdown up to a specified
  maximum. The maximum can be specified as either a duration or
  as a specific latest time that the restart will occur.
• Allow the user to cancel the time-out. If a time-out is cancelled
  the patches will not be deployed until the user logs off or manually
  restarts the machine.
• Allow the user to cancel the restart. The patches will not be
  installed until the machine is restarted.
• Elect to force a restart after a number of minutes have passed.
• Elect to force a restart at a specific date and time.
• Show a time-out countdown on the user's machine in advance of
  the restart with a specified initial time-out value. To preview the
  dialog box that the user will see, click Show Sample Countdown.
  For example:
Deployment Template: E-Mail Tab
Note: This tab applies only to agentless deployments initiated from the
console; it does not apply to agents that may also be using this template.
This tab enables you to specify which reports should be automatically sent
and to whom the reports should get sent. The specified reports will be sent
for each deployment that uses this template.
Available Reports
There are three different deployment reports that can get sent:
• Deployment Notification: This report is sent after the deployment is
  successfully scheduled. It identifies the patches that will be deployed
  and the date and time of the pending installation.
• Deployment Status by Deployment: This report is sent after the
  deployment is complete and verified or after the maximum time
  specified on the General tab. The report provides general status
  information about the deployment.
• Deployment Status by Machine: This report is sent after the
  deployment is complete and verified or after the maximum time
  specified on the General tab. The report identifies each machine
  included in the deployment and indicates if the patch deployment on
  each machine was successful or unsuccessful.
Report Recipients
Lists the contacts you want to receive a particular report. The contacts
listed are those contained in the address book. You can add new contacts
or edit contact information by clicking the New Contact and Edit buttons,
respectively.
To specify which reports should be automatically sent and to whom they
should be sent:
1. Select a report in the Available Reports list.
2. In the Report Recipients list, select the groups and/or individuals you
want to e-mail the report to.
You can select all and clear all recipient check boxes using the Check All
and Uncheck All buttons, respectively. The selections you make are
added as report recipients in the Available Reports list.
3. Repeat Step 1 and Step 2 for each report you want to be automatically
sent.
4. When finished, click Save.
Deployment Template: Custom Actions Tab
Note: The functions on this tab are not supported by Patch Authority Ultimate
Agent.
This tab gives you the ability to push custom files to the machines being
patched, and to program customized commands that will be executed during
patch deployment. A custom action may include executing a specific
command or invoking a custom batch file at specified time(s) during the
deployment process. You can specify custom files and actions that occur
during every deployment that uses the template, or only for those
deployments that install a specific patch or service pack.
To program a new action, click New and the Custom Action dialog appears.
For example:
Step 1: Specify what patch deployment action will trigger the command.
Step 2: If in Step 1 you indicate that only the deployment of specific patches
or service packs will trigger the command, specify those files here.
Step 3: Specify when during the patch deployment process the command will
be triggered. The choices will depend on the selection made in Step 1.
• If the action is to be applied to all deployments that use this template,
  then the choices are:
  • Before any patches are installed
  • Before each patch is installed
  • After each patch is installed
  • After all patches are installed (but before reboot)
  • After reboot
  This allows you to perform actions such as custom logging.
• If the action is to be applied to a specific patch or service pack, then the
  choices are:
  • Before any patches are installed
  • Before the patch/service pack file selected in Step 2 is installed
  • After the patch/service pack file selected in Step 2 is installed
  • After all patches are installed (but before reboot)
  • After reboot
  This allows you to perform actions only when pushing a specific patch or
  service pack to a target machine using this deployment template.
• You can also choose to push a custom file (such as a custom batch file or
  custom executable file) to the target machines as part of the deployment
  by selecting Push File.
Step 4: Specify the file to push or the command to execute. The command
will be inserted into the patch installation batch file at the point(s) specified in
Step 3. If Step 3 specifies Push File then the specified file will be copied to
the target machines and put in the ProPatches\Install directory. You can
reference the file in other custom actions by specifying
%PATHTOFIXES%Install\file_name.
Example 1: If you push the file myFile.exe, you can execute that file with
the following custom command: %PATHTOFIXES%Install\myFile.exe.
Example 2: If you push the batch file myCommands.bat to the target
machines, you can invoke the batch file at the appropriate point in the
deployment with the following custom command:
call %PATHTOFIXES%Install\myCommands.bat.
Deployment Template: Distribution Servers Tab
Use Server by IP Range
If enabled, indicates that one or more distribution servers will serve as
the source for the patches during deployments using this template. See
Configuring Distribution Servers and Assigning IP Addresses to Servers
for information on configuring the distribution servers.
When patches are deployed via distribution servers, patches are not
pushed to the target machines. Rather, the target machines will
download the patches from one or more distribution servers. Patches
must be copied from the console's download center to the servers before
they will be available for deployment. See Synchronizing Servers for
information on copying patches to your distribution servers.
Note: If you are using agents to deploy custom patches then this check
box must be enabled on the deployment template used by the agents.
This is because there is no download URL for custom patches, meaning
the agents cannot pull the custom patches from a vendor and therefore
must be able to pull them from one or more distribution servers.
Use Backup Server
If desired, specify a backup distribution server that will be used if the
primary and secondary distribution servers specified on the Distribution
Servers dialog are unavailable.
Use vendor as backup source
If the primary, secondary, and backup distribution servers are
unavailable, enabling this check box will allow the machine being
patched to try to download the patch from the patch vendor's Web site.
Note: This option does not apply to custom patches because custom
patches do not contain download URLs. Custom patches must be either
pushed to the target machines from the console's download center or
pulled by the target machines from a distribution server.
Distribute scheduled start times (in minutes)
If you are deploying patches to a large number of machines at the same
time, all the machines will begin to download the patches from the
distribution server at approximately the same time. If you enable this
option, the start times for the machines will be randomly distributed over
the interval that you specify. This can help to reduce the peak network
load.
If the patch is not on the Distribution Server, retry
If a patch cannot be obtained at the scheduled deployment time, you can
specify to retry:
• Never
• After the machine is rebooted
• After the machine is rebooted and every 4, 8, 12, 24, and 48 hours
  after the machine is rebooted
Deployment Template: Hosted VMs/Templates Tab
This tab only applies if you have virtual machines in your network that are
hosted on one or more VMware servers. It enables you to specify if snapshots
will be taken of the hosted virtual machines (or of hosted virtual machine
templates) immediately before and/or immediately after patches are deployed
to the virtual machines. This tab does not apply to virtual machines that
reside on workstations.
What is a virtual machine snapshot? A snapshot captures the state,
configuration, and disk data of a virtual machine at a given time. Snapshots
are useful for storing states that an administrator or user might want to
return to at some point in the future.
Complete snapshots are taken of offline virtual machines and of virtual
machine templates. If a virtual machine is online at the time of the patch
deployment the memory state will not be included in the snapshot—this will
quicken the process and reduce the amount of time that the online virtual
machine is affected.
There are reasons why you may choose to NOT take a snapshot. You may
have a limited amount of disk space, or you may have performance concerns.
Taking a snapshot reduces the performance of the virtual machine while the
snapshot is being created.
Take pre-deployment snapshots
If enabled, indicates that Patch Authority Ultimate will take a snapshot of
the hosted virtual machine or the hosted virtual machine template before
deploying missing patches or service packs. Taking a snapshot of the
environment is a good precaution to take in the event there is a problem
with the deployment or if at some point you simply want to revert to the
original environment.
Take post-deployment snapshots
If enabled, indicates that Patch Authority Ultimate will take a snapshot of
the offline virtual machine or virtual machine template after deploying
missing patches or service packs. Taking a post-deployment snapshot of
the environment is a good idea in the event there is a problem down the
road and you want to revert to a time immediately following the patch
deployment.
Maximum snapshots Patch Authority Ultimate will manage
If enabled, indicates the maximum number of snapshots that will be
maintained for each offline virtual machine or virtual machine template.
Only snapshots created by Patch Authority Ultimate are counted. If the
threshold is exceeded the oldest snapshot is deleted. The threshold is
checked each time a new pre-deployment or post-deployment snapshot is
made.
Snapshots are saved to disk and require a certain amount of storage
space. It is important to limit the number of snapshots to avoid needless
consumption of storage space.
Delete old snapshots created by Patch Authority Ultimate (age in days)
If enabled, indicates the number of days a snapshot created by Patch
Authority Ultimate will be allowed to exist. Snapshots older than the
specified number of days are automatically deleted. The threshold is
checked each time a new pre-deployment or post-deployment snapshot is
made.
You can choose to manage snapshot retention both by the number of
snapshots and by the snapshot age. In this case, when a pre- or
post-deployment snapshot is requested, all snapshots created by Patch Authority
Ultimate that are older than the specified number of days are deleted. If the
number of remaining snapshots still exceeds the maximum number specified,
the oldest of those will be deleted until only the maximum number specified
remain.
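The combined retention rule described above, worked through as an added Python example (not ScriptLogic's code). The Snapshot type, the sample snapshot names and dates, and the choice to run the check with the newly taken snapshot already in the list are assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Snapshot:
    name: str
    created: datetime
    tool_created: bool  # False for snapshots an administrator took by hand


def plan_retention(
    snapshots: List[Snapshot],
    now: datetime,
    max_count: Optional[int] = None,
    max_age_days: Optional[int] = None,
) -> Tuple[List[Snapshot], List[Snapshot]]:
    """Return (keep, delete) for one virtual machine or template.

    Only tool-created snapshots are counted or deleted. The age rule runs
    first; the count rule then trims the oldest of whatever remains.
    A limit of None models the corresponding check box being disabled.
    """
    managed = sorted((s for s in snapshots if s.tool_created),
                     key=lambda s: s.created)
    delete: List[Snapshot] = []

    if max_age_days is not None:
        cutoff = now - timedelta(days=max_age_days)
        delete += [s for s in managed if s.created < cutoff]
        managed = [s for s in managed if s.created >= cutoff]

    if max_count is not None and len(managed) > max_count:
        excess = len(managed) - max_count
        delete += managed[:excess]      # oldest first
        managed = managed[excess:]

    unmanaged = [s for s in snapshots if not s.tool_created]
    keep = sorted(unmanaged + managed, key=lambda s: s.created)
    return keep, delete


# Constructed sample: one manual baseline plus pre/post snapshots from
# three deployments. All names and dates are made up for illustration.
NOW = datetime(2011, 2, 22, 12, 0)


def sample_snapshots() -> List[Snapshot]:
    def pair(tag: str, day: datetime) -> List[Snapshot]:
        return [Snapshot(f"pre-{tag}", day, True),
                Snapshot(f"post-{tag}", day + timedelta(hours=1), True)]

    return (
        [Snapshot("manual-baseline", datetime(2010, 6, 1, 9, 0), False)]
        + pair("jan", datetime(2011, 1, 10, 2, 0))
        + pair("feb01", datetime(2011, 2, 1, 2, 0))
        + pair("feb15", datetime(2011, 2, 15, 2, 0))
    )


if __name__ == "__main__":
    keep, delete = plan_retention(sample_snapshots(), NOW,
                                  max_count=3, max_age_days=30)
    print("delete:", [s.name for s in delete])
    print("keep:  ", [s.name for s in keep])
```

With both pre- and post-deployment snapshots enabled, each deployment consumes two slots, so a maximum of 3 leaves the pre-deployment rollback point for only the most recent deployment.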
Deployment Template: Used By Tab
This tab shows you the patch scan templates and agent policies that are
currently using this deployment template. This is important to know if you are
considering modifying the deployment template, as it tells you what other
areas of the program are affected.
Managing a Deployment Template
Custom deployment templates are listed in the My Deployment Templates
section of the Templates pane. You can right-click a template and perform a
number of different actions.
Copy
Copies the selected template. This will open up the deployment
template dialog box with a name of 'Copy of { selected template name }'
and with the same description and settings as the current template.
Delete
Deletes the current template. You cannot delete a template that is
currently being used by an agent policy.
Edit
Choosing Edit opens up the deployment template dialog box and allows
you to make changes to it. If you edit and save a template that is
currently being used by an agent policy, the agents using that policy will
be updated the next time they check in with the console.
You can also edit an existing deployment template by double-clicking the
template name.
Make Default
Selecting this option will use the currently selected template as the
default.
Rename
Enables you to type a new name for the template.
USING DEPLOYMENT TRACKER
About the Deployment Tracker
Patch Authority Ultimate includes a feature called the Patch Authority Ultimate
Deployment Tracker. This feature is designed to give you a single console
from which to monitor the status of patch deployment tasks currently in
progress. Deployment Tracker utilizes the Patch Authority Ultimate Patch
Service, which receives status messages from the target machines that are
being patched. This service is installed and started during the Patch Authority
Ultimate installation. If this service is stopped, then Deployment Tracker will
not be able to provide updated state information. Deployment Tracker can
remain running even if the Patch Authority Ultimate console is closed.
You can configure Deployment Tracker from the Tools > Options >
Deployment dialog.
For the Patch Authority Ultimate Patch Service to work properly, it must be
assigned an IP address to listen on. The Patch Authority Ultimate Patch
Service listens on the same port as the other console services (TCP port
3121). If you are on a multi-homed machine, it is necessary to choose the IP
address that corresponds to the network that will be scanned. If this service is
stopped, then Deployment Tracker will not be able to provide updated state
information.
To start Deployment Tracker, select View > Deployment Tracker. For
information on how to use the dialog, see About the Deployment Tracker
Dialog.
About the Deployment Tracker Dialog
The Deployment Tracker dialog provides at-a-glance information pertaining to
patch deployment status. Each line in the dialog indicates a single task and
includes information about the task's current state, the machine affected by
the task, a description of the task, when the task is scheduled to be started,
and the time that the last status information was collected.
You can use the boxes at the top of the dialog to specify what deployment
information is displayed in the dialog.
• Specify how often you want the patch
  deployment information within Deployment Tracker to be updated. Each
  update request causes the console to access the database and then report
  the information within Deployment Tracker. You may want to specify a
  slower update speed if you find that your database is being overtaxed by
  frequent update requests.
• Specify how many days' worth of deployments to
  show. This box is only available if the Deployments box is specified as
  All deployments, use days to show instead.
• Specify if you want to see
  information about all deployments or just a specific deployment.
You can use the check boxes near the top of the dialog to specify what state
information is displayed. The state information can help you to begin
troubleshooting possible problems.
• A patch deployment didn't fully take and more research is
  necessary. One of the more common reasons for seeing a "Failed" item in
  Deployment Tracker is because a patch that requires a reboot to complete
  was deployed but 'Do Not Reboot' was specified in the deployment
  template. If you receive a "Failed" status in Deployment Tracker, check
  the Patch Details for the patch in question to see if a reboot is required to
  complete the installation of this patch.
• A patch has not completed installation. If the status
  remains blue, it could be an indication that the remote machine cannot
  communicate back to the Deployment Tracker.
• The task was successfully implemented.
Canceling a Task
You cannot use Deployment Tracker to cancel incomplete deployment tasks.
You can, however, cancel deployments using the Scheduled Tasks Manager.
See Cancelling a Deployment for details.
UNINSTALLING PATCHES
Patch Authority Ultimate provides the ability to uninstall selected patches.
Not all patches can be uninstalled; only patches identified by the rollback
icon can be uninstalled. Uninstalling or "rolling back" patches restores a
machine to its original state before the patch was deployed. Patches must be
rolled back in the reverse order in which they were installed.
You can uninstall one or more patches from Scan View, Machine View, or
Patch View. There are a couple of ways to uninstall patches.
Uninstall From a Single Machine
1. In the top pane, select the desired machine.
2. In the middle pane, right-click the desired patch(es) and then select
Uninstall Selected.
Uninstall From Multiple Machines
1. In the middle pane select the desired patch(es).
2. In the bottom pane, on the Machines Installed tab, select the desired
machines or domains.
3. Right-click and then select Uninstall Selected.
Note: The Uninstall Selected menu option is not available if the patch
cannot be uninstalled.
INTERNATIONAL LANGUAGE PATCH SUPPORT
About International Patches
Patch Authority Ultimate provides the ability to download patches for a variety
of different languages in addition to English. See Accessing language support
options for information about the support for patches for different languages.
Accessing Language Support Options
To configure Patch Authority Ultimate to provide prompts for different
language patches, select Tools > Options > Patch Languages. The Patch
Languages Options dialog appears:
Select the options you want and then click Save. See Patch Language
Options for details about this dialog.
Creating a Foreign Machine Group
In addition to the support for multiple download centers (see Patch Download
Options), Patch Authority Ultimate has an additional feature that is very
useful when it comes to managing machines of different language types. The
machine group feature allows you to create a custom selection of machines
for scanning and patching.
To create a group, from the main menu select File > New > Machine Group
and type a name and description for the new group. For example:
Now add some machines to the group. You can do this in a number of ways.
You can enter machine names and IP addresses directly, or you can select
them from the Network Neighborhood by choosing the Browse Network
option.
You can now scan this group for missing patches, download any missing
patches and deploy them as normal.
CREATING CUSTOM PATCH XML FILES
Overview of the Custom Patch XML Process
CAUTION! Creating and using custom patch XML files should only be
attempted by experienced administrators. Creating and deploying inaccurate
custom patches may have seriously adverse effects on the performance of the
programs in use at your organization.
Patch Authority Ultimate provides the ability to scan for and deploy patches
not supported in the primary XML patch data file (hf7b.xml). It does this by
allowing you to create your own custom patch XML files that contain the
information about the additional patches and products you want to support.
Patch Authority Ultimate will then combine your custom XML files with the
primary XML patch data file and use that modified file when performing scans
and deployments.
Within each custom XML file you can define multiple custom products,
bulletins, and patches.
• Custom product: A product not currently supported by the primary XML
  patch data file. For example, you might have a product that was
  developed strictly for use within your organization.
• Custom bulletin: Used to announce and describe a security update. A
  custom XML file can contain multiple bulletins, and each bulletin can
  contain multiple patches. Some of the information typically included in a
  bulletin includes a summary, known issues, a list of all affected software,
  and a link to the security update (patch) file. Of course, in this case the
  patch is contained in the same XML file as the bulletin.
• Custom patch: A software update that is not currently supported by the
  primary XML patch data file. A custom patch can be applied to either an
  existing product or to a custom product. For example, you might receive a
  special private patch from a vendor, you might create your own patch to a
  vendor's product, or you might create a patch for your own custom
  product.
One major difference between a regular patch and a custom patch is that you
cannot download a custom patch to the download center in advance of a
deployment. Rather, you must make the patch available by manually copying
the patch to all expected locations (typically to the console as well as any
distribution servers).
If you are using agents to deploy custom patches, be certain you enable the
Use Server by IP Range check box on the deployment template used by the
agents. Custom patches cannot be downloaded from a vendor and the agents
must therefore be able to download the custom patches from one or more
distribution servers. See Deployment Template: Distribution Servers Tab for
more information.
Creating a New Custom XML File
To create a customized XML file you use the Custom Patch File Editor.
1. Access the Custom Patch File Editor by selecting Tools > Custom Patch
Editor.
The Custom Patch File Editor dialog is displayed.
2. Create a new custom XML file by selecting File > New or by clicking the
Create a new custom XML file link in the right-hand pane.
A dialog similar to the following is displayed.
3. Save the new custom XML file by selecting File > Save As and then
specifying the name and location of the file.
You can give the file any unique name you want. The file can be saved
anywhere you want, but a logical location is the program's DataFiles
folder.
• On Windows Vista and other newer operating systems the DataFiles
  folder is located here:
  C:\ProgramData\ScriptLogic Corporation\Patch Authority Ultimate\DataFiles
• On earlier Windows operating systems like Windows XP the DataFiles
  folder is located here:
  C:\Documents and Settings\All Users\Application Data\ScriptLogic Corporation\Patch Authority Ultimate\DataFiles
This is the directory used to store all the other XML files used by the
program.
4. Use the fields in the right-hand pane to define the file characteristics.
Last Modified Time
This read-only field indicates the last time the custom XML file
was changed.
Custom XML Display Name
Type a unique name for the file.
Custom XML Description
Type a description that explains the purpose of the file.
Validate XML
To verify that the XML file is properly formed and valid, click
this button. You should validate the XML file anytime you
make modifications to the XML file. Be sure to save the file
before performing the validation to ensure that you are
validating the most current file.
Validation Results
Displays the results of the most recent validation check.
5. Define the bulletins, products, and patches you want included in this
custom XML file.
What order to define items in a custom XML file
If creating a patch for a new product, then create the items in this order:
1. Create the new custom product.
2. Create a new bulletin, or tie the patch to an existing bulletin.
3. Create the new patch.
If creating a patch for an existing product, then create the items in this order:
1. Create a new bulletin, or tie the patch to an existing bulletin.
2. Create the new patch.
For details, see the following topics:
• Creating a Custom Product
• Creating a Custom Bulletin
• Creating a Custom Patch
Creating a Custom Product
Your organization may use a custom or "home-grown" software product. In
order for Patch Authority Ultimate to be able to scan for and patch that
product it must be able to detect the product. Creating a custom product
provides the registry key information needed for Patch Authority Ultimate to
determine whether the custom product exists on the machines it is scanning.
If you have multiple versions of a custom product you must define a unique
custom product for each version. For example, assume you currently support
both the original version as well as an updated version of a custom CRM
product. Within the Custom Patch File Editor you must create a separate
custom product for each version.
Tip: After importing a new custom XML file, you can use Patch View to verify
the custom product is contained in the updated XML patch data file.
1. To create a custom product, within Custom Patch File Editor select Insert
> Add Product or click the Add Product toolbar icon.
2. Select New Custom Product beneath the Custom Products folder.
The new custom product is selected and the product characteristics are
displayed in the right pane. For example:
3. Use the options in the right-hand pane to define the new product.
Note: To get the most current registry information we recommend using
the Microsoft Registry Editor (regedit), a tool for viewing settings in your
system registry. You can copy the required information from this tool to
the appropriate fields in this dialog.
Product Name
Provide a unique name for the product. The name cannot match a
product name already defined to Patch Authority Ultimate. Once
this custom product is defined and saved, the name you provide
here will be added to the Available Products list that is used
during the patch creation process. See the Targeting tab section
in Patch Scan Information Tab for more information.
Registry Key
You can only specify keys that are relative to the
HKEY_LOCAL_MACHINE hive. The easiest and most accurate
way to populate this box is to display the desired key from within
the Microsoft Registry Editor, copy the key name and then paste
the name into this box. The HKEY_LOCAL_MACHINE portion of
the name will likely be repeated so you'll need to remove that
portion of the name from the box.
Value Name
The name of the specific registry key.
Value Data Type
There are two options:
• String: Specifies that the data must be a string.
• DWORD: Specifies that the data must be a number.
Value Data
The expected value of the registry key. You can find this value by
locating the key within the Microsoft Registry Editor and then
looking in the Data column.
Comparison Type
This specifies the test criteria you want to use when determining if
a product exists on a scanned machine. While there are many
different options here, they can basically be broken down into two
categories:
• Comparisons to value data: The first six options (EqualTo,
  NotEqual, LessThan, LessThanOrEqual, GreaterThan,
  GreaterThanOrEqual) all relate to the value data you
  specified for the registry key.
• Exists or not exists: The last two options (Exists, NotExists)
  have nothing to do with the value data but instead simply test
  whether the registry key itself exists.
In either category, if the comparison test passes Patch Authority
Ultimate will consider the product installed.
Use 64 Bit Registry
Enable this check box if the registry key is in the 64-bit part of the
registry of a 64-bit architecture.
4. When complete, save and then validate the XML file (see Saving and
Validating Your Changes).
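An added Python model (not product code) for dry-running a custom product definition against exported registry data before the XML file is imported. The registry snapshot, the ExampleCorp key, and the handling of missing values, type mismatches and string ordering are assumptions about behaviour the guide does not specify.

```python
import operator
from dataclasses import dataclass
from typing import Dict, Tuple, Union

RegValue = Union[str, int]
# Constructed snapshot format: (view, normalized key) -> {value name: data}.
# View "64" models the Use 64 Bit Registry check box being enabled.
Registry = Dict[Tuple[str, str], Dict[str, RegValue]]

COMPARISONS = {
    "EqualTo": operator.eq, "NotEqual": operator.ne,
    "LessThan": operator.lt, "LessThanOrEqual": operator.le,
    "GreaterThan": operator.gt, "GreaterThanOrEqual": operator.ge,
}
OTHER_HIVES = ("HKEY_", "HKCU", "HKCR", "HKU", "HKCC")


def normalize_key(key: str) -> str:
    """Make a pasted key relative to HKEY_LOCAL_MACHINE and lower-case it."""
    key = key.strip().strip("\\")
    head, _, rest = key.partition("\\")
    if head.upper() in ("HKEY_LOCAL_MACHINE", "HKLM"):
        key = rest  # the Registry Key box already implies this hive
    elif head.upper().startswith(OTHER_HIVES):
        raise ValueError(f"only HKEY_LOCAL_MACHINE keys are allowed: {head}")
    return key.lower()  # registry key names are case-insensitive


@dataclass(frozen=True)
class ProductRule:
    product_name: str
    registry_key: str
    value_name: str
    value_type: str      # "String" or "DWORD"
    value_data: str
    comparison: str      # one of the eight Comparison Type options
    use_64bit: bool = False


def is_installed(rule: ProductRule, registry: Registry) -> bool:
    """True if the rule's test passes, i.e. the product counts as installed."""
    view = "64" if rule.use_64bit else "32"
    values = registry.get((view, normalize_key(rule.registry_key)))

    # Exists / NotExists ignore the value data and test only the key.
    if rule.comparison == "Exists":
        return values is not None
    if rule.comparison == "NotExists":
        return values is None
    if rule.comparison not in COMPARISONS:
        raise ValueError(f"unknown comparison type: {rule.comparison}")

    # Assumption: a missing key or value fails every value-data comparison.
    if values is None:
        return False
    actual = {k.lower(): v for k, v in values.items()}.get(rule.value_name.lower())
    if actual is None:
        return False

    if rule.value_type == "DWORD":
        if not isinstance(actual, int):
            return False                      # assumption: type mismatch fails
        expected: RegValue = int(rule.value_data, 0)
    elif rule.value_type == "String":
        if not isinstance(actual, str):
            return False
        # Assumption: ordinal, case-insensitive string comparison.
        actual, expected = actual.lower(), rule.value_data.lower()
    else:
        raise ValueError(f"unknown value data type: {rule.value_type}")
    return COMPARISONS[rule.comparison](actual, expected)


# Constructed sample data: a hypothetical in-house CRM whose 32-bit and
# 64-bit registry views report different builds.
CRM_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\ExampleCorp\CRM"
SAMPLE_REGISTRY: Registry = {
    ("32", normalize_key(CRM_KEY)): {"Version": "9.0", "Build": 900},
    ("64", normalize_key(CRM_KEY)): {"Version": "10.0", "Build": 1000},
}

if __name__ == "__main__":
    for bits in (True, False):
        rule = ProductRule("CRM 10", CRM_KEY, "Build", "DWORD", "1000",
                           "GreaterThanOrEqual", use_64bit=bits)
        print("64-bit view" if bits else "32-bit view",
              is_installed(rule, SAMPLE_REGISTRY))
```

Under this model's ordinal string comparison, "10.0" sorts below "9.0", so an ordered test on a String value can miss a newer version; a DWORD value avoids that.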
Creating a Custom Bulletin
A security bulletin provides a summary describing why a custom product or
patch is being created. Many times a bulletin will describe a particular
software vulnerability that is being addressed by a patch. You must apply a
new custom patch to a bulletin, so if you are not tying a patch to an existing
bulletin then you must create a new bulletin.
1. To create a custom bulletin, within Custom Patch File Editor select Insert
> Add Bulletin or click the Add Bulletin toolbar icon.
The new custom bulletin is selected and the bulletin characteristics are
displayed in the right pane. For example:
2. Use the options in the right-hand pane to define the new bulletin.
Bulletin Name
Type a unique name for the bulletin. The name cannot match a
bulletin name already defined to the program.
Bulletin Title
Type a short description of the bulletin.
Bulletin Summary
Type a detailed summary that describes the purpose of the
bulletin and any related patches and products.
3. When complete, save and then validate the XML file (see Saving and
Validating Your Changes).
Creating a Custom Patch
The Custom Patch File Editor is not used to create the actual patch file. The
patch itself is provided by a vendor (e.g. Microsoft) or is created by your
organization. When you create a custom patch within the Custom Patch File
Editor you are simply defining how to detect if the patch is missing from
target machines and how to deploy the patch.
1. To create a custom patch, within Custom Patch File Editor select Insert >
Add Patch or click the Add Patch toolbar icon.
The new custom patch is selected and the patch characteristics are
displayed in the right pane. For example:
2. Use the options in the right-hand pane to create the new patch.
Two major tabs are used in the right-hand pane. For detailed information
about the options on these two tabs please refer to the following topics:
• Patch Scan Information Tab
• Patch Deployment Information Tab
Important! You should avoid creating a custom patch that requires user
interaction. This is because there is no guarantee how the patch installation
process will react if there is no response to a user prompt. The most likely
scenario is that it will wait a number of hours before eventually timing out.
Use command line switches if necessary.
Patch Scan Information Tab
When creating a custom patch, two major tabs are used in the right-hand
pane. This topic describes the options and sub-tabs contained on the Patch
Scan Information tab.
This tab contains two sub-tabs that enable you to specify criteria for
determining whether or not a patch is installed. You must use your own
discretion in determining whether to specify detection criteria on the Files
tab, the Registry Keys tab, or both. If your requirements are that a specific
file version and a specific registry key value must both be detected in order to
declare that the patch is installed, then by all means do it. The
recommendation, however, is to keep things as simple as possible. If
detecting an old file version is criteria enough to determine that a patch is
required, you probably don't need to also specify registry key information
(and vice versa).
Note: If you do not specify registry key information, patches that were not
installed by Patch Authority Ultimate will be reported as Effectively Installed.
In order for Patch Authority Ultimate to display a patch as Effectively Installed
you must use a scan template that scans for both missing and installed
patches. See Creating a New Patch Scan Template for more information.
Patch Number
An identifying number for this patch. You can follow whatever numbering
convention you want when defining the patch number. The only rule is that the
number must be no more than 10 alphanumeric characters. Although it is not
mandatory for the number to be unique, in almost all cases it makes sense to
make it unique. Only in extremely rare cases is it advisable to assign the same
patch number to two or more patches.
The patch number specified here will be the number shown within the Patch
Authority Ultimate interface when referring to the patch. It is also the identifier
used by such things as patch groups when specifying which patches belong to a
certain group. As a point of reference, the patch number is akin to the knowledge
base number (or QNumber) used to identify patches in the Microsoft world.
By default the first patch in the custom XML file is C000001. This number is
automatically incremented for each new patch.
Associated Bulletin
You must associate each patch with an existing bulletin. The bulletin can be one
that you created or one that was issued by another vendor. To see the list of all
available bulletins, click the Browse button. In the dialog that appears,
select the desired bulletin and then click OK.
Patch Type
Specify the type of patch you are creating.
• Security Patches: Security bulletin related patches. This is the default
setting.
• Non-security Patches: The set of patches supported by Microsoft Software
Update Services (driver updates not supported).
• Software Distribution: Free third-party applications that can be deployed by
Patch Authority Ultimate.
• Security Tools: Patches for the malware tool provided by Microsoft.
• Custom Actions: Enables you to perform custom actions even if you are
already fully patched. It does this by scanning for a specific QNumber and
patch (QSK2745, MSST-001) that will never be found. The process uses the
temporary file Nullpatch.exe.
Severity
Assign one of the following four severity levels based on the perceived threat of
the vulnerability related to the patch.
• Critical: The problem or issue associated with the patch is deemed critical in
nature.
• Important: The problem or issue associated with the patch is deemed
important to fix.
• Moderate: The problem or issue associated with the patch is of moderate
severity.
• Low: While the problem or issue is real, the security risk or capability is
deemed to be low.
Files tab
One of the ways to determine if a patch should be installed is to check the version
number of the affected file on the machines being scanned. The Files tab is used
to specify the file version information.
Note: If you also specify criteria on the Registry Keys tab, the tests on that tab
must also be satisfied in order for the patch to be installed.
• Add: To add a new file definition, click this button.
• Remove: To remove an existing file definition, click this button.
• Edit: To edit an existing file definition, click this button.
After clicking Add or Edit, the Edit File Details dialog is displayed:
• Filename: The name of the portable executable format file affected by the
patch. For most instances the file will therefore be either a .exe or a .dll file.
• Select File: Use this button to browse the local computer or network for the
file affected by the patch. When you use this button to find the file, the
program will use information about the file you select to also populate the
Location and Version boxes. For this reason you will typically use this button
when defining the Filename box.
• Location: Specify the location of the affected .exe or .dll file. You must
provide the full directory path when specifying the location. If this box was
automatically populated by the Select File button, you may need to edit the
path if the location represents the position of the file on the local machine and
is not representative of where it will be located on all other machines.
• Version: Specify the version number of the affected .exe or .dll file.
• Comparison Type: This specifies the test criteria you want to use when
determining if a scanned machine needs this patch. The two available options
have very similar names so be careful when making your selection.
  • If the file exists, its file version must be equal to or greater than the
  specified version: The only way to fail this test is if the file exists on the
  scanned machine but its version number is less than the number specified in
  the Version box. If the file does not exist on the scanned machine then the
  patch does not apply.
  • The file must exist and its file version must be equal to or greater than
  the specified version: There are two ways to fail this test. (1) If the file does
  not exist on the scanned machine then the test fails and the patch is required.
  (2) If the file does exist but its version number is less than the number
  specified in the Version box then the test fails and the patch is required.
• File Location Parameters: Shows the parameters that can be used when
specifying a file location. Rather than specifying one hard coded location that
may not apply to every machine in your organization, you can use parameters
to specify variable locations. For example, if you want to specify the Windows
folder but the folder may be located at C:\Windows, D:\Windows, or C:\WinNT
on the different machines in your organization, you can accommodate all
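The two Comparison Type options on the Files tab differ only in how they treat a machine where the file is absent. The following model is an added example, not ScriptLogic code: the machine names, versions and outcome labels are constructed, and ordering versions as up to four numeric fields is an assumption about how dotted file versions compare.

```python
"""Model of the two Files tab comparison types (illustrative, not product code)."""
from enum import Enum


class Comparison(Enum):
    IF_EXISTS = "If the file exists, its file version must be >= the specified version"
    MUST_EXIST = "The file must exist and its file version must be >= the specified version"


class Outcome(Enum):
    PASS = "test passes"
    PATCH_REQUIRED = "test fails, patch required"
    NOT_APPLICABLE = "file absent, patch does not apply"


def parse_version(text):
    """Turn '2.4.10.0' into (2, 4, 10, 0); short forms are zero-padded.

    Comparing numeric fields avoids the string trap where '2.4.9.0'
    sorts after '2.4.10.0'.
    """
    fields = [int(f) for f in text.strip().split(".")]
    if len(fields) > 4 or any(f < 0 for f in fields):
        raise ValueError(f"not a dotted file version: {text!r}")
    return tuple(fields + [0] * (4 - len(fields)))


def evaluate_file_test(found_version, required_version, comparison):
    """Apply one file definition to one machine.

    found_version is None when the file does not exist on the machine.
    """
    if found_version is None:
        # The only point where the two comparison types disagree.
        if comparison is Comparison.IF_EXISTS:
            return Outcome.NOT_APPLICABLE
        return Outcome.PATCH_REQUIRED
    if parse_version(found_version) >= parse_version(required_version):
        return Outcome.PASS
    return Outcome.PATCH_REQUIRED


# Constructed sample data: version of the affected file found on each machine.
FLEET = {
    "WS-01": "2.4.10.0",  # already at the required version
    "WS-02": "2.4.9.0",   # older, although it sorts higher as a string
    "WS-03": None,        # file not present
    "WS-04": "2.5",       # newer, short version form
}
REQUIRED = "2.4.10.0"


def compare_fleet(fleet, required):
    """Return {machine: {Comparison: Outcome}} for both comparison types."""
    return {
        machine: {c: evaluate_file_test(found, required, c) for c in Comparison}
        for machine, found in fleet.items()
    }


def disagreements(fleet, required):
    """Machines whose result depends on which comparison type was chosen."""
    table = compare_fleet(fleet, required)
    return sorted(
        machine for machine, results in table.items()
        if len(set(results.values())) > 1
    )


if __name__ == "__main__":
    for machine, results in compare_fleet(FLEET, REQUIRED).items():
        print(machine)
        for comparison, outcome in results.items():
            print(f"  {comparison.name:<10} -> {outcome.value}")
    print("Result depends on comparison type:", disagreements(FLEET, REQUIRED))
```

With the first option, a machine that lacks the file is never reported as needing the patch, so choose the second option when the file is expected on every targeted machine.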
Registry Keys tab
Another way to determine if a patch should be installed is to check for the data
defined on certain registry keys on the machines being scanned. The Registry
Keys tab is used to specify the registry information. If the scanned machine
satisfies the criteria specified here then the patch will be applied.
Note: If you also specify criteria on the Files tab, the tests on that tab must also
be satisfied in order for the patch to be installed.
• Add: To add new registry key information, click this button.
• Remove: To remove existing registry key information, click this button.
• Edit: To edit existing registry key information, click this button.
After clicking Add or Edit, the Edit Registry Details dialog is displayed:
Note: To get the most current registry information we recommend using the
Microsoft Registry Editor (regedit), a tool for viewing settings in your system
registry. You can copy the required information from this tool to the appropriate
fields in the Edit Registry Details dialog.
• Registry Key: You can only specify keys that are relative to the
HKEY_LOCAL_MACHINE hive. The easiest and most accurate way to
populate this box is to display the desired key from within the Microsoft
Registry Editor, copy the key name and then paste the name into this box.
The HKEY_LOCAL_MACHINE portion of the name will likely be repeated so
you'll need to remove that portion of the name from the box.
• Value Name: The name of the specific registry key.
• Value Data Type:
  • String: Specifies that the data must be a string.
  • DWord: Specifies that the data must be a number.
• Value Data: The expected value of the registry key. You can find this value
by locating the key within the Microsoft Registry Editor and then looking in the
Data column.
• Use 64 Bit Registry: Enable this check box if the registry key is in the 64-bit
part of the registry of a 64-bit architecture.
Targeting tab
This tab enables you to specify which products apply to this patch. By default all
available operating systems will be evaluated. You can greatly speed the
evaluation process if you can narrow the list of products. Targeting the patch to a
limited number of products can be a real time saver during the scan process as it
eliminates the scanning of unnecessary products.
Said Another Way: If you do not specify any products in the Selected Products
list, the patch will be associated with all available operating systems. The program
will scan for the patch regardless of what is installed on the target machines. This
can be useful if you want to perform a mass distribution of the patch, but it can
also be quite time consuming. If you specify one or more products in the Selected
Products list, the patch will be associated with only those products and not with
any unspecified operating systems.
Tip: After importing a new custom XML file, you can use Patch View to verify the
custom patch is associated with the correct product(s).
To narrow the list of products:
1. Enable the Target the patch to the selected operating systems and applications
check box.
2. In the Available Products list, select the desired product and move it to the
Selected Products list.
The Available Products list contains all products currently defined in the XML
patch data file (hf7b.xml), plus any new custom products you may have defined
using the Custom Patch File Editor.
3. Repeat Step 2 for each product that applies to this patch.
4. When complete, save and then validate the XML file (see Saving and
Validating Your Changes).
Patch Deployment Information Tab
When creating a custom patch, two major tabs are used in the right-hand
pane. This topic describes the options contained on the Patch Deployment
Information tab.
Patch Install File
The patch file that will be used when the conditions specified on the
Patch Scan Information tab are met. This file is typically supplied by the
vendor of the product you are patching. You can use the browse button to
locate and select this file. Doing so will automatically populate the Patch
Install File Size box.
You are specifying just the file name here and not the full path name to
the patch install file. The actual file used in the patch process may have
several different names and may reside in several locations, including the
console and possibly one or more distribution servers. See the
description of the Patch Supported Languages option for more
information.
Patch Install File Size (bytes)
Specifies the size of the patch install file. This box is automatically filled in
when you use the Browse button to select the Patch Install File.
Providing the file size enables the program to accurately determine the
progress during the installation process.
Patch Install File Command Line Switches
Specify any command line switches you want to use during the
installation of the patch. For example, you might want a silent install
(/quiet), you might want to dictate that the target machines are not
restarted (/norestart), etc.
Patch Supported Languages
Enable the check boxes for the operating system languages you want to
support with this custom patch. There are two reasons for doing this:
• It tells the program which languages are supported by the patch.
• It tells you what identifying text should be added to the end of the
patch file name.
IMPORTANT! You must make as many copies of the file as is needed
using the appropriate names and then make those files available
everywhere the patch file is expected to reside.
Example 1: Assume your vendor supplied two versions of the same
patch, one for English language systems named
SamplePatchENGLISH.exe and one for French language systems named
SamplePatchFRENCH.exe. You must add the text shown in the
Expected File Name column to the end of the associated patch file. In
this example the updated file names would be
SamplePatchENGLISH.exe and SamplePatchFRENCH_FRA.exe. (The
English language patch does not require the suffix, although
SamplePatchENGLISH_ENU.exe would also work.) You then place
copies of each file in the console's download center and on the
appropriate distribution servers.
Example 2: Assume your vendor supplied a patch file named
SamplePatch.exe and that file supports English, French, and German
language systems. You must make three copies of the file, rename them
by adding the text shown in the Expected File Name column to the end
of each file name, and then place copies of each file on the appropriate
distribution servers. In this example the file names would be
SamplePatch.exe, SamplePatch_FRA.exe, and SamplePatch_GER.exe.
When complete, save and then validate the XML file (see Saving and
Validating Your Changes).
Saving and Validating Your Changes
Anytime you create a new custom XML file or make changes to an existing
custom XML file, you should save your changes and then perform a validation.
The validation ensures that the custom XML is properly formed and will
interact correctly with Patch Authority Ultimate's primary patch XML file.
You should always save the custom XML file before performing the validation.
If you don't save the file the validation will be performed on the previously
saved version of the file.
To validate a custom XML file:
1. Save the file by selecting File > Save.
2. In the left-hand pane select the topmost folder.
This folder specifies the location of the custom XML file.
3. In the right-hand pane click Validate XML.
The results are displayed in the Validation Results section at the bottom
of the right-hand pane. If an error is detected you must correct that error
before attempting to use the custom XML file.
Changing a Custom XML File
If you make changes to an existing custom XML file, you must use the Edit
Custom Patch Collection dialog to remove the old version of the custom
XML file and then re-import the updated file. If you just save the file without
removing and then re-importing it, the program will continue to use the old
version of the file.
Specifying Which Custom XML Files to Use
Patch Authority Ultimate enables you to create many different custom XML
files. However, you may not want to use all your custom XML files all the
time. For this reason Patch Authority Ultimate also enables you to specify
which of your custom XML files (if any) you want to use in your scans
and deployments.
Note: For information on creating custom XML files, see Creating A New
Custom XML File.
To specify the custom XML files that will be used in your scans and
deployments:
1. From the Patch Authority Ultimate menu select Manage > Custom
Patches.
The Edit Custom Patch Collection dialog is displayed. It contains a list
of custom XML files you have previously imported into the dialog. For
example:
2. (Optional) If you have created additional custom XML files that are not
currently in the list, you can add them to the list by clicking Import.
Navigate to the custom XML file you want to add and then click Open. The
new XML file is added to the list. Repeat this step for each new custom
XML file you want to add to the list.
Important! Any custom XML file that has been changed since it was
initially imported must be removed and then re-imported. If you just reimport a changed file without first removing it, the program will continue
to use the old version of the file.
3. Enable the check boxes for the custom XML files you wish to include in
your patch scans and deployments.
The XML files included in all future scans and deployments will be the
standard XML patch file (hf7b.xml) plus any of the custom XML files
enabled here. The available XML files are called your collection; the
custom XML files currently enabled for use are called your active collection.
4. Click OK.
Patch Authority Ultimate will perform a validation process to ensure that
all the selected custom XML files and the primary XML patch file can be
successfully combined. Although you should have already validated each
individual custom XML file, Patch Authority Ultimate must make sure that
the files collectively are okay. For example, if you inadvertently used the
same name for two different custom products in two different custom XML
files, the validation process will catch this.
If an error occurs during the validation process the custom XML files will
not be used. You must correct the problem and try again.
Removing a Custom XML File
To remove a custom XML file that has been previously combined with the
primary XML file:
1. On the Edit Custom Patch Collection dialog, clear the check box of the
custom XML file you no longer want to use.
2. Click OK.
Only those custom XML files still enabled will be included in the validation
process and used with the primary XML file.
Viewing Custom Patches and Products
Once a custom XML file is used within a scan, the custom products and
patches defined within the custom XML file will be displayed in Patch View.
For example:
They will also be displayed when adding patches to a patch group. For
example:
Be careful though. Just because a custom product or patch is displayed in
Patch View or in a patch group doesn't guarantee it is still being used in scans
and deployments. It only indicates that the custom product or patch was at
some point included in a scan or deployment. If you remove a custom XML
file from the list of active custom XML files (see Specifying Which Custom XML
Files to Use), the products and patches within that custom XML file will not be
used in subsequent scans and deployments. A custom XML file must be active
in order to be used.
USING PATCH VIEW
About Patch View
The Patch View is an extremely powerful and flexible tool. It enables you to
display detailed information about every product patch contained in the XML
patch data file. It organizes the information so it is displayed in one
comprehensive view, regardless of when the patches were released.
With Patch View you can:
• Quickly and easily display the list of products supported and the
associated patches with each product
• Display detailed information about any patch
• Search for specific patches or patch components
• Filter the information and drill down into the table for a more detailed
analysis
• Perform actions on each patch
• Quickly determine which machines have a selected patch installed or are
missing a selected patch
Accessing Patch View
Patch View is accessed by clicking the toolbar icon, or by
selecting View > Patch View.
A sample Patch View is shown here:
Navigating Patch View
Patch View consists of two panes. Each pane displays unique information and
provides unique functionality. The panes are interrelated in that the
information presented in the bottom pane is dependent on what is selected in
the top pane. This "top down" approach means you use the top pane to view
high-level information and the bottom pane to drill down to more detailed
information.
• The top pane displays all patches that are currently contained in the XML
patch data file. See the following topics for information on using the top
pane:
  • Searching Patch View
  • Filtering Patch View
  • Performing Actions on Patches
  • Customizing the Column Headers
• The bottom pane displays detailed information about the patch selected in
the top pane. See the following topics for information on using the bottom
pane:
  • Viewing Patch Details
  • Viewing Machines Missing A Selected Patch
  • Viewing Machines That Contain A Selected Patch
  • Customizing the Column Headers
Modifying the Look of Patch View
The Patches menu enables you to perform the following actions on the
product and patch trees in the top pane.
Expand All
Expands all product and patch trees in the top pane.
Collapse All
Collapses all product and patch trees in the top pane.
Export visible patches to CSV
Export information about the patches contained in the top pane to a
Comma Separated Values (CSV) file. The CSV file can then be
used within a spreadsheet program.
Customizing the Patch View Column Headers
You can easily customize the way information is displayed within any of the
panes in Patch View.
• You can reorder the columns by clicking and dragging the column headers
to new locations.
For example, if you want Bulletin ID information to be displayed in the
first column of the top pane, simply click on the Bulletin ID icon and drag
it to the first column.
Tip: When reordering columns, the column header you are moving will
always be placed in front of the column you drag it to.
• You can right-click within a column header and perform a number of
additional actions.
Sort Ascending
Sorts the selected column in ascending order.
Sort Descending
Sorts the selected column in descending order.
Column Chooser
Enables you to add and remove information from Patch View. When you
select Column Chooser the Customization dialog is displayed. This
dialog is used to store the columns you don't currently want displayed
within the table. Simply click and drag the desired column headers from
the table to the Customization dialog. For example, if you decide you don't
want User Criticality and Comment information displayed in the table,
simply drag those column headers into the Customization dialog.
If you decide you want an item back in the table, simply click and drag it
from the Customization dialog back to the table.
Best Fit
Resize the width of the selected column so that the header text is
displayed in the optimal amount of space.
Best Fit (all columns)
Resize the width of all columns in the table so that the header text is
displayed in the optimal amount of space.
Hide
Moves the selected column to the Column Chooser Customization dialog,
effectively removing the column from the table.
Group by
Moves the selected column to the first column in the table, effectively
grouping the table by that column.
USING THE TOP PANE
Understanding the Top Pane
The top pane in Patch View displays a table containing detailed information
about each patch contained in the XML patch data file. Click on a column
heading to sort the table by that information. You can also specify what
information is presented by right-clicking the table heading and selecting or
clearing the available items.
By default the table is ordered by product name. If you expand a product tree
you can see all of the patches and service packs associated with that product.
If you select a patch, information about that patch is displayed on the Patch
Information tab of the bottom pane.
No information is displayed on the Patch Information tab if you select a
service pack (represented by SP1, SP2, etc. in the QNumber column). In
addition, most products contain a unique entry whose Service Pack Name
and QNumber are both Gold. These entries represent the "out of the box"
base installation of a product, they contain no downloaded files, and are
therefore neither a patch nor a service pack.
Searching Patch View
You can easily search for a number of different patch components contained
in the top pane of Patch View. All searches are performed using the Search
tool.
The Search tool contains two logic boxes. In the first box you select one of
the predefined category types, and in the second box you specify the patch
item you want to find. You initiate the search by pressing Enter or by clicking
the search icon. Only those patches matching the search criteria are
displayed; all other patches are hidden.
Tips for Using the Search Tool
• The Search tool works only on the information currently visible in the top
pane.
• If a Smart Filter is applied, only patches matching BOTH the search
criteria and the smart filter criteria are displayed.
• All partial matches are displayed. For example, if you search for products
named acrobat, any product with "acrobat" in its name will be considered
a match (e.g. Acrobat Distiller, Acrobat Reader, etc.).
• The use of wildcards in the Search tool is not allowed.
Filtering Patch View
Information displayed in the top pane can easily be filtered to narrow the
focus to only those patches of interest. One way to do this is by using the
Smart Filter.
The Smart Filter initially contains one default filter (*All Patches). Any patch
groups you create will also become default filters. Default filters are identified
by a leading asterisk. Default filters cannot be modified or deleted.
Custom Filters
You can create your own custom filters. This is a powerful tool that enables
you to specify exactly which patches you want displayed in Patch View. Each
custom filter is comprised of one or more rules. You can define as many rules
in a filter as needed.
To create a new filter:
1. Click New.
The Smart Filter dialog is displayed:
2. Specify which rules in the filter must be matched.
• All: Only those patches that match all the rules in the filter will be
displayed.
• Any: Patches that match at least one rule in the filter will be displayed.
3. Define one or more rules.
To define a rule, select an option in each of the first two logic boxes and
then type the criteria in the third box. To add another rule simply click
Add Rule.
4. Type a name for the filter.
5. When you are finished defining your custom filter, click Save/Rename.
Example
Assume you want to see a list of all critical patches for Internet Explorer 7. You
simply create a filter similar to the following:
Performing Actions on Patches
Right-Click Menu
You can right-click on any patch in the top pane of Patch View and perform a
number of different actions. For example:
Download
Enables you to download the selected patches or service packs to the
download center. When you click this button the Select Patches to
Download dialog is displayed. Use this dialog to select which language
version(s) of the patch you want to download.
Delete
Enables you to delete the selected patches from the download center. If
the selected patches have never been downloaded, this command will be
unavailable.
Open Bulletin(s) in Browser
Enables you to display, within your default Web browser, vendor
information about the selected patch bulletin.
Add to Patch Group
Enables you to add the selected patches to a new or existing patch group.
See Creating and Editing a Patch Group for more information.
Set Criticality
Criticality is the user supplied threat and severity level associated with a
particular vulnerability. While ScriptLogic Corporation can reasonably
evaluate the general threat posed by a patch, even the most critical
patches will not always warrant a sense of urgency in organizations in
which the vulnerability poses little or no threat. Therefore, Patch Authority
Ultimate provides a mechanism to allow the administrator to assign a
custom level of criticality for each patch. Criticality can be assigned by
clicking Set Criticality and choosing one of the options from the shortcut
menu. If you assign a custom criticality to a patch, the flag displayed in
the lower pane will change to the appropriate color.
(Red) Critical
(Orange) High
(Yellow) Medium
(Brown) Low
(Gray) Ignore
(Clear) None (criticality not set)
Add Comment
Enables you to provide a comment about the patch.
Expand All
Expands all patch trees in the top pane.
Collapse All
Collapses all patch trees in the top pane.
Export selected patches to CSV
Export information about the selected patches to a Comma Separated
Values (CSV) file. The CSV file can then be used within a spreadsheet
program.
Keyboard Shortcuts
The following keyboard shortcuts are available:
• CTRL+click: Multiple patches can be selected by holding down the CTRL
key while selecting patches.
• Ctrl+A: Selects all patches.
• SHIFT+click: A contiguous group of patches can be selected by holding
down the SHIFT key while selecting the starting and ending patches in the
list.
• SHIFT+PAGE UP: Selects a range of patches from the one currently
selected to the top of the display. Each time you press Page Up an
additional range of patches is added to the selection.
• SHIFT+PAGE DOWN: Selects a range of patches from the one currently
selected to the bottom of the display. Each time you press Page Dn an
additional range of patches is added to the selection.
• HOME: Moves the focus to the first cell in the table.
• END: Moves the focus to the last cell in the table.
USING THE BOTTOM PANE
Viewing Patch Details
The Patch Information tab in the bottom pane displays detailed information
about the patch, service pack, or informational item selected in the top pane.
Detailed information will not be displayed if multiple patch items are selected
in the top pane.
Download
Enables you to download the patch to the download center. When you
click this button the Patch Download Status dialog is displayed. Use
this dialog to select which language version of the patch you want to
download. On the dialog, if the download icon is grayed out, it
indicates the patch has not yet been downloaded. If the icon is green,
it indicates the patch has already been downloaded and verified.
Bulletin ID
Provides a link to the Microsoft Security Bulletin article that describes the
threat addressed by this patch.
Superseded by
If shown, indicates that the patch is superseded by another more recent
patch.
Microsoft Knowledge Base Article
Provides a link to the associated Knowledge Base article that provides
more information about the flaw.
Vendor Severity
ScriptLogic Corporation assigns one of four severity levels based on its
perceived threat of the vulnerability related to the patch.
(Red) ScriptLogic Corporation has deemed the problem
associated with this patch to be Critical in nature.
(Orange) ScriptLogic Corporation considers the problem
related to this patch Important to correct.
(Yellow) The related vulnerability is of Moderate severity.
(Brown) While it poses a security risk, ScriptLogic
Corporation deems that risk to be Low.
Included in
If shown, indicates that the patch is contained in a service pack.
CVEID
Provides a link to the Common Vulnerabilities and Exposures article that
describes the threat addressed by this patch.
Description
Identifies the product that is affected by this patch, and describes how
the product is vulnerable.
Summary
Provides a concise description of the threat addressed by this patch.
Comments
If shown, provides comments from ScriptLogic Corporation about this
patch.
Registry key table
Identifies the registry key information used to determine whether the
product in question exists on the target machines. This table can be
sorted by clicking within a column header.
File name table
Shows the file criteria used for determining whether or not a patch is
installed. This table can be sorted and customized. See Customizing the
Column Headers for more information.
Viewing Machines That Are Missing A Selected Patch
The Machines Missing tab in the bottom pane displays the machines that
are missing the patch that is selected in the top pane. These machines are
vulnerable to the threat corrected by the patch. For example:
The Machines Missing table can be sorted and customized. See Customizing
The Patch View Column Headers for more information.
Viewing the List of Machines That Contain the Selected Patch
The Machines Installed tab in the bottom pane displays the machines that
contain the patch that is selected in the top pane. For example:
This table can be sorted and customized. See Customizing The Patch View
Column Headers for more information.
Using Machine View
About Machine View
Machine View is an extremely powerful and flexible tool. It enables you to
display current information about every machine in your network that has
been previously scanned and whose information resides in the database. It
organizes all of the scanned machines so they are displayed in one
comprehensive view, regardless of when the machines were scanned.
Machine View provides an easier method to both view and manage the
current security state across both agent-based and agentless systems.
Machine View differs from Scan View, which requires you to first locate the
scan in which the machine was assessed before drilling down to view the
machine’s scan summary.
The advantages of Machine View include:
• You are not restricted to viewing just those machines involved in a
particular scan. You can view all the machines that have ever been
scanned.
• You can quickly assess the status of all machines in your organization.
Accessing Machine View
Machine View is accessed by clicking the icon in the toolbar or
by selecting View > Machine View.
A very simple Machine View is shown here:
For information on using Machine View, see Navigating Machine View.
Note: Machine View will be empty if you view it immediately after installing
the program. This is because there is no machine information in the database
to display.
Navigating Machine View
Machine View consists of three panes. Each pane displays unique information
and provides unique functionality. The panes are interrelated -- the
information presented in a lower pane is dependent on what is selected in the
pane directly above it. This "top down" approach means you use the top pane
to view high-level information and the two lower panes to drill down to more
detailed information.
• The top pane displays all machines that have been scanned at some point
and that are "known" by the program. See the following topics for
information on using the top pane:
    • Searching Machine View
    • Filtering Machine View
    • Performing Actions on Machines
    • Customizing the Column Headers
• The middle pane displays patch management information about the
machine selected in the top pane. See the following topics for information
on using the middle pane:
    • Viewing Patch Summaries
    • Performing Actions on Patches
    • Customizing the Column Headers
• The bottom pane displays detailed information about the patch selected in
the middle pane. See the following topics for information on using the
bottom pane:
    • Viewing Patch Details
    • Viewing Machines Missing A Selected Patch
    • Viewing Machines Containing A Selected Patch
    • Customizing the Column Headers
Customizing the Column Headers
You can easily customize the way information is displayed within any of the
panes in Machine View or Scan View.
• You can reorder the columns by clicking and dragging the column headers
to new locations.
For example, if you want missing patch information to be displayed in the
first column of the top pane, simply click on the Missing Patch Count
icon and drag it to the first column.
Tip: When reordering columns, the column header you are moving will
always be placed in front of the column you drag it to.
• You can right-click within a column header and perform a number of
additional actions.
Sort Ascending
Sorts the selected column in ascending order.
Sort Descending
Sorts the selected column in descending order.
Column Chooser
Enables you to add and hide information within a pane. When you select
Column Chooser the Customization dialog is displayed. This dialog is
used to store the columns you don't currently want displayed within the
pane. Simply click and drag the desired column headers from the table to
the Customization dialog. For example, if you decide you don't want
Language and Last Scan Template information displayed in the table, simply
drag those column headers into the Customization dialog.
If you decide you want an item back in the table, simply click and drag it
from the Customization dialog back to the table.
Best Fit
Resizes the width of the selected column so that the header text is displayed
in the optimal amount of space.
Best Fit (all columns)
Resizes the width of all columns in the table so that the header text is
displayed in the optimal amount of space.
Hide
Moves the selected column to the Column Chooser Customization dialog,
effectively removing the column from the table.
Group by
Moves the selected column to the first column in the table, effectively
grouping the table by that column.
USING THE TOP PANE
Machine View Top Pane Summary
The top pane in Machine View displays a table containing detailed information
about every machine in your network that has been scanned and whose
information resides in the database. Click on a column heading to sort the
table by that information. You can also specify what information is presented
by right-clicking the table heading and selecting or clearing the available
items. Right-click on a column heading and select Column Chooser to add or
remove columns from the display.
(Icon)
Indicates whether the computer is a physical machine or an online
virtual machine defined by its name, or a physical machine
defined by its IP address, or an offline virtual machine, or
a virtual machine template.
Machine Group
The assigned machine group at the time of the scan.
Domain
The domain of the scanned machine.
Machine
The machine name.
IP Address
The IP address of the scanned machine.
Found Patch Count
The total number of patches found on the scanned machine.
Missing Patch Count
The total number of patches missing on the scanned machine.
Missing Service Pack Count
The total number of service packs missing on the scanned machine.
Agent State
The current state of the agent installed on the machine. If an agent is
not installed the No Agent icon is displayed.
Assigned Agent Policy
The name of the agent policy currently assigned to the scanned
machine.
Last Agent Check In
Shows the last time the agent checked in with the console.
Latest Patch Scan Date
Shows the last time a patch scan was performed on the scanned
machine.
Operating System
The operating system being used on the scanned machine.
Console
The console that most recently managed this machine.
Last Scan Template
The Patch Scan Template used in the latest patch scan of this
machine.
Offline Scan
Indicates if the most recent scan was performed while the machine
was offline.
Operating System Language
The locale of the machine operating system (e.g., en-US).
Patch Definition
The version of the Patch Definition data used in the last patch scan
of this machine.
Reported Agent Policy
This applies only to agent machines. This is the agent policy last
reported by the agent. It may differ from the Assigned Agent Policy if
a new policy has been assigned but the agent has not checked in
since the assignment was made.
Machine Criticality
The criticality assigned to this machine in the Manage Machine
Properties dialog. Right-click one or more machines and select
Machine Properties to edit this value.
Custom1, Custom2, Custom3
These columns display text entered in the Custom tab of the
Manage Machine Properties dialog. Right-click one or more
machines and select Machine Properties to edit these values.
The Machines menu enables you to perform the following actions on the
machines in the top pane.
Expand all
Expands all machine trees in the top pane.
Collapse all
Collapses all machine trees in the top pane.
Export visible machines to CSV
Exports information about the machines in the top pane to a Comma
Separated Values (CSV) file. The CSV file can then be used within
a spreadsheet program.
In addition, the refresh icon refreshes all machine information in the top
pane. The latest information for all machines is retrieved, and newly scanned
machines may appear.
Understanding Patch Count Data
The values for the Found Patch Count and Missing Patch Count columns
in the top pane may not always match the values shown in the middle pane.
This is because the top pane counts every patch on every machine, while the
middle pane counts only unique patches and ignores duplicates. You can use
the Machines Missing tab in the bottom pane to determine if a particular
patch is missing on multiple machines.
Machine Group Information is Dynamic
The machine group information that is displayed is based on the machine
group used to perform the most recent action on each machine. So it is
possible for the machine group information to change. For example, if you
perform a scan of a group containing three machines, the information
displayed will be similar to the following:
If you then re-scan the first machine from a different machine group, the
refreshed display will reflect this change:
The first machine is no longer listed with its original group because the most
recent scan of the machine was initiated from a different machine group.
When agents check in with the console they will be listed with the machine
group from which they were last scanned from the console.
Searching for Machines in the Top Pane
You can easily search for machines contained in the top pane. All searches are
performed using the Search tool.
The Search tool contains two logic boxes. In the first box you select one of
the predefined category types, and in the second box you specify the machine
item you want to find. You initiate the search by pressing Enter or by clicking
the search icon. Only those machines matching the search criteria are
displayed; all other machines are hidden.
Tips for Using the Search Tool
• The Search tool works only on the information currently visible in the top pane.
• If a Smart Filter is applied, only machines matching BOTH the search
criteria and the smart filter criteria are displayed.
• All partial matches are displayed. For example, if you search for machines
named Test, any machine with "test" in its name will be considered a
match (e.g. TestMachine1, Contest, etc.).
• The use of wildcards in the Search tool is not allowed.
Using Smart Filter to Filter Information in the Top Pane
Information displayed in the list can be easily filtered to narrow the focus to
only those machines of interest. One way to do this is by using the Smart
Filter.
The Smart Filter contains several default filters. You can also define your own
custom filters.
Default Filters
The default filters are identified by a leading asterisk. Default filters cannot be
modified or deleted. The default filters include the following:
• *All Machines: All machines are displayed, including servers and
workstations.
• *Workstations: Only workstations are displayed.
• *Servers: Only servers are displayed.
• *Today: Only those machines that have been scanned within the last 24
hours are displayed.
• *Last 7 Days: Only those machines that have been scanned within the
last seven days are displayed.
• *Last 14 Days: Only those machines that have been scanned within the
last 14 days are displayed.
• *Last 30 Days: Only those machines that have been scanned within the
last 30 days are displayed.
• *Last 60 Days: Only those machines that have been scanned within the
last 60 days are displayed.
• *Last 90 Days: Only those machines that have been scanned within the
last 90 days are displayed.
• *Missing at least 1 patch: Only those machines that are missing at
least one patch are displayed.
• *Has an Agent Policy: Only those machines that have Patch Authority
Ultimate Agent installed are displayed.
• *Does not have an Agent Policy: Only those machines that do not have
Patch Authority Ultimate Agent installed are displayed.
Custom Filters
You can create your own custom filters. This is a powerful tool that enables
you to specify exactly which machines you want displayed in the top pane.
Each custom filter is comprised of one or more rules. You can define as many
rules in a filter as needed.
To create a new filter:
1. Click the Create a New Smart Filter icon.
The Smart Filter dialog is displayed:
2. Specify which rules in the filter must be matched.
• All: Only those machines that match all the rules in the filter will be
displayed.
• Any: Machines that match at least one rule in the filter will be
displayed.
3. Define one or more rules.
To define a rule, select an option in each of the first two logic boxes and
then type the criteria in the third box. To add another rule simply click
Add Rule.
Note: If you define a rule that does not make sense (for example,
"Machine Name is greater than 3") the rule will simply be ignored.
4. Type a name for the filter.
5. When you are finished defining your custom filter, click Save/Rename.
Example
Assume you want to see which machines in a particular machine group are
missing more than 20 patches. You simply create a filter similar to the
following:
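The Search tool and Smart Filter semantics described above can be reproduced offline against a CSV export, for example to script a recurring report. This Python sketch is an added example, not ScriptLogic code: the CSV header layout, the operator names other than "is greater than", the case-insensitive text comparison, and the handling of a filter whose rules are all ignored are assumptions.

```python
import csv
import io

# Constructed sample standing in for Machines > Export visible machines to CSV.
# Header names reuse the top-pane column names; the real export layout is assumed.
SAMPLE_EXPORT = """\
Machine Group,Domain,Machine,Missing Patch Count
Finance,CORP,TestMachine1,23
Finance,CORP,Contest,3
Finance,CORP,FIN-DB01,41
Lab,CORP,LAB-TEST-07,27
Lab,CORP,LAB-WS-02,0
"""

NUMERIC_FIELDS = {"Found Patch Count", "Missing Patch Count",
                  "Missing Service Pack Count"}

# Operator names are hypothetical apart from "is greater than", which the guide uses.
TEXT_OPS = {
    "is": lambda have, want: have.lower() == want.lower(),
    "contains": lambda have, want: want.lower() in have.lower(),
}
NUMBER_OPS = {
    "is": lambda have, want: have == want,
    "is greater than": lambda have, want: have > want,
    "is less than": lambda have, want: have < want,
}


def load_rows(csv_text):
    """Parse an exported CSV into a list of dicts keyed by column header."""
    return list(csv.DictReader(io.StringIO(csv_text)))


def _to_int(text):
    try:
        return int(text)
    except (TypeError, ValueError):
        return None


def compile_rule(field, operator, criteria):
    """Return a row predicate, or None for a rule that does not make sense."""
    if field in NUMERIC_FIELDS:
        compare, wanted = NUMBER_OPS.get(operator), _to_int(criteria)
        if compare is None or wanted is None:
            return None

        def numeric(row):
            have = _to_int(row.get(field))
            return have is not None and compare(have, wanted)
        return numeric

    compare = TEXT_OPS.get(operator)
    if compare is None:  # e.g. "Machine is greater than 3"
        return None
    return lambda row: compare(row.get(field) or "", criteria)


def smart_filter(rows, rules, match="All"):
    """Apply rules with All (every rule) or Any (at least one rule) matching."""
    if match not in ("All", "Any"):
        raise ValueError("match must be 'All' or 'Any'")
    # Rules that make no sense are ignored, as the guide's note describes.
    predicates = [p for p in (compile_rule(*rule) for rule in rules) if p]
    if not predicates:
        return list(rows)  # assumption: nothing left to filter on
    combine = all if match == "All" else any
    return [row for row in rows if combine(p(row) for p in predicates)]


def search(rows, category, text):
    """Case-insensitive partial match on one column; text is taken literally."""
    needle = text.lower()
    return [row for row in rows if needle in (row.get(category) or "").lower()]


def names(rows):
    return [row["Machine"] for row in rows]


if __name__ == "__main__":
    machines = load_rows(SAMPLE_EXPORT)
    # The guide's example: one machine group, missing more than 20 patches.
    over_20 = smart_filter(machines, [
        ("Machine Group", "is", "Finance"),
        ("Missing Patch Count", "is greater than", "20"),
    ], match="All")
    print("Filter:", names(over_20))
    # Search only sees what the filter left visible, so both must match.
    print("Filter + search 'test':", names(search(over_20, "Machine", "test")))
```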
Performing Actions on Machines
Right-Click Menu
You can right-click on any machine in the top pane and perform a number of
different actions. For example:
Patch Scan / Scan With
Enables you to initiate a patch scan of the selected machines using any
of the available patch scan templates.
Deploy All Missing Patches
Enables you to deploy (install) all patches currently missing on the
selected machine. See Deploy to All Scanned Machines for more
information.
Test Patch Deployment
Enables you to perform a test deployment to the selected machines. This
is especially useful for patch deployments you want to schedule for a
later time. Testing the deployment allows you to correct any potential
problems in a deployment and make it less likely that a deployment will
fail. See the Operations Monitor for more information.
Note: Test deployments will not work on offline virtual machines.
Power
Enables you to modify the power state of the selected machines. You
can immediately restart or shut down the machine(s).
Add to Machine Group
Enables you to add the selected machines to a new machine group or to
an existing machine group. See Creating A New Machine Group for more
information.
Important! Machines you add to the machine group are automatically
assigned credentials. The credentials assigned will be either the
credentials used in the previous scan of the machine or, if no credentials
were assigned in the previous scan, the default credentials will be
assigned. In the latter case, if the default credentials are not valid for the
machines, and if the account credentials of the person currently logged
on to the program are also not valid for the machines, scans of the
machines you just added to the group will fail. To prevent scanning
errors, always supply credentials for machines you add to a machine
group. See Supplying Credentials for more information.
Refresh (Machine View only)
Refreshes the information displayed in the top pane.
Note: This menu item is available in Machine View but not in Scan View.
Machine Properties
Enables you to view and edit machine properties. See Managing
Individual Machine Properties for more information.
Agents
Enables you to:
• Install an agent, assign a different policy to the agent, or uninstall an
agent.
• Send a number of different commands to the selected agents. The
commands apply only to machines that already have agents
installed, that are online, and that are configured to be listening
agents. See the Send command description for detailed information
about the available commands.
• (Machine View only) Initiate any of the tasks currently defined
within the selected agents. When you select a task a confirmation
dialog is displayed. If you choose to continue, the task is
immediately started on the agent machines. See Creating a New
Agent Policy for information on the types of tasks that may be
available.
Delete (Machine View only)
Deletes the selected machine from Machine View. If the machine is
rescanned it will be re-added to Machine View.
Deleting a machine from Machine View also affects the information
displayed for that machine within Scan View (see Accessing Patch Scan
Results). The machine will be moved to the Machines Not Scanned tab
and all previous scan information for that machine will be lost.
Note: This menu item is available in Machine View but not in Scan View.
Expand All
Expands all machine trees in the top pane. This can also be
accomplished using the Machines > Expand All menu.
Collapse All
Collapses all machine trees in the top pane. This can also be
accomplished using the Machines > Collapse All menu.
Export selected machines to CSV
Exports information about the selected machines to a Comma Separated
Values (CSV) file. The CSV file can then be used within a spreadsheet
program. This can also be accomplished using the Machines > Export
visible machines to CSV menu.
View Executive Summary Report (Scan View only)
Generates an Executive Summary report that provides a high-level
summary about the patches and the machines discovered by the scan.
Keyboard Shortcuts
The following keyboard shortcuts are available:
• Ctrl+A: Selects all machines.
• CTRL+click: Multiple machines can be selected by holding down the CTRL
key while selecting machines.
• SHIFT+click: A contiguous group of machines can be selected by holding
down the SHIFT key while selecting the starting and ending machines in
the list.
• SHIFT+PAGE UP: Selects a range of machines from the one currently
selected to the top of the table.
• SHIFT+PAGE DOWN: Selects a range of machines from the one
currently selected to the bottom of the table.
• HOME: Moves the focus to the first cell in the table.
• END: Moves the focus to the last cell in the table.
USING THE MIDDLE PANE
Viewing Patch Summaries in Machine View
The Patches tab in the middle pane displays general patch information about
the machine(s) selected in the top pane. If multiple machines are selected in
the top pane, this tab will display patch information for all selected machines.
For example, if you select multiple domains in the top pane, summary
information about all the machines in all domains will be displayed. The
Affected Machine Count column indicates how many of the selected
machines are affected by a specific patch or service pack.
A patch that is scheduled for deployment is considered to be still missing. This
status will change after the patch is successfully installed.
The values for the Found Patch Count and Missing Patch Count columns
in the top pane may not always match the values shown in the middle pane.
This is because the top pane counts every patch on every machine, while the
middle pane counts only unique patches and ignores duplicates. You can use
the Machines Missing tab in the bottom pane to determine if a particular
patch is missing on multiple machines. Also, the middle pane breaks the
patches into different categories and does not treat patches that are
scheduled for installation or that are pending a reboot as installed.
You can customize the way information is displayed within this pane. See
Customizing the Column Headers for information.
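Why the top-pane totals and the middle-pane counts diverge, here and in Understanding Patch Count Data, shown as an added Python illustration that is not part of the guide or the product. The scan records are constructed, the patch IDs are placeholders, and the sketch assumes both panes treat a scheduled patch as still missing; summing the Affected Machine Count over the unique patches recovers the top-pane total.

```python
from collections import defaultdict

# Constructed scan records: (machine, patch, state). Names and IDs are placeholders.
RECORDS = [
    ("WS-01", "PATCH-A", "missing"),
    ("WS-01", "PATCH-B", "missing"),
    ("WS-01", "PATCH-C", "installed"),
    ("WS-02", "PATCH-A", "missing"),
    ("WS-02", "PATCH-B", "scheduled"),
    ("WS-02", "PATCH-C", "installed"),
    ("SRV-01", "PATCH-A", "missing"),
    ("SRV-01", "PATCH-C", "missing"),
    ("SRV-01", "PATCH-D", "installed"),
]

# The guide states that a patch scheduled for deployment is still missing.
STILL_MISSING = {"missing", "scheduled"}


def top_pane_counts(records):
    """Per-machine Found / Missing Patch Count: every patch on every machine."""
    counts = defaultdict(lambda: {"found": 0, "missing": 0})
    for machine, _patch, state in records:
        counts[machine]["missing" if state in STILL_MISSING else "found"] += 1
    return dict(counts)


def middle_pane_summary(records, selected):
    """Unique patches across the selected machines, mapped to affected machines."""
    summary = {"found": defaultdict(set), "missing": defaultdict(set)}
    for machine, patch, state in records:
        if machine in selected:
            bucket = "missing" if state in STILL_MISSING else "found"
            summary[bucket][patch].add(machine)
    return {bucket: {patch: sorted(hosts) for patch, hosts in patches.items()}
            for bucket, patches in summary.items()}


def machines_missing(records, selected, patch):
    """What the Machines Missing tab answers for one patch."""
    return middle_pane_summary(records, selected)["missing"].get(patch, [])


def reconcile(records, selected):
    """Compare top-pane totals with middle-pane unique counts for a selection."""
    top = top_pane_counts(records)
    middle = middle_pane_summary(records, selected)
    result = {}
    for bucket in ("found", "missing"):
        result[bucket] = {
            "top_pane_total": sum(top.get(m, {}).get(bucket, 0) for m in selected),
            "middle_pane_unique": len(middle[bucket]),
            "affected_machine_sum": sum(len(h) for h in middle[bucket].values()),
        }
    return result


if __name__ == "__main__":
    everything = {"WS-01", "WS-02", "SRV-01"}
    for bucket, numbers in reconcile(RECORDS, everything).items():
        print(bucket, numbers)
    print("PATCH-A missing on:", machines_missing(RECORDS, everything, "PATCH-A"))
```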
Performing Actions on Patches
Right-Click Menu
You can right-click on any patch in the middle pane of Machine View and
perform a number of different actions. For example:
Deploy
Enables you to deploy (install) patches or service packs currently
missing on the machine(s) selected in the top pane. See Deploying
One or More Patches to a Machine for more information.
Uninstall Selected
Enables you to uninstall (rollback) the selected patch. See How to
Uninstall Patches for more information.
Download Selected
Enables you to download to the download center the selected patches
or service packs. See Downloading Patches for more information.
Delete
Enables you to delete selected patches from the download center.
Open Bulletin(s) in Browser
Displays the related Microsoft security bulletin within a Web browser.
Add to Patch Group
Enables you to add the selected patch(es) to an existing patch group or
to a new patch group. See Creating and Editing a Patch Group for more
information.
Set Criticality
Criticality is the user-supplied threat and severity level associated with a
particular vulnerability. While ScriptLogic Corporation can reasonably
evaluate the general threat posed by a patch, even the most critical
patches will not always warrant a sense of urgency in organizations in
which the vulnerability poses little or no threat. Therefore, Patch
Authority Ultimate provides a mechanism to allow the administrator to
assign a custom level of criticality for each patch. Criticality can be
assigned by clicking Set Criticality and choosing one of the options
from the shortcut menu. If you assign a custom criticality to a patch, the
flag displayed in the lower pane will change to the appropriate color.
(Red) Critical
(Orange) High
(Yellow) Medium
(Brown) Low
(Gray) Ignore
(Clear) Criticality not set
Add Comment
Enables you to add your own specific comment about the patch.
Expand All
Expands all patch and informational trees in the middle pane.
Collapse All
Collapses all patch and informational trees in the middle pane.
Export selected patches to CSV
Exports information about the selected patches to a Comma Separated
Values (CSV) file. The CSV file can then be used within a spreadsheet
program.
Keyboard Shortcuts
The following keyboard shortcuts are available:
• Ctrl+A: Selects all patches.
• CTRL+click: Multiple patches can be selected by holding down the CTRL
key while selecting patches.
• SHIFT+click: A contiguous group of patches can be selected by holding
down the SHIFT key while selecting the starting and ending patches in the
list.
• SHIFT+PAGE UP: Selects a range of patches from the one currently
selected to the top of the table.
• SHIFT+PAGE DOWN: Selects a range of patches from the one currently
selected to the bottom of the table.
• HOME: Moves the focus to the first cell in the table.
• END: Moves the focus to the last cell in the table.
USING THE BOTTOM PANE
Viewing Patch Information
The Patch Information tab in the bottom pane displays detailed information
about the patch, service pack, or informational item selected in the middle
pane. Detailed information will not be displayed if multiple patch items are
selected in the middle pane.
Download
Enables you to download the patch to the download center. When you
click this button the Patch Download Status dialog is displayed. Use this
dialog to select which language version of the patch you want to
download. On the dialog, if the download icon is grayed out, it
indicates the patch has not yet been downloaded. If the icon is green,
it indicates the patch has already been downloaded and verified.
Bulletin ID
Provides a link to the Microsoft Security Bulletin article that describes the
threat addressed by this patch.
Superseded by
If shown, indicates that the patch is superseded by another more recent
patch.
Microsoft Knowledge Base Article
Provides a link to the associated Knowledge Base article that provides
more information about the flaw.
Vendor Severity
ScriptLogic Corporation assigns one of four severity levels based on its
perceived threat of the vulnerability related to the patch.
(Red) ScriptLogic Corporation has deemed the problem
associated with this patch to be Critical in nature.
(Orange) ScriptLogic Corporation considers the problem
related to this patch Important to correct.
(Yellow) The related vulnerability is of Moderate severity.
(Gray) ScriptLogic Corporation has not assigned a severity
level to this problem.
Included in
If shown, indicates that the patch is contained in a service pack.
CVEID
Provides a link to the Common Vulnerabilities and Exposures article that
describes the threat addressed by this patch.
Description
Identifies the product that is affected by this patch, and describes how the
product is vulnerable.
Summary
Provides a concise description of the threat addressed by this patch.
Comments
If shown, provides comments from ScriptLogic Corporation about this
patch.
Registry key table
Identifies the registry key information used to determine whether the
product in question exists on the target machines. This table can be
sorted by clicking within a column header.
File name table
Shows the file criteria used for determining whether or not a patch is
installed. This table can be sorted and customized. See Customizing the
Column Headers for more information.
Viewing Machines That Are Missing A Selected Patch
The Machines Missing tab in the bottom pane displays the machines that
are missing the patch that is selected in the middle pane. These machines are
vulnerable to the threat corrected by the patch.
The Machines Missing table can be sorted and customized. See Customizing
the Column Headers for more information.
Viewing the List of Machines That Contain the Selected Patch
The Machines Installed tab in the bottom pane displays the machines that
contain the patch that is selected in the middle pane. For example:
This table can be sorted and customized. See Customizing the Column
Headers for more information.
Typical Uses of Machine View
Machine View is extremely powerful and flexible, and there are many, many
uses for it. Here are just a few examples.
• "Do I have any machines that are missing a large number of patches?"
To see if your network contains one or more machines that are "bad
eggs," simply click the Missing Patch Count column header and sort the
table in descending order. The machines that are missing the most
patches are shown at the top of the table. The following figure shows a
very simple example containing two scanned machines. One of the
machines needs a little work (it is missing 3 patches), but the other
machine needs immediate attention as it is missing 23 patches. You can
immediately rectify the situation by simply right-clicking the machine and
selecting Deploy All Missing Patches.
• "Can I compare all the machines within a machine group?"
Yes. Simply click and drag the Machine Group column header to the first
column. This will order the machines by machine group. Expand the
machine group to view all machines within the group.
• "A recently released patch has been deemed mandatory by my
organization. How do I see which machines have the patch installed and
which machines are missing the patch?"
You can do this very easily. In the top pane select the desired domain or
machine group, in the middle pane select the patch, and then in the
bottom pane use the Machines Missing and the Machines Installed
tabs.
• "How do I know which machines have Patch Authority Ultimate Agent
installed?"
In the heading row, click the Agent State column heading. This will
sort the table, grouping together all machines that have Patch Authority
Ultimate Agent installed and placing that group at the top of the table.
Click the icon a second time to move to the top of the table the group of
machines without Patch Authority Ultimate Agent installed. For more
information, see Determining Which Machines Have Agents.
VIEWING SUMMARIES AND MACHINE PROPERTIES
Manage Items
You can get a complete list of available prior scans and patch deployments by
selecting Manage > Items.
If you want to delete certain items in a list, select the desired items in the list
and then click Deleted Selected. If you would like to remove all items in a
list, click Delete All. Deleting an item here also deletes it from its associated
list (Today's Items, Recent Items, or Archive Items) in the Patch Results
pane and permanently removes it from the database.
Accessing Machine Properties
You can define several different properties for each machine contained in
Patch Authority Ultimate's database of managed machines. You can assign
properties to individual machines or to a set of selected machines. You access
the Machine Properties dialog from within Machine View or Scan View by
right-clicking the desired machine(s) and selecting Machine Properties. For
example:
The Machine Properties dialog is displayed. See Managing Individual
Machine Properties if you are defining properties for an individual machine or
Managing Multiple Machine Properties if you are defining properties for two or
more machines.
Managing Individual Machine Properties
The Manage Machine Properties dialog contains several tabs that enable
you to define many different properties for an individual machine.
General tab
Enables you to define a variety of general information about the machine. In
addition, you can define a custom port for the machine to use when
communicating with the ScriptLogic Scheduler service. The value you define
here overrides the value defined on the Tools > Options > Scheduling dialog. If
you select Global Default, the value defined on the Tools > Options >
Scheduling dialog is used.
Custom tab
Enables you to write custom notes about properties unique to the machine (for
example, serial numbers, physical location, etc.). The Custom Field section at
the bottom of this tab enables you to define an unlimited number of name/value
data pairs that can be used for reference purposes.
E-Mail tab
Enables you to specify which reports should be automatically sent and to whom
the reports should get sent. The specified reports will be sent whenever the
machine is involved in a scan or a deployment.
To configure reports:
1. Select a report in the Reports list.
2. In the Report Recipients list, select the groups and/or individuals you want
to e-mail the report to.
3. Repeat Step 1 and Step 2 for each report you want to be automatically sent.
4. When finished, click Save.
Statistics tab
Displays a trend chart showing the number of found and missing patches
detected in the last several scans. This enables you to quickly determine if the
patch security state of a machine is trending up or down.
Managing Multiple Machine Properties
The Machine Properties dialog enables you to define several common
properties for two or more machines.
Machines to update
Contains a list of the machines that will be affected by the properties you
define.
Patch drive path
Enables you to specify the drive and the path to use on the target machines
when patches are downloaded during a patch deployment. Do this only if
you do not want to use the default location (C:\Windows\ProPatches). For
example, if the C: drive on your target machines is low on space, you might
specify that the patches are instead written to the D: drive. The
"ProPatches" name is automatically appended to whatever path you
specify. For example, if you specify "D:\ABC," the final destination for the
patches will be "D:\ABC\ProPatches."
Criticality
Enables you to specify a custom criticality level for the listed machines. This
value is something you assign and use for your own purposes. For
example, if you have a set of machines that are of particular importance to
your company, you can assign a criticality level to the machines and then
use the filtering and sorting capabilities in Machine View to quickly locate
the machines and determine their status.
If you assign a custom criticality level, the flag displayed in the Machine
Criticality column of Machine View will change to the appropriate color.
(Red) Critical
(Orange) High
(Yellow) Medium
(Gray) Low
(White) Ignore
Custom 1, Custom 2, and Custom 3
These three fields enable you to write custom notes about properties that
are unique to the listed machines. For example, you might use Custom 1 to
specify the machine type (laptop, desktop, server, etc.), Custom 2 to
specify the machine location (St. Paul, Dallas, Seattle, etc.), and Custom 3
to specify the department that owns the machine (HR, Accounting, IT, etc.).
You can use the fields to filter or sort machines within Machine View or
Scan View.
USING THE OPERATIONS MONITOR
About the Operations Monitor
The Operations Monitor is designed to give you a single console from which to
monitor background tasks. The background tasks currently monitored include
patch scans, agent installations, and test patch deployments.
The Operations Monitor is displayed automatically whenever one of these
background tasks is performed. To manually access the Operations Monitor,
select View > Operations Monitor.
A dialog similar to the following is displayed:
Hide
Minimizes the Operations Monitor dialog.
Clear All Completed
Removes all completed tasks from all tabs.
Patch scans
Displays a unique tab for each machine group, domain, or favorite that is
being scanned. The tab shows the steps involved in the patch scan and the
progress of each step. See Monitoring a Patch Scan for more information.
Agent Installations tab
Displays status information about agents that have been "push installed"
from the console to the machines in your network.
Test Patch Deployment tab
Patch Authority Ultimate includes the ability to perform a test deployment
for any patches that are to be deployed. This is especially useful for patch
deployment that has been scheduled for a later time. Testing the
deployment allows you to correct any potential problems in a deployment
and make it less likely that a deployment will fail.
The Test Patch Deployment tab displays the results of a test deployment.
A test deploy returns either a pass or a fail depending on what it finds. For
example, if the Workstation or Scheduling services are not started in a
particular machine, Patch Authority Ultimate cannot deploy patches to it
and a test deploy will return a failing result.
USING THE SCHEDULED TASKS MANAGER
About the Scheduled Tasks Manager
The Scheduled Tasks Manager is designed to give you a single location from
which to monitor the patch scan and patch deployment tasks currently
scheduled on any of the machines in your network. Scheduled patch scans
will be displayed on the console machine, and scheduled patch deployment
tasks will be displayed on their respective target machines.
You can use the Scheduled Tasks Manager to modify and delete the scheduled
tasks. For example, if you know a certain machine will be unavailable on a
certain day you can reschedule any tasks that are set to be performed on that
machine. The Scheduled Tasks Manager requires the ScriptLogic Scheduler to
be installed and running on each managed machine. See Installing the
ScriptLogic Scheduler for more details. The Scheduled Tasks Manager can be
run even if the Patch Authority Ultimate console is closed.
Note: The Scheduled Tasks Manager is different than Deployment Tracker. The
Scheduled Tasks Manager enables you to monitor and modify scheduled scans
and deployment tasks, while Deployment Tracker only enables you to monitor
active deployment tasks (and not scans).
You can access the Scheduled Tasks Manager the following ways:
• Select Manage > Scheduled Tasks
• Click [icon] on the toolbar
• Select Start > Programs > ScriptLogic Corporation > Scheduled
Tasks Manager
A dialog similar to the following will appear:
Note: If you recently upgraded to Patch Authority Ultimate 7.x and are
experiencing problems using the Scheduled Tasks Manager to communicate
with your machines, it could be you need to install the latest version of the
ScriptLogic Scheduler on your machines. See Installing the ScriptLogic
Scheduler for details.
The Scheduled Tasks Manager dialog contains three distinct panes:
• The left pane displays all the domains and machines currently residing in
the managed machines database (accessible via the Manage > Items
menu). The icon representing each machine changes depending on the
state of the machine:
  • [icon] = ScriptLogic Scheduler service available on the machine but no
  jobs currently scheduled
  • [icon] = ScriptLogic Scheduler service available on the machine and one or
  more jobs are currently scheduled
  • [icon] = ScriptLogic Scheduler service not available on the machine
  • [icon] = Machine data is currently being refreshed
You can also perform a number of actions by right-clicking on a domain or
machine, as illustrated here:
• The upper-right pane contains two tabs.
  • The Jobs tab contains a table that displays the jobs (if any) that are
  currently scheduled for the machine or domain selected in the left
  pane. You can sort this table a number of different ways simply by
  clicking the individual column headers. You can also perform a number
  of actions by right-clicking on a job, as illustrated here:
  • The Log tab contains a table that displays the available log files for the
  selected machine, providing a history of the jobs that have been
  performed on the machines. You can sort this table a number of
  different ways simply by clicking on an individual column header.
• The Jobs tab contains a lower pane that displays detailed information
about the job selected in the upper pane.
Installing and Uninstalling the ScriptLogic Scheduler
The Scheduled Tasks Manager uses the services of the ScriptLogic Scheduler
when managing tasks on a machine. The Scheduled Tasks Manager cannot
manage machines that do not contain the ScriptLogic Scheduler. One
indication that the ScriptLogic Scheduler is not installed on a machine is if the
machine icon appears dimmed.
Note: You can manually verify if the ScriptLogic Scheduler is installed on an
individual machine by selecting Administrative Tools > Services and
looking for the ScriptLogic Remote Scheduler Service.
If the ScriptLogic Scheduler is configured to be the preferred scheduler for
Patch Authority Ultimate (see Scheduling Options), then it will be
automatically installed on each machine during patch scans and patch
deployments. If the ScriptLogic Scheduler is not configured to be the
preferred scheduler, you can manually install it on individual machines from
within the Scheduled Tasks Manager.
1. Right-click the desired machine and select Scheduler Service > Install.
2. Type the user name and password of an account on the machine that
contains administrative privileges.
3. Click Install.
If the installation is successful the machine icon will change from a
dimmed appearance to a normal appearance.
CONFIGURING PROGRAM OPTIONS
Configuration Options Overview
You can configure a number of different options within Patch Authority
Ultimate. For example, you can define the physical appearance of the
program, you can define how machines are scanned, you can define how
patches are deployed, you can define which languages to support, etc.
The configuration options are all available from the Tools > Options menu,
which will cause the Options dialog to appear.
To configure an option category, simply select it from the list in the left-hand
pane and then configure the related options that appear in the right-hand
pane. Each option category is described in detail in the remainder of this
section.
Display Options
The Display Options dialog allows you to specify the buttons you want
displayed in the left-hand pane (the navigation bar).
Buttons
The following buttons are available for display in the button tray at the
bottom of the navigation bar. A button will be displayed only if the
associated check box is enabled.
Note: Another way to specify which buttons are displayed in the button
tray is by clicking the Configure Buttons icon located in the
bottom-right corner of the button tray. See About the Home Page for more
details.
• Machine Groups: Displays the machines, domains, and groups that
can be readily scanned.
• Patch Groups: Displays the patch groups you have defined. A
patch group enables you to scan for just the particular patches you
are interested in.
• Service Pack Groups: Displays the service pack groups you have
defined. A service pack group applies only to agents and enables
you to deploy just the service packs you are interested in.
• Patch Scan Templates: Displays the available patch scan
templates.
• Agent Policies: Displays the list of agent policies currently available.
• Deployment Templates: Displays the list of deployment templates
that are available. A deployment template specifies how patches are
installed on machines.
• Favorites: Displays the list of favorites you have defined. A favorite
consists of a collection of machines and a choice of how to scan the
machines.
• Patch Results: Displays the patch scans and deployments that have
been performed. There are three available lists:
  • Today's Items: Displays the scans and deployments that have been
  performed today.
  • Recent Items: Displays a list of recent patch scans and
  deployments. By default, after 15 days items in this pane are moved
  to the Archive Items pane. You can use the last # days box to
  change the number of days' worth of information to display in the
  Recent Items pane. You can specify a maximum of 100 days.
  • Archive Items: Displays a list of scans and deployments that were
  performed more than 15 days ago (or more than the number of days
  specified on Recent Items).
Optional features
Specify which of the following optional features you want to be available:
• Refresh every MM minutes: Specify how often Patch Authority
Ultimate will update the information in the navigation bar. Valid
values are 1 - 999 minutes.
• Show only items created by me: If enabled, shows only those
scans and templates that have been created by the current user.
• Show main toolbar: If enabled, displays the standard toolbar directly
beneath the menu bar.
• Show Informational items in patch scan results: If enabled,
displays informational items on the Patches tab in Scan View and
Machine View.
Notification and Warning Options
The Display Options dialog allows you to specify the buttons you want
displayed in the left-hand pane (the navigation bar).
Show 'Run Now' Dialog
Displays the Run Now dialog after you initiate a patch scan. The dialog
enables you to specify when the scan should be performed.
Enabling the Do not show this dialog again check box will prevent the Run
Now dialog from appearing again.
Prompt for language(s) on download
Enable this check box if you want Patch Authority Ultimate to prompt you for
language options whenever you initiate the download of a patch (see
Downloading non-English language patches). If this option is not enabled,
Patch Authority Ultimate will automatically download patches for the
languages selected in the Default languages to download list.
Display the file size confirmation dialog before downloading
Specify if you want the program to inform you of the file size of the patch
before it is downloaded. You may want to enable this option if you have a
low-speed Internet connection and you want the option to cancel the
download of particularly large files.
Warn before scheduling deployments in the past or within 24 hrs
If enabled, will cause a warning dialog to be displayed anytime you attempt to
schedule a patch deployment to run within the past 24 hours or within the
next 24 hours. The dialog is a reminder that the deployment may run
immediately depending on the time zone of the target machine(s).
Close status dialog after deployment
If enabled, will cause the deployment status dialog to automatically close
upon completion of a patch deployment.
Definition Download Options
The Definition Download dialog allows you to specify the location from
which the files used by the program will be downloaded and refreshed. The
files include the scan engines, the news file displayed on the home page, the
deployment information file, and other files that can be updated. The program
will check an Internet location or the specified distribution server to determine
if newer versions of the files are available.
Temporarily disable auto-refresh for all files (Run Disconnected)
If enabled, the program will not automatically check for and
download newer files. If this option is not enabled, the program will
check for updated files whenever a new scan is performed or
(optionally) whenever the program is started. This option can also
be toggled using the Tools > Run Disconnected menu item.
If you are running in disconnected mode, you can manually refresh
all files by selecting Help > Refresh Files from the main menu.
Download newer files when the application starts
If enabled, will cause the program to automatically check for and
download updated engines, XML files, and data definition files
each time the program is started. This option is not available if you
are running in disconnected mode.
Automatically download engines and definitions
If enabled, will cause the program to automatically check for and
download updated engines, XML files, and data definition files to
the console on a regular basis. This can speed your scan
processes by making the necessary files available in advance of a
scan.
• If you are using one or more distribution servers and you want
them to be automatically synchronized with the console
whenever an automatic download occurs, then enable the
Automatically synchronize distribution servers after
download check box. The files will be copied to your
distribution servers immediately after they have finished being
downloaded to the console. Enabling this check box will also
enable the Core engines and definitions check box on the
distribution server Synchronize tab.
• If you want the download to occur one or more times a day,
use the Download every hh hours beginning at option to
specify how often the downloads should occur. The available
download values are all factors of 24 in order to preserve the
time of day the first download will occur.
• If you want the download to occur on a weekly basis, use the
Download weekly on option to specify the day and time you
want the download to occur.
Definition download source
You can specify where the latest scan engines and data files
downloaded by this console are located. The available options are:
• Default (http://xml.shavlik.com): Indicates you want to use
the default location when downloading the files. The files are
located at http://xml.shavlik.com.
• Custom share or URL: You must specify the path name of
the share or the URL of the Web site that will be used when
downloading files. It is the administrator's responsibility to
make the files available at this location.
• Specific Distribution Server: You must select the name of
the distribution server that will be used when downloading
files. You must have previously configured one or more
distribution servers in order for the names to be pre-populated
in this box. For more information see Configuring Distribution
Servers. You can copy the latest files to the distribution
servers using the Synchronize Engines and XML button (see
Synchronizing Servers).
Refresh Files
If you click this button, the latest versions of the
files used by the program will be downloaded from the
specified location.
Patch Download Options
The Patch Downloads dialog allows you to specify how patches and service
packs will be downloaded by the console and where they will be stored.
Download Center Path
A download center is used to store patches. Only one download center can
be specified at any one time. You can, however, define multiple download
centers to use to store patches. Separate download centers may be used for
international patch support. However, there may be times when you want to
use separate download centers for other reasons. For example, if you use
multiple servers to store patches, you can create download centers that point
to the patch location on each server.
Using a Remote UNC Share Directory
If desired, you can specify a remote share directory for the patch download
center. In order for this to work, appropriate permissions need to be set on
the remote directory. Both the Patch Authority Ultimate console user and the
console machine need to be granted access to the download center. The
console user should have read/write permission to the share and the console
machine needs read access. When specifying share permissions for a
machine, you must append a "$" to the end of the machine name. For
example:
In some configurations additional users may need to be granted access to
the download center. If you specify machine or machine-group credentials for
machines that do not download patches from a distribution server, the
specified user names will require read access to the download center share.
Making the download center share readable by everyone may or may not be
an effective strategy. It depends on:
• Whether the credential users and the download center host belong to
the same (or trusted) domain(s)
• The specifics of the local security policy
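The share permissions described above, written out with PowerShell's SMB cmdlets as an added example (it is not part of the ScriptLogic guide). The folder, share, user and machine names are placeholders; the script grants the console user read/write, grants the console machine account read, and then lists any broad grants for review.

```powershell
#Requires -RunAsAdministrator
# Added example. Every name below is a placeholder, not a value from the guide.

function New-PatchDownloadCenterShare {
    [CmdletBinding()]
    param(
        [string]$Path           = 'D:\PatchDownloads',
        [string]$ShareName      = 'PatchDownloads',
        [string]$ConsoleUser    = 'CONTOSO\PatchAdmin',
        # Machine accounts carry a trailing "$". Single quotes stop PowerShell
        # from treating the "$" as the start of a variable name.
        [string]$ConsoleMachine = 'CONTOSO\PATCHCONSOLE$'
    )

    if (-not $ConsoleMachine.EndsWith('$')) {
        throw "Machine account '$ConsoleMachine' must end with '`$'."
    }

    if (-not (Test-Path -LiteralPath $Path)) {
        New-Item -ItemType Directory -Path $Path | Out-Null
    }

    # NTFS layer: remove inherited entries, then grant only what is needed.
    # M = modify (read/write) for the console user, RX = read for the machine.
    icacls $Path /inheritance:r /grant:r `
        'BUILTIN\Administrators:(OI)(CI)F' `
        'NT AUTHORITY\SYSTEM:(OI)(CI)F' `
        "${ConsoleUser}:(OI)(CI)M" `
        "${ConsoleMachine}:(OI)(CI)RX" | Out-Null
    if ($LASTEXITCODE -ne 0) {
        throw "icacls failed on '$Path' (exit code $LASTEXITCODE)."
    }

    # Share layer: naming the accounts explicitly means the share is created
    # without the default Everyone/Read entry.
    New-SmbShare -Name $ShareName -Path $Path `
        -ChangeAccess $ConsoleUser `
        -ReadAccess $ConsoleMachine `
        -Description 'Patch download center' | Out-Null

    Get-SmbShareAccess -Name $ShareName
}

function Get-BroadShareGrant {
    # Returns Allow entries for wide groups so they can be reviewed against
    # the domain trust and local security policy points listed above.
    [CmdletBinding()]
    param([string]$ShareName = 'PatchDownloads')

    $broad = 'Everyone', 'NT AUTHORITY\Authenticated Users', 'BUILTIN\Users'
    Get-SmbShareAccess -Name $ShareName |
        Where-Object {
            $_.AccessControlType -eq 'Allow' -and $broad -contains $_.AccountName
        }
}

# Usage:
# New-PatchDownloadCenterShare
# Get-BroadShareGrant -ShareName 'PatchDownloads'
```

Additional accounts that need read access (for example machine or machine-group credentials) can be added afterwards with Grant-SmbShareAccess and a matching icacls /grant entry.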
New
Use this button to create a new download center.
Delete
Use this button to delete the currently selected download center.
Change
Use this button to modify the characteristics of the currently selected
download center.
Directory
Displays the location of the currently selected download center.
Vendor web sites
Patches deployed from the console are downloaded directly from the Web
sites of the companies that author the patches. This is the default. The
locations of the Web sites are stored in the patch information file.
The other options available on this dialog are used if this console does not
have an Internet connection or when the patches and service packs are
being pre-downloaded to some central location.
Custom share or URL
If enabled, you must specify the path name of the share or the URL of the
Web site that will be used when downloading files. It is the administrator's
responsibility to make the files available at this location.
Specific Distribution Server
If enabled, you must select the path name of the distribution server that will
be used when downloading files. You must have previously configured one
or more distribution servers in order for the names to be pre-populated in this
box. For more information see Configuring Distribution Servers. You can
download patches and service packs using one console and push them to
the distribution servers using the Synchronize Download Center button
(see Synchronizing Servers).
One interesting but necessary side effect of enabling this option is that the
Enable synchronization between console and distribution server check
box on the Distribution Server dialog will be automatically disabled. Why?
Because in this particular case you do not want the console to synchronize
with the distribution server. Doing so would cause the contents of the
distribution server (the patches and service packs) to be overwritten by the
contents of the console (which may not contain anything at all).
If you later change from Specific Distribution Server to either Vendor web
sites or Custom share or URL, syncing is again permitted but the program
does not re-enable it automatically. You must remember to go to the
Distribution Server dialog and manually re-enable the Enable
synchronization between console and distribution server check box.
Default Credential Options
The Default Credentials dialog allows you to specify the default
authentication credentials that will be used by the program.
Prompt when needed
Specifies if the program will prompt you if the default credentials are
needed during a scan or deployment.
Save Default Credentials
Specifies if the default credentials are saved by the program.
Set
Enables you to specify the default user name and password credentials.
Clear
Deletes the default credentials currently saved by the program. This
button is unavailable if the credentials are not currently defined.
Create a temporary systemdrive share if none exists
Enables Patch Authority Ultimate to create and use a temporary
administrator share name on a target machine during the authentication
process. The share name will be removed from the target machine when
the scan or deployment is complete.
While this option does not apply to most organizations, if you are an
organization that for whatever reason has disabled or renamed the
administrator share names (C$, D$, etc.) on your target machines, then
you must enable this check box in order for Patch Authority Ultimate to
access those machines.
Patch Language Options
The Patch Language Options dialog enables you to specify which
language(s) to use when downloading patches.
Use this language for the download status indicator
Click the drop-down list and select the language that will be represented
by the download status indicator.
For example, assume you select German in this field. If you then view a
patch summary and the download status indicator for a particular patch
looks like this
(colored) it means the German language version of
the patch has been downloaded. If the download status indicator looks
like this
(clear), however, it means the German language version of
the patch has not been downloaded.
For details about the download status of other language versions of a
patch, see Downloading Non-English Patches Individually.
Default languages to download
Select the languages in this list that you want to specify as your default
languages. The next time you download a patch, all default language
versions of the patch will be automatically downloaded.
Scan Options
The Scan Options dialog allows you to specify scanning options.
Default Favorite
The group you wish to set as the default Favorite. A favorite defines
which machine groups to scan and how the machines will be scanned.
Default Patch Scan Template
The scan template you wish to set as the default when performing
patch scans.
Use only the browse list (scan by domain only)
When scanning domains, the machines scanned are those contained in
the "browse list" of machines in your Microsoft network rather than all
the machines in the domain as specified by the domain controller.
Using this option will typically reduce the number of machines that the
program will attempt to connect to when performing the scan.
Disable supersedence
Instructs the scan engine to scan for all patches, ignoring
supersedence. For example, instead of reporting one missing MS
Internet Explorer patch (the latest and most superseding), all missing IE
patches will be reported.
Connection timeout (seconds)
The maximum amount of time to wait for a target machine to respond to
the console during a scan. If the console cannot make a connection to
the target machine in the specified number of seconds the machine is
skipped. A connection attempt may time out earlier than the specified
value; this setting simply puts a maximum value on the wait time.
Generate MBSA-formatted output for patch scan results
Following a successful patch scan, MBSA-compatible data will be
written to an output file. You will then be able to use the file as input to
an MBSA viewer.
Include only unsupported MBSA products in MBSA-formatted output
MBSA-compatible data will be written to an output file, but only for the
Microsoft products no longer supported by Microsoft Baseline Security
Analyzer. This check box is only available if the Generate MBSA-formatted
output for patch scan results check box is enabled.
MBSA output directory
Specifies the location of the MBSA-compatible output file that will be
created following a scan. The default location is one of the following:
• On Windows Vista and other newer operating systems:
C:\ProgramData\ScriptLogic Corporation\Patch Authority
Ultimate\SecurityScans
• On earlier Windows operating systems like Windows XP:
C:\Documents and Settings\All Users\Application Data\ScriptLogic
Corporation\Patch Authority Ultimate\SecurityScans
This box is only available if the Generate MBSA-formatted output for
patch scan results check box is enabled.
MBSA Output File Name
Specifies the base file name that will be used for the file containing the
MBSA output. The machine name and the date/time stamp of the scan
will be appended to the base name. The full file name will therefore be:
YOURNAME-domain-computer(date time).mbsa. The file will reside in
the directory specified in the MBSA XML output directory box.
Deployment Options
The Deployment Options dialog allows you to specify how patches will be
deployed.
Default Deployment Template
Specifies the deployment template to use as the default. Any new
deployment templates you previously defined will be included in the
drop-down list. For more information see About Deployment Templates.
Deployment Tracker address
Specifies the IP address used by Patch Authority Ultimate Deployment
Tracker. If you are on a multi-homed machine, it is necessary to choose
the IP address that corresponds to the network that will be scanned.
If desired, you can elect to specify the console host name rather than the
IP address.
Patch Authority Ultimate Deployment Tracker uses the same port as the
other console services (3121 by default).
Scheduling Options
The Scheduling Options dialog enables you to specify which scheduler
service you prefer to use on each machine when performing patch scan and
patch deployment tasks. The scheduler is used to initiate the tasks at the
specified time, whether immediately or at some specified time.
Microsoft Scheduler
Use this scheduler service in those circumstances where it provides the
needed functionality.
ScriptLogic Scheduler
The ScriptLogic Scheduler service is faster and more secure than the
Microsoft Scheduler service. A copy of the ScriptLogic Scheduler
service is pushed to each target machine where it is used to initiate the
tasks. With the ScriptLogic Scheduler service you can specify what
should happen to the service after it is finished performing its tasks. The
ScriptLogic Scheduler is required if you wish to use the Scheduled
Tasks Manager. You can also install the ScriptLogic Scheduler to
individual machines using the Scheduled Tasks Manager.
The ScriptLogic Scheduler is the default scheduler service.
Note: If the ScriptLogic Scheduler should for some reason fail or be
unavailable, the Microsoft Scheduler will be automatically invoked.
Default Scheduler Port
Specifies the port used by ScriptLogic Scheduler service. By default the
ScriptLogic Scheduler service listens on TCP port 5120. If desired, you
can override this global default on a machine-by-machine basis (see
Managing Individual Machine Properties).
Scheduler Lifetime
This specifies what to do with the ScriptLogic Scheduler service after it
completes its tasks on the target machine.
• Leave the service running: Leaves the service running so it is
instantly available for future scans or deployments.
• Stop the service and leave it installed in service control
manager: Stops the service and leaves it installed in service control
manager. This doesn't use CPU time on the target machine but it
keeps the service available for future use.
• Stop the service and remove it from service control manager:
Stops the service and removes it from service control manager.
Certain files are left on the system for easy reuse.
Agent Options
The Agent Options dialog allows you to specify how agents that are
manually installed will authenticate themselves to the console during the
registration process. The options are:
• Passphrase authentication: If the Enable passphrase in manual
Agent installations check box is enabled, users will be required to
specify a matching passphrase during the manual agent installation
process. Passphrase authentication is best used when individuals without
administrative credentials will be manually installing agents. For example,
in large organizations it may not be feasible for one administrator to
manually install agents on hundreds of different machines. Specifying a
passphrase allows individuals to install agents on their own machines
without the need for console credentials.
Tip: A blank passphrase is permissible and for simplicity may be the
preferred passphrase.
• Windows authentication: This will be used if the Enable passphrase
in manual Agent installations check box is not enabled. Credentials
with administrator rights on the Patch Authority Ultimate console will be
required when manually installing an agent on a machine.
CAUTION! Be careful when using Windows authentication. If the machine
on which you are installing the agent is already infected with malware that
is capable of capturing passwords, your credentials could be
compromised. For this reason, passphrase authentication is the
recommended option.
In some cases it may make sense to use a combination of methods. You
might use passphrase authentication to initially install the bulk of your agents
and then switch to Windows authentication for all future manual installations.
Enable passphrase in manual Agent installations
• If enabled, indicates that a passphrase will be used to authenticate to
the console when manually installing an agent.
• If not enabled, indicates that Windows authentication will be used
when manually installing an agent.
Passphrase
If the Enable passphrase in manual Agent installations check box is
enabled, type the passphrase you want users to use during the manual
agent installation process. The passphrase can be any number of words
or characters and is case-sensitive. A blank passphrase is allowed,
although for security purposes this is not recommended.
Confirm
Retype the same passphrase in this box to confirm the passphrase.
Logging Options
The Logging Options dialog allows you to specify how much data you want
the program to record in the program logs.
Logging levels
Specify how much data you want the program to record in the program logs.
You can specify different recording levels for user interface activity and for
background services activity. For each category the options are:
• All: Records all events in the log, including Start, Stop, Suspend,
Transfer, and Resume events.
• Verbose: Records Critical, Error, Warning, Information, and Verbose
events in the log.
• Information: Records Critical, Error, Warning, and Information events in
the log. This is the default value.
• Warnings: Records Critical, Error, and Warning events in the log.
• Errors: Records Critical and Error events in the log.
• Critical: Records only Critical events in the log.
• Nothing: No entries are recorded in the log.
Log file locations
The logs are located in the following directory on the console:
• On Windows Vista and other newer operating systems:
C:\ProgramData\ScriptLogic Corporation\Logs
• On earlier Windows operating systems like Windows XP:
C:\Documents and Settings\All Users\Application Data\ScriptLogic Corporation\Logs
Proxy Options
The Proxy Options dialog allows you to modify the proxy settings used by
Patch Authority Ultimate when accessing the Internet using your Web
browser. In general, Patch Authority Ultimate checks the proxy settings in
Internet Explorer and conducts an Internet connectivity test to determine
whether or not proxy server settings are necessary. If Patch Authority
Ultimate is unable to access the Internet using these settings, or if you are
required to enter a user name and password each time you launch your
browser and browse the Internet, you will need to configure the proxy options
if you haven't already done so via the Setup Wizard.
Do I need Proxy Info?
To see if Patch Authority Ultimate can use your current proxy settings to
access the Internet and perform other operations, click this button. If the test
is successful then nothing further is required. If the test fails you need to
modify your proxy settings by specifying user name and password
credentials.
Use proxy
If enabled, indicates that you will supply proxy credentials and allows you to
specify user name and password information. If you clear the check box after
specifying credentials, the credentials will be saved but not used.
User name
Type the user name that should be used when accessing the Internet with
your Web browser. If you need to specify a domain as part of your
credentials, include the domain name here.
Password
Type the password used to authenticate the user name.
Verify Password
Retype the same password.
Test
To test the credentials specified in the Username, Password, and Domain
fields, click this button.
Clear
To remove existing proxy credentials defined by this dialog for this computer,
click this button.
As stated above, Patch Authority Ultimate uses the Internet Explorer proxy
settings if no authorization is required by your proxy server. If you utilize
authorization, fill out the User name, Password and Verify Password
fields. After completing the required fields, conduct another connectivity test
by clicking Test. Once verified, click Save to save the settings.
E-mail Options
The E-Mail Options dialog enables you to specify if you want to use the
automatic e-mail feature and to define the properties of the SMTP server used
for sending the automatic e-mail messages and alerts. (See E-mail Overview
for more details). To use this feature, enable the Enable automatic
E-Mailing of notifications and results check box and then specify the name
or IP address of the SMTP server you use.
Enable automatic e-mailing of notifications and results
If you want to use the automatic e-mail feature, enable this
check box. Enabling this check box enables the related options
on this dialog.
Enter your e-mail server name or IP Address
Specify the name or IP address of your local SMTP server. For
example: Exchange2.YourCompany.com
SMTP Port
Specify the port used by the SMTP server. 25 is the default.
Sender e-mail address
Specify the e-mail address that will be inserted into the From:
address field of messages that are sent to users. If the default
address causes problems for your SMTP server, change the
address to an e-mail address accepted by your SMTP server.
(Some SMTP servers only accept mail from particular addresses
or domains.)
Use authentication
If enabled, indicates that authentication is required when
sending an e-mail message.
User name
Specify the user name used when authenticating to the SMTP
server.
Password
Specify the password used when authenticating to the SMTP
server.
Verify password
Re-type the password used when authenticating to the SMTP
server.
Test recipient e-mail address
Specify a known e-mail address you want to use when testing
the e-mail process.
Send a test e-mail
To verify the program can use the specified credentials to
contact the SMTP server, click this button.
Arrivals/Data Rollup Options
The Arrivals/Data Rollup dialog enables you to specify how this console will
interact with agents and with other consoles.
This console's directory for spooling results
Specifies the directory that will be used to store results sent to this
console by Patch Authority Ultimate Agent and/or by other
consoles. The default value is one of the following:
• On Windows Vista and other newer operating systems:
C:\ProgramData\ScriptLogic Corporation\Patch Authority Ultimate\Arrivals
• On earlier Windows operating systems like Windows XP:
C:\Documents and Settings\All Users\Application Data\ScriptLogic Corporation\Patch Authority Ultimate\Arrivals
If you change the directory path and want to return to the default
path, click Default.
Enable Data Rollup
If you want this console to roll up and send its scanning and
deployment data to a central console, enable this check box. The
other options in the Send this console's results to a Data
Rollup server area are not available unless this check box is
enabled.
Import Settings
If you want this console to roll up and send its scanning and
deployment data to a central console, you have the option to
import the settings file that was exported from the central console.
To import the settings of the console to which you want rollup data
sent, click Import Settings and then navigate to the location of
the file.
IP Address/hostname to send this console's results to
This field will be populated automatically by importing the settings
file from a central console, or it can be set manually. It reports the
name of the central console or the IP address that the central
console is listening on.
Port to send this console's results to
This field will be populated automatically by importing the settings
file from a central console, or it can be set manually. It reports the
port number that the central console is listening on. The default
value is 3121.
Minutes between sending console's results
Specify how often you want data from this console to be rolled up
and sent to the console containing the aggregate database. Valid
values are from 10 - 10080 (10 minutes - one week). The default
value is every 240 minutes (four hours).
Although you can roll up data as often as once every 10 minutes,
this is typically impractical. How often you choose to roll up data
will depend on a number of things, including how often the
console is performing scans and deployments, and how often you
want that information reflected in the aggregate database.
IP Address
Specifies the IP address of this console. The program will
automatically detect the console's address and add it to the list of
available addresses for this field. If the console is multi-homed
then there will be multiple IP addresses populated in the list and
you must select the address you want the remote consoles to use
when connecting to this console.
Note: If the central console is multi-homed, the rollup service will
listen on all its network interfaces. So if the central console
communicates with two different subnets, you can define one IP
address and export the data rollup information to remote consoles
on one subnet and then define a different IP address and export it
to remote consoles on the other subnet.
Listen on port
Specifies that 3121 is the TCP port used by the console to listen
for incoming data from agents and other consoles. This value
cannot be changed.
Export Settings
To enable other consoles to roll their results up to this console,
you should export this console's settings and import those settings
at the other consoles. To export this console's settings to a data
file, click Export Settings. The file can then be used to import
these settings on other consoles.
SENDING E-MAIL REPORTS AND NOTIFICATIONS
E-mail Overview
The e-mail feature enables you to send e-mail alerts and messages to
specified users. This feature has a wide range of applications. You can send
scan results and scan reports and you can notify users of pending actions
such as patch deployments and reboots.
The e-mail capability is very easy to use. You simply:
• Define your e-mail contacts in the local Address Book
• Define the SMTP server used for e-mail
• If necessary, specify the credentials required to send e-mail messages
• Use the icons in the program interface to send messages to specified
recipients as needed
Populating the Address Book
The address book is used to store the e-mail addresses of those users you
want to send messages or alerts. You can also define one or more e-mail
groups. To add, delete, or modify the contents of the address book, select
Manage > Address Book. The Address Book dialog is displayed:
The address book initially contains default entries for the machine
administrator, the machine owner, and a ScriptLogic Corporation
administrator. More than one contact can be defined as a ScriptLogic
Corporation administrator.
Defining a New Contact
1. Click New Contact.
2. Type the name of the contact as you want it to appear in the address
book.
3. Type the e-mail address of the contact.
4. If you want the contact to receive messages that are automatically sent to
all ScriptLogic Corporation administrators, enable the ScriptLogic
Administrator check box.
5. If you want this contact to be visible to other users when defining report
recipients for scan and deployment templates, enable the Make available
to other users check box. If this check box is not enabled it is the
equivalent of a BCC (blind carbon copy) -- the contact will be on the
e-mail report distribution list but not visible to other users.
Defining a New E-mail Group
1. Click New Group.
2. Type the name of the group you want to create.
3. If you want this group to be visible to other users when defining report
recipients for scan and deployment templates, enable the Make group
available to other users check box. If this check box is not enabled it is
the equivalent of a BCC (blind carbon copy) -- the group will be on the
e-mail report distribution list but not visible to other users.
4. To populate the group, enable the desired check boxes in the list of
available contacts and then click Save.
• You can select multiple entries at one time by pressing and holding the
Ctrl key while you select each entry.
• You can also select blocks of entries in the list by pressing and holding
the Shift key and then selecting the first and last entry of the desired
block.
• If you want to add every contact in the list to the group, click Check
All.
• If you want to define a new contact, click New Contact.
• You can create nested groups. A nested group is a group that consists
of other groups.
• If you are unsure about a certain contact you can view their full e-mail
address by selecting the contact and then clicking Properties.
Deleting an Existing Contact or Group
1. Select the contact or group you want to delete.
2. Click Delete.
Automatically Sending E-Mail Reports and Notifications
Note: This feature applies only to agentless scans and deployments initiated
from the console; it does not apply to agents that may also be using this
template.
Messages containing scan reports or deployment reports can be automatically
e-mailed by Patch Authority Ultimate. You simply configure the scan
template, the deployment template, the machine group, or the machine of
your choosing so that reports are automatically sent each time the template
or group is used. You can designate which reports should be sent and to
whom the reports should be sent.
Templates
You can configure scan templates to automatically:
• Send PDF versions of reports upon completion of a scan
You can configure deployment templates to automatically:
• Notify users of pending patch deployments
• Send a report upon completion of a deployment
For information on configuring templates to automatically send e-mail
reports:
• Scan templates: Please see Creating a New Scan Template.
• Deployment templates: Please see Creating a Deployment Template.
Machines and Machine Groups
For information on configuring the program to automatically send e-mail
reports when individual machines are scanned, see Managing Individual
Machine Properties. For information on configuring a group of machines to
automatically send e-mail reports when the machine group is scanned, see
Working With A Machine Group.
Manually Sending E-Mail Reports and Notifications
There are a number of different ways to manually send an e-mail message
that contains a scan or deployment report. Patch Authority Ultimate
automatically determines which report to generate and send based on the
context currently being viewed (for example, the entire scan or a single
machine in the scan).
From Scan View
When viewing results within Scan View, you can send an Executive Summary
report by clicking the link within the Scan Summary pane. You can also send
a Machine Status Summary report by right-clicking on a machine and
selecting E-mail Machine Status Summary. This is illustrated in the
following figure:
From Patch Deployment Results
When viewing patch deployment results, you can initiate an e-mail message
by clicking on the E-mail Deployment Status Report link. This is illustrated
in the following figure:
From the Report Viewer Window
While viewing a report you generated from the Report Gallery, you can e-mail
the report by selecting File > Send To. This is illustrated in the following
figure:
RUNNING IN DISCONNECTED MODE
Enabling Disconnected Mode
Disconnected mode is useful when you are scanning from a Patch Authority
Ultimate console that is not connected to the Internet. Disconnected mode
can also be useful if you would like to perform scans and deployments and
not download data files from the Web site.
Note: If you intend to deploy patches while in disconnected mode, the
patches must already reside in the download center. If the patch files are not
already in the download center, Patch Authority Ultimate will try to download
the patch files and the process will fail.
There are two ways to enable disconnected mode:
• Select Tools > Run Disconnected from the menu bar
• Select Tools > Options > Definitions and then enable the Temporarily
disable auto-refresh for all files (Run Disconnected) check box.
When disconnected mode is enabled the data files already resident on your
local machine will be used during the offline scan. See Managing Data Files for
more information.
Managing Data Files in Disconnected Mode
When running in disconnected mode from a console that is not connected to
the Internet, it is necessary to manually manage your data files. You must
download the data files from the proper locations and then transfer the files
to the Patch Authority Ultimate console. To determine the locations currently
being used as the source for the scan engines, data files, and patches, select
Tools > Options > Definitions and Tools > Options > Patch Downloads.
Note: If you are running in disconnected mode, the best way to ensure that
you have the latest data files is to go to a console that is connected to the
Internet, select Help > Refresh Files, and copy all the downloaded files to
the disconnected machine. The files reside in the \DataFiles directory.
File Locations
For information on how to download the data files using a machine with
Internet access and then transfer the files to the console machine, see the
following Web page:
http://forum.shavlik.com/viewtopic.php?f=10&t=15656&p=35775&hilit=sum#p35775
The data files need to be located in the following directory on the Patch
Authority Ultimate console:
• On Windows Vista and other newer operating systems:
C:\ProgramData\ScriptLogic Corporation\Patch Authority Ultimate\DataFiles
• On earlier Windows operating systems like Windows XP:
C:\Documents and Settings\All Users\Application Data\ScriptLogic Corporation\Patch Authority Ultimate\DataFiles
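When data files are carried by hand from an Internet-connected console to a disconnected one, a hash manifest lets you confirm that what arrived in the \DataFiles directory is what was downloaded. The PowerShell below is an added example, not part of the product or of the original guide; the function names and the manifest location are assumptions, and Get-FileHash requires PowerShell 4.0 or later.

```powershell
# Added example: SHA-256 manifest for data files moved to a disconnected console.
# Function names and the manifest path are assumptions made for this example.
# Keep the manifest OUTSIDE the DataFiles directory and move it by a path you
# trust, otherwise a tampered copy can simply ship a matching manifest.

function New-DataFileManifest {
    # Run on the Internet-connected console after Help > Refresh Files.
    param(
        [Parameter(Mandatory)] [string] $DataFilesPath,
        [Parameter(Mandatory)] [string] $ManifestPath
    )
    $root = (Resolve-Path -LiteralPath $DataFilesPath).Path.TrimEnd('\')
    Get-ChildItem -LiteralPath $root -File -Recurse |
        ForEach-Object {
            [pscustomobject]@{
                # Store paths relative to DataFiles so the manifest is valid
                # on both the Vista-style and the XP-style directory layout.
                RelativePath = $_.FullName.Substring($root.Length + 1)
                Length       = $_.Length
                SHA256       = (Get-FileHash -LiteralPath $_.FullName -Algorithm SHA256).Hash
            }
        } |
        Sort-Object RelativePath |
        Export-Csv -LiteralPath $ManifestPath -NoTypeInformation -Encoding UTF8
}

function Test-DataFileManifest {
    # Run on the disconnected console after copying the files into DataFiles.
    # Emits one object per problem; no output means every file matched.
    param(
        [Parameter(Mandatory)] [string] $DataFilesPath,
        [Parameter(Mandatory)] [string] $ManifestPath
    )
    $root = (Resolve-Path -LiteralPath $DataFilesPath).Path.TrimEnd('\')

    # Index the manifest by relative path (hashtable keys are case-insensitive,
    # which matches Windows file name semantics).
    $expected = @{}
    Import-Csv -LiteralPath $ManifestPath |
        ForEach-Object { $expected[$_.RelativePath] = $_ }

    $findings = New-Object System.Collections.Generic.List[object]

    foreach ($file in Get-ChildItem -LiteralPath $root -File -Recurse) {
        $rel = $file.FullName.Substring($root.Length + 1)

        if (-not $expected.ContainsKey($rel)) {
            # A file that was never on the connected console.
            $findings.Add([pscustomobject]@{ RelativePath = $rel; Status = 'Unexpected' })
            continue
        }

        $actual = (Get-FileHash -LiteralPath $file.FullName -Algorithm SHA256).Hash
        if ($actual -ne $expected[$rel].SHA256) {
            # Truncated copy, stale file, or modified content.
            $findings.Add([pscustomobject]@{ RelativePath = $rel; Status = 'HashMismatch' })
        }
        $expected.Remove($rel)
    }

    # Whatever is left in the index was listed but did not arrive.
    foreach ($rel in $expected.Keys) {
        $findings.Add([pscustomobject]@{ RelativePath = $rel; Status = 'Missing' })
    }

    $findings
}

# Usage (paths below are the Vista-and-newer default from this guide; the
# E:\transfer location is a constructed placeholder for removable media):
#
#   $dataFiles = 'C:\ProgramData\ScriptLogic Corporation\Patch Authority Ultimate\DataFiles'
#   New-DataFileManifest  -DataFilesPath $dataFiles -ManifestPath 'E:\transfer\datafiles.csv'
#
#   # ...copy the files, then on the disconnected console:
#   $problems = Test-DataFileManifest -DataFilesPath $dataFiles -ManifestPath 'E:\transfer\datafiles.csv'
#   if ($problems) { $problems | Format-Table -AutoSize } else { 'All data files match the manifest.' }
```

A Missing or HashMismatch result for a data file is worth resolving before scanning, since the offline scan uses whatever files are resident in the directory.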
REPORTS
Available Reports
The following reports are available in Patch Authority Ultimate. The reports
you have access to depend on your current license level.
To choose a report, select Tools > Create Report from the main menu and
then select a report from the drop-down list at the top of the Report Gallery
dialog. The list is divided by the different types of security programs available
within Patch Authority Ultimate.
| Security Program | Report | Description |
|---|---|---|
| All | Item History | This report lists all the actions that were performed in the entire system, and displays who performed each action. |
| | Seat License Status | This report provides information about the number of license seats available and the number of seats used. Note: There is no filtering capability for this option. |
| Patch Reports | Condensed Patch Listing | A concise, six-column report displaying the machine name and patch status for each scanned host. Patch items are displayed as bulletin numbers (MS00-000). |
| | Deployment Detail | This report provides detailed information about a particular patch deployment. |
| | Deployment Percentage by Patch | This report displays the percentage of machines that have each patch installed. The percentage is based on the number of machines that require the patch. |
| | Deployment Status by Deployment | This report provides information about the success or failure of one or more specified patch deployments. |
| | Deployment Status by Machine | This report provides information about patch deployments made to one or more specified machines. |
| | Detailed Summary | This report shows a summary of the scan, plus it provides a list that shows each machine that was scanned and detailed information about each machine. |
| | Executive Summary | This report provides a high-level summary about the patches and the machines discovered by the scan. |
| | Machine Inventory | This report provides a complete list of all software products installed on each machine discovered by the scan. |
| | Machine Status by Patch Count | This report displays the number of machines in groups based on the number of missing patches. |
| | Machine Status Summary | This report provides the patch status of each machine discovered by the scan. |
| | Machine/OS Listing | This report lists the operating systems for each machine scanned. |
| | Machines by Patch | Displays patch status for each machine sorted by Bulletin ID and QNumber. |
| | Machines Not Scanned | This report lists all machines not scanned and the reason they were not scanned. |
| | Missing SP | This report is a quick overview of all machines that are missing service packs for supported products. This report skips the simple criteria filter and displays the advanced criteria filter immediately. |
| | Patch Annotation Information | This report lists all patch annotations. |
| | Patch Criticality Information | This report lists all patches grouped by criticality. It allows a network administrator to quickly view the patches they have categorized as 'Critical' or 'High'. |
| | Patch Listing | A concise listing (one line per patch processed) of all patches for all scanned machines sorted by 'Missing', 'Found', 'Informational' and 'Warning', then sorted by user preference. |
| | Patch Status Detail | This report provides detailed information about each patch discovered by the scan. |
| | Patch Status Summary | This report provides a descriptive summary about each patch discovered by the selected scan(s). The report includes both found and missing patches. Use the Next Page and Previous Page icons to navigate through the report. |
| | Patches by Machine | Displays patch status for each machine sorted by machine name. |
| | Patches by Machine Detail | A detailed listing of every patch found sorted by machine name. For each patch, the entire summary and reason is listed in the report. Note that this report can take very long if executed against thousands of computers. |
| | Top Ten Missing Patches | This report lists the ten patches that are missing the most often. |
| | Top Ten Vulnerable Machines | This report lists the ten most vulnerable machines discovered by the program during the selected scan(s). The machines with the most missing patches and service packs are judged to be the most vulnerable. |
Report Gallery
The Report Gallery is designed to provide you with an assortment of different
report filtering options. You can open the Report Gallery using the Tools >
Create Report menu or by clicking the Reports toolbar icon. The
Report Gallery consists of a single dialog in which you make all of your
selections.
Pick a Report
Use the Select report to view box to select which report you want to
generate. When you select a report from the list, the description of that
report is displayed and a sample of the report is displayed on the right side of
the dialog.
Pick Filtering Options
Patch Authority Ultimate's reporting utility includes powerful filtering options.
Depending on the report you choose, you have choices between basic and/or
advanced filtering options.
• If you want the report to contain information from the most recent scan of
each machine managed by the console (and of each machine managed by
the associated remote consoles, if this is a data rollup console), enable the
View current status check box. Not all reports allow the use of this
check box. Enabling this check box will make the Scan to report on
option unavailable.
• The basic filtering options allow you to choose which deployments, which
scanning databases, which patch groups, what level of criticality, and which
products you would like to report on.
• If you need even more granularity or different sorting options, enable the
Use advanced filter check box. The advanced filter options are
presented in a separate dialog when you click Generate Report.
View the Report
Once you have made your selections, click Generate Report to see the
results. If the Use advanced filter check box is enabled this will cause the
Advanced Report Settings dialog to appear; the report will be generated
after you specify your advanced filtering options.
Generating a Report from a Data Rollup Console
If a console is a data rollup console, in addition to containing information
about each machine it manages, it will also contain information about all the
machines managed by the associated remote consoles. The information sent
by the remote consoles and collected by the data rollup console is stored in
an aggregate database. When you generate reports from the rollup console
you automatically have access to all the information contained in the
aggregate database.
Advanced Filtering
The Advanced Report Settings dialog enables you to effectively drill deeper
into your scan and deployment/remediation results and extract more
meaningful information. It does so by enabling you to select exactly which
information you want to include in the report. The following figure illustrates
the Advanced Report Settings dialog.
To use the Advanced Report Settings dialog:
1. Select each of the available options one at a time from the list on the left
and on the right-hand side specify the items you want to include or
exclude.
2. When you are ready to generate the report, click OK.
Exporting Reports
After a report is generated, it can be exported to a different format from the
report viewer.
1. Select File > Export or click Export on the toolbar.
The Export icon is illustrated in the following figure.
The ActiveReports Export dialog then appears, as illustrated here:
2. Select the export format and any available options and then click OK.
The Save As dialog appears.
3. Specify the name and location of the report file and then click Save.
USING DISTRIBUTION SERVERS
Why Use a Distribution Server?
Distribution servers can be used in a number of different scenarios:
• Distribution servers can be used to store patches that you wish to deploy.
Distribution servers can be physically located near each group of machines
you are managing. The console can copy patches to the distribution
servers only, rather than to each individual machine. Each machine can
then download the patches it needs from the nearest distribution server.
This can greatly reduce network traffic in a distributed environment and
be of huge benefit in wide-area networks. This is true in both agentless
environments and agent-based environments. In agentless environments,
using distribution servers means the console does not need to push
patches to individual machines and individual machines do not need to
download patches from the patch vendor. In an agent-based environment, it
can keep each machine from downloading the patches it needs from the
patch vendor over the Internet.
• Distribution servers can be used to store the most up-to-date engines and
XML files that are available. In a multi-console or agent-based
environment, this can reduce the number of machines that need to
download updated files over the Internet.
• Distribution servers allow consoles and agents to operate in environments
where they do not have Internet access but still need access to the most
up-to-date engines and XML files. See What is a Disconnected Console
Configuration for more information.
• Distribution servers can be used to store any custom patches you may
have defined. This is particularly important for agent-based environments.
See Preparing to Use Agents for more information.
Determining How Many Distribution Servers to Use
Do You Need a Distribution Server?
To determine if you should use one or more distribution servers with Patch
Authority Ultimate, apply the following formula:
• If # of machines * 10Kb > available bandwidth, then you need at
least one distribution server.
Examples
Assume available bandwidth = 500 Kb:
• 100 machines: 100 machines * 10Kb = 1000Kb > 500Kb (need
distribution server)
• 20 machines: 20 machines * 10Kb = 200Kb < 500Kb (do not need
distribution server)
If You Need Distribution Servers, How Many?
If (using the formula above) you determine you need one or more distribution
servers, you still need to determine exactly how many distribution servers are
needed. Determining the number of distribution servers that are needed is
very simple. The general rule is:
• Use one distribution server for every 2500 machines
For example, if you have 7500 machines you should plan on using three
distribution servers.
Configuring a New or Existing Distribution Server
Important! In addition to using the Distribution Servers dialog to
configure the distribution server within Patch Authority Ultimate, under
certain conditions you will need to provide the LOCAL SYSTEM machine
account with the proper sharing and security permissions. See Configuring
System Account Permissions for details.
To configure a distribution server, select Manage > Distribution Servers
and then select the Servers tab. Any currently defined distribution servers
are shown in the Name list. For example:
Note: You cannot delete a distribution server that is currently being used by
an agent policy. Also, if you edit and save a distribution server that is being
used by an agent policy, the agents using that policy will be updated the next
time they check in with the console.
To configure an existing distribution server, select the distribution server and
then click Edit. To configure a new distribution server, click New. The
Distribution Servers dialog appears:
In the top half of the dialog be sure to specify a location and authentication
method that all the target machines can use when accessing the server. The
lower half of the dialog is used to specify how the console will connect to this
same location on the distribution server. Although the physical location you
specify must be the same in both halves of the dialog, in the top half you can
specify the method used by the target machines when accessing the data
(UNC vs. Anonymous HTTP vs. Authenticated HTTP).
Name
The name you want to give to the distribution server you are
configuring. The name can contain letters, numbers, and special
characters.
Specify the UNC or HTTP Path
Specifies how the target machines will access the file repository on
the distribution server.
• UNC: If you want to specify both the path name of the
  repository on the distribution server and the logon credentials
  used by the target machines when logging on to the distribution
  server, enable this option. You must also define the UNC Path
  field and the Username and Password options.
• Anonymous HTTP: If you want the target machines to access
  the repository via the Internet using an anonymous
  (unauthenticated) Web connection, enable this option. You
  must also define the URL option.
• Authenticated HTTP: If you want the target machines to
  access the repository via a Web browser using a secure Web
  connection, enable this option. You must also define the Port,
  URL, Username, and Password options.
Use SSL (HTTPS)
If you want the target machines to contact the distribution server
using an SSL connection, enable this check box. This check box is
not available if UNC is selected as a client connection.
Port
Specifies the port used by the target machines when contacting the
distribution server via the Web. The default value is 80, or 443 if
SSL is selected.
URL / UNC Path
The name of this field changes depending on whether UNC or
HTTP is selected in the client connection field. Specify the UNC
path name or the URL path to the repository on this distribution
server.
Note: The physical location you specify here for the target
machines to use should be the same as the location you specify for
the console to use (on the UNC Path option). The method (UNC,
Anonymous HTTP, Authenticated HTTP) the target machines use
when connecting to the distribution server may be different, but the
physical location should be the same.
Enter username and
password
The Domain\Username, Password, and Verify Password boxes
apply only if UNC or Authenticated HTTP is selected. Specify the
user name and password used by the target machines to access
the distribution server.
Test Connection
If you want to test the authentication credentials used to access the
distribution server, click Test Connection. For HTTP[S] distribution
servers, a default content page (default.htm) is needed in the
distribution server directory in order for the test to work.
The lower half of the dialog is used to specify how the console will connect to
the distribution server.
Enable synchronization between console and distribution server
If you want to use the Patch Authority Ultimate console to update the
distribution servers, enable this option. If enabled, you must also
define the UNC Path option and the credentials options. Enabling this
option will cause this distribution server to be displayed on the
Synchronize tab. Patch Authority Ultimate gives you the ability to
synchronize distribution servers with your patch download center and
data files, either manually or automatically.
Note: This check box will be automatically disabled if you specify a
distribution server as the download source on the Tools > Options >
Patch Downloads dialog. See Patch Download Options for details
about the Specific Distribution Server check box.
UNC Path
The Universal Naming Convention (UNC) path name of the patch
repository share on the server. This share must be accessible by the
console and is used when synchronizing the contents of the
distribution server with the contents of the download center.
If you don't remember the exact path you want to specify in the UNC
Path box, or if you need to create a new folder, click [button] to search for
or create the path name.
Current credentials
Access to the distribution server requires authentication. To use the
authentication credentials of the person currently logged on to the
console machine, enable this option.
Note: If you use Current credentials AND you are using the
automatic synchronization feature, you must provide the console
machine's LOCAL SYSTEM account with read and write access to the
distribution server folder. See Configuring System Account
Permissions for details.
Use credentials listed
below
Access to a remote distribution server requires authentication. If you
want to specify credentials, enable this option. You must also define
the Domain\Username, Password, and Verify Password options.
Use credentials listed below is the recommended option if you are
using the automatic synchronization feature. If automatic
synchronization is being used and there are multiple administrators in
your organization using Patch Authority Ultimate, at least one of the
administrators must specify their credentials here.
User name
Type the domain and user name (domain\username) used to
authenticate to this distribution server.
Password
Type the password used to authenticate to this distribution server.
Verify Password
Retype the same password in this box to verify the password.
Test Connection
If you want to test the authentication credentials used to access the
distribution server, click Test Connection. The credentials cannot be
verified if the current session is already connected to the share.
Configuring System Account Permissions
In addition to using the Distribution Servers dialog to configure the
distribution server within Patch Authority Ultimate, if the following conditions
apply you will need to provide the SYSTEM machine account with the proper
sharing and security permissions:
• If the distribution server resides on the same machine as the console, the
  local machine's SYSTEM account must have read and write access to the
  distribution server folder.
• If an agent will be installed on the distribution server machine, the
  machine's SYSTEM account must have read access to the distribution
  server folder.
• If you elected to use Current credentials when authenticating the
  console to the distribution server AND you are using automatic
  synchronization, the Patch Authority Ultimate console machine's SYSTEM
  account must have read and write access to the distribution server folder.
In these three special cases it is the SYSTEM account that is used to access
the distribution server and not the credentials supplied on the Distribution
Servers dialog. If sharing and security permissions are not set, distribution
server synchronization errors may occur and/or the local agent may fail to
update.
Use Windows Explorer to set the account permissions by right-clicking the
distribution server folder, selecting Properties, and then clicking the Sharing
and the Security tabs. When setting permissions for the console machine's
SYSTEM account (per bullet item #3), you will need to add the console
machine's SYSTEM account name to the Group or user names list before
you can set its permissions. Be sure you specify Computers as an object
type when adding the name (see Example 2).
Example 1: Local SYSTEM Account
Example 2: Console Machine SYSTEM Account
When adding the console SYSTEM account name...
... verify that Computers is enabled on the Object
Types dialog.
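The three SYSTEM-account cases listed above can also be checked, and the missing permission granted, from a PowerShell prompt on the distribution server. This is an added example, not part of the ScriptLogic guide; the folder D:\PatchRepo and the console computer account CORP\CONSOLE01$ are placeholder assumptions.

```powershell
# Added example, not from the ScriptLogic guide. Placeholder values (assumed):
#   D:\PatchRepo      distribution server folder
#   CORP\CONSOLE01$   console machine's computer account (the trailing $ is required)
# Run on the distribution server. Only NTFS (Security tab) permissions are
# examined, and only ACEs that name the identity directly; access obtained
# through group membership is not evaluated.

function Get-DirectAccess {
    param(
        [string]$Path,
        [string]$Identity,
        [System.Security.AccessControl.FileSystemRights]$Required
    )
    $sidType = [System.Security.Principal.SecurityIdentifier]
    try {
        $account = New-Object System.Security.Principal.NTAccount($Identity)
        $sid = $account.Translate($sidType).Value
    } catch {
        return 'IdentityNotFound'
    }

    $allow = 0
    $deny  = 0
    # Explicit and inherited ACEs, with identities resolved to SIDs
    $rules = (Get-Acl -Path $Path).GetAccessRules($true, $true, $sidType)
    foreach ($rule in $rules) {
        if ($rule.IdentityReference.Value -ne $sid) { continue }
        $bits = [int]$rule.FileSystemRights
        if ($rule.AccessControlType -eq 'Deny') { $deny = $deny -bor $bits }
        else { $allow = $allow -bor $bits }
    }
    # A Deny ACE removes the rights it names from anything allowed
    $effective = $allow -band (-bnot $deny)
    if (($effective -band [int]$Required) -eq [int]$Required) { 'Granted' } else { 'Missing' }
}

function Grant-DirectAccess {
    param(
        [string]$Path,
        [string]$Identity,
        [System.Security.AccessControl.FileSystemRights]$Rights
    )
    # Allow ACE that applies to the folder, its subfolders and its files
    $acl  = Get-Acl -Path $Path
    $rule = New-Object System.Security.AccessControl.FileSystemAccessRule($Identity, $Rights, 'ContainerInherit, ObjectInherit', 'None', 'Allow')
    $acl.AddAccessRule($rule)
    Set-Acl -Path $Path -AclObject $acl
}

$folder = 'D:\PatchRepo'   # placeholder
# One row per condition in the list above; keep only the rows that apply.
$cases = @(
    @{ Case = 'Distribution server on the console machine';      Identity = 'NT AUTHORITY\SYSTEM'; Rights = 'Read, Write' }
    @{ Case = 'Agent installed on the distribution server';      Identity = 'NT AUTHORITY\SYSTEM'; Rights = 'Read' }
    @{ Case = 'Current credentials + automatic synchronization'; Identity = 'CORP\CONSOLE01$';     Rights = 'Read, Write' }
)

if (Test-Path $folder) {
    foreach ($c in $cases) {
        $state = Get-DirectAccess -Path $folder -Identity $c.Identity -Required $c.Rights
        '{0,-50} {1,-22} {2,-12} {3}' -f $c.Case, $c.Identity, $c.Rights, $state
        # To add a missing permission, run from an elevated prompt:
        # Grant-DirectAccess -Path $folder -Identity $c.Identity -Rights $c.Rights
    }
}
```

Share permissions (the Sharing tab) are evaluated separately from NTFS permissions, so for the console machine account in the third case the share must allow the same access.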
Assigning IP Addresses to Distribution Servers
You define which target machines will use a particular distribution server by
assigning the IP addresses of the target machines to the distribution server.
To assign one or more IP address ranges to a distribution server, select
Manage > Distribution Servers and then select the IP Ranges tab. Any
currently defined IP address ranges are shown in the table. For example:
To modify an existing entry in the table, select the entry and then click Edit.
To define a new range of IP addresses, click New. The Distribution Server
Group dialog appears:
Group Name
The name you want to give to this collection of target machines.
Primary Distribution
Server
Select the distribution server you want to use as the primary distribution
server for this collection of target machines.
Backup Distribution
Server
(Optional) Select the distribution server you want to use as the
secondary distribution server for this collection of target machines. The
secondary distribution server is only used if the primary distribution
server is unavailable.
IP Ranges
This table shows the IP ranges that are currently associated with the
distribution servers selected above.
Add
To define a new range of IP addresses, click Add and then use the
Low and High fields that appear to define the IP address range.
Edit
To modify an existing IP address range, select the address range and
then click Edit.
Delete
To remove an existing IP address range, select the address range and
then click Delete.
Save
To accept the current settings, click Save.
Cancel
To cancel without saving your changes, click Cancel.
Synchronizing Distribution Servers
When you synchronize a distribution server it means you are updating the
server with the latest patches and/or scan engines and XML definition files
contained on the console. To synchronize your distribution servers, select
Manage > Distribution Servers and then select the Synchronize tab.
You can manually synchronize the distributions directly from this dialog. You
can also choose to have distribution servers automatically synchronized on a
periodic basis. This section will cover both options.
Make sure the console contains the necessary files before attempting to
synchronize all your distribution servers. For information on downloading
patches to the download center, see Downloading Patches. To download the
latest engines to the console, select Help > Refresh Files.
Note: Another option for automatically synchronizing your distribution
servers is to use Distributed File System (DFS) Replication. DFS Replication is
available beginning with Windows Server 2003 R2 and requires the use of
Active Directory.
Creating a Status Report
If you want to create a report that shows which patches that have been
downloaded are missing or are out-of-date on the distribution servers, select
the distribution server(s) in the list and then click File Status Report. The
report will list which downloaded patches are not contained on the selected
distribution servers or are out of date. The report does not report if engines
and data files are missing or out of date.
Manually Synchronizing Selected Distribution Servers with Patches
To manually update a distribution server with the patches that are currently
in the download center:
1. If you have more than one download center, specify the desired download
center by selecting Tools > Options > Patch Downloads.
2. Make sure the download center contains all the patches you want on your
distribution server(s). See Downloading Patches for details.
The patches are contained in the default patches directory:
• On Windows Vista and other newer operating systems:
  C:\ProgramData\ScriptLogic\Patch Authority\Patches
• On earlier Windows operating systems like Windows XP:
  C:\Documents and Settings\All Users\Application Data\ScriptLogic\Patch Authority\Patches
3. Select Manage > Distribution Servers and then select the
Synchronize tab.
4. Select one or more distribution servers in the available list.
5. Click Synchronize Download Center.
This will copy the patches from the download center to the specified
distribution server(s).
Manually Synchronizing Selected Distribution Servers with Engines and
Definitions
To manually update a distribution server with the latest scan engines and XML
data files, you synchronize the server with the engine and XML files contained
on the console. To do this you simply:
1. Make sure you have the latest files on the console by selecting Help >
Refresh Files.
This will download the latest files from the location specified on the Tools
> Options > Definitions dialog and store them in the console's default
data directory:
• On Windows Vista and other newer operating systems:
  C:\ProgramData\ScriptLogic\Patch Authority\DataFiles
• On earlier Windows operating systems like Windows XP:
  C:\Documents and Settings\All Users\Application Data\ScriptLogic\Patch Authority\DataFiles
2. Select Manage > Distribution Servers and then select the
Synchronize tab.
3. Select one or more distribution servers in the available list.
4. Click Synchronize Engines and Definitions.
This will copy the scan engines and XML data files from the console to the
distribution server(s).
Manually Synchronizing All Distribution Servers
The Synchronize tab also provides a simpler way to synchronize patches,
engines, and XML data files with all distribution servers. Simply choose which
of these components to synchronize and click the Start automatic
synchronization of all Distribution Servers button. A background task will
be created in a separate window to perform the synchronization. You can
minimize this window and continue using the rest of the program.
The components that you can choose to synchronize are:
• Core engines and definitions: If enabled, the latest versions of the
  patch scan engine and all XML data files will be copied to the distribution
  servers. Enabling this check box will also enable the Automatically
  synchronize distribution servers after download check box on the
  Tools > Options > Definitions dialog.
• Download Center: If enabled, all patches contained in the console's
  download center will be copied to the distribution servers.
Automatically Synchronizing All Distribution Servers
The selections that you make on the Synchronize tab work together with the
automatic data-download feature that you can choose in Tools > Options >
Definitions.
At the interval selected in Tools > Options > Definitions, the latest engines
and data files will be downloaded from the specified download source. If you
enable the Automatically synchronize distribution servers after
download check box, then following the automatic download, all components
selected in the Distribution Servers Synchronize tab will be synchronized
with all download centers.
Note: If you elected to use Current credentials when authenticating the
console to the distribution server, in order for automatic synchronization to
work the console machine's SYSTEM account must have read and write access
to the distribution server folder. See Configuring System Account Permissions
for details.
If you want to initiate a synchronization without waiting for the next interval,
click Start automatic synchronization of all Distribution Servers. All of
your distribution servers will be synchronized immediately with the data
specified by the enabled check boxes. This button is not available if no check
boxes are enabled.
Managing Multiple Consoles
WHY USE MULTIPLE CONSOLES?
Organizations with many office sites located across the country may choose to
maintain multiple Patch Authority Ultimate consoles. One console is typically
deemed the central console. The central console will typically reside at a
central site, such as your company headquarters. Each remote office site will
contain a remote console. Each remote console is responsible for performing
scans and patch deployments on the machines in their local network and for
rolling up the results of these actions to the central console.
The central console can be thought of as a Central Policy Manager. It is the
console capable of tracking the results of actions performed on all the other
consoles. Likewise, a remote console can be thought of as a Distributed Policy
Manager. It is responsible for enforcing your organization's patch policies at
remote locations. By adding a distribution server into the mix you can
implement a Distributed Policy Service. The distribution server can be used to
store the XML data files that effectively represent your organization's policy.
The files are downloaded and used by the remote consoles, thus
implementing your policy.
There are several additional advantages to maintaining multiple consoles:
• The consoles can reside at physically distinct locations and be close to the
  machines they are managing
• The scans and deployments are performed much quicker
• You won't tie up your network trying to scan hundreds of geographically
  distinct machines from one location
• You can distribute the workload across multiple consoles
• It cuts down on a lot of network traffic, especially over WANs (which can
  be expensive)
• The results from each console can be rolled up to and viewed from one
  central location
There are many possible multiple console configurations, from a basic data
rollup configuration to an advanced configuration that combines multiple
consoles with Patch Authority Ultimate Agent. Each of these multiple console
configurations is described in detail in the following sections.
DATA ROLLUP CONFIGURATION
What is a Data Rollup Console Configuration?
In a data rollup console configuration, one console acts as the central console.
In addition to receiving scan and deployment data from the machines it
manages, the central console also receives data about machines managed by
other consoles. The central console is therefore also known as the rollup
console because the data from all the other consoles is rolled up to it. This
enables you to track what is happening throughout your organization from
one central site.
The following figure illustrates a data rollup console configuration.
Implementing a Data Rollup Configuration
Implementing a data rollup console configuration is very easy. You simply
perform a few configuration steps on the central console and on each remote
console.
Note: If your SQL Server does not run on the same machine as the Patch
Authority Ultimate console, you will need to run Patch Authority Ultimate with
user credentials that have access to SQL Server. For more detailed
information see SQL Server Notes.
On the Central Console
1. Select Tools > Options > Arrivals / Data Rollup.
2. In the This console's directory for spooling results box, specify the
directory to use for receiving results from other consoles.
In most cases you can simply take the default value. See Arrivals/Data
Rollup Options for more detailed information.
3. In the Configure Data Rollup settings file area, select the IP address of
the central console.
4. Export the settings to a file by clicking Export Settings.
The remote consoles will need access to this file when importing the data
rollup configuration settings. For this reason you will typically save the
exported file to a network share or to removable media.
Note: Included in the exported file are credentials that allow the remote
consoles to authenticate themselves to the central console. Importing the
file at a remote console is the sole means of establishing a security
association between it and the central console. You must therefore ensure
that only authorized users have access to the exported file. It is a good
idea to delete the exported file once you have set up your remote
consoles. If needed, you can always export a new file.
On Each Remote Console
You must configure each remote console to roll up its results to the central
console.
1. Select Tools > Options > Arrivals / Data Rollup.
2. In the Send this console's results to a Data Rollup server area,
enable the Enable Data Rollup check box.
3. Click Import Settings and open the Data Rollup Settings (.drs) file that
you exported from the central console.
Importing the file will automatically populate the IP address and port
number settings.
Tip: Importing the file will also automatically generate an entry in the
Edit Console Description dialog on the central console. You can use this
dialog to track how many remote consoles are configured to roll up their
results to the central console. See Editing the Console Description for
more details.
4. In the Minutes between sending console's results box specify how
often the data will be rolled up from the remote console to the central
console.
See Data Rollup Options for more detailed configuration information.
Watching For Data Rollup Activity
A notification dialog box is displayed in the lower-right corner whenever a
remote console rolls data up to the central console. The dialog box will be
displayed for several seconds before slowly fading away. You can pin the
dialog box in place by clicking the pin icon. In order to view within the
program the new information related to the data rollup, you can click the
notification dialog box or you can select View > Refresh from the main
menu.
Notification dialogs are not displayed if Patch Authority Ultimate is not running
on the console machine.
UNATTENDED CONSOLE CONFIGURATION
What is an Unattended Console Configuration?
An unattended console is a console you set up once. After that the console
automatically updates its own files and manages its machines without human
assistance.
Here's how it works: The unattended console is configured to automatically
perform periodic scans and to automatically deploy any patches it finds
missing on its target machines. The console will contain a patch scan
template that is defined to look for a particular set of patches. The set of
patches is contained in a patch list that resides on a distribution server.
Now, when new patches are released by a vendor (for example, the monthly
patches released by Microsoft Corporation), an administrator simply updates
the patch list on the distribution server. When the unattended console
performs its next scheduled scan it will automatically reference the updated
list and will patch its target machines, all without human intervention.
Of course, the unattended consoles can also be configured to use the data
rollup feature so that you can track what is happening on each of your
unattended consoles from one central site.
The following figure illustrates an unattended console configuration.
Implementing an Unattended Console Configuration
Note: This scenario assumes all the consoles have Internet access.
On the Distribution Server
Create a text file that contains the list of patches you want each unattended
console to scan for and deploy. You manually create the text file and save it
on the distribution server. The text file must contain just the QNumbers
associated with each patch, one entry per line. For example:
Each QNumber refers to the Microsoft Knowledge Base article that contains
information about a patch.
Hint: Here are a couple of easy ways to determine the QNumber associated
with each patch. (1) In the Patch and SP Groups pane click New Group >
Patch Group, and then on the resulting Patch Group dialog click Add
Patches. A list of all available patches and their associated QNumbers is
displayed. (2) In patch view, sort all patches by their QNumbers.
On Each Unattended Console
1. Create a patch scan template that scans for just the patches specified in
the custom patch file.
a.) In the Templates pane click New Template > Patch Scan and type
a descriptive name.
b.) On the Filtering tab, in the Patch filter settings area select Scan
Selected.
c.) In the File box specify the UNC path to the patch text file that is
located on your distribution server.
For more detailed information about creating patch scan templates, see
Creating a New Patch Scan Template.
2. Near the bottom of the template, enable the Deploy missing patches
using check box and select the desired deployment template.
Ongoing Maintenance
You simply update the patch list on the distribution server as needed. The
unattended console will automatically reference the updated list the next time
it performs a scan and will deploy the missing patches to each of its managed
machines.
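Because an unattended console deploys whatever the patch list names, it helps to check an edited list and review what changed before copying it over the copy on the distribution server. The following is an added example, not part of the ScriptLogic guide; it assumes an entry is the letter Q followed by the Knowledge Base article number, and every QNumber in it is a constructed sample value.

```powershell
# Added example, not from the ScriptLogic guide.
# Assumption: an entry is the letter Q followed by the KB article number.
# All QNumbers below are constructed sample values.

function Test-PatchList {
    # Emits one message per line that breaks the "just the QNumber,
    # one entry per line" rule; emits nothing for a clean list.
    param([string[]]$Lines)
    $seen = @{}
    $lineNo = 0
    foreach ($line in $Lines) {
        $lineNo++
        if ($line -eq '') { "line ${lineNo}: blank line"; continue }
        if ($line -cnotmatch '^Q[0-9]+$') { "line ${lineNo}: not a bare QNumber: '$line'"; continue }
        if ($seen.ContainsKey($line)) { "line ${lineNo}: duplicate of line $($seen[$line]): $line"; continue }
        $seen[$line] = $lineNo
    }
}

function Get-PatchListReview {
    # Returns the format problems if there are any; otherwise the difference
    # between the list the consoles use now and the candidate replacement.
    param([string[]]$Approved, [string[]]$Candidate)
    $problems = @(Test-PatchList -Lines $Candidate)
    if ($problems.Count -gt 0) { return $problems }
    $added   = @($Candidate | Where-Object { $Approved  -notcontains $_ })
    $removed = @($Approved  | Where-Object { $Candidate -notcontains $_ })
    "will start deploying: $($added -join ', ')"
    "no longer scanned:    $($removed -join ', ')"
}

# In real use, read both lists from disk, for example:
#   $approved  = Get-Content '\\DISTSRV01\PatchRepo\patchlist.txt'   # placeholder path
#   $candidate = Get-Content '.\patchlist-new.txt'                   # placeholder path
$approved = @('Q1000001', 'Q1000002')

# Candidate with a duplicate, a wrong prefix and a trailing blank line
$draft = @('Q1000001', 'Q1000003', 'Q1000003', 'KB1000004', '')
Get-PatchListReview -Approved $approved -Candidate $draft

# Corrected candidate: one patch added, one dropped
$fixed = @('Q1000001', 'Q1000003')
Get-PatchListReview -Approved $approved -Candidate $fixed
```

Since the consoles act on the list without human intervention, write access to the file on the distribution server is best limited to the administrators who approve patches.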
DISCONNECTED CONSOLE CONFIGURATION
What is a Disconnected Console Configuration?
A disconnected console is a remote console that does not have Internet
access. The remote console does, however, have access to a local WAN. In
this scenario the remote consoles must retrieve patch, scan engine, and XML
data files from a networked distribution server rather than from the Web. The
central console (which does have Internet access) is responsible for
downloading the latest scan engines, XML data files, and patches from the
Web and for placing these files on one or more distribution servers. The
remote consoles can then use the distribution servers to download the
required information before performing their scans.
Once the central console has copied the necessary files to the distribution
servers, the basic process is as follows:
1. The remote console downloads the latest files from a distribution server.
2. The remote console performs a scan.
3. Based on the scan the remote console performs the necessary patch
deployments.
4. The remote console then rolls up the results to the central console, which
contains an aggregate database of all scan and patch deployment activity
in the network.
The following figure illustrates this process.
Tasks Performed by the Central Console
In this scenario, the main functions of the central console are to:
• Download the latest patches, scan engines, and XML data files from the
  Web
• Copy the scan engines, XML data files, and patches to one or more
  distribution servers
• Act as the data rollup console by collecting the results of the scans and
  deployments performed by the remote consoles
Tasks Performed by the Remote Consoles
Each remote console is responsible for patching itself and any managed
machines that are located at the same site. There may or may not be an
administrator at the remote site and the remote sites may or may not have
Internet access. The main functions of each remote console in this scenario
are to:
• Get the latest scan engines and XML data files over the WAN from a
  distribution server
• Scan all the machines at their site
• Download the missing patches from a distribution server
• Deploy all approved patches that are missing
• Roll up the results of the scans and deployments to the central console
Configuring the Central Console in a Disconnected Configuration
I. Configure the Data Rollup Service
1. Select Tools > Options > Arrivals / Data Rollup.
2. In the This console's directory for spooling results box, specify the
temporary directory to use for receiving results from the disconnected
consoles.
In most cases you can simply take the default value. See Arrivals/Data
Rollup Options for more detailed information.
3. In the Configure Data Rollup settings file area, select the IP address of
the central console.
4. Export the settings to a file by clicking Export Settings.
The remote consoles will need this file to import the data rollup
configuration settings, so be sure to save the file to a location they can all
access.
II. Set Up a Distribution Server
You must set up a distribution server that the remote consoles can access.
The central console will download required files to the distribution server and
the remote consoles will download these same files from the distribution
server.
See Configuring Distribution Servers for detailed information on configuring a
distribution server.
III. Update the Distribution Server with the Latest Files
You must first download the latest scan engines, XML data files, and patches
from the Web to the central console's download center.
1. Download the patches that have been approved by your organization.
See Downloading Patches for detailed information on downloading
patches.
2. Download the latest scan engines and XML data files by selecting Help >
Refresh Files.
Copy the patches from the central console's download center to the
distribution server by synchronizing the central console's download center
with the distribution server. To do this:
1. Select Manage > Distribution Servers and then click the Synchronize
tab.
2. Select the desired distribution server and then click Synchronize
Download Center.
Copy the scan engines and XML data files from the central console to the
distribution server. To do this:
1. Select Manage > Distribution Servers and then click the Synchronize
tab.
2. Select the desired distribution server and then click Synchronize
Engines and Definitions.
You can also configure Patch Authority Ultimate to automatically download the
latest engines and XML data files and synchronize all your distribution
servers. See Synchronizing Servers for details.
Configuring the Remote Consoles in a Disconnected Configuration
Here are the major steps you must perform when configuring each remote
console in a disconnected console configuration.
I. Configure the Data Rollup Service
You must configure each remote console to roll up its results to the central
console.
1. Select Tools > Options > Arrivals / Data Rollup.
2. In the Send this console's results to a Data Rollup server area, enable
the Enable Data Rollup check box.
3. Configure the settings on each remote console by clicking Import
Settings and opening the .drs file that was exported by the central
console.
4. In the Minutes between sending console's results box, specify how
often the data will be rolled up from the remote console to the central
console. The default value is every 240 minutes (four hours).
II. Set Up a Distribution Server
You must set up a distribution server that each remote console can access.
The remote consoles will download all necessary files (such as patch files,
scan engines, and XML data files) from the distribution server. The
distribution server should be the same distribution server you set up on the
central console.
See Configuring Distribution Servers for detailed information.
III. Create a Machine Group of the Machines at This Site
1. In the Machine Groups pane click New Machine Group and name it All
Machines (or something similar).
2. Add all the machines that are managed by the remote console.
IV. Specify Where to Download Files
Configure the remote console so that prior to a scan it will automatically
download the latest files from the distribution server.
1. Select Tools > Options > Definitions.
2. Specify the appropriate distribution server to use when downloading the
latest scan engines and XML data files.
3. On the options dialog select Patch Downloads.
4. Specify the appropriate distribution server to use when downloading the
patches and service packs.
V. Create a Patch Scan Template
1. In the Templates pane, click New Template > Patch Scan.
2. On the Filtering tab, enable the Deploy missing patches using check
box and select the desired deployment template.
3. Configure the remainder of the patch scan template as desired.
See Creating a New Patch Scan Template for details.
Note: If you want to scan for a particular set of patches in an unattended
console configuration, see Implementing an Unattended Console
Configuration for more information.
VI. Create a New Favorite and Schedule a Periodic Scan
Create a favorite containing the machine group and the scan template you
created earlier and then use the favorite to schedule a scan.
1. In the Favorites pane click New Favorite.
2. In the Select at least 1 group list, select the new machine group you
created earlier.
3. In the Template box, select the patch scan template you created earlier.
4. Click Save.
5. Click Begin Scan.
6. On the Run Patch Scan dialog, schedule the recurring scan.
Multiple Console Configuration with Agents
It is possible to combine the use of agentless and agent-based machines with
multiple consoles, as illustrated in the following figure. Agent-based machines
are implemented using Patch Authority Ultimate Agent. Detailed information
about using Patch Authority Ultimate Agent is provided in the following
section.
Agent Overview
AGENTLESS VS. AGENT-BASED SOLUTIONS
Patch Authority Ultimate provides both agentless and agent-based solutions.
This section describes, in general terms, the benefits of each solution. The
sections that follow explain in more detail how to use an agent.
Agentless Solution
Agentless systems are based on push technology and on a centralized design.
A central authority is responsible for scanning the machines in the enterprise
and for initiating all actions on those machines. Agentless systems have a
number of advantages over agent-based systems. Strict agent-based
systems can only report on machines that have the agent actively running. If
the agent has been disabled the machine will appear to not exist. In addition,
new machines can be introduced to a network and these rogue machines will
not only be agentless, they may well be invisible. Agentless systems, on the
other hand, can scan ranges of IP addresses and report on machines they find.
Even if it cannot access the system, the agentless scanner will at least report
that a new IP address is present on the network. In many cases agentless
systems lower the cost of ownership, reduce management overhead, and
provide for quick and easy deployment. This is especially true in large
enterprises managing 10,000 or more machines. An administrator can be
scanning and fixing their network within minutes using an agentless system.
In Patch Authority Ultimate, all patch management tasks can be performed
without agents.
Agent-based Solution
Patch management
Certain types of users or systems can pose problems for agentless solutions.
Machines that must reside in a "de-militarized zone" (DMZ), roaming users,
and disconnected or inactive machines can all prove problematic. In these
cases an agent-based solution is often the best answer. Agent-based
solutions consist of proprietary client-side communications software that
resides on a computer and facilitates communications with server-based
administrative software. The agent scans the client machine for information
and then provides the information directly to the server console.
An agent-based solution is a useful complement to an agentless patch
management solution. Outfitting your troublesome systems with agents
provides the best of both worlds--agentless solutions to protect machines
permanently or newly introduced to the network, and agent-based solutions
for the hard-to-reach machines.
Summary
Agentless
• Designed for centralized environments
• Based on push technology
• Ideal for networks with large amounts of bandwidth
• Dependent on network connectivity
• A central authority does all the scanning and deploying
• Best for performing patch management tasks on networked machines
Agent-based
• Best for frequently disconnected machines or machines in the DMZ
• Based on pull technology
• Ideal for distributed networks with remote locations that have limited bandwidth
• Less dependent on network connectivity; ideal for mobile computers that
are not always connected to the network
• Each agent does its own scanning and deploying based on policies defined
on the central console
• Best for performing patch management tasks on disconnected machines
When Should I Use Agentless and Agent-based Solutions?
Patch Authority Ultimate is, at its roots, an agentless solution. With a few simple
configuration steps, however, Patch Authority Ultimate can also provide agent-based
services. This section explains when to implement each solution.
For Patch Management Tasks
Start with the Agentless Features of Patch Authority Ultimate
For large enterprises containing thousands of machines, the ease of use provided
by the agentless technology of Patch Authority Ultimate can be used to address
the patch management needs of the vast majority of the machines in your
enterprise. Patch Authority Ultimate can be used to discover which target
machines are missing patches and automatically deploy the missing patches.
Using Patch Authority Ultimate you can scan and fix, from one central location,
the vast majority of the machines in your network within minutes.
Polish Things Off with the Agent-based Features of Patch Authority Ultimate
Most large enterprises have machines in hard-to-reach places: machines in
remote locations, laptops that roam to different locations or that park and
dock outside the office, machines in protected zones (DMZs), etc. For these
devices you can use the agent-based features provided by Patch Authority
Ultimate, which are implemented using Patch Authority Ultimate Agent. With
Patch Authority Ultimate Agent you can be sure that these machines are
scanned regularly, even if they are disconnected from your enterprise
network.
What Exactly is Patch Authority Ultimate Agent?
Patch Authority Ultimate Agent is an agent service. The agents configured by
Patch Authority Ultimate Agent are distributed agents, meaning they are
installed on physically distinct machines and have the ability to independently
initiate specific actions. They are configured via the Patch Authority Ultimate
interface and then installed on the desired machines either by pushing them
from the Patch Authority Ultimate console or by manually installing them on
individual machines.
Depending on how they are configured, when installed on a machine a Patch
Authority Ultimate Agent can:
• Scan for and deploy missing patches
• Listen to the console for policy updates and download the new policy
immediately
• Report the results to the local console
The following figure illustrates how Patch Authority Ultimate Agent works in
your environment.
How the Agent Process Works
Agents are configured via the Patch Authority Ultimate interface and then
installed on the desired machines. Once installed, each agent will periodically
check in with the console. It may also optionally check in with an assigned
distribution server. How often an agent checks in is a configurable item, but
the check-ins typically occur at least once a day. An agent can also be
configured to listen to the console for policy updates and download the new
policy immediately.
During each check-in the agent first checks with the console and does the following:
• It refreshes its license. An agent license is valid for 45 days from the most
recent check-in.
• It checks for any policy configuration changes.
• It checks if it is assigned a distribution server, and if so, which one. If the
agent is assigned to a distribution server it will check in with the server
and download any new scan engines and XML data files. If it is not
assigned to a distribution server the agent will instead download any new
scan engines and XML data files from the default Web site.
Note: If configured to use a distribution server, an agent will also look on
the server for new files every time it performs a scan.
• It receives any credential information it needs in order to authenticate
itself to any distribution servers or proxy servers, and for accessing any
Microsoft Office original media it may need.
The following figure illustrates the agent process.
PREPARING TO USE PATCH AUTHORITY ULTIMATE AGENT
All agents are configured on the Patch Authority Ultimate console and then either
push installed from the console to the desired target machines or manually
installed by an administrator. This section provides a roadmap of tasks you must
perform when preparing to use Patch Authority Ultimate Agent.
I. (Optional) Set Up and Synchronize a Distribution Server
Setting Up a Distribution Server
You have the option of setting up a distribution server that the agents can
periodically access to download various files. There are several reasons for
using a distribution server, including:
• If some of your agents do not have Internet access and therefore won't be
able to download the latest scan engines, XML data files, and patch files
from the default Web sites. In this case you will need to store these files
on a distribution server that the agents can access.
• If you have defined custom patches that are not available from the default
Web sites. You must make the custom patches available by manually
copying the patches to one or more distribution servers.
See Configuring Distribution Servers for detailed information on configuring a
distribution server. You will also need to define which agent machines will use
the distribution server by assigning the IP addresses of the agent machines to
the distribution server. For information about this see Assigning IP Addresses
to Distribution Servers.
Synchronizing the Distribution Server
To update a distribution server with the latest patches, scan engines, and XML
data files you synchronize the server with the files contained on the console.
See Synchronizing Servers for detailed information. Custom patches must be
manually copied to the distribution server.
II. Create and Configure a Patch Authority Ultimate Agent Policy
1. In the button tray at the bottom of the navigation bar, click Agent Policies.
2. In the Agent Policies pane, click New Agent Policy.
3. Type a unique name for the policy.
There are many features you can configure within an agent policy. See
Creating A New Agent Policy for complete details.
III. Install the Agent on the Desired Machines
There are a number of ways you can install an agent on one or more
machines.
• For machines that have been scanned at least once and are contained in
the program database, you can use the Install / Reinstall with Policy
button in the Agent Policy Manager.
• For machines that have not been scanned and are not contained in the
database, you can create a machine group containing all the machines
that will run a particular agent policy and then use the Install Agent
button to install an agent on those machines that are online.
See Installing Agents from the Console for detailed information on installing
agents on target machines.
Note: Each target machine must have a network connection to the console
during the Patch Authority Ultimate Agent installation. This connection is
required in order to exchange security information that will be used to
establish an encrypted link for all future communication between the console
and its agents. The agent machines must also be able to perform name
resolution in order to locate the console machine.
How to Install Patch Authority Ultimate Agent from the Console
You can use the console to "push install" the Patch Authority Ultimate Agent
service to connected target machines. In order to perform the push install,
each target machine must be online and have an active network connection to
the console during the Patch Authority Ultimate Agent installation. This
connection is required in order to exchange security information that will be
used to establish an encrypted link for all future communication between the
console and its agents. The agent machines must also be able to perform
name resolution in order to locate the console machine.
Some target machines may have a firewall enabled that blocks the incoming
ports required to install Patch Authority Ultimate Agent. On these machines
you must manually install Patch Authority Ultimate Agent. See Manually
Installing Agents for details.
Note: If you are installing an agent on a Windows 2000 machine, make sure
the machine contains the latest version of Windows Installer that is supported
by Windows 2000 (e.g. Windows Installer 3.1). The version of Windows
Installer that is contained in Windows 2000 SP4 is not sufficient. Windows
Installer is available from the Microsoft Download Center.
Also Note: Installing an agent on a distribution server is a special case that
requires the server machine's SYSTEM account to have read access to the
distribution server folder. See Configuring System Account Permissions for
details.
You can perform a push install of the Patch Authority Ultimate Agent service a
number of ways from the console.
For Machines That Have Been Previously Scanned
There are a couple of ways to install agents onto machines that have been
previously scanned and that are contained in the program database.
• From within the Agent Policy Manager, select the desired machines and
then click Install / Reinstall with Policy. See About the Agent Policy
Manager for details.
• From within Scan View or Machine View, right-click the selected machines
and then select Agents > Install/Reinstall with Policy and then select
the desired agent policy. For example:
For Machines That Have Not Been Previously Scanned
You can install agents on machines that have not been previously scanned
and are therefore not contained in the machine database. You simply create a
machine group that contains all the machines that will run a particular agent
policy and then use the Install / Reinstall Agent button to install an agent
policy on those machines.
There are a couple of caveats:
• The machines must be added to the machine group using a machine
name, domain name, or IP address. You cannot use the Install /
Reinstall Agent button to install agents on machines that were added as
organizational units, nested groups, or IP address ranges.
• The machines must be online and connected to the network. If the console
cannot make a connection to a machine the install will fail for that machine.
Note: In each of the examples shown above you will be prompted to select
the policy you want installed. See Creating A New Agent Policy for information
on configuring policies.
The following occurs when you push install the Patch Authority Ultimate Agent
service to a machine:
• The Operations Monitor is displayed and shows the status of the
installation request.
• You can verify the installation was successful by doing the following:
  - By using Machine View to check the status of the machine. You'll have
  to wait until the next time the agent machine checks in with the
  console, but once that occurs the Agent State column should indicate
  that the machine contains an agent.
  - By using the Service Control Manager on the agent machine to verify
  that the agent services are running (stDispatch, stAgent).
• Once the Patch Authority Ultimate Agent configuration is successfully
installed on a target machine, the agent is automatically started on the
machine. See Using Agents on a Target Machine for information on using
the agent.
• After an agent is installed on a machine, that machine becomes a
managed machine and can be viewed using Machine View.
MANUALLY INSTALLING PATCH AUTHORITY ULTIMATE AGENT
You must manually install Patch Authority Ultimate Agent on machines that
are guarded by a firewall. You do this by copying the agent installation files to
the desired target machines and then running the Patch Authority Ultimate
Agent installation wizard on each machine.
Requirements
• The target machines must be on your network and able to communicate
with the console.
• You must configure at least one Patch Authority Ultimate Agent policy
before manually installing an agent. See Preparing to Use Agents for
details.
• You must specify how the agent will authenticate itself to the console
during the registration process. See Agent Options for details.
• If you are installing an agent on a Windows 2000 machine, make sure the
machine contains the latest version of Windows Installer that is supported
by Windows 2000 (e.g. Windows Installer 3.1). The version of Windows
Installer that is contained in Windows 2000 SP4 is not sufficient. Windows
Installer is available from the Microsoft Download Center.
• Installing an agent on a distribution server is a special case that requires
the server machine's SYSTEM account to have read access to the
distribution server folder. See Configuring System Account Permissions for
details.
Installation Procedure
1. On the Patch Authority Ultimate console, locate the AgentInstaller.msi
file.
• On Windows Vista and other newer operating systems the file is
located in the C:\ProgramData\ScriptLogic\Patch Authority\DataFiles directory.
• On earlier Windows operating systems like Windows XP the file is
located in the C:\Documents and Settings\All Users\Application Data\ScriptLogic\Patch Authority\DataFiles directory.
2. Copy the .msi file to the desired target machines.
You can distribute this file using Active Directory, or you can simply copy
it to a physical media such as a CD or flash drive and manually distribute
it to the desired machines.
Note: When distributing this file you may choose to create an installation
script that automatically passes all necessary information to the
installation wizard.
3. Log on to the target machine using an administrator account.
4. Double-click the file named AgentInstaller.msi.
The Patch Authority Ultimate Agent Setup Wizard is displayed.
5. On the Welcome dialog, click Next.
The Agent Registration dialog is displayed.
6. Type the required information and then click Next.
• Console URI: The URI consists of the Patch Authority Ultimate
console's machine name or IP address and the port number used for
forwarding information to the console. 3121 is the default port number.
• Authentication Type: You must choose the authentication method
dictated by the Tools > Options > Agents dialog.
  - If the Enable passphrase in manual Agent installations check
  box is enabled on that dialog, then choose Shared Passphrase
  and type the matching passphrase.
  - Otherwise, choose Windows Authentication. The lower portion of
  the Agent Registration dialog will change, providing you the
  opportunity to specify credentials.
If the credentials you used to log on to the target machine can also be
used to log on to the Patch Authority Ultimate console, then simply
enable the Use Current Credentials check box. Otherwise, do not
enable this check box but instead provide the necessary administrator
credentials for the Patch Authority Ultimate console. The credentials
must be in domain\user.name format and they must have
administrator rights on the Patch Authority Ultimate console.
You will know you have specified the right information if the Policy
Selection dialog is displayed after you click Next. For example:
7. From the list of available policies, select the policy you want assigned to
this agent and then click Next.
8. On the Ready to Install Patch Authority Ultimate Agent dialog, click
Install.
9. On the Installation Complete dialog, click Finish.
The agent installation routine will:
• Install the necessary .exe and other supporting files in the
C:\Program Files\ScriptLogic Corporation\Patch Authority Ultimate Agent directory
• Install the certificates needed to communicate securely with the console
• Acquire an agent license
• Retrieve the assigned policy, the scan engines, and the XML data files
and store them.
  - On Windows Vista and other newer operating systems the files are
  stored in the C:\ProgramData\ScriptLogic\Patch Authority\Agent Data directory.
  - On earlier Windows operating systems like Windows XP the files are
  in the C:\Documents and Settings\All Users\Application Data\ScriptLogic\Agent Data directory.
When the download is complete the agent will be started automatically.
You can check the status of the agent using the Patch Authority Ultimate
Agent client program, available by selecting Start > Programs >
ScriptLogic > Patch Authority Ultimate Agent. You can use this
program to configure any settings that were marked as user-configurable.
Creating and Using a Manual Installation Script
When manually installing Patch Authority Ultimate Agent on machines, one
option is to create a script that will automatically pass all necessary agent
information to the installation wizard. You can copy the script to a key fob or
a USB flash drive and then easily move from machine to machine installing
the agent.
Note: The following script is provided only as an example. Do not attempt to
use this script in your organization without modifying the input values and
performing adequate testing.
Example script for passphrase authentication:
C:\Windows\System32\msiexec.exe /i <path to installer>\AgentInstaller.msi ^
  /qn /l*v install.log SERVERURI=https://consolename:3121 ^
  POLICY=policyname AUTHENTICATIONTYPE=PASSPHRASE ^
  PASSPHRASE=secret
Example script for Windows authentication:
C:\Windows\System32\msiexec.exe /i <path to installer>\AgentInstaller.msi ^
  /qn /l*v install.log SERVERURI=https://consolename:3121 ^
  POLICY=policyname AUTHENTICATIONTYPE=WINDOWS ^
  SERVERUSERNAME=domainname\Your.Name PASSWORD=secret
Where:
• Msiexec is the program that installs msi packages.
• /i means install. It has one parameter that specifies the path to the
AgentInstaller.msi file.
• /qn means no user interface activity from the installer.
• /l*v means write a log for the installation attempt. It has one parameter
that specifies the log file name.
• SERVERURI is the address, port, and scheme (e.g. https://) used to
connect to the console for registration and check-in.
• POLICY is the name of the agent policy that will be assigned to the agent.
• AUTHENTICATIONTYPE is either PASSPHRASE or WINDOWS (this is
dictated by the Tools > Options > Agents dialog).
• PASSPHRASE is the passphrase used to authenticate the agent to the
console (used only if AUTHENTICATIONTYPE=PASSPHRASE).
• SERVERUSERNAME is the name of a user who has rights to install an
agent (used only if AUTHENTICATIONTYPE=WINDOWS).
• PASSWORD is the password used to authenticate the user to the console
(used only if AUTHENTICATIONTYPE=WINDOWS).
• USECURRENTCREDENTIALS=1 can be used in place of
SERVERUSERNAME and PASSWORD if you want to authenticate using the
credentials of the person who logged on to run the script.
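The passphrase command line above, wrapped in PowerShell so that the secret is prompted for instead of being stored in the script file on the flash drive. This is an added example, not a script from ScriptLogic; the installer path, console name and policy name are placeholders, and whether this installer writes the PASSPHRASE property into the /l*v log is an assumption that the script checks for instead of relying on.

```powershell
# Added example; not part of the vendor guide. Placeholder values are marked.
param(
    [string]$InstallerPath = 'E:\AgentInstaller.msi',      # placeholder path
    [string]$ServerUri     = 'https://consolename:3121',   # placeholder console name
    [string]$Policy        = 'policyname',                 # placeholder policy name
    [string]$LogPath       = "$env:TEMP\install.log"
)

function ConvertTo-PlainText {
    # Turns the SecureString from Read-Host into text for the msiexec property.
    param([System.Security.SecureString]$Secure)
    $ptr = [Runtime.InteropServices.Marshal]::SecureStringToBSTR($Secure)
    try     { [Runtime.InteropServices.Marshal]::PtrToStringBSTR($ptr) }
    finally { [Runtime.InteropServices.Marshal]::ZeroFreeBSTR($ptr) }
}

function Protect-InstallLog {
    # Replaces every occurrence of the secret in the log with a marker.
    # Returns $true when something was redacted.
    param([string]$Path, [string]$Secret)
    if ([string]::IsNullOrEmpty($Secret)) { return $false }
    if (-not (Test-Path -LiteralPath $Path)) { return $false }
    $text = [IO.File]::ReadAllText($Path)        # honours the log's byte-order mark
    if (-not $text.Contains($Secret)) { return $false }
    [IO.File]::WriteAllText($Path, $text.Replace($Secret, '***REDACTED***'))
    return $true
}

if (-not (Test-Path -LiteralPath $InstallerPath)) {
    throw "Installer not found: $InstallerPath"
}

$secure     = Read-Host -Prompt 'Agent passphrase' -AsSecureString
$passphrase = ConvertTo-PlainText $secure
if ([string]::IsNullOrEmpty($passphrase)) { throw 'Passphrase must not be empty.' }
if ($passphrase.Contains('"')) { throw 'Passphrase contains a double quote; it cannot be passed safely.' }

# Property values are quoted so that spaces survive msiexec's parsing.
$msiArgs = @(
    '/i',   "`"$InstallerPath`"",
    '/qn',
    '/l*v', "`"$LogPath`"",
    "SERVERURI=$ServerUri",
    "POLICY=`"$Policy`"",
    'AUTHENTICATIONTYPE=PASSPHRASE',
    "PASSPHRASE=`"$passphrase`""
)
$proc = Start-Process -FilePath "$env:SystemRoot\System32\msiexec.exe" `
                      -ArgumentList $msiArgs -Wait -PassThru

$redacted   = Protect-InstallLog -Path $LogPath -Secret $passphrase
$passphrase = $null

switch ($proc.ExitCode) {
    0       { Write-Output 'Agent installed.' }
    3010    { Write-Output 'Agent installed; a reboot is required.' }
    default { Write-Warning "msiexec returned $($proc.ExitCode); see $LogPath" }
}
if ($redacted) {
    Write-Warning "The passphrase was written to $LogPath and has been redacted."
}
exit $proc.ExitCode
```

While msiexec runs, the passphrase is still visible in the process command line and is recorded wherever process-creation auditing captures command lines. USECURRENTCREDENTIALS=1 with Windows authentication avoids passing a secret at all.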
Troubleshooting Agent Installation Errors
If an error occurs during an agent installation, the error messages displayed
in the Operations Monitor are the best place to begin the troubleshooting
process.
• Failure copying files: This normally indicates a problem with the
credentials being used to connect to the agent machine. The default
credentials or "last used" credentials may not be the correct credentials to
use for a particular machine.
• Registration failure: This normally indicates that the agent cannot
establish a connection with the console. There may be a firewall issue,
there may be ports that are unopened, there may be a DNS issue, or the
agent service may not be active on the agent machine.
Another possibility is if you are reinstalling over an existing agent. In this case
the problem may be that you do not have the most current files. Select Help
> Refresh Files to download the most current files to the console. If you are
using a distribution server you will also want to re-synchronize the server with
the console. You should then try the agent installation again.
• Check-in failure: This normally indicates a timeout or network issue, and
the agent will fail to download all necessary files.
You can also view the Patch Authority Ultimate Agent installation log on the
agent machine. The log file is located in the C:\WINDOWS\Temp\<GUID>
directory. The installation log will show any error messages that were
generated during the agent installation process.
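The registration-failure causes listed above (name resolution, unopened ports, an inactive agent service) can be checked from the agent machine in one pass. This is an added PowerShell example, not from the vendor guide; the console name is a placeholder, 3121 is the default port given in this guide, stDispatch and stAgent are the service names it lists, and the shape of the <GUID> directory name (with or without braces) is an assumption.

```powershell
# Added example; not part of the vendor guide. Run on the agent machine.
param(
    [string]$ConsoleName = 'consolename',   # placeholder console name
    [int]$Port           = 3121,            # default console port per this guide
    [int]$TimeoutMs      = 3000
)

function Resolve-ConsoleName {
    # Returns the addresses the name resolves to, or nothing on failure.
    param([string]$Name)
    try   { [System.Net.Dns]::GetHostAddresses($Name) | ForEach-Object { $_.IPAddressToString } }
    catch { }
}

function Test-ConsolePort {
    # TCP connect with a timeout; $true only when the handshake completes.
    param([string]$Name, [int]$Port, [int]$TimeoutMs)
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $async = $client.BeginConnect($Name, $Port, $null, $null)
        if (-not $async.AsyncWaitHandle.WaitOne($TimeoutMs)) { return $false }
        $client.EndConnect($async)
        return $true
    }
    catch   { return $false }
    finally { $client.Close() }
}

function Get-AgentServiceState {
    # Reports each agent service as Running, Stopped, ... or NotInstalled.
    foreach ($name in 'stDispatch', 'stAgent') {
        $svc = Get-Service -Name $name -ErrorAction SilentlyContinue
        $status = if ($svc) { $svc.Status.ToString() } else { 'NotInstalled' }
        New-Object psobject -Property @{ Service = $name; Status = $status }
    }
}

function Get-AgentInstallLogDir {
    # GUID-named directories under C:\WINDOWS\Temp, newest first.
    $guid = '^\{?[0-9a-fA-F]{8}(-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}\}?$'
    Get-ChildItem -LiteralPath "$env:SystemRoot\Temp" -ErrorAction SilentlyContinue |
        Where-Object { $_.PSIsContainer -and $_.Name -match $guid } |
        Sort-Object LastWriteTime -Descending
}

$addresses = @(Resolve-ConsoleName $ConsoleName)
$reachable = if ($addresses.Count -gt 0) {
    Test-ConsolePort -Name $ConsoleName -Port $Port -TimeoutMs $TimeoutMs
} else { $false }

"Name resolution : " + $(if ($addresses.Count -gt 0) { $addresses -join ', ' } else { 'FAILED' })
"TCP port $Port   : " + $(if ($reachable) { 'open' } else { 'not reachable' })
Get-AgentServiceState | ForEach-Object { "Service {0,-10}: {1}" -f $_.Service, $_.Status }

$logDirs = @(Get-AgentInstallLogDir)
if ($logDirs.Count -gt 0) {
    "Newest install log directory: " + $logDirs[0].FullName
} else {
    'No GUID-named directory found under the Windows Temp folder.'
}
```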
USING THE AGENT MANAGER
The Agent Manager is used to manage the agent policies you have created
using the Agent Policy Editor. With the Agent Manager you can install an
agent onto machines, you can assign a different policy to machines that
already contain an agent, and you can uninstall agents from machines. It also
provides a convenient place to determine which machines have Patch
Authority Ultimate Agent installed.
You can access the Agent Manager using any of the following methods:
• Click the toolbar icon
• Select Manage > Agents from the main menu
• Click the Agent Manager button within the Agent Policy Editor
The machines displayed within the Agent Manager are those machines that
are contained within the Patch Authority Ultimate database. If a machine you
are looking for does not appear it simply means the machine has not been
scanned. Any machines that do not contain an agent will be contained in the
No Policy list.
Note: All of the following functions can also be performed using the right-click menu.
Install / Reinstall with Policy
Installs an agent on the selected machine(s). If an agent already
exists on a machine, it will reinstall the agent with the selected
policy. The installation process will begin immediately.
The target machine(s) must be online and able to communicate
with the console. If a machine is not online the installation will fail.
Uninstall
Will remove the agent from the selected machine(s).
• If an agent machine is online and configured to listen for
policy updates, the agent will be uninstalled immediately.
• If an agent machine is online but is not configured to listen for
policy updates, the agent will be uninstalled the next time the
agent checks in with the console.
• If an agent machine is not currently online, the uninstall will be
performed the next time the agent is online and checks in with
the console.
Assign Policy
Applies only to machines that already have agents installed. It will
assign a different policy to the selected agent machines.
• If an agent machine is online and configured to listen for
policy updates, the new policy will be assigned immediately.
• If an agent machine is online but is not configured to listen for
policy updates, the new policy will be assigned the next time
the agent checks in with the console.
• If an agent machine is not currently online, the new policy will
be assigned the next time the agent is online and checks in
with the console.
The advantage of Assign Policy over Install / Reinstall with
Policy is that it is quicker. This is because it is only updating policy
files and not installing an entire agent.
Send command
Enables you to send a number of different commands to the
selected agents. The commands apply only to machines that
already have agents installed, that are online, and that are
configured to be listening agents.
• Check-in request: It will force the selected agent machines
to immediately check in with the console and download the
latest policy.
• Update patch data: Directs the agents to download the latest
patch data.
• Update binaries: Directs the agents to download the latest
scan engines and data files.
• Clear retry counts: Clears all patch counters on the agents.
A unique patch counter exists for every patch an agent tries to
download and for every patch an agent tries to install. A patch
counter will increment whenever a patch download or a patch
installation fails. Failed download and installation attempts will
be recorded in the patch log. If a patch fails to download after
11 attempts or fails to install after 3 attempts the agent will
stop trying to deploy that particular patch. The only way to
resume the deployment of that patch is to clear the counter.
Run task from policy
Enables you to initiate any of the tasks currently defined within the
selected agents. When you select a task name a confirmation
dialog is displayed. If you choose to continue, the task is
immediately started on the agent machines. See Creating a New
Agent Policy for information on the types of tasks that may be
available.
Machines
The Machines button enables you to perform the following actions
on the machines in the list:
• Expand all: Expands all machine trees in the list.
• Collapse all: Collapses all machine trees in the list.
• Export visible machines to CSV: Export information about
the machines in the list to a Comma Separated Values (CSV)
file. The CSV file can then be used within a spreadsheet
program.
Refresh
Refreshes all information being displayed in the Agent Manager.
Search
The Search tool contains two logic boxes. In the first box you
select one of the predefined category types, and in the second box
you specify the machine item you want to find. You initiate the
search by pressing Enter or by clicking the search icon.
Only those machines matching the search criteria are displayed;
all other machines are hidden.
Tips for using the Search tool:
• The Search tool works only on the information currently visible
in the list.
• If a Smart Filter is applied, only machines matching BOTH the
search criteria and the smart filter criteria are displayed.
• All partial matches are displayed. For example, if you search
for machines named Test, any machine with "test" in its name
will be considered a match (e.g. TestMachine1, Contest, etc.).
• The use of wildcards in the Search tool is not allowed.
Smart Filters
A Smart Filter can be used to filter the information displayed in the
list, narrowing the focus to only those machines of interest. The
Smart Filter contains several default filters. You can also define
your own custom filters. For more information see Using Smart
Filter.
MONITORING PATCH AUTHORITY ULTIMATE AGENT
You cannot use the console to watch the actual scans, patch deployments,
etc. as they are performed by agents on each target machine. For that you
must use the agent client program. You can, however, view the most recent
results of agent scans and deployments using Machine View. The results are
reported to the console and displayed on the appropriate tabs in the middle
pane. The top pane can be used to determine which machines have
successfully installed Patch Authority Ultimate Agent; it does this by
displaying the Agents Installed icon in the Agent State column. The top
pane of Machine View will also display the Assigned Agent Policy, the
Reported Agent Policy, the Last Agent Check-In, and the time of the last
scans. See Determining Which Machines Have Agents for more information.
When agents check in with the console they will be listed in the machine
group from which they were last scanned from the console. See Machine
Group Information is Dynamic for more information.
If you wish to produce one or more reports that show the agent activity that
has been reported to the console you can do so using the Report Gallery.
Determining Which Machines Have Patch Authority Ultimate Agent
Determining which machines in your network have Patch Authority Ultimate
Agent installed is easy. You can do it using either Machine View or the Agent
Policy Manager. The procedure is the same using either tool.
1. Select either View > Machine View or Manage > Agent Policies to
view a list of all machines that have been scanned at least once by the
program.
Note: If you want to make sure you get a list of all machines in your
network, perform a scan of all machines in your network before going to
Machine View.
2. In the heading row, click the Agent State column heading.
This will sort the table, grouping together all machines that have Patch
Authority Ultimate Agent installed and placing that group at the top of the
table. Click the icon a second time to move to the top of the table the
group of machines without Patch Authority Ultimate Agent installed.
There are two possible states:
• [icon] = Patch Authority Ultimate Agent is active on the machine
• [icon] = Patch Authority Ultimate Agent is not active on the machine
(meaning the service is either stopped or not installed on the machine)
3. To sort the list by policy name, click the Assigned Agent Policy column
heading.
Tip: Another option in Machine View is to select Has an Agent Policy in the
Smart Filters box. Only machines with Patch Authority Ultimate Agent
installed will be displayed.
Ongoing Maintenance Tasks
If the agents do not have Internet access, in most cases this means they will
be downloading the latest scan engines, XML data files, and patch files from
one or more distribution servers rather than from the default Web sites. In
this case you will need to make sure the files on the distribution server(s) are
updated on a regular basis. This can be done either automatically or
manually. See Synchronizing Servers for complete details.
Using an Agent on a Machine
The users of each agent machine can, if you permit, control many of the
Patch Authority Ultimate Agent features on their machine. They do this using
the Patch Authority Ultimate Agent client program. To access this program
they either:
• Select Start > Programs > ScriptLogic Corporation > Patch
Authority Ultimate Agent
• Double-click the Patch Authority Ultimate Agent service icon that may
reside in their machine's system tray
A window similar to the following is displayed:
If users want information on how to use the client program they can simply
click Help > Contents from the main menu.
Note: If multiple users are logged on to a machine, only one of the users will
have access to the client program. The first user to launch the program will
succeed; for all other users the program will fail.
Administrator Tools within the Client Program
The Patch Authority Ultimate Agent client program contains a few tools that
are intended for use by you, the system administrator.
• The lower left corner of the status bar displays the name of the console
that configured the agent. It also displays the name of the agent policy
that is being used. This can be extremely useful, especially if you maintain
multiple consoles and/or multiple agent policies.
• The client program Patch function contains a Clear Retry Counts button
within the Patch Administration list. This button clears all patch counters.
A unique patch counter exists for every patch the program tries to
download and for every patch the program tries to install. A patch counter
is incremented whenever a patch download or a patch installation fails. If
a patch fails to download after 11 attempts or fails to install after 3
attempts the client program will stop trying to deploy that particular
patch. The only way to resume deployment attempts for that patch is to
click Clear Retry Counts. Users may notice the deployment error messages
in the Patch Log but they are unlikely to know to click this button unless
directed to do so by an administrator.
Uninstalling Patch Authority Ultimate Agent
Uninstalling Patch Authority Ultimate Agent from Machines
You may not always know if the machines containing agents are connected to
or disconnected from the network. The easiest and most reliable way to
uninstall agents from machines (connected or disconnected) is to:
1. Go to the Agent Policy Manager by selecting Manage > Agent Policies
from the main menu.
2. Select the desired machines and then click Uninstall.
The next time an agent checks in with the distribution server it will see it is no
longer assigned to a policy and it will uninstall itself from the agent machine.
Uninstalling Patch Authority Ultimate Agent from Connected Machines
You can uninstall the Patch Authority Ultimate Agent service from machines
that are online and that are able to communicate with the console. From
within Machine View, right-click the selected machines and select Agents
> Uninstall.
Note: This method does not work for machines that are
disconnected from the network.
Manually Uninstalling Patch Authority Ultimate Agent from Machines
To manually uninstall Patch Authority Ultimate Agent from a target machine:
1. Select Start > Settings > Control Panel > Add or Remove Programs.
On Windows Vista and other newer operating systems this is Start >
Settings > Control Panel > Programs and Features.
2. Locate the program named Patch Authority Ultimate Patch Engine,
select it, and then click Remove.
3. Locate the program named Patch Authority Ultimate Agent, select it,
and then click Remove.
The disadvantage of using this method is that the uninstall will not be
reported back to the console.
CONFIGURING AN AGENT POLICY
Creating a New Patch Authority Ultimate Agent Policy
An agent policy defines exactly what an agent can or cannot do. With Patch
Authority Ultimate Agent you can create as many different agent policies as
are needed. This provides a great deal of flexibility, enabling you to assign
different agent policies to different machines in your organization.
All agent policies are configured on the Patch Authority Ultimate console and
then either "push installed" to the desired target machines or installed
manually.
To create a new Patch Authority Ultimate Agent policy:
1. In the button tray at the bottom of the navigation bar, click Agent
Policies.
2. In the Agent Policies pane, click New Agent Policy.
Tip: Another option is to select File > New > Agent Policy from the
main menu.
3. Type a name for the new agent policy and then click OK.
The Agent Policy Editor window is displayed.
4. See the following topics for information on configuring the agent policy:
• Configuring General Settings
• Configuring Patch Tasks
Configuring General Settings for a Patch Authority Ultimate Agent Policy
There are a number of general settings to configure for a Patch Authority
Ultimate Agent policy. You must configure these settings before installing the
agents on the desired target machines.
Display an icon in the notification area
The agents can be configured to run invisibly on each target machine, or
you can elect to install an icon in the notification area of each machine
that provides the users of the machines a certain amount of control over
the service. If you want to allow users to control certain aspects of the
Patch Authority Ultimate Agent service, enable this option. Users will be
able to launch the client-based program by double-clicking the icon.
Note: The notification area icon will not be visible on the target machine
for any currently logged on user until the next time the user logs on, or if
the user starts the Patch Authority Ultimate Agent program using the
Windows Start menu.
Perform manual scans
Enables a user on a target machine to manually initiate a patch scan.
Cancel scans
Enables a user on a target machine to stop a scan that is in progress.
Logging Level
Specify the amount of logging you want the agent to perform. The options
are:
• None: No entries are recorded in the log. This is the recommended
value.
• Errors Only: Records Error messages in the log.
• Normal: Records Error and Warning message types in the log.
• Verbose: Records Error, Warning, Informational, and Verbose
message types in the log.
Logging is typically only necessary when performing troubleshooting
tasks. The log files will reside on each agent machine.
• On Windows Vista and other newer operating systems the files are
stored in the C:\ProgramData\ScriptLogic Corporation\Logs
directory.
• On earlier Windows operating systems like Windows XP the files are
in the C:\Documents and Settings\All Users\Application
Data\ScriptLogic Corporation\Logs directory.
Maximum log size
Specify the maximum log size. Specifying a very large log size will enable
you to record a longer log history but it will of course require more system
resources. The default value is 5 MB.
If the log file becomes full a new log file is opened and logging will
continue. If the second log file becomes full, the first log file is deleted and
a new log file will be created. This means there will always be a maximum
of two log files on the console.
Check-In Interval
Specifies how often the agents will check in with the console. At each
check-in the agent refreshes its license and looks for any policy changes.
It also checks if it is assigned a distribution server. If it is assigned a
distribution server it will use it to download the latest scan engines and
XML data files. If it is not assigned to a distribution server then the agent
downloads the engines and data files from the Web. If an agent machine
is offline when the next check-in interval occurs, the agent will
immediately check in when network connectivity is restored.
Note: Agent licenses must be refreshed at least once every 45 days or
they will expire.
• Minutes: Use this option if you want the agents to check in more
than once a day, or if you don't care what time of day the agents will
check in with the console and with the distribution server. Valid
values are from 1 - 600 minutes.
• Days: Use this option if you want the agents to check in at a specific
time of the day (for example, late at night when there is more network
bandwidth available).
• Distribute check-ins over MM minutes: Staggers the exact time
the agents will check in so as not to overtax the console (and the
default Web site or the optional distribution server) with simultaneous
requests.
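Because the license is refreshed only at check-in and expires after 45 days, it is worth auditing the Last Agent Check-In values regularly. The following is an added example, not part of the product or this guide's own material: it classifies machines from a CSV export, and the column names, timestamp format, 30-day warning threshold and sample rows are all assumptions to adapt to your own export.

```python
import csv
import io
from datetime import datetime, timedelta

# From the guide: agent licenses must be refreshed at least once every 45 days.
LICENSE_LIFETIME = timedelta(days=45)

# Constructed sample export. The column names and the timestamp format are
# assumptions; adjust them to match the CSV your console actually writes.
SAMPLE_CSV = """Machine Name,Assigned Agent Policy,Last Agent Check-In
WS-001,Workstations,2011-02-20 23:10
WS-002,Workstations,2011-01-15 08:00
LT-014,Laptops,2010-12-30 17:45
SRV-03,Servers,
"""


def classify_checkins(csv_text, now, warn_after=timedelta(days=30),
                      time_format="%Y-%m-%d %H:%M"):
    """Return {machine: status}; status is ok, at_risk, expired or never.

    expired  - last check-in is more than 45 days old, so the license lapsed
    at_risk  - last check-in is older than warn_after but not yet expired
    never    - the machine is listed but has no recorded agent check-in
    """
    results = {}
    for row in csv.DictReader(io.StringIO(csv_text)):
        name = row["Machine Name"].strip()
        raw = (row.get("Last Agent Check-In") or "").strip()
        if not raw:
            results[name] = "never"
            continue
        age = now - datetime.strptime(raw, time_format)
        if age > LICENSE_LIFETIME:
            results[name] = "expired"
        elif age >= warn_after:
            results[name] = "at_risk"
        else:
            results[name] = "ok"
    return results


if __name__ == "__main__":
    report = classify_checkins(SAMPLE_CSV, now=datetime(2011, 2, 22, 12, 0))
    for machine, status in sorted(report.items()):
        print(f"{machine}: {status}")
```

Machines reported as at_risk are the ones to bring online, or to chase up, before the 45-day limit is reached.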
Engine and Data Download Location
Specifies if a distribution server will be used by the agents when
downloading the latest scan engines and XML data files. The agents will
look for updated files every time they perform a scan. The available
options are:
• Vendor over Internet: Specifies that the agents will download the
latest scan engines and XML data files from the default Web sites. A
distribution server will not be used.
• Distribution Server: Specifies that a distribution server will be used.
You must specify which server(s) to use.
  • Specific: You can select the name of an existing distribution
  server. You must have previously configured one or more
  distribution servers in order for the names to be pre-populated in
  this box. For more information see Configuring Distribution
  Servers.
  • By Agent IP range: If you have multiple distribution servers
  defined for your network, each distribution server is typically
  assigned to service a particular IP address range. The
  distribution server used when downloading files to a target
  machine will be determined by the target machine's IP address.
  See Assigning IP Addresses to Servers for more details.
  • Use vendor as backup source: If the designated distribution
  server is not available, the agent will download the latest scan
  engines and XML data files from the default Web sites.
Network
• Agent listens for updates on port: Specifies that the agent will
listen to the console for policy updates. If an agent's policy is
updated, or if it is assigned a different policy, the console will issue a
"check in now" command to the agent. The agent will immediately
download the new or updated policy from the console. Only agent
machines that are online and able to communicate with the console
will be able to receive the command.
• Port: Specifies the port used by the agent on the target machine
when communicating with the Patch Authority Ultimate console. The
default value is 4155.
• Internet proxy credentials: If the agent machines must authenticate
themselves to a proxy server when accessing the Internet, you must
provide the proper credentials to the agents. Click the button, select
Set Credentials, and then specify the following:
  • User Name: Type the domain\user name used to authenticate
  the agent to the proxy server.
  • Password: Type the password that will be used by the agent
  when authenticating to the proxy server.
  • Verify Password: Retype the same password.
Save and Update Agents
Saves all changes to the policy file and stores it on the console. Also
updates any agent machines that are currently assigned this policy as
follows:
• If an agent machine is online and configured to listen for policy
updates, the updated policy will be pushed out to that machine
immediately.
• If an agent machine is online but is not configured to listen for policy
updates, the updated policy will be pushed out the next time the
agent checks in with the console.
• If an agent machine is not currently online, the updated policy will be
pushed out the next time the agent checks in with the console.
The Agent Policy Editor will be closed.
Cancel
Indicates you want to exit the Agent Policy Editor without saving your
most recent changes. A "Do you want to save your changes?" prompt will
appear that gives you a second chance to save your changes. If you click
Yes the policy will be saved and the associated agents updated (the
same as Save and Update Agents). If you click No the Agent Policy
Editor will be closed without saving your changes.
Creating a New Patch Task
A patch task is used to define how and when the target machines will be
scanned for missing patches. It can also be used to optionally deploy any
patches identified as missing. If you do not create a patch task, then no patch
scanning or patch deployment will be performed by agents that are assigned
this policy.
You can create multiple patch tasks for one agent policy. Each task can be
expanded and collapsed using the chevron that resides on the task title
bar. This enables you to view just the task you are working on at any one
time.
While there is no theoretical limit to the number of patch tasks you can create
for an agent policy, there is a practical limit. For example, it may become
difficult to track and manage a policy if it contains too many patch tasks.
Also, it may be problematic if you enable patch deployment on several
different patch tasks. This is because, while scanning is relatively
transparent to the user, deploying patches is not, as it often involves a reboot
of the user's machine. In addition, you run the risk of multiple deployments
occurring on one machine at the same time.
You configure agent patch tasks on the Patch tab. You can edit an existing
patch task, or you can create a new task by clicking Add a Patch Task. Be
sure to give the task a descriptive name because this is the name the users
will see from within the client program.
Patch Scan Template
You must specify the template to use when an agent performs a patch
scan. The patch scan template dictates exactly what will be scanned for
and what will be ignored during a scan. The list of templates available for
selection will include the two predefined templates (Security Patch Scan
and WUScan) plus any custom templates you've already defined. You
can also do the following:
• New: Enables you to create a new patch scan template from scratch.
• Edit: Enables you to edit an existing, custom patch scan template.
The predefined templates cannot be edited. If you edit and save a
template that is currently being used by an agent policy, the agents
using that policy will be updated the next time they check in with the
console.
If you click New or Edit, the Patch Scan Template dialog is displayed.
See Creating a New Patch Scan Template for details on configuring the
template.
Note: The automatic deployment function and the automatic e-mail
function on the patch scan template are not supported by Patch Authority
Ultimate Agent. If these functions are enabled they will be ignored.
Enable deployment
If you want the agent to be able to automatically deploy patches and/or
service packs that are identified as missing by the patch scan, enable this
check box. You then use the Deploy patches and the Deploy service
packs check boxes to specify exactly what you will permit to be
deployed. There may be limitations as to which missing patches and/or
service packs will be automatically deployed. See the descriptions of the
Deploy patches and Deploy service packs check boxes for more
information.
If you choose to enable the deployment of both patches and service
packs, on an agent machine that is missing both service packs and
patches, service packs are deployed first.
Deployment Template
You must specify the template to use when an agent performs a patch
deployment. The list of templates available for selection will include the
predefined deployment templates (Agent Standard, Standard, and Virtual
Machine Standard) plus any custom templates you've already defined.
You can also do the following:
• New: Enables you to create a new deployment template from
scratch.
• Edit: Enables you to edit an existing, custom deployment template.
The predefined deployment templates cannot be edited. If you edit
and save a template that is currently being used by an agent policy,
the agents using that policy will be updated the next time they check
in with the console.
If you click New or Edit, the Deployment Template dialog is displayed.
See Creating a Deployment Template for details on configuring the
template.
Note: On the patch deployment template that you specify, if the agent
machines will download missing patches from a distribution server rather
than from the vendor Web sites, make sure the Use Server by IP Range
check box is enabled. This is particularly important if you have custom
patches to deploy. See Deployment Template: Distribution Servers tab for
more information.
Also Note: Remote dialogs, custom actions, and automatic e-mail
notifications that may be specified in the deployment template are not
supported by Patch Authority Ultimate Agent. In addition, the deployment
template you use for agents should specify full-file Office patches on the
Office tab. Agents do not use the Original Media paths specified in
deployment templates, so binary Office patches may fail to install on
agents.
Deploy patches
When the agents perform a patch deployment they will deploy only those
patches that are:
1. Scanned for by the patch scan template, and
2. Reported as missing, and
3. Defined as approved patches.
The approved patches can be either all patches detected as missing by a
scan, or they can be limited to those patches you define in a patch group
and/or to those patches deemed critical by the patch vendor. The list of
approved patches defined here is bound to this particular patch task. The
list will not be used by other patch tasks within the agent policy.
• All patches detected as missing: Specifies that any patch identified
as missing will be eligible for deployment.
• Patch Group: Only those patches contained in the specified patch
group will be deployed by the agent. If a scan detects missing
patches not included in this group, those patches will not be
deployed.
• Plus all vendor critical patches: Specifies that in addition to the
patches defined in the patch group, the list of patches approved for
deployment should also include any patches identified as critical by
the patch vendor. This gives you the security of knowing that if your
patch group is out of date you will still always be able to deploy any
new critical patches.
To deploy only vendor critical patches, enable this check box and
then specify an empty patch group in the Patch Group box.
• New: Enables you to make a new patch group. For more information
see Creating and Editing a Patch Group.
• Edit: Enables you to make modifications to the selected patch group.
Be careful here, because any modifications you make will affect any
other scan templates that are using the patch group. If you edit and
save a patch group that is currently being used by an agent policy,
the agents using that policy will be updated the next time they check
in with the console.
Note: If you also choose to enable the deployment of service packs (see
the Deploy Service Packs option), on an agent machine that is missing
both service packs and patches, service packs are deployed first.
Patch Deployment Process
Once the list of approved patches is determined, the patches are
downloaded and installed according to their priority. Security patches are
downloaded first, followed by all other patch types. The downloads occur
in the background using idle bandwidth not being used by other
applications. Foreground tasks such as Web browsing are not affected by
the patch download process.
Each patch task is allotted a 60 minute window to download the missing
patches. (This is part of a two hour total maintenance window that is
allocated for downloading missing service packs and patches.) Only
those patches that are successfully downloaded during this 60 minute
window will be installed by the active patch task. If the patch task cannot
finish downloading all missing patches during the 60 minute window, the
remaining patches will be identified, downloaded, and installed the next
time the patch task is run.
If an agent machine becomes disconnected from the network during a file
download, the process will be suspended and will automatically resume
where it left off when the network is available again. This technique is
called checkpoint/restart and is extremely useful for machines that are
frequently disconnected.
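The approval rules and download ordering described for Deploy patches can be checked against a planned configuration before it is pushed to agents. The following is an added example that models those rules; it is not the product's code, and the Patch record, the function name and the patch identifiers are constructed for illustration.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Patch:
    patch_id: str            # constructed identifier, not a real bulletin
    scanned_for: bool        # covered by the patch scan template
    reported_missing: bool   # the scan reported it as missing
    vendor_critical: bool    # flagged critical by the patch vendor
    security: bool           # security patch (downloaded before other types)


def patches_to_deploy(scan_results, approve_all_missing=False,
                      patch_group=frozenset(), plus_vendor_critical=False):
    """Return patch ids approved for deployment, in download order.

    A patch is deployed only if it is scanned for, reported missing and
    approved. Approval is either "all patches detected as missing", or
    membership of the patch group, optionally widened by "plus all vendor
    critical patches".
    """
    eligible = []
    for patch in scan_results:
        if not (patch.scanned_for and patch.reported_missing):
            continue
        if approve_all_missing:
            approved = True
        else:
            approved = (patch.patch_id in patch_group
                        or (plus_vendor_critical and patch.vendor_critical))
        if approved:
            eligible.append(patch)
    # Security patches first, then all other types; the sort is stable, so
    # scan order is preserved inside each class.
    eligible.sort(key=lambda patch: not patch.security)
    return [patch.patch_id for patch in eligible]


# Constructed scan result for one agent machine.
SCAN = [
    Patch("P-001", True, True, vendor_critical=True, security=True),
    Patch("P-002", True, True, vendor_critical=False, security=False),
    Patch("P-003", True, True, vendor_critical=False, security=True),
    Patch("P-004", True, False, vendor_critical=True, security=True),   # already installed
    Patch("P-005", False, False, vendor_critical=True, security=True),  # template ignores it
]

if __name__ == "__main__":
    group = frozenset({"P-002", "P-004"})
    print("all missing:        ", patches_to_deploy(SCAN, approve_all_missing=True))
    print("group only:         ", patches_to_deploy(SCAN, patch_group=group))
    print("group + critical:   ", patches_to_deploy(SCAN, patch_group=group,
                                                    plus_vendor_critical=True))
    print("empty group + crit.:", patches_to_deploy(SCAN, plus_vendor_critical=True))
```

The last case is the empty patch group with vendor critical patches enabled, which yields only vendor critical patches; an empty group without that check box approves nothing.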
Deploy service packs
When the agents perform a service pack deployment they will deploy only
those service packs that are:
1. Scanned for by the patch scan template, and
2. Reported as missing, and
3. Approved for deployment.
The approved service packs can be either all service packs detected as
missing by a scan, or they can be limited to those service packs you
define in a service pack group. The list of approved service packs defined
here is bound to this particular patch task. The list will not be used by
other patch tasks within the agent policy.
• More info: A link to the About Service Pack Groups Help topic that
explains how service pack groups are used by the program.
• All SPs detected as missing: Specifies that any service pack
identified as missing will be eligible for deployment.
• Service Pack Group: Only those service packs contained in the
specified service pack group will be deployed by the agent. If a scan
detects missing service packs not included in this group, those
service packs will not be deployed.
• Limit deployments (per day): Specifies the maximum number of
service packs that can be deployed to a machine in one day. Service
packs can take a long time to deploy and almost always require a
reboot of the machine, so you typically want to keep this number
rather small. If you do not limit the number of service pack
deployments in a day you run the risk of overwhelming a machine if it
is missing a large number of service packs. If a machine is missing
more service packs than the specified limit, the additional service
packs will be deployed the next time the patch task is run.
Tip: Note that a "day" in this case is considered to be a calendar
date and not a 24 hour period. This means the day is reset at
midnight. If you were to schedule the patch task to run on an hourly
basis (not recommended), it would allow you to maximize an
overnight maintenance window by deploying the maximum number of
service packs before midnight and then again immediately after
midnight.
• New: Enables you to make a new service pack group. For more
information see Creating and Editing a Service Pack Group.
• Edit: Enables you to make modifications to the selected service pack
group. Be careful here, because any modifications you make will
affect any patch task that references the service pack group. Also, if
you edit and save a service pack group that is currently being used
by an agent policy, the agents using that policy will be updated the
next time they check in with the console.
Service Pack Deployment Process
If an agent machine is missing multiple service packs, only one service
pack will be installed at a time. The patch task will begin by initiating the
download of all missing service packs. Operating system service packs
are downloaded at a higher priority, but whichever service pack gets
downloaded first is the one that is first installed. After the service pack is
successfully installed, the machine is restarted, rescanned, and the
process is repeated until all service packs are deployed or until the daily
limit is reached [see the Limit deployments (per day) option].
In addition, each patch task is allotted a 60 minute window to complete
the download > install > restart > rescan process. (This is part of a two
hour total maintenance window that is allocated for downloading missing
service packs and patches.) Only those service packs that are
successfully downloaded during this 60 minute window will be installed by
the active patch task. If the patch task cannot finish downloading all
missing service packs during the 60 minute window, the remaining
service packs will be identified, downloaded, and installed the next time
the patch task is run.
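The effect of the Limit deployments (per day) option being counted per calendar date, rather than per 24 hour period, is easiest to see across midnight. The following is an added example that simulates it; it is not the product's code, the function name and run times are constructed, and it assumes every service pack downloads within its window. The rolling 24 hour mode is a hypothetical comparison only, not a product setting.

```python
from datetime import datetime, timedelta


def simulate_service_pack_runs(run_times, missing_count, daily_limit,
                               calendar_day=True):
    """Return (deployed_per_run, still_missing) for a list of task run times.

    calendar_day=True  counts deployments per calendar date, as the guide
                       describes (the count resets at midnight).
    calendar_day=False counts deployments in the preceding 24 hours; this is
                       a hypothetical comparison, not a product behaviour.
    """
    events = []                      # (run time, service packs deployed)
    remaining = missing_count
    deployed_per_run = []
    for run_time in sorted(run_times):
        if calendar_day:
            used = sum(n for t, n in events if t.date() == run_time.date())
        else:
            used = sum(n for t, n in events
                       if run_time - t < timedelta(hours=24))
        deployed = min(max(daily_limit - used, 0), remaining)
        events.append((run_time, deployed))
        remaining -= deployed
        deployed_per_run.append(deployed)
    return deployed_per_run, remaining


# Constructed schedule: an hourly task running across midnight.
HOURLY_RUNS = [
    datetime(2011, 2, 21, 22, 0),
    datetime(2011, 2, 21, 23, 0),
    datetime(2011, 2, 22, 0, 0),
    datetime(2011, 2, 22, 1, 0),
]

if __name__ == "__main__":
    print("calendar date:", simulate_service_pack_runs(HOURLY_RUNS, 5, 2))
    print("rolling 24 h: ", simulate_service_pack_runs(HOURLY_RUNS, 5, 2,
                                                       calendar_day=False))
```

With a limit of 2 and 5 service packs missing, the calendar-date rule deploys 2 before midnight and 2 more at the first run after it, each followed by a restart, so a limit of N can mean up to 2N deployments in one overnight window.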
Schedule area
The patch schedule specifies how often the task will run on a target
machine. It allows you to regularly run the task at a specific time or using
a specified recurrence pattern. A built-in scheduler will be provided for
each agent. The scheduler will check for new patch data immediately
before starting a scheduled patch task.
The agent scheduler will serialize executions of the same agent engine.
For example, if you define a policy with two patch tasks that both start at
1:00 AM, they will not both start at 1:00; rather, they will be serialized (run
back-to-back).
Hourly
Allows you to schedule the task to be run on an hourly basis.
• Run every hh hours: You can specify exactly how many hours there
should be between scans. Valid values are from 1 - 100 hours.
• starting at this time: The first scan will begin at the specified time.
Subsequent scans will be performed at the interval specified on Run
every hh hours.
Daily
Indicates that the task will be run on the specified days, at the time of
your choosing. For example, using this option a scan could be run every
night at midnight, or every Saturday at 9:00 pm, or at 1:00 am the first
Sunday of every month, etc.
Randomize scheduled time (minutes)
Staggers the exact time the task will be performed so as not to overtax
the console or designated distribution server with simultaneous requests
to download patch files, scan engines, etc.
Run on boot if schedule missed
If a scheduled task is missed while a target machine is powered off, this
option enables you to force the task to automatically run whenever the
machine is restarted. The task will run immediately unless you enable the
Delay after boot (minutes) check box, in which case the execution will
be delayed by the specified number of minutes.
Save and Update Agents
Saves all changes to the policy file and stores it on the console. Also
updates any agent machines that are currently assigned this policy as
follows:
• If an agent machine is online and configured to listen for policy
updates, the updated policy will be pushed out to that machine
immediately.
• If an agent machine is online but is not configured to listen for policy
updates, the updated policy will be pushed out the next time the
agent checks in with the console.
• If an agent machine is not currently online, the updated policy will be
pushed out the next time the agent checks in with the console.
The Agent Policy Editor will be closed.
Cancel
Indicates you want to exit the Agent Policy Editor without saving your
most recent changes. A "Do you want to save your changes?" prompt will
appear that gives you a second chance to save your changes. If you click
Yes the policy will be saved and the associated agents updated (the
same as Save and Update Agents). If you click No the Agent Policy
Editor will be closed without saving your changes.
SERVICE PACK GROUPS
About Service Pack Groups
Patch Authority Ultimate provides the ability for agents to use a service pack
group to deploy a particular set of service packs.
Example 1: Suppose Company A has a patch approval process under which
they've certified four service packs as being mandatory for their organization.
They do not want to deploy any patches, just the four service packs. They
also want to be able to receive compliance reports. By creating a service pack
group they can deploy only the specified service packs and receive a variety
of deployment reports.
Example 2: Suppose you identify a certain service pack as being critical for
your organization. You can create a service pack group that contains just this
service pack. When your agents perform a deployment, the only service pack
that will be deployed will be the service pack defined in the group.
For information on implementing and using service pack groups, see Creating
and Editing a Service Pack Group and Creating and Configuring a Patch Task.
Notes About Service Pack Groups
• Service pack groups apply only to agents and not to agentless
deployments.
• Agent-based service pack deployments are tracked the same way as any
other agent activity. See Monitoring Agents for details.
• If an agent machine is missing multiple service packs, only one service
pack will be installed at a time. Patch Authority Ultimate Agent will begin
by initiating the download of all missing service packs. Operating system
service packs are downloaded at a higher priority, but whichever service
pack is available first is the one that is first installed. After that service
pack is successfully installed, the machine is restarted, rescanned, and the
process is repeated until all service packs are deployed or until the daily
limit is reached.
• The downloads occur in the background using idle bandwidth not being
used by other applications on the agent machine. Foreground tasks such
as Web browsing are not affected by the service pack download process.
• The number of service packs that can be deployed in one day is defined by
the Limit deployments (per day) option on the agent patch task.
Creating and Editing a Service Pack Group
To create a new service pack group or edit an existing service pack group:
1. From within an agent patch task, enable Deploy Service Packs.
2. Enable Service Pack Group and then click either New or Edit.
Note: Other options for creating a new service pack group are to select
File > New > Service Pack Group from the main menu or to select
New Group > Service Pack Group from within the Patch and SP
Groups pane. Another option for editing an existing service pack group is
to double-click the group from within the Service Pack Groups list.
This will display the Service Pack Group dialog.
Note: Be careful when editing an existing service pack group. Any
modifications you make will affect any patch task that references the
service pack group. Also, if you edit and save a service pack group that is
currently being used by an agent policy, the agents using that policy will
be updated the next time they check in with the console.
Name
Type a name that you would like to assign to this service pack
group.
Copy
Makes a copy of the service pack group. Type a new name for the
group and then click OK.
Delete
Deletes the service pack group. This button only applies if you
access the Service Pack Group dialog by double-clicking an
existing group in the Service Pack Groups list.
Displays Help information about this dialog.
Service Pack Group Members
This tab enables you to add service packs to this group. The
available service packs are separated into four product categories
that are represented by the tabs shown along the left side of the
dialog. For each product category you can:
• Exclude all: Excludes every service pack in the product
category. This is the default value.
• Use latest: Sets all service packs in the category to Latest.
This means that the latest service pack available for a product
always will be deployed. The advantage to this setting is that
if a new service pack becomes available it will be the one that
is automatically deployed.
• Use current: Sets the value to the service pack that is
currently available for each product. This value will not
change if a new service pack becomes available.
You can also manually set the service pack value for each
individual product.
Used By tab
This tab shows you the agent policies that are currently using this
service pack group. This is important to know if you are
considering modifying the group, as it tells you what other areas of
the program are affected.
IMPORTANT! If a new product becomes available, the product will be added
to the appropriate product category the next time the Patch Authority
Ultimate XML files are refreshed. Keep in mind that the default value for any
new product service packs will be Exclude all. If you want the new product's
service pack to be included in the group you must revisit the service pack
group and update the product service pack setting.
Using a Service Pack Group
A service pack group is used within an agent patch task to specify exactly
which service packs should be deployed. For more information, see Creating
and Configuring a Patch Task.
Copy, Delete, or Rename a Service Pack Group
To copy, delete, or rename an existing service pack group:
1. In the button tray at the bottom of the navigation bar, click Patch and SP
Groups.
2. In the Patch and SP Groups pane, right-click an existing service pack
group and then select the desired menu item.
Database Maintenance
In order to keep Patch Authority Ultimate operating at peak efficiency, it is
important to perform periodic maintenance on your database. Patch Authority
Ultimate's database maintenance tool enables you to:
• Delete old results
• Rebuild your SQL Server indexes
• Create backup copies of your database and your transaction log
You do this by selecting Tools > Database maintenance and then
specifying exactly when and how your database maintenance tasks should be
performed.
Enable weekly database maintenance
If enabled, will perform database maintenance tasks on the specified
day and time. The scheduled job is managed by the Patch Authority
Ultimate console service; the job cannot be tracked using the
Scheduled Task Manager. Maintenance tasks should be performed
after hours or on a weekend when database use is at a minimum.
If this check box is not enabled you can still configure the remaining
database maintenance options on this dialog, but in order to run the
maintenance task you must initiate it using the Run now button. The
database maintenance tasks will not be performed on a regularly
scheduled basis.
For each result type, choose at least one way to delete old results
There are two ways to delete old results:
• Max results to keep: Enables you to specify the maximum
number of patch scans you want to store in the database. If the
specified number is exceeded, scans will be deleted based on
their age (the oldest scans are deleted first). Any patch
deployments that are associated with a scan are also deleted.
Valid values are 10 - 10,000 for each scan type.
Important! If you are using Patch Authority Ultimate Agent on
your machines you should NOT use this option. Agents report
their results to the console and if you have many agents this will
quickly overrun the threshold. You should instead use the Delete
results older than (days) option.
• Delete results older than (days): Enables you to specify the
maximum number of days that patch scan results are allowed to
be stored in the database before being deleted. Any patch
deployments that are associated with a scan are also deleted.
Valid values are 1 - 10,000 days. As a general rule, results that
are over 90 days old should be considered too old to accurately
depict the current state of your organization.
If you choose to implement both methods for a result type, the
method that deletes the fewest results is the one that will be
used.
Example: Assume that for patch results you specify Max results to
keep = 100 and Delete results older than (days) = 90. Also assume
that there are 150 patch results currently stored in the database but
only 10 of them have been there for more than 90 days. When the
database maintenance task is run the oldest 10 results will be
deleted; the 140 results that are less than 90 days old will be left
alone.
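The interaction of the two deletion settings, modelled as an added example (not code from this guide or from the product): it reproduces the 150-result case above and shows what Max results to keep alone leaves behind when many agents report. The record layout, machine names, fleet size, and the reading of "older than" as strictly before the cutoff are assumptions.

```python
from datetime import datetime, timedelta

# Valid ranges as stated in the guide.
MAX_KEEP_RANGE = (10, 10_000)
MAX_AGE_DAYS_RANGE = (1, 10_000)

# Constructed reference time for the sample data below.
NOW = datetime(2011, 2, 22, 2, 0)


def _check(name, value, bounds):
    lo, hi = bounds
    if not lo <= value <= hi:
        raise ValueError(f"{name} must be between {lo} and {hi}, got {value}")


def plan_cleanup(results, now, max_keep=None, older_than_days=None):
    """Model which results one maintenance run would delete.

    results is a list of (machine, scan_time) tuples; this layout is a
    constructed model, not the product's database schema.
    Returns (method_used, deleted, kept), both lists sorted oldest first.
    """
    ordered = sorted(results, key=lambda r: r[1])
    counts = {}

    if max_keep is not None:
        _check("Max results to keep", max_keep, MAX_KEEP_RANGE)
        # Anything beyond the cap is removed, oldest first.
        counts["max_results"] = max(0, len(ordered) - max_keep)

    if older_than_days is not None:
        _check("Delete results older than (days)", older_than_days,
               MAX_AGE_DAYS_RANGE)
        cutoff = now - timedelta(days=older_than_days)
        # Assumption: "older than" means strictly before the cutoff.
        counts["age"] = sum(1 for _, t in ordered if t < cutoff)

    if not counts:
        return None, [], ordered

    # Both rules remove a prefix of the oldest-first list, so each rule is
    # fully described by a count. The guide states that when both are set,
    # the rule that deletes fewer results is the one applied.
    method = min(counts, key=counts.get)
    n = counts[method]
    return method, ordered[:n], ordered[n:]


def machines_covered(kept):
    """Number of distinct machines that still have at least one result."""
    return len({machine for machine, _ in kept})


def guide_example():
    """Constructed data matching the guide: 150 results, 10 older than 90 days."""
    old = [("console-scan", NOW - timedelta(days=91 + i)) for i in range(10)]
    recent = [("console-scan", NOW - timedelta(hours=i + 1)) for i in range(140)]
    return old + recent


def agent_fleet(agents=500, days=30):
    """Constructed fleet: every agent reports one result per day."""
    return [(f"agent-{a:03d}", NOW - timedelta(days=d, minutes=a))
            for d in range(days) for a in range(agents)]


if __name__ == "__main__":
    method, deleted, kept = plan_cleanup(guide_example(), NOW,
                                         max_keep=100, older_than_days=90)
    print(f"guide example: rule={method} deleted={len(deleted)} kept={len(kept)}")

    fleet = agent_fleet()
    for label, kwargs in (("max only", {"max_keep": 100}),
                          ("age only", {"older_than_days": 90})):
        method, deleted, kept = plan_cleanup(fleet, NOW, **kwargs)
        print(f"agent fleet, {label}: deleted={len(deleted)} "
              f"machines with history={machines_covered(kept)}")
```

With the constructed fleet, the count cap keeps results for only a fifth of the machines, which is the effect the Important! note warns about; the age-based setting keeps every machine's history.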
About the Different Result Types
Each result type consists of the following:
• Patch: Patch scans and any associated patch deployments
Rebuild indexes
If enabled, each time the database maintenance task is performed it
will instruct SQL Server to rebuild the database indexes after the old
result data are removed. Doing so will improve the performance of
your database. This is particularly valuable when deleting large
amounts of data.
Although this option will work on any of the supported editions of SQL
Server, it is recommended for use only with SQL Server Express
editions. If you are using a full edition of SQL Server you should
consider using the SQL Server Maintenance Wizard because it
provides more functionality.
Backup database and transaction log
If enabled, each time the database maintenance task is performed it
will instruct SQL Server to create backup copies of the database and
the transaction log before removing any data.
You must specify where the backup files will be written. You can use
either a UNC path (for example: \\server\backup) or a local path (for
example: c:\backup) to specify the backup location. The
recommendation is to use a UNC path format that specifies a location
on a different machine than the one currently running SQL Server.
The path name you specify here is simply passed along for use
during the backup. No validation is performed on the name.
Notes:
• If you are using a remote SQL Server and you specify a local
path, the path you are specifying is located on the remote SQL
Server and NOT on the console machine.
• If you specify a UNC path to a location on SQL Server, your SQL
Server account must have access to the path. If a built-in
account is being used (such as Local System or Network
Service) then the machine account needs access to the path.
Run now
Immediately initiates the database maintenance task. The task is run
in the background and requires no user intervention. The task is
performed using the current configuration. The current configuration
is saved for future use, and if the Enable weekly database
maintenance check box is enabled this will also schedule the
database maintenance task.
You will not be able to use Patch Authority Ultimate to track the
progress of the maintenance task but you will be able to view the
result. For example, after the task completes there should be fewer
items in the Patch Results pane and in the Manage Items list. If you
have access to SQL Server Management Studio you can use its
Database Properties feature to track the progress of the task.
Save
Saves the current database maintenance configuration. If the Enable
weekly database maintenance check box is enabled this will also
schedule the database maintenance task.
Cancel
Exits the Database Maintenance dialog without saving your most
recent changes.
Reporting Errors and Checking for Possible Solutions
If an error occurs that requires the program to close in order to recover, the
following dialog will be displayed:
If your operating system is configured to allow the capture and reporting of
errors, after you click OK a second dialog will be displayed.
CHECK ONLINE FOR A SOLUTION
This dialog gives you the option to send information about the error to
ScriptLogic Corporation and to receive a possible solution to the problem.
ScriptLogic Corporation recommends selecting the Send Error Report option.
This option will:
• Send information about the problem to ScriptLogic Corporation so the
problem can be researched and fixed.
• Query an online database for a possible solution to the problem. If a
solution exists it will be displayed on the console machine in a separate
dialog.
PRIVACY AND SECURITY CONCERNS
Only information pertaining to the specific problem will be sent to ScriptLogic
Corporation; no personal, machine, or network information is collected or
sent. The information is sent anonymously and the process will not impact
your network.
OBTAINING SUPPORT
For technical assistance with Patch Authority Ultimate, please refer to one of
the following support options:
• E-mail: support@scriptlogic.com
• Web: www.scriptlogic.com/support/
• Phone: 1-561-886-2450
Index
.drs file .......................................................................254
64-bit ............................................................................13
Activating the program ................................................28
Active Directory ..........................................................58
Active function pane ....................................................35
Address book .............................................................256
Administering roles ......................................................73
Administrative Installation Point ...............................166
Administrator privileges ..............................................28
Advanced report filter ................................................264
Affected machine count .............................................222
Agent
Agent
When to use .......................................................289
Agent client program .............................................303
Agent commands ...................................................300
Agent installation errors ........................................299
Agent installation options ..............................293, 295
Agent installation script .........................................298
Agent licenses ........................................................291
Agent listens ..........................................................307
Agent log ...............................................................307
Agent maintenance tasks .......................................303
Agent monitoring ..................................................302
Agent policies ........................................................306
Agent process ........................................................291
Agent proxy options ..............................................307
Agent uninstalling .................................................305
Agent-based solution .....................................288, 289
Agent configuration
General settings .....................................................307
Patch task ...............................................................310
Agent configuration ...................................................306
Agent Manager ..........................................................300
Agent options .............................................................249
Agent patch deployment process ...............................310
Agent service pack deployment process ....................310
Agent Standard template ............................................162
AgentInstaller.msi ......................................................295
Agentless solution ......................................................288
Agent .........................................................................290
Aggregate database ....................................254, 263, 282
AIP .............................................................................166
Always reboot ............................................................167
Approved patches ................................................84, 310
Archive Items list .........................................................37
Arrival options ...........................................................254
Assigning an agent policy ..........................................300
Assigning user roles .....................................................74
Asynchronous tasks ...............................................13, 96
Authentication options ...............................................244
Automatic synchronization ........................................274
Automatically download patches ...............................241
Automatically sending e-mail ....................................258
Background tasking ............................................. 96, 232
Backup files for uninstall .......................................... 164
Bandwidth throttling ......................................... 310, 316
Baseline patches ........................................................ 116
Best practices ............................................................ 167
Binary patches ........................................................... 166
Browse active directory ............................................... 58
Browse credentials ...................................................... 68
Bugtraq ........................................................................ 97
Button tray ................................................................... 35
Bypass proxy server check box ................................... 30
CAB file ...................................................................... 97
Cancel deployment .................................................... 162
Cancel task ................................................................ 179
Central console .......................................................... 277
Central Policy Manager ............................................. 277
Charts .......................................................................... 39
Check for new data files ............................................ 310
Check-in interval ............................................... 291, 307
Checkpoint/restart ..................................................... 310
Client patches ............................................................ 166
Client program .......................................................... 303
Close status dialog after deployment ......................... 247
Collect data for Tech Support ...................................... 85
Column chooser ......................................................... 123
Command-line ..................................................... 44, 298
Configuration options ................................................ 236
Connection timeout ................................................... 246
Console credentials ..................................................... 68
Consoles (multiple) ........................................... 277, 287
Context-sensitive Help ................................................ 44
Copy speed ................................................................ 164
Create a temporary system drive ............................... 244
Creating
Creating a custom XML file ................................. 185
Creating a new download center ........................... 241
Creating a patch group .......................................... 116
Creating a patch scan template .............................. 111
Creating an agent policy ....................................... 306
Creating favorites .................................................... 72
Creating machine groups ........................................ 46
Credential best practices .............................................. 68
Credentials
Browse credentials .................................................. 68
Default credentials ................................................ 244
Requirements for deploying to VMs ..................... 148
Supplying credentials .............................................. 68
Criticality level for machines .................................... 230
Criticality .................................................................. 223
Currently assigned role ................................................ 77
Custom
Custom Actions ............................................. 111, 172
Custom bulletin ..................................................... 189
Custom criticality .................................................. 155
Custom filter ..........................................................205
Custom Patch File Editor .......................................185
Custom patch process ............................................184
Custom patch .........................................................190
Custom product .....................................................186
Custom XML .................................................185, 198
Customizing column headers .....................................123
CVEID .........................................................................97
Data files ....................................................................260
Data rollup options .....................................................254
Data rollup .................................................................278
Database description ....................................................42
Database maintenance ................................................320
Database setup .............................................................20
db_owner role ..............................................................19
Default credentials .....................................................244
Default patch scan template .......................................115
Definition download options ......................................239
Deploying patches
Deploying all patches ............................................144
Deploying one patch ..............................................143
Deploying to multiple machines ............................146
Deploying to virtual machines ...............................148
Deploying with an agent ........................................310
Deploying patches ......................................................143
Deploying service packs
Deploying SPs from the console ............................152
Deploying SPs with an agent .................................310
Deploying service packs ............................................152
Deployment
Automatic deployment ..........................................157
Cancelling a deployment .......................................162
Deployment prerequisites ......................................141
Deployment configuration .....................................157
Deployment history ...............................................162
Deployment options ...............................................247
Deployment results ................................................161
Deployment seats ....................................................34
Monitoring a deployment ......................................159
Scheduling a deployment .......................................157
Deployment options ...................................................247
Deployment template .........................................162, 163
Deployment Tracker ..................................................177
Detailed patch information .........................................134
DFS replication ..........................................................274
Dialog ........................................................................167
Disable networking ....................................................148
Disable supersedence .................................................246
Disable Sysprep .........................................................148
Disconnected console configuration
Configuring the central console .............................284
Configuring the remote console .............................285
Disconnected console configuration ..........................282
Disconnected mode ....................................................260
Display icon in system tray ........................................307
Display options ..........................................................236
Display the file size confirmation dialog ...................241
Distributed Policy Manager .......................................277
Distributed Policy Service .........................................277
Distribution server status report .................................274
Distribution servers
Configuring ...........................................................267
Deployment template tab ...................................... 174
IP addresses .......................................................... 272
Synchronizing ....................................................... 274
Update distribution server ..................................... 281
Distribution servers ................................................... 266
Domains .............................................................. 55, 104
Download centers .............................................. 183, 241
Download individual non-English patches ................ 138
Download non-English patches ................................. 137
Downloading patches ................................................ 136
Download .................................................................. 136
Duplicate virtual machines .......................................... 90
Dynamic product detection .......................................... 96
Effectively installed patches ...................................... 100
E-mail feature
Address book ........................................................ 256
Automatically sending e-mail ............................... 258
Manually sending e-mail ....................................... 258
E-mail feature ............................................................ 256
E-mail options ........................................................... 253
E-mail tab .................................................................. 171
Enable automatic e-mailing ....................................... 253
Enable passphrase in manual agent installs ............... 249
Enumerating machines ................................................ 98
Error messages .......................................................... 299
ESX Server ............................................................ 61, 64
Excluding machines .................................................... 67
Executive summary report ......................................... 125
Explicitly installed patches ........................................ 100
Export data rollup settings ......................................... 254
Export machine group ................................................. 47
Exporting Reports ..................................................... 265
F1 ................................................................................ 44
Favorites ...................................................................... 72
File download options ............................................... 239
File locations ............................................................. 260
File version .................................................................. 99
Filter
Filter Patches ........................................................ 111
Filtering Machine View ........................................ 127
Filtering machines ........................................... 47, 127
Filtering Patch View ............................................. 205
Filtering reports ..................................................... 264
Find user ...................................................................... 74
Force reboot .............................................................. 167
Foreign language support .......................... 137, 138, 182
Found patch count ..................................................... 222
Full-file patches ......................................................... 166
Generate MBSA-formatted output ............................ 246
GUI ............................................................................. 39
Help system ................................................................. 44
hf7b.xml .............................................................. 97, 260
hfcli.exe ....................................................................... 44
History ............................................................... 109, 162
Home page .................................................................. 39
Hosted virtual machines .............................................. 61
How do I . . . ? ............................................................. 39
Ignoring machines ....................................................... 67
Import data rollup settings ......................................... 254
Import from file ............................................... 53, 55, 57
Import machine group ................................................. 47
Importing patch definitions ......................................... 28
Installation log (agent) ...............................................299
Installation logs ............................................................85
Installed tab ................................................................136
Installing
Installing agents .............................................293, 295
Installing the program ..............................................20
Installing the Scheduler .........................................235
Interface .......................................................................35
International mode .....................................................182
Internet Explorer ........................................................252
Internet .................................................................30, 252
IP address .............................................................57, 105
Kerberos .......................................................................20
Keyboard shortcuts ....................................................129
Language support options ..........................................182
License information .....................................................34
Limited Edition ............................................................78
Linking text files ..........................................................67
Listening agent ...........................................................307
Listening port .............................................................307
Local machine credentials ............................................68
Local machine ............................................................103
Log files
Agent log files .......................................................307
Console log files ....................................................251
Event log ...............................................................161
Installation logs .......................................................85
Scheduler log .........................................................161
Version log ..............................................................33
Log files .....................................................................233
Logging options .........................................................251
Machine account credentials ........................................25
Machine criticality .....................................................230
Machine group
Add by IP ................................................................57
Add by OU ..............................................................58
Add domain .............................................................55
Add machine by name .............................................53
Add virtual machine ................................................61
Excluding machines .................................................67
Linking files to ........................................................67
Nested group ............................................................60
Machine group .............................................................46
Machine properties ....................................................229
Machine View
Accessing Machine View ......................................211
Filtering information .............................................127
Machine group information ...................................126
Navigating Machine View .....................................212
Searching for machines .........................................126
Viewing patch summaries .....................................222
Machine View ............................................................211
Machines Installed tab
Machine View .......................................................136
Patch View ............................................................210
Scan View .............................................................136
Machines Missing tab
Machine View .......................................................135
Patch View ............................................................210
Scan View .............................................................135
Machines not scanned ................................................121
Maintenance tasks for agents .....................................303
Maintenance window ................................................ 310
Manage items ............................................................ 228
Managing custom XML files ..................................... 198
Manual agent installation script ................................. 298
Manually installing agents ......................................... 295
Manually sending e-mail ........................................... 258
MBSA ................................................................. 78, 111
Menu commands ......................................................... 40
Microsoft Knowledge Base ......................................... 97
Microsoft Scheduler .................................................. 248
Missing patch count .................................................. 222
Missing tab ................................................................ 135
Mitre.org ..................................................................... 97
Monitoring
Monitoring agents ................................................. 302
Monitoring deployments ....................................... 159
Patch scan ............................................................. 109
MSST-001 ................................................................. 111
Multiple consoles ...................................................... 277
Multiple users ............................................................ 303
My Domain ................................................... 39, 45, 104
My Machine .......................................................... 39, 45
My Test Machines ....................................................... 45
Navigating the interface .............................................. 35
Navigation buttons ...................................................... 42
Nested group ............................................................... 60
Network isolation ...................................................... 148
Never reboot .............................................................. 167
Non-English patches ................................................. 137
Non-security patches ................................................. 110
Nullpatch.exe ............................................................ 111
Office Administrative Install Point ............................ 166
Office deployment ..................................................... 166
Offline virtual machines ........................................ 61, 89
Online Help ................................................................. 44
Operations Monitor ................................................... 232
Options
Agent options ........................................................ 249
Arrivals/Data rollup options .................................. 254
Credential options ................................................. 244
Definition download options ................................. 239
Deployment options .............................................. 247
Display options ..................................................... 236
E-mail options ....................................................... 253
Logging options .................................................... 251
Notifications and warnings options ....................... 238
Patch download options ........................................ 241
Patch language options ......................................... 245
Proxy options ........................................................ 252
Scan options .......................................................... 246
Scheduling options ................................................ 248
Options ...................................................................... 236
Organizational Unit ..................................................... 58
Passphrase ......................................................... 249, 295
Patch
Client patch ........................................................... 166
Effectively installed .............................................. 100
Explicitly installed ................................................ 100
Full-file patch ........................................................ 166
Patch agents .......................................................... 289
Patch deployment .................................................. 143
Patch download options ........................................ 241
Patch group ............................................................116
Patch Info tab .........................................................134
Patch language options ..........................................245
Patch list ........................................................280, 281
Patch scan results ...................................................121
Patch scan template ...............................................110
Patch scan ......................................................103, 105
Patch status ..............................................................98
Patch supersedence ..................................................99
Uninstalling ...........................................................180
Patch Authority Agent
Agent policy ..........................................................306
Assigning an agent policy ......................................300
Icon ........................................................................302
Installing ........................................................293, 295
Maintenance ..........................................................303
Monitoring .............................................................302
Preparing ...............................................................292
Uninstalling ...........................................................305
Patch Authority Agent ...............................................290
Patch count .................................................................216
Patch deployment
Canceling a deployment ........................................162
Deploying one or more patches .............................143
Deploying service packs from the console ............152
Deploying service packs with an agent ..................310
Deploying to multiple machines ............................146
Deployment prerequisites ......................................141
Deployment process (agents) .................................310
Monitoring deployments ........................................159
Patch deployment .......................................................139
Patch download options .............................................241
Patch groups ...............................................................116
Patch Information tab
Machine View .......................................................134
Patch View ............................................................209
Scan View .............................................................134
Patch language options ..............................................245
Patch management .......................................................12
Patch scan results .......................................................121
Patch scan ..........................................................103, 105
Patch status ..................................................................98
Patch summaries ................................................131, 222
Patch task ...................................................................310
Patch View
Accessing Patch View ...........................................201
Filtering Patch View ..............................................205
Navigating Patch View ..........................................202
Searching Patch View ............................................205
Patch View .................................................................201
Performing actions on machines ................................129
Policy agent ...............................................................306
Port requirements .........................................................13
Post-deploy reboot .....................................................169
Predefined scan templates ..........................................110
Pre-deploy reboot .......................................................167
Prerequisites .................................................................18
Program Functions .......................................................37
Prompt for languages on download ............................245
Prompt when needed (credentials) .............................244
ProPatches folder .......................................................230
Proxy options .............................................................252
Proxy server ........................................................ 30, 252
Quiet mode ................................................................ 164
Randomize scheduled time ........................................ 310
Reboot options .................................................. 167, 169
Reboot when needed ................................................. 169
Recent Items list .......................................................... 37
Refresh files ........................................................ 40, 239
Registering .................................................................. 28
Remote console ......................................................... 277
Remote dialog ........................................................... 164
Remove temp files ..................................................... 164
Report filtering .................................................. 263, 264
Report Gallery ........................................................... 263
Reporting errors ......................................................... 323
Reports ...................................................................... 261
Requirements
Agent requirements ................................................. 13
Patch scan requirements ........................................ 101
Port requirements .................................................... 13
Requirements ............................................................... 13
Right-click menu ....................................................... 129
Role-based administration ........................................... 73
Rollback of patches ................................................... 180
Rollup console ........................................................... 278
Run on boot ............................................................... 310
Run Scan dialog ........................................................ 106
SafeReboot ........................................................ 167, 169
Save default credentials ............................................. 244
Scan history ............................................................... 109
Scan options .............................................................. 246
Scan summary ........................................................... 125
Scan template ............................................................ 110
Scan View ................................................................. 121
Scan/Deployment history .................................. 109, 162
Scanning
Scan history .......................................................... 109
Scanning domains ................................................. 104
Scanning machines ................................................ 105
Scanning overview ................................................ 100
Scanning prerequisites .......................................... 101
Scanning the local machine ................................... 103
Scheduling scans ................................................... 106
Scanning engine .......................................................... 97
Scans database ............................................................. 20
Schedule reboot ......................................................... 169
Scheduled scans ........................................... 72, 106, 233
Scheduled Tasks Manager ......................................... 233
Scheduler Lifetime .................................................... 248
Schedulers ......................................................... 235, 248
Scheduling
Scheduling options ................................................ 248
Scheduling patch deployments .............................. 157
Scheduling patch scans ......................................... 106
Script ......................................................................... 298
Search tool ......................................................... 126, 205
Security Patch Scan template .................................... 110
Security Patch Scan ................................................... 110
Send Tracker status ................................................... 164
Service pack group .................................................... 316
Service packs
Deploying service packs from the console ............ 152
Deploying service packs with an agent ................. 310
Downloading from the console ..............................136
Setup Wizard ...............................................................30
Severity ......................................................................134
Shortcut on desktop .....................................................20
Show informational items ..........................................236
Show main toolbar .....................................................236
Show only items created by me .................................236
Show Run Now dialog ...............................................246
Shutdown IIS Server ..................................................164
Shutdown SQL Server ...............................................164
Simple file sharing .....................................................101
Smart filters .......................................................127, 205
SMTP server ................................................30, 253, 256
Snapshot .....................................................................175
Software distribution ..................................................111
SQL Server maintenance ...........................................320
SQL Server notes ...................................................19, 25
Standard deployment template ...................................162
Starting the program ....................................................28
Statistics .......................................................................39
Status report ...............................................................274
STExec role .................................................................25
Supersedence .......................................................99, 246
Supplying credentials ...................................................68
Support .......................................................................324
Synchronizing engines and data files .........................274
Synchronizing patches ...............................................274
Sysprep ......................................................................148
System account ..........................................................271
System drive share .....................................................244
System requirements ....................................................13
Technical Support ................................................85, 324
Temp files ..................................................................164
Templates
Creating a scan template ........................................111
Default scan template ............................................115
Deployment template .............................................162
Predefined scan templates .....................................110
Virtual machine template .........................................89
Test Machines group ....................................................45
Test Patch Deployment tab ........................................232
Testing patch deployment ..........................................142
Third-party applications .....................................120, 148
Timeouts ....................................................................246
Today's deployments ..................................................162
Today's Items list .........................................................37
Today's scans .............................................................109
Toolbar buttons ............................................................42
Tracker .......................................................................177
Troubleshooting agents ..............................................299
UAC .......................................................................... 101
Unattended console ........................................... 280, 281
UNC share ................................................................. 241
Uninstalling agents .................................................... 305
Uninstalling patches .................................................. 180
Update agent settings ................................................ 307
Update files ......................................................... 40, 239
Use backup server ..................................................... 174
Use only the browse list ............................................ 246
Use vendor as backup ................................................ 174
Used By tab
Deployment template ............................................ 176
Patch scan template ............................................... 111
User interface .............................................................. 39
User roles .................................................................... 74
Validating custom XML ............................................ 197
vCenter server ....................................................... 61, 64
Version information .............................................. 33, 99
Version log .................................................................. 33
View current status .................................................... 263
Viewing custom patches ............................................ 200
Viewing favorites ........................................................ 73
Virtual environments ................................................... 96
Virtual Machine Standard deployment template ....... 162
Virtual machines
Connection limits .................................................... 90
Duplicates ............................................................... 90
Network isolation .................................................. 148
Offline workstations ................................................ 64
Roadmap of tasks .................................................... 95
Snapshots .............................................................. 175
Viewing in machine group ...................................... 66
Virtual machine notes ............................................. 90
Virtual machine overview ....................................... 89
Virtual machine template ........................................ 89
VirtualMachine.Interact .............................................. 90
VirtualMachine.Provisioning ...................................... 93
VirtualMachine.State ................................................... 90
VMware permissions
Adding hosted VMs to a group ............................... 61
Changing power state of offline VM ....................... 90
Managing snapshots .......................................... 90, 93
VMware tools ............................................................ 148
VPN tunnels .............................................................. 290
Welcome ..................................................................... 12
Windows Update service ........................................... 141
Windows Vista .............................................. 13, 68, 101
WUScan .................................................................... 110
XML file (custom) .................................................... 185
XML patch data file .................................................... 97