SolarWinds Patch Manager Evaluation Guide

SolarWinds
Patch Manager
Version 2.1.3
Evaluation Guide
Last Updated: Friday, September 23, 2016
About SolarWinds
SolarWinds, Inc. develops and markets an array of network management, monitoring, and discovery tools
to meet the diverse requirements of today’s network management and consulting professionals.
SolarWinds products continue to set benchmarks for quality and performance and have positioned the
company as the leader in network management and discovery technology. The SolarWinds customer base
includes over 45 percent of the Fortune 500 and customers from over 90 countries. Our global business
partner distributor network exceeds 100 distributors and resellers.
Copyright
© 2016 SolarWinds Worldwide, LLC. All rights reserved.
This document may not be reproduced by any means nor modified, decompiled, disassembled, published
or distributed, in whole or in part, or translated to any electronic medium or other means without the prior
written consent of SolarWinds. All right, title, and interest in and to the software and documentation are
and shall remain the exclusive property of SolarWinds and its respective licensors.
SOLARWINDS DISCLAIMS ALL WARRANTIES, CONDITIONS OR OTHER TERMS, EXPRESS OR IMPLIED,
STATUTORY OR OTHERWISE, ON SOFTWARE AND DOCUMENTATION FURNISHED HEREUNDER INCLUDING
WITHOUT LIMITATION THE WARRANTIES OF DESIGN, MERCHANTABILITY OR FITNESS FOR A PARTICULAR
PURPOSE, AND NONINFRINGEMENT. IN NO EVENT SHALL SOLARWINDS, ITS SUPPLIERS, NOR ITS LICENSORS
BE LIABLE FOR ANY DAMAGES, WHETHER ARISING IN TORT, CONTRACT OR ANY OTHER LEGAL THEORY EVEN
IF SOLARWINDS HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES.
The SolarWinds and other SolarWinds marks, identified on the SolarWinds website, as updated from
SolarWinds from time to time and incorporated herein, are registered with the U.S. Patent and Trademark
Office and may be registered or pending registration in other countries. All other SolarWinds trademarks
may be common law marks or registered or pending registration in the United States or in other countries.
All other trademarks or registered trademarks contained and/or mentioned herein are used for
identification purposes only and may be trademarks or registered trademarks of their respective
companies.
Contacting SolarWinds
You can contact SolarWinds in a number of ways, including the following:
Team: Contact Information
Sales: 1.866.530.8100, www.solarwinds.com
Technical Support: www.solarwinds.com/support
User Forums: thwack.com, thwack.com/community/application-and-server_tht/patchzone
Table of Contents
About SolarWinds
  Copyright
  Contacting SolarWinds
Table of Contents
Introduction
  Patch Manager Server
  Microsoft SQL Server
  Administration Console
  Web Console
  Managed Computers
  Agents (Optional)
Installing Patch Manager
  Requirements
  Notes on Windows Server 2008 R2 with SP1
  Port and Firewall Information
  Port 135 TCP – RPC Endpoint Mapper
  Port 445 TCP – SMB over TCP
  Port 4092 – Console-to-Server Communication
  Port 8787 TCP – Web Console Connections
  Port 17777 TCP – SolarWinds Information Service
  Port 389 TCP – Lightweight Directory Access Protocol
  Dynamic Ports 1024-65536 – DCOM or RPC
  Installing the Patch Manager PAS
  Configuring Email Settings
  Configuring Proxy Settings
  Configuring Console Proxy Settings
  Configuring Server Proxy Settings
  Patch Manager Licensing
  Going from Evaluation to Production
  Licensing Servers with Internet Access
  Licensing Servers without Internet Access
Getting Started
  First Time Usage Wizard FAQ
  Why does it take so much time to install an update?
  What is the First Time Usage Wizard doing when it is installing packages?
  How can I decrease the amount of time the wizard takes?
  Can I mass add computers?
  Initial Configuration
  Configuring Managed Resources
  Configuring Credentials and Credential Rings Rules
  Configuring Update Services
  Configuring Publishing Servers
  Configuring Managed Clients
  Using Group Policy to Configure Managed Clients
  Exporting the WSUS Certificate
  Configuring the Group Policy Object
  Configuring Clients from the Patch Manager Console
  Client Certificate Management
  Windows Update Local Policy Management
  Configuring the Web Console
  Configuring the Patch Manager Web Console
  Creating a Third Party Updates View
  Third-party Updates View for WSUS
  Saved Searches in ConfigMgr 2007
Updating Multiple Computers
  Publishing Trial Updates
  Publishing Adobe Reader Updates
  Publishing Java Runtime Environment Updates
  Publishing Adobe Flash Updates
  Approving Updates
  Installing Updates
Next Steps
Introduction
SolarWinds Patch Manager extends native Microsoft Windows Server Update Services (WSUS) and
Microsoft System Center Configuration Manager (ConfigMgr) functionality using an enhanced Microsoft
Management Console (MMC) interface. For ConfigMgr, Patch Manager integrates with the new ribbon-style
console to extend ConfigMgr's functionality.
The Patch Manager console has the following functionality:
• View and manage Microsoft updates on your WSUS server or ConfigMgr software update point (SUP).
• Publish and manage third party updates using built-in WSUS functionality in both WSUS and
  ConfigMgr environments.
• Deploy updates on demand by leveraging the Windows Update Agent on target systems.
• Execute configuration management tasks on one or more managed computers.
• Run flexible and detailed reports about the updates and assets in your publishing environment.
Patch Manager is composed of several components to integrate with the WSUS or ConfigMgr servers in
your publishing environment. Each of the following components is modular to allow a high level of
flexibility in large or complex deployment scenarios:
• Patch Manager Server
• Microsoft SQL Server
• Administration Console
• Web Console
• Managed Computers
• Agents (Optional)
The following diagram illustrates a typical Patch Manager installation. For additional information about
alternative deployment scenarios, see "Advanced Deployment Scenarios" in the Administrator Guide.
[Figure: A Typical Patch Manager Deployment Scenario]
Note: In ConfigMgr environments, the WSUS Server in this diagram corresponds to the ConfigMgr software
update point (SUP).
Patch Manager Server
The Patch Manager server consists of several components, which you can install on a single server or
distribute across several servers according to the three Patch Manager server roles.
Application Server
Interfaces with the MMC-based or integrated ConfigMgr administration consoles, and manages all
communication between the console and the rest of the Patch Manager environment.
Management Server
Maintains all inventory and discovery data for specific systems in the Patch Manager environment.
Each Management role server has a defined collection of managed entities, specified by their
corresponding domain, workgroup, or WSUS server.
Automation Server
Manages the local Patch Manager worker processes on each Patch Manager server. The worker
processes perform the inventory and configuration management tasks and interface with the
Windows Management Instrumentation (WMI) providers to collect data and supervise remote
management capabilities.
The Express installation option installs all three server roles and the Patch Manager console on a single
server. You can also deploy multiple Patch Manager servers in one or more of these roles in a distributed
environment.
By default, the first Patch Manager server you install is the Primary Application Server (PAS). It contains the
primary configuration management database for the application and also serves as a Certificate Authority
for the certificates used to register and encrypt Patch Manager communications.
All Patch Manager servers run as the EminentWare Data Grid Server service, named for the original
developer of the product. This service runs automatically at system startup, and manages all aspects of the
Patch Manager server except those provided by SQL Server.
Microsoft SQL Server
Patch Manager stores all of its configuration and inventory data on a Microsoft SQL Server database. You
can install a local copy of SQL Server Express directly on the Patch Manager server, or connect Patch
Manager to a remote SQL server.
Administration Console
The Patch Manager administration console is an MMC 3.0-based snap-in that connects to the Patch
Manager PAS. In ConfigMgr environments, there is an additional Patch Manager console integrated with
the ConfigMgr console. In any case, you can install the administration console directly on the Patch
Manager server, or on one or more remote administration workstations.
Web Console
The Patch Manager web console is a read-only interface that displays detailed information from a Patch
Manager Application role server. You can install the web console server on any Windows web server that
can connect to the Patch Manager Application role server. Access the web console from any computer with
access to the host web server's website.
Managed Computers
Managed computers include all WSUS servers, ConfigMgr servers, and managed clients in the enterprise.
For optimal inventory and reporting functionality, deploy the Patch Manager Windows Management
Interface (WMI) providers to all managed clients.
Agents (Optional)
Agents are an optional component that you can choose to deploy to managed computers. Agents are
usually deployed to computers if the computers cannot be managed directly over the network with WMI.
Installing Patch Manager
Install Patch Manager on a server that meets or exceeds the minimum requirements. After installing the
initial Patch Manager server, use the automated configuration wizards to complete setup. This section
addresses the following topics regarding the initial setup:
• Requirements
• Installing the Patch Manager PAS
• Patch Manager Licensing
Requirements
The following table provides the minimum requirements for a SolarWinds Patch Manager installation.
SOFTWARE/HARDWARE: REQUIREMENTS

Operating System (Patch Manager servers and consoles)
  Install the Patch Manager web console server on a 32- or 64-bit computer running IIS on any of the
  following operating systems:
  • Windows Server 2008 R2 with SP1
  • Windows Server 2012
  • Windows Server 2012 R2
  Additionally, SolarWinds supports the following operating systems for evaluation purposes:
  • Windows 7
  • Windows 7 SP1
  • Windows 8
  • Windows 8.1
  • Windows 10

Operating System (managed clients)
  Patch Manager manages 32- or 64-bit computers running any of the following operating systems:
  • Windows XP Professional SP3 or later
  • Windows Vista Business, Enterprise, or Ultimate SP2 or later
  • Windows 7 Professional, Enterprise, or Ultimate
  • Windows 8
  • Windows 8.1
  • Windows Server 2003 SP2 or later
  • Windows Server 2003 R2 SP2 or later
  • Windows Server 2008 SP2 or later
  • Windows Server 2008 R2
  • Windows Server 2012
  • Windows Server 2012 R2
  • Windows 10

Operating System (web console)
  Install the Patch Manager web console server on a 32- or 64-bit computer running IIS on any of the
  following operating systems:
  • Windows Server 2008 R2 with SP1
  • Windows Server 2012
  • Windows Server 2012 R2
  Additionally, SolarWinds supports the following operating systems for evaluation purposes:
  • Windows 7
  • Windows 7 SP1
  • Windows 8
  • Windows 8.1
  • Windows 10

Internet Browser (web console)
  The Patch Manager web console is compatible with the following Internet browsers:
  • IE11, Edge (Spartan)
  • Firefox - two most recent versions at the time of shipping
  • Chrome - two most recent versions at the time of shipping
  • IE6, IE7, IE8, IE9, IE10 and other non-supported browsers are not supported but are not blocked.
  • Safari - latest version

CPU Speed
  Pentium 1.5 GHz equivalent or faster (x86, x64, or AMD64)
  Dual Core recommended

Memory
  1 GB RAM
  2 GB or more recommended if running both the Patch Manager server and web console server
  4 GB or more recommended if x64

Hard Drive Space
  5 GB*
  10 GB or more recommended

Database
  Patch Manager is compatible with Microsoft SQL Server instances running the following versions:
  • SQL Server 2008
  • SQL Server 2008 R2
  • SQL Server 2008 R2 SP1
  • SQL Server 2008 R2 SP2
  • SQL Server 2008 R2 SP3
  • SQL Server 2008 SP1
  • SQL Server 2008 SP2
  • SQL Server 2008 SP3
  • SQL Server 2008 SP4
  • SQL Server 2012
  • SQL Server 2012 SP1
  • SQL Server 2012 SP2
  • SQL Server 2012 SP3
  • SQL Server 2014
  • SQL Server 2014 SP1
  • SQL Server 2016
  Express, Standard, or Enterprise editions

WSUS
  Patch Manager supports WSUS servers running the following versions:
  • Windows Server Update Services 3.0 SP2 or later with Microsoft KB2734608 applied
  • Windows Server Update Services 6.0 installed on Windows Server 2012
  • Windows Server Update Services 6.2 installed on Windows Server 2012
  • Windows Server Update Services 6.3 installed on Windows Server 2012 R2

ConfigMgr (if applicable)
  Patch Manager supports SCCM (ConfigMgr) servers running the following versions:
  • System Center Configuration Manager 2007 SP2 or later
  • System Center Configuration Manager 2012
  • System Center Configuration Manager 2012 R2
  • System Center Configuration Manager 1511
  • System Center Configuration Manager 1602
  Note: System Center Configuration Manager must be installed before Patch Manager.

Visual C++ Runtime
  Microsoft Visual C++ Secure Runtime 9.0 SP1
  Note: The Patch Manager installer installs this component if it is not already installed.

Web Server (web console server)
  Microsoft IIS 6.0 or later

.NET Framework
  • Version 3.5 for Patch Manager server
  • Version 4.5 for Web server

Internet Access
  Install Patch Manager on a server that can access the following:
  www.microsoft.com if you do not have a local copy of the WSUS installer
  3pupcontent.solarwinds.com if you plan on evaluating the third party update functionality

Ports
  Server and console components use port 4092 TCP
  Servers communicate with managed computers using the following ports:
  • 135 TCP
  • 445 TCP
  • Dynamic ports 1024 to 65536 (varies by operating system)
  The Patch Manager web console server uses the following ports:
  • 8787 TCP
  • 17777 TCP

*Note: Patch Manager is not likely to use the recommended 5-10 GB of hard drive space when properly
managed. However, we recommend the higher capacity to accommodate fluctuations in space
requirements over the course of operating the product.
Notes on Windows Server 2008 R2 with SP1
Complete the following additional setup tasks if you plan to use or manage servers running
Windows Server 2008 R2 SP1 with Patch Manager:
• To ensure Remote Procedure Call (RPC) connectivity to deploy the WMI Provider, enable the WMI
  and Remote Administration Inbound rules on managed computers running Windows Firewall on
  Windows Server 2008. Windows Server 2008 blocks these firewall rules by default.
• If any workgroups are exclusively hosted on Windows Server 2008 or Windows Server 2008 R2
  resources, enable and start the Computer Browser service and enable Network Discovery on at
  least one system in the workgroup. This system provides a Master Browser for the Managed
  Resource Enterprise Configuration Wizard.
For additional information about these tasks, see the Microsoft TechNet Library for Windows Server 2008,
http://technet.microsoft.com/library/dd349801.
Port and Firewall Information
The following sections describe the ports used in the Patch Manager environment.
Port 135 TCP – RPC Endpoint Mapper
The Patch Manager server uses this port to establish WMI connections to remote computers. It also uses
this port to connect to the Service Control Manager (SCM) when it provisions the WMI providers
dynamically on the remote computer.
Create a firewall exception to allow traffic from the Patch Manager server to your managed computers over
this port. To do this if you are using Windows Firewall on your managed computers, enable the Inbound
Rules in the Windows Management Instrumentation (WMI) group.
Port 445 TCP – SMB over TCP
The Patch Manager server uses this port when it provisions the WMI providers to a remote computer.
Enable File and Print Sharing on the client systems using the applicable network management tools.
Port 4092 – Console-to-Server Communication
The Patch Manager console uses this port to communicate to an independent Patch Manager application
server. This is a one-way communication channel, so it only requires inbound TCP traffic on the application
server.
Patch Manager servers in a distributed environment also use this port in the same manner for
"downstream" communication. For example, the Patch Manager Primary Application Server (PAS) uses port
4092 to communicate with remote Patch Manager servers in secondary server roles.
Port 8787 TCP – Web Console Connections
By default, users connect to the Patch Manager web console server on port 8787. You can specify an
alternative port in the SolarWinds Configuration Wizard on the server running the Patch Manager web
console server.
Port 17777 TCP – SolarWinds Information Service
The SolarWinds Information Service (SWIS) facilitates data exchange for the Patch Manager web console,
along with the web console Application Programming Interface (API). Ensure this port is not blocked on
servers running the Patch Manager web console server.
Port 389 TCP – Lightweight Directory Access Protocol
Patch Manager servers use this port for Active Directory authentication.
Dynamic Ports 1024-65536 – DCOM or RPC
WMI technology is based on Distributed Component Object Model (DCOM)/RPC communication. DCOM/RPC
allocates the ports used by the server within a dynamic port range. This range is typically between 1024
and 65536. To configure these ports using Windows Firewall on your managed computers, enable the
Inbound Rules in the Windows Management Instrumentation (WMI) group.
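One way to apply the exceptions described in the port sections above while limiting each one to the hosts that need it, shown as an added PowerShell example that is not SolarWinds code. It assumes Windows 8 or Windows Server 2012 or later (the NetSecurity module) with English rule names; the addresses are placeholders, and the role names, the rule group name and the list of SWIS clients are assumptions made for the example.

```powershell
#Requires -RunAsAdministrator
#Requires -Modules NetSecurity
# Added example (not SolarWinds code): create the firewall exceptions this guide
# lists, but scope each one to named peers instead of any remote address.
[CmdletBinding()]
param(
    [Parameter(Mandatory)]
    [ValidateSet('ManagedComputer', 'PatchManagerServer', 'WebConsoleServer')]
    [string]$Role,

    # Placeholder addresses (RFC 5737 documentation ranges). Replace with your own.
    [string[]]$PatchManagerServers = @('192.0.2.10'),       # PAS and secondary servers
    [string[]]$ConsoleHosts        = @('192.0.2.20'),       # administration console workstations
    [string[]]$WebConsoleClients   = @('198.51.100.0/24'),  # browsers that use the web console
    [string[]]$SwisClients         = @('192.0.2.10')        # assumption: hosts that query SWIS
)

# Hypothetical group name so the rules added here are easy to find and remove.
$RuleGroup = 'Patch Manager (scoped example)'

function New-ScopedAllowRule {
    param(
        [Parameter(Mandatory)][string]$DisplayName,
        [Parameter(Mandatory)][int]$LocalPort,
        [Parameter(Mandatory)][string[]]$RemoteAddress
    )
    # Replace any earlier copy so re-running the script does not stack duplicates.
    Get-NetFirewallRule -DisplayName $DisplayName -ErrorAction SilentlyContinue |
        Remove-NetFirewallRule
    $rule = @{
        DisplayName   = $DisplayName
        Group         = $RuleGroup
        Direction     = 'Inbound'
        Action        = 'Allow'
        Protocol      = 'TCP'
        LocalPort     = $LocalPort
        RemoteAddress = $RemoteAddress
    }
    New-NetFirewallRule @rule | Out-Null
}

switch ($Role) {
    'ManagedComputer' {
        # 135 TCP and the dynamic DCOM/RPC ports: the built-in WMI group already
        # describes them, so enable its inbound rules and restrict the source.
        # If other management tools use WMI on this host, add their addresses too.
        Get-NetFirewallRule -DisplayGroup 'Windows Management Instrumentation (WMI)' |
            Where-Object Direction -eq 'Inbound' |
            Set-NetFirewallRule -Enabled True -RemoteAddress $PatchManagerServers

        # 445 TCP: a dedicated rule for WMI provider provisioning, instead of
        # enabling the whole File and Printer Sharing group for every source.
        New-ScopedAllowRule -DisplayName 'Patch Manager provisioning (SMB 445)' `
            -LocalPort 445 -RemoteAddress $PatchManagerServers
    }
    'PatchManagerServer' {
        # 4092 TCP is inbound only: consoles and upstream Patch Manager servers connect in.
        New-ScopedAllowRule -DisplayName 'Patch Manager console-to-server (4092)' `
            -LocalPort 4092 -RemoteAddress ($ConsoleHosts + $PatchManagerServers)
    }
    'WebConsoleServer' {
        # 8787 TCP is the default web console port; change it here if you chose
        # another port in the SolarWinds Configuration Wizard.
        New-ScopedAllowRule -DisplayName 'Patch Manager web console (8787)' `
            -LocalPort 8787 -RemoteAddress $WebConsoleClients
        New-ScopedAllowRule -DisplayName 'SolarWinds Information Service (17777)' `
            -LocalPort 17777 -RemoteAddress $SwisClients
    }
}

# List the rules this script added, with their remote-address scope, for review.
Get-NetFirewallRule -Group $RuleGroup -ErrorAction SilentlyContinue | ForEach-Object {
    [pscustomobject]@{
        Rule          = $_.DisplayName
        Enabled       = $_.Enabled
        RemoteAddress = ($_ | Get-NetFirewallAddressFilter).RemoteAddress -join ', '
    }
}
```

Save it as a script and run it once per host with the matching -Role value. Port 389 TCP needs no inbound rule on Patch Manager hosts, because the Patch Manager servers are the clients of Active Directory.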
Installing the Patch Manager PAS
Complete the following procedure to install the initial Patch Manager server and console with the Primary
Application Server (PAS) server role. Patch Manager installs components that you may be missing, such as
C++ Runtime and/or Microsoft .NET Framework. Depending on the number of prerequisites your computer
is missing and the number of components you are installing, the Patch Manager install process may take
an hour or more. Pre-installing Microsoft .NET versions 4.0 and 3.5 SP1 may save you time during the
installation process.
Notes:
• SolarWinds does not support Patch Manager installed on domain controller servers.
• You must set the server's Region and Language to English (United States) when you install Patch
  Manager.
• If you plan on integrating Patch Manager with ConfigMgr, the ConfigMgr console must already be
  installed before installing Patch Manager consoles and servers.
• To install Patch Manager using a remote SQL instance, you must run the installer as an existing,
  fully qualified domain account with SysAdmin rights on the remote SQL server and select
  Advanced Install.
• Products using the Orion platform cannot be installed on a computer with a WSUS server on
  Windows 2003 x64.
• Install the Patch Manager PAS on Windows 2012 to manage WSUS v6 (Windows 2012) servers.
• Install the Patch Manager PAS on Windows 2012 R2 to manage WSUS v6.3 (Windows 2012 R2)
  servers.
To install the Patch Manager Primary Application Server:
1. Log on as an administrator to the server on which you want to install Patch Manager.
2. Temporarily disable any antivirus software.
3. Run the SolarWinds Patch Manager installer. The installer will prompt you to install any missing
prerequisites.
4. Select Install the Patch Manager server components and Install the Patch Manager
administration console, and click Next.
5. Click Next.
6. If you choose to install the Patch Manager Orion web interface and you do not have IIS installed,
select Continue with Orion installation (Recommended). The installer will install IIS.
7. Accept the End User License Agreement (EULA), and then click Next.
8. Click Next to use the default installation folder. Click Browse to choose a different folder.
9. Select Express Install - Recommended, and click Next. This selection will also install a
WSUS server and SQL Express.
Note: If you have a WSUS server or an SQL instance you want to use, or if you want to install
different server roles, select Advanced Install. To complete your PAS installation, select Primary
Application Server (Recommended) when prompted.
10. Click Next. The Patch Manager components are installed.
11. Click Finish.
12. Configure the Microsoft Management Console for a WSUS or SCCM environment by selecting either
the WSUS Extension Pack or the System Center Configuration Manager Extension Pack.
13. Click Continue.
14. Enter the local Administrator credentials, and click Save.
Configuring Email Settings
When you create tasks in Patch Manager, you have the option to configure email notifications for when the
task is finished. For this option to work, you need to configure SMTP settings on the Patch Manager server.
To configure SMTP settings on the Patch Manager server:
1. In the left pane of the Patch Manager console, expand Patch Manager System Configuration > Patch
Manager Servers, and then select Application Servers.
2. In the upper-center pane, select the Patch Manager server.
3. In the lower-center pane, click the Application Server Settings tab.
4. Filter the Category column for Email Configuration:
a. On the Category column, click
.
b. Select Email Configuration.
5. Select each of the settings in the Email Configuration category, and then click Modify Setting in the
Actions pane (right) to open a dialog for that setting.
6. Modify the settings as appropriate, and then click OK to close the dialog.
Configuring Proxy Settings
Both the Patch Manager console and Application role server need to connect to the Internet. If you require
either component to connect to the Internet using a proxy server, enter the proxy server information in the
applicable dialogs.
Configuring Console Proxy Settings
Complete the following procedure to configure proxy settings for connections from the Patch Manager
console.
To configure proxy settings for the console:
1. In the left pane of the Patch Manager console, select Administration and Reporting.
2. In the center pane, click General Settings.
3. Click Proxy Configuration.
4. In the Console Proxy Settings window, select Use a proxy server while synchronizing, and then
complete the form for your environment.
5. Click OK to save your settings and close the dialog.
Configuring Server Proxy Settings
Complete the following procedure to configure proxy settings for connections from the Patch Manager
Application role server(s).
To configure proxy settings for the Patch Manager Application server:
1. In the left pane of the Patch Manager console, expand Administration and Reporting, and then
select Software Publishing.
2. In the Actions pane (right), click Synchronization Settings.
3. In the Third Party Updates Options window, click the Proxy Settings tab.
4. Select Use a proxy server when synchronizing, and then complete the form for your environment.
5. Click OK to save your settings and close the dialog.
Patch Manager Licensing
SolarWinds licenses Patch Manager according to its number of managed computers. Managed computers
include all WSUS, ConfigMgr, and Patch Manager servers, along with all managed clients. The Primary
Application Server (PAS) calculates the number of managed computers using two sources:
l
The Enterprise > Managed Computers node
l
The Administration and Reporting > Task History node
Going from Evaluation to Production
After you have purchased a license from SolarWinds, activate Patch Manager using the SolarWinds
Licensing application. If you have not purchased a license, you can do so from the SolarWinds Licensing
application, which links you to www.solarwinds.com.
Note: If you have deployed multiple Patch Manager servers in various server roles, you only have to
activate the Primary Application Server (PAS). By default, this is the first server you deployed.
Licensing Servers with Internet Access
Complete the following procedure to license your Patch Manager PAS if it has access to the Internet.
To license Patch Manager on a server with Internet access:
1. Click Start > All Programs > SolarWinds > Patch Manager > SolarWinds Licensing.
2. Click Enter Licensing Information.
3. Select I have internet access and an activation key.
4. Click the http://customerportal.solarwinds.com link to access the customer portal on the
SolarWinds web site.
5. Log on to the portal using your SolarWinds customer ID and password.
6. On the left navigation bar, click License Management.
7. Navigate to your product, choose an activation key from the Unregistered Licenses section, and
then copy the activation key.
8. If you cannot find an activation key in the Unregistered Licenses section, contact SolarWinds
customer support.
9. Return to the Activate Patch Manager window, and then enter the activation key in the Activation
Key field.
10. If you access Internet web sites through a proxy server, select I access the internet through a
proxy server, and then enter its proxy address and port.
Note: If your Patch Manager server accesses the Internet through an authenticated proxy server, complete
the procedure for activating without Internet access instead.
11. Click Next.
12. Enter your email address and other registration information, and then click Next.
Licensing Servers without Internet Access
Complete the following procedure to license your Patch Manager PAS if it does not have access to the
Internet.
To license Patch Manager on a server without Internet access:
1. Click Start > All Programs > SolarWinds > Patch Manager > SolarWinds Licensing.
2. Click Enter Licensing Information.
3. Select This server does not have internet access, and then click Next.
4. Click Copy Unique Machine ID.
5. Paste the copied data into a text editor document.
6. Transfer the document to a computer with Internet access.
7. On the computer with Internet access, complete the following steps:
a. Browse to
http://customerportal.solarwinds.com/customerportal/LicenseManagement.aspx, and then
log on to the portal with your SolarWinds customer ID and password.
b. Navigate to your product, and then click Manually Register License.
c. If the Manually Register License option is not available for your product, contact
SolarWinds customer support.
d. Provide the Machine ID from Step 5, and then download your license key file.
8. Transfer the license key file to the Patch Manager server.
9. Return to the Activate Patch Manager window, browse to the license key file, and then click Next.
Getting Started
After you have installed Patch Manager, the First Time Usage Wizard displays. This wizard guides you
through updating your first computers. If you want to launch the wizard after you have closed it, open the
Patch Manager Console and select Administration and Reporting. Launch the wizard from the center
pane. You must run Patch Manager as an administrator to run the First Time Usage Wizard.
Before you begin, have the following information available:
• Client computer information such as the host name or IP address
• Any additional local administrator credentials needed to access the client computers
To patch your computer using the wizard:
1. Click Tell Us About Your Environment.
2. Click Add a computer.
3. Enter the client computer information.
Tip: Click Resolve to have Patch Manager gather the information about the computer and fill out the
rest of the information.
4. Click Add. You can add another computer or click Next to continue.
5. Enter credentials.
6. If you want to use the credentials for all the computers you have added, select Use these
credentials for all the computers I've selected.
7. If you want to use different credentials for some computers, select Use these credentials, but
let me enter different credentials for some computers.
8. Click Next.
Patch Manager uses the credentials you supplied to gather information about the computers, such
as OS and installed software, configure them for use with Patch Manager, and determine which
patches are available for the software.
If errors occur during this process, Patch Manager will alert you to the error and either provide the
error or steps to correct the error. You also have the option to ignore the computers with errors.
After Patch Manager has successfully connected to and configured at least one client computer, the
Install Patches option is available.
9. Click Install Patches.
10. Expand a computer and select a patch to apply.
Tip: Select one or two available patches.
11. Click Finish. The patches are downloaded to the PAS, pushed to the client, and installed on the client.
For more information on what the wizard does, see the First Time Usage Wizard FAQ.
First Time Usage Wizard FAQ
This section addresses some of the most common questions about the First Time Usage Wizard.
Why does it take so much time to install an update?
When the First Time Usage Wizard installs patches, it takes some time to complete. The wizard must first
download the package from the vendor site and then push the package to the client computer. The size of
the package and your network speed can increase the length of time you spend waiting for the
patch to install. Additionally, the wizard performs some checks on the client computer(s) to ensure that the
package can be installed.
What is the First Time Usage Wizard doing when it is installing packages?
After the First Time Usage Wizard has downloaded and pushed a package to a client computer, the wizard
checks the package revision against the software installed on the computer to ensure that the downloaded
package is compatible with the software already installed on the computer. If the package is compatible,
the wizard proceeds to install the package. If the package is not compatible or otherwise cannot be
installed, the wizard will return an error message with the most likely failure cause.
How can I decrease the amount of time the wizard takes?
To decrease the amount of time it takes for the First Time Usage Wizard to download or push the packages,
try running the wizard during non-peak networking hours or only updating one or two computers at a
time.
Can I mass add computers?
While you can add multiple computers to the wizard, you cannot add all computers from a domain or
workgroup to the wizard. You must add managed resources outside of the First Time Usage Wizard.
After you have used the First Time Usage Wizard to apply patches to your first computers, use the
following information to configure your Patch Manager server to emulate your production environment
more closely. This information will help you add multiple managed computers, configure your managed
computers, manage other WSUS instances, and configure the included web console.
• Configuring the Server
• Configuring Managed Clients
• Configuring the Web Console
You must dismiss the First Time Usage Wizard to enter the Patch Manager Console.
Initial Configuration
After you have finished installing Patch Manager and have installed your first updates, use the following
wizards to further configure your Patch Manager server:
• Configuring Managed Resources
• Configuring Credentials and Credential Rings Rules
• Configuring Update Services
• Configuring Publishing Servers
Configuring Managed Resources
Use the Managed Resource Enterprise Configuration Wizard to configure the domains, workgroups,
ConfigMgr Site servers, and WSUS servers you want to manage with Patch Manager.
To configure managed resources:
1. In the tree view in the left pane of the application, select Patch Manager System Configuration.
2. Click Configure Managed Resources in your Enterprise in the center pane.
3. On the first page of the wizard, select the appropriate domains and workgroups, and then click
Next.
4. Manage ConfigMgr Site servers by adding them on the next page:
a. Enter the server name, and then click Resolve.
b. Fill in any missing information.
c. Click Add.
d. Repeat these steps for any additional ConfigMgr Site servers.
5. Click Next.
6. Manage WSUS servers (SUPs) by adding them on the next page:
a. Enter the server name, and then click Resolve.
b. Fill in any missing information.
c. Click Add.
d. Repeat these steps for any additional WSUS servers.
7. Click Next.
8. Patch Manager automatically creates the Managed Enterprise management group on the PAS. Click
Next.
9. Review the summary screen, and then click Finish.
Configuring Credentials and Credential Rings Rules
Use the Credential and Credential Rings Rules Wizard to configure the credentials and credential rings
rules Patch Manager needs to use to communicate with each of the managed resources defined in the
previous section.
Patch Manager needs administrator permissions on managed resources to execute certain tasks. The
following procedure allows you to specify the credentials for each group, or type of system. You can also
limit Patch Manager users' access to resources using User Preferences and additional credential rings.
To configure credentials and credential rings rules:
1. In the tree view in the left pane of the application, select Patch Manager System Configuration.
2. Click Configure Security and User Management in the center pane.
3. On the first page of the wizard, enter new credential information for each managed resource:
a. In the User Name field, enter the username in UPN or flat format. For example, enter
DOMAIN\user.
Note: To add a common local computer account, enter .\ before the username. For example, enter
.\administrator to specify the local Administrator account for several computers.
b. Enter and confirm the password for that user account.
c. Click Add.
d. Repeat these steps for any additional accounts you want to add.
4. Click Next.
5. If you entered more than one credential, map each resource to the appropriate credential:
a. Select the resource you want to modify, and then click Change Assigned Credential.
b. Select the credential you want to assign to that resource.
c. Click OK.
d. Repeat these steps to customize any additional resources.
6. Click Finish.
Configuring Update Services
Use the Third Party Updates Configuration Wizard to configure the Patch Manager server to synchronize
with the SolarWinds third party update library.
Note: The evaluation version of Patch Manager includes access to a limited selection of third party
updates. When you purchase a Patch Manager license, it includes complete access to all available catalogs.
To configure update services:
1. In the tree view in the left pane of the application, select Administration and Reporting, and then
select Software Publishing.
2. Click Patch Manager Update Configuration Wizard from the Actions pane.
3. Verify you meet the requirements listed on the first page of the wizard:
- You can browse to 3pupcontent.solarwinds.com from the server.
- If you use a proxy server to access the Internet from the Patch Manager server, you
have the server name, port number, and user credentials for the proxy server.
4. Click Next.
5. If the Patch Manager server accesses the Internet using a proxy server, enter the required
information.
6. Click Next.
7. Click Start Connecting.
8. After the wizard scans for the available catalogs, click Next.
9. Select the products you want to synchronize with the Patch Manager server.
10. Click Next.
11. Configure the synchronization and notification preferences.
12. Click Finish.
Configuring Publishing Servers
Use the Server Publishing Setup Wizard to generate the WSUS self-signed publishing certificate, if
necessary, and copy it to the Patch Manager server's certificate store.
Note: This task establishes a WMI connection with your publishing servers to configure them. If you
installed Patch Manager on its own server and opted not to allow Patch Manager to automatically deploy
the SolarWinds WMI Providers, this wizard will not work. Manually deploy the WMI Providers to your WSUS
servers, or distribute the publishing certificate using Group Policy.
To configure Patch Manager as a publishing server:
1. In the tree view in the left pane of the application, select Administration and Reporting, and then
select Software Publishing.
2. Click Server Publishing Setup Wizard from the Actions pane.
3. On the first page of the wizard, select the upstream WSUS server from the WSUS Server menu.
4. If the wizard returns details for an existing publishing certificate, select Distribute existing
WSUS signing certificate to required servers.
5. If the wizard does not return details for an existing publishing certificate, select Create self-signed certificate.
6. Click Next.
7. Select the Patch Manager servers, publishing servers, and downstream WSUS servers to which you
want to distribute the publishing certificate, and then click Next.
8. Review the summary screen for any errors, and then click Finish.
9. On the dialog that instructs you to configure your managed clients, click OK. Review the following
section for additional information about this process.
Configuring Managed Clients
There are two methods to provision the WSUS publishing certificate to all clients you want to manage, and
then configure those clients to accept updates from the Patch Manager server:
- Using Group Policy to Configure Managed Clients (recommended)
- Configuring Clients from the Patch Manager Console (alternative)
Note: The second method requires WMI connections with the managed clients to configure them. If you
opted not to allow Patch Manager to automatically deploy the SolarWinds WMI Providers to your managed
clients, this method will not work. Manually deploy the WMI Providers, or use the Group Policy method to
configure the clients.
Using Group Policy to Configure Managed Clients
Use Group Policy to configure managed clients if you do not want to use the WMI connections required by
the Client Publishing Setup Wizard. This process consists of the following procedures:
- Exporting the WSUS Certificate
- Configuring the Group Policy Object
Exporting the WSUS Certificate
Use the following procedure to export the WSUS publishing certificate to a file from the Patch Manager
console.
To export the WSUS publishing certificate to a file:
1. Open the Patch Manager console.
2. In the left pane, expand Enterprise > Update Services.
3. Select the WSUS server from which you want to export the certificate.
4. In the Actions pane (right), click Software Publishing Certificate.
5. If this dialog does not display the WSUS server's certificate information:
a. Click Close.
b. Click Refresh Update Server in the Actions pane (right).
c. Re-open the Software Publishing Certificate dialog.
6. Click […].
7. Click the Details tab.
8. Click Copy to File.
9. Click Next.
10. Leave DER encoded binary X.509 (.CER) selected, and then click Next.
11. Specify a name and location in the File name field, and then click Next.
12. Click Finish.
13. Click OK.
Configuring the Group Policy Object
Use the following procedures to configure the Group Policy Object (GPO) to push to managed clients. The
GPO puts the WSUS certificate into the appropriate certificate stores and configures the managed clients
to accept third-party updates from non-Microsoft sources.
To configure managed clients using Group Policy on Windows Server domains:
1. Using an account with sufficient privileges, open Group Policy Management on a
Windows Server domain controller: Start > Administrative Tools > Group Policy Management.
2. Create or edit a Group Policy Object to configure the clients.
3. In the Group Policy Editor, expand Computer Configuration > Policies > Windows Settings >
Security Settings > Public Key Policies.
4. Import the WSUS publishing certificate to the Trusted Root Certification Authorities and Trusted
Publishers stores:
a. Under Public Key Policies, select Trusted Root Certification Authorities.
b. Click Action > Import.
c. Click Next.
d. Click Browse, and then browse to the certificate you saved in the previous procedure.
e. Click Next.
f. Click Next again.
g. Click Finish.
h. Click OK on the success dialog.
i. Repeat these steps for the Trusted Publishers certificate store.
5. Expand Computer Configuration > Administrative Templates > Windows Components, and
then select Windows Update.
6. Enable the Allow signed updates from an intranet Microsoft update service location policy:
a. In the center pane, select Allow signed updates from an intranet Microsoft update
service location.
b. Click Action > Edit.
c. Select Enabled.
d. Click OK.
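The following client-side check is an added example, not part of the SolarWinds guide or product. It confirms that the GPO delivered the exported publishing certificate to both stores and enabled the policy; the .CER path is a hypothetical placeholder, and the script assumes the policy is reflected in the AcceptTrustedPublisherCerts registry value under the Windows Update policy key.

```powershell
# Added verification example (not SolarWinds code). Run elevated on a managed
# client after Group Policy has refreshed.
param(
    # Hypothetical path: wherever you saved the .CER file during the export.
    [string]$CerPath = 'C:\Temp\wsus-publishing.cer'
)

function Test-WsusPublishingTrust {
    param([Parameter(Mandatory)][string]$Path)

    # Load the DER-encoded X.509 certificate exported from the console.
    $full = (Resolve-Path -LiteralPath $Path).ProviderPath
    $cert = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($full)

    # The GPO must place the same certificate (matched by thumbprint) in both
    # machine stores: Trusted Root Certification Authorities and Trusted Publishers.
    $stores = @{
        InTrustedRoot       = 'Cert:\LocalMachine\Root'
        InTrustedPublishers = 'Cert:\LocalMachine\TrustedPublisher'
    }
    $found = @{}
    foreach ($name in $stores.Keys) {
        $match = Get-ChildItem -Path $stores[$name] |
            Where-Object { $_.Thumbprint -eq $cert.Thumbprint }
        $found[$name] = [bool]$match
    }

    # "Allow signed updates from an intranet Microsoft update service location"
    # is stored as AcceptTrustedPublisherCerts = 1 under the Windows Update policy key.
    $wuKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
    $policy = Get-ItemProperty -Path $wuKey -ErrorAction SilentlyContinue
    $policyEnabled = ($null -ne $policy) -and ($policy.AcceptTrustedPublisherCerts -eq 1)

    # An expired or not-yet-valid publishing certificate will not validate packages.
    $now = Get-Date
    $valid = ($cert.NotBefore -le $now) -and ($cert.NotAfter -gt $now)

    [pscustomobject]@{
        Thumbprint          = $cert.Thumbprint
        Subject             = $cert.Subject
        SelfSigned          = ($cert.Subject -eq $cert.Issuer)   # heuristic: subject equals issuer
        NotAfter            = $cert.NotAfter
        WithinValidity      = $valid
        InTrustedRoot       = $found.InTrustedRoot
        InTrustedPublishers = $found.InTrustedPublishers
        PolicyEnabled       = $policyEnabled
        WUServer            = if ($policy) { $policy.WUServer } else { $null }
        Ready               = $valid -and $found.InTrustedRoot -and
                              $found.InTrustedPublishers -and $policyEnabled
    }
}

$result = Test-WsusPublishingTrust -Path $CerPath
$result | Format-List
if (-not $result.Ready) { exit 1 }
```

Every client that receives this GPO trusts the publishing certificate both as a root and as a publisher, so link the GPO only to the computers you intend to manage and compare the reported thumbprint with the one shown in the Software Publishing Certificate dialog.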
Configuring Clients from the Patch Manager Console
Provided you have already provisioned your managed clients with the SolarWinds WMI Providers, use the
following tasks in the Patch Manager console to configure those clients to receive third-party updates from
Patch Manager:
- Client Certificate Management
- Windows Update Local Policy Management
Client Certificate Management
Use the Client Certificate Management task, also known as the Client Publishing Setup Wizard, to
distribute and install the WSUS self-signed publishing certificate to managed clients.
To complete the Client Certificate Management task:
1. In the left pane of the Patch Manager console, select Administration and Reporting.
2. In the center pane, click Client Certificate Management.
3. On the Client Certificate Management window, specify the WSUS publishing certificate to
distribute:
a. Select Distribute and install Update Services Signing Certificate.
b. If you want to distribute the certificate directly from the WSUS server, select Select
certificate from WSUS server, and then select the WSUS server from the active menu.
c. If you want to distribute the certificate from a .CER file, select Select certificate from
file, and then click […] to browse to the file location.
4. If the managed clients require SSL for remote connections:
a. Select Distribute and install Update Services Server SSL Certificate.
b. Next to the File Name field, click […] to browse to the file location.
5. Click Distribute.
6. Complete the Task Options Wizard to specify the target systems and schedule and/or execute the
task.
After you complete this task, Patch Manager notifies you that you must configure Windows Update Group
Policy on your managed clients to enable them to allow third-party updates from Patch Manager. The
following section addresses this requirement using Local Policy. When possible, enable the requisite policy
in Group Policy instead.
Windows Update Local Policy Management
Use the Windows Update Local Policy Management task to configure your managed clients to accept
third-party updates from Patch Manager using Local Policy.
To complete the Windows Update Local Policy Management task:
1. In the left pane of the Patch Manager console, select Administration and Reporting.
2. In the center pane, click Windows Update Local Policy Management.
3. On the Windows Update Local Policy Settings window, create a new local policy template for the
managed clients:
a. Click the check box next to Allow signed content from intranet Microsoft update service
location twice so the value in the State column is Enabled.
b. Modify any other policies you want to configure for the managed clients.
Note: Changes made to Local Policy do not override any policies already enforced by Group Policy.
c. Enter a name for the new template, and then click Save.
4. Click OK.
5. Complete the Task Options Wizard to specify the target systems and schedule and/or execute the
task.
Configuring the Web Console
The Patch Manager web console is a read-only interface that displays detailed information from a Patch
Manager Application role server. You can install the web console server on any Windows web server that
can connect to the Patch Manager Application role server. Access the web console from any computer with
access to the host web server's website. Run the installer and select Install the Patch Manager Orion
web interface.
Configuring the Patch Manager Web Console
After you launch the Patch Manager web console for the first time, complete the following procedure to
configure it for first use.
To configure the Patch Manager web console:
1. On the Discovery Central web page, click Go to Orion Home.
2. Click the hyperlink in any of the resources to add your Patch Manager server:
a. In the Server name or IP address field, enter the hostname or IP address of your Patch
Manager server.
b. In the Port field, specify a port or accept the default.
c. In the Windows Credentials section, specify the username and password to use to access
the Patch Manager server.
d. Click Test.
e. Click Submit.
3. To view Patch Manager resources, click the Patches tab.
Creating a Third Party Updates View
One extension Patch Manager offers is the ability to publish, manage, and deploy third party updates from
the Patch Manager server. Create a third party updates view in the Patch Manager console to separate
these types of updates from the Microsoft updates you would normally see in your WSUS console.
The procedure for this is different for the Patch Manager console in WSUS, ConfigMgr 2007, and ConfigMgr
environments. See the applicable section for the correct procedure:
- Third-party Updates View for WSUS
- Saved Searches in ConfigMgr 2007
- Creating a Third Party Updates View for ConfigMgr
Third-party Updates View for WSUS
Complete the following procedure to create a third-party updates node under your WSUS server in the
Patch Manager console.
To create a third party updates view in WSUS environments:
1. In the left pane of the Patch Manager console, expand Enterprise > Update Services, and then
expand your WSUS server.
2. Under your WSUS server, select Updates.
3. In the Actions pane (right), click New Update View.
4. Under Step 1: Select properties, select Updates have a specific approval and installation status and
Updates are from Microsoft Update, Third Parties, or both.
5. Under Step 2: Edit the properties (click an underlined value), define the properties:
a. Click any update source.
b. Select Only updates from a Third Party.
c. Click OK.
d. Click approved and needed.
e. In the Approved State menu, select All.
f. In the Update Status menu, select Any.
g. Click OK.
6. Under Step 3: Specify the update view name and description, enter a name and description for the
new view.
7. Click OK.
Saved Searches in ConfigMgr 2007
ConfigMgr 2007 uses search folders to save searches in the ConfigMgr console. Search folders make it easy
to differentiate between third-party update vendors.
To create a search folder in ConfigMgr 2007 for third-party updates:
1. In the left pane of the ConfigMgr console, expand Site Database > Computer Management >
Software Updates > Update Repository.
2. Right-click Search Folders, and then select New Search Folder. The system displays the Search
Folder Criteria window.
3. In the Step 1 area, select Vendor.
4. In the Step 2 area, click the underlined value, and then select the vendor for which you want to
create the search folder.
5. In the Step 3 area, select Search all folders under this feature.
6. In the Step 4 area, enter a name for the search folder. For example, enter the name of the vendor
you selected in Step 2.
7. Click OK.
Updating Multiple Computers
After you have configured managed clients, security certificates, security policies, and your server to more
closely emulate your production environment, you can deploy updates to multiple computers.
Use the following steps to deploy updates:
1. Publishing Trial Updates
2. Approving Updates
3. Installing Updates
Note: The "Approving Updates" and "Installing Updates" sections do not apply to ConfigMgr
environments. If you use ConfigMgr to manage your updates, use the typical ConfigMgr methods to deploy
the updates you publish using Patch Manager.
Publishing Trial Updates
If you configured third party updates, the next step is to publish some trial packages to your WSUS server.
For evaluation purposes, we recommend you complete the following procedures in this order:
- Publishing Adobe Reader Updates
- Publishing Java Runtime Environment Updates
- Publishing Adobe Flash Updates
Publishing Adobe Reader Updates
Use the Publishing Wizard to download the Adobe Reader update package and copy the installation file
and update definition to the WSUS server.
To publish the Adobe Reader updates:
1. In the left pane of the Patch Manager console, expand Administration and Reporting > Software
Publishing.
2. Select Adobe Systems, Inc. Packages.
3. In the center pane, select the Reader <version> Update package you want to publish.
4. In the Actions pane (right), click Publish Packages.
5. Click Next.
6. After the publishing wizard downloads the package, select it, and then click Next.
7. Click Finish.
Publishing Java Runtime Environment Updates
Use the Package Download Assistant to download the Java Runtime Environment update files. Then use the
Publishing Wizard to copy the installation file and update definition to the WSUS server.
The following video illustrates the steps in this procedure:
"Prevent Failed Java Updates," http://www.youtube.com/watch?v=-SBd_9jinRY
To publish the Java Runtime Environment updates:
1. In the left pane of the Patch Manager console, expand Administration and Reporting > Software
Publishing.
2. Select Sun Packages.
3. In the center pane, select a Java Runtime Environment (JRE) update that you want to publish.
4. In the Actions pane (right), click Download Content.
5. Click OK.
6. In the Package Download Assistant window, double-click the download link.
7. Select Accept License Agreement, and then download the following files:
- Windows x86 Offline
- Windows x64
8. Return to the Package Download Assistant window, and then click Import Source.
9. Browse to the folder that contains the file you want to import, and then click Open.
Note: The file you select here must match the update you selected in Step 3. The Package Download
Assistant provides the correct filename by default, so you do not need to select the file after you browse to
the appropriate folder.
10. Click OK.
11. If you want to publish another JRE update, select it back in the Patch Manager console, and
then import the file into the Patch Manager server:
a. In the Actions pane (right), click Download Content.
b. Click OK.
c. On the Package Download Assistant window, click Import Source.
d. Browse to the file you want to import, and then click Open.
e. Click OK.
f. Repeat these steps for any other JRE updates for which you want to import files.
12. To view the files you imported, click Refresh in the Actions pane (right).
13. Select the JRE update packages you want to publish.
14. In the Actions pane (right), click Publish Packages.
15. Click Next.
16. Click Finish.
Publishing Adobe Flash Updates
Use the Package Download Assistant to download the Adobe Flash update files. Then use the Publishing
Wizard to copy the installation file and update definition to the WSUS server.
To publish the Adobe Flash updates:
1. In the left pane of the Patch Manager console, expand Administration and Reporting > Software
Publishing.
2. Select Adobe Packages.
3. In the center pane, select the Flash Player <version> ActiveX package you want to publish.
4. In the Actions pane (right), click Download Content.
5. Click OK.
6. In the Package Download Assistant window, double-click the download link.
7. Download the archive for the version you want to publish.
8. Extract the contents of the archive to your local computer.
9. Return to the Package Download Assistant window, and then click Import Source.
10. Browse to the folder that contains the file you want to import, and then click Open.
Note: The file you select here must match the update you selected in Step 3. The Package Download
Assistant provides the correct filename by default, so you do not need to select the file after you browse to
the appropriate folder.
11. Click OK.
12. To view the files you imported, click Refresh in the Actions pane (right).
13. Select the Flash update packages you want to publish.
14. In the Actions pane (right), click Publish Packages.
15. Click Next.
16. Click Finish.
Approving Updates
After you have published the updates you want to evaluate, approve them for the appropriate WSUS target
groups. Complete the following procedure to approve any update from the Patch Manager console.
Note: This section does not apply to ConfigMgr environments. If you use ConfigMgr to manage your
updates, use the ConfigMgr console to deploy the updates you publish using Patch Manager.
To approve published updates:
1. In the left pane of the Patch Manager console, expand Enterprise > Update Services > Your WSUS
Server > Updates.
2. Select your third party updates view.
3. In the center pane, select one or more of the update packages you published. Use Ctrl+click to
select multiple packages.
4. In the Actions pane (right), click Approve.
5. On the Approve Updates window, select the WSUS computer groups for which you want to approve
the updates. Use Ctrl+click to select multiple groups.
6. At the top of the window, click the appropriate approval option.
7. Click OK.
8. On the Approval Progress window, click Close.
Installing Updates
Use the Update Management task to install updates on a WSUS server on the approved target systems.
The following procedure is an alternative to waiting for the Windows Update Agent on the target systems
to sync with the WSUS server for scheduled updates.
Note: This section does not apply to ConfigMgr environments. If you use ConfigMgr to manage your
updates, use the ConfigMgr console to deploy the updates you publish using Patch Manager.
To deploy updates using the Update Management task:
1. In the left pane of the Patch Manager console, expand Enterprise > Update Services > Your WSUS
Server > Updates.
2. Select your third party updates view. If you have not yet created this view, see "Creating a Third
Party Updates View" on page 29.
3. In the center pane, select one or more of the update packages you published. Use Ctrl+click to
select multiple packages.
4. In the Actions pane (right), click Update Management.
5. On the Update Management window, click OK.
6. In the Task Options Wizard window, add the computers on which you want to install the updates.
7. Click Next.
8. Complete the Scheduling and Notification Options form, and then click Next.
9. Click Finish.
Next Steps
For additional information about the next steps and deeper functionality, see the Patch Manager
Administrator Guide.
In this guide, you'll find information and instructions to address topics like:
- How to run reports for WSUS servers and managed clients
- How to administer WSUS from the Patch Manager console
- How to expand your deployment to serve a variety of environment needs
For additional resources, including several video tutorials, see the Patch Manager library on thwack.