Creating a New Patch Task

A patch task is used to define how and when the target machines will be scanned for missing patches. It can also be used to optionally deploy any patches identified as missing. If you do not create a patch task, then no patch scanning or patch deployment will be performed by agents that are assigned this policy.

You can create multiple patch tasks for one agent policy. Each task can be expanded and collapsed using the chevron icon that resides on the task title bar. This enables you to view just the task you are working on at any one time.

While there is no theoretical limit to the number of patch tasks you can create for an agent policy, there is a practical limit. For example, it may become difficult to track and manage a policy if it contains too many patch tasks. Also, it may be problematic if you enable patch deployment on several different patch tasks. This is because, while scanning is relatively transparent to the user, deploying patches is not, as it often involves a reboot of the user's machine. In addition, you run the risk of multiple deployments occurring on one machine at the same time.

You configure agent patch tasks on the Patch tab. You can edit an existing patch task, or you can create a new task by clicking Add a Patch Task. Be sure to give the task a descriptive name because this is the name the users will see from within the client program.


Patch Scan Template

You must specify the template to use when an agent performs a patch scan. The patch scan template dictates exactly what will be scanned for and what will be ignored during a scan. The list of templates available for selection will include the two predefined templates (Security Patch Scan and WUScan) plus any custom templates you've already defined. You can also do the following:

  • New: Enables you to create a new patch scan template from scratch.

  • Edit: Enables you to edit an existing, custom patch scan template. The predefined templates cannot be edited. If you edit and save a template that is currently being used by an agent policy, the agents using that policy will be updated the next time they check in with the console.

If you click New or Edit, the Patch Scan Template dialog is displayed. See Creating a New Patch Scan Template for details on configuring the template.

Note: The automatic deployment function on the patch scan template is not supported by NetPt Agent. If it is enabled it will be ignored.

Enable Patch Deployment

If you want the agent to be able to automatically deploy patches that are identified as missing by the patch scan, enable this check box. The patch deployment is performed using the template specified in the Deployment Template box.

Note: There may be limitations as to which missing patches will be automatically deployed. See Patches Approved for Deployment for more information.

Deployment Template

You must specify the template to use when an agent performs a patch deployment. The list of templates available for selection will include the predefined deployment templates (Agent Standard and Standard) plus any custom templates you've already defined. You can also do the following:

  • New: Enables you to create a new deployment template from scratch.

  • Edit: Enables you to edit an existing, custom deployment template. The predefined deployment templates cannot be edited. If you edit and save a template that is currently being used by an agent policy, the agents using that policy will be updated the next time they check in with the console.

If you click New or Edit, the Deployment Template dialog is displayed. See Creating a Deployment Template for details on configuring the template.

Note: On the patch deployment template that you specify, if the agent machines will download missing patches from a distribution server rather than from the vendor Web sites, make sure the Use Server by IP Range check box is enabled. This is particularly important if you have custom patches to deploy. See Deployment Template: Distribution Servers tab for more information.

Also Note: Remote dialogs and custom actions that may be specified in the deployment template are not supported by NetPt Agent. In addition, the deployment template you use for agents should specify full-file Office patches on the Office tab. Agents do not use the Original Media paths specified in deployment templates, so binary Office patches may fail to install on agents.

Patches Approved for Deployment

When the agents perform a patch deployment they will deploy only those patches that are:

  1. Scanned for by the patch scan template, and

  2. Reported as missing, and

  3. Defined as approved patches.

The approved patches can be either all patches detected as missing by a scan, or they can be limited to those patches you define in a patch group and/or to those patches deemed critical by the patch vendor. The list of approved patches defined here is bound to this particular patch task. The list will not be used by other patch tasks within the agent policy.

  • All patches detected as missing: Specifies that any patch identified as missing will be eligible for deployment.

  • Patch group: Only those patches contained in the specified patch group will be deployed by the agent. If a scan detects missing patches not included in this group, those patches will not be deployed.

  • Plus all vendor critical patches: Specifies that in addition to the patches defined in the patch group, the list of patches approved for deployment should also include any patches identified as critical by the patch vendor. This gives you the security of knowing that if your patch group is out of date you will still always be able to deploy any new critical patches.

    To deploy only vendor critical patches, create an empty patch group and select it as the approved patch group.

  • New: Enables you to make a new patch group. For more information see Creating and Editing a Patch Group.

  • Edit: Enables you to make modifications to the selected patch group. Be careful here, because any modifications you make will affect any other scan templates that are using the patch group. If you edit and save a patch group that is currently being used by an agent policy, the agents using that policy will be updated the next time they check in with the console.
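The three approval options above combine with the scan result in a fixed way: a patch must be scanned for, reported missing, and approved. The following Python model is an added example, not code from the product; the patch list and scan result are constructed sample data, and the empty patch group case shows the "vendor critical only" trick described above.

```python
from dataclasses import dataclass
from typing import Iterable, Optional, Set

@dataclass(frozen=True)
class Patch:
    id: str
    vendor_critical: bool = False

@dataclass
class ScanResult:
    scanned: Set[str]   # patch ids the patch scan template looked for
    missing: Set[str]   # patch ids the scan reported as missing

@dataclass
class ApprovalPolicy:
    all_missing: bool = True                 # "All patches detected as missing"
    patch_group: Optional[Set[str]] = None   # ids in the selected patch group
    plus_vendor_critical: bool = False       # "Plus all vendor critical patches"

def approved_for_deployment(patches: Iterable[Patch],
                            scan: ScanResult,
                            policy: ApprovalPolicy) -> list:
    """Return the sorted ids the agent would deploy for this patch task."""
    by_id = {p.id: p for p in patches}
    # Conditions 1 and 2: scanned for by the template AND reported missing.
    candidates = scan.scanned & scan.missing
    if policy.all_missing:
        return sorted(candidates)
    # Condition 3: limited to the patch group (an empty group approves nothing
    # on its own) ...
    group = policy.patch_group or set()
    approved = {pid for pid in candidates if pid in group}
    # ... optionally widened by anything the vendor rates critical.
    if policy.plus_vendor_critical:
        approved |= {pid for pid in candidates if by_id[pid].vendor_critical}
    return sorted(approved)

# Constructed sample: four patches, two rated critical by the vendor.
PATCHES = [Patch("KB-A", True), Patch("KB-B"), Patch("KB-C", True), Patch("KB-D")]
# Constructed scan: template covered all four; A, B and C came back missing.
SCAN = ScanResult(scanned={"KB-A", "KB-B", "KB-C", "KB-D"},
                  missing={"KB-A", "KB-B", "KB-C"})

if __name__ == "__main__":
    print(approved_for_deployment(PATCHES, SCAN, ApprovalPolicy()))
    print(approved_for_deployment(PATCHES, SCAN,
          ApprovalPolicy(all_missing=False, patch_group=set(), plus_vendor_critical=True)))
```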

Schedule Area

The patch schedule specifies how often the task will run on a target machine. It allows you to regularly run the task at a specific time or using a specified recurrence pattern. A built-in scheduler will be provided for each agent. The scheduler will check for new patch data immediately before starting a scheduled patch task.

The agent scheduler will serialize executions of the same agent engine. For example, if you define a policy with two patch tasks that both start at 1:00 AM, they will not both start at 1:00; rather, they will be serialized (run back-to-back). If you have a patch task and a threat task both scheduled for 1:00 AM, however, they will both be started at 1:00 AM as they use different agent engines.

Hourly


Allows you to schedule the task to be run on an hourly basis.

  • Run every hh hours: You can specify exactly how many hours there should be between scans. Valid values are from 1 - 100 hours.

  • starting at this time: The first scan will begin at the specified time. Subsequent scans will be performed at the interval specified on Run every hh hours.

Daily


Indicates that the task will be run on the specified days, at the time of your choosing. For example, using this option a scan could be run every night at midnight, or every Saturday at 9:00 pm, or at 1:00 am the first Sunday of every month, etc.

Randomize scheduled time (minutes)

Staggers the exact time the task will be performed so as not to overtax the console or designated distribution server with simultaneous requests to download patch files, scan engines, etc.

Run on boot if schedule missed

If a scheduled task is missed while a target machine is powered off, this option enables you to force the task to automatically run whenever the machine is restarted. The task will run immediately unless you enable the Delay after boot (minutes) check box, in which case the execution will be delayed by the specified number of minutes.
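The serialization rule from the Schedule Area description, the randomized start, and the run-on-boot catch-up can be modelled together to see what start times agents actually end up with. This Python model is an added example, not the agent's scheduler code; task names, engine names, durations and the boot window are constructed for illustration.

```python
import random
from datetime import datetime, timedelta
from typing import Dict, List, Optional, Tuple

def randomized_start(scheduled: datetime, randomize_minutes: int,
                     rng: random.Random) -> datetime:
    """Stagger the start by 0..randomize_minutes so many agents do not hit the
    console or distribution server at the same instant."""
    return scheduled + timedelta(minutes=rng.uniform(0, randomize_minutes))

def serialize_by_engine(tasks: List[Tuple[str, str, datetime]],
                        durations: Dict[str, timedelta]) -> Dict[str, Tuple[datetime, datetime]]:
    """tasks: (name, engine, scheduled_start). Tasks sharing an engine run
    back-to-back; tasks on different engines start in parallel."""
    engine_free_at: Dict[str, datetime] = {}
    plan: Dict[str, Tuple[datetime, datetime]] = {}
    for name, engine, scheduled in sorted(tasks, key=lambda t: t[2]):
        start = max(scheduled, engine_free_at.get(engine, scheduled))
        end = start + durations[name]
        engine_free_at[engine] = end
        plan[name] = (start, end)
    return plan

def boot_catch_up(scheduled: datetime, off_from: datetime, boot: datetime,
                  run_on_boot: bool, delay_minutes: int = 0) -> Optional[datetime]:
    """If the scheduled time fell inside the powered-off window, return when the
    task runs after boot (None if it is simply skipped)."""
    missed = off_from <= scheduled < boot
    if missed and run_on_boot:
        return boot + timedelta(minutes=delay_minutes)
    return None

# Constructed scenario: two patch tasks and one threat task, all at 1:00 AM.
ONE_AM = datetime(2024, 1, 6, 1, 0)
TASKS = [("patch-servers", "patch", ONE_AM),
         ("patch-workstations", "patch", ONE_AM),
         ("threat-weekly", "threat", ONE_AM)]
DURATIONS = {"patch-servers": timedelta(minutes=20),
             "patch-workstations": timedelta(minutes=15),
             "threat-weekly": timedelta(minutes=30)}

if __name__ == "__main__":
    for name, (start, end) in serialize_by_engine(TASKS, DURATIONS).items():
        print(f"{name}: {start:%H:%M}-{end:%H:%M}")
```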

Save and Update Agents

Saves all changes to the policy file and stores it on the console. Also updates any agent machines that are currently assigned this policy as follows:

  • If an agent machine is online and configured to listen for policy updates, the updated policy will be pushed out to that machine immediately.

  • If an agent machine is online but is not configured to listen for policy updates, the updated policy will be pushed out the next time the agent checks in with the console.

  • If an agent machine is not currently online, the updated policy will be pushed out the next time the agent checks in with the console.

The Agent Policy Editor will be closed.

Cancel

Indicates you want to exit the Agent Policy Editor without saving your most recent changes. A "Do you want to save your changes?" prompt will appear that gives you a second chance to save your changes. If you click Yes the policy will be saved and the associated agents updated (the same as Save and Update Agents). If you click No the Agent Policy Editor will be closed without saving your changes.