Enhancements in Automated Patch Deployment

Enhancements in Automated Patch Deployment

To keep up with the cyber industry's security demands and requests from a few customers, ManageEngine's Patch Management module has undergone a few  enhancements in the 'Automated Patch Deployment'(APD) functionality. We will shed light on what's new with the latest APD feature.

 

What's new?

The newly upgraded APD calls for an automated scan(instead of manually scheduled scan) as soon as the server synchronizes with the Patch Database. The missing patches are detected on each of the machines in accordance with the next refresh cycle after the patch sync is complete. The patches are then downloaded on to server from vendors' site and deployed automatically as specified in the deployment window. The whole new APD process aims at eliminating the manual efforts for scheduling a scan and the later downloading of missing patches, in order to be up to date with the most recent patches. 

 

Benefits of new-feel Automated Patch Deployment

  • Deployments are fast, and security is tightened due to the readily available patches for deployment
  • All the approved patches will be deployed in the very next deployment window immediately after their download. There's no need to wait for the next APD scheduler to invoke the deployment.
  • Whenever the computer in the network goes offline and encounters the network connectivity again, there could be new vulnerabilities and patches that the computer be missing. In the new APD, when the agent comes into contact with the server, it gets automatically scanned in the next refresh cycle, the missing patches are detected and updated in the server. The agent deploys them in the subsequent refresh cycle during the deployment window. Hence, there is no need to worry about the agent contact time and its prolonged vulnerable status. In the old APD, patch installation might be delayed because the agent contacted the server only after APD schedule.
  • Deployment in agent continues until it gets zero missing patches for the APD criteria.
  • In the new APD, you can also see the history of patching in a more detailed view. 

 

Enhanced Automated Patch Deployment - Workflow




More clarifications to help you with:

 

1. If "Schedule scan" is removed, will I be able to scan my machines at all?

 

Vulnerabilities keep increasing every day, we must have up to date scanned data of which computers on our network are missing critical and important patches. So, we have automated the scan task. After the patch database sync, if new patches are released when compared to the previous sync, agents will automatically scan in the subsequent refresh cycle.

 

2. Will an automatic scan overburden the server with multiple requests? Will it choke the network traffic? 

 

Definitely not. The scan happens right after the database is synced. Every time the scan happens, the latest missing patches are detected and downloaded on to the server. We employ this effective mechanism of posting only the diff scan data(difference in the scan data between two consecutive scans), it will not overburden the server. 

 

Also, it will not affect the network traffic, since we don't initiate an on-demand scan from the server. It is similar to a configuration, the agents will scan only in their subsequent refresh cycle. So, the network traffic is distributed in the refresh interval and hence undisturbed.

 

3. How to get reports of missing patches after the scan is completed?

 

You can use Schedule Report. Reports -> Schedule Reports. You can get it easily by scheduling the reports to be emailed 2 hours from the database sync. Also, you can configure it at any frequency as you wish.

 

4. How to control deployment under the new APD process?

 

We can use the "Deployment policy" to control our date and time of deployment of the latest available patches. While the scan process is automated, you can set your own choice of deployment policies in accordance with the requirements that best suit your network environment

 

5. I was earlier using 'scan and download' option for downloading the missing patches. How will I be impacted?

 

The download of approved patches which are required for the task will automatically be triggered, once they were found missing during the scan phase. The patches will be downloaded in the server, ready for deployment in their refresh cycle as per deployment policy.

 

6. How do I view the report of patches to be installed in APD?

 

You can just navigate to 'Patch View' from APD.           

APD --> Patch View

 

7. I usually delay the patch installation by scheduling it 2 weeks after the 'Patch Tuesday'. How will things be different for me?

 

No problem at all, you can still use "Delay deployment" option under APD, using which you can:

  • Deploy patches after 'x' days from release
  • Deploy patches after 'x' days from approval after testing

You can also tweak the deployment policy settings for a suitable deployment window. 

If you have further queries, please feel free to write to desktopcentral-support@manageengine.com


 

 

 

 

 

 

 




                New to ADSelfService Plus?