mhalderman wrote:

Windows Patching - Vendor Recommended patch Policy Compliance.

We have been patching our Windows servers with SA for the last few years using the Vendor Recommended Patch Policies and it has worked great for us. We have one dilemma we are facing.

 

After patching a Windows server with all the patches it needs, the server is still listed as 'Non-Compliant' after running a patch compliance scan. Looking deeper - the patches SA says are needed are patches we do not import into SA (grayed out). We only import Security patches from Microsoft (patches related to Security Bulletins).

 

We use the 'populate-opsware-update-library' script to import patches from Microsoft on Patch Tuesdays. We have the script set to download patches for the Windows versions we need, and do not import service packs or update rollups.

 

The Fix!! - Set exceptions on the patches that we do not import.

 

HOWEVER -- It looks like you can only set patch exceptions at the managed server or device group level. This makes it practically impossible to set the exceptions on 1000's of servers.

 

Is there a way to automate this? Or is there a way to set the patch exceptions globally on the patch level?

 

***I attached a screenshot for reference.***
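A reconciliation script for the situation above (an added example, not code from the original thread or from Server Automation; the CSV layout is an assumed, constructed export, not SA's real report format): it splits each server's "needed" patches into genuine gaps on imported patches versus never-imported patches, and lists which of the latter still lack a Limited/Deprecated availability flag, the global-exception approach discussed in this thread.

```python
import csv
import io
from collections import defaultdict

# Constructed sample export (assumed CSV layout, not SA's real report format):
# one row per patch the compliance scan evaluated for a server.
SCAN_EXPORT = """\
server,patch,bulletin,imported,availability,needed
web01,KB4000001,MS16-001,yes,Available,no
web01,KB4000002,,no,Available,yes
web01,KB4000003,MS16-003,yes,Available,no
web01,KB4000004,,no,Limited,yes
db01,KB4000002,,no,Available,yes
db01,KB4000005,MS16-005,yes,Available,yes
"""

# Availability values that act as a global exception (Limited / Deprecated).
EXCEPTION_FLAGS = {"limited", "deprecated"}


def reconcile(export_text):
    """Per server: real gaps vs. policy noise among patches the scan flagged.

    missing      - imported patches the server still lacks (genuine gaps)
    not_imported - patches never imported by policy (exception candidates)
    needs_flag   - not-imported patches whose availability is not yet
                   Limited/Deprecated, i.e. still lacking the global exception
    compliant    - True when there are no genuine gaps
    """
    report = defaultdict(lambda: {"missing": [], "not_imported": [], "needs_flag": []})
    for row in csv.DictReader(io.StringIO(export_text)):
        if row["needed"].strip().lower() != "yes":
            continue  # scan already considers this patch satisfied
        entry = report[row["server"]]
        if row["imported"].strip().lower() == "yes":
            entry["missing"].append(row["patch"])
        else:
            entry["not_imported"].append(row["patch"])
            if row["availability"].strip().lower() not in EXCEPTION_FLAGS:
                entry["needs_flag"].append(row["patch"])
    for entry in report.values():
        entry["compliant"] = not entry["missing"]
    return dict(report)


if __name__ == "__main__":
    for server, entry in reconcile(SCAN_EXPORT).items():
        state = "COMPLIANT" if entry["compliant"] else "NON-COMPLIANT"
        print(f"{server}: {state} missing={entry['missing']} "
              f"exceptions={entry['not_imported']} set_limited={entry['needs_flag']}")
```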

Gonzo_SA replied:

Re: Windows Patching - Vendor Recommended patch Policy Compliance.

There is a way to set a patch exception on a patch at a global level. For this you will need to use the Availability flag. If you set the patch availability to Limited or Deprecated, it will not be available to any server in your mesh.

 

Now, the big point here to remember is that you will need some very specific permissions on the user that will be running the patch jobs. See below for the exact permissions:

 

Patch Management
    Manage Patch (Read)
    Manage Windows Patch Policy (Read)
    Allow Install Patch
    Allow Uninstall Patch
    Manage Patch Compliance Rules

Policy Management
    Manage Windows Patch Policy (Read)
    Manage Software Policy (Read)
    Allow Attach/Detach Software Policy

Servers
    Reboot Server
    Allow Install/Uninstall Software
    Allow Remediate Servers

 

The reason for this is that the above permissions will explicitly follow the Patch Availability flag. An Administrator or Super User will ignore this flag and attempt to install the patch and/or scan for it.

 

Let me know if this answers your question.

mhalderman replied:

Re: Windows Patching - Vendor Recommended patch Policy Compliance.

Good information! Thank you.

 

A few questions:

- If a patch is set to 'Not Imported', will the patch still be considered in compliance scans if the user running the scan is a Super User/Admin? What about non-super-user users?

 

- If a patch compliance scan (not remediation) is run as a Super User, and the patch availability is not set to Limited or Deprecated, will that patch show as non-compliant in the scan?

 

Following your last post, I'll do some testing.

Gonzo_SA replied:

Re: Windows Patching - Vendor Recommended patch Policy Compliance.

In response to your questions:

 

- If a patch is set to 'Not Imported', will the patch still be considered in compliance scans if the user running the scan is a Super User/Admin? What about non-super-user users?

 

Yes, because the meta-data has been imported once the latest wsusscn2.cab is imported. The same for non-super users.

 

 

- If a patch compliance scan (not remediation) is run as a Super User, and the patch availability is not set to Limited or Deprecated, will that patch show as non-compliant in the scan?

 

Most likely. Again, Super User accounts ignore this setting.

 

 

mhalderman replied:

Re: Windows Patching - Vendor Recommended patch Policy Compliance.

After doing some testing, this doesn't seem to be the case.

 

- I created a test user and applied the patch permissions you noted to that user. (Also added the "Managed Servers and Groups" permission so the test user could see the managed servers in the GUI.)

- Set all "Not-Imported" patches to Availability = Limited.

- Reran a patch scan on a test managed server that is fully patched, as the test user.

 

The patch scan still showed as Non-Compliant, listing patches that are not imported and set to 'Limited' as needing to be installed.

 

Any thoughts?
