
Patch policy – general questions

I’m new to ZPM but not new to ZCM (17 years!)
I need some clarification, please, on a few things:

Vulnerability Detection Schedule is the time that the machine detects a new vulnerability based on the policy that the machine will get? What’s the ideal setting, once a day?

Patch Policy Pre-Install Behavior – I didn’t understand what it is. Is that for a new machine?

Patch Policy Settings – this is the time that patches will be installed.
I read on “Cool Solutions” about PatchWatcher – are you using it? Is it helping the users to understand when the patches are installed? When you configure this, do you leave the “Schedule Enforcement” on the default?
If I have a few patch policies, can I schedule one that will run once a week and another that will run once a month?
Should I have to cache every patch manually?

Thanks in advance for any help 🙂
Eyal

Micro Focus Expert

Vulnerability Detection Schedule is the time that the machine detects a new vulnerability based on the policy that the machine will get?
From what I understand, Vulnerability Detection Schedule will detect what patches are needed. The ideal setting is maybe as often as ZENworks is aware of new patches perhaps.

New Member.

Vulnerability Detection Schedule:
This is the schedule on which devices will run a Patch Scan task. Every day, when the Patch Management Server updates itself, it recreates the "Discover Applicable Updates" bundles. These contain the signatures for every patch that ZPM knows about. Workstations download this bundle and then compare themselves to the signatures to identify what patches are needed. This information is then uploaded to the Primary Servers and can be seen in the Patches tab of the device object in ZCC. We run our Detection Schedule at 7:00 AM, on all workstations (except laptops, which run as soon as they connect to the network).

Patch Policy Pre-Install Behavior:
This is misnamed, in my opinion, but it does somewhat describe the function. Pre-Install details when the patches will actually be downloaded from the content repository (not installed). This is similar to setting a bundle to Distribute, but not checking the Install Immediately box. The settings also detail what kind of notification is given to the user before either download or install of the patches.

Patch Policy Settings:
These settings detail out how Patch Policies are applied, both the schedule and reboot. For our environment, we schedule patch policy enforcement to be during the overnight hours, every day (except laptops which install at 2:30 PM, every day). We also disable the reboot behavior because we have a task that restarts all computers at 4:00 AM anyway. No sense in having the computers restart twice during the wee-morning hours.

Other Notes:
You should not need to cache every patch manually. By using patch policies, you set either rules or manually add patches to the policy. ZENworks then takes care of caching the patches necessary in your system. We have an actual Patch Management Standards document, which details out when we cache patches and how we apply them. I would take the time to build out a schedule that works for your organization, so you are not having to manage the system daily. For example, we deploy patches to our Pilot locations (about 14 of our branches plus about 10% of our headquarters location) on Wednesday after Patch Tuesday. We run for 7-10 days, then publish the policies to all workstations. This same schedule works for all vendors we patch through ZPM (Adobe, Oracle, Microsoft, Mozilla, Google, etc.).
0 Likes
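
The pilot-then-publish schedule described in the reply above, worked out as a calendar. This is an added example, not part of the original thread and not ZENworks code; the function names and the reading of "7-10 days" as counted from the pilot Wednesday are assumptions.

```python
from datetime import date, timedelta

def patch_tuesday(year: int, month: int) -> date:
    """Second Tuesday of the month (Microsoft's regular release day)."""
    first = date(year, month, 1)
    # date.weekday(): Monday=0, Tuesday=1. Days from the 1st to the first Tuesday.
    to_first_tuesday = (1 - first.weekday()) % 7
    return first + timedelta(days=to_first_tuesday + 7)

def rollout_plan(year: int, month: int, soak_min: int = 7, soak_max: int = 10) -> dict:
    """Pilot starts the Wednesday after Patch Tuesday; the policy is published
    to all workstations after a soak of soak_min..soak_max days (assumption:
    the soak period is counted from the pilot start)."""
    tuesday = patch_tuesday(year, month)
    pilot = tuesday + timedelta(days=1)
    return {
        "patch_tuesday": tuesday,
        "pilot_start": pilot,
        "publish_earliest": pilot + timedelta(days=soak_min),
        "publish_latest": pilot + timedelta(days=soak_max),
    }

def phase(plan: dict, today: date) -> str:
    """Where a given day falls in the cycle, for a dashboard or reminder job."""
    if today < plan["pilot_start"]:
        return "pre-pilot"          # patches not yet assigned to any ring
    if today < plan["publish_earliest"]:
        return "pilot-soak"         # pilot branches only; watch for regressions
    if today <= plan["publish_latest"]:
        return "publish-window"     # publish the policy to all workstations
    return "past-window"            # unpublished by now means the cycle slipped

def year_calendar(year: int) -> list:
    """One plan per month, so the whole year's rollout can be reviewed up front."""
    return [rollout_plan(year, month) for month in range(1, 13)]

if __name__ == "__main__":
    for plan in year_calendar(2024):
        print(plan["patch_tuesday"], "pilot", plan["pilot_start"],
              "publish", plan["publish_earliest"], "to", plan["publish_latest"])
```

The `past-window` phase is the one worth alerting on: it marks a month where the pilot ran longer than the standard allows and production workstations are still unpatched.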