IEM: Microsoft patch deployment step 3

Configure the deployment

Select the Fixlets you want to deploy using common Windows selection methods (click on the first Fixlet, then shift-click the last Fixlet to select Fixlets in a series, or ctrl-click on each Fixlet you wish to include/exclude from the group). Right click and select the Take Default Action option.

Known issues will be listed in red text. These should ALWAYS be reviewed. It's a good idea to at least skim through the entire description.
Some Fixlets will have the option for multiple actions in the dropdown. Java is one example: the default Java action will not close running instances of Java, but a second option is available that will close any running Java instances.

Fixlet group selection

Change the name

Provide a descriptive name for the patch cluster.  The name should begin with USGS-<site> and include a general description.

Name changed

Action settings are all contained in the tabs on the Take Action window. The first tab is the Target Tab.

Target Tab

Many USGS sites patch by targeting specific systems (e.g. Adobe, Flash updates). Unless you really want to target certain machines (e.g. when testing a patch), it's generally best practice to target using the dynamic option. This is especially important if new machines come online that need the patch. If you target one by one, you end up having many actions for a single patch because a new action is needed for freshly built machines or ones that weren't relevant at the time of assignment. Dynamic targeting by group (or all computers) catches any system, now or in the future (until the action expiration date), that needs the patches.

Using All Computers or picking a Group will make sure to catch systems that need the patch but have been offline/recently built.  IEM will automatically pick target systems by evaluating them for applicability.

Choose Dynamically target by property -> All Computers and switch to the Execution Tab.

Execution Tab

The Ends on time determines when an action will expire. The best practice is not to have too many open actions. Ideally this should be set just long enough for the action to complete on applicable systems. The default is probably fine.

Some sites are forgetting to set an "End" date for the patch or action. You should almost ALWAYS set something here, otherwise you'll have a patch that never expires or stops. Remember that Flash, Java, Adobe etc. come out with new patches all the time. Set a reasonable end date based on how often you think a new patch would be available (e.g. one month later).

Change the Behavior to On failure, retry. If the update fails for whatever reason, it will re-run once after the system is rebooted (this setting will not reboot the system, however).

Enable the setting Start client downloads before constraints are satisfied. This will force required files to download and cache on relays and clients before the action starts. This setting is best combined with a Starts on time in the future. In this example we leave Starts on blank, which means the action will begin immediately.

Review other options and select the Users Tab.

The Reapply this action option can be very useful, but be careful with it. For patching it can be useful to reapply a set of patches because if they become relevant again, they will reinstall. For example, with things like Flash and Java, it's possible for an older version to get reinstalled as part of another application.

ALWAYS set a limit to how many times it reapplies (even if it's 50 or 100). This is a safety net so that if a patch is constantly applicable (e.g. because of some error), it doesn't keep reapplying until the end of time.

If your site has more than one relay, it's a good idea to set a Stagger action downloads over value so that the relays won't all download (cache) the patch at the same time. Even a 15 minute stagger can help.

Users Tab

The defaults are usually fine here. There is no user interface for almost all patches and updates because it is suppressed by IEM, and most Fixlet patches and updates run just fine while users are logged on, so this tab is not used often. Click the Messages Tab.

Some (but not all) patches/updates install more successfully when you check the option "Only run when user is not logged in". Many patches take care of ending in-use programs (make sure to review the description before taking action), but some don't. Testing deployment with IEM in various conditions (user logged in with an app open, etc.) can help you determine the best option for widespread patching.

Messages Tab

The default settings are usually fine here. Enabling a message will pop up a small window as soon as the client finds the action is applicable and any time constraints are met. We have heard from sites that the messages are really more annoying to users than they are useful. Select the Offer Tab.

Offer Tab

This functions similarly to the Advertisements feature in MECM; it's probably not very useful for patching. Select the Post-Action tab.

Post-Action Tab

The default is to do nothing but many patches and updates require a restart to fully complete.

For example: Selecting Restart computer after action completes with a deadline set to 2 days will give the user a notification window and two days of grace time before automatically restarting the system.

One possible method is to patch all systems within a scheduled maintenance window (use start and end times, something like Sunday from 5-11pm). Then set the forced restart deadline to 5 minutes or less. This will ensure systems will fully apply the patches.

Select the Applicability Tab.

Applicability Tab

Generally this is only useful for custom made Fixlets or to review the IEM relevance language.  Select the Success Criteria Tab.

Success Criteria

Generally this is only useful for custom made Fixlets.  Select the Action Script Tab.

Action Script Tab

Generally this is only useful for custom made Fixlets or to review the IEM action script language.

Review the information, paying extra attention to the Target, Execution and Post-Action Tabs.  Click the OK button to complete the action.
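The same review can be scripted for actions kept as XML. The checker below is an added example, not part of the original walkthrough or of IEM itself; it assumes the action definition is available in BES action XML, and the element names (HasEndTime, Reapply, HasReapplyLimit, HasRetry, HasTemporalDistribution, PreActionCacheDownload, ComputerName, ComputerID) are assumptions to verify against your server's schema. Both sample documents are constructed.

```python
import xml.etree.ElementTree as ET

# Settings the walkthrough asks for, as (element, finding) pairs. Element names
# are assumed from the BES action XML format; check them against your version.
REQUIRED_TRUE = [
    ("HasEndTime", "no end date: the action never expires"),
    ("HasRetry", "no retry on failure"),
    ("PreActionCacheDownload", "downloads are not pre-cached before the action starts"),
    ("HasTemporalDistribution", "downloads are not staggered across relays"),
]

def audit_action(xml_text):
    """Return findings for one action definition; an empty list means it passes."""
    root = ET.fromstring(xml_text)
    settings = root.find(".//Settings")

    def is_true(name):
        # A missing element is treated the same as an explicit "false".
        value = settings.findtext(name) if settings is not None else None
        return (value or "").strip().lower() == "true"

    findings = []
    # Static targeting: explicit computer names or IDs instead of a dynamic target.
    static = root.find(".//Target/ComputerName"), root.find(".//Target/ComputerID")
    if any(node is not None for node in static):
        findings.append("static target list: new or offline machines are missed")
    findings += [msg for name, msg in REQUIRED_TRUE if not is_true(name)]
    if is_true("Reapply") and not is_true("HasReapplyLimit"):
        findings.append("reapply enabled with no limit")
    return findings

# Constructed samples (not exported from a real server).
WEAK = """<BES><SourcedFixletAction>
  <Target><ComputerName>WS-001</ComputerName><ComputerName>WS-002</ComputerName></Target>
  <Settings><HasEndTime>false</HasEndTime><Reapply>true</Reapply></Settings>
</SourcedFixletAction></BES>"""
GOOD = """<BES><SourcedFixletAction>
  <Target><AllComputers>true</AllComputers></Target>
  <Settings><HasEndTime>true</HasEndTime><HasRetry>true</HasRetry>
    <PreActionCacheDownload>true</PreActionCacheDownload>
    <HasTemporalDistribution>true</HasTemporalDistribution>
    <Reapply>true</Reapply><HasReapplyLimit>true</HasReapplyLimit>
    <ReapplyLimit>50</ReapplyLimit></Settings>
</SourcedFixletAction></BES>"""

if __name__ == "__main__":
    for label, doc in (("weak", WEAK), ("good", GOOD)):
        print(label, audit_action(doc) or "OK")
```

The stagger finding only matters at sites with more than one relay, so treat it as advisory elsewhere.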

Continue to step 4
