Best practices for using Patch Manager
Getting started with Patch Manager includes more than just publishing updates and generating reports. These best practices help you fine tune your deployment to avoid any issues along the way.
Managed systems
Inventory the WSUS server and Windows network before you generate a report
Reports query the Patch Manager database and convert the data into information you can use to manage the deployment. If you do not inventory the WSUS server or Windows network each day, the reports will not contain the latest information.
Create an inventory only for the organizational units you want to include in the reports
Patch Manger collects licenses from managed systems and task history and compares the total amount to your purchased license. If you inventory the entire domain, the inventory includes disabled systems that still exist in Active Directory®.
This process includes irrelevant systems that exceed your license count and generate a system error. Any Windows-based system that you patch counts toward the node count. These systems include the Patch Manager server, standalone WSUS server, SCCM server, and all client systems. The Primary Application Server (PAS) determines the node count in the Windows domain. A Patch Manager license includes 11 license tiers and is licensed on the node level.
Microsoft updates
Synchronize your WSUS server to download the latest Windows updates every day
Microsoft releases security patches on the second Tuesday of each month (also known as Patch Tuesday). Create a daily schedule to synchronize the WSUS server with the Microsoft Updates Catalog each day. This process ensures that you receive the scheduled and non-scheduled Windows updates, patches, and hotfixes software updates when they are available.
Check the Microsoft Security Response Center each week for the latest information
Located on the Microsoft TechNet website, the Security Response Center identifies and posts security risks and vulnerabilities discovered in Microsoft software. This site also posts white papers and additional resources to help you be informed about Windows-related security risks.
See Best Practices for Patch Management on THWACK for additional security best practices.
Third-party updates
Remove all custom filters from the Third Party Updates list
This ensures that all third-party updates are published to the systems.
- In the navigation pane, expand Enterprise > Update Services > Patch_Manager_Server > Updates.
- Select Third Party Updates.
-
Examine the filter icons in the table columns.
If a filter icon is clear , no filters are applied.
If a filter icon is blue , click the icon, select All, and click OK.
-
Click Refresh in the Actions pane to apply the changes.
Enable Patch Manager to automatically download third-party updates every day.
By default, Patch Manager does not automatically download third-party updates after you install the software. Download the third-party updates and create a daily or weekly schedule to synchronize with the SolarWinds Third Party Update Library. When you are finished, Patch Manager downloads the latest third-party updates when they are available.
Review the latest third party updates
The Table of Third Party Patches posted on THWACK lists the most recent patches added to the Patch Manager third party catalog. Review this list often to ensure that your managed systems have the latest updates.
Patch Manager server
Update and publish the group policy to all servers and systems managed by Patch Manager.
Create and export a software publishing certificate from the WSUS server to a certificate file. When you are finished, configure the Group Policy Object (GPO) on the domain controller with the certificate file and the supporting Windows Update policies to enable the managed systems to receive Windows and third-party updates from the WSUS server. Patch Manager signs all packages with the software publishing certificate. This certificate must be installed in the Trusted Root Certification Authority and Trusted Publishers keystores so each managed computer can receive and install third-party updates.
Ensure that the Patch Manager servers are associated with a management group
This process helps you minimize errors with translating system names in the deployment.
- In the navigation pane, expand Patch Manager System Configuration and select Patch Manager Servers.
-
In the Patch Manager Servers pane, ensure that the Management Group column includes a management group. In this example, the WSUS server (
SPM-MGOM
) is associated with the Managed Enterprise management group.
Run the Server Cleanup Wizard on the WSUS server each month
The wizard performs several housekeeping tasks to optimize the WSUS server performance. These tasks include removing unused updates, unneeded update files, expired or superseded updates, and systems that no longer access the WSUS server for updates.
- In the navigation pane, expand Enterprise > Update Services and select the WSUS server.
- In the Actions pane, click Server Cleanup Wizard.
-
In the WSUS Server Cleanup Options window, select your cleanup options, and click OK.
- In the Task Options Wizard, run the task now or create a schedule for the task.
- Complete the wizard.
Ensure that WSUS is configured and running at an optimal level
See the Microsoft TechNet® website for information about best practices with WSUS and managing the Windows updates.
Ensure that port 4092 is open on your firewall
If you are running the Patch Manager agent on your remote systems, ensure that this port is open so the application can manage these systems.
SQL Server database
Select the appropriate Windows Server operating system for your deployment
For optimal performance, use Microsoft SQL Server Standard or Enterprise Edition for a Production deployment and SQL Server Express to evaluate the product.
The data capacity in SQL Server Standard and Enterprise Edition is only limited to the storage capacity of your database server. SQL Server Express can only store up to 10GB of data. If you exceed this storage limit, the application will generate errors.