danblee.com

Tutorials & Knowledge Base Articles for System Administrators who wear many, many hats.

LabTech Automate Patch Manager Configuration for Successful Windows Updates

by Leave a Comment

Patch Manager can be very annoying, so annoying that plugins for Automate now rule the patch management space. However, the plugins don’t do any more than what Patch Manager is capable of and with some configuration help you can benefit from the features and reporting inside Patch Manager. Here’s the baseline configuration for Patch Manager so you can successfully deploy patches in an easy-to-use way.

Patch Manager is divided up into a few different configuration settings so you can more easily manage the settings within. For this configuration you’re going to want to use the full (thick) Automate Control Center and launch Patch Manager by heading to Automate > Patch Manager. From there, click on Configuration at the top right. You’ll be spending the majority of your time here. Here are the configuration categories we’ll be covering:

  • Groups
    • Autojoin Search
  • Microsoft Update Policies
  • Third Party Update Policies
  • Reboot Policies
  • Approval Policies
  • General

Groups

For groups, I split up each MSP customer into three groups:

  • Customer Workstations
  • Customer Servers Without Special Roles
  • Customer Servers With Special Roles

Each MSP customer is different and has special needs but I find that this works best as a baseline for our customers. In the future, we can always go back and edit these groups. Splitting the customer machines into these three groups gives us a chance to spread out installation and reboot times.

Before you can create a group, you need to have an Autojoin Search created. I create a new Autojoin Search for each of my MSP customer machine groups and I don’t use them anywhere else in LabTech Automate so I know they aren’t being altered.

To create a new group with an Autojoin Search:

  1. Click on the icon under groups and choose Create New Group.
  2. Name your group. For this group I’m going to name it Patching – ABC Workstations, ABC being the fake company.
  3. Click New Autojoin Search
    1. Name it Patching – ABC Workstaions
    2. Choose Patching for Save to Folder
    3. Update the criteria so the computer is not a server, is a Windows OS, and is part of the client ABC
    4. Click Test. You should see the machines you expect to see here. If you don’t, you’ll need to review the criteria and make sure it’s accurate.
    5. Save the Autojoin Search
  4. Choose the Autojoin Search you created and make sure the Current Members populate on the right.

Here’s a screenshot of the Autojoin. There are more Autojoin screenshots at the bottom of this article that are a little more advanced since Autojoins are stupidly difficult to learn and remember how to use unless you’re spending a lot of time in Automate.

And here’s a screenshot of the Autojoin properly listed in the group settings once the group is highlighted:

Microsoft Update Policies

Rather than give you the what and why of this, I’m joining going to show you how I set up the Microsoft Update Policy for all my Workstations and one for Servers:

I call this policy the Default Workstations Policy as we use it for all of our customers by default and rarely change from it unless there are special conditions for certain customers:

The update policy above will do the following:

  • Put the Update Agent on the computer into Management Mode, so if a user on a machine goes to the update settings it will tell them that some of the settings on the page are managed by an administrator.
  • Have a maintenance window of Thursday 10a to Friday 3a, which is when the machine will install updates and then prompt for reboot (more on that on the reboot policy).
  • Create a Windows Restore point in case something breaks.
  • Defers major feature updates for 60 days as it takes a bit for us to get fully comfortable with the big changes, although that’s changing as MS is getting better with full feature deployments.

Here’s a policy that I use for Servers, although I have a few as I don’t want all of my servers for all of MSPs updating on the same night or it would be a hell of a next morning if something breaks:

Some notes for the above policy:

  • Naming the policy with the day and time really helps.
  • I added more time as servers sometimes take longer for updates.
  • No need to worry about the Windows 10 settings on the far right

Be sure and add the policy you just created to the group by clicking on Not Set under the Microsoft Update Policy when looking at the Groups page. I have pointed that out in the screenshot below:

Third Party Update Policy

I don’t use it. I’m not licensed to use it. I’ve never had a need for it.

Reboot Policy

Again, a lot of this is preference but here are my reboot policies I apply across the board:

Workstation Reboot Policy:

  • Choose to suppress reboot and alert so the reboot can be timed with other settings.
  • There should only be workstations in this group so:
    • Suppressed Reboot Options for Server: None
    • Suppressed Reboot Options for Workstation: 180 minutes with a friendly reboot prompt message
    • Reboot deadline: 48 hours
    • Deadlinee prompt duration: 30 seconds

For Server Reboot Policy, we have two policies: With Special Roles and Without Special Roles. We’re a small enough team that we can be more delicate with servers that have special roles so we can manually reboot those, although patches are still pushed to them. Maybe this is something you’d like to consider in the way you handle things. Maybe not.

  • Reboot during the Windows Update, which will only happen during the maintenance window set at the Microsoft Update Policy settings
  • Extend it 60 minutes in case it needs more time than the window
  • Reboot now. Don’t ask, just go.
  • Set maintenance window for instance of reboot, so if a machine reboots it still has 30 minutes to be in a maintenance period during and after that reboot

Last, make sure you’ve given the Group the reboot policy you’ve just created:

Approval Policies

We have two approval policies for all of our customers. We don’t see a need to get more granular than that:

  1. *Default – Will always be applied
  2. Zero Day – For immediately approving and denying patches

Default Approval Policy

  • Stage Delay Times:
    • Test Duration: 5 days – This gives us a few days in case there’s a real issue with a patch. We don’t really depend on this too much as you’ll see below we automatically approve quite a bit
    • Pilot Duration: 0 Days – We don’t put machines in a pilot group but it might be helpful for people with big deployments and the manpower to audit the patching
  • Automatic Approve – These will skip the 5 day wait period:
    • Critical Updates
    • Definition Updates
    • Office 2010, 2013, 2016, 365 Client
    • Security Updates
  • Automatic Ignore – We use ignore instead of Deny. It lists things a bit better when searching for patches and I believe this doesn’t download them, but I’m not certain.
    • Bing Bar
    • Drivers – Note: Very important. This breaks machines all the time
    • Exchange Server 2013, 2016 – We manage these specially and we are doubling our efforts to avoid installs we don’t know about
    • Dynamics
    • Lync
    • Online Services Sign-In Assistant
  • Automate Deny: None

Here’s a screenshot of the above:

Zero Day Approval Policies

We Deny and Approve by KB Number in the event that we catch something that needs to be approved right away to skip the Test phase. I’ll just show you a screenshot of that:

Both of these policies are then applied to all groups. So you should see at least a 2 in the Approval Policies column on the far right of the Groups page like below:

General

  • Compliance: There’s not much here, we set the thresholds to 85%, 95%, and 100% for green. We’re always in the 99% range so we’re pretty happy with it and don’t depend on these too much.
  • Gather Patch Information: Should be relatively updated by default.
  • Apply Patch Policy Setting: Every time you make a change, this will take some time in bigger environments.
  • Evaluate All Patch Approvals: This checks every single machine’s patch status. Don’t do this unless something is really screwed up. Mine hasn’t been done since 2019.

Extra Autojoin Searches

Here are some other searches that will really help you out. Remember, Groups and Searches can be edited outside of Patch Manager. So to edit an Autojoin you can go to Automation > Searches > View Searches > and search for your autojoin search by name.

This will find all machines that have special roles so we can install updates during the maintenance window on the weekend but we don’t want reboot without some hand holding:

This will find servers without those special roles so we can just reboot them whenever we schedule:

Hope this helps. Cheers!