We just released ZENworks 11 SP 4 System Update 2 (11.4.2) so I thought I’d take a minute to tell you about the great enhancements we’ve made in Patch Management. As always, we fixed a number of defects (see TID 7017469 for details), but we’ve also made some important feature, functionality, and performance improvements.
Improved delivery performance for Patch policies
In the past, when a Patch policy included a large number of patches, it could take a long time for the ZENworks Server to deliver the patches to its managed devices. This happened because the ZENworks Server was computing patch data for each individual device as the device requested patches, and a large number of patches increased both the computation and transfer time.
The ZENworks Server now pre-computes patch data for devices, compresses the data, and saves the compressed data in the database. This provides quicker response time for devices and reduces the amount of data that is transferred between the ZENworks Server and the devices. The net result is better, faster delivery of patches to managed devices.
To take advantage of this performance enhancement, you need to update both your ZENworks Servers and managed devices to 11.4.2.
Improved performance for vulnerability detection
Vulnerability detection speed has been improved on managed devices by removing disabled patches from the Discover Applicable Updates (DAU) process.
Cleanup of content for disabled patches
Content for disabled patches can now be automatically removed from your ZENworks Servers. When you enable the option, you configure how long to wait after a patch is disabled to delete its content. You can choose to wait 3 months, 6 months, 1 year, 2 years, or 5 years.
When you update to 11.4.2, your ZENworks system might already have a large number of disabled patches. To avoid degrading ZENworks Server performance, cleanup of that existing content does not start until the configured wait period has elapsed, and it is then limited to 10 to 50 patches per day until the content for all patches that were disabled at the time of the update has been removed.
For example, if you update your ZENworks Server on June 1 and set the cleanup wait period to 3 months, content for the currently disabled patches will begin to be removed on September 1, with 10 to 50 patches removed each day until all patches that were disabled at update time are removed.
Pre-install notification for Patch policies
The Patch Policy Pre-Install Behavior configuration settings now include a Prompt before install option that lets you prompt users before patches are installed, with options to let the user cancel or snooze the installation.
Run patches as secure system user
The default Executable Security Level for installing patches has been changed from Run as dynamic administrator to Run as secure system user. This stops all interaction with the desktop, effectively hiding the patch installation from the user. This change applies to all newly cached patches or recached patches. Existing cached patches are not changed.
New patch reports
Five new pre-defined reports have been added for use with ZENworks Reporting Server:
- DAU Status: The breakdown of devices that have and have not run a vulnerability detection (DAU) in the last 7 days.
- Device Status: For each device, the dates for last contact, last full refresh, last inventory scan, and last DAU.
- Overall Patch Percentage: The percentage (and number) of patched and non-patched devices in your system.
- Not Patched Patches by Device: For each device, the list of patches that have not been applied to the device.
- Patch Percentage by Folder: The percentage (and number) of patch compliant devices broken down by device folders.