6.3 Deploying Patches Manually

To distribute patches manually, use the Deploy Remediation Wizard, which provides an interface to create or edit patch deployment schedules for multiple recipients or devices. The wizard assists in selecting devices, scheduling deployment of patches, and if required, setting recurrence. After completing the wizard, the deployment will be listed in the Bundles page.

NOTE: To deploy a Windows patch, the recommended minimum disk space is at least 5x the largest available patch. If you are deploying multiple patches, the recommended minimum disk space is at least 5x the total size of the patches.

You can access the Deploy Remediation Wizard from the Action menu on one of the following pages:

  • Security > Dashboard > Recently Released Patches

  • Security > Patches

  • Devices > [selected device] > Patches

You can also click the Deploy Remediation link under Patch Management shortcuts in the navigation menu. These shortcut options appear when the Patch Management > Patches page is open.

If you select multiple patches in the Deploy Remediation Wizard, the wizard automatically selects all the applicable devices and packages. If any device is selected, the wizard automatically selects all patches that are applicable for that device. If a group is selected, the wizard includes all patches applicable for the devices in that particular group.

IMPORTANT: Once you initiate a patch remediation and the patch bundles are created for the remediation, the patch bundles should not be modified. If patch remediation bundles are modified, they may not replicate to Primary servers, leaving the intended devices not patched.

6.3.1 Create a Deployment Schedule

To create a deployment schedule for one or more patches on one or more devices:

  1. Go to Security > Dashboard or Security > Patches.

  2. Select one or more patches that you want to deploy.

  3. Select Deploy Remediation in the Action menu.

The Deploy Remediation steps vary, depending on the remediation option chosen in Step 5 of the wizard, Default or Custom. Each step is described in the sections that follow.

6.3.2 Confirm Devices

The Confirm Devices page allows you to select and confirm the devices for which you need to schedule a deployment.

The page indicates the total number of devices to which the selected patch will be deployed. You can change how many items are listed on the page by using the show items drop-down menu.

  1. Select one of the following options to determine the devices to which the patches are to be deployed:

    • All non-patched devices: Deploys the patch to all devices that are in a non-patched state.

    • Select applicable devices: Deploys the patch to the devices you select from the devices list. You can deploy a patch to a device regardless of its existing patch status, which can be patched or not patched.

      NOTE: If you deploy a patch from the Patch Management page, the list of devices that appears is based on the patch Status filter you choose.

      The devices list contains the following columns:

      • Device Name: The name of the device registered with ZENworks Patch Management to which the patch is to be deployed.

      • Last Contact: The status of the device when it was last contacted.

      • Platform: The operating system of the device.

      • DNS: The name of the DNS server.

      • IP Address: The IP address of the device.

    • Select devices, folders and groups: Deploys the patch to specific devices, folders, or groups that are in a non-patched state.

      To select a device, folder, or group for deployment:

      1. Click the Add menu item on the Confirm Devices page.

      2. Click the arrow next to the Devices option on the left side of the window to display the available devices, folders, and groups.

      3. Click the desired device to add it to the Selected panel on the right side of the window.

        or

        To remove a device from the panel, click the Delete button in the Remove column for that device.

      4. Click OK to confirm device selection.

        The window closes and the Confirm Devices page displays the selection.

  2. After choosing an option and selecting one or more devices, click Next to open the Remediation Schedule page.

6.3.3 Remediation Schedule

In the Remediation Schedule page you configure how a patch is scheduled and deployed for selected devices.

To start setting the remediation schedule, you need to select the schedule type. Patch Management offers three types of schedules to determine when the patches are actually applied to the target device: Now, Date Specific, and Recurring.

  • Now: Schedules the deployment to your selected devices immediately after you complete all the steps in the Deploy Remediation Wizard.

  • Date Specific: Schedules the deployment to your selected devices according to the selected date.

    When you select Date Specific, you can choose from the following schedule options:

    • Start Date: Enables you to pick the date when you need to start the deployment. To do so, click the plus icon to open the calendar and pick the date. To remove the selected date, click the minus icon.

    • Run event every year: Ensures that the deployment starts on a selected date at a selected time, repeats every year, and if defined, ends on a specific date.

    • Process immediately if device unable to execute on schedule: Ensures that the deployment starts immediately if the device could not execute on the selected schedule.

    • Select when schedule execution should start: There are two options for selecting the start time of the schedule execution, using a 24-hour clock:

      • Start immediately at Start Time: Deactivates the End Time panel and starts the deployment at the start time specified. In this option, you must set the start time in the Start Time panel.

      • Start at a random time between Start Time and End Times: Activates the End Time panel next to the Start Time panel. You can specify the end time and the start time so that the deployment occurs at a random time between them.

      Selecting the Use Coordinated Universal Time check box enables you to schedule the deployment of all devices at the same time, regardless of time zone differences. Coordinated Universal Time (UTC), also known as World Time, Z Time, or Zulu Time, is a standardized measurement of time that is not dependent upon the local time zone. Deselecting UTC schedules the distribution at the local time.

  • Recurring: Starts the deployment on the selected day at a selected time, repeats the deployment every day/week/month, and if defined, ends on a specific date.

    By default, the bundle install frequency is set to Install once per device. For a recurring deployment, change it to Install always, after finishing the Deploy Remediation Wizard. For more information, see Install Action Set Options in the ZENworks Software Distribution Reference.

    In the Recurring Remediation Schedule, you can set the following options for a recurring deployment:

    • When a Device is Refreshed: This option enables you to schedule a recurring deployment whenever the device is refreshed. In this option, you can choose to delay the next deployment until after a specific time.

      To set the delay, select the Delay execution after refresh check box, and specify the days, hours, and minutes of the time to delay the deployment.

      NOTE: The device is refreshed based on the settings in the Device Management page under the Configuration page. Click the Device Refresh Schedule link under Device Management to open the page displaying the option for either a Manual Refresh or Timed Refresh. Alternatively, you can refresh the device by selecting a device under the Devices page and clicking the Refresh Device option under the Quick Tasks menu.

    • Days of the Week: This option enables you to schedule the deployment on selected days of the week.

      To set the day of deployment, select the Days of the week button, select the required day of the week, and set the start time of deployment. If you click the More Options link, additional deployment options appear:

      • Select the Use Coordinated Universal Time check box to schedule the deployment of all devices at the same time, regardless of time zone differences. Coordinated Universal Time (UTC), also known as World Time, Z Time, or Zulu Time, is a standardized measurement of time that is not dependent upon the local time zone. Deselecting UTC schedules the distribution at local time.

      • Select the Start at a random time between Start Time and End Times check box to activate the End Time panel in addition to the Start Time panel. You can specify the end time and the start time so that the deployment occurs at any random time between the start and end times.

      • The Restrict schedule execution to the following date range option enables you to schedule a recurring deployment at the selected time, repeat the deployment on the days specified, and if defined, end at the specific time. This option also enables you to restrict the deployment to the period between the start date and the end date. To set this option, select the Restrict schedule execution to the following date range check box and click the icon to open the calendar and pick a start date or end date. Click the Close button when you have finished selecting the date.

    • Monthly: In the Monthly deployment option, you can specify the following:

      • Days of the month: Enables you to schedule the deployment on a specific day of the month. You can specify any number between 1 and 31.

      • Last day of the month: Enables you to schedule the deployment on the last day of the month.

      • Particular days of the month: Enables you to schedule the deployment on specific days of every month. The valid options for the day are first, second, third, fourth, and fifth. The valid options for the weekday are Sunday through Saturday. To select one particular day of the month, use the drop-down arrows.

        To select an additional day of the month, click the Plus icon and use the drop-down arrows in the second row.

        To remove a particular day from the list, click the Minus icon.

        If you click the More Options link, additional deployment options appear.

        NOTE: The Restrict schedule execution to the following date range option enables you to schedule a recurring deployment at the selected time, repeat the deployment on the days specified, and if defined, end at the specific time. This option also enables you to restrict the deployment to the period between the Start Date and the End Date. To set this option, select the Restrict schedule execution to the following date range check box and click the Time icon to open the calendar and pick a start date or end date. Click the Close button when you have finished selecting the date.

    • Fixed Interval: This option enables you to schedule a recurring deployment that runs after a fixed duration on a regular basis. You can choose the number of months, weeks, days, hours, and minutes of the interval and the start date for the deployment schedule.

      If you click the More Options link, additional deployment options appear.

By default, the Device Refresh Schedule is set to twice a day. For testing and demonstration purposes, you could increase the frequency to once every five to fifteen minutes.
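The effect of the Use Coordinated Universal Time check box and of the random start window described above can be modelled before a schedule is committed. This Python sketch is an added example, not ZENworks code; the device names, fixed UTC offsets, date and the 08:00-18:00 working hours are constructed assumptions.

```python
import random
from datetime import date, datetime, time, timedelta, timezone

# Constructed fleet: device name -> fixed UTC offset in hours (DST ignored).
FLEET = {"nyc-ws-01": -5, "lon-ws-01": 0, "blr-ws-01": 5.5, "syd-ws-01": 10}


def planned_start(day, start, end, offset_hours, use_utc, rng):
    """UTC instant at which one device starts, under the model described above.

    end=None models "Start immediately at Start Time"; otherwise a moment is
    drawn between Start Time and End Time. use_utc=True reads both times as
    UTC, use_utc=False reads them on the device's local clock.
    """
    tz = timezone.utc if use_utc else timezone(timedelta(hours=offset_hours))
    begin = datetime.combine(day, start, tzinfo=tz)
    if end is not None:
        finish = datetime.combine(day, end, tzinfo=tz)
        if finish <= begin:
            raise ValueError("End Time must be later than Start Time")
        window = (finish - begin).total_seconds()
        begin += timedelta(seconds=rng.uniform(0, window))
    return begin.astimezone(timezone.utc)


def fleet_plan(day, start, end=None, use_utc=False, seed=0):
    """Map each device to (start in UTC, same instant on the device's clock)."""
    rng = random.Random(seed)  # seeded so the plan is reproducible
    plan = {}
    for name, offset in FLEET.items():
        utc_start = planned_start(day, start, end, offset, use_utc, rng)
        local = utc_start.astimezone(timezone(timedelta(hours=offset)))
        plan[name] = (utc_start, local)
    return plan


def spread_hours(plan):
    """Hours between the first and the last device starting."""
    starts = [utc for utc, _ in plan.values()]
    return (max(starts) - min(starts)).total_seconds() / 3600


def in_business_hours(plan, opens=time(8, 0), closes=time(18, 0)):
    """Devices whose start falls inside local working hours (assumed 08:00-18:00)."""
    return sorted(n for n, (_, local) in plan.items()
                  if opens <= local.time() < closes)


if __name__ == "__main__":
    day = date(2024, 1, 15)  # constructed date
    for use_utc in (False, True):
        plan = fleet_plan(day, time(2, 0), use_utc=use_utc)
        label = "UTC box selected" if use_utc else "local time"
        print(f"{label}: spread={spread_hours(plan):.1f}h, "
              f"daytime starts={in_business_hours(plan)}")
```

With the box cleared, a 02:00 start stays outside working hours everywhere but the fleet takes many hours to finish; with it selected, every device starts together and some start in the middle of the local working day.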

All of the schedule settings above also have the option to configure the Wake-on-LAN setting, which can schedule a deployment to devices that are powered off. For more information, see Remediation Schedule: Wake On LAN.

Remediation Schedule: Wake On LAN

The Wake on LAN function is an option in the Remediation Schedule. It can be used to schedule a deployment even if the managed devices are powered off. To change the parameters, click the Options button, where you can select different servers for the wake-up request and wake-up broadcast.

NOTE: The default settings for this function are to automatically detect the Primary Server.

To change the parameters:

  1. Select the Wake On LAN check box.

  2. Click Options. This opens the Wake Up window.

  3. Select the desired parameters, and click OK.

6.3.4 Deployment Order and Behavior

The Deployment Order and Behavior page enables you to set the order for each deployment schedule by two prioritized lists, Vendor Patches and Custom Patches. Vendor patches, if present, will always deploy first, followed by any custom patches. If you have more than one patch in either list, use the arrow buttons to set the priority for deployment.

Each list consists of the following:

  • Patch Name: The name of the patch that has been selected for deployment.

  • Order: The order of execution of the deployment. The arrow appearing next to the column heading enables you to sort in ascending or descending order.

  • Reboot: The reboot settings applicable for the corresponding patch.

NOTE: Chained patches can be moved only after removing their chained status.

Click Next to open the Remediation Options page.

6.3.5 Remediation Options

The Remediation Options page enables you to select the required remediation option for each deployment schedule.

The following table describes the configuration for each option available in the Remediation Options page:

Table 6-1 The Remediation Options

  • Auto Reboot (silent install with optional reboot): Automatically sets all possible patches to deploy with QChain enabled. Enables you to configure notification and reboot settings defined for each patch.

  • No Reboot (silent install, never reboot): Automatically sets all possible patches to deploy with QChain enabled. All necessary reboots must be performed manually.

  • Advanced (individually set all possible deployment options): Enables you to customize the following settings for the selected patch or patches:

6.3.6 Pre-Install Notification Options

The Pre-Install Notification Options page allows you to define whether users receive any notification when patches are downloaded and installed, and to customize the notification. This page is only shown if you have selected the Custom remediation option in Step 5 of the wizard.

NOTE: The Pre-Install Notification Option only displays if the Advanced option is selected in Step 5: Remediation Options.

Refer to the information below to understand how to define Pre-Install options:

  • Use values assigned to system variables or defaults: Select this option to use the default pre-install notification options defined within Patch Policy Settings.

  • Override Settings: Select this option to override the default options and choose new ones. Selecting this option makes the remaining options available.

    • Notify Users of Patch Install: Select this option to notify the user prior to the installation of the patch. There are two additional options:

      • Prompt before download: Select this option to notify the user when the patch download process begins.

      • Prompt before install: Select this option to notify the user when the patch installation process begins.

    • Description text: The text of the notification message. You can edit this field only if you override the default settings.

    • Options: When you define installation options, you can specify whether to use the values in the default settings (the Use values assigned to system variables or defaults check box) or the custom settings. There are three options:

      • Allow User to cancel: Allows the user to cancel the patch installation.

      • Allow User to snooze: Allows the user to delay the installation.

        • Snooze interval: The duration the install is delayed when the user snoozes.

        • Install within: The deadline after which the user can no longer snooze the installation.

          NOTE: Even if you snooze the installation, the popup window will continue to appear every few seconds until you proceed with or cancel the installation.

      • Show tray notification: On selecting this option, a notification for a pending installation is displayed in the system tray. If you select this option, define the following:

        • Tray notification duration: Enter a value in hours, minutes or seconds for how long the system tray notification is displayed before being hidden.

        • Tray notification text: Type the text you want to appear in the notification.

Click the Next button to proceed to the Distribution Schedule page.

6.3.7 Distribution Schedule

The Distribution Schedule page of the Deploy Remediation Wizard allows you to determine when a patch will be distributed to and installed on the devices. This page is only shown if you have selected the Custom remediation option in Step 5 of the wizard.

To start setting the distribution schedule, you need to select the schedule type. Patch Management offers three types of schedules to determine when the patches are actually distributed to the target device: No Schedule, Date Specific, and Recurring.

  • No Schedule: If you select No Schedule, the distribution to your selected devices begins immediately after you complete all the steps in the Deploy Remediation Wizard.

  • Date Specific: If you select Date Specific, the distribution to your selected devices occurs according to the selected date that you set in the wizard’s Distribution Schedule page, as follows:

    • Start Date: Enables you to pick the date when you need to start the distribution. To do so, click the plus icon to open the calendar and pick the date. To remove the selected date, click the minus icon.

    • Run event every year: Ensures that the distribution starts on a selected date at a selected time, repeats every year, and if defined, ends on a specific date.

    • Process immediately if device unable to execute on schedule: Ensures that the distribution starts immediately if the device could not execute on the selected schedule.

    • Select when schedule execution should start: There are two options for selecting the start time of the schedule execution:

      • Start immediately at Start Time: Deactivates the End Time panel and starts the distribution at the start time specified. In this option, you must set the start time in the Start Time panel.

      • Start at a random time between Start Time and End Times: Activates the End Time panel next to the Start Time panel. You can specify the end time and the start time so that the distribution occurs at a random time between them.

      In both time panels, the first drop-down list enables you to select the hour, the second drop-down list enables you to select the minute, and the third drop-down list enables you to select AM or PM.

      Selecting the Use Coordinated Universal Time check box enables you to schedule the distribution to all devices at the same time, regardless of time zone differences. Coordinated Universal Time (UTC), also known as World Time, Z Time, or Zulu Time, is a standardized measurement of time that is not dependent upon the local time zone. Deselecting UTC schedules the distribution at the local time.

  • Recurring: If you select Recurring, you can start the distribution on the selected day at a selected time, repeat the deployment every day/week/month, and if defined, end on a specific date.

    In the Recurring page, you can set the following options for a recurring deployment:

    • When a device is refreshed: This option enables you to schedule a recurring distribution whenever the device is refreshed. In this option, you can choose to delay the next distribution until after a specific time.

      To set the delay, select the Delay execution after refresh check box, and specify the days, hours, and minutes of the time to delay the distribution.

      NOTE: The device is refreshed based on the settings in Configuration > Device Management menu > Device Refresh and Removal Schedule (Manual Refresh or Timed Refresh). Alternatively, you can refresh the device by selecting a device in the Devices page and clicking the Refresh Device option in the Quick Tasks menu.

    • Days of the week: This option enables you to schedule the distribution on selected days of the week.

      To set the day of distribution, select the Days of the week button, select the required day of the week, and set the start time of distribution. If you click the More Options link, additional distribution options appear. Click the Hide Options link to hide the additional distribution options and show only the default distribution options.

      • Selecting the Use Coordinated Universal Time check box enables you to schedule the distribution to all devices at the same time, regardless of time zone differences. Coordinated Universal Time (UTC), also known as World Time, Z Time, or Zulu Time, is a standardized measurement of time that is not dependent upon the local time zone. Deselecting UTC schedules the distribution at local time.

      • Selecting the Start at a random time between Start Time and End Times check box activates the End Time panel in addition to the Start Time panel. You can specify the end time and the start time so that the distribution occurs at any random time between the start and end times.

      • The Restrict schedule execution to the following date range option enables you to schedule a recurring distribution at the selected time, repeat the distribution on the days specified, and, if defined, end at the specific time. This option also enables you to restrict the distribution to the period between the start date and the end date. To set this option, select the Restrict schedule execution to the following date range check box and click the calendar icon to open the calendar and pick a start date or end date. Click the Close button when you have finished selecting the date.

    • Monthly: This option enables you to specify the monthly distribution options, where you can specify the following:

      • Days of the month: Enables you to schedule the distribution on a specific day of the month. You can specify any number between 1 and 31.

      • Last day of the month: Enables you to schedule the distribution on the last day of the month.

      • Particular days of the month: Enables you to schedule the distribution on specific days of every month. The valid options for the day are first, second, third, fourth, and fifth. The valid options for the weekday are Sunday through Saturday. To select one particular day of the month, use the drop-down arrows.

        To select an additional day of the month, click the plus icon and use the drop-down arrows in the second row.

        NOTE: To remove a particular day from the list, click the minus icon.

        If you click the More Options link, additional distribution options appear. Clicking the Hide Options link hides the additional distribution options and shows only the default distribution options.

        NOTE: The Restrict schedule execution to the following date range option enables you to schedule a recurring distribution at the selected time, repeat the distribution on the days specified, and, if defined, end at the specific time. This option also enables you to restrict the distribution to the period between the Start Date and the End Date. To set this option, select the Restrict schedule execution to the following date range check box and click the calendar icon to open the calendar and pick a start date or end date. Click the Close button when you have finished selecting the date.

    • Fixed Interval: This option enables you to schedule a recurring distribution that runs after a fixed duration on a regular basis. You can choose the number of months, weeks, days, hours, and minutes of the interval and the start date for the distribution schedule.

      If you click the More Options link, additional distribution options appear.

By default, the Device Refresh Schedule is set to twice a day. For testing and demonstration purposes, you could increase the frequency to once every five to fifteen minutes.

6.3.8 Notification and Reboot Options

In the Notification and Reboot Options page you can define whether users receive notification of patch deployments and reboots. You can also customize the notification. This page is only shown if you have selected the Custom remediation option in Step 5 of the wizard.

The page provides the following options:

  • Define Reboot Options: Allows you to use the default reboot options you’ve set in options or override them and set them manually for the deployment.

    • Use values assigned to system variables or defaults: Uses reboot options set for deployments.

    • Override Settings: Overrides the default reboot settings and lets you choose from the options below.

  • Notify Users: Select this option to notify the user prior to a reboot required for installation of the patch.

  • Description Text: The text of the message that appears before patch installation completes and the computer reboots. You can edit this field only if you override the default settings.

  • Options: When you define reboot options, you can specify whether to use the values in the default settings (the Use values assigned to system variables or defaults check box) or the custom settings. There are four options:

    • Suppress Reboot: If a patch requires a reboot by default, and no reboot is desired, select the Suppress Reboot option to stop this action. This will prevent a reboot after installation.

    • Allow User to cancel: On selecting this option, the user is allowed to cancel the reboot option.

    • Allow User to snooze: On selecting this option, the user is allowed to snooze (pause) the reboot for a particular time.

      • Snooze interval: The amount of time before a user is prompted again to reboot after snoozing.

      • Reboot within: The amount of time before a user is forced to reboot for the deployment.

    • Show tray notification: On selecting this option, a notification for a pending reboot is displayed in the system tray. If you select this option, define the following options:

      • Tray notification duration: Option to select how long the system tray notification is displayed before being hidden.

      • Tray notification text: Option for text that appears in the notification.

      A message prompt appears when a reboot is required.

      Depending on the notification settings configured, the prompt may include delay and cancellation options.

Click Next to define a deployment name.

Variables

The following is a list of the system variables that can be used through the console. These are the calls made to set the defaults. Each entry shows the variable name and its default setting. The values can be set by the user depending on their requirements.

  • ConfigManager.SetDefaultConfigValue(PATCH_MANDATORY_NOTIFY_REBOOT_REBOOT_TIMEOUT, "7200"); Time to do prompts before rebooting, in seconds.

  • ConfigManager.SetDefaultConfigValue(PATCH_MANDATORY_NOTIFY_REBOOT_POPUP_SHOW_TRAY, "true"); Whether to show the popup in the corner.

  • ConfigManager.SetDefaultConfigValue(PATCH_MANDATORY_NOTIFY_REBOOT_POPUP_DURATION, "20"); How long to display the popup, in seconds.

  • ConfigManager.SetDefaultConfigValue(PATCH_MANDATORY_NOTIFY_REBOOT_SNOOZE_INTERVAL, "600"); The time to wait before showing the popup again, in seconds.

  • ConfigManager.SetDefaultConfigValue(PATCH_NOTIFY_REBOOT_REBOOT_TIMEOUT,"7200"); The time to wait before the system notifies a time out, in seconds.

  • ConfigManager.SetDefaultConfigValue(PATCH_NOTIFY_REBOOT_POPUP_SHOW_TRAY,"true"); The value indicates whether or not the system will show a popup before reboot.

  • ConfigManager.SetDefaultConfigValue(PATCH_NOTIFY_REBOOT_POPUP_DURATION,"20"); This value indicates the length of time for the popup to remain.

  • ConfigManager.SetDefaultConfigValue(PATCH_NOTIFY_REBOOT_SNOOZE_INTERVAL,"600"); The value sets the length of time for the snooze interval before reboot prompt, in seconds.

  • ConfigManager.SetDefaultConfigValue(PATCH_NOTIFY_INSTALL_REBOOT_TIMEOUT,"7200"); The value shows the amount of time before the system reboots after an install timeout, in seconds.

  • ConfigManager.SetDefaultConfigValue(PATCH_NOTIFY_INSTALL_POPUP_SHOW_TRAY,"true"); The value determines whether a popup appears to notify of install.

  • ConfigManager.SetDefaultConfigValue(PATCH_NOTIFY_INSTALL_POPUP_DURATION,"20"); This value sets the length of time that the popup will show for on install, in seconds.

  • ConfigManager.SetDefaultConfigValue(PATCH_NOTIFY_INSTALL_SNOOZE_INTERVAL,"600"); The value sets the length of time for the snooze interval after install, in seconds.

The following are no longer used:

  • PATCH_NOTIFY_REBOOT_SNOOZE_TIMETOLIVE

  • PATCH_NOTIFY_REBOOT_DIALOG_TIMEOUT

  • PATCH_NOTIFY_INSTALL_SNOOZE_TIMETOLIVE

  • PATCH_NOTIFY_INSTALL_DIALOG_TIMEOUT

  • PATCH_MANDATORY_NOTIFY_ALLOW_SNOOZE

  • PATCH_MANDATORY_NOTIFY_DIALOG_TIMEOUT

  • PATCH_MANDATORY_NOTIFY_DIALOG_TIMEOUT_ENABLED

  • PATCH_MANDATORY_NOTIFY_SNOOZE_HOURS

  • PATCH_MANDATORY_NOTIFY_SNOOZE_MINUTES

  • PATCH_MANDATORY_NOTIFY_SNOOZE_DAYS
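A proposed set of overrides can be checked against the two lists above before it is entered in the console. This Python audit is an added example, not ZENworks code; the override dictionary, the snooze-versus-timeout sanity check and the `max_timeout` policy limit are assumptions made for illustration.

```python
import re

# Default-setting calls copied from the list above.
DEFAULT_CALLS = """
ConfigManager.SetDefaultConfigValue(PATCH_MANDATORY_NOTIFY_REBOOT_REBOOT_TIMEOUT, "7200");
ConfigManager.SetDefaultConfigValue(PATCH_MANDATORY_NOTIFY_REBOOT_POPUP_SHOW_TRAY, "true");
ConfigManager.SetDefaultConfigValue(PATCH_MANDATORY_NOTIFY_REBOOT_POPUP_DURATION, "20");
ConfigManager.SetDefaultConfigValue(PATCH_MANDATORY_NOTIFY_REBOOT_SNOOZE_INTERVAL, "600");
ConfigManager.SetDefaultConfigValue(PATCH_NOTIFY_REBOOT_REBOOT_TIMEOUT,"7200");
ConfigManager.SetDefaultConfigValue(PATCH_NOTIFY_REBOOT_POPUP_SHOW_TRAY,"true");
ConfigManager.SetDefaultConfigValue(PATCH_NOTIFY_REBOOT_POPUP_DURATION,"20");
ConfigManager.SetDefaultConfigValue(PATCH_NOTIFY_REBOOT_SNOOZE_INTERVAL,"600");
ConfigManager.SetDefaultConfigValue(PATCH_NOTIFY_INSTALL_REBOOT_TIMEOUT,"7200");
ConfigManager.SetDefaultConfigValue(PATCH_NOTIFY_INSTALL_POPUP_SHOW_TRAY,"true");
ConfigManager.SetDefaultConfigValue(PATCH_NOTIFY_INSTALL_POPUP_DURATION,"20");
ConfigManager.SetDefaultConfigValue(PATCH_NOTIFY_INSTALL_SNOOZE_INTERVAL,"600");
"""

# Names the page lists as no longer used.
RETIRED = {
    "PATCH_NOTIFY_REBOOT_SNOOZE_TIMETOLIVE", "PATCH_NOTIFY_REBOOT_DIALOG_TIMEOUT",
    "PATCH_NOTIFY_INSTALL_SNOOZE_TIMETOLIVE", "PATCH_NOTIFY_INSTALL_DIALOG_TIMEOUT",
    "PATCH_MANDATORY_NOTIFY_ALLOW_SNOOZE", "PATCH_MANDATORY_NOTIFY_DIALOG_TIMEOUT",
    "PATCH_MANDATORY_NOTIFY_DIALOG_TIMEOUT_ENABLED",
    "PATCH_MANDATORY_NOTIFY_SNOOZE_HOURS", "PATCH_MANDATORY_NOTIFY_SNOOZE_MINUTES",
    "PATCH_MANDATORY_NOTIFY_SNOOZE_DAYS",
}

CALL_RE = re.compile(r'SetDefaultConfigValue\(\s*([A-Z_]+)\s*,\s*"([^"]*)"\s*\)')
# The three variable families; each has a timeout and a snooze interval.
GROUPS = ("PATCH_MANDATORY_NOTIFY_REBOOT", "PATCH_NOTIFY_REBOOT", "PATCH_NOTIFY_INSTALL")


def parse_defaults(text):
    """Extract {variable name: default value} from the SetDefaultConfigValue calls."""
    return dict(CALL_RE.findall(text))


def audit_overrides(overrides, defaults, max_timeout=None):
    """Return findings for a proposed {name: value} override set.

    max_timeout is a hypothetical site policy: the longest time, in seconds,
    that a reboot or install may be deferred.
    """
    findings, effective = [], dict(defaults)
    for name, value in sorted(overrides.items()):
        is_flag = name.endswith("_SHOW_TRAY")
        if name in RETIRED:
            findings.append(f"{name}: listed as no longer used")
        elif name not in defaults:
            findings.append(f"{name}: not in the documented variable list")
        elif is_flag and value not in ("true", "false"):
            findings.append(f"{name}: expected 'true' or 'false', got {value!r}")
        elif not is_flag and not re.fullmatch(r"[0-9]+", value):
            findings.append(f"{name}: expected whole seconds, got {value!r}")
        else:
            effective[name] = value  # only valid values replace the default
    for group in GROUPS:
        timeout = int(effective[group + "_REBOOT_TIMEOUT"])
        snooze = int(effective[group + "_SNOOZE_INTERVAL"])
        if snooze >= timeout:
            findings.append(f"{group}: snooze interval {snooze}s is not shorter "
                            f"than timeout {timeout}s")
        if max_timeout is not None and timeout > max_timeout:
            findings.append(f"{group}: timeout {timeout}s exceeds policy limit "
                            f"{max_timeout}s")
    return findings


if __name__ == "__main__":
    proposed = {  # constructed override set
        "PATCH_MANDATORY_NOTIFY_SNOOZE_HOURS": "2",
        "PATCH_NOTIFY_REBOOT_SNOOZE_INTERVAL": "9000",
        "PATCH_NOTIFY_INSTALL_REBOOT_TIMEOUT": "86400",
    }
    for finding in audit_overrides(proposed, parse_defaults(DEFAULT_CALLS), 14400):
        print(finding)
```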

6.3.9 Choose Deployment Name

The Choose Deployment Name page of the Deploy Remediation Wizard lets you customize the name of the deployment you have scheduled.

The page provides the following options:

  • Deployment Name: The name you give to the deployment.

  • Folder: The location where the deployment is saved. The default location is /Bundles/ZPM.

  • Description: A description of the scheduled deployment.

6.3.10 Deployment Summary

The Deployment Summary page displays a summary of the configuration made in the previous steps:

  • Deployment Name: The name of the deployment as defined on the Choose Deployment Name page.

  • Delivery Schedule: The schedule selected for distribution of patches as defined on the Distribution Schedule page.

  • Deployment Schedule: The schedule selected for the deployments as defined on the Remediation Schedule page.

  • Total Selected Packages: The total number of patches selected for deployment.

  • Order: The order of deployment of the patches as defined on the Deployment Order and Behavior page.

  • Package Name: The name of the patch you have selected for deployment.

  • Reboot: The reboot setting of the selected patch as defined in the Deployment Order and Behavior page.

To complete the process of scheduling the deployment of a selected patch, click Finish. Click Back to return to the previous page. Click Cancel to exit the wizard.