Showing results for tags 'patch manager'.


Found 10 results

  1. Hello All- I was wondering how most of you are handling zero day patches in your environment and how you schedule and push deployments for some of these CVEs / KBs to the applicable devices outside of your normal patch schedule. I configured our environment to run on a test group of clients the week of Patch Tuesday and then run against the bulk production the week after that. This works great when most of the patches released are not exploited out in the wild. I know that I can push some action with Patch Manager, but is there a better way to schedule and apply this globally same day that works even if i my schedule does on the week of patch Tuesday. Thanks for the replies and suggestions
  2. Is anyone using Patch Manager to patch large client sites based on groups set by autojoin searches based on OU? I was thinking of setting up a script to populate an EDF that contained the workstation's default OU, then creating an autojoin search based on that EDF. Am I trying to reinvent the wheel or is there a better way to break up 1000+ agent sites by groups for patching?
  3. I decided we were going to update our patch policies to have a dropdown with all 24 hours available for patching, with a set patching window of 4 hours. I wanted to have every day available to select, as well as the end of the quarter. I also wanted to be able to toggle daytime patching with an EDF. Some quick math tells us that this would be 8*24*2 groups, or 384 groups, and 384 searches for your EDFs. This would be extremely tedious, and would absolutely cripple any Automate database. I also have EDFs at the computer and location level, and allow computer specific settings to overwrite location based settings. So these searches are particularly complex. So, how to accomplish this?

     To start with, I named all groups <Day> <Hour> Day<+/-> and nested each of them under a specific Patch Manager group, and each day under its own group:

         Custom Patch Manager > Fri > Fri 12 Day-
         Custom Patch Manager > Fri > Fri 12 Day+
         Custom Patch Manager > Fri > Fri 13 Day-
         etc.

     This is still a ton of work, so to generate those groups I used the following PowerShell scriptlet:

         #This should be 1 higher than the current SELECT MAX(GroupID) from mastergroups;
         $GroupID = 3033
         #Change these as needed for setting up your group names, they are referenced in the 3rd query.
         $Day = 'End of Quarter'
         $pm = ('-','+')
         #Adjust your loops as needed as well. I happened to have a need for a +/- in my group names here
         $pm | Foreach-Object {
             For ($hour = 0; $hour -lt 24; $hour++) {
                 #First statement uses the direct parent of whatever group you are creating, second statement has all parents in the chain for the FIND_IN_SET
         @"
         INSERT INTO MasterGroups (ParentID,Parents,NAME,Depth,fullname,Children,GroupType,`GUID`) (SELECT GroupID,CONVERT(CONCAT(Parents,GroupID,',') USING latin1), 'New Group', (SELECT `Depth` + 1 FROM `MasterGroups` WHERE `GroupId`=2552), CONVERT(CONCAT(Fullname,'.New Group') USING latin1),',',GroupType,UUID() FROM MasterGroups WHERE GroupID=2552);
         UPDATE MasterGroups SET Children=CONCAT(Children,'$($GroupID),') WHERE FIND_IN_SET(GroupID,'2382,1179,2384,2552');
         UPDATE MasterGroups SET NAME='$($Day) $($hour) Day$($_)', Permissions=0,Notes='',Template=0,GroupType=0,MaintenanceID=0,AutoJoinScript=0,MASTER=0,NetworkJoin=0,NetworkJoinOptions=0,ContactJoin=0,ContactJoinOptions=0,Priority=5,Control=0,ControlID=0,MaintWindowApplied=NOW(),LimitToParent=0 WHERE GroupID=$($GroupID);
         UPDATE mastergroups mg SET mg.fullname=f_GroupFullName(mg.GroupID) WHERE FIND_IN_SET(mg.groupid,'$($GroupID)');
         "@ | out-file -append -filepath ".\GeneratedSQL.txt"
                 $GroupID++
             }
         }

     You basically run this once for each day, using its specific parent group. You can see here my end of quarter stuff since it's the last thing I did. This generates the SQL needed to create the groups. Once the groups are created, you do the following:

         INSERT INTO patchgrouppolicies
         SELECT GroupId, `Name` AS GroupName, NULL AS Priority, 1 AS Membership,
                -1 AS InstallPolicy, -1 AS SoftwarePolicy, -1 AS RebootPolicy,
                -1 AS ComputerLevelOverride
         FROM mastergroups
         WHERE parentid IN (2552);

     This links the groups to the patch manager. At this point we need to create actual update policies that match the settings you want:

         INSERT INTO installsoftwarepolicies
         SELECT NULL AS Id, `Name`, 5 AS UpdateMode, 7 AS `Day`,
                TRIM(RIGHT(SUBSTRING_INDEX(`Name`,' ',4),2)) AS StartTime,
                14 AS Duration, 1 AS CustomAction, 1 AS Dates, 1170 AS MonthlyOccurrence,
                0 AS LastDay, 16 AS Occurrence, 1 AS CustomDays,
                IF(`Name` LIKE '%+',68,64) AS `Options`,
                0 AS Uptime, 0 AS CVSS, 0 AS PromptInterval, 0 AS RebootDeadline,
                '' AS SoftwareUpdateMessage, 0 AS IsThirdParty,
                '' AS BeforeScript, '' AS AfterScript, 0 AS DaysAfter, 0 AS ServiceBranch,
                -1 AS FeatureUpdatesDelay, -1 AS QualityUpdatesDelay
         FROM mastergroups
         WHERE parentid = 2552;

     This accomplishes that. For the vast majority of groups the

         TRIM(RIGHT(SUBSTRING_INDEX(`Name`,' ',4),2)) AS StartTime,

     needs to be

         TRIM(RIGHT(SUBSTRING_INDEX(`Name`,' ',2),2)) AS StartTime,

     This is just based on the number of spaces in your group name. End of Quarter 22 has 3 spaces before the time, whereas Fri 22 has only 1, so you're taking the 4th, or the second value respectively. Once this is done you need to link your newly created policies back to the groups using this query, and everything is set up and ready to go.

         UPDATE patchgrouppolicies
         JOIN installsoftwarepolicies ON patchgrouppolicies.`GroupName`=installsoftwarepolicies.`Name`
         SET InstallPolicy = installsoftwarepolicies.`ID`;

     Now we have to tackle the problem of not putting a million searches in your database. This is done with the following script: You'll replace the groups in step 3 with your own groupIDs that you created. The 6th step in this script is as follows:

         INSERT INTO subgroups (computerid,groupid) VALUES (%computerid%,(
           SELECT groupid FROM mastergroups WHERE `name` =(
             SELECT CONCAT(
               IF(IFNULL(efd3.Value,'Default')='Default',IF(IFNULL(efd4.Value,'Fri')='Default','Fri',IFNULL(efd4.Value,'Fri')),efd3.Value),
               ' ',
               IF(IFNULL(efd1.Value,0)=0,IF(IFNULL(efd2.Value,0)=0,1,IF(efd2.Value='Default',1,efd2.Value)),IF(efd1.Value='Default',IF(IFNULL(efd2.Value,0)=0,1,IF(efd2.Value='Default',1,efd2.Value)),efd1.Value)),
               ' ',
               IF(IFNULL(efd5.Value,0)=0,IF(IFNULL(efd6.Value,0)=0,'Day+','Day-'),IF(efd5.Value=1,'Day-','Day+'))) AS PatchGroup
             FROM computers
             LEFT JOIN extrafielddata AS efd1 ON computers.computerid=efd1.`ID` AND efd1.`ExtraFieldID`=959
             LEFT JOIN extrafielddata AS efd2 ON computers.locationid=efd2.`ID` AND efd2.`ExtraFieldID`=960
             LEFT JOIN extrafielddata AS efd3 ON computers.computerid=efd3.`ID` AND efd3.`ExtraFieldID`=898
             LEFT JOIN extrafielddata AS efd4 ON computers.locationid=efd4.`ID` AND efd4.`ExtraFieldID`=899
             LEFT JOIN extrafielddata AS efd5 ON computers.computerid=efd5.`ID` AND efd5.`ExtraFieldID`=890
             LEFT JOIN extrafielddata AS efd6 ON computers.locationid=efd6.`ID` AND efd6.`ExtraFieldID`=892
             WHERE computers.computerid = %computerid%)))

     You'll have to use your extrafield IDs. My evenly numbered ones are my location EDFs and my odd numbered ones are my computer based EDFs. At this point you now have a flexible patch management system that lets you define a starting hour and day, as well as daytime or not for any location or computer, that doesn't rely on the built-in search system. You just schedule your script to run daily; spread your runs out over a period of time that makes sense for your agent count.
  4. So, I am trying to find an alternative to Patch Manager that does not rely on Windows Update for inventory, but can be managed by Automate. I know it sounds weird but we have a client that double checks our patch cycles with GFI and recently, for the second time, found a bug in Windows Update Agent regarding the October Security Rollups. GFI showed the patch ready and needed and LabTech doesn't. After troubleshooting we found an issue with Windows Update on his servers and because of that he wants a new solution used or for us to patch all 72 manually. What options are out there? I know this sounds insane (at least to me) but it is an honest ask...
  5. I am having a rash of workstations in the patch manager that are not updating at the Next Microsoft Window date is set in the past. Workstations show with no available jobs, but are members of the proper default workstation patching group.
  6. Hi, I'm trying to work out how best to manage different server patch time windows for customers with the new Patch Manager. For example, we have Customer A to be patched each Monday 1 - 3 AM, Customer B to be patched each Tuesday 1 - 3 AM and so on. I understand that we create a Microsoft Update policy for each window and assign these to groups. My question is how best to manage adding the customers (or locations) to the relevant groups? The best we've come up with so far is to add a custom location field that would be a dropdown of each window and have an auto-join search based on that value. However, that seems overkill to me. Surely there's a native way to do this with the Patch Manager? I hope that makes sense. Thanks, D.
  7. Hey all, Just been speaking to CW about how to get Automate's Patch Manager to install the Creators Update and their response was "you can't because you have to accept the EULA". Has anyone come up with a way to do this via Automate? Thanks Chris
  8. I am the lucky recipient of a LabTech system that has been passed around for a few years now and I am about the 4 or 5th admin. Each admin has put their spin on how things should be set up and it is to the point now where the Patch Manager is pretty much a mess. I am wondering if there is an easy way to wipe it out and start over? We are current with our LT updates and it is just that the existing policies are all over the place. I would like to see a clean fresh start to help make some sense of this. Thanks for any assistance.
  9. We're working on moving from Ignite-driven patching to the new Patch Manager in LT11, and I'm trying to figure out what determines when patches actually start installing once the patch window begins. We have a few Windows VMs (Server 2k8R2, 2k12R2, 2k16, and Windows 10) set up and while our Server 2012 R2 VM began patching immediately (evidenced by TiWorker.exe sitting at the top of the process list sorted by CPU utilization), the others started sometime after I left the office for the day and as I've been monitoring them today, I haven't observed the process start yet. Should I be tightening up the patch windows to only an hour or so until we're done testing so I can force patches to start installing during business hours when I'm there to monitor?
  10. Hi all, We are pushing out Meltdown and Spectre patches and we are trying to find in the patch manager the Meltdown patch for Windows 10 v1507 (build 10.0.10240). Online it says we should be looking for rollups KB4056893 or KB4075199. We are on LT11 with the old patch manager but they are not appearing - and was wondering if anyone had a similar experience? https://support.microsoft.com/kn-in/help/4056893/windows-10-update-kb4056893 Thanks in advance PCTS