ltuser13

Patch Staging in LT11


Wanted to submit what I am currently doing by using staging:

 

I enabled staging. Originally, in previous versions, we were only updating security/critical Windows updates, and leaving the Updates/Feature Packs/Drivers, etc.

 

We found out that at least one patch within the Updates category is useful for us (one of the KBs that fixes the SVCHOST.exe issue taking up a lot of memory, which is linked to Windows Updates service). I'm sure there are others that are good to have, but our policy was that we don't want to break things by installing updates that are not security or critical-related.

 

So, now that staging is available, we have done the following:

 

* In new patch management create two Approval Policies: *Staging, Production

** Staging is the starred policy

* Only Automatic Approve patches set here are everything but security and critical patches (drivers, definition updates, feature packs, etc). Staging is enabled with Test and Pilot duration specified.

* Production policy has security and critical updates configured

 

Idea behind this is that all computers will get security and critical patches immediately, while non-critical patches are staged across client-base.

 

Next, I chose how I will apply staging and piloting:

* Workstations

** I choose a percentage of workstations for test stage, and a percentage to pilot stage sorted by CLIENT (we have about 1000 workstations)

** I choose 20% in test, and 20% in pilot = 40% total in Staging Type, while 60% in Production Type

* Servers

** I choose a percentage for test then pilot sorted by ALL CLIENTS (since we have a lot less servers, ~100)

** I choose same percentages as above

 

Idea behind this is that each client has different applications the patches can affect, and if it does cause issues, we can address a few computers per client instead of a bunch. For servers, I could have done the same thing, but can remember the reasoning behind this now. And I chose the workstations and servers at random (based on SQL random).

Now, I verified with LabTech that the only way to set staging is at the per-computer level on the Patching tile. You would have to change it for EACH computer. As you can see, I was not going to do that. So lastly, you can use your SQL as your friend to do the math and toggling of stage type based on the above!

 

WORKSTATION SCRIPT

 

 

 

What do you guys think? I've found that the computerpatchingstats table manages the pilot/test/production setting. It appears to be working:
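The split described in this post (20% test and 20% pilot, drawn per client for workstations and across all clients for servers), as an added example that is not part of the original post and is not LabTech code. The inventory, client names and function names are constructed, rounding down is an assumption, and nothing here touches the LabTech database; it only computes the assignment and reports clients that end up with no staged machine.

```python
import random
from collections import Counter, defaultdict

TEST_PCT, PILOT_PCT = 20, 20  # percentages given in the post

# Constructed inventory: (computer name, client)
WORKSTATIONS = ([(f"A-WS{i:02d}", "ClientA") for i in range(10)]
                + [(f"B-WS{i:02d}", "ClientB") for i in range(5)]
                + [(f"C-WS{i:02d}", "ClientC") for i in range(3)])
SERVERS = ([(f"A-SRV{i}", "ClientA") for i in range(6)]
           + [(f"B-SRV{i}", "ClientB") for i in range(3)]
           + [("C-SRV0", "ClientC")])

def assign_stages(computers, per_client, seed=None):
    """Return {computer: 'test' | 'pilot' | 'production'}.

    per_client=True draws the percentages inside each client (workstations);
    per_client=False draws them once over the whole list (servers).
    """
    rng = random.Random(seed)  # a fixed seed makes the draw repeatable
    groups = defaultdict(list)
    for name, client in computers:
        groups[client if per_client else "ALL"].append(name)
    stages = {}
    for key in sorted(groups):
        names = sorted(groups[key])
        rng.shuffle(names)
        # Integer arithmetic rounds down (assumption): a 3-machine client gets 0
        n_test = len(names) * TEST_PCT // 100
        n_pilot = len(names) * PILOT_PCT // 100
        for i, name in enumerate(names):
            if i < n_test:
                stages[name] = "test"
            elif i < n_test + n_pilot:
                stages[name] = "pilot"
            else:
                stages[name] = "production"
    return stages

def stage_counts(stages):
    return dict(Counter(stages.values()))

def uncovered_clients(computers, stages):
    """Clients with no machine in test or pilot, so staging never exercises them."""
    staged = {client for name, client in computers if stages[name] != "production"}
    return sorted({client for _, client in computers} - staged)

if __name__ == "__main__":
    ws = assign_stages(WORKSTATIONS, per_client=True, seed=1)
    print(stage_counts(ws), "uncovered:", uncovered_clients(WORKSTATIONS, ws))
    print(stage_counts(assign_stages(SERVERS, per_client=False, seed=1)))
```

With rounding down, any client with fewer than five workstations gets no test or pilot machine, which is worth checking before relying on staging to catch a bad patch at that client.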

 


You're lucky that patching with the new patch manager is even working. LabTech still cannot get mine to work yet. Have you confirmed that PCs and servers are being rebooted after the patches are installed?


Reboots not working correctly, and I do have a ticket open with LT because of this. All else seems to be working so far (as far as the staging is going).


None of my patching is working in LabTech 11 either. Not even a little bit. It just never tries to execute.


Quick update on servers not rebooting for new patch manager: confirmed this is a known issue today. Does not affect workstations, AFAIK.

Per support, caused by the following Remote Monitor running on all servers: Server Patch Reboot Alert Monitor.

I attempted to mass delete from DB (Agents table), but they came back. Do not seem to be a part of Ignite Dashboard remote monitors.

 

Support suggested turning their alert template to Do Nothing.

 

Here is SQL command to update all of them to do nothing if you have them:

 

UPDATE agents SET alertaction = 1 WHERE `name` LIKE '%server patch reboot%'

 

Testing to see if this helps.


I also have had a ticket in with LabTech for at least 2 months for this problem and it's still not resolved. I was part of the initial LT11 pilot (we have a standalone LT server, not hosted) and I'm currently on what they are calling their production version.

My workstations have been set to update and reboot every night with the option to run a before and after script sending me an e-mail notification both before and after, and I have not received one email. If I run a custom search it clearly shows that the uptime on my workstations does not reflect they are being rebooted when/if updates are applied. I also tested this by spinning up 2 virtual W7 machines with zero patches and they have yet to get a single update or reboot.

If you have the resources, you may want to set up a test to make sure your agents are getting Windows updates. You cannot go by the legacy reporting because when they developed the new patch manager they swapped the flags (1,0) and it has skewed the reports, showing PCs that were once at 99% are now only 2% patched, and the compliance scores are wrong because it is actually adding non-critical patches into its algorithm, boosting the scores higher than what they should be, and the new report manager still does not work.

Don't get me wrong, yours may be working, but if I were you I would spend a day spot checking PCs and servers, create custom searches for uptimes to see if they are being rebooted, and set up a couple of test PCs to see if, in fact, what you think is being patched and rebooted is really happening. That's how I uncovered that it was not working in our environment.

I am actively working with LT support and engineers to try and put Humpty back together again, but so far it's not looking so good.


Any chance you could upload the scripts so we can import please?

 

I am having a hard time working out the correct script functions for some of these lines.

Great idea what you have done!


Has anyone gotten patch Staging to work? Or even the new patch manager to work? I've opened several tickets with LabTech and they've been anything but helpful.

 

I wish I could go back to 10.5. LT11 is hands-down the worst product update I've ever seen.


We too are affected by the lack of reboots. Tracing it down, ours is doing an Ask then Deny instead of Now. Our default template for reboots is Ask then Allow. Just applied Patch 4 and same behavior. Most patches are applying except 3012973 (Windows 10 1607). We switched from Kaseya to LT and had 94% compliance, now we are at 100% (between 99.5-100). To fix the reboot issue, LT Support said to go to the all agents group and apply template Do Not Patch with a priority of 0. This didn't do anything for us.

 

For us, I created a search Computer.OS.IsRebootPending is true. I then created several sub searches and groups for servers, workstations, AD/HV, and Not AD/HV that are pending reboots. The different groups are for making mass reboots easier and not worrying about trying to reboot AD and HV at the same time as the others. I also created a script to reboot a workstation if a user is not logged in. This is working well for us but I'd love not to wake up to numerous workstations in the pending reboot group. I just thought of an obvious answer to that problem too, schedule a reboot script to run early AM on the group.


Sorry to necro this thread, but I just wanted to post the script I came up with to set 20% of computers (including workstations AND servers) to the pilot stage. It is a bit more concise than the previous examples given and should be more efficient to run as well since it avoids all the looping and therefore only randomly resorts the list a single time.
