These are the questions asked during Patch Management Training
FAQs

Q: Can Endpoint Central limit the storage space used for downloading patches?
A: You can configure Patch Cleanup Settings, which will automatically remove superseded/unused patches from the patch repository.

Q: If Microsoft "pulls" a bad patch, in the new distributed model, how can Endpoint Central remove it?
A: It is recommended to use the "Test and Approve" feature, which can test the patches on lab machines and then approve them automatically before deployment. We also have a patch removal/rollback option, which can be used to handle these situations.

Q: Can I schedule a reboot for a specific time after patches are installed? For servers as well as desktops?
A: We do not have an option to schedule the reboot; however, you can customize the deployment to a specific time interval and configure a reboot to meet your requirement.

Q: Is there a way to be alerted when zero-day patches become available to download, so we can ensure those get pushed instead of having to wait for the scheduled policy?
A: You can create a separate "Deployment Policy" for such requirements and get them deployed automatically.

Q: How often should the patch scan be run? Is there a manual setting?
A: It depends on the number of computers. Usually in an enterprise, it is done at least once a week using an Automated Patch Deployment (APD) task.

Q: Does the computer need to be logged in with an admin account for the patches to be deployed, or can it be a regular user account?
A: Managed computers can use a regular user account. Since the agent runs under the system account, it has the privilege to install the patches.

Q: How do I specify languages for patches?
A: The product will automatically detect the language based on the operating system.

Q: What will happen when a patch is installing and the user accidentally turns off the computer?
A: The product will retry installing the patch during the subsequent deployment window, and the installation status will be updated.

Q: I didn't catch the part about patch approval. Is there a way to automatically approve patches, or do you have to approve each patch manually?
A: This is about testing the patches before deployment. You can choose to approve the patches automatically or manually. We also offer the ability to test the patches before approving them automatically: the tested patches can be approved automatically after a specified number of days if no failures are found. Alternatively, you can manually approve them based on the result.

Q: The patch management solution that we are using currently tells us what we need to download, and then we manually download the patches. After the patches are deployed we can remove the downloaded patches which we no longer need, but this is done manually. How does Endpoint Central handle this requirement?
A: Endpoint Central will allow you to automate the complete process. You can create an APD task, which will automatically scan computers, detect missing patches, automatically download the required patches and deploy them to the target computers. You can configure "Patch Cleanup Settings" to automatically delete the unwanted patches.

Q: Can you limit patches to just laptops or desktops?
A: Yes, you can. You can target machines based on system type, such as laptops and desktops. You can also create a custom group with system type as the criteria.

Q: Is it possible to split the scan and download from the patch deployment?
A: You can create separate APD tasks for scanning and downloading the patches. You will find four different options: scan, download, draft and deploy. You can choose any of them based on your requirement.

Q: When there are patches in "yet to apply" status, is there a way to get notified about the patches after deployment/failure?
A: Yes. You can configure notification settings for the APD task, which can send you the status report multiple times based on the different stages, including scanning, downloading and deployment of patches.

Q: When you initiate patch scanning, does it start scanning all the computers at the same time, or does it scan them incrementally?
A: Scanning will be initiated incrementally in order to avoid bandwidth bottlenecks.

Q: Can we make a single store for all Mac patches?
A: Endpoint Central maintains a single patch store for all the patches, including Windows, Mac, Linux and third-party patches. You can customize it from Patch Mgmt -> Downloaded Patches -> Settings -> Download Settings.

Q: Is it possible to schedule the patches to be installed, then the computer rebooted, and then shut down after the reboot?
A: A Deployment Policy can be used to schedule the patch and the reboot/shutdown. However, if you want to shut down after the reboot, you can use the remote shutdown/reboot tool to perform this operation.

Q: Before I start creating a configuration for patching, should I be running a Vulnerability Database update? Once I update it, should I click "Sync Now", or should I run a "Scan Systems" and then sync?
A: The patch database will be synchronized automatically as per the built-in scheduler (Patch Mgmt -> Patch Database Settings -> Enable Schedule). You can verify the latest sync time from Patch Mgmt -> Update Vulnerability DB -> Last updated time. However, you can sync it manually using the "Sync Now" option.

Q: Right now we use WSUS for MS patches. What is the best way to switch over to Endpoint Central?
A: You can disable auto-updates from WSUS, install the Endpoint Central agent on the computers to be managed, scan the computers and start deploying the patches.

Q: I need to deploy the newest Mozilla updates to certain computers but exclude some. How do I do this?
A: You can create a custom group with the computers which you want to exclude. Decline the application from Patch Mgmt -> Decline Patch -> Decline Patch for Group -> specify the application.

Q: How would I automatically download and deploy the latest Flash updates as they are released?
A: You should configure an "Automated Patch Deployment Task" and ensure that the schedule runs every day to keep your computers up to date.

Q: How do I ensure that individual computers do not download patches from the internet? I do not want any third-party application in our organization to take updates from the internet.
A: You can see the "Installed Time" against a patch if it was installed using Endpoint Central. If you do not find the "Installed Time", then it could have been patched using automatic updates. In such cases, you will have to disable auto-updates from Configurations -> Script Repository -> Templates tab -> search for AutomaticUpdates.exe -> add to repository. Create a configuration, select the target computers and deploy it.

Q: Will there be a feature to pull local logs of failed deployments from the Endpoint Central site?
A: Yes, you can pull local agent logs from remote computers and upload them to support for analysis from Support -> Create Support File.

Q: Is there the ability to create a test group of several computers and give them patches before they are made available to all the computers in the company?
A: You can create a custom group and test the patches before deploying them to all computers in the company. The ability to "Test and deploy" patches will be available at the end of this quarter.

Q: How do I set up automatic deployment of JRE to the latest release? It seems that computers that have JRE 1.7 are not flagged to receive JRE 1.8 automatically.
A: A JRE update from 1.7 to 1.8 is considered an upgrade and not an update, which means both versions can co-exist. You can use software deployment to install JRE 1.8 and uninstall JRE 1.7.

Q: Is there a way to configure the lists of computers, etc., to permanently display more than 25 at a time?
A: You can customize the number of computers displayed. The changes you make will persist only for that technician and that view.

Q: If I want to schedule patches to run in the next 20 minutes, is there a way to force the Endpoint Central agent on client machines to talk to the server, thus getting that task quicker than the 90 minute policy refresh? (Example - McAfee anti-virus has a feature called "wake up agent" that tells the agent to pull down fresh
A: You can achieve this by using the "deploy immediately" option whenever you deploy a patch configuration. This will wake up the target computer on demand to perform the task.

Q: When viewing the results of an "Automate Patch Deployment", is there a way to see the history of what patches were installed by previous runs of this task?
A: You can view the status of the "Automate Patch Deployment Task" from Patch Mgmt -> Automated Patch Deployment Tasks. You can also generate reports of these tasks and schedule them.

Q: Does "Service Packs" include the new Windows 10 "Builds"? In my environment, I have some Windows 10 machines on build 10240 and some on 10586. How can I update those machines on build 10240 to build 10568?
A: Yes, this can be achieved using software deployment. Refer to this article to upgrade Windows 10 and any later versions: https://www.manageengine.com/products/desktop-central/deploy-windows-10-how-to.html

Q: I do not see where I can push anti-virus definitions using Endpoint Central.
A: Yes, you can deploy definition updates using Endpoint Central from Patch Mgmt -> Automate Patch Deployment -> Schedule Anti-Virus Task.

Q: Java updates: is it possible to allow an update for compatibility with app X and preserve the legacy version for compatibility with app Y or app Z?
A: You can create a dynamic custom group and choose to decline the patches for the specific application, like JRE. By doing this, you can maintain multiple versions of the JRE in your network.

Q: I have the patches set to deploy automatically. How can I check the deployment, since it is not creating a configuration deployment?
A: Automated patch tasks are not regular configurations. You can view their status from "Automate Patch Deployment Task -> System View". You can also configure notification settings (Patch Mgmt -> Automate Patch Deployment -> Notification Settings) to receive email updates whenever there is any change in the status of the task.

Q: How do you make a separate policy that is specifically for server OSs and does not automatically restart the server?
A: This can be achieved by configuring the deployment policy and excluding servers from reboot: Patch Mgmt -> Deployment Policies -> Create Deployment Policy -> Deployment Window -> Reboot Policy -> Exclude Servers from Reboot.

Q: We currently use McAfee encryption on some of our devices. We are trying to figure out how to continue auto deployment after hours once everything is encrypted. Does Endpoint Central have a method of handling this?
A: This can be achieved by configuring the deployment to happen after the encryption time window. You can configure it from Patch Mgmt -> Deployment Policies -> Create Deployment Policy -> Deployment Window.

Q: I want to patch computers which are not live. How does "wake-up & deploy" work?
A: You can wake up the computers and deploy the patches by configuring Patch Mgmt -> Deployment Policies -> Create Deployment Policy -> Turn on computers before deployment.

Q: Under All Patches, I don't have a "Filter" option. Install Patch, Download Patches and Decline Patch are the only options shown; there is no "Mark As" option nor "Filter". How do I approve patches?
A: The "Mark As" option will be available only when you choose to approve patches manually: Patch Mgmt -> Settings -> Approval Settings -> Approve Patches -> Manually. If you have chosen to approve all patches automatically, all the patches will be marked as approved by default.

Q: How come I have not seen updates for Windows 10 or MS 2016?
A: Both Windows 10 and Microsoft Office 2016 are supported by Endpoint Central. You should ensure that your Patch Database has been successfully synchronized in the recent past. Verify it from Patch Mgmt -> Update Vulnerability DB -> Last update time.

Q: Can I create a report for systems that need patches older than 30 days?
A: You can create a report from Patch Mgmt -> All Patches -> Missing Patches tab -> Computer View and create a filter based on the "Release Date".

Q: What is the timeline for adding McAfee antivirus to the virus management section?
A: You can use the File Folder Operations configuration, Software Deployment or a custom script configuration to roll out the definition updates and engine upgrades. We are also looking into the possibility of including this in the Patch Management section.

Q: Can you install the Endpoint Central server in the cloud and have remote clients grab updates from that server to conserve bandwidth at the home office?
A: It is currently not available in the cloud. However, we are looking at a cloud-based solution.

Q: Is it possible to set a patch Deployment Policy schedule to run every 3rd Sunday of the month?
A: Yes. When you create an APD task, under the scheduler select the Monthly option and choose 3rd Sunday.

Q: Why are dynamic custom groups not always available?
A: Dynamic custom groups are evaluated on the client side during deployment, based on the criteria you have defined.

Q: In previous versions of Endpoint Central, when selecting target computers under "Define Target" to install software/patches, you were able to see a list of all computers and check-mark each device. Now it seems that if you select "Computers" you have to type each device's computer name. Is there a way to have the previous layout?
A: The new UI is developed based on usage. When you have a large number of computers, you can move them to a group or an OU and add that as the target.

Q: Can you disable Windows automatic updates?
A: Yes. Under Patch Mgmt -> Disable Automatic Updates, choose the templates and disable.

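The two questions about stopping endpoints from fetching updates outside the managed channel (the "Installed Time" check for patches that arrived via automatic updates, and disabling Windows automatic updates) both come down to the same Windows policy setting. The following PowerShell script is an added example and is not Endpoint Central's AutomaticUpdates.exe template or any script shipped with the product; it audits the documented Windows Update policy registry value (NoAutoUpdate under HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU) and, only when the $applyChange switch is set to $true, writes the disabling value. The function names and the $applyChange variable are this example's own choices.

```powershell
# Added example: audit (and optionally set) the Windows Update "NoAutoUpdate" policy
# so that patching is only delivered through the central, approved pipeline.
# Not part of Endpoint Central; assumes Windows and, for the write path, an elevated shell.

$auPolicyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU'

function Get-AutoUpdatePolicyState {
    # Read-only: reports whether the policy key exists and what it currently says.
    $noAutoUpdate = $null
    $auOptions    = $null
    if (Test-Path -Path $auPolicyKey) {
        $props        = Get-ItemProperty -Path $auPolicyKey
        $noAutoUpdate = $props.NoAutoUpdate   # 1 = automatic updates disabled by policy
        $auOptions    = $props.AUOptions      # 2 notify, 3 auto-download/notify, 4 auto-install, 5 local choice
    }
    [pscustomobject]@{
        ComputerName       = $env:COMPUTERNAME
        PolicyKeyExists    = (Test-Path -Path $auPolicyKey)
        NoAutoUpdate       = $noAutoUpdate
        AUOptions          = $auOptions
        AutoUpdateDisabled = ($noAutoUpdate -eq 1)
    }
}

function Disable-AutoUpdatePolicy {
    # Write path: creates the policy key if missing and sets NoAutoUpdate = 1 (DWORD).
    # Requires administrative rights; HKLM policy keys are not writable by standard users.
    if (-not (Test-Path -Path $auPolicyKey)) {
        New-Item -Path $auPolicyKey -Force | Out-Null
    }
    Set-ItemProperty -Path $auPolicyKey -Name 'NoAutoUpdate' -Value 1 -Type DWord
}

# Usage: audit first; change only when explicitly requested, so the script is safe
# to run as a report-only compliance check across a fleet.
$applyChange = $false

$before = Get-AutoUpdatePolicyState
$before | Format-List

if ($applyChange -and -not $before.AutoUpdateDisabled) {
    Disable-AutoUpdatePolicy
    Get-AutoUpdatePolicyState | Format-List
}
```

Run it as-is to get a report object per machine (AutoUpdateDisabled is the field to collect); set $applyChange to $true in an elevated session to enforce the setting. A value of NoAutoUpdate = 1 means the built-in Windows Update client will not download or install on its own, which is the condition under which every patch should then show an "Installed Time" in Endpoint Central.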
Q: If I want to scan computers for missing patches during the day to approve the patches for deployment overnight, how would I schedule that?
A: You might need to create two separate APD tasks, as below, to achieve this:
• Create the first task to just scan the computers and schedule this at 10 AM. This will complete by 12 noon and you will get the list of missing patches, which you can choose and approve.
• Create a second task scheduled to run at 3 PM (assuming that you would approve the patches by then). For this task, define a Deployment Policy with:
  o a Deployment Window with start and end times as required, say starting at 8 PM;
  o the option "Download Patches/Software during subsequent Refresh Cycle" selected.
The second task will start at 3 PM, scan the computers again and download the necessary patches to the agents. Assuming that all the target computers are up, this will complete and keep things ready for deployment by 6 PM. The deployment will begin at the scheduled deployment window, 8 PM.

Q: We currently have a large number of laptops which need to be updated. These laptops are rarely connected to the domain, and when they are it is via a VPN. How do we push patches to these laptops without impacting user experience or poking holes in our firewall?
A: When these computers connect to the network via VPN, the deployment will be initiated during the next refresh cycle (90 minutes).

Q: Endpoint Central now patches Linux?
A: Yes, Ubuntu flavors are supported. The update will be made available by next month for existing users.

Q: What is the average turnaround for patches to be updated by you? For instance, the latest Flash patch took until the next day to come out.
A: We usually support new patches within 24 hours.

Q: How do you select which categories of Windows updates are included? Specifically, we cannot find KB3102467 in our Endpoint Central database.
A: This is a feature pack, which is not supported in Patch Management. You can use Software Templates -> search for Microsoft .NET Framework 4.6.1, create a package and deploy it.

Q: How much disk space does a Distribution Server need to have to cache patches?
A: It depends on the number of systems and patches that are maintained, maybe up to 1 GB. It is recommended to configure patch cleanup settings to remove older patches automatically. This will also clean up the Distribution Server.

Q: If you do the cleanup and then add a newer machine that needs an older patch, what will happen?
A: It will automatically be downloaded and installed.

Q: How do I know which updates to run and the order to run them in?
A: Patch inter-dependencies and sequencing are automatically taken care of by Endpoint Central.

Q: In the architecture, what is the cache server? Is it the Distribution Server?
A: Yes, it is the Distribution Server.

Q: After the initial agent deployment, will patch management scan subnets for new machines that do not have the agent going forward?
A: No, the agent should be deployed prior to scanning. You can define a SoM Sync Policy to automatically identify new computers added to Active Directory and install agents on them.

Q: Can you deploy as administrator?
A: No, this is not possible.

Q: Can you send a process on how to disable the Windows 10 creep update for Windows 7 computers?
A: Under Configuration Templates, we have a template to disable the Windows 10 creep update (Disable Windows 10 Notification).

Q: Can one Distribution Server support multiple remote offices?
A: Yes, it is technically possible if all the remote offices use the same agent and if all the remote office computers can reach the Distribution Server.

Q: Is it possible to deploy patches to specific computers?
A: Yes. The ideal way to do this is to go to the All Systems View, select the computer and install all missing patches for that computer.

Q: Can Endpoint Central support updating the iTunes app on Mac OS?
A: No, this is not feasible, as the download URL for this update is not publicly available.

Q: If the Distribution Server is stopped, will the clients still be able to communicate with the main server?
A: Yes, the agents will contact the server to post the failure messages. But no deployment will happen.

Q: How can I host my Patch Repository on another computer?
A: Go to Patch Mgmt -> Settings -> Cleanup Settings -> Settings. Against Patch Repository Location, enter the new Patch Repository's location, for example \\machine_name\example_patch_repository.