Friday, March 14, 2008

Using TPM for patching Windows

TPM (and TPMfSW) provides the ability to patch Windows computers through a couple different methods. In this blog, I will summarize the various methods.

There are 2 ways of doing Windows patching in TPM
1. Using the Deployment Engine
2. Using Scalable Distribution (SOA)

So the first thing is to determine the method you are using.

The Deployment Engine is better designed for a data center environment where the network is not a concern. This is because using the DE does not provide any bandwidth control or checkpoint restart. It does not use the depots for fan out distributions. It is a straight file copy. With the DE there are actually two methods that can be used. The first (and best) is to have the Windows Update Agents (WUA) talk to an internal WSUS server. The second (would not recommend) is to have the WUA talk directly to Microsoft.

SOA is used for the distributed environment. If you have many computers to distribute to and there are targets on the other end of a slow link you will want to use this method. This requires that the TCA (Tivoli Common Agent) is installed on all target computers and that the SOA-SAP has been enabled. You will also require at least one depot server (CDS).

If you are using SOA, the TPM server will have to discover and download the patches directly from Microsoft (there is a proxy config you can set too).

Ok so now you have the method you want to use. How to implement it?

In order to use the DE method the following tasks need to be completed (I am going to assume that you are using the WSUS server method)
1. Install and Configure the WSUS server (approve and download desired patches)
2. Set the global variable WSUS server
After this the steps between DE and SOA are the same so I will list them after listing the SOA tasks

1. Configure the Windows Updates Discovery discovery configuration.
2. Execute the Windows Updates Discovery. This will populate the DCM with all patches available according to the filters you set (much like WSUS). Remember, this is only the definitions for the patches not the binaries required to install them.
3. Approve patches
4. Execute the MS_SOA_DownloadWindowsUpdates to download the files from Microsoft.

Common Steps
Now that the desired repository is setup you need to complete the following.
1. Install the WUA on all targets
2. create a patching group. Under the compliance tab, add a security compliance check called Operating System Patches and Updates.
3. Execute the Microsoft WUA Scan discovery configuration
4. In the Compliance tab, select Run -> Run Compliance Check. Once the task is complete, the Compliance tab will show if there are computers out of compliance.
5. Click on the number under the Compliant header (something like 0/1)
6. Select the desired patches and computers and press the Approve button.
7. Select the desired patches and computers and press the Run/Schedule button (Note: the Run button does not work for SOA distributions)
8. Once the distributions are complete, run the Microsoft WUA Scan again and then the Run Compliance Check.


Let me know if you have any comments/questions. Complaints > /dev/nul ;)

Thanks to Venkat for all his help!

Martin Carnegie
martin dot carnegie at gulfsoft dot com

No comments: