Before any security vulnerability detection on systems, the LANDesk Security Suite must be updated with security bulletins. These bulletins will be downloaded from a database hosted by LANDesk.

Unlike a traditional WSUS, EPM allows for managing patches from “standard” publishers.

Patch management interface showing standard publishers

Downloading Definitions

Creating Groups

We will create multiple groups to manage the approval of patches and pilot terminals.

In “Patch and Compliance” \ “Public Custom Groups”, we will create the following groups:
- _NewPatches => For new patches awaiting validation
- L1 => For technical recipe testing of patches on a small group of terminals
- L2 => For widespread deployment

Group management interface for patch compliance

Creating Scopes

We will create scopes that will be associated with the groups, consisting of:

L1_PilotTerminals
L2_Widespread

Scopes creation interface for patch management

Creating Rollout Projects

Rollout Projects

In “Rollout Projects”, we will initiate a new project

Rollout projects creation interface

The project will involve three key steps:
- Patch validation => _NewPatch (need validation)
- Technical recipe transition => Move Patch To L1
- Broaden the deployment of patches => Move Patch To L2

Step _NewPatch (Need Validation)

Create a new step
Rename it to _NewPatch (Need Validation)

Rollout project creation step

In Actions \ Tags, add a tag

Approval request interface

Patches will be moved to L1, provided they are validated.

Step Move Patch to L1

Create a new step.
Rename it to Move Patch To L1.
In Actions \ Autofix settings, change the autofix for the L1_PilotTerminals scope.

Autofix settings interface

In Actions \ Group membership,
- Add to the L1 group.
- Remove from the _NewPatch group.

Group membership settings

In Actions \ Tags, we will make the following changes:
- Add Tag_PatchL1.
- Remove Tag_WaitValidation.

Tag settings interface

In Exit criteria \ Minimum duration,
- Add 1 week

Exit criteria settings

Step Move Patch To L2

Create a new step
Rename it to Move Patch To L2
In Actions \ Autofix setting
- Add the autofix for the L2_Generalisation scope
- Remove the autofix for the L1_PilotTerminals scope

Autofix settings for L2

In Actions \ Group membership,
- Add to the L2 group
- Remove from the L1 group

Group membership settings for L2

In Actions \ Tags, we will add:
- Add Tag_PatchL2
- Remove Tag_PatchL1

Tag settings for L2

Downloading Signatures

Downloading

Select the “Download updates” button

Download updates button

Updates Tab

In Select update source site,
- Select “Europe”
In Definitions,
- At minimum, enable Microsoft vulnerabilities
In Definition grouping,
- Select “unassigned”

Updates tab settings

Click on “Definition download settings”,
- Apply the scan for critical and important patches (for example)

The scan does not apply the patch but simply identifies the devices where the patches are not installed

Definition download settings

ATTENTION: If you want to download drivers, you must configure the HII LANDesk first (it allows configuring the location of the drivers)

Patch Location Tab

In this tab, indicate the UNC and HTTP paths where the patches will be copied
Enable automatic patch cleaning

Patch location settings

Filter Definition Tab

Create a new filter
Under the Name tab,
- Indicate a name for this filter

Filter definition settings

Under the OS tab,
- Select the OS you want to manage

OS selection for filter

Under the Products tab,
- Select the applications you want to manage

Products selection for filter

Under the Severity tab,
- Indicate at least Critical Patches

Severity selection for filter

Under the Groups tab,
- Add patches to the _NewPatch group

Groups selection for filter

Under the “Rollout Project” tab,
- Associate with the previously created Rollout Project

Rollout project association for filter

Scheduled Tasks

There will be 3 tasks for patching, so you can create a folder to “organize tasks”.

“Rollout Projects”

If you don’t want to schedule the project, simply click the “Process selected Item Now” button

Process selected item now button

Otherwise, schedule the project with the Create a task button

Create a task button

Downloading Patches

Click on “Schedule Download” to create a scheduled task that will download new definitions.
You can change the task name. Click “Ok”.

Schedule download interface

The task is scheduled to run daily.

Daily schedule settings

Data Collection

Go to “Create a task \ Collect historical data…”

Collect historical data interface

Click on “Create a task”.

Create a task button

Go to the task properties.

Task properties interface

The task is scheduled to run every night at 10:30 PM

Task schedule settings

How Patching Will Be Done

Downloading Patches

This is the role of the scheduled task Download patch content.

Once launched, the new “critical” and “important” patches will be copied to _NewPatch.

New patches group interface

Patch Approval

During the execution of:

The scheduled task “Rollout project task”
Or with the button “Process selected Item Now”

The new patches will be in the “rollout project” awaiting validation.

Rollout project with new patches

Installation on L1 (Pilot) Group

Once the patches are validated, during the execution of:

The scheduled task “Rollout project task”
Or with the button “Process selected Item Now”

The patches will move to the L1 group.

Installation on L2 Group

Once the one-week period has passed, during the execution of:

The scheduled task “Rollout project task”
Or with the button “Process selected Item Now”

The patches will move to the L2 group.

Categories: EPM

Tags: creating groupscreating scopes.EPMLANDESKpatch approvalpatch compliancePatch Managementpilot terminalsrollout projectssecurity bulletinssecurity suiteWSUS