Summary

What you need before using Patch Success.

Prerequisites

To configure Patch Success, you will need the following:

  • An appropriate Tachyon License to permit using Patch Success and Tachyon connector inventory instructions. This is normally included in a standard Tachyon license.
  • A domain security group representing Patch Administrators who will use the Tachyon Patch Success application. 
    • The steps below describe how a Tachyon user will be created for this group, and a role which grants access to the Patch Success pages and instructions.
    • In our examples this role is called 1E Patch Success.
  • domain user account for use by the Tachyon connector to keep track of the inventory instructions. This account will be configured as a Tachyon user. 
    • The steps below describe how a Tachyon user will be created for this account and used in the configuration of the connector.
    • In our examples this user is ACME\SLATACHYON.
  • Your Tachyon user will need the following role permissions in addition to the ones listed above:
    • Connector Administrators
    • Permissions Administrators role in order to create the above Tachyon user.
    • Instruction Set Admininstrators role to upload the Tachyon Inventory Product Pack instructions and assign them to a new instruction set.
    • Inventory Administrators role to populate an inventory repository.
    • Log Viewers role to aid troubleshooting (optional).

This process assumes you have already verified your Tachyon installation and have Tachyon Agents deployed on some Windows devices.

On this page:

Configuring connectors and schedules

You must create the following connectors and schedules:

  • Tachyon connector and its Sync Data schedule - to import inventory and patch data into an inventory repository - this is normally the Default inventory repository
  • Configuration Manager or WSUS connector and its Sync Data schedule - to import meta-data for patches into the inventory repository
  • Gernerate Report - ETL schedule - for reprocessing of Cube data in a BI repository - this is normally the Default BI repository

Patch data from all inventory repositories is reprocessed by an ETL (extract, transform, load) and stored in the BI cube to support dynamically updating interactive dashboards. The Patch Success application allows its users to view one inventory repository at any time.

Adding the Tachyon connector

You must add the Tachyon Connector in order to support Tachyon Powered Inventory which uses the 1E Inventory instructions. 

Please refer to Tachyon connector for detailed configuration steps. In summary these steps do the following:

  • Creates a user. In our example this is ACME\SLATACHYON.
  • Configures the Tachyon connector. A by-product of this step means Management Group synchronization is enabled to support the use of Management groups.
  • Creates the 1E Inventory instruction set and role of the same name.

Adding a connector for Patch meta-data

Patch Success needs to get meta-data for patches. Ensure you add a connetor for whichever one of the following sources that you use to approve patches:

  • Configuration Manager (SCCM) if it is configured to manage WSUS
  • Windows Server Update Services (WSUS)

If you are using Configuration Manager then you must add a System Center Configuration Manager connector.

If you are using WSUS then you must add a Windows Server Update Services connector.

Creating schedules for Patch processing

After creating the connectors, you need to add a schedule for each of their actions to execute in the following order: 


ActionFrequencyNotes
1

Sync Data - Configuration Manager 

or Sync Data - WSUS

Daily

Pick a suitable time when there is the least amount of actiivity.

If using the Configuration Manager sync be aware it may take a long time to run because as well as patch meta-data, it is also importing a lot of inventory, and usage data for processes and users.

2

Sync Data - Tachyon

WeeklyThe Tachyon connector must be run weekly. Pick a suitable Day of week and Time when there is the least amount of activity
3Generate Report - ETLDailyEnsure this starts at least 10 minutes after the Tachyon schedule starts. This report reprocesses the Cube data. 

Steps for adding a schedule can be found on the Settings→Configuration→Schedules page

For the Sync Data actions, the actual name of the action depends on the connector name. Also ensure you select the correct inventory repository, the default is Default Inventory.

Creating the 1E Patch Success instruction set and role

Creating the 1E Patch Success instruction set

The steps below create an instruction set and a custom role, both called 1E Patch Success. Users who need to use Patch Success must be assigned to this custom role. The role allows the following:

  • Access to the Patch Sucess apliaction and all its pages
  • Visibility and use of one or more of Deploy, Explore and Check Status buttons in the Patch Sucess pages, according to the permissions assigned to the role.

The 1E Patch Success intruction set will contain the 3 instructions listed in the following table: 

Instruction file nameInstruction text (ReadablePayload)DescriptionVersion
1E-PatchSuccess-DeployDeploy specified by <patchKB> article numbers patches to targeted device.

Action to deploy a specific patch or patches to targeted devices.

See Patch.Deploy in the Tachyon SDK.

The 1E Patch Success role requires Actioner permissions to see the Deploy button.

1.1
1E-PatchSuccess-ExploreReturns patch status for <patchKB> KB number(s).

Question returns patch status for given KB article numbers.

See Patch.List in the Tachyon SDK.

The 1E Patch Success role requires Questioner permissions to see the Check Status button.

1.0
1E-PatchSuccess-RefreshReturns patch status of given <patchKB> KB number(s) for PatchSuccess consumption.

Question returns patch status for all known patches on a device. Information is based on offline cache.

When run, its response data is offloaded direct to the SLA-BI Cube.

See Patch.List in the Tachyon SDK.

The 1E Patch Success role requires Questioner permissions to see the Update status button.

1.0

The 3 instructions are part of the Patch Success Product Pack which is file named 1E-PatchSuccess.zip downloaded as part of the Tachyon Product Pack zip file from the 1E support portal page (https://1eportal.force.com).

First upload the instructions:

  1. Logon to the Tachyon Portal using a Tachyon user account with the Permissions Administrators and Instructions Administrators roles.
  2. Open the Settings application.
  3. Navigate to the Settings→Instructions→Instruction sets page.
  4. Click on the Upload button.
  5. In the Open dialog navigate to the location of the 1E-PatchSuccess.zip file.
  6. Select 1E-PatchSuccess.zip and click Open.

All the instructions contained in the zip file will initially be added to the default Unassigned instruction set. Instructions in the Unassigned instruction set cannot be used, so you will need to add the instructions to a new instruction set:

  1. Select the 3 instructions you want to add to the new set, by clicking the checkbox at the start of each instruction row in the list.
  2. Click the Add new set button in the button panel to the right of the page.
  3. In the Add new instruction set popup subsequently displayed, and type:
    1. 1E Patch Success as the name.
    2. Patch Success as the description.
  4. Ensure that the Include 3 selected instructions checkbox is checked.
  5. Click the Add button to add the new instruction set, with the selected instructions.


Creating the 1E Patch Success role

To create a new user:

  1. Navigate to the Settings→Permissions→Users page.
  2. Click the Add button to start the add user process.
    1. In the Add user popup susequently displayed in the Select user field, type the name of an Active Directory account or security group.
    2. Select a name and click the Add button.
  3. The new user will be added to the Users table.

To create the custom role:

  1. Navigate to the Settings→Permissions→Roles page.
  2. Click the Add button to start the add role process.
    1. In the Add role popup subsequently displayed set the name as 1E Patch Success
    2. Click the Add button.
  3. The new role will be added to the Roles table. Locate its entry and click on the link in the Name column for that row.
  4. Select the Members tab and click the Add button.
    1. In the Add role member popup subsequently displayed, search for the Tachyon user that you added in the earlier steps.
    2. Click the Add button.
  5. Select the Management groups tab and click the Add button.
    1. In the Add management group popup subsequently displayed, scroll down the list and select All Devices.
    2. Click the Add button. 

      Only select All Devices. This is the same as the Global management group as seen in Patch Success Title and filter bars.

  6. Select the Permissions tab and click the Add button.
    1. In the Add permssion popup subsequently displayed, scroll down the Type list and select Repository.patch
    2. Select the Read checkbox.
    3. Click the Add button.
    4. In the Add permssion popup subsequently displayed, scroll down the Type list and select Instruction set.
    5. Scroll down the Name list and select the 1E Patch Success instruction set.
    6. Select the Actioner, Approver and Questioner checkboxes from the list of permissions (see note below).
    7. Click the Add button.

      If you do not wish users to deploy patches using Tachyon, then do not add the Actioner and Approver permissions to the role. This will prevent the Deploy button from being enabled.

      If you do not wish users to use the Explore and Check Status buttons, then do not add the Questioner permission to the role.

      Users cannot approve their own actions, but if you want diffent users or security groups to have Actioner and Approver permissions then you need to create a separate role for Approvers, for example called 1E Patch Sucess Approvers. Or you may use an existing approvers role and assign the 1E Patch Success instruction set to it. Ensure the selected role has the All Devices management group assigned to it.


To verify:

  1. Logon to the Tachyon Portal using a Tachyon user account with the new 1E Patch Success role.
  2. Navigate to the  Patch Success→Overview page.

Tachyon License details

Ensure your Tachyon License file has the Inventory and PatchSuccess consumers enabled and includes the patterns for 1E-Inventory-* and 1E-PatchSuccess-*

You can view your Tachyon license details using either of the following methods:

  • in the Tachyon Portal, navigate to Settings→Configuration→License information, look in the Products section and expand Features and instructions items
  • in the license file Tachyon.LIC found in C:\ProgramData\1E\Licensing

If either pattern does not exist, then the corresponding instructions will not run. You may have an old version of Tachyon, or your license needs to be updated.

   <Features>
      <Feature name="TachyonPlatform">
        <Consumer name="Inventory" enable="on"> </Consumer>
        <Instructions signersha="F08386A5318A8187D79B0A58253C65CB4E442570" pattern="1E-Inventory-*"> </Instructions>
        ...
      </Feature>
      ...
      ...
      <Feature name="PatchSuccess">
        <Consumer name="PatchSuccess" enable="on"> </Consumer>
        <Instructions signersha="F08386A5318A8187D79B0A58253C65CB4E442570" pattern="1E-PatchSuccess-*"> </Instructions>
        ...
      </Feature>
      ...
    </Features>

 

Tachyon Platform zip

The TachyonPlatform zip file can be downloaded from the 1E support portal page (https://1eportal.force.com). Extracting the zip will create a folder structure containing the following, where highlighted files are required by Tachyon Setup.

  • Licenses.txt
  • Tachyon Release Information.html
  • Tachyon.Setup.exe
  • Installers\1ECatalog.msi
  • Installers\SLA.BI.Installer.msi
  • Installers\SLA.Platform.Installer.msi
  • Installers\TachyonCertificateManager.exe
  • Installers\TachyonServer.msi
  • Installers\TachyonToolkit.msi
  • Installers\Apps\Explorer\Explorer.zip
  • Installers\Apps\Explorer\metadata.json
  • Installers\Apps\GuaranteedState\GuaranteedState.zip
  • Installers\Apps\GuaranteedState\metadata.json
  • Installers\Apps\PatchSuccess\metadata.json
  • Installers\Apps\PatchSuccess\PatchSuccess.zip
  • Installers\Apps\Settings\metadata.json
  • Installers\Apps\Settings\Platform.zip
  • PolicyTool\delete_all.bat
  • PolicyTool\Export_All.bat
  • PolicyTool\import_all.bat
  • PolicyTool\log4net.dll
  • PolicyTool\Newtonsoft.Json.dll
  • PolicyTool\Tachyon.Policy.exe
  • PolicyTool\Tachyon.Policy.exe.config
  • PolicyTool\Tachyon.Policy.exe.RoslynCA.json
  • PolicyTool\Tachyon.SDK.Consumer.dll
  • PolicyTool\Fragments\1E-GuaranteedState-*.xml
  • PolicyTool\Policies\Policy-Windows Client Health.xml
  • PolicyTool\Rules\Rule-*.xml
  • PolicyTool\TriggerTemplates\TriggerTemplate-*.xml