Working with Patch Success

In this lab we will learn how to configure and use Patch Success.

Configuring Tachyon for Patch Success

This exercise will show you how to configure Tachyon to use Patch Success. We have already configured our connector to use Tachyon Powered Inventory. We have also already imported the Instruction Set 1E Inventory used by Tachyon Powered Inventory and created the Tachyon Role required and assigned it to the All Devices Management Group.

Create A Custom Role for Patch Success

We need to create a Patch Success user and role and assign to our All Devices Management Group. We also need to assign permissions to our Patch Success Instruction Set which we imported earlier.

1. Navigate to Settings – Permissions – Roles. Click on Add
2. In the Add Role dialog box Name field type in 1E Patch Success
3. Click Add. You will then see the Role in the listing of Roles
4. Click on 1E Patch Success
5. In the Role: 1E Patch Success page Permissions tab click on Add in the far right
6. In the Add Permissions dialog box Type field select Instruction Set. In the Name field choose Patch Success from the drop-down listing. Check the boxes for Actioner, Approver, and Questioner. Click Add
If you do not want to trigger a deployment of the patches via Patch Success, then do not add the Actioner and Approver permissions to the role. This will prevent the Deploy button from being enabled in the Patch Success Application.
7. Click Add again and select Repository:Patch in the type field. Select the box next to Read. Click Add
8. Click the Management Group tab. Click Add in the far right. Select All Devices. Click Add
9. Click the Members tab. Click Add in the far right. Start typing in Manager and select Manager1 from the list. Click Add
10. Navigate to Users and select Manager1 to see that the 1E Patch Success role has been added to that user
11. Also add the following roles to our Manager1 account to use for Patch Success
Connector Administrators
Inventory Administrators
Log Viewers
Permissions Administrators
12. Add the Patch Success role to the Tachyon Connector account
If the Patch Success role is not added to our Tachyon Connector account the cube data will not populate the Patch Success Overview page with the Device information. To check this after doing an ETL Sync. Look at the SLA-BI DB EventLog Table on the Tachyon server for the Patch Device Table message (you should see another number than 0 devices).

Add the Tachyon Server Computer Account to SCCM

13. From the Start menu type in Users and launch Edit Local Users and Groups
14. Click on Groups – Find ConfigMgr_DViewAccess group and double-click it
15. Click Add. Click Object Types and Check the box next to Computers. Click OK
16. Type in 1ETRNAP then click Check Names
17. Click Ok. Click Ok then close Lusrmgr

Create the SCCM Connector

This connector will pull our patch metadata into Patch Success

18. Navigate to Configuration – Connectors
19. Click on Add and select System Center Configuration Manager from the Connector Type dropdown
20. In the Repository type Inventory will be shown
21. In the Connector Name field type in SCCM
22. In the SCCM Database Server field type in 1ETRNCM
23. In the SCCM Database field type in CM_PS1
24. Delete any entries that are in the SCCM SQL Server User Name or Password fields
25. Check the box next to Use Windows Authentication
26. Check the box next to Run Consoliidation Reports
27. Click Add

Test the SCCM Connector

28. Select the SCCM Connector that we just created
29. Click the Test button on the right
30. Navigate to Monitoring – Process Log to see the results
31. Wait for it to be successful and then continue on with the exercises

Sync the Connectors Manually

In a production environment you will want to create schedules to run your syncs each week. The proper order is SCCM, Tachyon, then Generate Report – ETL. In our lab we will perform a manual sync of the connectors so that we can wait for them to finish and speed up the process

32. Navigate to Configuration – Connectors – Click the Execute button at the top
33. In the Execute Action box select Default Inventory in the Repository field
34. In the Action field choose Sync Data – SCCM. Click Execute
35. Navigate to Monitoring – Process Log and wait for everything to complete
36. Navigate to Configuration - Schedules
Notice the Tachyon Schedule in the Schedules list. Since we are using Tachyon Powered Inventory our Tachyon Sync schedule has been created for us by the system. This is gathering the responses from an instruction. The instruction runs each week (with a seven day duration) and adds the data daily.

Reprocess the Cube Data

We need to run our ETL Report manually. This will populate our BI dashboards.

37. From Settings – Configuration – Connectors. Click the Execute button at the top
38. In the Execute Action dialog box Repository field click the drop down and select Default BI
39. In the Action field select Generate Report - ETL
40. Click Execute
41. Navigate to Monitoring – Process Log for status. Once the Generate Report shows a green check in Status continue with the lab
Once the sync completes details can be viewed in Monitoring – Sync Log. You will also be able to see events in the SLA-BI database, BI.Event Log table. Right click the database and choose Select top 1000 rows from the 1ETRNAP – SQL Management Studio, if you would like to take a look.

Tachyon License File Details

To use Patch Success your Tachyon License file must have the Inventory and Patch Success consumers enabled. The license file must also include the pattern for 1E-Inventory* and 1E-PatchSuccess* as these are the names of the instructions that will use for Patch Success. We will look at our lab license file in this task to make sure we are set up correctly.

42. In the Settings application navigate to Configuration – License Information
43. Within Customer Licence expand Products – expand Features and expand Item 7 and notice that we have TachyonPatchSuccess
44. Expand Consumers expand Item 1 and notice that we are also licensed for the PatchSuccess consumer

Exploring Patch Success

Now that we have our lab environment configured for Patch Success in this exercise we will look at the Patch Success pages.

Patch Success Title Bar

The quick look at the state of the environment at the top of the Patch Success Overview page is very useful for determining what state your compliance is in and where you need to focus your effort.

45. Still logged into 1ETRNW72 as 1ETRN\Manager1
46. Navigate to the Patch Success application using Switch App. The page may need to be refreshed if it was already open in order to show Patch Success
Our Manager1 user can also access Patch Success directly using https://tachyon.1etrn.local/tachyon/app/#/patchsuccess
47. Click on the Overview menu. You will see the status of the environment across the top
48. On the far right is the last time we Reprocessed the Cube Data
49. We can select different management groups. This allows us to look at the data for only the devices in a management group
50. Change to the Windows 7 management group and look at the data. Notice how the tiles change based on the Management Group
51. Change to view the results for the Windows 10 Devices Management Group
52. Change to view the results for the Server Management Group
53. Change back to the Global Management Group

Patch Success Filter Bar

The Filter Bar allows us to look at the detailed information for specific devices or patches. In this task we will look at the filters that are available.

54. Still logged into 1ETRNW72 as 1ETRN\Manager1
55. Click on the Filter button (just below overview and above Patch status per device)
56. Notice the different options to Filter the data. Let's look at classification first. In the Value field click the drop-down and look at the options. These are the classifications for the types of patches. Choose Critical Updates and click Add. Click Apply
57. Notice how our tiles are now filtered. We could click the x at the end of our filter to remove the filter. Click the View Patches button below the tiles
You may need to adjust the Zoom of your Chrome window to see the details in the bottom pane due to our VM window.
58. Once you finish looking at the patch details, remove the filter. Click View Devices. You will now see the details of each device in our lab.
59. Click on Filter again. Let's look at the details for a specific KB. Click on KB and in the value field start typing 3004 select 3004375 from the suggestion list. Click on Add. Click on Apply
60. Notice the details for that specific patch
61. Navigate to Overview and look at the bottom pane with View Devices selected. Click on the View Patches button to see the details that are available
62. In the View Patches listing at the bottom click on the number in the Missing column. This will create our filter to show the devices that are missing that specific patch
63. Explore the other filters by looking at the following:
Management Group = All Windows 7 Lab Workstations
Operating System = Microsoft Corporation - Windows - 7
Patch Status = Missing
Publish Date = Jan 1, 2019 to today's date
Notice how we can add 2 different filters if we do not clear the last filter.
64. Create a filter that contains 2 values Patch Status = Missing and the KB from step 58.
65. Look at the Patch Performance Tile. Click on Installed and then click on Still Missing to change the focus of the data
66. Click the link in the upper right to show that tile in full screen  this tile will show you the number of updates installed per day. It isn't very interesting in our lab but in a production environment this will show more details so that you can have better patch performance

67. Click the button in the upper right to exit full screen mode 

Patch Success Patch Pages

68. Still logged into 1ETRNW72 as 1ETRN\Manager1
69. Click on the Patches menu in the left pane
70. Notice our display is still filtered. Clear the filter
71. Filter by Classification = Critical Updates
72. Click one of the updates in the list to drill into the details
Notice that we see the details of the patch itself in the top pane – Essential Details as well as the status of this patch in our environment By Device at the bottom

Patch Success Devices Page

73. Still logged into 1ETRNW72 as 1ETRN\Manager1
74. Click on the Devices menu in the left pane
75. Notice our filter moved over with us. We can see the status of each of the devices in our lab for the Critical Updates we looked at in the last task
76. At the top change to our Windows 10 Devices Management Group. Notice how that filter is added to our data
77. Click on 1ETRNW101 to drill into the details of that device. Notice the Explorebutton at the top. Click on Explore
Explore takes us to the Explorer Application with coverage in Tachyon defined for our Patch Success selection.
78. Click the drop down on coverage and see that it is our 1ETRNW101 device
79. Click All Instructions
Notice that we only have access to the Patch Success Instruction Set as this user has only our Patch Success Administrator role. We would need to add other instruction sets if we wanted our Patch Success Admin to be able to issue other Tachyon Instructions. For this lab we will only be doing Patch activities.
80. Click the Back button in Chrome to return to our Patch Success window
81. Click Check Status button. This will issue our 1E-PatchSuccess-Explore instruction with our device defined as the coverage parameter and take us to the Explorer application to monitor the instruction. Look at the details as they are returned
82. Click the back button again to return to Patch Success
83. Click back again to look at all our devices
84. Navigate to Overview – Click the View Devices button (if that view is not selected). Notice the details in the bottom pane for each device. The numbers in the missing column are links to drill into the details
85. Click on the Missing column number for 1ETRNW101
86. This takes us to the details for each patch that is missing on 1ETRNW101
This only shows us patches that have been deployed in our missing listing. This is using SCCM as our patching authority to say what has been approved for release in our environment. In our case our SCCM Admin has made our deployment only available (instead of required) this is to simulate a deployment.
87. Scroll down in the list and select one of the listed titles (by selecting the check box next to the Vendor). Notice that we have Check Status, Update Status, and Deploy buttons active in the right
Check Status runs 1E-PatchSuccess-Explore instruction on this device to get the status for this specific patch. Update Status runs 1E-PatchSuccess-Refresh instruction and will update our tiles (Cube Data) for this specific device and this specific patch without doing a full ETL
These three buttons are enabled because of the permissions we assigned to this user in Tachyon when we created our Patch Success Role. We checked all the boxes on the permissions for the Patch Success Instruction Set – Actioner, Approver, Questioner. If we did not want our user to be able to Deploy patches, we would not add actioner or approver – deploy button will be inactive. If we did not add Questioner, then the Explore and Check Status buttons will not be active. In production you may want other groups to approve the actions – you will need to create another Patch Success Role and add the approver – you may call that one 1E Patch Success Approvers.

Deploying Patches

Now that we have Patch Success configured and we have explored the different options, we will learn how to deploy patches.

Deploying a Critical Update to a Device

88. Still logged into 1ETRNW72 as 1ETRN\Manager1
89. You should still have the page filtered to show Patch Status Missing for 1ETRNW101 and your manually selected update
90. Click on Deploy and notice the warning dialog box. Check the box to enable patches to be downloaded directly from the internet (Read the warning that is displayed)
91. Click Yes, start deployment
92. Navigate to Monitoring – History to view the status

93. Still logged into 1ETRNW73 as 1ETRN\Tachyon_AdminG (our Global Approver)
94. Open LiveMail and find the email for the Action number in the above task. Click on Go To Approval Page
95. Explorer will open to Notifications – click on the Pending Request
96. Type something in the Your Comment box
97. Check I understand the impact of this instruction and approve this request
98. Click Approve

99. Still logged in as 1ETRN\User
100. Open File Explorer and navigate to c:\ProgramData\1E\Client and open the 1E.Client.log
101. Look for Running instruction and the ID from the Approval request
102. You will see it setting up a connection to a Remote WSUS Server
103. You will see it download the update from Windows Update
104. It will record a successfully processed instruction message

105. Still in the Explorer application – notice the banner – Responses have been offloaded to consumer PatchSuccess. Click the Back button in Chrome to return to Patch Success
106. Navigate to Patches and then filter for the update you deployed. Click on the update to drill into it
107. Click on Check Status. Explorer application will launch showing the status of the instruction
108. Once that instruction finishes Click the back button in Chrome to return to Patch Success
109. Navigate to Overview – Add a Filter for your update and click on View Devices at the bottom
110. Notice our device 1ETRNW101 no longer shows in the list and only 1ETRNW102 may be showing as missing for this patch (if the patch you chose was missing from 102. If the patch is not missing then move to step 112 and in those steps choose a patch missing from more than 1 machine to deploy)
111. Click on View Patches and it will change you back to the update view
112. Click on the 1 in the missing column and deploy this update
113. Approve the instruction and check the results

Deploying Other Missing Patches

114. In the Overview node apply a filter for Classification = Critical and Patch Status = Missing
115. Navigate around and deploy any of the other patches that are missing in the lab
116. View your results

Viewing Patch Events on Windows 10 and Windows 7

117. Open Event Viewer and Expand Applications and Services Logs
118. Expand Microsoft
119. Expand Windows
120. Expand WindowsUpdateClient
121. Click on Operational
122. Look at the events in the middle pane
123. Event ID 41 will show the download of the patch

124. Open c:\ProgramData\1E\Client\1E.Client.log
125. Open c:\windows\windowsupdate.log

Lab Summary

In this lab we looked at the Patch Success Application. We looked at the status of our environment and then deployed patches to devices that needed to be patched. We then saw how the Patch Success Application reported on our compliance status in near real-time.

Next Page
Ex 7 - TCN Opr v5.0 - Working with Inventory