Exercise Overview:

Working with Patch Success

In this lab we will learn how to configure and use Patch Success.

Configuring Tachyon for Patch Success

This exercise will show you how to configure Tachyon to use Patch Success. We have already configured our connector to use Tachyon Powered Inventory. We have also already imported the Instruction Set 1E Inventory used by Tachyon Powered Inventory and created the Tachyon Role required and assigned it to the All Devices Management Group.

If we used stand-alone WSUS for Security Updates in our environment, we would configure a WSUS connector instead of a Configuration Manager connector. To be used for Patch Success, WSUS has to be configured to use SQL (instead of the Windows Internal Database). We also require either patch approvals for WSUS or Deployments for SCCM. Patch Success evaluates this information to determine if a device is fully patched.

Create A Custom Role for Patch Success

We need to create a Patch Success user and role and assign the role to our All Devices Management Group. We also need to assign permissions to our Patch Success Instruction Set, which we imported earlier.

  1. Navigate to Settings – Permissions – Roles. Click on Add
  2. In the Add Role dialog box Name field type in 1E Patch Success
  3. Click Add. You will then see the Role in the listing of Roles
  4. Click on 1E Patch Success
  5. In the Role: 1E Patch Success page Permissions tab click on Add in the far right
  6. In the Add Permissions dialog box Type field select Instruction Set. In the Name field choose Patch Success from the drop-down listing. Check the boxes for Actioner, Approver, and Questioner. Click Add
  7. If you do not want to trigger a deployment of the patches via Patch Success, then do not add the Actioner and Approver permissions to the role. This will prevent the Deploy button from being enabled in the Patch Success Application.
  8. Click Add again and select Repository:Patch in the type field. Select the box next to Read. Click Add
  9. Click the Management Group tab. Click Add in the far right. Select All Devices. Click Add
  10. Click the Members tab. Click Add in the far right. Start typing in Manager and select Manager1 from the list. Click Add
  11. Navigate to Users and select Manager1 to see that the 1E Patch Success role has been added to that user
  12. Also add the following roles to our Manager1 account to use for Patch Success:
    Connector Administrators
    Inventory Administrators
    Log Viewers
    Permissions Administrators
  13. Add the Patch Success role to the Tachyon Connector account
  14. If the Patch Success role is not added to our Tachyon Connector account, the cube data will not populate the Patch Success Overview page with the Device information. To check this after doing an ETL Sync, look at the SLA-BI DB EventLog Table on the Tachyon server for the Patch Device Table message (you should see a number other than 0 devices).

Add the Tachyon Server Computer Account to SCCM

  1. From the Start menu type in Users and launch Edit Local Users and Groups
  2. Click on Groups – Find ConfigMgr_DViewAccess group and double-click it
  3. Click Add. Click Object Types and Check the box next to Computers. Click OK
  4. Type in 1ETRNAP then click Check Names
  5. Click Ok. Click Ok then close Lusrmgr

Create the SCCM Connector

This connector will pull our patch metadata into Patch Success.

  1. Navigate to Configuration – Connectors
  2. Click on Add and select System Center Configuration Manager from the Connector Type dropdown
  3. In the Repository type Inventory will be shown
  4. In the Connector Name field type in SCCM
  5. In the SCCM Database Server field type in 1ETRNCM
  6. In the SCCM Database field type in CM_PS1
  7. Delete any entries that are in the SCCM SQL Server User Name or Password fields
  8. Check the box next to Use Windows Authentication
  9. Check the box next to Run Consolidation Reports
  10. Click Add

Test the SCCM Connector

  1. Select the SCCM Connector that we just created
  2. Click the Test button on the right
  3. Navigate to Monitoring – Process Log to see the results
  4. Wait for it to be successful and then continue on with the exercises

Sync the Connectors Manually

In a production environment you will want to create schedules to run your syncs each week. The proper order is SCCM, Tachyon, then Generate Report – ETL. In our lab we will perform a manual sync of the connectors so that we can wait for them to finish and speed up the process.

  1. Navigate to Configuration – Connectors – Click the Execute button at the top
  2. In the Execute Action box select Default Inventory in the Repository field
  3. In the Action field choose Sync Data – SCCM. Click Execute
  4. Navigate to Monitoring – Process Log and wait for everything to complete
  5. Navigate to Configuration - Schedules
  6. Notice the Tachyon Schedule in the Schedules list. Since we are using Tachyon Powered Inventory our Tachyon Sync schedule has been created for us by the system. This is gathering the responses from an instruction. The instruction runs each week (with a seven day duration) and adds the data daily.

Reprocess the Cube Data

We need to run our ETL Report manually. This will populate our BI dashboards.

  1. From Settings – Configuration – Connectors. Click the Execute button at the top
  2. In the Execute Action dialog box Repository field click the drop down and select Default BI
  3. In the Action field select Generate Report - ETL
  4. Click Execute
  5. Navigate to Monitoring – Process Log for status. Once the Generate Report shows a green check in Status continue with the lab
  6. Once the sync completes details can be viewed in Monitoring – Sync Log. You will also be able to see events in the SLA-BI database, BI.Event Log table. Right click the database and choose Select top 1000 rows from the 1ETRNAP – SQL Management Studio, if you would like to take a look.

Tachyon License File Details

To use Patch Success, your Tachyon License file must have the Inventory and Patch Success consumers enabled. The license file must also include the patterns 1E-Inventory* and 1E-PatchSuccess*, as these are the names of the instructions that will be used for Patch Success. We will look at our lab license file in this task to make sure we are set up correctly.

  1. In the Settings application navigate to Configuration – License Information
  2. Within Customer Licence expand Products – expand Features and expand Item 7 and notice that we have TachyonPatchSuccess
  3. Expand Consumers expand Item 1 and notice that we are also licensed for the PatchSuccess consumer

Exploring Patch Success

Now that we have our lab environment configured for Patch Success in this exercise we will look at the Patch Success pages.

Patch Success Title Bar

The quick look at the state of the environment at the top of the Patch Success Overview page is very useful for determining what state your compliance is in and where you need to focus your effort.

  1. Still logged into 1ETRNW72 as 1ETRN\Manager1
  2. Navigate to the Patch Success application using Switch App. The page may need to be refreshed if it was already open in order to show Patch Success
  3. Our Manager1 user can also access Patch Success directly using https://tachyon.1etrn.local/tachyon/app/#/patchsuccess
  4. Click on the Overview menu. You will see the status of the environment across the top
  5. On the far right is the last time we Reprocessed the Cube Data
  6. We can select different management groups. This allows us to look at the data for only the devices in a management group
  7. Change to the Windows 7 management group and look at the data. Notice how the tiles change based on the Management Group
  8. Change to view the results for the Windows 10 Devices Management Group
  9. Change to view the results for the Server Management Group
  10. Change back to the Global Management Group

Patch Success Filter Bar

The Filter Bar allows us to look at the detailed information for specific devices or patches. In this task we will look at the filters that are available.

  1. Still logged into 1ETRNW72 as 1ETRN\Manager1
  2. Click on the Filter button (just below overview and above Patch status per device)
  3. Notice the different options to Filter the data. Let's look at classification first. In the Value field click the drop-down and look at the options. These are the classifications for the types of patches. Choose Critical Updates and click Add. Click Apply
  4. Notice how our tiles are now filtered. We could click the x at the end of our filter to remove the filter. Click the View Patches button below the tiles
  5. You may need to adjust the Zoom of your Chrome window to see the details in the bottom pane due to our VM window.
  6. Once you finish looking at the patch details, remove the filter. Click View Devices. You will now see the details of each device in our lab.
  7. Click on Filter again. Let's look at the details for a specific KB. Click on KB and in the value field start typing 3004 select 3004375 from the suggestion list. Click on Add. Click on Apply
  8. Notice the details for that specific patch
  9. Navigate to Overview and look at the bottom pane with View Devices selected. Click on the View Patches button to see the details that are available
  10. In the View Patches listing at the bottom click on the number in the Missing column. This will create our filter to show the devices that are missing that specific patch
  11. Explore the other filters by looking at the following:
    Management Group = All Windows 7 Lab Workstations
    Operating System = Microsoft Corporation - Windows - 7
    Patch Status = Missing
    Publish Date = Jan 1, 2019 to today's date
    Notice how we can add 2 different filters if we do not clear the last filter.
  12. Create a filter that contains 2 values: Patch Status = Missing and the KB from step 58.
  13. Look at the Patch Performance Tile. Click on Installed and then click on Still Missing to change the focus of the data
  14. Click the link in the upper right to show that tile in full screen. This tile will show you the number of updates installed per day. It isn't very interesting in our lab, but in a production environment this will show more details so that you can have better patch performance
  15. Click the button in the upper right to exit full screen mode

Patch Success Patch Pages

  1. Still logged into 1ETRNW72 as 1ETRN\Manager1
  2. Click on the Patches menu in the left pane
  3. Notice our display is still filtered. Clear the filter
  4. Filter by Classification = Critical Updates
  5. Click one of the updates in the list to drill into the details
  6. Notice that we see the details of the patch itself in the top pane – Essential Details as well as the status of this patch in our environment By Device at the bottom

Patch Success Devices Page

  1. Still logged into 1ETRNW72 as 1ETRN\Manager1
  2. Click on the Devices menu in the left pane
  3. Notice our filter moved over with us. We can see the status of each of the devices in our lab for the Critical Updates we looked at in the last task
  4. At the top change to our Windows 10 Devices Management Group. Notice how that filter is added to our data
  5. Click on 1ETRNW101 to drill into the details of that device. Notice the Explore button at the top. Click on Explore
  6. Explore takes us to the Explorer Application with coverage in Tachyon defined for our Patch Success selection.
  7. Click the drop down on coverage and see that it is our 1ETRNW101 device
  8. Click All Instructions
  9. Notice that we only have access to the Patch Success Instruction Set as this user has only our Patch Success Administrator role. We would need to add other instruction sets if we wanted our Patch Success Admin to be able to issue other Tachyon Instructions. For this lab we will only be doing Patch activities.
  10. Click the Back button in Chrome to return to our Patch Success window
  11. Click Check Status button. This will issue our 1E-PatchSuccess-Explore instruction with our device defined as the coverage parameter and take us to the Explorer application to monitor the instruction. Look at the details as they are returned
  12. Click the back button again to return to Patch Success
  13. Click back again to look at all our devices
  14. Navigate to Overview – Click the View Devices button (if that view is not selected). Notice the details in the bottom pane for each device. The numbers in the missing column are links to drill into the details
  15. Click on the Missing column number for 1ETRNW101
  16. This takes us to the details for each patch that is missing on 1ETRNW101
  17. This only shows us patches that have been deployed in our missing listing. This is using SCCM as our patching authority to say what has been approved for release in our environment. In our case our SCCM Admin has made our deployment only available (instead of required); this is to simulate a deployment.
  18. Scroll down in the list and select one of the listed titles (by selecting the check box next to the Vendor). Notice that we have Check Status, Update Status, and Deploy buttons active in the right
  19. Check Status runs 1E-PatchSuccess-Explore instruction on this device to get the status for this specific patch. Update Status runs 1E-PatchSuccess-Refresh instruction and will update our tiles (Cube Data) for this specific device and this specific patch without doing a full ETL
    These three buttons are enabled because of the permissions we assigned to this user in Tachyon when we created our Patch Success Role. We checked all the boxes on the permissions for the Patch Success Instruction Set: Actioner, Approver, Questioner. If we did not want our user to be able to Deploy patches, we would not add Actioner or Approver, and the Deploy button would be inactive. If we did not add Questioner, then the Explore and Check Status buttons would not be active. In production you may want other groups to approve the actions. To do that you will need to create another Patch Success Role and add the Approver permission; you may call that one 1E Patch Success Approvers.

Deploying Patches

Now that we have Patch Success configured and we have explored the different options, we will learn how to deploy patches.

Deploying a Critical Update to a Device

  1. Still logged into 1ETRNW72 as 1ETRN\Manager1
  2. You should still have the page filtered to show Patch Status Missing for 1ETRNW101 and your manually selected update
  3. Click on Deploy and notice the warning dialog box. Check the box to enable patches to be downloaded directly from the internet (Read the warning that is displayed)
  4. Click Yes, start deployment
  5. Navigate to Monitoring – History to view the status
  1. Still logged into 1ETRNW73 as 1ETRN\Tachyon_AdminG (our Global Approver)
  2. Open LiveMail and find the email for the Action number in the above task. Click on Go To Approval Page
  3. Explorer will open to Notifications – click on the Pending Request
  4. Type something in the Your Comment box
  5. Check I understand the impact of this instruction and approve this request
  6. Click Approve
  1. Still logged in as 1ETRN\User
  2. Open File Explorer and navigate to c:\ProgramData\1E\Client and open the 1E.Client.log
  3. Look for Running instruction and the ID from the Approval request
  4. You will see it setting up a connection to a Remote WSUS Server
  5. You will see it download the update from Windows Update
  6. It will record a successfully processed instruction message
  1. Still in the Explorer application – notice the banner – Responses have been offloaded to consumer PatchSuccess. Click the Back button in Chrome to return to Patch Success
  2. Navigate to Patches and then filter for the update you deployed. Click on the update to drill into it
  3. Click on Check Status. The Explorer application will launch showing the status of the instruction
  4. Once that instruction finishes Click the back button in Chrome to return to Patch Success
  5. Navigate to Overview – Add a Filter for your update and click on View Devices at the bottom
  6. Notice our device 1ETRNW101 no longer shows in the list and only 1ETRNW102 may be showing as missing for this patch (if the patch you chose was missing from 102. If the patch is not missing then move to step 112 and in those steps choose a patch missing from more than 1 machine to deploy)
  7. Click on View Patches and it will change you back to the update view
  8. Click on the 1 in the missing column and deploy this update
  9. Approve the instruction and check the results

Deploying Other Missing Patches

  1. In the Overview node apply a filter for Classification = Critical and Patch Status = Missing
  2. Navigate around and deploy any of the other patches that are missing in the lab
  3. View your results

Viewing Patch Events on Windows 10 and Windows 7

  1. Open Event Viewer and Expand Applications and Services Logs
  2. Expand Microsoft
  3. Expand Windows
  4. Expand WindowsUpdateClient
  5. Click on Operational
  6. Look at the events in the middle pane
  7. Event ID 41 will show the download of the patch
  1. Open c:\ProgramData\1E\Client\1E.Client.log
  2. Open c:\windows\windowsupdate.log
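
The client-side checks above (the Running instruction line in 1E.Client.log and Event ID 41 in the WindowsUpdateClient Operational log) can also be collected from a PowerShell prompt on the device. This is an added example, not part of the original lab or of 1E's tooling; the function name, the HoursBack window and the instruction ID placeholder are assumptions, and the only thing assumed about the log format is that a matching line contains both "Running instruction" and the ID.

```powershell
# Added example: gather evidence of a Patch Success deployment on a client.
# Function name and parameters are hypothetical; paths and Event ID come from the lab text.
function Get-PatchDeploymentEvidence {
    param(
        # Instruction ID from the approval request (supplied by the operator).
        [Parameter(Mandatory = $true)][string]$InstructionId,
        [string]$ClientLog = 'C:\ProgramData\1E\Client\1E.Client.log',
        # How far back to look for Windows Update download events (assumed default).
        [int]$HoursBack = 24
    )

    $evidence = @()

    # 1. Client log: lines containing "Running instruction" and the instruction ID.
    if (Test-Path -Path $ClientLog) {
        $evidence += @(
            Select-String -Path $ClientLog -SimpleMatch 'Running instruction' |
                Where-Object { $_.Line.Contains($InstructionId) } |
                ForEach-Object {
                    New-Object PSObject -Property @{
                        Source   = '1E.Client.log'
                        Location = "line $($_.LineNumber)"
                        Detail   = $_.Line.Trim()
                    }
                }
        )
    } else {
        Write-Warning "Client log not found: $ClientLog"
    }

    # 2. WindowsUpdateClient Operational log: Event ID 41 (download of the patch).
    $filter = @{
        LogName   = 'Microsoft-Windows-WindowsUpdateClient/Operational'
        Id        = 41
        StartTime = (Get-Date).AddHours(-$HoursBack)
    }
    $evidence += @(
        Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
            ForEach-Object {
                New-Object PSObject -Property @{
                    Source   = 'WindowsUpdateClient'
                    Location = $_.TimeCreated.ToString('s')
                    Detail   = $_.Message
                }
            }
    )

    if ($evidence.Count -eq 0) { Write-Warning 'No matching log lines or events found.' }
    $evidence | Select-Object Source, Location, Detail
}

# Replace the placeholder with the ID shown in the approval request.
Get-PatchDeploymentEvidence -InstructionId '<instruction-id>' | Format-List
```

An empty result for the client log together with Event ID 41 entries means a download happened that this instruction ID does not account for, which is worth checking against the Monitoring – History page.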

Lab Summary

In this lab we looked at the Patch Success Application. We looked at the status of our environment and then deployed patches to devices that needed to be patched. We then saw how the Patch Success Application reported on our compliance status in near real-time.
