Exercise Overview:

Using Patch Success

In this lab we will learn how to use Patch Success.

Exploring Patch Success

The lab environment has been configured for Patch Success in this exercise we will look at the Patch Success pages, to carry out the configuration or to see how to configure, please look at the Install and Configure Tachyon Course.

Patch Success Title Bar

The quick look at the state of the environment at the top of the Patch Success Overview page is very useful for determining what state your compliance is in and where you need to focus your effort.

1ETRNW72
  1. Still logged into 1ETRNW72 as 1ETRN\Manager1
  2. Navigate to the Patch Success application using Switch App. The page may need to be refreshed if it was already open in order to show Patch Success
  3. Our Manager1 user can also access Patch Success directly using https://tachyon.1etrn.local/tachyon/app/#/patchsuccess
  4. Click on the Overview menu. You will see the status of the environment across the top
  5. On the far right is the last time we Reprocessed the Cube Data
  6. We can select different management groups. This allows us to look at the data for only the devices in a management group
  7. Change to the Windows 7 management group and look at the data. Notice how the tiles change based on the Management Group
  8. Change to view the results for the Windows 10 Devices Management Group
  9. Change to view the results for the Server Management Group
  10. Change back to the Global Management Group

Patch Success Filter Bar

The Filter Bar allows us to look at the detailed information for specific devices or patches. In this task we will look at the filters that are available.

1ETRNW72
  1. Still logged into 1ETRNW72 as 1ETRN\Manager1
  2. Click on the Filter button (just below overview and above Patch status per device)
  3. Notice the different options to Filter the data. Let's look at classification first. In the Value field click the drop-down and look at the options. These are the classifications for the types of patches. Choose Critical Updates and click Add. Click Apply
  4. Notice how our tiles are now filtered. We could click the x at the end of our filter to remove the filter. Click the View Patches button below the tiles
  5. You may need to adjust the Zoom of your Chrome window to see the details in the bottom pane due to our VM window.
  6. Once you finish looking at the patch details, click View Devices. You will now see the details of each device in our lab. Remove the filter
  7. Click on Filter again. Let's look at the details for a specific KB. Click on KB and in the value field start typing 3004 select 3004375 from the suggestion list. Click on Add. Click on Apply
  8. Notice the details for that specific patch
  9. Look at the bottom pane with View Devices selected. Click on the View Patches button to see the details that are available
  10. In the View Patches listing at the bottom click on the number in the Missing column. This will create our filter to show the devices that are missing that specific patch
  11. Explore the other filters by looking at the following:
  12. Management Group = All Windows 7 Lab Workstations
    Operating System = Microsoft Corporation - Windows - 7
    Patch Status = Missing
    Publish Date = Jan 1, 2019 to today's date
    Notice how we can add 2 different filters if we do not clear the last filter.
  13. Create a filter that contains 2 values Patch Status = Missing and the KB from earlier.
  14. Look at the Patch Performance Tile. Click on Installed and then click on Still Missing to change the focus of the data
  15. Click the link in the upper right to show that tile in full screen  this tile will show you the number of updates installed per day. It isn't very interesting in our lab but in a production environment this will show more details so that you can have better patch performance
  16. Click the button in the upper right to exit full screen mode 

Patch Success Patch Pages

1ETRNW72
  1. Still logged into 1ETRNW72 as 1ETRN\Manager1
  2. Click on the Patches menu in the left pane
  3. Notice our display is still filtered. Clear the filter
  4. Filter by Classification = Critical Updates
  5. Click one of the updates in the list to drill into the details
  6. Notice that we see the details of the patch itself in the top pane – Essential Details as well as the status of this patch in our environment By Device at the bottom

Patch Success Devices Page

1ETRNW72
  1. Still logged into 1ETRNW72 as 1ETRN\Manager1
  2. Click on the Devices menu in the left pane
  3. Notice our filter moved over with us. We can see the status of each of the devices in our lab for the Critical Updates we looked at in the last task
  4. At the top change to our Windows 10 Devices Management Group. Notice how that filter is added to our data
  5. Click on 1ETRNW101 to drill into the details of that device. Notice the Explore and Check Status buttons at the top. Click on Explore
  6. Explore takes us to the Explorer Application with coverage in Tachyon defined for our Patch Success selection.
  7. Click the drop down on coverage and see that it is our 1ETRNW101 device
  8. Click All Instructions
  9. Notice that we only have access to the Patch Success Instruction Set as this user has only our Patch Success Administrator role. We would need to add other instruction sets if we wanted our Patch Success Admin to be able to issue other Tachyon Instructions. For this lab we will only be doing Patch activities.
  10. Click the Back button in Chrome to return to our Patch Success window
  11. Click Check Status button. This will issue our 1E-PatchSuccess-Explore instruction with our device defined as the coverage parameter and take us to the Explorer application to monitor the instruction. Look at the details as they are returned
  12. Click the back button again to return to Patch Success
  13. Click back again to look at all our devices
  14. Navigate to Overview – Click the View Devices button (if that view is not selected). Notice the details in the bottom pane for each device. The numbers in the missing column are links to drill into the details
  15. Click on the Missing column number for 1ETRNW101
  16. This takes us to the details for each patch that is missing on 1ETRNW101
  17. This only shows us patches that have been deployed in our missing listing. This is using SCCM as our patching authority to say what has been approved for release in our environment. In our case our SCCM Admin has made our deployment only available (instead of required) this is to simulate a deployment.
  18. Scroll down in the list and select one of the listed titles (by selecting the check box next to the Vendor). Notice that we have Check Status, Update Status, and Deploy buttons active in the right
  19. Check Status runs 1E-PatchSuccess-Explore instruction on this device to get the status for this specific patch. Update Status runs 1E-PatchSuccess-Refresh instruction and will update our tiles (Cube Data) for this specific device and this specific patch without doing a full ETL
    These three buttons are enabled because of the permissions we assigned to this user in Tachyon when we created our Patch Success Role. We checked all the boxes on the permissions for the Patch Success Instruction Set – Actioner, Approver, Questioner. If we did not want our user to be able to Deploy patches, we would not add actioner or approver – deploy button will be inactive. If we did not add Questioner, then the Explore and Check Status buttons will not be active. In production you may want other groups to approve the actions – you will need to create another Patch Success Role and add the approver – you may call that one 1E Patch Success Approvers.

Deploying Patches

Now that we have Patch Success configured and we have explored the different options, we will learn how to deploy patches.

Deploying a Critical Update to a Device

1ETRNW72
  1. Still logged into 1ETRNW72 as 1ETRN\Manager1
  2. You should still have the page filtered to show Patch Status Missing for 1ETRNW101 and your manually selected update
  3. Click on Deploy and notice the warning dialog box. Check the box to enable patches to be downloaded directly from the internet (Read the warning that is displayed)
  4. Click Yes, start deployment
  5. Navigate to Monitoring – History to view the status
1ETRNW73
  1. Still logged into 1ETRNW73 as 1ETRN\Tachyon_AdminG (our Global Approver)
  2. Open LiveMail and find the email for the Action number in the above task. Click on Go To Approval Page
  3. Explorer will open to Notifications – click on the Pending Request
  4. Type something in the Your Comment box
  5. Check I understand the impact of this instruction and approve this request
  6. Click Approve
1ETRNW101
  1. Still logged in as 1ETRN\User
  2. Open File Explorer and navigate to c:\ProgramData\1E\Client and open the 1E.Client.log
  3. Look for Running instruction and the ID from the Approval request
  4. You will see it setting up a connection to a Remote WSUS Server
  5. You will see it download the update from Windows Update
  6. It will record a successfully processed instruction message
1ETRNW72
  1. Still in the Explorer application – notice the banner – Responses have been offloaded to consumer PatchSuccess. Click the Back button in Chrome to return to Patch Success
  2. Navigate to Patches and then filter for the update you deployed. Click on the update to drill into it
  3. Click on Check StatusExplorer application will launch showing the status of the instruction
  4. Once that instruction finishes Click the back button in Chrome to return to Patch Success
  5. Navigate to Overview – Add a Filter for your update and click on View Devices at the bottom
  6. Notice our device 1ETRNW101 no longer shows in the list and only 1ETRNW102 may be showing as missing for this patch (if the patch you chose was missing from 102. If the patch is not missing then move to step 112 and in those steps choose a patch missing from more than 1 machine to deploy)
  7. Click on View Patches and it will change you back to the update view
  8. Click on the 1 in the missing column and deploy this update
  9. Approve the instruction and check the results

Deploying Other Missing Patches

1ETRNW72
  1. In the Overview node apply a filter for Classification = Critical and Patch Status = Missing
  2. Navigate around and deploy any of the other patches that are missing in the lab
  3. View your results

Viewing Patch Events on Windows 10 and Windows 7

1ETRNW101
  1. Open Event Viewer and Expand Applications and Services Logs
  2. Expand Microsoft
  3. Expand Windows
  4. Expand WindowsUpdateClient
  5. Click on Operational
  6. Look at the events in the middle pane
  7. Event ID 41 will show the download of the patch
1ETRNW71
  1. Open c:\ProgramData\1E\Client\1E.Client.log
  2. Open c:\windows\windowsupdate.log

Lab Summary

In this lab we looked at the Patch Success Application. We looked at the status of our environment and then deployed patches to devices that needed to be patched. We then saw how the Patch Success Application reported on our compliance status in near real-time.