Using Patch Management
Patch Management allows you to address security vulnerabilities in the systems in your enterprise. The patch scanner obtains security bulletins from the Microsoft Download site and scans your systems to determine which bulletins each system is missing; you can also re-scan a system at any time. The Patch tab allows you to approve the downloaded bulletins, apply the patches, and monitor patch events.
The Patch tab is divided into the following subtabs: Bulletins, Scans, and Distribution.
Note: Before using the Patch tab, we recommend that you review the Deployment Process and related sections.
Bulletins
The Bulletins subtab allows you to view all of your Microsoft bulletin reports. The Bulletins subtab has two menus: Bulletins and Reports.
Bulletins
The Bulletins menu of the Bulletins subtab allows you to view the following reports: All Bulletins, New or Updated Bulletins, and Approval Audit Log.
Note: You cannot modify these reports; however, you can click the Save As button to use a report as a template from which to build a customized report to save and reuse in your report library.
All Bulletins
The All Bulletins report provides all the information you need to manage patches for your environment.
Follow these steps to display the All Bulletins report:
- Click the Patch tab.
- Click the Bulletins subtab.
The All Bulletins report displays by default.
You can view the following details for each bulletin:
- The Bulletin Name column displays the names of the Microsoft bulletins. Click a bulletin name link to display the Microsoft detailed view of the bulletin.
- The Severity column displays the severity of the bulletins according to the following rating system:
- Critical = Microsoft Critical
- Major = Microsoft Important
- Minor = Microsoft Moderate
- Warning = Microsoft Low
For more information about the Microsoft severity levels, go to www.microsoft.com/technet/security/bulletin/rating.mspx
- The Category column typically indicates the type of bulletin: server, enterprise, workstation, or terminal server. If a patch applies to more than one category, Systems Manager lists the patch once for each category.
- The Approved column indicates whether you have approved the bulletin. You can approve a bulletin on the Edit Bulletins page.
- The Auto Apply column indicates whether Systems Manager applies the patch immediately when a scan finds it missing. You can set auto apply for a bulletin on the Edit Bulletins page.
You can also sort and export the data in the All Bulletins report.
Note: Although you can filter the data, you cannot permanently modify the All Bulletins report; however, you can click the Save As button to use this report as a template from which to build a customized report to save and reuse in your report library.
New or Updated Bulletins
The New or Updated Bulletins report displays a list of bulletins that have been changed or added.
Follow these steps to display the New or Updated Bulletins report:
- Click the Patch tab.
- Click the Bulletins subtab.
- Point to the Bulletins menu and choose New or Updated Bulletins to display the New or Updated Bulletins report.
You can view the following details for each updated bulletin:
- The Bulletin Name column lists the Microsoft bulletins. Click the bulletin name link to display the Microsoft detailed view of the bulletin.
- The Severity column displays the severity of the bulletins, using the same rating system as the All Bulletins report: Critical, Major, Minor, and Warning correspond to Microsoft Critical, Important, Moderate, and Low. For more information about the Microsoft severity levels, go to www.microsoft.com/technet/security/bulletin/rating.mspx
- The Category column typically indicates the type of bulletin: server, enterprise, workstation, or terminal server. If a patch applies to more than one category, Systems Manager lists the patch once for each category.
- The Approved column indicates whether you have approved the bulletin. You can approve bulletins on the Edit Bulletins page.
- The Auto Apply column indicates whether Systems Manager applies the patch immediately when a scan finds it missing.
- The Updated column indicates the date that the bulletin was updated.
You can also sort and export the data in the New or Updated Bulletins report.
Note: You cannot modify the New or Updated Bulletins report; however, you can click the Save As button to use this report as a template from which to build a customized report to save and reuse in your report library.
Approval Audit Log
The Approval Audit Log report lists the changes made to the approval status of bulletins.
Follow these steps to display the Approval Audit Log report:
- Click the Patch tab.
- Click the Bulletins subtab.
- Point to the Bulletins menu and choose Approval Audit Log to display the Approval Audit Log report.
To delete specified events, select the events you want to delete and click the Clear Events button.
To delete all of your events, click the Clear All Approval Events button.
Cleared events are no longer available in the audit log, so export or otherwise retain any record of approval changes you need before you clear them.
You can also sort and export the data in the Approval Audit Log report.
Resetting Bulletins
Resetting a bulletin restores its severity, description, approval, and auto apply settings to their default values.
Follow these steps to reset a bulletin:
- Click the Patch tab.
- Click the Bulletins subtab.
The All Bulletins report displays by default.
- Select the bulletin(s) you want to reset and click the Reset Bulletin button to display the confirmation dialog box.
- Click OK.
After you reset a bulletin, it displays in the New or Updated Bulletins report with the date that Systems Manager last updated that bulletin's definition file.
Editing Patch Definitions
The Edit Patch Definition page allows you to modify a patch definition.
Follow these steps to edit a patch definition:
- Click the Patch tab.
- Click the Bulletins subtab.
The All Bulletins report displays by default.
- Click the edit button next to the bulletin you want to modify to display the Edit Patch Definition page.
- From the Severity drop-down list, select the severity you want to apply to the patch definition.
Note: This action changes the severity from the Microsoft default severity to the severity of your choice.
- In the Description field, enter a new description or modify the existing description for the bulletin.
- Select the Approved option to approve the patch definition.
- Select the Auto-apply option to have Systems Manager apply the patch immediately when a scan finds it missing.
Editing Bulletins
The Edit Bulletins page allows you to set the approval status and auto-apply status for bulletins.
Follow these steps to edit a bulletin:
- Click the Patch tab.
- Click the Bulletins subtab.
The All Bulletins report displays by default.
- Select the bulletin(s) you want to modify and click the Edit Bulletin button to display the Edit Bulletins page.
- To approve the selected bulletins, select the approval option and select Approved from the drop-down list.
—OR—
To remove approval from the selected bulletins, select the approval option and select Unapproved from the drop-down list.
Note: You can distribute only approved bulletins.
- To set Systems Manager to apply the selected bulletins automatically when a scan finds them missing, select the auto-apply status option and select Auto-apply from the drop-down list.
To prevent Systems Manager from applying the selected bulletins automatically, select the auto-apply status option and select Don't Auto-apply from the drop-down list.
- Select the reset option to reset the selected bulletins to their default state.
- Click Apply to save your settings.
Bulletins Reports
The bulletins reports section includes a list of Systems Manager report folders, ordered alphabetically. This list includes any custom report folders that contain the bulletin reports available to you.
Click the Edit button to modify any of these reports. To edit, create, and delete custom reports, go to the Reports tab.
Follow these steps to view a report from the bulletins reports menu:
- Click the Patch tab.
- Click the Bulletins subtab.
- Point to the Reports menu to view the report folder list.
- Point to the report folder you want to view and then choose a report to display.
Scans
Systems Manager automatically scans your environment to determine the state of all machines and their relative patch levels. In addition, you can re-scan a system at any time.
The Scans subtab allows you to complete the following tasks:
- View scans and system scan history
- Scan your environment
- Apply patches to systems and groups
The Scans subtab has two menus: Scans and Reports.
Scans
The Scans menu of the Scans subtab allows you to view the following reports: Systems with Missing Bulletins, Bulletins with Affected Systems, System Scan History, System Scan Status, and Scan Errors.
You can also access the Scan System Group page from the Scans menu.
You can sort and export the data in the scans reports.
Note: Although you can filter the data, you cannot permanently modify these reports. For all of the reports except the Scan History report, you can click the Save As button to use a report as a template from which to build a customized report to save and reuse in your report library.
Systems with Missing Bulletins
The Systems with Missing Bulletins report lists the systems that Systems Manager has scanned, with the number of missing patches found on each.
Follow these steps to display the Systems with Missing Bulletins report:
- Click the Patch tab.
- Click the Scans subtab.
- Point to the Scans menu and choose Systems with Missing Bulletins to display the Systems with Missing Bulletins report.
You can view the following details for each system listed:
- The Missing Critical column displays the number of critical patches not applied to the system.
- The Total Missing column displays the total number of patches not applied to the system.
- The Name column indicates the name of the affected system. Click the link to display the System Inventory View page for the system.
- The Domain column displays the domain in which the affected system was discovered.
- The IP Address column displays the IP address of the affected system.
- The Operating System column displays the system's operating system type.
- The Last Patch Scan displays the date and time of the last scan.
Click the View Patches link for a system to display the Security Scan Details report for that system.
To apply patches to selected systems, select the system(s) to which you want to apply the patches and click the Apply All Patches button to display the Patch Distribution Options page.
To re-scan selected systems, select the system(s) you want to scan again and click the Scan button.
To delete selected scans, select the scan(s) you want to delete and click the Delete Selected Scans button.
You can also sort and export the data in the Systems with Missing Bulletins report.
Note: Although you can filter the data, you cannot permanently modify the Systems with Missing Bulletins report; however, you can click the Save As button to use a report as a template from which to build a customized report to save and reuse in your report library.
Patch Distribution Options
The Patch Distribution Options page allows you to set the schedule and download options for patches.
Follow these steps to complete the Patch Distribution Options page:
- If a distribution job contains unapproved patches, the Patch Distribution Options page notifies you with a message at the top of the page. To approve the patches, click the Approval All/Save button at the bottom of the page.
Note: Systems Manager does not distribute unapproved patches; it removes any unapproved patches from a patch distribution job.
- Optional: Set the Schedule for patch application, including the Date, Hour, and Minute, so that patches are distributed at a convenient time.
- Enter a tracking comment. The comment identifies the job on the Bulletin Distribution Summary report.
- Enter a maximum download speed.
Note: If you enter 0, the download runs as quickly as possible.
- In the Maximum Simultaneous Downloads field, enter the number of machines that can connect to the source at one time. The minimum is one.
- In the Error Sample field, enter the percentage of install attempts, counted from the first attempt, that Systems Manager monitors for success or failure.
- In the Error Threshold field, enter the percentage of those sampled attempts that may fail before Systems Manager stops the distribution.
For example, if you distribute a patch to 100 systems and set the Error Sample to 30% and the Error Threshold to 10%, Systems Manager monitors the first 30 attempts (30% of 100) and aborts the distribution after those 30 attempts if three or more of them (10% of 30) fail.
- Select the Reboot after patches are applied option to reboot the system automatically after a successful installation.
- Select the Display Reboot Notification Dialog to User option to notify the user before rebooting. The notification informs the user, but the reboot proceeds without user consent after 60 seconds or, if you set one, after the Max wait time. Enter a Max wait time in seconds to have the reboot proceed when the user is not at the machine.
- Recommended: Select the Require Reboot User Consent option to require the user to confirm the reboot.
Note: If you set the Max wait time to 0, the reboot waits indefinitely until the user confirms it. Until the reboot occurs, the patch is counted in the Awaiting Reboot column of the Bulletin Distribution Status report and is not yet considered successfully applied.
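The error-sample abort rule and the reboot options above interact in ways that are easy to misread, so the following Python simulation walks through them on a constructed run. It is an added example, not Systems Manager code: the point at which the threshold is evaluated (once the sample window completes, following the "after 30 attempts" wording), the outcome names it returns, and the reading of a Max wait of 0 as "not set" for the notification dialog but "wait indefinitely" when consent is required are assumptions taken from this page.

```python
"""Simulation of the Patch Distribution Options error-sample and reboot rules.

Added example, not Systems Manager code. Assumptions: the threshold is
evaluated once the sample window completes (the page says "after 30
attempts"), the outcome names are invented here, and a Max wait of 0 means
"not set" for the notification dialog (60 s) but "wait indefinitely" when
user consent is required.
"""
import math
from dataclasses import dataclass
from typing import Iterable, Optional, Tuple


@dataclass
class DistributionOptions:
    total_systems: int
    error_sample_pct: int           # first x percent of attempts that are monitored
    error_threshold_pct: int        # percent of sampled attempts that may fail
    reboot_after_patches: bool = False
    display_reboot_dialog: bool = False
    require_reboot_consent: bool = False
    max_wait_seconds: int = 0       # 0 = not set

    @property
    def sample_size(self) -> int:
        """Number of attempts in the monitored window (30 for 30% of 100)."""
        return math.ceil(self.total_systems * self.error_sample_pct / 100)

    @property
    def failure_limit(self) -> int:
        """Failures inside the window that trigger an abort (3 for 10% of 30)."""
        return math.ceil(self.sample_size * self.error_threshold_pct / 100)


def run_distribution(opts: DistributionOptions,
                     outcomes: Iterable[bool]) -> Tuple[bool, int, int]:
    """Feed per-system install results (True = success) through the abort rule.

    Returns (aborted, attempts_made, failures_in_sample).
    """
    attempts = failures = 0
    for ok in outcomes:
        attempts += 1
        if attempts <= opts.sample_size and not ok:
            failures += 1
        if attempts == opts.sample_size and failures >= opts.failure_limit:
            return True, attempts, failures   # job stops; remaining systems untouched
    return False, attempts, failures


def reboot_outcome(opts: DistributionOptions,
                   user_consented: Optional[bool],
                   seconds_elapsed: int) -> str:
    """Decide what happens to a system whose patch needs a reboot.

    user_consented is True/False when the user answered the dialog, None when
    nobody answered. Returns "reboot" or "awaiting-reboot" (assumed names; the
    Bulletin Distribution Status report shows the latter as Awaiting Reboot,
    with "User refused reboot request" in the Message column).
    """
    if not opts.reboot_after_patches:
        return "awaiting-reboot"
    if opts.require_reboot_consent:
        if user_consented is True:
            return "reboot"
        if user_consented is False:
            return "awaiting-reboot"
        # Nobody at the machine: Max wait 0 waits indefinitely, otherwise the
        # reboot proceeds once the wait expires.
        if opts.max_wait_seconds == 0 or seconds_elapsed < opts.max_wait_seconds:
            return "awaiting-reboot"
        return "reboot"
    if opts.display_reboot_dialog:
        # Notification only: proceeds without consent after 60 s or Max wait.
        wait = opts.max_wait_seconds or 60
        return "reboot" if seconds_elapsed >= wait else "awaiting-reboot"
    return "reboot"


if __name__ == "__main__":
    # Constructed run matching the page's example: 100 systems, 30% / 10%.
    opts = DistributionOptions(100, 30, 10)
    results = [i not in (5, 12, 20) for i in range(1, 101)]  # failures at 5, 12, 20
    print(run_distribution(opts, results))                    # (True, 30, 3)
```

Two things the simulation makes visible: failures that land after the sample window (attempts 31 to 100 in the example) never stop the job, so a distribution that goes bad late runs to completion; and with Require Reboot User Consent and a Max wait of 0, a user who ignores or refuses the dialog leaves the patch in Awaiting Reboot for as long as the machine stays up.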
Security Scan Details
The Security Scan Details report lists the bulletins that a scan found missing on a particular system.
Follow these steps to display the Security Scan Details report:
- Click the Patch tab.
- Click the Scans subtab.
- Point to the Scans menu and choose Systems with Missing Bulletins to display the Systems with Missing Bulletins report.
- Click the View Patches link for a system to display the Security Scan Details report for that system.
You can view the following information for each missing bulletin:
- The Item Severity column displays the severity of the bulletin, using the same rating system as the All Bulletins report.
- The Bulletin Name column displays the names of the Microsoft bulletins. Click a bulletin name link to display the Microsoft detailed view of the bulletin.
- The Category column typically indicates the type of bulletin: server, enterprise, workstation, or terminal server. If a patch applies to more than one category, Systems Manager lists the same patch once for each category.
- The Approved column indicates whether you have approved the bulletin.
- The Auto Apply column indicates whether Systems Manager applies the patch immediately when a scan finds it missing.
To apply patches to a selected system, select the patch(es) you want to apply and click the Apply Patches to System button.
Click the Affected Systems link to display the Systems with Missing Bulletins report for the specified bulletin.
You can also sort and export the data in the Security Scan Details report.
Bulletins with Affected Systems
The Bulletins with Affected Systems report on the Scans subtab lists every bulletin that a scan found missing on at least one system, together with the number of systems that need it.
Follow these steps to display the Bulletins with Affected Systems report:
- Click the Patch tab.
- Click the Scans subtab.
The Bulletins with Affected Systems report displays by default.
You can view the following details for each bulletin:
- The Bulletin Name column displays the names of the Microsoft bulletins. Click a bulletin name link to display the Microsoft detailed view of the bulletin.
- The Item Severity column displays the severity of the bulletins, using the same rating system as the All Bulletins report: Critical, Major, Minor, and Warning correspond to Microsoft Critical, Important, Moderate, and Low. For more information about the Microsoft severity levels, go to www.microsoft.com/technet/security/bulletin/rating.mspx
- The Category column typically indicates the type of bulletin: server, enterprise, workstation, or terminal server. If a patch applies to more than one category, Systems Manager lists the patch once for each category.
- The Approved column indicates whether you have approved the bulletin. You can approve a bulletin on the Edit Bulletins page.
- The Auto Apply column indicates whether Systems Manager applies the patch immediately when a scan finds it missing. You can set auto apply for a bulletin on the Edit Bulletins page.
- The Affected Systems column lists the number of systems that require the patch.
To apply selected bulletins to all vulnerable systems, select the bulletin(s) you want to apply and click the Apply to All Systems button to display the Patch Distribution Options page.
To apply selected bulletins to selected systems, select the bulletin(s) you want to apply and click the Apply to Select Systems button to display the Target Endpoints report.
To apply selected bulletins to asset groups, select the bulletin(s) you want to apply and click the Apply to Asset Group button. Choose a group from the menu to display the Patch Distribution Options page.
You can also sort and export the data in the Bulletins with Affected Systems report.
Note: Although you can filter the data, you cannot permanently modify the Bulletins with Affected Systems report; however, you can click the Save As button to use this report as a template from which to build a customized report to save and reuse in your report library.
Scan System Group
The Scan System Group page allows you to view a list of your dynamic and static system groups and scan them for missing bulletins.
Follow these steps to scan system groups:
- Click the Patch tab.
- Click the Scans subtab.
- Point to the Scans menu and choose Scan System Group to display the Scan System Group page.
- Select the system group(s) you want to scan and click Scan System Groups.
Systems Manager displays the Systems with Missing Bulletins report.
System Scan History
The System Scan History report displays all of your scan events.
Follow these steps to re-scan a system from its scan history:
- Click the Patch tab.
- Click the Scans subtab.
- Point to the Scans menu and choose System Scan History to display the System Scan History page.
- Select the event(s) for the system(s) you want to re-scan and click the Scan button to scan the system associated with each event.
To delete selected scan events, select the event(s) you want to delete and click the Clear Events button.
To delete all of your scan events, click the Clear All Scan Events button.
You can also sort and export the data in the System Scan History report.
System Scan Status
The System Scan Status report lists the status details of all scans.
You can view the following details for each scan listed:
- The Name column displays the name of the affected system.
- The Status column displays the status of the patch application.
- The Domain column displays the domain in which the affected system was discovered.
- The Last Patch Scan column displays the date and time of the last scan.
Follow these steps to re-scan a system:
- Click the Patch tab.
- Click the Scans subtab.
- Point to the Scans menu and choose System Scan Status to display the System Scan Status page.
- Select the system(s) you want to scan again and click the Scan button to display the confirmation dialog box.
- Click OK to initiate the scan.
You can also sort and export the data in the System Scan Status report.
Note: Although you can filter the data, you cannot permanently modify these reports; however, you can click the Save As button to use a report as a template from which to build a customized report to save and reuse in your report library.
Scan Errors
The Scan Errors report displays the machines with a patch status of "failed" or "scanning." At a glance, you can view the machines that have scans in progress or scans that failed.
You can view the following details for each scan error:
- The Name column displays the name of the affected system.
- The Status column displays the status of the patch application.
- The Domain column displays the domain in which the affected system was discovered.
- The Last Patch Scan column displays the date and time of the last scan.
Follow these steps to re-scan a system:
- Click the Patch tab.
- Click the Scans subtab.
- Point to the Scans menu and choose Scan Errors to display the Scan Errors page.
- Select the system(s) you want to scan again and click the Scan button to display the confirmation dialog box.
- Click OK to initiate the scan.
You can also sort and export the data in the Scan Errors report.
Note: Although you can filter the data, you cannot permanently modify these reports; however, you can click the Save As button to use a report as a template from which to build a customized report to save and reuse in your report library.
Target Endpoints
The Target Endpoints report allows you to apply selected bulletins to selected endpoints.
Follow these steps to apply patches to target endpoints:
- Click the Patch tab.
- Click the Scans subtab.
- Point to the Scans menu and choose Bulletins with Affected Systems to display the Bulletins with Affected Systems report.
- Select the bulletin(s) you want to apply and click the Apply to Select Systems button to display the Target Endpoints report.
- Select the endpoint(s) to which you want to apply the patches and click Apply All Patches to display the Patch Distribution Options page.
You can also sort and export the data in the Target Endpoints report.
Scans Reports
The scans reports section includes a list of Systems Manager report folders, ordered alphabetically. This list includes a set of pre-defined reports, contained in the Patch Reports folder, as well as any custom report folders that contain the bulletins and system scans reports available to you.
The Patch Reports folder includes the following pre-defined reports:
- Patch Severity Summary report provides summary-level information about vulnerable systems.
- Severity Summary report allows you to view the percentage of systems in your environment with vulnerabilities.
Click the Edit button to modify any of these reports. To edit, create, and delete custom reports, go to the Reports tab.
Follow these steps to view a report from the scans reports menu:
- Click the Patch tab.
- Click the Scans subtab.
- Point to the Reports menu to view the report folder list.
- Point to the report folder you want to view and then choose a report to display.
Distribution
The Distribution subtab allows you to view and track all of your patch distribution jobs and patch events. The Distribution subtab has two menus: Distribution and Reports.
Distribution
The Distribution menu of the Distribution subtab allows you to view the following reports: Bulletin Distribution Summary (with its Bulletin Distribution Status and Bulletin Distribution Details drill-down reports) and Distribution Log by System.
You can complete the following tasks with these reports:
- View events
- Clear events
- Sort report data
- Export report data
Bulletin Distribution Summary
The Bulletin Distribution Summary report displays the status of every patch distribution job that you or other users create.
Follow these steps to display the Bulletin Distribution Summary report:
- Click the Patch tab.
- Click the Distribution subtab.
The Bulletin Distribution Summary report displays by default.
You can view the following details for each patch:
- The Tracking Comment column displays any comments entered on the Patch Distribution Options page. Click a tracking comment to view the details on the Bulletin Distribution Status page.
- The Start Time column displays the time that the distribution started or is scheduled to start.
- The # Patches column displays the total number of patches being distributed.
- The # Systems column displays the total number of systems that the patch application affects.
- The Systems Processed column displays the number of systems that have been processed.
- The Systems with Errors column displays the number of systems that encountered errors during the patch application process. Click a number in this column to display the Bulletin Distribution Status page, which displays the systems with errors.
To delete a patch distribution job, select one or more items in the list and click the Delete button to remove the patch distribution job(s) from the list.
You can also sort and export the data in the Bulletin Distribution Summary report.
Bulletin Distribution Status
The Bulletin Distribution Status displays information about each system included in a patch distribution job.
Follow these steps to display the Bulletin Distribution Status report:
- Click the Patch tab.
- Click the Distribution subtab.
The Bulletin Distribution Summary report displays by default. - Click a tracking comment or number in the Systems with Errors column to display the Bulletin Distribution Status report.
You can view the following details for each system:
- The Name column displays the name of the system. Click the system name link to view the Bulletin Distribution Details report.
- The Last Status Update column displays the date and time of the last update for the distribution.
- The # Patches column displays the total number of patches to be distributed to the system.
- The Patches Processed column displays the number of patches that have been completed. This number includes those patches awaiting reboot.
- The Successful column displays how many patches Systems Manager successfully applied to the system.
- The Awaiting Reboot column displays the number of patches that require a reboot in order to be considered successful.
- The Failed column displays the number of patches that Systems Manager failed to apply.
- The Message column displays additional information about the distribution event.
For example: "User refused reboot request"
You can also sort and export the data in the Bulletin Distribution Status report.
Bulletin Distribution Details
The Bulletin Distribution Details report displays the status of all bulletins being applied to a particular system within a distribution job.
Follow these steps to display the Bulletin Distribution Details report:
- Click the Patch tab.
- Click the Distribution subtab.
The Bulletin Distribution Summary report displays by default. - Click a tracking comment or number in the Systems with Errors column to display the Bulletin Distribution Status report.
- Click a name to display the Bulletin Distribution Details report.
You can view the following details for each patch:
- The Bulletin Name column displays the names of Microsoft bulletins. Click a bulletin name link to display the Microsoft detailed view of the bulletin.
- The Status column displays the status of the patch application.
- The Message column displays additional information about the patch distribution job.
- The Last Status Update column displays the date and time of the last update for the patch item.
You can also sort and export the data in the Bulletin Distribution Details report.
Distribution Log by System
The Distribution Log by System report displays all of your patch events.
Follow these steps to display the Distribution Log by System report:
- Click the Patch tab.
- Click the Distribution subtab.
- Point to the Distribution menu and choose Distribution Log by System to display the Distribution Log by System report.
To delete specified events, select the events you want to delete and click the Clear Events button.
To delete all of your events, click the Clear All Patch Events button.
You can also sort and export the data in the Distribution Log by System report.
Distribution Reports
The distribution reports section includes a list of Systems Manager report folders, ordered alphabetically. This list includes a set of pre-defined reports, contained in the Patch Reports folder, as well as any custom report folders that contain the bulletins and system scans reports available to you.
The Patch Reports folder includes the following pre-defined reports:
- Patch Severity Summary report provides summary-level information about vulnerable systems.
- Severity Summary report allows you to view the percentage of systems in your environment with vulnerabilities.
Click the Edit button to modify any of these reports. To edit, create, and delete custom reports, go to the Reports tab.
Follow these steps to view a report from the distribution reports menu:
- Click the Patch tab.
- Click the Distribution subtab.
- Point to the Reports menu to view the report folder list.
- Point to the report folder you want to view and then choose a report to display.
Sorting Report Data
Follow these steps to sort report data:
- Click any of the headings in a report to sort the information based on that heading.
The arrow next to the heading indicates whether the sort order is ascending or descending.
- Click the column heading again to reverse the sort order.