Hello,

We have been using Patch Management with LabTech. Has anyone had any success with pushing out updates through LabTech? It seems like the patching is not working in LabTech for us.

Thank You,
Patrick


We have had great success.  It works great.  Though, we don't use the patch manager.  We patch using groups and various templates assigned to groups.  Vernon has a great video on patching setup.  Ours is similar, but many levels deeper.
I see updates going through; however, not that many weekly, or updates that are Set to Install are not automatically being pushed?

Vernon's video is a really strong start.

Here is Vernon's patching video link:

http://app-care.com/index.php/blog/22-labtech-windows-patching-configuration

-Matt

Which methodology is everyone using? The built-in one, or the one created by Vernon?

We are using a hybrid of Vernon's and our own methodology we developed over the years.  Vernon's method in that video is actually very simplistic (as it should be for such a video).  There are only a few levels in that video.  We have taken this idea and added about 30 levels.  Though, at our company, we take patching more seriously than anyone we have talked to.

What I can tell you with confidence is that LabTech patching WORKS.  It is by far the best MSP patching platform we have ever tested.  We have bought and used in production MANY patching platforms over the years.  Since 1999 we have used: WSUS, LPI, Shavlik/Nable, Kaseya, and now LabTech.  None of these solutions were out-of-the-box plug-n-play patching systems.  LabTech overcomes almost every problem we ever encountered in all the other systems.  With LabTech you must build it like you want it.  We love this aspect.  LabTech doesn't really limit in any way.

Good luck with your patching.

Farzon,

We just incorporated Vernon's method for Patch Management in LabTech and like the simplicity of it. I'd be interested to learn what levels you've added and some of your best practices.

At this moment, using Vernon's method from his video, I'm curious to know what is the best way to see/monitor success and failure of the approved patches. I've poked around with the Patch Manager and really didn't find what I thought was a simple view of even failed or approved patches that didn't install.

Thank you for your time and attention to my inquiry.

Regards,

Tom Barlow




It would be nice if Farzon could follow up on the question posed by Tom. I am interested too, and possibly others are.

Somehow I missed Tom's question before.  Sorry about that.  There would be too much to cover in a forum post to get into a step-by-step, but I can help for sure.  One of the most powerful aspects of LabTech is the ExtraDataFields/additions you can add to the "Info" tab.  There is an info tab for Clients, locations, and computers.

By utilizing ExtraDataFields connected to custom searches, and then those searches as auto-joins to groups.  In our environment, 100% of group join/leave is done with auto-joins.  We never ever drag and drop computers/clients etc. into groups.  Once you have completely automated group joining based on ExtraDataFields, you set up your template for the group, patching for the group, and scripts for the group.  This is very much like Vernon's video.

For example:

  1. We have some clients that we patch 24x7 approved patches, and get prompted 24x7 asking them if they are willing to reboot because patches were installed.  If they say no, it asks them again in 2 hours.  If for any reason the computer isn't logged on, it reboots.
  2. We have other clients that we patch 24x7 approved patches, but they never ever want to see any message about rebooting.  For these clients we negotiate a specific time that we "just reboot".

FYI, this is just a tiny little glimpse of the levels we have built.

So with the above two examples, we have a setting on the Location object for a client.  We do it there, in case a client wants special handling at the location level (which in our experience, they do).  So we have an ExtraDataField that selects the type of prompting and reboot.  Once set, we have a Search created that is based on those fields.  Then, we have groups set with auto-join based on those searches.  Then, we have a template that is tied to these groups which sets the patching windows and the reboot handling.  Lastly, we have a monitor that is tied to these groups that detects that a reboot is needed and then runs a script that we made that prompts the user in the exact way that we want.  Note:  This is why we worked with LabTech to extend the time that the pop-up message displays in scripting (used to be 30 seconds, as of around DOT2 90 seconds).  We really wish we could display a message for at least an hour, or forever.

So that is the framework that makes it all work.  Take each option that you want and can dream of and do the above.  Some fields belong at the Client level, location, or computer.

I wish my explanation was easier to follow, but it really is an exact recipe to the heart of the automation of LabTech.  If you understand the concepts above, this should just snap together.  If you don't, and you really want to utilize the power of LabTech, I suggest taking what I wrote above and learning each step until you get to the end.  Your eyes will open with that "ta da!" moment.

People could and probably will complain that it shouldn't be all that work.  I think it's super easy once you learn it.  I honestly think LabTech already made it super easy for us.  I can't really think of an easier way to get it done.  You really get what you put into LabTech.  Take your time, learn it.  Lots of power in there.  I am still finding new things that surprise me, and put a smile on my face.

Let me know if I can be of further help.

I forgot to add a few more things.

To verify things are patched, we use a few things.  First of all you can use custom searches that find computers that have more than 0 approved patches not installed.  Then you can use auto-join groups for these searches.  From these groups you can see near real time the computers that are not patched.

Another way is to use Dataviews.  We take the existing dataviews, make changes, and then save the changes as a new dataview.  The changes we make are the "approved patches" type of stuff.  Using this dataview we can view a location, client, or all clients for patch status.

Also, another way is to use monitors.  You can create a monitor that finds machines that have more than 0 approved patches not installed.

P.S.  You can also use these methods to find servers that are "pending-reboot".  This is helpful when you are using a patch and reboot window, and you are trying to reconcile which servers still need a reboot after patching.

Well Farzon, that is a lot of useful information, thank you for that! We are just enrolling into LabTech coming from Kaseya. The more I understand of the system, the more impressed I get! I have been discovering the use of searches, auto-join groups and the use of templates. It is really great stuff that LabTech is offering us within this system.

I am still wondering what procedure is triggering patches anyway. Is there a recurring search iterating through all the templates/groups and firing procedures? On the machine level I can see under the Patching Tab when patches are pushed. But I see nothing in the computer Log indicating something has been fired up by the LT server.

When there are conflicting settings on a template level (multiple templates apply), which one has precedence?

First of all, never have a conflicting template.  While I think the newer versions of LabTech try to work around conflicting templates, I wouldn't take that risk.  Be very confident about how your templates are configured.  Don't change them often.  Do several (as in more than 2) verifications to ensure nothing conflicts, ever.

The beauty of LabTech is that it REALLY does use the built-in Windows Update engine on the computer.  Somehow they have carved into it so that we can utilize Cached folders and other trick stuff.  Fundamentally, and functionally, it uses Windows Update.  This is a godsend, because it actually works.

You can check the patch tab on a computer.  There in the top window you will see patches.  Status of Installed, pushed, missing.  The other two are obvious, but "pushed" means the patch was attempted and it's not complete yet.  It's normal to see "pushed" for a while, but if it stays there - there is a problem.

Which reminds me.  We have a monitor that finds computers that are in the "pushed" status for too long and runs a script to "re-attempt failed patches" to them.  This is a command.  By doing this automatically it keeps the patch flow going without requiring us to follow-up on the patching system so much.

We also have a monitor that finds computers with no patches listed for it.  These computers have a broken Windows Update engine.  From here we auto-run a script that repairs Windows Update on that machine.  This monitor is awesome. It fixes computers several times per week while we sleep.  :)

P.S.  Try doing that in Kaseya!  Not going to happen.
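
The three checks described in the posts above (computers with more than 0 approved patches not installed, patches sitting in "pushed" for too long, and computers with no patches listed at all), as an added example that is not part of the original thread and is not LabTech code. The export format, column names, patch names, computer names and the 24-hour threshold are all assumptions made for illustration.

```python
# Added example: patch-health checks run over a constructed export.
# Column names and thresholds are assumptions, not LabTech's schema or API.
import csv
import io
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample: one row per (computer, patch). PC-04 has no patch rows.
SAMPLE_EXPORT = """computer,patch,approved,status,status_since
PC-01,KB-A,1,installed,2017-03-01T02:00:00
PC-01,KB-B,1,installed,2017-03-01T02:05:00
PC-02,KB-A,1,missing,2017-03-01T02:00:00
PC-02,KB-B,0,missing,2017-03-01T02:00:00
PC-03,KB-A,1,pushed,2017-03-01T02:00:00
PC-03,KB-B,1,pushed,2017-03-03T09:00:00
"""
INVENTORY = ["PC-01", "PC-02", "PC-03", "PC-04"]  # constructed agent list


def patch_health(export_text, inventory, now, max_pushed=timedelta(hours=24)):
    """Return the computers each of the three monitors would flag."""
    rows_by_pc = defaultdict(list)
    for row in csv.DictReader(io.StringIO(export_text)):
        rows_by_pc[row["computer"]].append(row)

    unpatched, stuck, no_data = [], [], []
    for pc in inventory:
        rows = rows_by_pc.get(pc, [])
        if not rows:
            # No patches listed at all: the thread treats this as a broken
            # Windows Update engine, not as a fully patched machine.
            no_data.append(pc)
            continue
        pending = [r for r in rows
                   if r["approved"] == "1" and r["status"] != "installed"]
        if pending:
            unpatched.append(pc)  # more than 0 approved patches not installed
        if any(r["status"] == "pushed" and
               now - datetime.fromisoformat(r["status_since"]) > max_pushed
               for r in rows):
            stuck.append(pc)  # "pushed" for too long: re-attempt candidate
    return {"unpatched": unpatched, "stuck_pushed": stuck,
            "no_patch_data": no_data}


if __name__ == "__main__":
    print(patch_health(SAMPLE_EXPORT, INVENTORY, datetime(2017, 3, 3, 12, 0)))
```

Comparing against a separate inventory list is what lets the last check work: a computer with a broken update engine produces no rows, so it would otherwise look identical to a fully patched one.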


© 2017   Created by Ben Johnson.   Powered by
