Getting started with patch management
This guide is for administrators who are implementing Miradore patch management. If you're looking for the operator's guide, please refer to About patch management.
Miradore supports patching of hundreds of different products from over a hundred different software vendors. See the full list of supported products in the Security patch products view.
Requirements:
Miradore Patch Management supports machines running Windows 7 or newer.
You should also have at least one installation point configured, because installation points are used to distribute the patch files. For instructions, check Setting up installation points.
See the Patch manager document for network requirements.
Step-by-step instructions
Enable patch management
- Create a license for Miradore Management Suite. Make sure to enable the "Use patch management" option.
- Enter the license to your Miradore Management Suite instance.
- Navigate to "Administration > System settings > Main > Miradore features" and enable "Patch management".

Define system settings
- Navigate to "Administration > System settings > Patch management" in Miradore Management Suite.
- Check the field descriptions from Patch management system settings and configure at least the following settings:
- As an optional step, you can also configure the other settings, such as the default reboot behaviour and the default language for Miradore client messages. The language setting is located at "System settings > Main > Client popup window > Default end-user language".

Install patch manager
- Use the Miradore Management Suite installer to install the Patch manager component. You can download the installer from: https://support.miradore.com.
- Check Patch manager's network requirements from the Patch manager page, and configure your firewall accordingly.
- Go back to Miradore, navigate to "Administration > System settings > Connectors" and make sure that the Miradore Patch Manager item is listed in the "Connectors" table.
- Open the Miradore Patch Manager item and change its status to "Active".
- Open Windows Task Scheduler on the installation point computer where Patch manager is installed and run the "MDPatchManager$InstanceName" scheduled task manually for the first time.

Prepare asset groups
- Plan the security patch deployment process. It is good practice to first deploy new patches to a pilot group of assets for a few days, because sometimes patches can cause unpredictable problems. If no problems occur in the pilot group, then it's probably safe to deploy the new security patches to production assets.
- Navigate to "Administration > Basic settings > Asset groups view" in Miradore Management Suite, and prepare the asset groups as you planned. It is usually best to create dynamic asset groups whose member assets are updated automatically based on asset filters, because that way the asset group members stay better updated. For instructions, see Creating and configuring asset groups.

Configure scheduled tasks for patch scanning and patch deployment
- Navigate to "Administration > System settings > Clients > General > Built-in scheduled tasks > Windows > Patch scan and install" and use scheduled task profiles to define which asset groups are in the scope of patch management and the interval of patch scanning and installations. For instructions, check Configuring patch scan and deployment.
- As an additional step, you can configure patch maintenance windows in "Administration > Feature settings > Patch management > Maintenance windows view". With the maintenance window items, it is possible to define a schedule when security patch installations are allowed to take place. If no maintenance windows are defined, patch scans and installations are performed according to the built-in scheduled tasks, but with maintenance windows the patch installations can be scheduled outside business hours. Notice that it is also possible to configure multiple maintenance windows for assets.
  In the Asset groups view, the "Maintenance windows" data column shows which maintenance windows have been configured for asset groups. Notice that disabled maintenance windows are presented with strikethrough formatting and they don't have any effect on patching actions.
  For more information, see Configuring a patch maintenance window for assets and Inheritance of patch management settings.
- Also as an optional step, you can define asset group specific or even asset specific reboot options that override the default reboot options configured in the system settings for patch management.
  The reboot options determine the reboot behaviour of managed assets after Miradore has installed security patches which require a computer restart. If you want to make sure that certain computers are not restarted during business hours, it might be a good idea to set asset group specific or asset specific reboot options.
  In the Asset groups view, the "Reboot options" data column shows which reboot settings have been configured for the asset groups.
  Pro tip: On the Asset page, you can disable patching for one specific device until a specific date. This is helpful if you want to prevent Miradore from patching the device during maintenance, for example.

Check operators' user permissions
- Decide which Miradore operators are responsible for the operational use of Miradore patch management and add their user accounts as members to the "Security officers" user group in "Administration > Permissions > Groups > Security officers".
  Security officers have access to the patch management views and controls that are needed in the operational use.

Configure quality index reports
- There are three quality index indicators that can be used for measuring and reporting the status of security patch management. See Configuring a quality index report and use those indicators freely in your quality index reports.

Define rules for storing and downloading the patch data
- In "Administration > System settings > Main > Patch management > Patch management settings", you can define the maximum storage time for the patch metadata and for the cached patch data. With these settings, you can define how long the data about obsolete or unused patches will be preserved in the system.
- At the Location item pages, administrators can use the "Max bandwidth for file copying" setting to define the maximum allowed network bandwidth consumption when a managed device is downloading patches or Windows 10 version updates.
  Notice that this setting is location-specific and the limit is applied to the assets that are assigned to the location.
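
The first manual run of the Patch manager task in the "Install patch manager" step can also be started and verified from PowerShell on the installation point computer. This is an added example, not part of Miradore's documentation; `InstanceName` is a placeholder for your own instance name and the 30-minute wait limit is an arbitrary choice.

```powershell
# Run in an elevated PowerShell session on the installation point computer
# where Patch manager is installed.
# 'InstanceName' is a placeholder: replace it with your Miradore instance name.
# Keep the single quotes. In double quotes PowerShell would treat
# $InstanceName as a variable and search for the wrong task name.
$taskName = 'MDPatchManager$InstanceName'

$task = Get-ScheduledTask -TaskName $taskName -ErrorAction SilentlyContinue
if (-not $task) {
    # Show similarly named tasks so a mistyped instance name is easy to spot.
    Get-ScheduledTask | Where-Object TaskName -like 'MDPatchManager*' |
        Select-Object TaskPath, TaskName, State | Format-Table
    throw "Scheduled task '$taskName' was not found on $env:COMPUTERNAME."
}

# Remember the previous run time so we can confirm a new run really happened.
$before = ($task | Get-ScheduledTaskInfo).LastRunTime
$task | Start-ScheduledTask

# Poll until the task leaves the Running state (arbitrary 30-minute ceiling).
$deadline = (Get-Date).AddMinutes(30)
do {
    Start-Sleep -Seconds 10
    $state = (Get-ScheduledTask -TaskName $task.TaskName -TaskPath $task.TaskPath).State
} while ($state -eq 'Running' -and (Get-Date) -lt $deadline)

$info = $task | Get-ScheduledTaskInfo

# Summary, including the account the task runs as, so the service identity
# and its privilege level can be reviewed at the same time.
[pscustomobject]@{
    Task           = $task.TaskName
    RunAs          = $task.Principal.UserId
    RunLevel       = $task.Principal.RunLevel
    State          = $state
    LastRunTime    = $info.LastRunTime
    LastTaskResult = '0x{0:X}' -f $info.LastTaskResult
}

if ($state -eq 'Running') {
    Write-Warning 'Task is still running after 30 minutes; check it again later.'
} elseif ($info.LastRunTime -le $before) {
    Write-Warning 'LastRunTime did not change; the task may not have started.'
} elseif ($info.LastTaskResult -ne 0) {
    Write-Warning 'Task finished with a non-zero result code; review the task history and firewall rules.'
}
```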
Good to know
Miradore has a "cooldown" period of 12 hours after the initial installation before Miradore Client accepts new tasks. This means that, for example, patching starts at the earliest 12 hours after the operating system's installation date has passed.
See also
About patch management (in the Operator's guide)