Submit a ticketCall us

Looking to compare latest NPM features with previous versions of NPM?
The NPM new feature summary offers a comparison of new features and improvements offered with this release.

 

Home > Success Center > Patch Manager > Description of the different types of groups in the Patch Manager Console

Description of the different types of groups in the Patch Manager Console

Table of contents
Created by Brandon Painter, last modified by MindTouch on Jun 23, 2016

Views: 38 Votes: 0 Revisions: 4

Overview

This article provides information about the multiple types of Groups within Patch Manager. 

Environment

All versions of Patch Manager

Detail

  • Management Groups - in Patch Manager, these are what we call a given logical collection of domains, workgroups, and WSUS servers. It is possible to have more than one Management Group defined in Patch Manager, although the vast majority of our customers just have one Management Group that is created on the initial installation. Defining multiple Management Groups is an advanced configuration option, and the concepts surrounding it are discussed in Chapter 8 of our Patch Manager Administrator Guide. A couple of reasons why someone might deploy multiple Management Groups would be if you wanted to keep information stored in our database separate for two segments if your company, or if you wanted to maintain a separate database for a testing environment.
     
  • Computer Groups - are groups on the WSUS server that are used to logically separate machines to be targeted for patching. Many people would refer to them as “WSUS groups” or “WSUS Target Groups”. Yes, these are the ones that show up under Computers and Groups > All Computers. 

    A default WSUS installation will use Server Side Targeting. With that method of group assignment, when you ‘point’ a client machine to a WSUS server through Group Policy, that computer will show up under Unassigned Computers until you move it to another specific single group. So, you would create WSUS groups using whatever logical grouping makes the most sense for you (some people just have a ‘Servers’ and ‘Workstations’ groups, while other admins might create a different group for each Operating System or groups for each physical location, etc…). You would then move each computer client into the appropriate group yourself.

    If you want to have the machines effectively put themselves in a group you can use the other client targeting option - Client Side Targeting, which is normally enabled through Group Policy. Using this client targeting method, the machines will receive Group Policy from their OU, and each OU can be configured to drop the client machines automatically in the correct WSUS group.

    These two options (server-side vs. client-side targeting) are discussed in this TechNet article:http://technet.microsoft.com/en-us/library/cc720450(v=ws.10).aspx.
     
  • The Managed Computers node is basically just a list of machines that Patch Manager thinks it has targeted with a task of some sort. In general, if you have targeted a specific OU or WSUS Group with a task (like Inventory, or Update Management, or many others), then the machines that were targeted should show up under Managed Computers. We use Managed Computers as one part of the calculation for used licenses. Please note: There is no requirement that a machine show up under Managed Computers for you to be able to target it with any of our available tasks. There is also no requirement for you to add anything to that list. It is simply a list of things we think we’ve targeted. Sometimes it can be an easy way to find a machine name so you can right click it and execute some task, but in general you can ignore that node altogether if you wish (unless you are getting messages about being over your allocated licenses).
     
  • Patch Manager Computer Groups are not the same as Management Groups. They are another way you can group computers to be targeted with tasks. If you select one or more machines in Patch Manager, you can right-click that selection and choose to create a Patch Manager Computer Group. That group will then show up under the Enterprise -> Microsoft Windows Network node. Patch Manager Computer Groups can be targeted with many different types of tasks, including Inventory, our Update Management and Update Management Wizard deployment tasks, Detect Now, Refresh Group Policy, etc…

    There is an important distinction between WSUS Groups (Computer Groups) and Patch Manager Computer Groups, and that is: The WSUS server has no idea that Patch Manager Computer Groups even exist.

    This is important because one of the update deployment options available to you is to use the ‘normal’ WSUS methodology of Approve-ing updates to WSUS Groups. 

    In a WSUS environment, once an update is Approved for a WSUS Group, machines in that group will ‘see’ the approval when they check in to WSUS on their default 22-hour cycle. If the update is both Approved for a group they are in and the update is Applicable to them, the client machines will have the update deployed to them based upon the client machines’ other group policy settings.

    Since WSUS doesn’t know about Patch Manager Computer Groups, you cannot Approve an update to a Patch Manager Computer Group. You can still deploy updates to a Patch Manager Computer Group using the Update Management tasks, however.

    Most admins would use WSUS Groups for most tasks. Patch Manager Computer Groups are sometimes used for ‘special cases’ where, for example, I might want to target certain machines with a new Java update but not others. In my scenario, I might not want to move machines around in my WSUS groups just to facilitate proper targeting for a one-time update. Another use case would be if I am looking in Task History at the results of an Update Management task and see that a few machines failed because they were likely turned off at the time. I could select the ‘failed’ machines, then right-click and create a Patch Manager Computer Group and give it a name like “Failed update machines – 2013-02-18” and then use that to target a precisely-scoped follow up task later when I know they are back online.

 

Last modified
01:01, 23 Jun 2016

Tags

Classifications

Public