Best practices for using SolarWinds Patch Manager

Last Updated: June 14, 2018

Getting started with Patch Manager includes more than just publishing updates and generating reports. These best practices help you fine-tune the deployment to avoid issues along the way.

Managed systems

  • Inventory the WSUS server and Windows® network before you generate a report. Reports query the Patch Manager database and convert the data into information you can use to manage the deployment. If you do not inventory the WSUS server or Windows network each day, the reports will not contain the latest information about the deployment.
  • Create an inventory only for the organizational units you want to include in the reports. Patch Manager collects licenses from managed systems and task history and compares the total amount to your purchased license. If you inventory the entire domain, the inventory includes disabled systems that still exist in Active Directory®. These irrelevant systems count toward the total, exceed your license count, and generate a system error.

    Any Windows-based system that you patch counts toward the node count. These systems include the Patch Manager server, standalone WSUS server, SCCM server, and all client systems. The Primary Application Server determines the node count in the Windows domain. A Patch Manager license includes 11 license tiers and is licensed on the node level.
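To see how many disabled computer accounts a given inventory scope would pull in, you can count them per organizational unit before you create the inventory. The script below is an added example, not SolarWinds code; it assumes the RSAT ActiveDirectory module is installed, and the function name and the OU distinguished names are placeholders.

```powershell
# Added example (not part of Patch Manager). Requires the ActiveDirectory module (RSAT).
Import-Module ActiveDirectory

function Get-InventoryScopeSummary {
    param(
        # Distinguished names of the OUs you plan to inventory
        [Parameter(Mandatory)][string[]]$SearchBase
    )
    foreach ($ou in $SearchBase) {
        # Every computer account under the OU, including child OUs
        $computers = @(Get-ADComputer -SearchBase $ou -SearchScope Subtree -Filter *)
        # Disabled accounts still exist in Active Directory and would be inventoried
        $disabled  = @($computers | Where-Object { -not $_.Enabled })

        [pscustomobject]@{
            OrganizationalUnit = $ou
            TotalAccounts      = $computers.Count
            EnabledAccounts    = $computers.Count - $disabled.Count
            DisabledAccounts   = $disabled.Count
            DisabledNames      = ($disabled.Name | Sort-Object) -join ', '
        }
    }
}

# Placeholder OUs (constructed); replace with your own distinguished names.
Get-InventoryScopeSummary -SearchBase @(
    'OU=Servers,DC=example,DC=com',
    'OU=Workstations,DC=example,DC=com'
) | Format-Table -AutoSize
```

An OU with a high DisabledAccounts value is a candidate for cleanup, or for exclusion from the inventory scope.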

Microsoft updates

  • Synchronize your WSUS server to download the latest Windows updates every day. Microsoft® releases security patches on the second Tuesday of each month (also known as Patch Tuesday). Create a daily schedule to synchronize the WSUS server with the Microsoft Updates Catalog each day. This process ensures that you receive the scheduled and non-scheduled Windows updates, patches, and hotfixes when they are available.
  • Check the Microsoft Security Response Center each week for the latest information. Located on the Microsoft TechNet® website, the Security Response Center identifies and posts security risks and vulnerabilities discovered in Microsoft software. This site also posts white papers and additional resources to help you be informed about Windows-related security risks. 

Third-party updates

  • Remove all custom filters from the Third Party Updates list. Remove any filters in the Third Party Updates pane to ensure that all third-party updates are published to the systems.

    1. Log in to the Patch Manager Administrator Console as an administrator.
    2. Expand Enterprise > Update Services > Patch_Manager_Server > Updates in the SolarWinds Patch Manager menu.
    3. Select Third Party Updates.
    4. Examine the filter icons in the table columns.

      If a filter icon is clear, no filters are applied.

      If a filter icon is blue, click the icon, select All, and click OK.

    5. Click Refresh in the Actions pane to apply the changes.

      The third-party update filters are removed.

  • Enable Patch Manager to automatically download third-party updates every day. By default, Patch Manager does not automatically download third-party updates after you install the software. Download the third-party updates and create a daily or weekly schedule to synchronize with the SolarWinds Third Party Update Library. When you are finished, SolarWinds Patch Manager downloads the latest third-party updates when they are available.
  • Review the latest third-party updates. The Table of Third Party Patches posted on THWACK lists the most recent patches added to the Patch Manager third-party catalog. Review this list often to ensure that your managed systems have the latest updates.

SolarWinds Patch Manager server

  • Update and publish the group policy to all servers and systems managed by SolarWinds Patch Manager. Create and export a software publishing certificate from the WSUS server to a certificate file. When you are finished, configure the Group Policy Object (GPO) on the domain controller with the certificate file and the supporting Windows Update policies to enable the managed systems to receive Windows and third-party updates from the WSUS server. Patch Manager signs all packages with the software publishing certificate. This certificate must be installed in the Trusted Root Certification Authorities and Trusted Publishers certificate stores so each managed computer can receive and install third-party updates.
  • Ensure that the SolarWinds Patch Manager servers are associated with a management group. This process helps you minimize errors with translating system names in the deployment.

    1. Log in to the Patch Manager Administrator Console as an administrator.
    2. In the navigation pane, expand Patch Manager System Configuration and select Patch Manager Servers.
    3. In the Patch Manager Servers pane, ensure that the Management Group column includes a management group. In this example, the WSUS server (SPM-MGOM) is associated with the Managed Enterprise management group.


  • Run the Server Cleanup Wizard on the WSUS server each month. The wizard performs several housekeeping tasks to optimize the WSUS server performance. These tasks include removing unused updates and revisions, unneeded update files, expired or superseded updates, and systems that no longer access the WSUS server for updates.

    1. Log in to the Patch Manager Administrator Console as an administrator.
    2. In the navigation pane, expand Enterprise > Update Services and select the WSUS server.
    3. In the Actions pane, click Server Cleanup Wizard.
    4. Complete the wizard options, and click OK.
  • Ensure that WSUS is configured and running at an optimal level. See the Microsoft TechNet website for information about best practices with WSUS and managing the Windows updates.
  • Ensure that port 4092 is open on your firewall. If you are running the Patch Manager Agent on your remote systems, ensure that port 4092 is open so the application can manage these systems.
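To confirm on a managed computer that the group policy described in the first item of this list has taken effect, you can compare the exported software publishing certificate against the two local certificate stores and read the Windows Update policy values. This script is an added example, not SolarWinds code; the function name and the certificate file path are placeholders, and it assumes the policy values live under the standard Windows Update policy registry key.

```powershell
# Added example (not part of Patch Manager). Run on a managed computer.
function Test-PublishingCertTrust {
    param(
        # Path to the certificate file exported from the WSUS server
        [Parameter(Mandatory)][string]$Path
    )
    $file = (Resolve-Path -Path $Path).Path
    $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList $file

    # Windows Update policy values delivered by the GPO (key is absent if no policy applies)
    $policyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
    $policy    = Get-ItemProperty -Path $policyKey -ErrorAction SilentlyContinue

    [pscustomobject]@{
        Subject                     = $cert.Subject
        Thumbprint                  = $cert.Thumbprint
        NotAfter                    = $cert.NotAfter
        Expired                     = $cert.NotAfter -lt (Get-Date)
        # Trusted Root Certification Authorities store
        InTrustedRoot               = Test-Path "Cert:\LocalMachine\Root\$($cert.Thumbprint)"
        # Trusted Publishers store
        InTrustedPublishers         = Test-Path "Cert:\LocalMachine\TrustedPublisher\$($cert.Thumbprint)"
        # "Allow signed updates from an intranet Microsoft update service location"
        AcceptTrustedPublisherCerts = ($policy.AcceptTrustedPublisherCerts -eq 1)
        # WSUS server the client is pointed at, if set by policy
        WUServer                    = $policy.WUServer
    }
}

# Placeholder path (constructed); use the file you exported from the WSUS server.
$result = Test-PublishingCertTrust -Path 'C:\Temp\WsusPublishing.cer'
$result | Format-List

if ($result.Expired -or -not ($result.InTrustedRoot -and $result.InTrustedPublishers -and
        $result.AcceptTrustedPublisherCerts)) {
    Write-Warning 'This computer will not install third-party updates signed with this certificate.'
}
```

If a store check is False after the GPO is linked, run gpupdate /force on the client and test again before troubleshooting the package itself.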

SQL Server database

  • For optimal performance, use a licensed version of SQL Server. The licensed version can support multiple console users, inventory multiple WSUS users, and execute simultaneous WMI-based tasks. SQL Server Express (included with Patch Manager) can only store up to 10 GB. If you exceed that amount, you must migrate the database to a remote SQL Server database.