DSMC (User Interface)
The DSM Console (DSMC) is the resource with which you administer DSM Patch Management. Various wizards are provided to enable you to configure synchronization of the Update Catalog and the download of installation files.
Patch Management Service Configuration Wizard
The Configuration Wizard enables you to specify all the settings which the DSM Patch Management Service requires for automated synchronization of the Update Catalog and download of the update program files. The settings are stored in the DSMDB.
The Configuration Wizard can be accessed in the Patch Library folder of the Software Library via Classic Patch Management > Configure DSM Patch Management Service or via DSM PatchLink > Configure DSM Patch Management Service, in either case from the task window or the context menu.
Functions
The Configuration Wizard performs the following steps in sequence:
Source selection - selection of data source (Classic Patch Management only): Different addresses can be specified for downloading the patch program files and the Update Catalog. DSM Patch Management can optionally obtain the necessary information and program files from the Internet, a separately specified address or a local WSUS server.
Patch Synchronization: Enter the addresses via which the DSM Patch Management Service should obtain the Update Catalog. DSM Patch Management receives all the information about the latest changes to Microsoft updates from the Update Catalog.
•From Microsoft Update (Internet): access by the DSM Patch Management Service to the Microsoft Update website. The service uses the address which has been configured by DSM Patch Management.
•Alternative URL: if there is no connection with the Microsoft Update website, you can specify an alternative URL to a different server, on which the Update Catalog and the necessary files are held.
If you specify an alternative URL, please make sure to save the Update Catalog on the Management Point where the Patch Management Service is installed. A network share that can be accessed from the Management Point is not sufficient.
You can download the current Update Catalog from the Microsoft Update site directly: http://go.microsoft.com/fwlink/?LinkId=40751 - as of 02/2008.
Patch Download: These settings apply to the download of patch program files.
•Obtain patch files from local server: if there is no connection with the Microsoft Update website, then you can specify a URL for an alternative WSUS server.
•Option: Download from the Internet if not available locally. The system uses the address specified in the patch synchronization.
Product selection - selection of product category and update type (Classic Patch Management only): In this dialog you specify the product categories and the update type which should be loaded. The list is created dynamically and shows the current status of the Update Catalog. DSM Patch Management loads only files of the selected categories and types from the download server.
Language Choice (Classic Patch Management only): The list of languages offers updates for all the languages in which updates are available. Multiple selection is possible. DSM Patch Management only loads files in the selected languages from the download server.
Synchronization and download intervals: The timeframe is used to control automated access by the DSM Patch Management Service to the download sources. Synchronization of the Update Catalog and downloads of the program files can be controlled separately. You can specify several time intervals.
In order for the Service to perform the download automatically, the options Synchronization and Download must be activated!
Patch Management Rules
DSM PatchLink provides rules for the installation of patches. There are two types of patch management rules, rollout rules and template rules:
•DSM PatchLink employs patch rollout rules for downloading and assigning specific patches for security vulnerabilities (based on patch categories). The rules are also used to prevent the download or assignment of specific patches.
•Patch template rules are used to create individual patch packages automatically (based on specific rules).
When the system checks which patches to download and assign, it also evaluates the Patch Management rules for the individual patches. The patches are always evaluated according to an evaluation order. If a rule applies to a patch, the system applies the respective rule to this patch.
For rollout rules, the evaluation can be continued after a rule applies to a specific patch (for example, if you want to assign a specific patch to different policy targets). For template rules, the evaluation is stopped as soon as a rule applies, because using different templates for the same patch is pointless.
Patch Management rules are usually created with the Patch Management Wizard and are managed centrally in the Patch Management Rules dialog. This dialog provides individual tabs for rollout and template rules.
Example of Patch Rollout Rules Dialog:
You can specify the following properties for rollout and template rules:
•Activation: Specifies whether the rule is active or not.
•Evaluation order: Specifies the order in which the system checks the rules for a specific patch.
•Included / Excluded patch categories: Defines whether the rule applies to the patches that are included or excluded in the specific patch categories.
•Languages, classifications and severity: Specifies that the system only evaluates patches with the specified languages, classifications and severity.
The Tools classification has the following features:
Clients only report security vulnerabilities to Tools if the computer configuration variable Scan including tools has been enabled.
If you select Action = Download and Assign in the rollout rules, the Tools classification is never considered. The default value is Classification = all except Tools. Explanation: You can only exclude, download or manually assign tools; they cannot be assigned automatically!
The following additional properties also exist for rollout rules:
•If rule applies: Specifies whether the evaluation is continued for the remaining rules when a rule applies to a specific patch.
•Action: Specifies what is done with the patch when a rule applies (download, assign or no action at all).
•Policy targets: Specifies the policy targets.
•Policies are activated automatically: Determines whether the respective policies are activated automatically or not.
•Policy activation off-set: Postpones the automatic policy activation.
•Download based on vulnerabilities: Specifies whether patches are to be downloaded only if a corresponding vulnerability exists (default).
The following additional properties also exist for template rules:
•Used patch template: Specifies the patch template the system uses.
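The evaluation order described above, as an added sketch that is not DSM code: it models rollout and template rules in Python to show how the evaluation order and the "If rule applies" setting decide which policy targets receive a patch. The `Rule` fields, the action strings and all sample rules and patches are assumptions made for illustration.

```python
from collections import namedtuple
from dataclasses import dataclass

Patch = namedtuple("Patch", "name category classification severity")

@dataclass
class Rule:  # hypothetical model of one rule; field names are assumptions
    order: int                          # evaluation order
    name: str
    categories: set                     # included patch categories
    severities: set
    action: str = "none"                # "download", "download_assign" or "none"
    targets: tuple = ()                 # policy targets
    continue_if_applies: bool = False   # the "If rule applies" setting
    active: bool = True
    template: str = ""                  # used by template rules only

    def applies(self, p):
        if not (self.active and p.category in self.categories and p.severity in self.severities):
            return False
        # Tools are never considered when Action = Download and Assign.
        return not (self.action == "download_assign" and p.classification == "Tools")

def evaluate_rollout(rules, patch):
    """Return (rule, action, targets) for each rollout rule applied, in order."""
    applied = []
    for r in sorted(rules, key=lambda r: r.order):
        if r.applies(patch):
            applied.append((r.name, r.action, r.targets))
            if not r.continue_if_applies:
                break                   # evaluation stops at this rule
    return applied

def evaluate_template(rules, patch):
    """Template rules always stop at the first rule that applies."""
    hits = (r.template for r in sorted(rules, key=lambda r: r.order) if r.applies(patch))
    return next(hits, None)

# Constructed sample rules and patches (not taken from the product).
CRIT = {"Critical"}
ROLLOUT = [
    Rule(10, "hold-ie", {"Internet Explorer"}, CRIT),  # no action, stops evaluation
    Rule(20, "pilot", {"Windows", "Internet Explorer"}, CRIT, "download_assign",
         ("Pilot group",), continue_if_applies=True),
    Rule(30, "production", {"Windows"}, CRIT, "download_assign", ("All clients",)),
]
TEMPLATES = [Rule(10, "tpl-windows", {"Windows"}, CRIT, template="Server template"),
             Rule(20, "tpl-default", {"Windows", "Internet Explorer"}, CRIT, template="Default template")]
KB_WIN = Patch("KB-WIN", "Windows", "Security Updates", "Critical")
KB_IE = Patch("KB-IE", "Internet Explorer", "Security Updates", "Critical")
KB_TOOL = Patch("KB-TOOL", "Windows", "Tools", "Critical")
```

In this model the hold rule at order 10 keeps the Internet Explorer patch from reaching the pilot rule; placed after order 20, it would be evaluated only once the pilot assignment had already been made.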
Patch Synchronization Wizard
The Patch Synchronization Wizard instructs the Patch Management Service to update the Update Catalog. The Patch Management Service connects to the Update Server, compares the date of the Update Catalog from the data source specified in the configuration and only updates the catalog if the downloaded catalog is outdated.
If there is no Update Catalog available in the system, the Patch Management Service immediately downloads it from the Download Server and creates new patch packages with the control data in the Patch Library's folder.
The patch files (installation data) are not updated!
You can call the Patch Synchronization Wizard context-sensitively in the DSMC's Software Library.
•Patch Library > Classic Patch Management > Synchronize patch data now
•Patch Library > DSM PatchLink > Synchronize patch data now
Patch Download Wizard
The Patch Download Wizard helps you download the patch installation files for the selected patch packages. You can choose a language and download the installation files for this specific language only. DSM Patch Management saves the patch installation files in the patch package folder of the repository.
The Patch Download Wizard can be accessed in the DSMC via the Software Library in the context of a patch package.
•Choose one or more patch packages
•Click the right mouse button and choose the command Classic Patch Management > Download patch files or DSM PatchLink > Download patch files
•The scope of patch files you download differs depending on the options you select in the Download Wizard. You can select from different languages or all patches needed to patch all security vulnerabilities. Use the option Enforce re-download of all patch files to reset all of the previous data and settings of the patch.