Using Definition Download Settings for Disabled Replaced Rules and Autofix to Help Make Patching Easier
A lot of organizations are struggling with patching. They have a well-established patching process and schedule; however, they are putting more work into it than they need to.
One commonly overlooked area is the Disabled Replaced Rules tool. Patch supersedence is when a newer patch completely replaces an older patch. It is generally best practice to apply the latest patches rather than all of the patches.
It is much quicker and easier to apply the latest patch that will contain all the fixes in the replaced patches. Disabling replaced rules can cut the scan time in half. Another benefit is that you will have fewer patch install failures if you install the latest patch. Many Microsoft patches will fail to install if there has been a newer patch installed.
Now that you know what Disabled Replaced Rules is, how can you use it? If you want to continue spending your time reviewing patches that have been replaced, you can run the tool manually.
From the Patch and Compliance tool bar you can select the Disabled Replaced Rules icon.
The Disable replaced rules window opens. Select All replaced rules, then select Start. Then wait. I’ve seen this rule run for over an hour on a system where it had never been run before. The time could be more or less depending on your system.
All of the definitions are placed in the correct folder based on this tool.
What happens when new definitions are downloaded? Do you have to spend your time running the rule again? The short answer is no: this can be automated.
Open Download Updates from the Patch and Compliance toolbar, then look at the lower right for the Definition download setting.
When the window opens, select New.
Leave the Vulnerability selected then from the next dropdown select Any.
Select the Scan tab. Select Assign scan status and Disable any rules this definition replaces, and also make sure you have Scan (global) set. Click OK and you’re done.
You’ve created a rule that automatically runs Disable replaced rules every time Download Updates runs. You do have Download Updates scheduled to run on a regular schedule, don’t you?
While you’re creating rules to automate tasks, how about creating rules to set patches to Autofix? After testing, many organizations decide that certain patches will always be applied to the devices. Many wait until a new patch arrives and then set the patches to Autofix, but this is time-consuming. Why not create a rule to assign the patch to the scan folder as well as turn on Autofix?
Open the Definition download setting to create the rule.
Select Any from the dropdown but this time from the Comparison select Product, you can leave contains, then in the next window enter the patch you want to set to autofix.
Select the Scan tab. Select Assign scan status, then make sure that Scan (global) is selected.
Select the Autofix tab, then select Assign Autofix. From the Autofix settings, select Global, and you’re done.
You can create as many rules as you need to set patches to autofix to automate the patching process.
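To make the effect of the two rules concrete, here is an added Python model (written for this page, not Ivanti code, and not the product’s real data format) of what they do on each definition download: first, every definition that a newer definition replaces, directly or through a chain of replacements, is disabled and kept out of the scan folder; second, “Product contains …” rules assign scan status and, where chosen, Autofix to the remaining active definitions. The definition IDs, product names and “replaces” links are constructed sample data, not real KB numbers or Ivanti definition IDs.

```python
"""Model of patch supersedence and definition download rules.

Added example, not Ivanti's code. All definition IDs, products and
'replaces' links below are constructed sample data.
"""
from dataclasses import dataclass, field


@dataclass
class Definition:
    def_id: str
    product: str
    replaces: list = field(default_factory=list)  # IDs this patch supersedes
    scan: bool = False        # placed in the Scan folder
    autofix: bool = False     # installed automatically when detected
    disabled: bool = False    # replaced by a newer definition


@dataclass
class DownloadRule:
    """One 'Definition download setting' rule: Product contains <text>.

    An empty product_contains matches every definition (the 'Any' rule).
    """
    product_contains: str
    scan_global: bool = True
    autofix_global: bool = False


def disable_replaced(defs):
    """Disable every definition that is superseded, directly or transitively.

    Only the newest definition in each supersedence chain stays enabled, so
    the scanner never evaluates (or tries to install) an older patch that a
    newer cumulative patch already contains. Returns the set of disabled IDs.
    """
    by_id = {d.def_id: d for d in defs}
    disabled = set()
    for d in defs:
        stack = list(d.replaces)
        while stack:
            rid = stack.pop()
            # 'rid not in disabled' also protects against cyclic metadata
            if rid in by_id and rid not in disabled:
                disabled.add(rid)
                stack.extend(by_id[rid].replaces)
    for rid in disabled:
        by_id[rid].disabled = True
        by_id[rid].scan = False
    return disabled


def apply_download_rules(defs, rules):
    """Assign scan status / Autofix to active definitions matching each rule."""
    for d in defs:
        if d.disabled:
            continue  # replaced definitions never enter the scan folder
        for r in rules:
            if r.product_contains.lower() in d.product.lower():
                d.scan = d.scan or r.scan_global
                d.autofix = d.autofix or r.autofix_global


def active_scan_set(defs):
    return sorted(d.def_id for d in defs if d.scan and not d.disabled)


def autofix_set(defs):
    return sorted(d.def_id for d in defs if d.autofix and not d.disabled)


def build_sample():
    """Constructed sample: a chain of cumulative updates plus unrelated patches."""
    return [
        Definition("CU-2024-01", "Windows Server 2019"),
        Definition("CU-2024-02", "Windows Server 2019", replaces=["CU-2024-01"]),
        Definition("CU-2024-03", "Windows Server 2019", replaces=["CU-2024-02"]),
        Definition("SQL-2024-01", "SQL Server 2019"),
        Definition("OFF-2024-01", "Office 365 Apps"),
    ]


def run():
    """Simulate one download cycle: disable replaced rules, then apply rules."""
    defs = build_sample()
    disabled = disable_replaced(defs)
    rules = [
        DownloadRule("", scan_global=True),                        # Vulnerability / Any
        DownloadRule("Windows Server", scan_global=True, autofix_global=True),
    ]
    apply_download_rules(defs, rules)
    return disabled, active_scan_set(defs), autofix_set(defs)


if __name__ == "__main__":
    disabled, scan, autofix = run()
    print("disabled (replaced):", sorted(disabled))
    print("scan folder:", scan)
    print("autofix:", autofix)
```

Running it shows the two older cumulative updates disabled, only the newest one scanned and auto-fixed, and the SQL Server and Office definitions scanned but left for manual approval, which is the state the two rules above leave your console in after every download.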
Need additional support around your Ivanti solutions? Reach out today. We offer custom remote or onsite packages to help get your workload under control:
About Network America
Established in 1991, Network America is a premier professional services organization providing license procurement, design, training, implementation and ongoing support for systems management, security management, asset management, mobility management, and service management solutions to organizations worldwide. Network America is a veteran-owned small business and is a schedule 70 GSA holder. With a longstanding reputation for seasoned deployment engineers and expert information technology business consultants, Network America is the longest operating Ivanti Platinum Partner, having been in the expert solution provider program for over 19 years. Headquartered in Treasure Island, Florida, Network America serves clients throughout the world including United States, Canada, Puerto Rico and Curacao.