Subscribe to the BMC TrueSight Server Automation Youtube Channel
· Comprehensive List of ITSM 20.02 Enhancements (for Each Component)
· Creating a Patch Catalog for Microsoft Windows
· Windows Patch Remediation
· Create an Offline Patch Catalog for Windows Video – KA#000169889
· How to Update the Windows Patch Catalog Filter List Video – KA#000166476
· Troubleshoot Deploy Exit Codes - False Positives – KA#000090870
· How to collect Log Package – KA#000169883
· How to collect DPDTrace – KA#000099904
Ivanti Patch Definition
Q: If Patch Size is big GB files and to avoid Network Latency during Stage copy, in this case any special recommendation from BMC?
A: You can use repeaters in case the patches are being copied to the remote servers.
See the following doc on Geographically-distributed TSSA environments:
And the following doc on managing TSSA repeaters:
Q: Is it acceptable, if we do Stage copy and Commit on deferent days?
A: Yes, you can do that.
Q: To remediate the patches it takes too much time for Windows OS patching. What all parameters we need to take care of to remediate patches in minimum time?
A: This can definitely vary based on individual setups for different customers. I would encourage you to open a support ticket, if you are experiencing this issue. One trick is to reboot servers beforehand. That reduces the amount of time for windows to create restore points before applying patches.
Also please see the following KA on this topic:
Q: While creating the Windows / Redhat catalog, if we already consider few roles, then why after download the patches. all included role does not have permission. We have to update the permission at catalog / patches level.
A: A RBAC policy needs to be added if multiple roles need access to catalogs. We are now showing how to add permissions for multiple roles using RBAC Policy.
Please also see the following KA on this topic:
Q: We are now showing how to add permissions for multiple roles using RBAC Policy. ?? is there any video / docs to fix it.
A: We have shown how to add permissions on multiple roles in the webinar. You can review the recording post the webinar.
Please also see the following KA on this topic:
Q: Is there any major changes between BSA Application 8.9.03.x and 8.9.04.x , especially in patching activity.
A: Here are the release notes for what changed between 8.9.03 and 8.9.04, but nothing huge specific to Windows Patching:
Also, the three 8.9.04 Patches:
Q: Should the username used to run DPDTrace be the same user used to run the TSSA Patching?
A: In the DPDTrace tool the user name must be a local administrator user. It is not the TSSA userid.
Q: We have patch installed already but the version still shows as missing. and BSA shows as missing. what could be the issue?
A: We have covered some of the scenarios in the webinar. (perceived False Positive) If the steps mentioned do not help, please raise a case with BMC Support with the logs mentioned. Please refer to the following blog (especially section 1) for details :
Q: Different between 3rd and 4th option?
A: This doc page should answer that clearly for you - https://docs.bmc.com/docs/tssa2002/specifying-job-options-910753689.html This one is also useful to see how the different options can interact - https://docs.bmc.com/docs/tssa2002/interactions-between-reboot-settings-910753690.html
Q: What is the best option to fix the agent not responding issue permanently?
A: There is no single fix. Agents may not be able to respond for multiple reasons. If you are having an issue, I suggest you open a support ticket and we can delve deeper into your particular issue.
Please see the following Troubleshooting Guide on this topic:
Q: What effect, if any, would there be by manually updating the permissions for a patch catalog outside of adding the RBAC policy and running a catalog update?
A: If the role running the Catalog update job is not able to see the patch post the manual update of the permission, the catalog update job will fail.
As long as the role running the catalog update job has access to the patch, the Catalog update job should run fine.
Q: What is the best practice here? I have had issues where servers fail patch job because of pending reboot from previous patch when I choose to ignore item defined reboot and reboot at the end. Moreover, when the patch job fails, the server is not rebooted so I have to manually reboot the server.
A: There is no single best practice. The safest bet when patching windows is to reboot Windows before patching and then do so after patching, but these options are present because different users have different needs.
Please see the following Blog post which discusses TSSA Windows Patch Analysis and the Pending Reboot state:
Q: How can I configure patch job to reboot server even if job fails. Also, how can I configure job to re-run automatically after said reboot is completed so that it may succeed next time around?
A: The target servers will not be rebooted if a job fails. If this is a feature which you think would be useful for you (reboot target server and rerun on failure) please create a support case with details so we can log a Product Improvement request.
Q: Can I use smart groups from two different catalogs in single patch analysis / deployment job?
A: You can use multiple smart groups as include lists and exclude lists but only from a single catalog.
Q: My File server is getting increased due to the catalog files, is there a script or automatic way to clean up the hotfix files ? If so, please let me know.
Also, my repeater server is facing same problem with hotfix files from age old dates. Do we have a mechanism to clean the files from repeater servers as well ? As of now, we are using Windows servers for both File server & Repeaters.
A: Check this communities BLOG, it might be useful to you on this topic - https://communities.bmc.com/community/bmcdn/truesight-server-automation/blog/2020/02/13/removing-old-patches-files-from-a-patch-repository
Also please see this link about how to perform Repeater cleanup:
Q: Why does BMC not provide a job to auto-add all products to the default xml list?
A: There are some technical reasons why some patches need to be excluded. For example, Office 365 patches need to be excluded as they use an unsupported update process.