Connect with TrueSight - TSSA: windows Patching Webinar Q&A

Version 2
    Share This:

    Subscribe to the BMC TrueSight Server Automation Youtube Channel

    https://www.youtube.com/c/BMCTrueSightAutomation

    Presentation References

     

    TrueSight Server Automation YouTube Channel Video Patching Playlist


    Documentation

    · Comprehensive List of ITSM 20.02 Enhancements (for Each Component)
    https://docs.bmc.com/docs/itsm2002/20-02-enhancements-909627536.html

    · Creating a Patch Catalog for Microsoft Windows
    https://docs.bmc.com/docs/tssa2002/creating-a-patch-catalog-for-microsoft-windows-910752640.html

    · Windows Patch Remediation
    https://docs.bmc.com/docs/tssa2002/walkthrough-basic-patch-remediation-910749694.html#Walkthrough:Basicpatchremediation-Whatispatchremediation?

    · Deploy Logs
    https://docs.bmc.com/docs/tssa2002/logs-for-deploy-jobs-911443064.html

     

    Knowledge Articles

    · Create an Offline Patch Catalog for Windows  Video – KA#000169889
    https://communities.bmc.com/docs/DOC-119109

    · How to Update the Windows Patch Catalog Filter List Video – KA#000166476
    https://communities.bmc.com/docs/DOC-122813

    · Troubleshoot Deploy Exit Codes - False Positives – KA#000090870
    https://communities.bmc.com/docs/DOC-102062

    · How to collect Log Package – KA#000169883
    https://communities.bmc.com/docs/DOC-119112

    · How to collect DPDTrace – KA#000099904
    https://communities.bmc.com/docs/DOC-102016

     

    Ivanti Patch Definition

    Q&A

     

     

    Q: If Patch Size is big GB files and to avoid Network Latency during Stage copy, in this case any special recommendation from BMC?

     

    A:  You can use repeaters in case the patches are being copied to the remote servers.

     

    See the following doc on Geographically-distributed TSSA environments:

     

    https://docs.bmc.com/docs/tssa2002/geographically-distributed-installations-910749902.html

     

    And the following doc on managing TSSA repeaters:

     

    https://docs.bmc.com/docs/tssa2002/managing-repeater-servers-911442711.html

     

     

    Q:  Is it acceptable, if we do Stage copy and Commit on deferent days?

     

    A: Yes, you can do that.

     

    https://docs.bmc.com/docs/tssa2002/patch-management-overview-and-workflow-910752577.html

     

    https://docs.bmc.com/docs/tssa2002/phase-scheduling-and-execution-910753682.html

     

     

    Q: To remediate the patches it takes too much time for Windows OS patching. What all parameters we need to take care of to remediate patches in minimum time?

     

    A: This can definitely vary based on individual setups for different customers.  I would encourage you to open a support ticket, if you are experiencing this issue.  One trick is to reboot servers beforehand. That reduces the amount of time for windows to create restore points before applying patches.

     

    Also please see the following KA on this topic:

     

    https://communities.bmc.com/docs/DOC-74405

     

    Q:  While creating the Windows / Redhat catalog, if we already consider few roles, then why after download the patches. all included role does not have permission. We have to update the permission at catalog / patches level.

     

    A: A RBAC policy needs to be added if multiple roles need access to catalogs.  We are now showing how to add permissions for multiple roles using RBAC Policy.

     

    Please also see the following KA on this topic:

     

    https://communities.bmc.com/docs/DOC-115477

     

    Q: We are now showing how to add permissions for multiple roles using RBAC Policy. ?? is there any video / docs to fix it.

     

    A: We have shown how to add permissions on multiple roles in the webinar. You can review the recording post the webinar.

     

    Please also see the following KA on this topic:

     

    https://communities.bmc.com/docs/DOC-115477

     

     

    Q: Is there any major changes between BSA Application 8.9.03.x and 8.9.04.x , especially in patching activity.

     

    A: Here are the release notes for what changed between 8.9.03 and 8.9.04, but nothing huge specific to Windows Patching:

     

    Also, the three 8.9.04 Patches:

     

     

    Q: Should the username used to run DPDTrace be the same user used to run the TSSA Patching?

     

    A: In the DPDTrace tool the user name must be a local administrator user. It is not the TSSA userid.

     

    Q: We have patch installed already but the version still shows as missing. and BSA shows as missing. what could be the issue?

     

    A: We have covered some of the scenarios in the webinar. (perceived False Positive)  If the steps mentioned do not help, please raise a case with BMC Support with the logs mentioned. Please refer to the following blog (especially section 1) for details :

    https://communities.bmc.com/community/bmcdn/truesight-server-automation/blog/2019/12/20/helix-support-tssa-windows-patch-analysis-issues-useful-knowledge-articles-and-videos

     

    Q: Different between 3rd and 4th option?

     

    A: This doc page should answer that clearly for you - https://docs.bmc.com/docs/tssa2002/specifying-job-options-910753689.html   This one is also useful to see how the different options can interact - https://docs.bmc.com/docs/tssa2002/interactions-between-reboot-settings-910753690.html

     

    Q: What is the best option to fix the agent not responding issue permanently?

     

    A: There is no single fix.  Agents may not be able to respond for multiple reasons.  If you are having an issue, I suggest you open a support ticket and we can delve deeper into your particular issue.

     

    Please see the following Troubleshooting Guide on this topic:

     

    https://docs.bmc.com/docs/tssa2002/rscd-agent-troubleshooting-911443079.html

     

    Q: What effect, if any, would there be by manually updating the permissions for a patch catalog outside of adding the RBAC policy and running a catalog update?

     

    A: If the role running the Catalog update job is not able to see the patch post the manual update of the permission, the catalog update job will fail.

    As long as the role running the catalog update job has access to the patch, the Catalog update job should run fine.

     

    Q: What is the best practice here? I have had issues where servers fail patch job because of pending reboot from previous patch when I choose to ignore item defined reboot and reboot at the end. Moreover, when the patch job fails, the server is not rebooted so I have to manually reboot the server.

     

    A: There is no single best practice.  The safest bet when patching windows is to reboot Windows before patching and then do so after patching, but these options are present because different users have different needs.

     

    Please see the following Blog post which discusses TSSA Windows Patch Analysis and the Pending Reboot state:

     

    https://communities.bmc.com/community/bmcdn/truesight-server-automation/blog/2020/04/30/helix-support-truesight-server-automation-windows-pending-reboot-status-and-the-effect-on-windows-patch-analysis-remediation

     

    Q: How can I configure patch job to reboot server even if job fails. Also, how can I configure job to re-run automatically after said reboot is completed so that it may succeed next time around?

     

    A: The target servers will not be rebooted if a job fails. If this is a feature which you think would be useful for you (reboot target server and rerun on failure) please create a support case with details so we can log a Product Improvement request.

     

    Q: Can I use smart groups from two different catalogs in single patch analysis / deployment job?

     

    A: You can use multiple smart groups as include lists and exclude lists but only from a single catalog.

     

    Q: My File server is getting increased due to the catalog files, is there a script or automatic way to clean up the hotfix files ? If so, please let me know.

    Also, my repeater server is facing same problem with hotfix files from age old dates. Do we have a mechanism to clean the files from repeater servers as well ?  As of now, we are using Windows servers for both File server & Repeaters.

     

    A: Check this communities BLOG, it might be useful to you on this topic - https://communities.bmc.com/community/bmcdn/truesight-server-automation/blog/2020/02/13/removing-old-patches-files-from-a-patch-repository

     

    Also please see this link about how to perform Repeater cleanup:

     

    https://docs.bmc.com/docs/tssa2002/types-of-data-commonly-included-in-cleanups-911442475.html

     

     

     

    Q: Why does BMC not provide a job to auto-add all products to the default xml list?

     

    A: There are some technical reasons why some patches need to be excluded. For example, Office 365 patches need to be excluded as they use an unsupported update process.

    --

     

    TrueSight Server Automation