6 Replies Latest reply on Apr 12, 2011 9:56 AM by Steffen Kreis

    Microsoft Security Patching Setup

    Rob Slattery

      I have not created/performed security patching on BladeLogic so I was wondering if someone would/could answer several questions for me.  I've read the entire users guide on patching (information all over the place) and I'm still a bit confused.


      -  I'm guessing the first thing one should do (if not using OOB catalog) is to create a Windows patch catalog under depot which I have done - I've named it patch catalog.

      -  Next, we should create a patch job under jobs which I have done - I named it patch analysis.

         -  First question, after the catalog has been created and the hotfixes, bulletins, and irrelevant patches have been created, is there anything else we should do under the depot folder?

         -  Second question, when right clicking on the newly created catalog, there are several options and three of which I'm wondering the differences of:

            Update Catalog and the Red Arrow pointing down; what are they used for, does one overwrite while the other just updates?

            -  What is the benefit of using Analyze Using This Catalog since there's a job we need to create under the jobs section?

      -  Under Jobs, I created the Windows patching job as stated above and ran it against six (6) test servers and the job failed.

         -  What does this error mean?:  No successful catalog update run found for catalog: Patch Catalog


      I don't know where to go from here but figured to stop and ask questions - thanks.

        • 1. Microsoft Security Patching Setup
          Jim Campbell

          When you created the catalog, it contained no patches and was just a shell.  Hotfixes, Bulletins, and Irrelevant patches are just smart groups that filter the individual hotfixes/bulletins that are in the Patch Catalog in the same way that server smart groups filter servers by various criteria.  You can expand these smart groups to see how many hotfixes/bulletins are in them.  You need to run a Catalog Update job to populate the catalog with items that match the filters you have provided.  Typically you will need to run this catalog update job once a month after all of the new Microsoft patches have been published (typically takes a day or two after patch Tuesday).


          'Analyze Using This Catalog' will just go through the process of creating the job you already created.  The only benefit of doing it this way is that it fills in the first step (the catalog to be used) automatically.


          'Update Catalog' updates the metadata for hotfixes/bulletins.  The 'Download' option actually downloads the executables.  This is generally unnecessary as Patch Remediation jobs do this automatically for any hotfix that has not already been downloaded and is needed for packaging up the hotfixes for remediation.  If you were doing analysis and remediation on the fly it might save you some time, but we typically set up our patching jobs hours in advance of actually running them as our patching windows are limited and we can save some time by doing all of the analysis prior to the window.

          • 2. Microsoft Security Patching Setup
            Rob Slattery

            Thank you very much.  I've been creating patch catalogs, read a couple of documents floating around and am confused about a couple of things and hopefully someone can answer my questions below (hopefully, the last of them).


            After I create a catalog, right-click on new catalog, and select update catalog, do I even need to EVER use the download option and if so, why?


            Under jobs, when you select new, then patch jobs, then click on windows patching job, is that the same thing as a patch analysis?


            Finally, how many directories are really needed on your file server when creating a new patch catalog?  The reason I ask, is that when asked where your helper files are you need to specify a path.  Then you're asked for a repository and whatever you type there, gets automatically filled in for your payload.

            • 3. Microsoft Security Patching Setup
              Bill Robinson

              You can download the catalogs during the CUJ if you don't want to do it at runtime of the remediation job creation, or if you don't want to grant the users write access on the catalog.


              Jobs -> Windows patching jobs is the same thing as patch analysis.


              On the file server only 1 directory for the catalog is created under storage/patch/catalog for each catalog.  On the server holding the patch payloads there will be 1 directory for each catalog.  For the Windows 'helper' location you only need to specify a temp dir so the CUJ can decode the Shavlik XMLs.

              • 4. Microsoft Security Patching Setup
                Steffen Kreis

                Hi Bill,


                What do I have to do in order to have the new patches downloaded as part of the CUJ automatically?




                • 5. Re: Microsoft Security Patching Setup
                  Bill Robinson

                  Check the ‘download from vendor’ option in the catalog configuration – it’s right above the box where the filters are defined.

                  • 6. Microsoft Security Patching Setup
                    Steffen Kreis



                    We are using offline catalogs in our environment, and never paid much attention to that tickbox, as we thought it is not relevant for offline catalogs.


                    However, this explains why the catalogs behave differently in two environments.

                    In one Env we have that option ticked, but not in the other.


                    Unfortunately it seems to be set forever once the catalog is created and cannot be changed afterwards.


                    Anyway thanks for clarification.