Difference between revisions of "Windows Patch Management"

From UMIACS
Jump to navigation Jump to search
 
(7 intermediate revisions by the same user not shown)
Line 1: Line 1:
'''Note: As of version 2017 LANDesk has rebranded to Ivanti. Some shortcuts/etc. may now be referenced by Ivanti rather than LANDesk.'''
+
In order to combat the ever increasing number of 3rd party security vulnerabilities on Windows machines, UMIACS staff has deployed Ivanti Security and Compliance Manager. As security threats have evolved from the operating system to applications we have had to take this step in order to maintain operational security for the Institute. Currently the updates are focused on applications that are exposed to the internet such as web browsers, teleconferencing solutions, Adobe Flash, Java, etc.
  
In order to combat the ever increasing number of 3rd party security vulnerabilities on Windows machines, UMIACS staff has deployed LANDesk Patch Manager. As security threats have evolved from the operating system to applications we have had to take this step in order to maintain operational security for the Institute. Currently the updates are focused on applications that are exposed to the internet such as Firefox, Flash, Acrobat, Java, etc.
+
Ivanti is currently deployed on all UMIACS-supported [[Windows]] desktops as well as [[Windows/LaptopSupport#UMIACS_Enterprise_Laptop_Support | Enterprise supported]] Windows laptops and home machines.
 
 
LANDesk is currently deployed on all UMIACS-supported [[Windows]] desktops as well as [[Windows/LaptopSupport#UMIACS_Enterprise_Laptop_Support | Enterprise supported]] laptops and home machines.
 
  
 
==Automated Scanning==
 
==Automated Scanning==
Patches are deployed during the week leading up to the [[MonthlyMaintenanceWindow|maintenance window]].
+
Patches are deployed during the week leading up to the [[MonthlyMaintenanceWindow|maintenance window]]. Specifically, they will always be released on the Wednesday that falls between the 9th and the 15th of every month, and typically in the morning.
*'''Desktops''' will scan for updates to be installed every night between 7:30pm and 9:30pm. If you are not logged in during those times, the system will automatically install the patches and reboot if necessary. If you remain active on your system during those times, you will see a popup with the scan beginning and (once patches are downloaded) a prompt from LANDesk asking to begin installing patches.
+
*'''Desktops''' will scan for updates to be installed every night between 7:30pm and 9:30pm. If you are not logged in during those times, the system will automatically install the patches and reboot if necessary. If you remain active on your system during those times, you will see a popup with the scan beginning and (once patches are downloaded) a prompt from Ivanti asking to begin installing patches.
*'''Laptops''' will scan for updates to be installed at least once every day (assuming the laptop is powered on). This will only occur when the laptop has an active Internet connection (wired or wireless). You will receive a notice from LANDesk when the patches are ready to be installed.  
+
*'''Laptops''' will scan for updates to be installed at least once every day (assuming the laptop is powered on). This will only occur when the laptop has an active Internet connection (wired or wireless). You will see a popup with the scan beginning and (once patches are downloaded) a prompt from Ivanti asking to begin installing patches.
  
Installation can be deferred until lock/logoff if desired. If you do not respond to the prompt within a given time, installation will automatically proceed:
+
Installation can be deferred until lock/logoff if desired. If you do not respond to the prompt within a given amount of time, installation will automatically proceed:
 
*'''Desktops''': 24 hours
 
*'''Desktops''': 24 hours
 
*'''Laptops''': 3 hours  
 
*'''Laptops''': 3 hours  
  
If a reboot is required after installation finishes, you will receive another pop up. It is highly suggested to reboot right away due to system instability and vulnerability. However, reboot can be deferred for a maximum of another 6 days if desired. If you do not respond to the prompt within a given time, the machine will automatically reboot:
+
If a reboot is required after installation finishes, you will receive another pop up. It is highly suggested to reboot right away due to system instability and vulnerability. However, reboot can be deferred for up to 6 days if desired. If you do not respond to the prompt within a given amount of time, the machine will automatically reboot:
 
*'''Desktops''': 24 hours
 
*'''Desktops''': 24 hours
 
*'''Laptops''': 9 hours
 
*'''Laptops''': 9 hours
 +
 +
If you interrupt the installation process between when the first patch begins installing and when the last patch finishes installing, Ivanti may ask to reboot before continuing to install the remaining patches next time it pops up. This is by design. If you would like to avoid multiple reboots on a machine that is used intermittently (such as a laptop), we would recommend starting a manual scan just before you stop using the machine for the night and then letting the machine download and apply all patches overnight. See below section for how to do this.
  
 
==Manual Scanning==
 
==Manual Scanning==
This should only need to be done on laptops or home machines in the event that LANDesk has not had a large enough time window to scan your computer since last month's patches were released. '''Please note you will need an active Internet connection for this to work, however you do not need to be on the UMIACS [[VPN]].'''
+
This should only <b>need</b> to be done on laptops or home machines in the event that Ivanti has not had a large enough time window to scan your computer since last month's patches were released, but can be optionally done if you see fit. '''Please note you will need an active Internet connection for this to work, however you do not need to be on the UMIACS [[VPN]].'''
  
# Search for "Security Scan" from the Start menu and click it. The scan will begin. Patches will be detected and downloaded.
+
# Search for "Security Scan" from the Start menu and click the result that shows up (should show a shield icon). The scan will begin. Patches will be detected and downloaded.
#* '''Note''': The scan may fail on the "Checking for other running scanners" step if LANDesk is already running an invisible scan in the background. If this occurs, wait 10-15 minutes and then retry the scan.
+
#* '''Note''': The scan may fail on the "Checking for other running scanners" step if Ivanti is already running an invisible scan in the background. If this occurs, wait 10-15 minutes and then retry the scan.
 
#: [[File:Landesk1.png]][[File:Landesk2.png]]
 
#: [[File:Landesk1.png]][[File:Landesk2.png]]
 
# After all patches have been downloaded, you will be prompted to allow the install to begin.
 
# After all patches have been downloaded, you will be prompted to allow the install to begin.
Line 28: Line 28:
 
# After all patches have been installed, you may be prompted to reboot.
 
# After all patches have been installed, you may be prompted to reboot.
 
#: [[File:Landesk4.png]]
 
#: [[File:Landesk4.png]]
 +
# If you do not want to reboot immediately, you can click on the 'Remind me in:' drop down menu and click 'More options...'
 +
#: [[File:Landesk5.png]]
 +
# Click the 'Remind me on' radio button and choose a date and time before the deadline (it will tell you what the deadline is). Then click 'Remind me later'.
 +
#: [[File:Landesk6.png]]

Latest revision as of 13:53, 15 September 2020

In order to combat the ever increasing number of 3rd party security vulnerabilities on Windows machines, UMIACS staff has deployed Ivanti Security and Compliance Manager. As security threats have evolved from the operating system to applications we have had to take this step in order to maintain operational security for the Institute. Currently the updates are focused on applications that are exposed to the internet such as web browsers, teleconferencing solutions, Adobe Flash, Java, etc.

Ivanti is currently deployed on all UMIACS-supported Windows desktops as well as Enterprise supported Windows laptops and home machines.

Automated Scanning

Patches are deployed during the week leading up to the maintenance window. Specifically, they will always be released on the Wednesday that falls between the 9th and the 15th of every month, and typically in the morning.

  • Desktops will scan for updates to be installed every night between 7:30pm and 9:30pm. If you are not logged in during those times, the system will automatically install the patches and reboot if necessary. If you remain active on your system during those times, you will see a popup with the scan beginning and (once patches are downloaded) a prompt from Ivanti asking to begin installing patches.
  • Laptops will scan for updates to be installed at least once every day (assuming the laptop is powered on). This will only occur when the laptop has an active Internet connection (wired or wireless). You will see a popup with the scan beginning and (once patches are downloaded) a prompt from Ivanti asking to begin installing patches.

Installation can be deferred until lock/logoff if desired. If you do not respond to the prompt within a given amount of time, installation will automatically proceed:

  • Desktops: 24 hours
  • Laptops: 3 hours

If a reboot is required after installation finishes, you will receive another pop up. It is highly suggested to reboot right away due to system instability and vulnerability. However, reboot can be deferred for up to 6 days if desired. If you do not respond to the prompt within a given amount of time, the machine will automatically reboot:

  • Desktops: 24 hours
  • Laptops: 9 hours

If you interrupt the installation process between when the first patch begins installing and when the last patch finishes installing, Ivanti may ask to reboot before continuing to install the remaining patches next time it pops up. This is by design. If you would like to avoid multiple reboots on a machine that is used intermittently (such as a laptop), we would recommend starting a manual scan just before you stop using the machine for the night and then letting the machine download and apply all patches overnight. See below section for how to do this.

Manual Scanning

This should only need to be done on laptops or home machines in the event that Ivanti has not had a large enough time window to scan your computer since last month's patches were released, but can be optionally done if you see fit. Please note you will need an active Internet connection for this to work, however you do not need to be on the UMIACS VPN.

  1. Search for "Security Scan" from the Start menu and click the result that shows up (should show a shield icon). The scan will begin. Patches will be detected and downloaded.
    • Note: The scan may fail on the "Checking for other running scanners" step if Ivanti is already running an invisible scan in the background. If this occurs, wait 10-15 minutes and then retry the scan.
    Landesk1.pngLandesk2.png
  2. After all patches have been downloaded, you will be prompted to allow the install to begin.
    Landesk3.png
  3. After all patches have been installed, you may be prompted to reboot.
    Landesk4.png
  4. If you do not want to reboot immediately, you can click on the 'Remind me in:' drop down menu and click 'More options...'
    Landesk5.png
  5. Click the 'Remind me on' radio button and choose a date and time before the deadline (it will tell you what the deadline is). Then click 'Remind me later'.
    Landesk6.png