I’ll be the first to admit it’s hard to maintain Windows Server patches, even with a full-time patch management team. It seems like there’s always a new exploit, which in turn means a new critical security patch around the corner these days. I help advise companies on how to make their environments better, but it’s hard to maintain my own with my busy schedule. I have a mixed server environment of Server 2016 and Server 2012 R2 like many organizations out there. I didn’t want to set up a full Microsoft System Center Configuration Manager (SCCM) server infrastructure in my environment, so I decided to try something my peers have been using and claimed was very easy to use: Ivanti Patch for Windows (previously known as Shavlik Protect). What really attracted me to it was that it patches not only the Windows OS but applies third-party patches as well for apps you have installed on your servers. It can patch servers in an agentless mode too, which is a big plus because I try to run my servers lean for optimal performance. If you have an existing SCCM environment you can extend it to patch third-party software as well using a different Ivanti Patch for SCCM installer. I decided to give Patch for Windows a shot and thought I’d share my experience with it.
1. First download Ivanti Patch for Windows from the Ivanti website and install it on a server. I chose to install it on a dedicated Server 2016 VM I just spun up. The version I downloaded was “IvantiPatchForServers_9.3.4510.exe”:
2. Run it and hit Yes to the UAC prompt:
3. A Microsoft SQL Server database is required for it. Since this was for testing I chose to hit Yes for it to install a SQL Server Express database locally. In a production environment you should use a remote SQL Server database:
4. The installer will now check for prerequisites. If any are missing, as they were on mine, don’t worry: hit Install and it will download and install them automatically for you:
5. It sat there for a while and I was curious whether it was actually downloading anything. To verify, open Task Manager; you can see it was pulling down the prerequisite installers at a pretty decent speed:
6. Once the prerequisites have finished installing automatically, you’ll get this screen to begin the setup. Hit Next:
8. I like to have a shortcut on the desktop so I checked that and hit Next:
9. You can choose to join or not join the Product Improvement Program here if you like:
11. I’m using SQL Express locally and this is a brand new setup, so I left the “Create a new database” option selected and hit Next:
12. On the SQL Express settings, you can choose to use IWA (Integrated Windows Authentication) or SQL authentication. It will create a new database called “Protect”. I chose SQL authentication and provided the SQL service account credentials I wanted to use:
13. Hit Next once the DB installation is complete:
15. Check the “Launch Ivanti Patch for Windows Servers” check box and hit Finish:
16. Here you can choose to add a license if you have one or use Trial mode. I chose Trial mode and hit Activate online now:
17. It will say activation was successful. Hit Close:
18. You will see the Ivanti Patch for Windows Servers splash screen next. It may sit on “Importing patch definitions…” for a bit as it pulls them down:
19. And now you will see the Ivanti Patch console. I give my operation a name, select My Domain, and hit Scan Now so that it can scan all my domain joined servers:
20. It will return all the machines it found and their current patch status on a screen called Operations Monitor. Some of my VMs are turned off right now, which is why they could not be contacted in this screenshot. You can see at a glance that I’m not too bad off here: most servers are only missing 4-6 patches, another batch is missing 26-32 patches, and I’ve got one server at 122 missing patches that seems like it hasn’t been patched in a really long time for some reason. Whoops. I have no idea why, but obviously I need to investigate this straggler:
21. Back to the main console, I can see more detailed results of the scan. I can click on a single server on the top screen or a single patch in the middle screen to get more details:
22. On the bottom half of the screen, once I have clicked on a patch it will show me the number of affected machines that are missing it, in this case 19. Below that it shows the patch info and links to the Microsoft KB article and the CVE, if applicable, in case you want to do further reading.
23. There is also a really nice Executive Summary which will give you a one-page PDF of your patch scan. This is great to hand to management to give a good summary of what’s going on. You can see here that the majority of my missing patches are rated Critical or Important, which is expected. I have 409 missing patches and 923 patches installed otherwise. That’s not acceptable in an enterprise environment, so I definitely need to do better.
24. Back on the Operations Monitor, I can select all the machines and hit “Deploy all missing patches” to begin the patch deployment. You can also do test deployment if needed.
25. I need to give it some machine credentials to begin the deployment. You can hit New and give it some service account credentials so that it can perform the updates on the targeted servers:
26. Here I give it a nickname, the domain user name for the service account, and the password:
28. Verify your deployment settings. I chose to deploy Now instead of scheduling it for night, since I know my environment doesn’t have much traffic at the moment. It also shows it needs about 5.79 GB of disk space to download patches. You’ll also note in this screenshot I have some arrows pointed at third-party patches, in this case VMware Tools updates. Hit “Deploy (machines will reboot)” to continue:
29. It will now begin to download the patches. It may take a bit of time depending on your Internet speed and number of patches it is downloading:
30. Soon you’ll see the server names populate and their patching progress:
31. You can hit the Deployment Tracker and change the update speed to High (10 seconds) so that you are getting faster reports back from the servers. Remember, this is an Agentless deployment of patches I’m doing here. You can see now my servers are in various stages of patching:
32. After more time goes by, you can see many servers are Finished, some are Complete and awaiting a reboot, one is still patching, and one is Complete but could not be verified. That server ended up coming back up from a reboot when I checked on it after taking this screenshot, so that was likely why it was not verified yet. I’m really happy about how fast I was able to scan and patch my environment. It visually kept me aware of the progress the whole time:
33. I had accidentally selected my Ivanti Patch server itself during the patching. It wasn’t a big deal, and I actually got to experience what it would look like to people logged into servers and working while I was patching and the server needed a reboot. You can see it pops up with this message before the reboot and allows the logged-in user to extend the reboot timer or reboot immediately if they just want to get it out of the way:
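Before (or between) Ivanti scans, a quick agentless triage of domain-joined servers with built-in cmdlets can flag stragglers like the 122-patches-missing server above. This is an added example, not code from the guide or from Ivanti; it assumes the RSAT ActiveDirectory module is installed, that the servers accept remote WMI/RPC from your account, and that a 60-day threshold is a reasonable cut-off for your environment.

```powershell
# Added example (not part of the original guide or of Ivanti Patch):
# coarse patch-age triage of domain-joined Windows servers.
# Assumptions: RSAT ActiveDirectory module present; remote WMI/RPC allowed;
# 60 days since the last installed hotfix counts as a "straggler".
Import-Module ActiveDirectory

$thresholdDays = 60

# Enumerate server-class computer objects from AD (filter is an assumption).
$servers = Get-ADComputer -Filter 'OperatingSystem -like "*Server*"' -Properties OperatingSystem |
    Select-Object -ExpandProperty Name

$report = foreach ($name in $servers) {
    # Skip powered-off VMs quickly instead of waiting on an RPC timeout.
    if (-not (Test-Connection -ComputerName $name -Count 1 -Quiet)) {
        [pscustomobject]@{ Server = $name; LastPatch = $null; DaysSince = $null; Status = 'Unreachable' }
        continue
    }
    try {
        # Get-HotFix reads Win32_QuickFixEngineering; InstalledOn can be empty
        # for some entries, so drop those before picking the newest.
        $last = Get-HotFix -ComputerName $name -ErrorAction Stop |
            Where-Object { $_.InstalledOn } |
            Sort-Object InstalledOn -Descending |
            Select-Object -First 1

        if ($null -eq $last) {
            $days = $null; $status = 'NoHotfixHistory'
        } else {
            $days = (New-TimeSpan -Start $last.InstalledOn -End (Get-Date)).Days
            $status = if ($days -gt $thresholdDays) { 'Straggler' } else { 'OK' }
        }
        [pscustomobject]@{ Server = $name; LastPatch = $last.InstalledOn; DaysSince = $days; Status = $status }
    } catch {
        # Access denied, firewalled WMI, etc. are findings too; record them.
        [pscustomobject]@{ Server = $name; LastPatch = $null; DaysSince = $null; Status = "Error: $($_.Exception.Message)" }
    }
}

# Oldest patch dates first; stragglers and errors are what to investigate.
$report | Sort-Object DaysSince -Descending | Format-Table -AutoSize

# Hand the short list to whoever owns those boxes.
$report | Where-Object { $_.Status -ne 'OK' } |
    Export-Csv -Path .\patch-triage.csv -NoTypeInformation
```

Get-HotFix only reports what Windows records as installed hotfixes, so treat this as a quick "when was this box last touched" check, not a substitute for the full missing-patch scan the console performs.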
And there you have it, my experience getting my environment patched and up to date using Ivanti Patch. It was pretty easy and I can see why my peers recommended it. It has a lot of cool features like automating/scheduling scans, setting reboot options, patching both online and offline VMs, taking snapshots before patching, patching my ESXi hosts, waking up offline machines for patching, etc. Those are features I haven’t tested yet but intend to in time. I just wanted to show the basics in this guide, and my experience so far has been pretty positive with it. Please leave a note below if you have any comments or questions.
Jason Samuel is a visionary product leader and trusted advisor with a proven track record of shaping strategy and driving technology innovation. With extensive expertise in enterprise end-user computing, security, cloud, automation, and virtualization technologies, Jason has become a globally recognized authority in the IT industry. His career spans consulting for hundreds of Fortune 500 enterprises across diverse business sectors worldwide, delivering cutting-edge digital solutions from Citrix, Microsoft, VMware, Amazon, Google, and NVIDIA that seamlessly balance security with exceptional user experiences.
Jason’s leadership is amplified by his dedication to knowledge-sharing as an author, speaker, podcaster, and mentor within the global IT and technology community. Recognized with numerous prestigious awards, Jason’s contributions underscore his commitment to advancing technology and empowering organizations to achieve transformative results. Follow him on LinkedIn.
Vic
July 24, 2018 at 3:39 PM
We’ve been using BatchPatch for a really long time. So long that we’ve seen it grow in features.
It’s just a standalone executable that relies on psexec.exe. It’s far more rich in features and it doesn’t require a database.
I personally can’t live without it for large environments.