Security is definitely a hot topic at the moment. ITSec is becoming relied upon more and more within organizations as hackers get much more advanced in their attacks. One of the key consideration these days is Windows and application patch compliance. It is now becoming imperative to get a high hit rate when it comes to delivering the monthly security updates. Gone are the days when 90% -95% success rate is acceptable to the organization. There is a drive to push those numbers even higher.
Adaptiva has taken a holistic approach to patch compliance and has designed and released an array of new Adaptiva Client Health checks and remediations specifically aimed at improving patch compliance. With its advanced workflow engine and prebuilt Health Checks you can take advantage of the detection and remediation of the most common issues related to poor Security Update coverage.
The new Health Checks can validate several health issues including:
- Has the Windows scan cycle taken place on the client?
- Has the client got the latest update catalogue version
- Has the client received the correct Windows Update Group Policy (GPO) settings
- Many more
All the above and more can affect the ability for the client to install updates and it can easily be detected and remediated with very little to no configuration.
Let’s talk about the Health Checks themselves and interrogate each check in the Windows Update Health Check Library to see how they can help.
Windows Update Scan Cycle
Before a client can install a Windows Update it must first know which ones are available and required. The Windows Update Agent (WUA) connects to the WSUS server and retrieves the software updates as metadata and then scans the client computer for software update compliance. If the scan never takes place the client will never install any updates.
The Windows Update Scan Cycle Health Check interrogates the client in real time for the last time the scan cycle was performed and if it has not run within a set timeframe (last 7 days for example), then the client is deemed unhealthy and will be reported as so. This means we can quickly identify any clients that are having update cycle issues and begin remediation.
When an organization is using ConfigMgr to deploy security updates, the client is sent a deployment assignment for a group of updates. The ConfigMgr client performs a scan and if any updates are required they will be installed. This is reported on the client that the assignment is either compliant or non-compliant. To be compliant, all of the updates in the assignment need to be either installed or not required. If there is a problem with the ConfigMgr client or WUA some updates may have failed to install and could create a bottleneck for future updates.
By using the Non-Compliant Assignment Health Check we can interrogate the client in real time for any non-compliant assignments and quickly generate a list of affected machines ready for further investigation and remediation as this could indicate that the client is broken.
Software Update Metadata
As well as validating the Windows update cycle has run there is also a need to make sure the metadata on the client is at the same version as that on the WSUS server. If the versions are different the client could have an old update list and thus not install the latest updates.
Implementing the Software Update Metadata Health Check, provides the ability to instantly interrogate the client in real time and confirm the Update Metadata from the client is the same as the WSUS server. If the versions are different, the client is deemed unhealthy. This Health Check provides the ability to auto remediate the issue by re-syncing the updates metadata with the WSUS server.
Having a system in an organization that has been online for a long period, more than 31 days for example, or is sitting waiting for a reboot, can all affect the ability for a new update to install, leaving the client vulnerable.
There are many reasons why a client could be left in a state of requiring a reboot. A previous update or application may have been installed or a new feature may have been enabled. If this is left unchecked, a backlog of updates could build up over time, so it is highly recommended to prevent clients from being online for more than 31 consecutive days.
By making use of the System Uptime Health Check we can detect all systems that have been online for a selected period along with detecting any that require a reboot. This means we can proactively schedule in a reboot to keep the security updates flowing as normal.
Windows Update GPO Settings
If an organisation uses a Group Policy Object (GPO) or ConfigMgr to control Windows Update Settings on a client, such as which WSUS server to use for example, monitoring that the GPO is being applied correctly could be the difference between having updates applied or not.
By applying the Windows Update GPO Health Check, we can instantly validate the settings are correct on the estate and put in remediation steps to correct them if not.
Windows Update Repair
There comes a time when a client’s local Windows Update database requires a repair, the good news is we don’t need the old commands and scripts that we have been running for years. We now have a Windows Update Repair Workflow that can repair it.
When all else fails, an Adaptiva Client Health check can be deployed that will perform a full repair operation on the local Windows update agent with just a few simple clicks.
Software Update Scan Errors
The ConfigMgr client uses the Windows Update agent to scan the system for installed updates and compare those updates to the local catalogue to see which are required and which are already compliant. One of the components of this is the scan agent which initiates the compliance scan. If this scan cycle fails or errors in some way it can prevent the detection and further installation of updates.
The Software Update Scan Errors health check will check for any errors reported by this component and report back up to the last 10 errors.
Check Into Automated Security
In addition to these new health checks, Adaptiva Client Health comes shipped with over 100 other health checks and remediations. They cover everything from the Windows Update
Agent itself, through Network Settings, WMI, Operating System Checks, PowerShell, Security and many others.
The real power and benefit of the Adaptiva Client Health application however, is in its ability for an organization to create their own health checks and remediations using Adaptiva’s powerful workflow engine and designer. This allows customers to leverage a full visual orchestration engine to design new (or customize existing) health checks.
Within just a few minutes and without writing a single line of code, script, query language or knowing any kind of syntax, even Administrators that are new to systems management can stand up new very powerful workflows and Client Health Check objects that can check for and remediate a plethora of system or application health or compliance issues.
If you are interested in acquiring the new health checks or are new to Adaptiva Client Health and would like to see more, request a demo. Our experts would love to take time to learn about your challenges and help you find the best ways to solve them.