Product Reviews

Review: Staying Patched with SolarWinds

Patch Manager 1.8 is a useful companion to Windows Server Update Services, and eases the distribution and reporting of patches and security fixes.

Keeping computers up-to-date and safe from malware, viruses and other threats is one of the biggest challenges faced by IT pros. Almost all applications, except maybe calc.exe, must constantly be patched. Some updates are small and simple to apply, while others are complex. Some applications require occasional updates, while others need attention every couple of days to stay current.

If you're managing a handful of computers, keeping them up-to-date is simple. But for larger PC networks -- with 50 machines, or thousands -- patching them is much more difficult, especially if it involves remote and distributed systems.

Microsoft certainly did the IT community a service with Windows Server Update Services (WSUS) for managing the updates it issues. Another great service is the company's popular Patch Tuesday, when patches are issued on the second Tuesday of each month.

WSUS is a robust tool that can help get the largest of environments patched, but it takes a good amount of work and testing to ensure things get approved and applied within the maintenance window so that they don't cause issues. However, there is a viable option to ease the process: A third-party tool from SolarWinds Worldwide LLC can add more functionality to your environment with features that fill the gaps in WSUS.

Inside SolarWinds Patch Manager
SolarWinds Patch Manager is a server-side application that plugs into existing infrastructure -- either Microsoft WSUS or System Center Configuration Manager (SCCM) -- and helps provide additional features to the patch-update game. For this review, I evaluated the new 1.8 release of Patch Manager combined with WSUS.

The top-level dashboard provided by Patch Manager, shown in Figure 1, is similar to the WSUS console: The computers needing updates and the updates needed are displayed. That's where the similarities end and the additional features of Patch Manager take over. Patch Manager categorizes its features into three main areas.


[Click on image for larger view.]
Figure 1. Patch Manager dashboard provides a high-level view of the environment.

Enterprise
This area looks at the environment the server is running in. It includes the WSUS server as well as the nodes that should be managed. The options managed in this section include the following:

  • Update Services includes the WSUS servers in an organization. Updates are managed in this area.
  • Microsoft Windows Network includes the computers within an environment, among them the servers and workstations to be managed.
  • Managed Computers includes the Patch Manager servers within an environment.

Administration and Reporting
Within the Administration and Reporting area of the Patch Manager console there are five sections:

  • Software Publishing allows an administrator to publish pre-built packages of certain third-party applications for deployment as updates by WSUS. Think of this as a way to control the updates for Java, Adobe Reader and even Apple iTunes across an entire environment. Patch Manager supports PC manufacturer BIOS updates in addition to Microsoft and other third-party updates.
  • Task History provides a list of all the tasks that have been run by the Patch Manager server. This can help keep track of which update jobs have run and their status within your environment.
  • Scheduled Tasks is a list of upcoming tasks to provide a bit of an inventory of pending items for an environment. This can be extremely helpful if staggered update tasks are used -- for example, if the workstations in a particular location receive updates on Friday mornings at 12 a.m. and all other workstations receive updates on Saturdays. The Scheduled Tasks node is the area to watch these items.
  • Active Tasks displays a list of the tasks that are currently running on the Patch Manager server.
  • Reporting provides a number of different reports that are preconfigured to find information about an environment. Reports are available for finding computers with needed updates and computers with failed updates. You can also review information for groups of computers or a single computer. If the predefined reports need some manipulation to fit your situation, the reports can be customized and saved to include the changes.

Patch Manager System Configuration
The System Configuration section of the console is where the settings for Patch Manager itself are configured. The available items for configuration include the following:

  • Configure Managed Resources is used to configure sets of resources to be added to Patch Manager; within it, you can select domain and workgroup information.
  • Configure Security and User Management is where Patch Manager security is configured. You'll need at least one user account with enough credentials to manage items within your domain.
  • Configure Patch Manager Management Groups is used to configure management groups, which are used to split resources across large environments with multiple Patch Manager servers. The groups are used to scope the environment and determine which servers will manage the group.
  • View Product Licensing lets you view licensing information for the product.

Indispensable Product
What's great about this application is the depth an administrator can dig into updates. If there's a computer in your environment that you discovered needs Windows 7 SP1, it can be deployed immediately or scheduled to be rolled out at the next WSUS check. Deployed immediately means that the update gets installed at once -- just as if it were downloaded at the console and installed -- using the WSUS repository copy of the update.

Another feature that was quite a lifesaver was the Download from Microsoft Update option. Consider an organization with three offices that needs to deploy an update. Because the WSUS server lives in the corporate headquarters, the other offices would normally either have downstream servers for updates or request updates across VPN links. This can be slow and quite expensive depending on the speed of the VPN tunnels and the amount of other traffic using them.

Patch Manager allows an option to be specified that will point the computers receiving updates as part of this job to download them directly from the Microsoft Update catalog over the Internet. The corporate WSUS server determines which updates are needed and what has been applied, but then points the clients out to the Internet for the files. This keeps traffic off any VPN connections (other than the initial check-in and any polling that might be done). The bulk of the download is done over the Internet, with no VPN required.

When I first looked at the Patch Manager application, I thought more features for a WSUS environment might be unnecessary because much of what comes in the box with WSUS is just about enough to manage updates. After testing the SolarWinds product and seeing just how many features there are that bring additional functionality to an existing environment, there are now features I'm not sure I could live without.

REDMOND RATING
Installation: 20%
9.0
Features: 20%
9.0
Ease of Use: 20%
8.0
Administration: 20%
7.0
Documentation: 20%
7.0
Overall Rating:
8.0

Key: 1: Virtually inoperable or nonexistent  5: Average, performs adequately   10: Exceptional

Like any new tool, there's a learning curve, but with some regular use and the SolarWinds support and product teams available to help, any admin can use Patch Manager. The community that SolarWinds has built around the products it creates does not disappoint. When you visit thwack.solarwinds.com you'll find a wealth of information from the company and customers using its products. It's a great place to get help when it's needed.

SolarWinds Patch Manager 1.8

Starts at $2,995 for 250 nodes
SolarWinds Worldwide LLC
866-530-8100
solarwinds.com



comments powered by Disqus
Upcoming Events

Redmond Tech Watch

Sign up for our newsletter.

I agree to this site's Privacy Policy.