Initial Setup of Ivanti’s EPM Patch Management

The Patch and Compliance module is arguably one of Ivanti’s best features for a sysadmin. It lets you download definitions not only for Microsoft products but also for other vendors such as Mozilla, Google, and many more. Today I will run through a basic setup of Ivanti’s EPM Patch and Compliance module.

Patch Setup Walkthrough

  1. Open the EPM console.
  2. Select Tools, Security, and Patch and Compliance.
  3. Select Download.
  4. On the Download updates page, you now have a few different things to choose:
    • On the left side, you will select the definitions you wish to download or remediate.
    • On the right side, select the languages for your definitions.
    • Download patches: Only detected definitions (this saves disk space as you won’t download updates for everything – just discovered vulnerabilities).
    • Definition group: Unassigned (your choice, but I keep everything in Unassigned unless I’m actively using it).
  5. Select definition download settings at the bottom of the download updates page.
  6. Here you can create rules that apply to specific definitions as they are downloaded, e.g., mark any vulnerability rated critical from vendor ‘Microsoft’ and assign it to Scan Global. Scan Global gives you visibility into devices that require the patch without automatically remediating them. You can also be more aggressive and set all vulnerability definitions whose product name contains ‘Firefox’ to Scan Global and Autofix. Autofix scans and remediates as soon as new versions of Firefox are detected by EPM. There are additional features such as disabling superseded (replaced) definitions, tagging, groups, and rollout groups. Once you are done, select Close.
  7. Select the Patch location tab.
  8. Ensure your UNC path and web URL are set correctly and are accessible by your client workstations. Additional settings I’d recommend are grouping your updates by vendor and enabling the patch cleanup tasks.
  9. Finally, select Schedule download, select Create, and adjust the scheduled task settings. For our example, we set it to download now and repeat daily; repeating daily ensures you always have the latest definitions. If you decide against scheduling your downloads, you can trigger them manually by selecting Download now, which launches the download progress window.
  10. The last thing I’d recommend is scheduling a Gather historical information task. Under Patch and Compliance, select Schedule tasks, then Gather historical information.
  11. Select Create a task and schedule it to repeat daily.
  12. At this point, you’ve established your basic patch management settings and can now go through the process of deciding which patches to deploy, which to ignore, and which to schedule through a rollout group for testing.
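Step 8 asks you to confirm that the UNC path and web URL on the Patch location tab are reachable from a client. The following PowerShell is an added example, not code from Ivanti or the original post, for checking exactly that from a workstation; the core server name, share path, URL and sample file name are placeholders you replace with the values from your own Patch location tab.

```powershell
function Test-EpmPatchLocation {
    # Run this on a client workstation (not the core server), ideally as the
    # account the EPM agent uses, so the check reflects what clients actually see.
    param(
        [Parameter(Mandatory)] [string]$UncPath,   # e.g. \\CORESERVER\ldlogon\patch (placeholder)
        [Parameter(Mandatory)] [string]$WebUrl,    # e.g. http://CORESERVER/ldlogon/patch/ (placeholder)
        [string]$SampleFile                         # a file known to be in the patch folder (placeholder)
    )
    $result = [ordered]@{ UncReachable = $false; WebReachable = $false; SampleMatches = $null }

    # 1. Can the client open the share? Clients only need read access here;
    #    write access would let a workstation alter the patch payloads.
    $result.UncReachable = Test-Path -LiteralPath $UncPath

    # 2. Does the web location answer? HEAD a specific file when one is given,
    #    because the folder URL may return 403 if directory browsing is off.
    $probeUrl = $WebUrl.TrimEnd('/') + '/'
    if ($SampleFile) { $probeUrl += $SampleFile }
    try {
        $resp = Invoke-WebRequest -Uri $probeUrl -Method Head -UseBasicParsing -TimeoutSec 15
        $result.WebReachable = ($resp.StatusCode -eq 200)
    } catch {
        Write-Warning "Web URL check failed for ${probeUrl}: $($_.Exception.Message)"
    }

    # 3. Confirm the same file is served by both paths with identical content.
    #    A mismatch usually means the share and the web root point at different folders.
    if ($SampleFile -and $result.UncReachable -and $result.WebReachable) {
        $uncHash = (Get-FileHash -LiteralPath (Join-Path $UncPath $SampleFile) -Algorithm SHA256).Hash
        $tmp = Join-Path $env:TEMP ("epm-check-" + $SampleFile)
        Invoke-WebRequest -Uri $probeUrl -OutFile $tmp -UseBasicParsing -TimeoutSec 60
        $webHash = (Get-FileHash -LiteralPath $tmp -Algorithm SHA256).Hash
        Remove-Item -LiteralPath $tmp -ErrorAction SilentlyContinue
        $result.SampleMatches = ($uncHash -eq $webHash)
    }
    [pscustomobject]$result
}

# Placeholder values: substitute the UNC path, URL and a real file name from your Patch location tab.
Test-EpmPatchLocation -UncPath '\\CORESERVER\ldlogon\patch' `
                      -WebUrl 'http://CORESERVER/ldlogon/patch/' `
                      -SampleFile 'example-patch.exe'
```

Any row showing $false points at the share permissions, web server configuration, or firewall path between that client and the core server, which is worth fixing before the scheduled download starts populating the folder.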