PatchAutomation and ZeroDayPatch is a tool for managing Patch Policies in the SMP.
This tool was original created by Ludovic Ferre.
ITMS 8.5 was released recently, so it is time for the Patch Automation toolkit to receive it's new addition to the familly: Version 13, built for 8.5 :D.
For the download check the Releases page on our Protirus GitHub
For any problem please contact us via email or direct message.
---
Additional references:
All the existing documentation related (and updated) to both tool still apply (both document contain the 7.1 builds as well):
7.5 builds are also available as downloads:
7.6 releases are available on a blog entry:
{CWoC} PatchAutomation and ZeroDayPatch builds for 7.6
8.0 releases are available on a blog entry:
{CWoC} PatchAutomation and ZeroDayPatch builds for 8.0
8.1 releases are available on the downloads entry
Quick reference: ZeroDayPatch Command line help message
ZeroDayPatch (version 1#) command line usage: /vulnerable Use this command line switch to install and run a custom stored procedure to retrieve candidate bulletins. The procedure will be installed is and named ZeroDayPatch_GetVulnerableMachines-0003. /targetguid= Use this option to set the target guid to be used with newly created policies. This will over-write the default target defined globally. Note that you can specify more than 1 target guid. Just add more /targetguid= to you command line or config file. This is most useful if you are delegating computer targetting to other team (such as server , workstation administrators). /config= Reads the file at the provided path and parses each line for com- -mand line options. Here is a sample config file content: /severity=critical /custom-sp=CWoC_GetAllBulletins /vendor=google /dryrun /debug /test Run the automate in test mode only. A maximum of 10 policies will be created in this mode. /dryrun Run the automate in dry run mode. No changes will be made to the system, but expected operation will be printed to the console. /severity=|* Set the severity used to select bulletins that will be handle by the automate. The * wildcard can be use to match all severities. /patchall Use this command line if you want to manage bulletins from all vendors in the database. By default we only handle Microsoft bul- -letins. /released-before= Configure a date filter that will include bulletin released before the specified date. It is set by default to the current date. /released-after= Configure a date filter that will include bulletin released after the specified date. It is set by default to (current date -1 year). /custom-sp= This option allows the user to specify a custom stored procedure to be called during the execution. The stored procedure may be present on the database (if not the automate will return with no errors) and must contains the following columns that are used and needed: * _resourceguid [Software bulletin guid] * released [Software bulletin release date] * bulletin [Bulletin name] * severity [Bulletin Severity] You can also add a vendor column if you want to filter bulletins by vendor (see option /vendor) /vendor=|* Configure a vendor filter to only return bulletins that match the vendor string from a custom procedure. This is because the vendor field doesn't exist in default Patch Procedures used by this tool. If /vendor is specified with a custom-sp that doesn't contain the vendor field the setting will be ignored (all bulletins will be returned). /debug Output extra information on the command line to allow debugging or reporting problems to Symantec Connect. /duplicates Use this command if you want the tool to generate duplicate policies. This is useful if you want, for example, to migrate policies from a parent to a child SMP without disruption. Note! Duplicated and new entries will be added to the exclusion table in the database for safety reasons. /exclude-on-fail Use this command to add bulletins to the excluded table if it fails 3 times during the stagging or policy creation phases. If not uses the failing bulletin will only be skipped. /retarget Use this command if you want to switch existing policies to use a new target. The target guid should be provided with /targetguid=... /version Print out the current version of the tool. /? Print this help message to the console (stdout).
I’ve raised an Issue on GitHub and I’ll fix it for the next release.
Hopefully there aren’t any more typos but if you do spot any please do add them to the list.
One minor fix that has bugged me for years. Please change "stagged" to "staged" in this message series below.
Processing bulletin MS19-09-W10-4516058 (2a5dd6f2-0fa8-45dd-8685-a223e1f4fda8) now. ... bulletin will be stagged now. Bulletin is now stagged.
to
Processing bulletin MS19-09-W10-4516058 (2a5dd6f2-0fa8-45dd-8685-a223e1f4fda8) now. ... bulletin will be staged now. Bulletin is now staged.
Many thanks! I love this product!! Thank you for keeping it up to date!
I want to know how the download proces is working. If I installed this with the parameters it created's the Patch policy's, but do I have to trigger the actual patch download somewhere else?
Unfortunately those options aren't exposed in the app, I'll add it as a feature request and see what I can do to add them.
I just want to know can do it on the command line to get the same result?
Just to confirm you wish to set the following options:
Could you help to provide command line switch for the "As soon as possible" or "On schedule" package options on the policy creation?