Overview
Cloud Automation Stack's OS Patching module provides a simplified interface for managing automated OS patching for Windows VM instances. The module allows Cloud Desktop administrators to configure one or more patching profiles for VMs managed by CAS; each profile specifies a schedule and the category of patches to apply to VMs.
The OS Patching module relies on the OS patch management (OSPM) functionality of Google Compute Engine. Each profile created in CAS configures corresponding settings in an OSPM deployment and policy; the actual OS patching is performed directly by Google Cloud. The advantage of using itopia CAS to configure OSPM is added flexibility in specifying the VM instances to include in each profile, as described later in this article.
Patching Profile Settings
CAS OS Patching is designed for use with Windows VM instances; all versions of Windows Server and client OSes supported by CAS are supported by patching profiles. When creating an OS Patch Profile in the CAS Admin Console (cas.itopia.com), administrators can configure several settings:
The VM instances to include in the profile:
All instances in the deployment
All instances in one or more GCP regions
All instances with a specific key:value pair
Specific VM instances
Specific VM instances to exclude (if selecting All instances in the deployment or All instances in a GCP region)
Update categories:
Critical updates only
Critical and security updates
All updates
Specific updates to exclude (signified by their Microsoft KB number)
Patching Schedule:
Start and End times for the patching window
Recurrence:
Weekly on a specific day of the week
Monthly on a specific day of the month
Monthly on nth day of the week
NOTE: Additional options are available when configuring OSPM policies directly in the Google Cloud console, including support for patch policies for Linux VM instances; itopia has only included common settings and values to streamline the configuration process.
CAS Profiles and OSPM Policies
When a Patch Profile is created in the CAS OS Patching module, CAS automatically configures a corresponding policy in OSPM. Most settings, such as the patching schedule and the types of updates to include, are directly transcribed to the OSPM policy. However, all OSPM policies created by CAS are configured to use the key:value pair method of scoping the policy; CAS generates a unique key:value pair for the policy (or uses the key:value pair manually specified in the profile) and then applies this metadata to the relevant VMs to include them in the policy.
Requirements
Permissions
To configure Patch Profiles, a CAS administrator must have the Deployment Editor (or higher) role in the deployment, or a custom role with the OS Patching > Create/Edit/Delete Profiles permission.
Within Google Cloud, OSPM policies will be created within the context of the CAS service account, which should have necessary permissions. To manually create or edit OSPM policies, you must use a Google account with the required permissions on the GCP project.
Google Cloud Requirements
To use OSPM, the following APIs must be enabled in your GCP Project:
OS Config API
Container Analysis API
CAS will attempt to detect and enable these APIs before creating your first profile.
Additionally, the VPC network for your CAS deployment must be configured to enable Private Google Access. VPC networks created by CAS have this option enabled; however, if you created your deployment using an existing VPC network or shared VPC, you must ensure this option is enabled.
Finally, your VM instances must be set to enable the OS Config management features. This is most easily achieved by setting a common instance metadata value on your GCP project, which is inherited by all VM instances in the project. When creating your first Patch Profile, CAS will configure the following common instance metadata on your GCP project:
enable-osconfig: TRUE
Creating a Patch Profile
Use the steps below to create and configure a Patch Profile.
Log in to the CAS Admin Console (cas.itopia.com) as a user with the necessary role or permissions.
Using the left-hand menu, navigate to Cloud Infrastructure > OS Patching.
If the Google Cloud APIs have not been enabled in the GCP project, CAS will prompt you to enable them. Click Enable API for each necessary API.
Click Create Profile.
Provide the following information:
Name - A descriptive name for the profile.
Description (optional) - A description for administrators to identify the profile settings or scope.
Instances to Include - Choose and configure one of the available options:
All instances in the deployment
All instances in the following regions - Select one or more GCP regions from your CAS deployment
All instances with the following metadata - Provide a key:value pair. NOTE: CAS will not apply this key:value pair to any VM instances; you must use other methods to set the key:value on VM instances.
Specific instances
Exclude specific instances (optional) - Provide a comma-separated list of VM instance names to exclude from the profile. This option has no effect if setting key:value pairs or specific instances.
Patches to include (refer to Microsoft documentation for information on categories):
Critical updates only
Critical and security updates
All updates
Exclude specific updates (optional) - Provide a comma-separated list of specific Microsoft Update IDs to be excluded from the patch profile. These IDs are typically in the format KB1234567.
Schedule
Time Window - Select a start time and end time for the patch profile, and select the appropriate time zone. NOTE: the "end time" of a Patch Profile/OSPM policy signifies the latest time at which a patch installation will begin; if patches are already being installed at this time, they will not be terminated and will be allowed to complete.
Recurrence date:
Weekly on [day of week] - Select a day of the week
Monthly on specific date - The patch policy will run on a specific date of each month (e.g. April 1, May 1, etc.)
Monthly on day of week - Select a week of the month and a day of the week (e.g. 3rd Thursday, 2nd Saturday)
Click Create.
Considerations
When planning your deployment's patching policy, it is important to consider the following points:
Patch Profiles created in itopia CAS are configured to permit reboots. If a patch requires an OS reboot, the VM instance(s) will be automatically rebooted when patching is complete. If you wish to prevent reboots, you must configure an OSPM policy manually in the Google Cloud admin console.
Patch Profiles are configured to perform patching "zone by zone" within each GCP region. If you have redundant infrastructure instances (such as RD Brokers or RD Gateways), each instance is deployed to a separate zone and will be patched sequentially, allowing the environment to continue operating while patching is occurring. NOTE: reboots of RD Gateway servers may still disconnect users momentarily until they are reconnected to the surviving Gateway servers.
Patch Profile parameters cannot be edited once the profile is created. If you created the Patch Profile to apply to specific instances, you are able to edit the instance list after the profile has been created. No other settings can be changed. You can delete and recreate a Patch Profile at any time.
There is no additional cost to use Patch Profiles in itopia CAS; however, the OS Patch Management feature in Google Cloud is subject to usage pricing for larger deployments (greater than 100 VM instances).
OS Patching Profiles are not aware of other scheduling mechanisms in itopia CAS such as Dynamic Uptime or Scheduled Uptime; therefore, you should configure these services separately to ensure that the VM instances are powered on and available during the time window specified in the Patch Profile.
OS Patching Profiles are not exclusive; a single VM can be included in multiple Patch Profiles and, subsequently, multiple OSPM policies. If not configured as intended, this may lead to unexpected patching schedules.
Within CAS, Collection Pools can be configured with one or more key:value pairs. To create a Patch Profile for specific Collection Pools, configure the profile to use a specific key:value pair and then configure the Collection Pools to apply the same key:value pair to the Session Hosts.
Patch Profiles that are configured to use a key:value pair will use that exact key:value pair for the OSPM policy. Any VMs in your GCP project that have this same key:value pair will be subject to the OSPM policy, whether or not they are managed by itopia CAS or included in your deployment. NOTE: OSPM patching requires the VM instance to be running the Google OS Config Agent software, which is not installed by default; if your VM instance does not have the agent software installed, it will not be patched by OSPM policies. itopia CAS automatically installs this agent on VMs included in a Patch Profile.
Details on patch compliance are not currently available in the CAS Admin Console. You may use the OS Patch Management Dashboard in Google Cloud to monitor the status of patch deployment on your VM instances. This data will be available in CAS in a future release.
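A scope audit for the considerations above (a shared key:value pair pulling non-CAS VMs into a policy, in-scope VMs that lack the enable-osconfig metadata, and VMs that fall into more than one profile), written as an added example that is not part of itopia's documentation or of CAS itself. It assumes the profile's key:value pair is applied as a VM label (what an OSPM instance filter matches on), takes input in the JSON shape of `gcloud compute instances list --format=json`, and uses constructed instance and profile names.

```python
"""Audit which VMs a set of CAS Patch Profiles would actually reach (added example)."""
from collections import defaultdict

# Constructed sample in the shape of `gcloud compute instances list --format=json`,
# trimmed to the fields used here. Names and label values are made up.
INSTANCES = [
    {"name": "rdgw-01", "zone": "us-central1-a",
     "labels": {"cas-patch": "weekly-critical"},
     "metadata": {"items": [{"key": "enable-osconfig", "value": "TRUE"}]}},
    {"name": "rdgw-02", "zone": "us-central1-b",
     "labels": {"cas-patch": "weekly-critical", "pool": "finance"},
     "metadata": {"items": [{"key": "enable-osconfig", "value": "TRUE"}]}},
    {"name": "legacy-app", "zone": "us-east1-b",          # not a CAS VM, but same label
     "labels": {"cas-patch": "weekly-critical"},
     "metadata": {"items": []}},
    {"name": "sh-finance-01", "zone": "us-central1-c",
     "labels": {"pool": "finance"},
     "metadata": {"items": [{"key": "enable-osconfig", "value": "TRUE"}]}},
]

# Hypothetical profiles: profile name -> the exact key:value pair the OSPM policy is scoped to.
PROFILES = {
    "weekly-critical": ("cas-patch", "weekly-critical"),
    "finance-monthly": ("pool", "finance"),
}

def osconfig_enabled(instance, project_default=False):
    """True if enable-osconfig=TRUE is set on the instance; otherwise fall back to the
    project-level common instance metadata value (passed in as project_default)."""
    for item in instance.get("metadata", {}).get("items", []):
        if item["key"] == "enable-osconfig":
            return item["value"].upper() == "TRUE"
    return project_default

def in_scope(instance, key, value):
    """Label match is exact, as the OSPM policy created by CAS uses the pair verbatim."""
    return instance.get("labels", {}).get(key) == value

def audit(instances, profiles, project_default=False):
    """Return (profile -> member names, in-scope names without OS Config, names in >1 profile)."""
    scope, hits = {}, defaultdict(list)
    for profile, (key, value) in profiles.items():
        scope[profile] = [i["name"] for i in instances if in_scope(i, key, value)]
        for name in scope[profile]:
            hits[name].append(profile)
    unpatched = sorted(n for n in hits if not osconfig_enabled(
        next(i for i in instances if i["name"] == n), project_default))
    overlaps = {n: p for n, p in hits.items() if len(p) > 1}
    return scope, unpatched, overlaps

if __name__ == "__main__":
    print(audit(INSTANCES, PROFILES))
```

Run it against real `gcloud compute instances list --format=json` output to see which VMs each profile's policy will touch before the first patch window opens.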