Patch Management for Windows in a Hierarchy 8.x

Article ID: 173382

Products

Patch Management Solution for Windows

Issue/Introduction

This article aims to explain how Patch Management for Windows can be used in a Hierarchy environment. The document will also highlight some best practices.

Environment

ITMS 8.0 and later

Resolution

Workflow:

  1. Child Servers replicate managed language data UP the hierarchy.
  2. PMImport runs on the parent.
  3. PMImport data replicates DOWN the hierarchy based on the languages in step 1.
  4. Software Update Policies are replicated DOWN to the Children.

 

Workflow details:

  1. Child Servers replicate managed language data UP the hierarchy

    This is an automated process that rarely needs attention. If languages do not appear to be reported correctly to the parent, the Replication rule can be checked at the location below and run as a Complete.


     
  2. The PMImport process runs on the parent server, bringing in the new update and bulletin data
     
  3. PMImport data replicates DOWN the hierarchy

    This process replicates all data imported by the PMImport process run on the Parent down the hierarchy to any Child NS. Only data for the managed languages of the Child is replicated, based on the data sent up to the Parent by each Child’s Patch Language Alert replication rule.

    Shortly after this is finished, it triggers a post-replication task that carries out post-import tasks similar to those of a normal PMImport. An instance of this task will be displayed on the Microsoft Patch Management Import page on the Child Server.

    Note: When problems have occurred or there is a mismatch of data, changing this rule to run as a Complete can often resolve the issue.

     
  4. Replication of Software Update Policies down the hierarchy

    Once data has been replicated, Software Update Policies created on the Parent can be replicated down to the Child Servers.

    This is done via the Standard Differential replication defined for each child server.

    Note: If policies inadvertently get replicated before the previous three steps have completed, simply right-click the desired policies on the parent and use the “Replicate Now” option to force them to replicate again now that the supporting data exists.

 

Best Practices and information

  • Software Release Exclusions must be set on the Parent Server. The selected exclusions will be replicated down to Child servers, and the resources are removed when the post-replication PMImport cleanup task runs.
  • Scheduling: It is important to look at the schedules defined for the following:
    Note: Ensure that there is enough time scheduled between each for them to complete in the order below.
    • PMImport on the parent
    • Replication Rule “Patch Management Import Data Replication For Windows”
    • Differential Replication to the children
  • If there is a Site Server for the Parent, the packages need to be in a ready status on that Site Server before they will replicate to the Child.
  • Changing languages on a Child: To update existing Software Update Policies on a Child with new language information, the policies must first be revised on the Parent (if required) and then re-replicated to the Child nodes.
  • Monitoring the process: Logs can be very helpful, as can the “Jobs Management” page under Hierarchy Replication.

For 7.x information, see KB 181877.
