Deploying Custom Packages with Patch Manager

With the release of Orion NPM 11.0 and the SAM 6.2 Beta, we are introduced to a new extension to the Orion Family: the SolarWinds Orion Agent.  We cover the below procedure step-by-step in the Orion NPM Administrator's Guide, but we skip all of the "why's and what's" about the process.  I'm hoping that this post will demystify some of the steps involved with setting this up within Patch Manager.

I chose to call out the Orion Agent to showcase custom package creation within Patch Manager because it's an almost perfect application for a couple of reasons:

  1. It is packaged as an MSI file
  2. It has simple rules about its compatibility
  3. It has some customization that needs to be passed to the installer

All in all, it gives me the ammunition to show how to use Patch Manager to install a custom application with some (but not too much) complexity.  Although this step-by-step calls out the Orion Agent for package creation, there is no reason that you cannot use this procedure with any custom package.  In fact, after you go through this process with the Orion Agent, I highly encourage you to try it with a package of your own choosing.  But, without further ado, let's dig in!

Isn't Patch Manager just for Patches?

If you really think about it, patches are nothing but small software programs which just happen to "fix" other preexisting software problems.  The beauty and elegance of the Patch Manager solution is that you don't need to learn sixty different command line parameters, all of the switches for the Microsoft installer, or pretty much anything when deploying Third Party Software patches.  With Patch Manager, patching third party applications is as easy as 1 (download the package), 2 (publish the package), and 3 (approve for deployment).

So, you ask yourself, "Self, if patches are really just little programs with some rules, what's preventing me from using Patch Manager to deploy my own programs?"  The short answer:  Nothing!

Some background on the Windows Update Agent's Checks

If you dig into any of the predefined packages within the SolarWinds Patch Manager 3rd Party Update Catalog (3PUP), you'll see that there is all kinds of goodness that we pack into the tabs along the bottom.  If you don't have Patch Manager, download a copy and you can follow along.  Open up the Patch Manager Console, and check out the some entries in the catalog.  Go ahead, I'll wait.... **humming TetrisRegistered theme to self**

Tabs_1_PackageDetails.pngTabs_2_PrerequisiteRules.pngTabs_3_ApplicabilityRules.pngTabs_4_InstalledRules.png

So now that we're all looking at the same screens, I can continue.  There are a total of six tabs for every package; Package Details, Prerequisite Rules, Applicability Rules, Installed Rules, Content, and Version History.  I'm only showing the first four above and I'm only going to deep dive on the tabs for Prerequisite Rules, Applicability Rules, and Installed Rules.  I think of these rule tabs as answering very simple questions about the package:

  1. Prerequisite Rules
    Does this program apply to the target computer as a whole?
  2. Applicability Rules
    Does this program apply to the installed software on the target computer?
  3. Installed Rules
    How do I know if this is already installed on the target computer?

If you really want a super deep dive on these rule sets, you can dig in to Update Applicability Rules on the Microsoft MSDN Pages.  If you plan on digging into further custom packages (which you should), then I highly encourage you to read this article on the deep logic used in these rules and how it applies to Patch Manager.  Otherwise, just consider this post as a quick primer  - we'll give you enough information to get started.

Let's Build Us a Package!

Step 1 - Get the Installer Files

Since I've chosen the Orion Agent as our software package for custom package deployment, we'll need to get the necessary files for installing it.  The Orion Agent consists of two files, an MSI (the installer) and an MST (a transform file).  In very simple terms, a transform file is a "recording" of the information that you enter while running an installer.  Think of it as a script for all the text boxes, radio buttons, and check boxes for which the installer prompts.

You get these two files from within the Orion Web Console.  Launch the Orion Web Console with Admin rights, and go to Settings, then Agent Settings, then Download Agent Settings.  From there download the two files (MSI and MST) from the Mass Deployment Pane.  In my environment, I downloaded the MSI and MST file and saved them with the names SolarWinds_Agent_1.0.0.866.msi and SolarWinds_Agent_1.0.0.866.mst.  You can name them whatever you want - the above naming scheme just helps me keep the versions straight and I find that replacement of any spaces with underscores generally tends to be helpful.  I also saved them in a staging folder (C:\Staging\Tools\OrionAgent).  Again, this was just to help me keep everything straight.

Now it's time to start the package creation.  Navigate down in the Patch Manager Console to "SolarWinds, Inc. Packages" (you should find it under Patch Manager / Administration and Reporting / Software Publishing / SolarWinds, Inc. Packages) and click on it.  Now click on "New Package" in the Action Pane on the far right side of your screen.  Please note that you don't really have to navigate down to the "SolarWinds Inc. Packages" entry in the tree, you can create a package from any node under the Software Publishing node.  Again, this is just my preferred way so that I can keep things straight in my head..

Step 2 - Package Creation

Package Information Screen

Now you are in the Package Wizard. (Click on the image to pop up a larger version of each)

PackageInformation_Blank.pngPackageInformation_Complete.png

Above are the minimum entries that you'll have to make for a package.  Please be sure to change this for the proper version of the program.  Please take note that the Product entry (where it says Orion Agent) needs to be hand-typed the first time that you run through the wizard.  Once the information looks good, click Next to move onto the next screen.


What did we just do?

We just created the base information which categorizes the software package and how it is deployed.  The two important fields here are the Impact and the Reboot Behavior.  The Impact is used to determine the push schedule.  If you have Allow Automatic Updates immediate installation setting within your Windows Update Policy set to True, and the Impact is set to Minor, the install can take place immediately at next check-in by the Windows Update Agent.  If it is set to Normal, it is handled as all other patch tasks.


Reboot Behavior determines if the product requires a reboot.  Many products will, but some may not.  This is normally determined by the software package itself.  The Orion Agent does not require a reboot, so we've selected Never Reboots.

Prerequisite Rule Screen

Here is where having some background on the Rules is super helpful.  From reading about the Orion Agent, we already know that it supports Windows Server operating systems with Windows 2008 R2 and later.  It's also not recommended to be run on Domain Controllers.  So with that in mind, let's build that rule.

On the Prerequisite Rule Screen, click Add Rule.  Select Create Basic Rule as the format, and then Windows Version as the Rule Type.

  1. For Comparison, select Greater than or Equal to
  2. Enter 6 for the Major Version
  3. Enter 1 for the Minor Version
  4. Leave SP Major Version and SP Minor Version as 0
  5. Leave the Build Number empty
  6. Select Server for the Product Type

Click OK to save the rule and Next when you see the rule in the list.

PrereqRuleEditorWindowsVersion.png

What did we just do?

In simple words, we just created a prerequisite rule that says "check the Windows Version of the target computer and verify that it is a Windows Server version 2008 R2 or later running on a Server."  Windows version information (5.2, 6.0, 6.1, etc.) is explained a little more here.  Additionally, if you feel that this rule could be used repeatedly, you could have checked the box and save the rule with a name (Like "Windows 2008 R2 Servers or Later").

Select Package Screen

Here's where we tell the software how to install.  With MSI files, it's pretty straight forward, but I'll run you through the process step-by-step.

  1. Select Windows Installer as the Package Type.
  2. Move the radio button under Details down to I already have the package, click the browse button on the right and browse to your MSI file.
  3. You will get a popup indicating that the package has been downloaded and then one which asks if you trust the package.  Click OK to dismiss each of the pop-ups.
  4. Now take a step back.  You'll see something new on this screen.  The Product ID has been populated near the top (just under the Package Type).  Select this and copy it to the clipboard.  You'll need it in the next step.
  5. Further down in Details, check the box next to Include additional files with the package and click the package content button on the right side.  On the select additional files screen, click Add File and browse to your MST File.  Then click OK to close the Package Content Editor.  Click on Yes to copy these files.
  6. Back on the Select Package Screen, select the Binary Language as None.
  7. Finally, enter TRANSFORMS=<Full Name of MST File> in the Command Line (silent install) field.  This is the part where replacing spaces in the MST file with underscores (or something else) is handy.  If you have spaces, you'll need to surround the MST file with double-quotes.  This is one of the reasons that I saved the files with the names that I used above.

Here is your before and after...

SelectPackage_Blank.pngSelectPackage_Populated.png

When you are satisfied, click Next to continue to the Applicability Rules screen.

What did we just do?

We have selected the type of installer (which determines the necessary command line parameters), the installer file, the transform file to be included, and then told that installer to use that MST file during install.

Applicability Rules Screen

Click on Add Rule and select MSI Rule as the format, Product Installed an the Type, and check the box for Not Rule.

Now paste in the Product ID that we copied from the previous page in the Product Code field.  Be sure to remove the curly braces so that the format matches up with the example.  The rest can be left blank.

Click OK to save the Rule, then click Next to move to the Installed Rules Screen.

ApplicatabilityRule.png

What did we just do?

We just created a rule that asks the Windows Update Agent to check to see if a package with Package ID {E59C88B3-8C59-43A0-846D-B8AFC36D78C6} is installed on your computer.  If it's NOT, then the package that we're making now is applicable to be installed.  In essence, we said, "if the Orion Agent isn't already installed, it can be installed."


Installed Rules Screen

Lastly we need to define the rules for how we detect if the new package is already installed.  There are many ways to check to see if a package is installed.  You can use any rule that you like (MSI Rules are a popular selection), but I chose to use the File Version with Registry Value for this example.  The Installed rules are how the Windows Update Agent determines if an installation succeeded.  For this package, we'll only go semi-complex.  Other examples within the catalog are much more complex and I encourage you to look at them for more details on how you can detect installation.

Many times, figuring out the appropriate registry settings for this process requires you to install the software on at least one machine so that you can dig down through the registry and file system.  I'll save you that step and just give you the information that you need to build the rule.

  1. As before, click on Add Rule, but this time select Basic Rule for the format and File Version with Registry Value for the Rule Type.
  2. In the Registry Key field, enter "HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\SolarWinds\Agent"
  3. In the Registry Value field, enter "InstallDir"
  4. In the Sub-Path field, enter "SolarWinds.Agent.Service.exe"
  5. In the Comparison Field, select Greater Than Equal To
  6. In the Version Field, enter the version number of the installer (in this case 1.0.0.866)

You'll end up with what you see below.  Click OK to save the Rule and then Next to get to the Summary screen.

InstalledRule.png

What did we just do?

This one is more complex than all the previous rules, so let's go through it a step at a time.  We just created a rule that asks the Windows Update Agent to check in the Registry for the key stored at "HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\SolarWinds\Agent" and extract the contents in the "InstallDir" value.  Then it takes the content from they registry key & value (C:\Program Files (x86)\SolarWinds\Agent\) and appends the "SolarWinds.Agent.Service.exe" to the end which yields C:\Program Files (x86)\SolarWinds\Agent\SolarWinds.Agent.Service.exe.  Then we extract the version from the file at that path.  Finally, it compares the version extracted from the file to that which we hand-entered in the rule.  If the value matches or is newer, then the software has been successfully installed.

Summary Screen

You are almost done!  I know that you've seen enough screenshots, so I'll be skipping the one here... yes, you're welcome.  If you want to add notes, do so and then click Next to actually Build the package.  When it's all done, you will get the a confirmation message - just click on OK.  That's it!  The package has been built!

Step 3 - Publish & Approve

Now this package is just like any third party update.  Just right-click on it and select Publish Packages.  Normally, you just keep the defaults and click on Next to publish it and click Finish to confirm it.  It's now been published to your default WSUS Server.

Finally, in the Patch Manager Console, move up to Patch Manager / Enterprise / Update Services / (Your WSUS Server Name) / All Updates.  Click on the newly created and published package.  Right-click on it and select Approve.  From here, you can determine which groups can get the new package and setup a schedule.  Like I said, treat this just like any other update from this point.

The Orion Agent is awesome!  What if I want to deploy now?!?

Patch Manager gives you that option as well!  Just right-click on the package within Update Services, and select Update Management.  Click OK on the "Update Management - 1 Updates" screen.  On the Task Options Wizard screen, you can add computers to the list.  Click on Next and choose the timing of the deployment and if you want schedule the update, configure logging, or add email notifications.  Click Next once more and then click Finish to complete the deployment.  The beauty of this is that if you try to deploy this package to machines where the update isn't applicable, it won't get installed because of the rules that we built together.  If you want to watch the installation process, you can go down to the Active Tasks to watch the Agent be deployed in real time.

Where can I get more information?

Like everything SolarWinds, I'd tell you to start on Thwack.  We've got the best user community bar none.  Just ask a question in the forums and watch the people come out of the woodwork to help.  We also have some excellent articles written up about the rules for custom update packages, troubleshooting the installation, and the logic of the Windows Update Agent.  However, If reading isn't your thing and you prefer the wonderful world of video, we've got Package Creation using SolarWinds Patch Manager and Package Creation Fundamentals videos for additional guidance.

And don't forget that one of the biggest resources of untapped information in Patch Manager are the packages that we already make for you in the Third Party Catalog.  You can use these as a resource for learning and building your own rules.  I encourage everyone to pop open a few of them to look into the way that we build the rules for each of them.  We've already done the heavy lifting for you with these packages.  Learn from us.  Now go forth and create your own packages!

Parents Comment Children
No Data
Thwack - Symbolize TM, R, and C