Patch Manager Infrastructure and Installation Requirements

Created by niharika Velidhi, Modified on Fri, 29 May at 3:21 AM by niharika Velidhi

System Requirements for Windows:

| Requirement | Specification |
|---|---|
| Operating System | Windows Server 2019 or later (Windows Server 2022 recommended) |
| Processor | Minimum 2 to 4 CPU cores |
| Memory | Minimum 16 GB RAM |
| Disk Storage | 500 GB to 1 TB depending on network size and patch data volume |
| Platform Purpose | Patch Manager frontend, backend, probe, and database services |


System Requirements for Linux:

| Requirement | Specification |
|---|---|
| Operating System | Red Hat, Ubuntu, CentOS |
| Processor | Minimum 2 to 4 CPU cores |
| Memory | Minimum 4 to 8 GB RAM |
| Disk Storage | 500 GB to 1 TB depending on network size and patch data volume |
| Platform Purpose | Host, probe, or supporting Patch Manager services |


Network and Firewall Requirements:

To ensure successful installation and proper operation of the Ceburu Patch Manager, the following network ports and application endpoints must be allowed within the customer infrastructure. 


| Port | Component | Purpose |
|---|---|---|
| 3000 | Frontend | Access to the Patch Manager web interface |
| 8000 | Backend | Backend services and API communication |
| 10050 | Probe | Communication between Patch Manager probe and systems |
| 5432 | Database | Database connectivity for Patch Manager |


Application and URL Whitelisting Requirements

The following domains must be whitelisted to allow updates, integrations, and portal access:

| Domain | Purpose |
|---|---|
| microsoft.com | Windows updates and system patch downloads |
| github.com | Application dependencies and update components |
| www.catalog.update.microsoft.com | Microsoft Update Catalog access |
| https://patchmanager.ceburu.com/ | Ceburu Patch Manager portal and services |


  • Whitelisting must be applied at firewall, proxy, and endpoint security levels.
  • SSL inspection should not block traffic to the above domains.
  • Internet access is required from host and client machines for patch retrieval.


WinRM Requirements and Configuration:

WinRM must be enabled on Windows target machines to allow the Ceburu Patch Manager to perform remote validation, software installation, patch deployment, and remote command execution.


Enable WinRM on Windows Target Machines:

Run PowerShell as Administrator on each Windows target machine.

1. Enable WinRM

winrm quickconfig -quiet


2. Enable PowerShell Remoting

Enable-PSRemoting -Force


3. Set WinRM Service to Start Automatically

Set-Service WinRM -StartupType Automatic
Start-Service WinRM


4. Allow WinRM Through Windows Firewall

Enable-NetFirewallRule -DisplayGroup "Windows Remote Management"


If the firewall rule is missing, create it manually:

New-NetFirewallRule -Name "WinRM_HTTP" `
  -DisplayName "WinRM HTTP" `
  -Protocol TCP `
  -LocalPort 5985 `
  -Action Allow


For HTTPS WinRM, allow port 5986:

New-NetFirewallRule -Name "WinRM_HTTPS" `
  -DisplayName "WinRM HTTPS" `
  -Protocol TCP `
  -LocalPort 5986 `
  -Action Allow
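
The rules above accept WinRM connections from any source address. The following PowerShell is an added example, not part of the original article or Ceburu's tooling: it lists enabled inbound allow rules on TCP 5985/5986 that are open to any remote address and, with -Apply, restricts them to the probe. The function names and the 192.0.2.10 address are placeholders chosen for this example.

```powershell
# Added example, not Ceburu code. Run as Administrator on a Windows target.

function Get-OpenWinRMRule {
    # Enabled inbound Allow rules on TCP 5985/5986 that accept any remote address.
    # Rules that express the port as a range or as "Any" are not matched here.
    Get-NetFirewallPortFilter -Protocol TCP |
        Where-Object { @($_.LocalPort) -match '^(5985|5986)$' } |
        Get-NetFirewallRule |
        Where-Object {
            $_.Direction -eq 'Inbound' -and
            $_.Action -eq 'Allow' -and
            $_.Enabled -eq 'True' -and
            @(($_ | Get-NetFirewallAddressFilter).RemoteAddress) -contains 'Any'
        }
}

function Set-WinRMRuleScope {
    param(
        [Parameter(Mandatory)] [string[]]$ProbeAddress,  # probe/distribution server IP(s)
        [switch]$Apply                                   # without -Apply, report only
    )
    foreach ($rule in (Get-OpenWinRMRule)) {
        if ($Apply) {
            # Limit the rule to the probe so other hosts cannot reach WinRM.
            $rule | Set-NetFirewallRule -RemoteAddress $ProbeAddress
            "Scoped '{0}' to {1}" -f $rule.DisplayName, ($ProbeAddress -join ',')
        } else {
            "Open to any source: '{0}' ({1})" -f $rule.DisplayName, $rule.Name
        }
    }
}

# Report first. 192.0.2.10 is a placeholder: use the real probe address.
Set-WinRMRuleScope -ProbeAddress '192.0.2.10'
# Then apply once the report looks right:
# Set-WinRMRuleScope -ProbeAddress '192.0.2.10' -Apply
```

Apply the change from the target's local console or from the probe itself, since any other remote WinRM session to that machine stops working once the rules are scoped.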


Configure TrustedHosts:

TrustedHosts is required when the probe or distribution server connects to machines in a workgroup, another domain, or any environment where Kerberos authentication is not available.

Run the following commands on the probe or distribution server.


Add One Target Machine

Set-Item WSMan:\localhost\Client\TrustedHosts -Value "192.168.1.149" -Force


Add Multiple Target Machines

Set-Item WSMan:\localhost\Client\TrustedHosts -Value "192.168.1.149,192.168.1.150,192.168.1.151" -Force


Allow All Internal Targets

Use only for trusted internal networks:

Set-Item WSMan:\localhost\Client\TrustedHosts -Value "*" -Force


Check TrustedHosts

Get-Item WSMan:\localhost\Client\TrustedHosts


Clear TrustedHosts

Clear-Item WSMan:\localhost\Client\TrustedHosts -Force
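
Set-Item with -Value replaces the whole TrustedHosts list, so adding a target later with the commands above drops the entries that were already there. The following PowerShell is an added example, not part of the original article: it merges new targets into the existing list and does not write the "*" wildcard. Merge-TrustedHostList and its -ReplaceWildcard switch are hypothetical names introduced for this example.

```powershell
# Added example, not Ceburu code. Run as Administrator on the probe or
# distribution server.

function Merge-TrustedHostList {
    param(
        [string]$Current,                        # existing TrustedHosts value
        [Parameter(Mandatory)] [string[]]$Add,   # targets to append
        [switch]$ReplaceWildcard                 # swap an existing "*" for the explicit list
    )
    if ($Add -contains '*') {
        throw 'Refusing to add "*": list each target explicitly.'
    }
    # Split the comma-separated value and drop empty entries.
    $existing = @($Current -split ',' | ForEach-Object { $_.Trim() } | Where-Object { $_ })
    if ($existing -contains '*') {
        if (-not $ReplaceWildcard) {
            Write-Warning 'TrustedHosts is "*" (every host trusted); value left unchanged.'
            return $Current
        }
        $existing = @($existing | Where-Object { $_ -ne '*' })
    }
    # De-duplicate and return the comma-separated value TrustedHosts expects.
    $merged = @($existing + $Add | Sort-Object -Unique)
    return ($merged -join ',')
}

$path    = 'WSMan:\localhost\Client\TrustedHosts'
$current = (Get-Item $path).Value
$new     = Merge-TrustedHostList -Current $current -Add '192.168.1.150', '192.168.1.151'
Set-Item $path -Value $new -Force
(Get-Item $path).Value    # show the resulting list
```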


Allow Local Administrator Remote Access:

If the target machine is in a workgroup and local administrator credentials are used, run this on the target machine:

New-ItemProperty `
  -Path "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" `
  -Name "LocalAccountTokenFilterPolicy" `
  -Value 1 `
  -PropertyType DWord `
  -Force


Restart WinRM:


Restart-Service WinRM


Test WinRM Connectivity:

Run these commands from the probe or distribution server.

Test Port 5985:

Test-NetConnection 192.168.1.149 -Port 5985

Expected result: TcpTestSucceeded : True


Test WinRM Response:

Test-WSMan 192.168.1.149

Test Remote Session:

$cred = Get-Credential
$session = New-PSSession -ComputerName 192.168.1.149 -Credential $cred
Invoke-Command -Session $session -ScriptBlock { hostname }
Remove-PSSession $session


For domain credentials, use: DOMAIN\username

For workgroup credentials, use: WORKGROUP\username or: .\username


WinRM must be validated before remote patch deployment or remote software installation can be performed through Ceburu Patch Manager.
