Install BT Updater Enterprise
Introduction
BT Updater is an application that downloads and installs updates for BeyondTrust products and includes the following features:
- View the currently installed software version.
- Set up a subscription to download product updates.
- Lock the software at specified versions, when necessary.
Note
While the BT Updater can be configured to download and install a variety of product updates, it does not include scheduling the Security Update Package Installer (SUPI) for updates.
Package dependencies
A new product version may require that specific versions of products, and potentially newer versions of supporting software, are installed before the software can be updated.
To determine the upgrade path for specific products and versions, visit the release notes website.
Security
BT Updater enforces the following security measures:
- productupdates.beyondtrust.com is secured by an SSL certificate.
- On download, the hash of the file and file length are verified to ensure the file matches the requested download.
- After extraction of the package, the certificate on the file is checked to ensure it is a BeyondTrust certificate.
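The same three checks can be applied by hand to a downloaded file, such as the installer, before it is run. This is an added example, not BeyondTrust code: the function name Test-UpdatePackage, SHA-256 as the hash algorithm, and the "BeyondTrust" signer pattern are assumptions, and the expected length and hash are placeholders you fill in from your own trusted record.

```powershell
# Added example (not BeyondTrust code): length, hash and signer checks for a
# downloaded file. Requires PowerShell 4.0 or later for Get-FileHash.
function Test-UpdatePackage {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string] $Path,
        [Parameter(Mandatory)] [long]   $ExpectedLength,   # bytes, from your trusted record
        [Parameter(Mandatory)] [string] $ExpectedSha256,   # assumption: SHA-256 digest
        [string] $SignerPattern = '*BeyondTrust*',          # assumption: subject wording
        [string] $PinnedThumbprint                          # optional, stricter than a name match
    )

    $file     = Get-Item -LiteralPath $Path -ErrorAction Stop
    $failures = New-Object System.Collections.Generic.List[string]

    # 1. Length: cheap check that catches truncated or padded downloads.
    if ($file.Length -ne $ExpectedLength) {
        $failures.Add("length $($file.Length) does not match expected $ExpectedLength")
    }

    # 2. Hash: PowerShell string comparison is case-insensitive by default,
    #    so upper- and lower-case hex digests compare equal.
    $actual = (Get-FileHash -LiteralPath $file.FullName -Algorithm SHA256).Hash
    if ($actual -ne $ExpectedSha256.Trim()) {
        $failures.Add("SHA-256 $actual does not match the expected value")
    }

    # 3. Signature: must validate against the local trust store AND name the
    #    expected publisher. A name match alone is weak; pin the thumbprint
    #    when you have recorded one from a known-good release.
    $sig = Get-AuthenticodeSignature -LiteralPath $file.FullName
    if ($sig.Status -ne 'Valid') {
        $failures.Add("Authenticode status is $($sig.Status)")
    }
    elseif ($sig.SignerCertificate.Subject -notlike $SignerPattern) {
        $failures.Add("unexpected signer: $($sig.SignerCertificate.Subject)")
    }
    elseif ($PinnedThumbprint -and
            $sig.SignerCertificate.Thumbprint -ne ($PinnedThumbprint -replace '\s', '')) {
        $failures.Add("signer thumbprint $($sig.SignerCertificate.Thumbprint) is not the pinned one")
    }

    [pscustomobject]@{
        Path     = $file.FullName
        Passed   = ($failures.Count -eq 0)
        Failures = $failures.ToArray()
        Signer   = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { $null }
    }
}

# Usage (placeholders, not real values):
# $r = Test-UpdatePackage -Path 'C:\BeyondTrust-Release-UpdaterInstaller.exe' `
#        -ExpectedLength <LENGTH_IN_BYTES> -ExpectedSha256 '<EXPECTED_SHA256>'
# if (-not $r.Passed) { $r.Failures; throw 'Verification failed; do not run this file.' }
```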
Requirements
Requirement | Details |
---|---|
Operating System | Windows Server 2012 and 2012 R2 (64-bit only); Windows Server 2016; Windows Server 2019 (BT Updater version 2.11 or later); Windows Server 2022 |
Processor | Intel Dual Core 2.0GHz or compatible (minimum) |
Memory | 16GB Minimum (Requires x64 operating system) |
Hard Drive | 20GB |
Server Requirements | Server Roles: Web Server IIS > Web Server > Application Development (.NET Extensibility 3.5, .NET Extensibility 4.7.2 +, ASP.NET 3.5, ASP.NET 4.7, ISAPI Extensions, ISAPI Filters). Features: .NET Framework 3.5 (HTTP Activation); .NET Framework 4.7.2 + (WCF Services: HTTP Activation); Windows Process Activation Service (Process Model, .NET Environment 3.5, Configuration APIs) |
Certificate | A self-signed certificate in IIS is required to use https:// |
Note
For more information, see BT Updater Release Notes.
Installation
Important
Before installing, verify you can access the product updates landing page.
If you are unable to access this page, see the Add Imperva IP Addresses to Allow List section of this guide. The link for Incapsula’s IP addresses provided on the landing page is no longer valid.
To install BT Updater Enterprise, follow the below steps.
- Open a command prompt as an administrator.
- Run the following command:
C:\BeyondTrust-Release-UpdaterInstaller.exe ENABLE_ENTERPRISE=1
Best Practices for Deploying BT Updater Enterprise
We recommend the following configuration to deploy BT Updater Enterprise in your environment.
Designate a server as the root parent node (top-level BT Updater server) with BT Updater Enterprise installed and configured to receive updates from the BeyondTrust cloud environment.
Then configure two BT Updater servers to receive updates from the root parent node. Designate one server as the Testing BT Updater Server and the other as the Production BT Updater Server.
Then set client subscriptions for the production server and the testing server using the Client Subscriptions page in BT Updater on the root parent node.
The client subscriptions for the testing server and all clients configured to receive updates from it would not be locked to specific product versions, as the clients would be used for testing updates.
The client subscriptions for the production server and all clients configured to receive updates from it would be locked to specific product versions that have been successfully tested on the testing clients.
As updates are tested successfully, reset the client subscription locks for the production clients to match the versions that have been tested.
See the following diagram for a visual representation of the recommended configuration.
Log in to BT Updater Enterprise
To log in to the BT Updater Enterprise website, follow the below steps:
- Open a browser, and then enter the following:
https://[FQDN]/UpdaterSettings/
Note
We recommend providing the Fully Qualified Domain Name (FQDN) for your BT Updater Enterprise server in the URL when accessing the site. FQDN is the complete domain name for the server. It includes the host name and the domain name, including the top-level domain. For example, myUpdaterServer.myCompany.com.
- Enter credentials for an administrator account on the server where BT Updater Enterprise is installed.
Note
To create a login for BT Updater Enterprise, you must log in with a Windows user account that is a member of the local machine’s Administrator group. This creates an account in BT Updater Enterprise with the same user name and password. We recommend that you change the password after you log in for the first time. The password change propagates to all BT Updater Enterprise clients.
Configure BT Updater Enterprise Server
The BT Updater Enterprise server allows you to connect to a BT Updater server in your network to receive software updates, rather than connecting to the BeyondTrust cloud servers for updates. Using BT Updater Enterprise allows you to configure one BT Updater Enterprise server as the root parent node (top-level BT Updater server) that connects to the cloud and all other servers connecting to BT Updater Enterprise servers in your network.
BT Updater Enterprise allows you to control updates distributed across your environment and the global settings applied to all clients using policy.
To access the Settings page, follow the below steps:
- Log into the BT Updater Enterprise website.
- Select Settings from the menu.
From the Settings page, you can configure the following:
- Subscription frequency (interval for checking for updates).
- A BT Updater Enterprise server and a proxy server.
- Download throttling and speed.
- Schedule for downloading and publishing updates.
- Clear cached download files.
- Password for your administrative account.
- Session timeout value.
- Email notifications for when new downloads are available.
- Air-Gapped Mode.
Set an interval to check for updates
To set an interval to check for updates, follow the below steps:
- In the Subscription Frequency section, click the toggle to enable automatic checking for updates.
- Set your desired check interval frequency.
- Click Apply Changes.
Set the connection for BT Updater Enterprise server and proxy server
Configure the BT Updater Enterprise server and proxy server in the Connection section.
- Enter the server name or IP address for BT Updater Enterprise in your network.
Note
If a BT Updater Enterprise server is not specified, or has been deleted, BT Updater connects to the BeyondTrust cloud server for updates.
Once a BT Updater Enterprise server has been entered, the Subscription Frequency settings are disabled as this instance of BT Updater now checks for updates every 30 minutes from the BT Updater Enterprise provided. Air-Gapped Mode is also disabled.
- Click the toggle to enable Use secure connection.
- Enter the Address, Port, Username, and Password for your proxy server.
- Click Test Connection to verify connectivity.
- Click Apply Changes to save the settings.
Set throttling and speed for downloads
Configure throttling and download rates to mitigate bandwidth usage concerns in the Download Settings section.
- Enter the maximum number of kilobytes (KB) that can be downloaded in a day for Throttle.
- Enter the number of KB per second that can be downloaded for Rate.
- Click Apply Changes.
Schedule download and installation times for updates
Specify days and time frames for update downloads and installations in the Schedule section.
Note
While the BT Updater can be configured to download and install a variety of product updates, it does not include scheduling the Security Update Package Installer (SUPI) for updates.
- Check the boxes for the days you would like updates to be downloaded.
- Select times in the From and To lists to specify a time frame for downloads to be updated from the server.
- Check the boxes for the days you would like updates to be published.
- Select times in the From and To lists to specify a time frame for downloads to be published.
- Click the toggle to enable the Allow machine to reboot when required setting. If a restart is required, enabling this setting causes the computer to be restarted after an update has been installed.
Note
If this setting is disabled, a message is displayed after the update is installed indicating a restart is required. You must be logged in to receive the message.
- Click Apply Changes.
Clear cached downloads
Downloaded packages are cached and stored locally. This occupies disk space over time. Clear the data periodically to remove outdated packages from the system in the Clear Cache section.
- Enter the number of days to keep stored packages.
- Click Clear Cache.
- Click Apply Changes.
Change your password
You can change the password for your login account in the Change Password section.
- Enter your Current Password.
- Enter your New Password following the specified password requirements.
- Enter your new password again to Confirm New Password.
- Click Change Password.
Set session timeout
You can set a timeout value for each BT Updater Enterprise session in the Session Timeout section.
- Enter the number of minutes for Timeout.
- Click Apply Changes.
Configure email notifications
Configure SMTP settings to send email notifications to specified email addresses when new packages are available for download. Configure the Email Notifications / SMTP Settings section.
- Enter the Host name or IP address for the SMTP server.
- Enter Port number, if applicable.
- Click the toggle to enable Use secure connection.
- Enter Username, Password, and From Display Name, if required. These fields are optional.
- Enter From Email Address.
- Enter To Email Addresses.
- Click Send Test Email to verify the email configuration works as expected.
- Click Apply Changes to save settings.
Use Air-Gapped Mode
To enable Air-Gapped Mode, click the Air-Gapped Mode toggle and then click Apply Changes. When enabled, this feature prevents BT Updater from communicating with an external BT Updater server. BT Updater instead checks the local cache for available updates and install packages that were loaded using the offline tool.
Create an offline package
Use the following steps to create offline packages.
- On a computer that contains the latest updates, navigate to the folder \Program Files (x86)\BeyondTrust\Updater\Service.
- Double-click the OfflineTool.exe file.
- Click Create Offline Package.
- Click Quick Select.
- Select your subscriptions from the list, and then click OK.
- By default, the latest package is selected in each subscription. If needed, you can check the box for any other installs that you want to include in the package.
- Click Download Selected.
- Confirm the packages that you want to include, and then click Create Offline Package.
- Name the .opkg file and save it to a desired location. The default location is the Desktop.
- Copy the .opkg file to computers that require the updates but are not connected to the internet.
Load an offline package
BT Updater Enterprise must be installed on computers that are not connected to the internet. The packages can be uploaded using the OfflineTool.exe tool.
- Navigate to the folder \Program Files (x86)\BeyondTrust\Updater\Service and double-click the OfflineTool.exe file.
- Click Load Offline Package.
- Locate and select your offline package (.opkg) file, and then click Open.
- Click OK on the Completed Successfully message box.
- On the BT Updater Enterprise Subscriptions page, click Update Now.
Note
You can confirm packages were successfully updated on the Activity Feed page.
Important
If you selected an older package version in the Create Offline Package dialog box, then this package might not be applied. Most subscriptions look for the latest package.
Important
An outdated package is skipped. Some subscriptions are sequential and all the missing packages are required to apply the updates in order.
Manage BT Updater Enterprise Subscriptions
To access the Subscriptions page, follow the below steps:
- Log into the BT Updater Enterprise website.
- Select Subscriptions from the menu.
The following features are available on the Subscriptions page:
- View your current and available subscriptions.
- Lock your subscriptions to specific product versions.
- Unlock your subscriptions.
- Subscribe to new subscriptions.
- View the status of downloads and installs.
- Find out when BT Updater last checked for updates and when the next check will occur.
- See if auto-update is enabled or disabled.
- Manually check for updates now.
You are automatically subscribed to products that are installed on the same system where BT Updater is installed. BT Updater is licensed as part of your products.
You are automatically subscribed to the BT Updater subscription. By default, BT Updater checks for updates every 12 hours, and if a schedule isn't defined for downloads, updates can be pushed at any time.
Note
The update process will close the application. If desired, you can disable automatic checking for updates on the Settings page and manually update at any time by clicking Update Now on the Subscriptions page.
To enable or disable automatic checking for updates, follow the below steps:
- Select Settings from the menu.
- In the Subscription Frequency section, click the toggle to enable or disable Automatically check for updates.
- If you are enabling automatic checking, set the desired Check Internal time and Interval settings.
- Click Apply Changes.
Note
The subscriptions managed on the Subscriptions page only apply to the system where BT Updater Enterprise is installed. Each installation of BT Updater Enterprise has its own database.
Note
For more information on managing subscriptions for clients connected to and receiving updates from BT Updater Enterprise, see Manage BT Updater Enterprise Client Subscriptions.
Use the Current Subscriptions List
Subscriptions are versioned packages that can be delivered to systems connected through BT Updater. The Current Subscriptions list shows all subscriptions that you are currently subscribed to, the version that has been delivered, and the version that is available for download. You can also search for current subscriptions using keywords in the Search current subscriptions box.
The Delivered column shows the version that has been downloaded or installed. Applicable icons are displayed for the subscription to indicate whether the package has been downloaded successfully, installed successfully, or if the upload has failed.
The Available column shows the version that is available for download in the BT Updater cloud environment. An icon may be displayed to indicate that a newer version is available for download.
If an update fails, a red exclamation mark icon is displayed next to the subscription. You can retry the update as follows:
- Click the vertical ellipsis for the subscription.
- In the Details window, click Retry where it indicates there was an error with the update.
The following table lists various icons found in the Current Subscriptions list.
Icon | What it means |
---|---|
Manual Install | Indicates the product was installed or updated externally from BT Updater. The manually installed version is displayed. |
Installed Successfully | Indicates a subscription update has been successfully installed. |
Update Failed | Indicates a subscription update has failed installation. You can retry the update by clicking More Options (vertical ellipsis) for the subscription, and clicking Retry where it indicates there was an error with the update. |
Downloaded Successfully | Indicates an update has been downloaded successfully. Some subscription updates are download-only and must be manually installed externally from BT Updater. When the subscription is selected, instructions for installation are provided in the Details pane. |
Newer Version Available | Indicates a newer version is available for the subscription, but not currently installed. This will be updated at scheduled settings or manually installed by clicking Update Now. |
Note
You can also review the log files to assist with troubleshooting any update failures. The log files are located in C:\ProgramData\BeyondTrust\Updater\Logs.
Lock and unlock a subscription version
You can lock your subscription at a particular version of the product so packages for the subscription are not downloaded. You might consider locking subscriptions for your production environment until you test the packages in your test environment. Locking a subscription also prevents the update from being downloaded. Once you have chosen a version to lock, that version will be installed according to scheduled settings or by clicking Update Now to install the downloaded version immediately.
Important
Once a version has been locked for BeyondInsight and Password Safe subscriptions, you commit to install the update at scheduled settings. You are required to manually update to the same lock version on all instances of BT Updater Enterprise or it could result in a loss of service. Best practice is to click Update Now once an update has been downloaded and then manually update all instances of BeyondInsight and Password Safe immediately.
To lock a subscription version, follow the below steps:
- Under Current Subscriptions, click the vertical ellipsis for the subscription, and then select Lock. This locks the subscription to the current delivered version.
- To lock a different version, in the Details pane, select the version from the drop-down list, and then click Lock.
- When you are ready to download and install new updates for the subscription, click the vertical ellipsis for the subscription, and then select Unlock.
Unsubscribe from a subscription
- In the Current Subscriptions list, click the vertical ellipsis for the subscription.
- Select Unsubscribe from the menu.
View release notes
Release notes for the current subscriptions are downloaded and available on the Subscriptions page. To view release notes for a subscription, follow the below steps.
- In the Current Subscriptions list, click the vertical ellipsis for the subscription.
- Select View release notes... from the menu.
- Select a version from the drop-down list to view the release notes for that version.
Subscribe to a subscription
On the Subscriptions > Other Available Subscriptions list, click Subscribe. You can also search for an available subscription by using a keyword search in the Search available subscriptions box.
Manage BT Updater Enterprise client subscriptions
The following features are available on the Client Subscriptions page:
- View client machines that are configured to receive updates from the BT Updater Enterprise server.
- Lock subscriptions to specific versions of products.
- Unlock your subscriptions.
- Set throttling rates that apply when updates are uploaded to client machines.
- Copy policy settings to the BT Updater Enterprise client machine (enabled by default).
Any changes that you apply on the Client Subscriptions page are reflected on the Activity Feed page. Client subscriptions apply to individual clients as configured on the Client Subscriptions page. They are unrelated to the subscriptions listed on the Subscriptions page, which are specific to the BT Updater Enterprise server itself.
Lock and unlock client subscription versions
To lock and unlock client subscription versions, follow the below steps:
- Log into the BT Updater website.
- Select Client Subscriptions from the menu.
- Select a client from the Client list and then click the vertical ellipsis icon.
- Select View Subscriptions. The subscriptions for this client are listed under the Subscription list.
- Select a subscription from the list, and then click the vertical ellipsis for the subscription.
- Select Version Lock/Unlock.
- To lock a different version, in the Details pane, select the version from the drop-down list, and then click Lock.
Note
Once you have locked a version, you have committed to update to that version at scheduled settings.
- When you are ready to download and install new updates for the subscription, click the vertical ellipsis for the subscription, and then select Unlock from the menu.
Client settings
The following client setting configuration options are available:
- To set a throttling rate for uploading updates to client machines, enter the maximum KB/day in the Upload Settings box.
- To copy settings from the BT Updater Enterprise server to its clients, click the toggle in the Policy box.
Once the Policy option has been enabled, the following settings are sent to Enterprise clients:
- Subscription frequency (update check interval).
- Download and publish schedule settings, including the configuration option Allow machine to reboot when required.
- Password changes. Changes will only be sent to the BT Updater Enterprise clients if the client is pointing to the root parent BT Updater Enterprise server.
Manage the BT Updater Network
You can use the BT Updater Enterprise website to centrally manage your clients receiving subscription details from the BT Updater Enterprise server. The clients are set up to receive policy and subscription information from the BT Updater Enterprise website.
View the network map
The network map is a visual representation of your clients. You can see if client machines are offline and view general health statistics for a client.
- Log into the BT Updater Enterprise website.
- Select Network from the menu.
- View the network map for the clients where the BT Updater tool is deployed.
- Click a client node to view detailed health information.
Note
The link will not be enabled if no health information is available.
- Click Send Analysis to Support to send health data to a cloud server for review by BeyondTrust Technical Support. Identifiable information such as IP addresses and computer names are removed before the data is sent.
Delete clients
BT Updater does not assume a client is invalid if it has not been online and checking for updates. If you have a client machine that no longer exists or is no longer configured to receive updates from your BT Updater Enterprise server, the client machine can be removed so that it no longer appears on the network map or the Client Subscriptions page. If the client comes back online and checks with the BT Updater Enterprise server for updates, it will show again as a client on the network map and Client Subscriptions page.
To remove a client, follow the below steps:
- Log into the BT Updater Enterprise website.
- Select Maintenance from the menu.
- Toggle Show only expired on or off as desired to filter Available clients, Available nodes, or both.
- To delete the client from the Client Subscriptions page, select the client from the list, and then click Delete Client.
- To delete the client from the Network page, select the node from the list, and then click Delete Node.
Audit Activity and Log Information in BT Updater Enterprise
BT Updater Enterprise uses Windows verbose logging. Log files for BT Updater are located in C:\ProgramData\BeyondTrust\Updater\Logs.
Update activity can be audited by viewing the Activity Feed page. All actions performed in BT Updater Enterprise, including client machine actions, are logged on the Activity Feed page.
To access the Activity Feed page, follow the below steps.
- Log into the BT Updater Enterprise website.
- Select Activity Feed from the menu.
- Select the Search by Term or Search by date option from the Search filter dropdown.
- If searching by term, you can search by the subscription name or the user name. The list will automatically display filtered search results.
- If searching by date, select your desired date range, and then click Apply Search to filter the list by specific dates.
You can also export the entire list of activity to a CSV file by clicking EXPORT AS CSV in the top right corner of the page.
Troubleshoot Connection
Firewall issues
If the BT Updater Enterprise server is unable to connect to the BT Updater cloud environment, verify that the firewall isn't blocking connectivity. To verify this, you can access the product updates landing page by visiting https://productupdates.beyondtrust.com/landing.html.
Upon successful connection, you receive a message stating you have successfully reached the service landing page. If you are unable to connect to the landing page, it is likely being blocked by the firewall.
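When the landing page cannot be opened in a browser on the server, a staged check shows whether name resolution, the TCP connection, or the HTTPS request is the step that fails. This is an added example, not BeyondTrust code: the function name Test-UpdateServicePath and its parameters are assumptions, and only the landing page URL comes from this guide.

```powershell
# Added example (not BeyondTrust code): report which stage of the path to the
# product update landing page fails from this server.
function Test-UpdateServicePath {
    [CmdletBinding()]
    param(
        [uri] $LandingUrl = 'https://productupdates.beyondtrust.com/landing.html',
        [uri] $Proxy,              # optional: the proxy configured in BT Updater, if any
        [int] $TimeoutSec = 10
    )

    $r = [ordered]@{
        Host = $LandingUrl.Host; Addresses = @(); TcpOpen = $false
        HttpStatus = $null; FailedAt = $null; Detail = $null
    }

    # Stage 1: DNS. A failure here is a resolver problem, not a firewall block.
    try {
        $r.Addresses = @([System.Net.Dns]::GetHostAddresses($LandingUrl.Host) |
                         ForEach-Object { $_.IPAddressToString })
    } catch {
        $r.FailedAt = 'DNS'; $r.Detail = $_.Exception.Message
        return [pscustomobject]$r
    }

    # Stage 2: direct TCP connect. Expected to fail where outbound traffic is
    # only allowed through a proxy, so the result is recorded but not fatal.
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $r.TcpOpen = $client.ConnectAsync($LandingUrl.Host, $LandingUrl.Port).Wait($TimeoutSec * 1000)
    } catch {
        $r.Detail = $_.Exception.Message
    } finally {
        $client.Close()
    }

    # Stage 3: HTTPS request. TLS 1.2 is enabled for this call because older
    # Windows PowerShell/.NET defaults may not offer it, which would show up
    # as a failure that has nothing to do with the firewall.
    $old = [Net.ServicePointManager]::SecurityProtocol
    try {
        [Net.ServicePointManager]::SecurityProtocol = $old -bor [Net.SecurityProtocolType]::Tls12
        $iwr = @{ Uri = $LandingUrl; UseBasicParsing = $true; TimeoutSec = $TimeoutSec }
        if ($Proxy) { $iwr.Proxy = $Proxy }
        $r.HttpStatus = [int](Invoke-WebRequest @iwr).StatusCode
    } catch {
        # TCP open but request failed: look at TLS inspection or an HTTP-level block.
        $r.FailedAt = if ($r.TcpOpen) { 'TLS/HTTP' } else { 'TCP' }
        $r.Detail   = $_.Exception.Message
    } finally {
        [Net.ServicePointManager]::SecurityProtocol = $old
    }

    [pscustomobject]$r
}

# Usage: run on the BT Updater Enterprise server itself.
# Test-UpdateServicePath | Format-List
```

A result with TcpOpen false and HttpStatus 200 means the request succeeded through a proxy rather than directly.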
CloudFlare IP addresses
To receive updates to your appliance, you must add the CloudFlare IP addresses to the allow list of any firewall or proxy server deployed in front of your BT Updater Enterprise instance.
Note
As of January 1, 2025, BeyondTrust Product Update Server changed from Imperva to CloudFlare. See Important notice about Imperva IP addresses for more information.
Note
For more information, see CloudFlare IP Addresses for a list of IP address ranges that are used by CloudFlare and for access to the CloudFlare API. These IP addresses may change. Refer to the above link for the most up-to-date IP addresses.
Important Notice about Imperva IP addresses
Important
As of January 1, 2025, BeyondTrust Product Update Server will NO LONGER be protected by Imperva cloud. Instead, BeyondTrust is switching over to CloudFlare.