Patch Management Solution

  • 1.  How to catch up patches which require approval

    Posted Nov 05, 2013 12:21 PM
    Still trying to automate our patching... I have all MSFT servers in one filter, targeting via OS. I have another filter for Exceptions. I have to wait for the patches to be approved (sometimes 2-3 months later) to install patches. The monthly policy targets the "All MSFT Servers - Exceptions" filter. Now, once the patches are approved, I want to get them installed without creating separate policies. If I do all the filters manually, I cannot guarantee that servers won't drop through the cracks. I could target "All MSFT Servers - Exceptions" + "New group of previous exceptions" but I don't think that will work. Something like this:

    Jan: OS - Exceptions + new group
    Feb: OS - Exceptions + new group
    Mar: OS - Exceptions

    I can't pull the servers out of the Exceptions list, because March's patches will be applied. I don't want to create new policies for every group of exceptions. Please assist. Thanks, S.....


  • 2.  RE: How to catch up patches which require approval

    Posted Nov 07, 2013 01:26 PM

    Hello Svillar,

         To clarify: the individual Software Update Policies merely deploy the packages to the client. Albeit a 'loaded gun' at that point, someone will still need to pull the trigger in order for the Software Updates to install.

    You could work through the following:

    1. Clone the Default Software Update Plug-in Policy (DSUP) found on the Console > Settings > All Settings > Agents/Plug-ins > Software > Patch Management > Windows.

         a. Configure each cloned DSUP to target the individual groups needing the separate installation schedule.

         b. Ensure the setting: 'Allow user to run' is disabled on each DSUP.

         Caution 1: Ensure the clients are only targeted by one DSUP, for as clients are included in multiple filters, it is possible for a client to be targeted by multiple DSUP Policies, and this will cause undesired behavior (install outside schedule etc.).

         Caution 2: If the Software Update Cycle is never to be run on the client via automation, configure the DSUP to execute in the far future (e.g. 1/1/2030).

     

    2. Configure the Software Update Policies to target the 'All Windows Computers with Software Update Plug-in Installed'

         a. Configure the Software Update Policies by disabling any 'Run (other than agent default)' settings (i.e. 'As soon as possible' or 'On schedule') to ensure the client abides by the DSUP, for these settings on the Software Update Policy will override the DSUP schedule.

         b. To control the deployment of updates to the controlled clients, you will still need to modify the targeted filter, for the DSUP merely 'pulls the trigger' and these policies get the updates in place.
     

         This configuration should allow for each targeted client to download the vulnerable Software Update Packages. The client will hold the updates in a 'Scheduled' status until the Software Update Cycle executes as scheduled on the DSUP.

    --BE SURE TO TEST THIS PROCESS; this will help you see the behavior and work out any glitches.

         As long as the user is not able to execute the Software Update Cycle, and the DSUP is scheduled appropriately, you should see the desired behavior. Additionally, these configurations of Patch Management, best practices etc. are outlined on KM: HOWTO56242.



  • 3.  RE: How to catch up patches which require approval

    Posted Nov 07, 2013 01:39 PM
    Hi Joshua, Thanks for replying. I think what you are explaining isn't solving my issue, or I'm not fully explaining. The issue is that I want all of my machines to get all CURRENT patches, as set up in Monthly SUPs, EXCEPT one or two groups of machines which get MOST of the patches (these vendors haven't tested the CURRENT patches yet). They will always be behind:

    Dec 1: 500 computers get all November and before patches except 10 servers. 10 servers get all October and before patches.
    Jan 1: 500 computers get all December and before patches except 10 servers. 10 servers get all November and before patches.

    How can I do that without creating separate Software Update Policies? Thanks again, Scott.....


  • 4.  RE: How to catch up patches which require approval

    Posted Nov 07, 2013 04:25 PM

    Thank you for the clarification, for I read this as installation of patches and not downloading or "getting patches."

    Unfortunately, once you have assigned a targeted filter to a Software Update Policy, ALL targeted clients will update configuration, receive the Software Update Policy, and download the packages.

    I have been researching this throughout the day and these are the only available processes:

         1. You will need to modify the individual Software Update Policies, amending which filters are targeted when they need to be deployed to the different groups in your environment.

         2. Create a new Software Update Policy and target the clients as they are added. Keep in mind that the more Software Update Policies you add, the longer the Revise/Superseded process takes on the PMImport, and it will put more strain on the SMP during that download time.

    I wish there was more that could be done in this instance. I will continue to research this request, and I will update the post as I find further info.

    Joshua




  • 5.  RE: How to catch up patches which require approval
    Best Answer

    Trusted Advisor
    Posted Dec 06, 2013 03:54 PM

    I do the very thing that you're suggesting.  I have multiple filters of computers that I target for patch, a Software Update Plug-In Policy unique for each of those filters for scheduling and agent behavior, and all of my Software Update Policies bundled by month (one for Security Bulletins, one for Windows Updates, one for Adobe....etc).

    Inside each SUP you can configure which targets/filters the policy applies to.  Yes, it's tedious, but each month I change the appropriate SUPs to point to the next appropriate filter.
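    As an added example that is not part of this thread (it models the rolling scheme from posts 2, 3 and 5, with constructed server names, SUP months and DSUP names), a small Python audit that flags the two failure modes raised above: servers targeted by zero or several DSUPs (Caution 1), and servers a monthly SUP should target but does not once the Exceptions filter is moved along each month:

```python
# Constructed example (not the product's code) modelling the rolling SUP
# targeting in this thread, so two audits run before each cycle: Caution 1
# (exactly one DSUP per server) and the original worry that a server drops
# through the cracks. Months are (year, month); SUP (2013, 11) = November.
from collections import defaultdict

def prev_month(ym, n=1):
    """Return the (year, month) tuple n months before ym."""
    idx = ym[0] * 12 + (ym[1] - 1) - n
    return (idx // 12, idx % 12 + 1)

def expected_sup_targets(cycle, all_servers, exceptions, sup_months, lag=1):
    """Servers each monthly SUP should target on the given cycle date.
    Regular servers get every SUP up to last month; the exception group is
    one extra month behind (vendor approval pending), as in post 3."""
    regular = set(all_servers) - set(exceptions)
    plan = {}
    for m in sup_months:
        targets = set()
        if m <= prev_month(cycle):            # approved for everyone
            targets |= regular
        if m <= prev_month(cycle, 1 + lag):   # exception vendor has caught up
            targets |= set(exceptions)
        plan[m] = targets
    return plan

def dsup_conflicts(dsup_members, all_servers):
    """Servers targeted by zero or more than one Software Update Plug-in Policy."""
    hits = defaultdict(list)
    for name, members in dsup_members.items():
        for s in members:
            hits[s].append(name)
    return {s: hits[s] for s in sorted(all_servers) if len(hits[s]) != 1}

def coverage_gaps(actual, expected):
    """Per SUP, the servers it should target this cycle but does not."""
    gaps = {m: expected[m] - actual.get(m, set()) for m in expected}
    return {m: missing for m, missing in gaps.items() if missing}

# Constructed inventory: 20 servers, two on the lagging vendor's list.
SERVERS = frozenset(f"srv{i:02d}" for i in range(1, 21))
EXCEPTIONS = frozenset({"srv19", "srv20"})
SUP_MONTHS = [(2013, 10), (2013, 11), (2013, 12)]
# Jan 1 2014 as configured: Exceptions never added back to the November SUP.
ACTUAL_JAN = {(2013, 10): set(SERVERS),
              (2013, 11): set(SERVERS) - EXCEPTIONS,
              (2013, 12): set(SERVERS) - EXCEPTIONS}
# Cloned DSUPs: srv10 landed in both filters, srv05 in neither.
DSUPS = {"DSUP-Prod": set(SERVERS) - {"srv05", "srv19", "srv20"},
         "DSUP-Exceptions": set(EXCEPTIONS) | {"srv10"}}
```

    Running `coverage_gaps(ACTUAL_JAN, expected_sup_targets((2014, 1), SERVERS, EXCEPTIONS, SUP_MONTHS))` reports srv19 and srv20 missing from the November SUP, which is exactly the gap the monthly filter shuffle has to avoid.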

     



  • 6.  RE: How to catch up patches which require approval

    Trusted Advisor
    Posted Jan 27, 2014 03:41 PM

    Did any of these suggestions help you out or do you still need assistance?  If not, let's close this thread.  Thanks!



  • 7.  RE: How to catch up patches which require approval

    Posted Jan 28, 2014 07:01 AM

    Thanks for all of your thoughts.  I am using the policy to include filters after the group of servers has been approved.  I simply add the filter to the previous SUP (as stated above) and it works.

     

    As Hightower said... tedious, but it works.