Patch Management Solution

  • 1.  During window, check every: Set to 0 hours

    Posted Jul 16, 2015 03:20 PM

    Greetings;

    I have researched this question but I have to throw in the proverbial towel.

    In CMS 7.1 SP2, in the console, under Settings you can set the "Default Software Update Plug-in Policy" for scheduling patch installations.  Under the "Schedule:" section, there is a field that states "During window, check every:" with a field to enter a time.

    My question is: What is the result of having a check every value of "0 Hours", or "0 Minutes"?  Does it disable the check, constantly check, or produce some other unexpected result perhaps???

    I'm asking since we are exploring ways to minimize required reboots after the update cycle.  Hopefully setting the "check every" value to zero will produce a situation where the client agent will only check one time during the deployment window (which is set to a 2 hour period for user predictability).  Currently users are complaining of repeating reboots even though we have "at end of software update cycle" checked.  The most likely suspect is a failed patch out of a set which tried a second or third time, was successful, and rebooted the PC again.

    Any advice would be greatly appreciated...

    - Michael Babb



  • 2.  RE: During window, check every: Set to 0 hours

    Trusted Advisor
    Posted Jul 17, 2015 11:26 AM

    The "end of the software update cycle" will reboot when a computer's applicable set of patches apply.  Upon reboot it's often the case that the computer has now met a set of prerequisites and is eligible for one or more new patches.  This can result in the multiple reboots.

    We configure our workstation patch policy to apply patches three times a day and then reboot after a 12 hour deferrable timer.  That way, no matter when a computer is on, it will get patched and eventually rebooted.  We reserve the right to reboot right away if the severity or nature of the update necessitates it.

    I've been using the product a very long time now and I've never used the Schedule Window option for much of everything as the behavior is not very predictable.  In my industry, at least, lack of predictability is a big problem for us.

    You may want to look into using a Software Delivery policy triggering AeXPatchUtil.exe from the command line if you wanted more flexibility and customizability as to when you want the patch cycle to execute.



  • 3.  RE: During window, check every: Set to 0 hours

    Posted Jul 20, 2015 10:02 AM

    Thank you for your advice HighTower;

    It certainly helps my general situation and ongoing discussions with management on what reboot policy we should decide on.  It's helpful to know what is working for you and it certainly is a viable option for us to adopt.

    I'm still going to leave my question out there as long as possible though to see if anyone actually knows what setting the "check every" value to "0" does.  I've been asked to provide an answer on this but all the documentation I've gathered seems to skip giving enough detail in this section.

    Thanks again for the advice and help!  Much appreciated...

    - MB



  • 4.  RE: During window, check every: Set to 0 hours
    Best Answer

    Trusted Advisor
    Posted Jul 20, 2015 06:20 PM

    Applicable updates for a given computer are determined by an inventory process (Windows System Assessment Scan) which compares a set of the updates available for the given product set that you've configured.  The inventory result of this is imported into the SMP's database and then applicable updates are advertised to that computer.  This is an ongoing process and does NOT happen as quickly as the native Windows Update process.

    Where I'm going with this is that even if you had the policy configured to make the client hammer away checking for new updates it likely will not (edit) work that way.  You'll need to take into consideration your Windows System Assessment Scan frequency, your agent check-in interval config, and the filter/target update interval on the backend.

    Usually after the initial implementation period when there are lots of clients trying to get caught up on lots of updates things settle down a bit.  You should also do an assessment to determine how frequently your computers reboot and how long your business/industry will tolerate patched computers not rebooting right away, or even within a few days.  You might be able to postpone reboots to an off-hour or some other time.