We currently have our policies configured to patch at a specific time and to reboot 2 hours later. The policy is configured as follows.
- Patch: 1 AM
- Reboot: 3 AM
- "At end of software update cycle" is not checked.
For the most part, the above policy works as planned. However, we have had some issues where some machines are not fully patched after installing monthly updates and rebooting. This happens either because the machine is in a "reboot pending" status and cannot install additional updates or because additional updates become applicable after a pre-requisite update has been installed. To clarify:
1. Monthly patches install as configured.
2. Machine reboots as configured.
3. Vulnerability Analysis runs and determines additional patches are required.
4. Additional patches are downloaded and are scheduled to run during next month's patching window.
In the above scenario, it would be ideal if step 4 executed in the current patch window. To accomplish this, we're thinking of reconfiguring our policies to patch over an extended 4-6 hour window and using the "At end of software update cycle" option to force reboots. The hope is that, by using a window of time to patch in conjunction with the "At end of software update cycle" option, the machines will be able to reboot and patch multiple times within the patching window as follows.
1. Patch window opens.
2. Monthly patches install as configured.
3. Machines reboot as configured.
4. Vulnerability Analysis runs and determines that additional patches are required.
5. Additional patches download and install.
6. Machines reboot as configured.
7. Repeat 2-6 as needed.
8. Patch window closes.
The Patch Management user guide states that the "At end of software update cycle" option will force machines to "restart after all updates in a single update cycle have been installed." It is not clear if the option will allow for multiple reboots within a given patch window. Any insight into this would be a big help.
Thanks!
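Added example, not part of the original post and not code from the patch management product: a PowerShell check to run on an endpoint after the patch window closes, to confirm whether the two conditions described above (the machine is still "reboot pending", or further updates became applicable after the reboot) are actually present. It assumes Windows endpoints, an elevated session, and that the endpoint can reach its configured update source for the Windows Update Agent search; the function names `Test-PendingReboot` and `Get-ApplicableUpdateCount` are my own.

```powershell
# Post-patch-window verification for a Windows endpoint (added example).
# Assumptions: Windows, elevated PowerShell, update source reachable for the WUA search.

function Test-PendingReboot {
    # Returns an object describing whether a restart is still pending and why.
    [CmdletBinding()]
    param()

    $reasons = @()

    # Component Based Servicing sets this key when a servicing operation needs a restart.
    if (Test-Path 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing\RebootPending') {
        $reasons += 'CBS RebootPending'
    }

    # The Windows Update agent sets this key after installing updates that need a restart.
    if (Test-Path 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\RebootRequired') {
        $reasons += 'WindowsUpdate RebootRequired'
    }

    # Files queued for rename or delete at next boot (in-use binaries replaced by an update).
    $sm = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager' -ErrorAction SilentlyContinue
    if ($sm -and $sm.PendingFileRenameOperations) {
        $reasons += 'PendingFileRenameOperations'
    }

    [PSCustomObject]@{
        ComputerName  = $env:COMPUTERNAME
        LastBootTime  = (Get-CimInstance -ClassName Win32_OperatingSystem).LastBootUpTime
        RebootPending = ($reasons.Count -gt 0)
        Reasons       = ($reasons -join '; ')
    }
}

function Get-ApplicableUpdateCount {
    # Asks the Windows Update Agent (COM) how many updates are still applicable
    # but not installed. This is the same kind of post-reboot re-evaluation the
    # post calls "Vulnerability Analysis"; a non-zero count after the window
    # means a second install/reboot pass was needed.
    [CmdletBinding()]
    param()

    try {
        $session  = New-Object -ComObject 'Microsoft.Update.Session'
        $searcher = $session.CreateUpdateSearcher()
        $result   = $searcher.Search('IsInstalled=0 and IsHidden=0')
        return [int]$result.Updates.Count
    }
    catch {
        Write-Warning "Windows Update search failed: $($_.Exception.Message)"
        return $null   # unknown, not zero; do not treat a failed search as "fully patched"
    }
}

# Usage: run after the patch window closes and collect the results centrally.
$state = Test-PendingReboot
$state | Format-List

$remaining = Get-ApplicableUpdateCount
if ($state.RebootPending) {
    Write-Warning "Restart still pending ($($state.Reasons)); further installs will be blocked until reboot."
}
if ($null -ne $remaining -and $remaining -gt 0) {
    Write-Warning "$remaining update(s) still applicable after the window; a second install/reboot pass is needed."
}
```

The two checks map directly to the two failure modes in the post: a non-empty `Reasons` field means the machine left the window in the "reboot pending" state, and a non-zero applicable count means updates became applicable only after the reboot. Running this on a sample of machines before and after changing the policy gives a concrete measure of whether the extended window with "At end of software update cycle" actually achieves the repeat install/reboot loop.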