Patch Management Solution

  • 1.  Patch Management "At end of software update cycle" Reboot Option Clarification

    Posted Nov 29, 2011 10:35 AM

    We currently have our policies configured to patch at a specific time and to reboot 2 hours later. The policy is configured as follows.

    1. Patch 1AM
    2. Reboot 3AM. 
    3. "At end of software update cycle" is not checked.

    For the most part, the above policy works as planned. However, we have had some issues where some machines are not fully patched after installing monthly updates and rebooting. This happens either because the machine is in a "reboot pending" status and cannot install additional updates or because additional updates become applicable after a prerequisite update has been installed. To clarify:

    1. Monthly patches install as configured.
    2. Machine reboots as configured.
    3. Vulnerability Analysis runs and determines additional patches are required.
    4. Additional patches downloaded and are scheduled to run during next month's patching window.

    In the above scenario, it would be ideal if step 4 executed in the current patch window. To accomplish this, we're thinking of reconfiguring our policies to patch over an extended 4-6 hour window and using the "At end of software update cycle" option to force reboots. The hope is that, by using a window of time to patch in conjunction with the "At end of software update cycle" option, the machines will be able to reboot and patch multiple times within the patching window as follows.

    1. Patch window opens.
    2. Monthly patches install as configured.
    3. Machines reboot as configured.
    4. Vulnerability Analysis runs and determines that additional patches are required.
    5. Additional patches download and install.
    6. Machines reboot as configured.
    7. Repeat 2-6 as needed.
    8. Patch window closes.

    The Patch Management user guide states that the "At end of software update cycle" option will force machines to "restart after all updates in a single update cycle have been installed." It is not clear if the option will allow for multiple reboots within a given patch window. Any insight into this would be a big help.

    Thanks!
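    The two policies described in the post, as an added example that is not part of the thread and not Symantec's agent code: a small Python model of the behaviour the poster describes (installs stop once an update leaves the machine "reboot pending", and some updates only become applicable after a prerequisite is installed). The update names, the catalogue order and the agent rules are constructed assumptions for illustration; the model shows why a single patch-then-reboot pass leaves updates for next month, while repeating install/reboot cycles inside one window drains the queue.

```python
"""Added example (not from the thread): models why one patch-then-reboot
cycle leaves machines partly patched and how repeating install/reboot
cycles inside a window reaches a stable state. Update names are constructed."""
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Update:
    name: str
    needs_reboot: bool
    prerequisites: frozenset = frozenset()  # must be installed before this one applies


# Constructed sample catalogue; hypothetical names, not real KB numbers.
# Order matters: the agent walks the applicable list in this order.
CATALOGUE = (
    Update("app-hotfix", needs_reboot=False),
    Update("servicing-stack", needs_reboot=True),
    Update("browser-fix", needs_reboot=False),
    Update("cumulative-rollup", needs_reboot=True,
           prerequisites=frozenset({"servicing-stack"})),
    Update("rollup-followup", needs_reboot=False,
           prerequisites=frozenset({"cumulative-rollup"})),
)


@dataclass
class Machine:
    installed: set = field(default_factory=set)
    reboot_pending: bool = False

    def vulnerability_analysis(self, catalogue):
        """Applicable = not yet installed and every prerequisite already installed."""
        return [u for u in catalogue
                if u.name not in self.installed and u.prerequisites <= self.installed]


def software_update_cycle(machine, catalogue):
    """One install pass over the analysis snapshot taken at its start.
    Assumed agent rule: once an update sets 'reboot pending', nothing more installs."""
    done = []
    for u in machine.vulnerability_analysis(catalogue):
        if machine.reboot_pending:
            break
        machine.installed.add(u.name)
        done.append(u.name)
        if u.needs_reboot:
            machine.reboot_pending = True
    return done


def reboot(machine):
    machine.reboot_pending = False


def fixed_time_policy(catalogue):
    """Patch at 1AM, reboot at 3AM, nothing more until next month's window."""
    m = Machine()
    software_update_cycle(m, catalogue)
    reboot(m)
    return m


def windowed_policy(catalogue, max_cycles=10):
    """Reboot 'at end of software update cycle', re-analyse, and repeat until
    analysis finds nothing applicable or the window runs out (max_cycles)."""
    m = Machine()
    cycles = 0
    while cycles < max_cycles:
        cycles += 1
        software_update_cycle(m, catalogue)
        if m.reboot_pending:
            reboot(m)
        if not m.vulnerability_analysis(catalogue):
            break
    return m, cycles


def still_missing(machine, catalogue):
    """Names of catalogue updates not installed, sorted for stable comparison."""
    return sorted(u.name for u in catalogue if u.name not in machine.installed)


if __name__ == "__main__":
    one = fixed_time_policy(CATALOGUE)
    print("fixed-time policy leaves unpatched:", still_missing(one, CATALOGUE))
    many, n = windowed_policy(CATALOGUE)
    print(f"windowed policy after {n} cycles leaves unpatched:", still_missing(many, CATALOGUE))
```

    With this catalogue the fixed-time policy installs only two updates before the servicing-stack reboot blocks the rest, while the windowed policy needs three install/reboot cycles to reach a state where analysis finds nothing applicable. The `max_cycles` bound stands in for the patch window closing, so a machine that never stabilises cannot loop forever.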



  • 2.  RE: Patch Management "At end of software update cycle" Reboot Option Clarification

    Posted Nov 29, 2011 01:25 PM

    The option for multiple reboots is not available as it used to be for NS 6. Our remediation cycle is to run daily at night with a scheduled reboot at a later time. So if there are multiple patches to be applied and, out of these, one requires a reboot to be completed, the part of the patches up to the patch requiring the reboot will be applied in this cycle and the remaining ones the next night, and the process continues in that way.


    Regards


    Ciscoman.



  • 3.  RE: Patch Management "At end of software update cycle" Reboot Option Clarification

    Posted Dec 07, 2011 12:06 PM

    I was reading your scheduling for patch management. Are your computers running all night long, or do you wake them up?

    Choosing the installation time is very hard for us because we can't wake up the computers, we don't want to leave the computers running all night, and patch operations during working hours are difficult (they slow the computers down, and patches don't install because programs are open).

    The best solution would be to install the patches at computer shutdown, like WSUS. I don't know why this option is not implemented...




  • 4.  RE: Patch Management "At end of software update cycle" Reboot Option Clarification

    Broadcom Employee
    Posted Jan 04, 2012 07:26 AM

    Hi mlombardo,

    You are correct, the "At end of software update cycle" option will allow the machines to reboot and patch multiple times within the patching window.

    The scenario you mentioned in your initial post should work well.