Working with patch policies

This topic provides instructions on adding, viewing, editing, disabling, or removing patch policies. 

To understand the concept of patch policies, see Patch policies.

Adding a patch policy

On the Manage > Patch Policies page, click Add Policy and do the following:

  1. Enter a unique name for the policy. 
    A patch policy name must always be unique, even if users with different roles create the policy.
  2. Click Browse to select a catalog.
    Catalogs are created in TrueSight Server Automation.
  3. Click  and choose one of the policy filters:
    • Patch Classifications (only for Windows). Select this filter to scan assets based on classifications such as Security Patches, Security Tools, and Non-Security Patches.
      To skip service packs while scanning assets, select Exclude Service Packs.
    • Include Patch Groups. Select this filter to scan assets based on the patch groups that exist in Server Automation. 
      To exclude a specific set of patches, select one or more patch groups and save your options. 
  4. To specify targets, do one of the following:
    • Select all assets enrolled in the endpoint manager.
    • Select Asset Groups (server groups or server smart groups in Server Automation) and then select one or more groups. 
  5. In the Patch Schedule section, specify a schedule for the policy:
    • Daily: Click the clock icon in the Time field, and specify the time.
    • Weekly
      1. From the Recur Every list, select the number of weeks after which the policy should run again. 
      2. Click the clock icon in the Time field, and specify the time.
      3. Specify the days of the week when the schedule should run.
    • Monthly: Click the clock icon in the Time field, specify the time, and then specify one of these options:

      • Specify the frequency (first, second, third, or fourth) and the day of the week for the schedule.

      • Specify the day in every month when the schedule should run. 
      • Select the last day of every month.  

      The schedule summary is displayed.

      Can I schedule a policy in another timezone?

      No. Automation Console shows the browser time zone. You can only schedule policy scans in the local time zone.

After you save the patch policy, it is enabled and appears on the Manage Policies page. When you create a policy, it is saved in Server Automation at the Jobs/<username>_<user_role>/<Policy_Name> location.

Execute patch policy

You can run a patch policy instantly after adding it. You cannot execute a policy that is disabled or already running.

On the Manage > Patch Policies page, do the following:

  1. Select a policy and click Actions > Execute now.
  2. Click Continue.

Viewing patch policy results

After a policy runs on the selected assets according to the schedule, the results are displayed on the Manage Patch Policies page.

You can see the policies available in the product and additional information such as name, scope of the policy scan according to the assets, the date and time of the last run, and the status.

On the Manage > Patch Policies page, do the following:

  1. Click the policy name.
    The Scan Run Results page shows results of each policy scan according to the schedule.
  2. To view results for any previous scan, click on the scan in the Scan Start Time column. 
    The following image shows the results of a policy scan.

    The following details are displayed: 
    • Total number of assets scanned by the policy
    • Number of assets that were scanned successfully or with warnings, and the number of failed scans
    • List of assets scanned by the policy and the number of missing and installed patches on these assets
    • Log for the policy that contains errors and warnings, if any
    • Date, time, and duration of the policy scan
  3. To view the policy results for each asset, click the asset name.

    You can see each installed and missing patch identified on the selected asset.

Editing a patch policy

When you edit, disable, or remove a policy, all missing patches displayed after the last scan are removed from the Automation Console.

On the Manage > Patch Policies page, do the following:

  1. Select a policy and click Actions > Edit.
  2. Update the policy details, and click Update.

Missing patches according to the new configurations are displayed after a successful scan.

Disabling and enabling a policy

You might want to stop running a scanning policy for a while, or the policy might no longer be relevant. To stop the policy from running, disable the policy.

On the Manage > Patch Policies page, do these steps: 

  • Select a policy, click Actions > Disable, and then click Continue.
    The policy status changes to Disabled and the policy no longer runs according to the schedule. It still appears in the patch policy list.
  • To view details of a disabled policy, click Actions > View.
  • Select a policy and click Actions > Enable.
    The policy status changes to Enabled and the policy runs according to the schedule. New missing patches are reported after a successful scan. 

Removing a patch policy

You cannot delete a policy if it is used by any operation. In such a case, delete the operation first, and then delete the policy. 

When you remove a policy from the Automation Console, it continues to exist in TrueSight Server Automation.

On the Manage > Patch Policies page, do the following:

  1. Select a policy and click Actions > Remove.
  2. Click Continue.