Automating Patch Management

After you have defined all your patching requirements and understand how the patching process works, you can set it up so that it is completely automated. The following topics guide you through automating patch management:

Defining automated patch management

Patch jobs let you define once which type of patches is applied to which products and targets; the job then runs continuously without manual intervention. Any new patches that become available for the defined product are automatically downloaded, assigned to the relevant devices and installed on them without any action on your part. Patch jobs are created via the patch wizard.

  1. Click the Wizards > Patch/Service Pack Distribution command to call the Patch/Service Pack Distribution Wizard.
  2. Enter a name in the Add patches to this patch job: field.
  3. Click Next.
  4. Check the Patch only these selected products: radio button and select one product from the list, that is, the operating system of one of your target devices. Do not select Microsoft Office, as this product requires specific configuration, which is explained in another example.
  5. Click Next.
  6. Select the Daily option under the Recurr: parameter of the Deployment Schedule panel.
  7. Select the Deploy anytime according to the above schedule radio button of the Time Period panel.
  8. Click Next.
  9. Click Assign Device.
  10. Select the target device from the list box, for example the device on which you are currently working.
  11. Click OK to confirm.
  12. Click Finish now to confirm all settings and finish this wizard.

The patch job is now defined. It starts checking for patches that are missing on the assigned devices and begins downloading them.

Monitoring automated patching

As the patch job automatically executes all tasks, you only need to check once in a while that everything is running smoothly.

  1. Select the Patch Management > Patch Jobs > Your Patch Job node in the left tree hierarchy.

    The upper half of the right pane shows a recap of your patch job definitions:

    • Patch Job Filters: The following lines display the type and severity of the patches included in the patch job.
    • Patch in the following product: Displays the list of products for which patches are included in the job.
    • Patch Window: Displays the schedule for the patch job.
  2. You can click any of these titles to open the Patch/Service Pack Distribution Wizard and make modifications to these definitions.
  3. Click Finish when you are done. All modifications become applicable immediately and the display is updated.
  4. In the lower part, the Active Patches tab is preselected and shows the progress of the job execution for each patch that is part of the job.
  5. Select the Assigned Devices tab.
  6. Select a device, right-click it and then select the Details option from the pop-up menu.

    The window that appears lists all patches that are currently missing on the selected device for the product, type and severity selected in the patch job, together with their details and the current patch application status.

Scheduling monthly patch installation

Patch Job Windows are timeframes that you define and in which the patch job installs the missing patches on the target devices. You can schedule daily, weekly or monthly installation windows, or you can switch off the schedule as we have done for our main patch job example. This option defines a window that allows the patch packages to be transferred to the target devices at any time, so that they are ready when the time of the patch window arrives. This window allows the installation to start every second Saturday of the month at 1 o'clock in the morning and run its course until all missing patches are installed, as no end time will be specified.

  1. Select the Patch Management > Patch Jobs > Your Patch Job node in the left tree hierarchy.
  2. In the right pane click the Patch Window link.
  3. Select the Monthly option under the Recurr: parameter of the Deployment Schedule panel.
  4. In the table that appears to the right, click the 2nd cell and the last S, which stands for Saturday.
  5. Select the Deploy only during this time radio button of the Time Period panel.
  6. In the now accessible list box select the option Allow files to be downloaded to devices prior to start time.
  7. Select the 01:00 am value for the Start time.
  8. Click Finish.
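
A monthly window also fixes how long a patch that has already been downloaded waits before installation can start. The following added example (not part of the product or its documentation) computes that delay for the window defined above; the function names are hypothetical, and it assumes the 2nd row of the table means the second Saturday that falls in the month.

```python
from datetime import datetime, timedelta

SATURDAY = 5  # datetime.weekday(): Monday=0 ... Sunday=6


def second_saturday_start(year, month, hour=1):
    """Monthly window start: second Saturday of the month at 01:00.

    Assumption: "2nd" means the second Saturday in the month, so the
    start always falls on day 8..14.
    """
    first = datetime(year, month, 1, hour)
    to_first_saturday = (SATURDAY - first.weekday()) % 7
    return first + timedelta(days=to_first_saturday + 7)


def next_monthly_window(after):
    """First window start strictly later than `after`."""
    year, month = after.year, after.month
    while True:
        start = second_saturday_start(year, month)
        if start > after:
            return start
        year, month = (year + 1, 1) if month == 12 else (year, month + 1)


def install_delay(available_at):
    """Time a patch waits between being available on the device
    (files may be downloaded before the start time) and install start."""
    return next_monthly_window(available_at) - available_at


def worst_case_delay(year):
    """Longest gap between consecutive window starts that begin in `year`."""
    starts = [second_saturday_start(year, m) for m in range(1, 13)]
    starts.append(second_saturday_start(year + 1, 1))
    return max(later - earlier for earlier, later in zip(starts, starts[1:]))


if __name__ == "__main__":
    # Constructed sample: patch arrives one hour after the January 2024 start.
    arrived = datetime(2024, 1, 13, 2, 0)
    print("next window:", next_monthly_window(arrived))
    print("waits:", install_delay(arrived))
    print("worst case in 2024:", worst_case_delay(2024))
```

Consecutive second Saturdays are 28 or 35 days apart, so a patch that arrives just after a window has started can wait up to five weeks under this schedule.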

Scheduling weekly patch installation

This example defines a window very similar to the previous one, with the difference that the patch installation occurs on a weekly schedule and is limited from Saturday morning to Sunday night, to ensure that the installation does not interfere with the working week.

  1. Select the Patch Management > Patch Jobs > Your Patch Job node in the left tree hierarchy.
  2. In the right pane click the Patch Window link.
  3. Select the Weekly option under the Recurr: parameter of the Deployment Schedule panel.
  4. In the table that appears to the right, click the M and the last S, which stand for Monday and Saturday, while holding the CTRL key.
  5. Select the Deploy only during this time radio button of the Time Period panel.
  6. In the now accessible list box select the option Allow files to be downloaded to devices prior to start time.
  7. Clear the No End Time. Run Till Completed. box.
  8. Select the 01:00 am value for the Start: time and 03:00 am as the End: time.
  9. Click Finish.

    Be aware that the last started patch installation is not interrupted when the specified end time arrives; it finishes installing.

This version of the documentation is no longer supported. However, the documentation is available for your convenience.