Hello, we are looking at moving away from SCCM and use Automox for our updates. What is best practice to configure a policy that will update severe and high updates once every 30 days?
I have Install Optional and Recommended Windows Updates enabled, package targeting is Critical and High
Device Targeting with Attribute = OS, Condition = In and Value = Windows. I do not have a schedule assigned as I need to test this manually first.
User Notifications are set as:
Install Notifications are disabled
Reboot Notifications are enabled
Enable deferrals, enable automatic deferrals enabled, with hourly deferrals set as 1 hour, 2 hours, and 3 hours. Max deferrals is set as 3.
@hadolf! Great question, you can handle this with either a “By Severity” or an “Advanced Policy”
This one is pretty straight-forward, you can create a By Severity Patch Policy and select Critical and High, or more if you like. This will patch any devices that has a CVE score of Critical or High in scope to the device.
With an Advance Policy, you can choose similar to what you see above, but the added benefit is you can add something called “Patch Age.” Patch Age mixed with Severity will only updated devices that need a patch with High or greater as long as the patch is older than 30 days. Patch Tuesday isn’t always 30 days apart however, so I usually recommend slimming it down to 21-27 days (up to you based on your SLAs of course.)
This one can be tailored to your needs, but you can see here my Schedule is the 3rd Tuesday of every month. In this scenario, I’m only patching once a month, and that’s a full week after Patch Tuesday.
Hope this helps answer your question!