Automated Policy Execution - Apply all current and future patches up to policy baseline in single execution

Hey all!

Due to some of our servers only being able to take an outage once every 6 months (cringe), we need a way to ensure newly relevant patches are applied after an initial policy execution. Short of requiring our patching administrators to manually click ‘execute policy’ again after it’s completed the first time, has anyone found a way to ensure any patches that become relevant after the initial policy execution are still applied during the same execution? This is critical for us to continue automating our patch process to be as hands-off as possible.

Looking for something like a feature that applies all currently relevant and future relevant patches for the system up to the designated policy baseline.

Any guidance would be appreciated!!


Hi @habrnero,

Thank you for the feedback!

By server outage, do you mean the servers rebooting to complete a patching cycle (where applicable) or patching in general?

As for policy execution, can you elaborate more on this manual execution of policies? It will help us understand more of your challenge and how to assist you. I’m also curious to see what this brings up as problems in our product to note that for our roadmap.

Thank you!


Currently, we schedule ‘patch windows’ where customers are aware that patching will be taking place over ‘x’ hours on ‘y’ day. This time frame is all we have to get servers up to date and aligned with the policy that has been set.

Unfortunately, we’re still working on getting customers to patch more often, so sometimes there are patches that are prerequisites to other patches showing up that don’t appear until after a patch cycle and reboot have occurred. Since this is potentially our only opportunity to get these systems up to date for several months, it’s important for us to try to re-scan and apply any new patches that become relevant during that window as a result of prerequisite patches completing their installation.

This becomes difficult to maintain from a manual perspective as we scale out across many different groups and execution times. As of right now, we’re asking our patching admins to re-execute the policy a second time during that window after it has completed in case any new patches become relevant.

Unfortunately this is a tough problem to solve, given the way Microsoft sets up their cumulative & exclusive patches.

One workaround we’ve suggested in the past is setting up two identical policies that run at least 30 minutes apart. That way, if there’s an exclusive patch, it will rerun the policy after that completes and catch any additional patches that open up, both on the same day when you’re allowed to reboot the servers.

Given your 6 month window, it’s not often that there are two exclusive patches that would happen within that time-frame. But the above workaround should take care of those. Would that work for you?

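The two-policy workaround above is one instance of a more general loop: scan, install, re-scan until nothing new is applicable or a reboot is needed. As an added example that is not from this thread or any vendor product, the script below does that with the Windows Update Agent COM API (Microsoft.Update.Session); it assumes an elevated PowerShell session on the target server and that the maintenance-window orchestration handles the reboot and re-runs the script.

```powershell
# Added example (not the vendor's code). Assumes the Windows Update Agent COM API
# and an elevated session. Repeats scan -> download -> install until a scan finds
# nothing new or a reboot is required, so patches that only become applicable
# after a prerequisite installs are caught within a single maintenance window.
param(
    [int]$MaxPasses = 5,   # upper bound on scan/install cycles per run
    [string]$Criteria = "IsInstalled=0 and IsHidden=0 and Type='Software'"
)

$session  = New-Object -ComObject Microsoft.Update.Session
$searcher = $session.CreateUpdateSearcher()

for ($pass = 1; $pass -le $MaxPasses; $pass++) {
    $found = $searcher.Search($Criteria).Updates
    if ($found.Count -eq 0) {
        Write-Host "Pass $($pass): no applicable updates remain; baseline reached."
        exit 0
    }
    Write-Host "Pass $($pass): $($found.Count) applicable update(s)"
    foreach ($u in $found) { Write-Host "  - $($u.Title)" }

    $toInstall = New-Object -ComObject Microsoft.Update.UpdateColl
    foreach ($u in $found) {
        if (-not $u.EulaAccepted) { $u.AcceptEula() }
        [void]$toInstall.Add($u)
    }

    $downloader = $session.CreateUpdateDownloader()
    $downloader.Updates = $toInstall
    [void]$downloader.Download()

    $installer = $session.CreateUpdateInstaller()
    $installer.Updates = $toInstall
    $result = $installer.Install()

    # OperationResultCode: 2 = succeeded, 3 = succeeded with errors, 4 = failed
    Write-Host "Pass $($pass): install result code $($result.ResultCode)"
    if ($result.RebootRequired) {
        # An exclusive patch needs a restart before dependent patches become
        # visible; hand control back so the window orchestration can reboot
        # and invoke this script again (3010 = reboot required).
        Write-Host "Reboot required before the next scan; exiting with code 3010."
        exit 3010
    }
}
Write-Host "Stopped after $MaxPasses passes; re-run if a scan still reports updates."
exit 1
```

Exit code 3010 signals the reboot-then-rerun step to whatever schedules the window, which is what the second identical policy achieves in the workaround.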

Thank you again for your feedback, we’ve noted it for the future and please don’t hesitate to reach out with more!


Thanks, Greg! Does this mean you’ve added it to the roadmap, or should I go ahead and suggest it?

We already had this feature in our roadmap for consideration and your feedback/use case has been added to it. Thanks again!
