Patch Management How To's

How does the Automated Patch Deployment feature work?

Description

Automated Patch Deployment is a feature in Desktop Central that enables you to deploy patches that are missing in the computers in your network automatically. You can automate the following tasks using the Automated Patch Deployment feature:

• Scanning computers periodically to identify missing patches: This is the default option. Use it to scan the client systems in your network, to detect which patches are missing.
• Identifying missing patches and downloading them from the vendors' Web sites: Use this option to:
  • Detect vulnerable client systems and applications in your network
  • Download the corresponding fixes from Microsoft and non-Microsoft Web sites
• Downloading patches that you require and creating tasks related to patch deployment: Use this option to:
  • Download missing patches automatically from the vendors' Web sites
  • Create a draft of the patch configuration
• Downloading patches that you require automatically and installing them on to specific computers: Use this option to:
  • Scan computers periodically to identify which patches are missing
  • Download the missing patches from the vendors' Web sites
  • Deploy the missing patches to client systems
  • Show the progress of deployment of patches in the computers in your network
  • Continue deploying patches even if all the missing patches are not found in the computer during scanning
  • Choose an appropriate reboot policy

All the levels of patch-deployment automation mentioned above can be specified for a specific set of client systems. You can choose to have different levels of automation for different sets of client systems. The process of deploying patches automatically depends on the level of automation you choose.

Automation Process

The automation process includes the following steps:

1. Scan the computers to identify the missing patches
2. Download the required patches from the vendor's website
3. Define a patch task
4. Deploy the patches to the missing computers

The patch-scanning process takes two hours, from the time it begins, till the time it is complete. During this two-hour period, the deployment status will remain Not Started. The period of two hours includes the time period of 90 minutes, which is when the agent checks the server for information, and an additional buffer of 30 minutes for scanning.

Out of the above, patch scanning process takes an estimated (fixed) time of two hours from the time of commencement. During this two-hour period, you will see the deployment status as "Not Started". The two hours accounts for the agent contact interval of 90 minutes plus an additional scanning buffer of 30 minutes.

Now, what happens when "Patch Approval" has been enabled? When you enable Patch Approval, only the patches that are "approved" will be downloaded and deployed. All the unapproved patches will not be downloaded or deployed via Automated Patch Deployment task, even though they are shown as Missing.

Examples

The examples given below help you understand the sequence of steps followed to deploy patches automatically and how to handle a new scheduled task when the previous task is still in progress.

Example 1: Deploying missing patches to specific systems

This example helps you understand the sequence of steps followed to deploy patches, when you have completely automated patch deployment.

Scenario

You have made the following settings:

• Enabled the Automatically Download and Deploy the Missing Patches option for 50 systems
• Scheduled this option to run at 12:00 hours every Monday

Steps

The sequence of the processes, based on the scenario mentioned above, will take place as follows. The Desktop Central server will:

1. Start scanning all the 50 systems at 12:00 hours.

   Note: This process will take two hours, hence the next process will begin only at 14:00 hours irrespective of the scan status.

2. Get information about the missing patches from the local patch store at 14:00 hours
3. Download the patches that are not available in the local patch store.
4. Create a patch task and deploy it to the systems that do not have the missing patches once the patch download is completed.

   Note: If Patch Approval is enabled, only the patches that have been approved will be downloaded or deployed via Automated Patch Deployment task.

The patch configurations will only be deployed to systems that require them and not to all the 50 systems. However, the patch status will be updated for all the 50 systems.

Example 2: Handling a new scheduled task when the previous task is still in progress

Typically, when a task is in progress and the next scheduled task is ready to be executed, the first task will be suspended and the new task will be created. The following example helps you understand this better.

Scenario

You have made the following settings:

• Enabled the Automatically Download and Deploy the Missing Patches option for 50 systems
• Scheduled this option to run at 12:00 hours every Monday

In the first week, on Monday, ten patches are deployed to 50 computers. As per the settings you made:

• Scanning will commence at 12:00 hours
• Deployment of the configuration, to all 50 systems, will begin at 14:00 hours

Assume that five systems are switched off on that day. The patch-deployment status will have In Progress status because the patch deployment process is not complete in all 50 systems. In the 2nd week, on Monday, if the five systems are still switched off, the following changes will take place:

• The status of the previous task will be changed to Suspended
• A new task will be created to deploy all the missing patches. The status of the task will be changed to Executed only when patch deployment is complete in all the 50 systems.