Software patches are released by vendors every month, and you need to test them before deploying them to production machines. You select the patches you want to deploy, deploy them to a test group, and then do the same for the production machines. Patching has become a repetitive act, and with BigFix Patch Policies you can now automate these steps. This saves time and money and lets you be more productive. With BigFix, you can do more with less and automate such tedious routines.
Set the criteria for which patches, which machines, and when, and let BigFix take care of the rest. This lets you accomplish more with less and helps keep your endpoints continuously compliant and secure. This article shows how easy it is to set up patch policies, how granular the patch schedules can be, and how to deploy patches to fit your organization’s needs.
- Go to BigFix WebUI and click Apps > Patch Policies.
- Click Add Policy in the top right corner.
- Create a policy that sets the criteria of the patches you want to deploy.
- Enter a name for the policy.
- Select a site in which you want to create your deployments.
- Select an operating system type.
- Select the severity. This is determined by the vendor and their classification of patch.
- Select a category.
- Select the type of updates.
- Select the OS types to filter.
You can exclude certain patches as part of the policy. For example, enter keywords such as "Acrobat" or ".net framework" to exclude their patches from the policy.
- Configure when the policy refreshes, that is, how often BigFix should refresh the policy and look for new content. In this example, the 2nd Monday of each month is selected, which is otherwise known as Patch Tuesday. This is the day BigFix looks for new patches. You can also use the auto-refresh feature so that the policy refreshes automatically and the patches matching your criteria are ready. You can also refresh the policy manually whenever you want.
Note: Microsoft also releases patches later in the month. If you refresh weekly, you could deploy patches to your test groups and then, a week later when you deploy to production, include patches that were never tested. So it is best to run a monthly refresh.
- Click Add at the top right corner.
- Set schedules for deploying the patch policy. You typically want to test patches before deploying to the production systems. Set up multiple deployments and schedules for when to deploy patches to certain groups.
- Click Add a schedule.
- Enter a name for the schedule. This example schedule deploys the patches 1 day after the 2nd Tuesday at 5 PM, that is, the day after Patch Tuesday.
- Set the duration for which you want the deployment to be open. 7 days is the default.
You can also run predefined maintenance windows through BigFix. For details, see Maintenance Windows Dashboard.
- Set the criteria for how the patches are deployed. You can have the patches pre-cache and download ahead of time.
- Stagger the patching start time to limit the network load.
- Skip errors.
- Retry the patch and wait until the computer has rebooted.
Note: Given the size of cumulative updates, if a patch fails to install, it is most likely because the machine has a pending restart. Selecting this option lets the patch try to install and, if it fails, try again after a fresh restart. If you force users to restart their machines after the patches deploy, they could be prompted to restart multiple times if a failure occurs with these options selected.
- You can type in a custom message to prompt users about a pending restart.
- When done, click OK in the top right corner.
- Select the targets to which the schedule should be deployed. Click Add Targets.
- Open the Target By Groups tab.
- Search and select a test group from the list.
- Click OK at the bottom right corner.
The first test group is defined and scheduled.
Add more groups and schedules as needed.
The following section is on setting up a policy schedule for production machines.
- Click Add Schedule.
- Enter a name for the schedule. In this example, I selected 6 days after the 2nd Tuesday at 11 PM. The patches deploy to my production users on the first Monday after Patch Tuesday. This gives me time to test and verify that the patching went smoothly on my test machines before I patch the production machines.
Note: Each environment is different and requires different levels of testing and schedules may vary.
- Select the option to download the patches 3 days in advance. This way, the patches begin downloading to the PCs 3 days before they are ready to install. It all happens in the background and does not impact users. This also speeds up the deployment of my patches because they do not have to wait to download on the users' PCs.
- Select Retry the patch and wait until the computer has rebooted.
Note: Given the size of cumulative updates, if a patch fails to install, it is most likely because the machine has a pending restart. Selecting this option lets the patch try to install and, if it fails, try again after a fresh restart. If you force users to restart their machines after the patches deploy, they could be prompted to restart multiple times if a failure occurs with these options selected.
- Give the users 7 days to restart their machine.
- Type in a custom message for prompting the users for a pending restart.
- Click OK at the bottom right corner.
- Add targets to the production machine schedule.
- Open the Target By Groups tab.
- Filter groups by typing the name of the production machine groups. Select the Workstations-All check box.
- Click OK at the bottom right corner.
You now have two schedules set up to deploy patches matching your criteria. The test group deploys the day after the first Tuesday. The production group deploys the Monday after the first Tuesday. Each month the policy refreshes to add new patches, and the deployments automatically push the same patches to your test groups and then to your production groups.
- Click Activate (at the top right corner) to activate the patch policies.
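The schedule above is easy to misjudge from the calendar alone. The following added example (not BigFix code, and not from the author) models it: a refresh on the 2nd Tuesday, a test deployment one day later and a production deployment six days later, and then checks which patches reach production without first reaching the test group under a monthly refresh versus a daily auto-refresh. The patch names, release dates and the month used are constructed.

```python
from datetime import date, timedelta

TUESDAY = 1  # date.weekday(): Monday == 0

def nth_weekday(year, month, weekday, n):
    """Date of the n-th occurrence of a weekday in the given month."""
    first = date(year, month, 1)
    offset = (weekday - first.weekday()) % 7
    return first + timedelta(days=offset + 7 * (n - 1))

def patch_tuesday(year, month):
    """Second Tuesday of the month, the day the article refreshes the policy."""
    return nth_weekday(year, month, TUESDAY, 2)

def policy_schedule(year, month, test_offset=1, prod_offset=6):
    """Refresh and deployment days for one month, as configured in the article."""
    pt = patch_tuesday(year, month)
    return {"refresh": pt,
            "test": pt + timedelta(days=test_offset),
            "production": pt + timedelta(days=prod_offset)}

def refresh_days(start, end, every_days):
    """Policy refresh dates at a fixed interval (every_days=1 models auto-refresh)."""
    days, d = [], start
    while d <= end:
        days.append(d)
        d += timedelta(days=every_days)
    return days

def policy_content(releases, refreshes, day):
    """Patches the policy contains on 'day': everything released by its last refresh."""
    past = [r for r in refreshes if r <= day]
    if not past:
        return set()
    return {name for name, released in releases.items() if released <= max(past)}

def untested_in_production(releases, refreshes, sched):
    """Patches the production schedule deploys that the test schedule never did."""
    return (policy_content(releases, refreshes, sched["production"])
            - policy_content(releases, refreshes, sched["test"]))

# Constructed sample: the cumulative update on Patch Tuesday plus an
# out-of-band fix released three days later (hypothetical names and dates).
RELEASES = {"cumulative-update (constructed)": date(2024, 3, 12),
            "out-of-band-fix (constructed)": date(2024, 3, 15)}
SCHED = policy_schedule(2024, 3)
MONTHLY = [SCHED["refresh"]]                                   # refresh once, on Patch Tuesday
DAILY = refresh_days(SCHED["refresh"], SCHED["production"], 1) # auto-refresh every day

if __name__ == "__main__":
    print(SCHED)
    print("monthly refresh, untested in production:", untested_in_production(RELEASES, MONTHLY, SCHED))
    print("daily auto-refresh, untested in production:", untested_in_production(RELEASES, DAILY, SCHED))
```

With the monthly refresh the production set is empty; with a daily auto-refresh the out-of-band fix lands on production machines without ever having been deployed to the test group, which is the risk the note above describes.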
For more details on setting up patch policies, see this video: https://www.youtube.com/watch?v=gkWjobsj15I. Feel free to reach out if you have any questions or need help with BigFix.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Author
Brad Sexton is a BigFix technical advisor for the mid-Atlantic region. He was a BigFix administrator in a global enterprise for 7 years where he was using BigFix for OSD, Software Deployments, and patching. Brad joined the HCL BigFix team in 2018.
Review and editorial credits
Shivi Sivasubramanian is a senior-level technical author and editor with a demonstrated history of working in the technology industry. A firm believer in the magical power of words, she loves helping the community deliver expressive, minimalist, and user-friendly content. Shivi currently leads a team of information developers in BigFix.