Patch Policy Settings - scheduling

It appears that the only places to schedule patch policies are:

1. Configuration > Security (which does everything)
2. Individual workstations (which does just that PC)

Am I missing something?  I would think it should be possible to have a group of workstations assigned to one schedule and another group to another schedule.

  • The native options are:

    1) Configuration > Security to set them at the zone level for all devices.

    2) The setting tab on any folder in the device hierarchy to set the setting for the devices in that folder

    3) The individual device

    If you need more control you could set the schedule to Manual and then use a bundle that you can set schedules on that just runs 'zac pap' to apply patches.

  • This has been a little frustrating so far.  I had set the policy for a 3 AM install.  And I created a WOL bundle to wake up the PCs at 2:40 AM.  I set these to occur every day over the weekend hoping to get up to date.  Came in this morning to find just over 25% were patched.  And many of those were ones I had done manually during testing.

    I just set the policy to manual.  Modified the WOL bundle to run "zac pap" and set it to run every day of the week.  Also created a separate bundle that just runs "zac pap" and asked users to manually run it.  Hopefully between the two I can get everything caught up.

    Setting it during the day doesn't work because it causes too much grief for users trying to get work done.  I tried testing "patch during shutdown" but I could not get all patches to reliably install.  WOL should be working because I checked with wireshark and the packets do appear.

    Patching is important and yet no one has a reliable method to make it happen.  I blame Microsoft ultimately because it is their OS.  MicroFocus has come up with some great tools that ease issues caused by Microsoft.  I had hoped ZPM would be the same.  Maybe I just need to work through it some more.  I will see what happens over the next day or two with the WOL patching and manual patching.


  • We do patches via a bundle and have used the info in this post /collaboration/zenworks/zpm/f/patchmanagement/222276/microsoft-servicing-stack-updates-and-patch-policies  (Craig's reply) to get the servicing stacks to install first.  The method using the tracking key works well.

    In my layout I have our devices in folders by department (Mechanical Design, Project Management, etc.).  I then can schedule the bundle as I see fit by department.

    For the bundle I added a user prompt action at the beginning:

    "Critical System Patches are Being Installed in the Background....... Make Sure You Shut Down Your Machine Tonight to Complete the Install Process."

    I have reboot as the last action and have a requirement for HKEY_CURRENT_USER\Volatile Environment\LOGONSERVER value not existing to control automatic reboot.  This allows me to schedule it whenever and not force a reboot if a user is logged in at the time but get the reboot if I am using it after a WOL in a night run scenario.

    Jim

  • The key is to just slow down and focus on one thing at a time and not change many variables at once.

    1. WOL - Get that working w/o anything else.  There can be many factors that prevent it from working.  Don't try to troubleshoot WOL and PATCH at the same time until one or the other is working reliably.
      • Test when the PC is Off
      • Test when the PC is Asleep
      • Test when the PC is Hibernated.
        • Different PC Hardware and OS settings can make it fail
        • Windows OS Logs are good to see if it was running before or after the WOL time.
    2. ZPM - AFAIK, there has been no ZPM troubleshooting.
      • Do the Patches install when you manually run the policy via 'zac pap'?  If no, then it's not about scheduling.
      • What errors do the patches give?
        • Often there is a PreReq that needs to be installed.
          • The Prereq may end up requiring multiple reboots before all is installed
          • A PreReq not in the Policy may cause a patch to never apply.
            • In such a case, it is not possible to even install manually w/o the other patch.
            • The "ZPM" folder holds many patch specific logs.

    The key however, is to just get one thing working and I would start with just troubleshooting the patches even applying.  Once you have it down to JUST schedule, then start working on scheduling.  If you will have WOL in the mix for the schedule I would just work on WOL testing independently.  Deploy a bundle via WOL that does something simple such as run a script to echo the date and time to a text file so you can see when it ran.  Once THAT is working, then you can consider mixing in Patching with WOL.
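A script for the WOL test bundle suggested above, added here as an example and not code from the thread or from ZENworks. It goes one step beyond "echo the date to a text file": each run also records the last boot time and whether the machine had just resumed from sleep or hibernate, which is the same question the Windows System log answers when you check if the PC was running before or after the WOL time. The log path, the 10-minute window and the use of the Power-Troubleshooter resume event are assumptions for this example.

```powershell
# Added example: run this from a bundle deployed after the WOL wake-up.
# One line is appended per run, so the log shows when the bundle ran and
# what power state the PC was in when it ran.
# $LogPath is an assumed location; change it to suit your environment.
$LogPath = 'C:\ProgramData\WolTest\wol-runs.log'
New-Item -ItemType Directory -Path (Split-Path $LogPath) -Force | Out-Null

$os       = Get-CimInstance -ClassName Win32_OperatingSystem
$lastBoot = $os.LastBootUpTime
$now      = Get-Date
$uptime   = $now - $lastBoot

# Event ID 1 from Microsoft-Windows-Power-Troubleshooter is written when the
# system returns from a low power state (sleep or hibernate).
$lastWake = Get-WinEvent -FilterHashtable @{
    LogName      = 'System'
    ProviderName = 'Microsoft-Windows-Power-Troubleshooter'
    Id           = 1
} -MaxEvents 1 -ErrorAction SilentlyContinue

# Classify the run (assumed 10-minute window):
#   resumed from sleep/hibernate if a resume event is that recent,
#   cold boot if the kernel itself started that recently,
#   otherwise the PC was already awake before the WOL packet arrived.
$state = if ($lastWake -and $lastWake.TimeCreated -gt $now.AddMinutes(-10)) {
    'resumed-from-sleep-or-hibernate'
} elseif ($uptime.TotalMinutes -lt 10) {
    'cold-boot'
} else {
    'already-running'
}

$line = '{0:yyyy-MM-dd HH:mm:ss}  host={1}  lastBoot={2:yyyy-MM-dd HH:mm:ss}  state={3}' -f `
    $now, $env:COMPUTERNAME, $lastBoot, $state
Add-Content -Path $LogPath -Value $line
```

Reading the log across the off / asleep / hibernated test cases listed above tells you which power state WOL is failing to wake from, before any patching is mixed in.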


  • This sounds good, but I'm trying to sort out scheduling...  It seems like there would be times that the bundle would run, prompt the user to shutdown/reboot later, and then run "zac pap" and nothing would happen because their pc was already up to date.  How are you scheduling this bundle and how do you prevent the prompt if there is nothing to be patched?

  • A key to our success was having a reboot bundle prior to conducting patch management activities.  Even if you enable automatic reboot through patch management based on patch requirements, it may not always do it.  So you will have patches that require reboot from the last patch event and you cannot proceed with new patch installation until the machine has rebooted.

  • In our case the shutdown part happens by the user at the end of the day.  Everyone is required (and it is enforced here) to not leave their machine on when done for the day.  We have a lot of engineers and programmers so I avoid forced reboots/user pain (becomes my pain) during the day.

    As I mentioned I do the scheduling by Departments.  I set it in the bundle Assignments and set a launch schedule by date.  Once my Patch Policies have been updated I will flush out to one department for testing before I update the schedules for the other departments.  So my bundle runs once on/after the date I set.  I don't have it running on a refresh or anything.  Since I am explicitly setting the run time I know patches will happen due to the updated Patch Policies, so I don't worry about the prompt but I could place a requirement on it as I mention below to hide it if not required.

    This works out better for us but is more hands on than using the Schedule Enforcement and having it run on refresh or event.  I had tons of problems trying to get that working right when Patch Policies first came out and went with the bundle model.   Prob works much better now but never really went back and tried it again.

    You could also check if a reboot is required by using registry key requirements such as:

    HKLM\System\CurrentControlSet\Control\Session Manager value: PendingFileRenameOperations
    HKLM\Software\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\RebootRequired
    HKLM\Software\Microsoft\Windows\CurrentVersion\Component Based Servicing\RebootPending
    HKLM\Software\Microsoft\Updates value: UpdateExeVolatile

    There are a few other reboot keys but these would cover most patches.

    Hope some of my rambling makes sense or helps.

    Jim
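The two checks Jim describes, a reboot pending from the previous patch run and a user still logged on, put together in one script as an added example (not from the thread or from ZENworks). It reads the four registry locations listed above and reports which of them is set; whether a console user is present is taken from Win32_ComputerSystem rather than the HKCU\Volatile Environment\LOGONSERVER value the thread uses, an assumption made so the check also works when the agent runs as SYSTEM, where HKCU is not the user's hive. The 60-second reboot delay and the exit codes are assumptions for this example.

```powershell
# Added example: decide whether a reboot bundle should run before patching.
# Run as an account that can read HKLM (for instance the agent running as SYSTEM).

function Test-PendingReboot {
    # Returns the names of the reboot indicators that are currently set.
    $reasons = @()

    # Session Manager: files queued for rename or delete at the next boot.
    $sm = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager' `
        -Name PendingFileRenameOperations -ErrorAction SilentlyContinue
    if ($sm -and $sm.PendingFileRenameOperations) { $reasons += 'PendingFileRenameOperations' }

    # Windows Update: this key exists only while a reboot is required.
    if (Test-Path 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\RebootRequired') {
        $reasons += 'WindowsUpdate RebootRequired'
    }

    # Component Based Servicing: this key exists while servicing awaits a reboot.
    if (Test-Path 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing\RebootPending') {
        $reasons += 'CBS RebootPending'
    }

    # Legacy update.exe installer flag: a non-zero value means a reboot is outstanding.
    $upd = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Updates' `
        -Name UpdateExeVolatile -ErrorAction SilentlyContinue
    if ($upd -and $upd.UpdateExeVolatile -ne 0) { $reasons += 'UpdateExeVolatile' }

    return $reasons
}

function Get-ConsoleUser {
    # $null when nobody is logged on interactively; the same state the thread
    # detects with a missing HKCU\Volatile Environment\LOGONSERVER value.
    (Get-CimInstance -ClassName Win32_ComputerSystem).UserName
}

$pending = @(Test-PendingReboot)
$user    = Get-ConsoleUser

if ($pending.Count -eq 0) {
    Write-Output 'No reboot pending; the patch policy can run now.'
    exit 0
}

Write-Output ('Reboot pending: {0}' -f ($pending -join ', '))

if ($user) {
    # Daytime case from the thread: someone is working, so do not force a reboot.
    Write-Output "User $user is logged on; deferring the reboot to the night run."
    exit 1
}

# Night-run case after WOL: nobody is logged on, clear the pending state first.
Write-Output 'No interactive user; rebooting in 60 seconds so the next patch run starts clean.'
shutdown.exe /r /t 60 /c 'Rebooting to complete previously installed patches'
exit 0
```

Used as the first action of a patch bundle, a non-zero exit tells the scheduler that patching was skipped because a user was present, which is a more useful signal than a patch policy that silently reports 25% coverage the next morning.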

  • Thanks!  Really appreciate what you and   have been posting.  I have used ZCM for ages but I am totally new to ZPM.  Trying to get up to speed when I have lots of other things on my plate makes for interesting times.  I am hoping to find a block of time to just focus on this soon.