How to create and configure an Automate Patch Deployment (APD) task?


Steps to create an APD task

Follow the steps given below to create tasks for automating patch deployment for a set of computers:

  1. Navigate to Patch Mgmt -> Deployment -> Automate Patch Deployment. This view will display all the tasks that are created.
  2. Click 'Automate Task' to create a new task for Windows/Mac/Linux and name your task.
  3. Configure required details for the following steps:
    1. Select Applications - The type of OS and third-party apps to patch
    2. Choose Deployment Settings - Configure how and when to deploy the patches based on your enterprise's patching requirements
    3. Define Target - Select the target computers to deploy patches
    4. Configure Notifications - Receive notifications on the deployment status

    Select Applications

    Deploy Operating System updates

    If you want to deploy only updates related to Operating Systems (for example Windows, Mac or Linux), enable one of the following check boxes:

    • Security Updates - includes all security updates for:
    1. Windows
    2. Mac (Security and Supplemental updates)
    3. Linux (Ubuntu, Debian, Pardus, CentOS, Red Hat, Oracle and SUSE)

    and specify the severity as Critical/Important/Moderate/Low/Unrated.

    • Non-Security Updates - includes all non-security updates for:
    1. Windows
    2. Mac
    3. Linux (Red Hat, Ubuntu, CentOS and Oracle)

    Updates that are applicable only for Windows:

    • Service Packs - A tested, cumulative set of all hotfixes, security updates, critical updates, and updates for different versions of Windows OS.
    • Rollups - Cumulative set of updates including both security and reliability updates that are packaged together for easy deployment as a single update and will proactively include updates that were released in the past. 
    • Optional Updates - Also called Preview Rollups, these are optional, cumulative set of new updates that are packaged together and deployed ahead of the release of next Monthly Rollup for customers to proactively download, test and provide feedback.
    • Feature Packs - New product functionality that is included in the full product release.
    • Driver Updates - Used to automatically update the network, sound and video drivers present in your systems. For the complete list of driver updates supported by us, use this link.

    Deploy Third-Party Updates

    1. If you want to deploy only updates related to third-party applications, specify the severity as Critical/Important/Moderate/Low/Unrated.
    2. Specify if you want to deploy all applications or if you would like to include/exclude a specific application.

    Deploy Anti-Virus Updates

    Select this option to deploy anti-virus definition updates for the following:

    1. McAfee Virusscan Enterprise
    2. Microsoft Forefront Endpoint Protection 2010 Server Management
    3. Microsoft Forefront Endpoint Protection 2010 Server Management x64
    4. Microsoft Forefront Client Security
    5. Microsoft Forefront Client Security x64
    6. Microsoft Security Essentials
    7. Microsoft Security Essentials x64

    Schedule Deployment

    You can postpone the deployment of patches to ensure their stability by deploying them only after a specific number of days from the date of release or approval. For example, if you specify "5 days after release", a patch will be deployed only 5 days after the day it became supported by Endpoint Central. If you choose "after 5 days from approval", a patch will be deployed only 5 days after it was marked as approved.


    Choose Deployment Policy

    • Customize the patching process according to your enterprise's requirements by configuring the Deployment Policy settings. 
    • The Deployment Policy details:
      1. Deployment frequency - Select how frequently you want to carry out the deployment
      2. Deployment window - The time interval during which patches need to be deployed
      3. Deployment will be initiated at - Select whether deployment should happen at system startup or during the refresh cycle, within the chosen Deployment Window.
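    As an added example (not Endpoint Central's own code or API), the following Python model shows how the Select Applications filter, the Schedule Deployment hold-off and the Deployment Policy window combine to decide which patches a task would push at a given moment. The task, the patch records and their dates are constructed for illustration; deployment frequency and the startup/refresh-cycle trigger are not modelled.

```python
from dataclasses import dataclass
from datetime import date, datetime, time, timedelta
from typing import Optional

@dataclass(frozen=True)
class Patch:
    patch_id: str
    category: str               # "security", "non_security" or "third_party"
    severity: str               # Critical / Important / Moderate / Low / Unrated
    released_on: date           # day Endpoint Central started supporting it
    approved_on: Optional[date] # day it was marked approved, None if not yet

@dataclass(frozen=True)
class ApdTask:
    categories: frozenset       # Select Applications: update types to deploy
    severities: frozenset       # Select Applications: severity filter
    delay_days: int             # Schedule Deployment: "N days after ..."
    delay_from: str             # ... "release" or ... "approval"
    window_start: time          # Deployment Policy: deployment window; it may
    window_end: time            # cross midnight, e.g. 22:00 to 04:00

def earliest_deploy_date(task, patch):
    # First calendar day the patch may go out under the task's hold-off rule.
    if task.delay_from == "approval":
        if patch.approved_on is None:
            return None         # unapproved patches never become due
        return patch.approved_on + timedelta(days=task.delay_days)
    return patch.released_on + timedelta(days=task.delay_days)

def in_window(task, now):
    # True when 'now' is inside the deployment window, midnight-crossing or not.
    t = now.time()
    if task.window_start <= task.window_end:
        return task.window_start <= t < task.window_end
    return t >= task.window_start or t < task.window_end

def is_due(task, patch, now):
    # Select Applications filter first, then the hold-off date, then the window.
    if patch.category not in task.categories or patch.severity not in task.severities:
        return False
    due = earliest_deploy_date(task, patch)
    return due is not None and now.date() >= due and in_window(task, now)

def due_patches(task, patches, now):
    return sorted(p.patch_id for p in patches if is_due(task, p, now))
# Constructed sample task and patches (illustrative, not real product data).
SAMPLE_TASK = ApdTask(frozenset({"security"}), frozenset({"Critical", "Important"}),
                      5, "release", time(22, 0), time(4, 0))
SAMPLE_PATCHES = [Patch("KB-A", "security", "Critical", date(2024, 3, 1), date(2024, 3, 2)),
                  Patch("KB-D", "security", "Important", date(2024, 3, 5), None)]
```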

    Define Target

    • Select the target computers for which deployment has to be performed. The target can be a whole domain or remote offices. If you select the entire domain as target, this will also include all the remote offices in that specific domain. 
    • You can filter targets based on sites, OU, Group, specific computers and more.
    • 'Exclude Target' allows you to select certain targets that you want to exclude from the patch deployment task. For example, you can exclude server machines while deploying non-security updates.


    Configure Notifications

    Configure Notification settings to receive email notifications for the following:

    1. Failure in the deployment/download of the APD task 
    2. Daily status reports on the APD task


    Click Save to create the task. Missing patches will now be deployed automatically to all the chosen computers during the deployment window specified in the selected deployment policy.

    Frequently Asked Questions

    1. If "Schedule scan" is removed, will I be able to scan my machines at all?

       Vulnerabilities keep increasing every day, so you must have up-to-date scan data showing which computers on your network are missing critical and important patches. For this reason the scan task has been automated: after the patch database sync, if new patches have been released compared to the previous sync, agents will automatically scan in their subsequent refresh cycle.

    2. Will an automatic scan overburden the server with multiple requests? Will it choke the network traffic?

       Definitely not. The scan happens right after the database is synced. Every time a scan happens, the latest missing patches are detected and downloaded onto the server. Because agents post only the diff scan data (the difference in scan data between two consecutive scans), the server is not overburdened.
       It will not affect the network traffic either, since an on-demand scan is not initiated from the server. As with a configuration, the agents scan only in their subsequent refresh cycle, so the network traffic is distributed over the refresh interval and remains undisturbed.

    3. What happens if I do not migrate the tasks to the new workflow?

       You have a timeframe of 90 days to migrate. After 90 days, a notification will be sent and your APD tasks will be deleted. Hence, it is recommended that you migrate your APD tasks within 90 days.