Creating a Microsoft Patch Policy

A Microsoft patch policy is a collection of rules that manages Microsoft patches on devices.

What You Can Do

You can:

  • Specify how frequently a managed device checks for new updates.

  • Specify the time frame in which updates are installed after they are downloaded.

  • Specify whether users are prompted for updates to be installed or if updates are installed automatically.

  • Specify which devices the policy applies to, either through automatic inclusion rules or by selecting specific devices and groups.

Patch policies also determine to which devices the policy is applied. You can set up automatic inclusion rules, or manually apply a patch policy to devices and groups. Note that automatic inclusion rules only take effect when the patch policy is included as part of a service delivery model (i.e., added to a service or service plan that is then applied to a site or group).

You can create as many patch policies as you require.

  • If a device is included in more than one Patch policy, the Patch policy with the lowest detection frequency is applied to the device. If both policies have the same detection frequency, the policy that was created first is applied.

To create a Microsoft patch policy

  1. In Service Center, click Service Delivery > Policies > Patching > Windows Patching.

  2. Click New.

  3. In the Create New Windows Patch Policy section, type a name and description for the policy.

  4. Click Create.

  5. Click the Settings tab, and click Modify.

  6. From the Detection Frequency list, select how often you want the devices to check for new patches.
    The default 22 hours is good for almost all circumstances. You may want to have devices that receive definition updates check more frequently.

  7. In the Automatic Updates Options section, select one of the following option buttons:
    Notify for download and install: Local users are notified in the notification area (System Tray or Notification Area) that updates are ready to be downloaded and installed.
    Auto download and notify for install: Updates are downloaded automatically, and local users are notified in the notification area (System Tray or Notification Area) that updates are ready to be installed.
    Auto download and schedule the install: Updates are downloaded automatically. The install is scheduled according to the applicable execution schedule.
    Allow local admin to choose setting: Local users with administration rights can adjust the update settings in Windows.
    The Allow local admin to choose setting option is not permitted for managed devices with a Device Manager installed. When a Patch policy with this setting is applied to these devices, Notify for download and install is used instead.

  8. If you selected the Auto download and schedule the install option, do the following:

    • To have the Patch policy use an execution schedule to schedule patches, select the Install as per applicable Execution Schedule option button. For more information about execution schedules, see Setting Up Execution Schedules.

    • To have the Patch policy override any execution schedules applied to a site or group, select the Override Execution Schedules option button. For more information about overriding the execution schedule, see To set up a schedule for Microsoft patches that overrides any applicable execution schedules below.
      If you select the Install as per applicable Execution Schedule option and no execution schedule is applied, patch management defaults to the Notify for download and install option.

  9. Select the Immediately install minor updates (updates that do not interrupt Windows services or require a restart) check box to have updates installed immediately if they do not interrupt Windows services or require a restart.

  10. Select the Allow non-administrators to receive update notifications check box to allow regular users to select updates to install.

  11. Optionally, select the Assign the newly added devices of this Patch Policy to the following Approval Group check box to automatically add all devices to which this policy is applied to an approval group that you select from the list. This option facilitates the installation of patches by automatically approving patches for the devices in this policy. Then select an approval group.

  12. Optionally, select the Apply changes to existing devices in this policy check box to add the existing devices in this policy to the approval group that you selected.

  13. Click Save.

Toย setย upย aย schedule for Microsoft patchesย thatย overridesย anyย applicableย execution schedules

When setting up a Microsoftย patch policy, you can indicate that the policy uses the applicable execution schedule that was set up for the site or group to which the devices in the policy belong. If you do not want to use the applicable execution schedule, you can override it and create a custom patching schedule within the policy.

You may want to override execution schedules if you have special requirements for your patching schedule. For example, you may have set up an execution schedule for a customer site that runs Friday evenings at 8 pm. For patching, however, you might want installation to occur the day after Microsoft releases patches, which typically occurs on the first Tuesday of every month. Overriding execution schedules gives you the flexibility to create a patching schedule that meets your specific patching requirements.

To set up a custom patching schedule, you must select the Auto download and auto install option when setting up the Automatic Update Options for the policy.

  1. In Service Center, click Service Delivery > Policies > Patching > Windows Patching.

  2. Click New to create a policy, or click the name of an existing policy.

  3. Click the Settings tab.

  4. Click Modify.

  5. In the Automatic Update Options area, select Auto download and auto install from the list.

  6. Select the Override Execution Schedules option button.

  7. In the Start Time box, type a start time for when patching will begin. Alternatively, click the clock icon to select a time from the list.

  8. In the Recurrence Pattern area, select whether you want patches to run daily, weekly, or monthly.

  9. In the Reboot Options section, select an option:

    • To allow the operating system to determine the reboot behavior, select Use operating system default behavior. The behavior varies by operating system.

    • To wait until the user is logged off to reboot, select Do not auto-reboot when a user is logged on.

    • To reboot immediately when the update requires it, select Force a reboot when an update requires one.
      Some Microsoft updates will cause a server to reboot even if you choose Do not reboot. This behavior does not come from Barracuda RMM but is native to Windows. We recommend reading all details of a patch before applying it to a server.

  10. In the Missed Installation Options area, define how missed installations are handled: select wait X minutes after the next system startup to install and enter a value for X in minutes between 1 and 60, or select wait until next scheduled time to install.

  11. Select Immediately install minor updates to automatically install updates that do not interrupt Windows services or require a restart.
    This option does not apply to Windows 10 or Windows Server 2016.

  12. Select the Allow non-administrative users to approve or disapprove updates on clients managed by Onsite Managers check box to allow end users who do not have an administrative role to approve or disapprove updates on devices managed by Onsite Manager.
    This option does not apply to Windows 10 or Windows Server 2016.

  13. Clickย Save.
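Both procedures above configure settings in Service Center; what a practitioner usually wants next is a way to confirm, on the device itself, which settings actually took effect. The following PowerShell is an added example, not code from Barracuda RMM, Service Center, or this page. It reads the standard Windows Update policy registry keys (HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate and its AU subkey) and decodes them into the option names used in the steps above. It assumes the patch policy is delivered through those keys; the page does not state how the agent applies the settings, so a value reported as "not set by policy" means the device is falling back to its local or OS default for that setting. The function names (Get-PolicyValue, Get-EffectivePatchSettings, Test-PatchPolicyCompliance) and the expected-settings hashtable at the end are constructed for this example.

```powershell
# Added example, not Barracuda RMM / Service Center code: audit the Windows Update
# policy in force on a managed device and decode it into the option names used in
# the patch policy settings above. Assumption: the settings arrive through the
# standard Windows Update policy keys below; a missing value means the device is
# using its local or OS default for that setting.

$WuKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
$AuKey = Join-Path $WuKey 'AU'

# Read one policy value; return $null instead of throwing when the key or value is absent.
function Get-PolicyValue {
    param([string]$Path, [string]$Name)
    try { (Get-ItemProperty -Path $Path -Name $Name -ErrorAction Stop).$Name }
    catch { $null }
}

# AUOptions values used by the Windows Update Agent, named as in step 7 above.
$AuOptionNames = @{
    2 = 'Notify for download and install'
    3 = 'Auto download and notify for install'
    4 = 'Auto download and schedule the install'
    5 = 'Allow local admin to choose setting'
}

# ScheduledInstallDay: 0 = every day, 1..7 = Sunday..Saturday.
$DayNames = @('Every day', 'Sunday', 'Monday', 'Tuesday', 'Wednesday', 'Thursday', 'Friday', 'Saturday')

function Get-EffectivePatchSettings {
    $auOption = Get-PolicyValue $AuKey 'AUOptions'
    $optionName = if ($null -eq $auOption) { 'not set by policy' }
                  elseif ($AuOptionNames.ContainsKey([int]$auOption)) { $AuOptionNames[[int]$auOption] }
                  else { "unknown AUOptions value $auOption" }

    # Detection frequency is honoured only when DetectionFrequencyEnabled = 1; 22 hours is the OS default.
    $detection = if ((Get-PolicyValue $AuKey 'DetectionFrequencyEnabled') -eq 1) {
        Get-PolicyValue $AuKey 'DetectionFrequency'
    } else { 22 }

    # Scheduled install day/time apply only to the "schedule the install" option.
    $day  = Get-PolicyValue $AuKey 'ScheduledInstallDay'
    $hour = Get-PolicyValue $AuKey 'ScheduledInstallTime'
    $schedule = if ($null -ne $day -and $null -ne $hour) {
        '{0} at {1:00}:00' -f $DayNames[[int]$day], [int]$hour
    } else { 'not set by policy' }

    # Missed installation handling: wait 1-60 minutes after startup, otherwise wait for the next scheduled time.
    $rescheduleMin = Get-PolicyValue $AuKey 'RescheduleWaitTimeMinutes'
    $missed = if ((Get-PolicyValue $AuKey 'RescheduleWaitTimeMinutesEnabled') -eq 1 -and $rescheduleMin) {
        "wait $rescheduleMin minutes after the next system startup"
    } else { 'wait until next scheduled time' }

    # Note: the page states the minor-updates option does not apply to Windows 10 or Windows Server 2016,
    # so the value below may be present but ignored on those systems.
    [ordered]@{
        AutomaticUpdatesOption         = $optionName
        UpdatesDisabledByPolicy        = ((Get-PolicyValue $AuKey 'NoAutoUpdate') -eq 1)
        DetectionFrequencyHours        = $detection
        InstallSchedule                = $schedule
        NoAutoRebootWithLoggedOnUser   = ((Get-PolicyValue $AuKey 'NoAutoRebootWithLoggedOnUsers') -eq 1)
        MissedInstallation             = $missed
        ImmediatelyInstallMinorUpdates = ((Get-PolicyValue $AuKey 'AutoInstallMinorUpdates') -eq 1)
        NonAdminsReceiveNotifications  = ((Get-PolicyValue $WuKey 'ElevateNonAdmins') -eq 1)
    }
}

# Compare the device against what the patch policy was configured to deliver.
# $Expected uses the keys returned by Get-EffectivePatchSettings.
function Test-PatchPolicyCompliance {
    param([hashtable]$Expected)
    $actual = Get-EffectivePatchSettings
    $mismatches = foreach ($key in $Expected.Keys) {
        if ("$($actual[$key])" -ne "$($Expected[$key])") {
            "{0}: expected '{1}', device has '{2}'" -f $key, $Expected[$key], $actual[$key]
        }
    }
    if ($mismatches) { $mismatches } else { 'Device matches the expected patch policy settings.' }
}

# Usage: show the effective settings, then check them against a constructed expectation
# that mirrors a policy built with the steps above.
Get-EffectivePatchSettings | Format-Table -AutoSize
Test-PatchPolicyCompliance -Expected @{
    AutomaticUpdatesOption         = 'Auto download and schedule the install'
    DetectionFrequencyHours        = 22
    NoAutoRebootWithLoggedOnUser   = $true
    ImmediatelyInstallMinorUpdates = $true
}
```

Run it in an elevated PowerShell session on a managed device after the policy has had time to apply. A mismatch on AutomaticUpdatesOption is the first thing to look at: as noted in step 7, devices with a Device Manager installed fall back to Notify for download and install when the policy selects Allow local admin to choose setting, and step 8 notes that Install as per applicable Execution Schedule falls back to the same option when no execution schedule is applied, so the device may legitimately differ from what was selected in Service Center.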