Hey Guys,
We have started patching our servers through Patch Policies. That seems to be working well and everything is automated. So it works even if I am out of office, leave the company, etc. Each month we have about 30 or so, out of 400 total, that do not get patched for whatever reason. Does anyone have a good idea how to set up an automated catch-all that will re-attempt to patch everything on the last day of each month? I know we will always need to check reports, and do some manual work, but I am just trying to automate as much as I can.
We have a lot of fault tolerance in our servers, and the main concern is that we do not have more than 2-3 that restart at the exact same time. So currently, for clean-up each month, I am creating a baseline for each operating system and then targeting the remaining nodes that still appear as applicable for the patch, and telling them to stagger the patching over 3 hours, etc. to spread out the restarts. I am hoping I can find something automated that might work even if I am out of office for a few weeks, etc. If anyone has an automated catch-all, let me know what you are doing, as I am just trying to get some ideas.
If the failed patches are still covered by your Patch Policy definition, one method would be to define an additional Schedule on the same Policy.
Then you could handle it a couple of ways:
- You could target the same systems on both schedules. If the machines fully patched successfully on the first pass, they’d just skip the second schedule.
- You could target some automatic or manual group for the second schedule, and add computers to that group as needed to have them apply the second-round schedule.
Thanks - I was thinking along the same lines. Currently, my patch policy is applying a pre-patch script that basically checks for pending reboots, and reboots if needed prior to patching. My patch policy also applies a post-update mandatory reboot. I am thinking it would be nice to tell failed servers ONLY to reboot (even if not needed) and try to patch again. So maybe an additional patch policy that targets all servers and runs on the 28th of each month and basically runs a fixlet that says if you have not rebooted in 30 days, go ahead and reboot and then try to patch, etc. Thanks for the feedback, as I am just trying to get some ideas for a better catch-all I can start testing. I am thinking that a different patch policy might be needed, and not just a different schedule, in order to apply the different pre-patch fixlet, but I am just trying to see if anyone else is doing something similar. Thanks so much for the response.
I don’t use Patch Policies, so not sure if this helps, but when applying an action you can set options to retry X number of times if it fails and/or becomes relevant again. We find doing this helps to proactively solve failed patching.
Thanks - Yes, I am telling it to try twice on error with only a 1-hour break between attempts.
Torn with concerns about targeting all servers with a catch-all that runs on the 28th day of the month that basically has a pre-patch policy fixlet that says: if you have not rebooted in 30 days (all servers are forced to reboot post-patching when successful, so most should be excluded), go ahead and reboot and then try the updates again. The big concern is that if all the servers did happen to reboot at the same time for any reason at all, an out-of-band patch picked up on refresh, etc., it would be really bad. I only have a few hundred servers getting targeted right now, and the success rate is over 90%, but I have noticed that the majority that report “Not Relevant” or “Running” a couple of days after they were targeted actually failed.
I am guessing that a patch policy would still apply a pre-patch fixlet to all servers and reboot them, even if those servers did have the latest Windows updates.
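The pre-patch logic discussed in this thread (reboot only if a restart is pending or the box has not rebooted in 30 days, and spread the restarts over a window so only a few servers go down at once) can be prototyped as a small PowerShell script. The script below is an added example, not code from the thread or from the BigFix product; it assumes it runs elevated on Windows Server as the pre-patch step, that the Patch Policy launches the actual update action afterwards, and that the policy's "retry if it becomes relevant again" option covers the re-run on servers that were restarted. The -MaxUptimeDays, -StaggerMinutes and -WhatIf parameters are the example's own names.

```powershell
# Added example (not from the original thread): pre-patch reboot decision with staggering.
# Assumptions: runs elevated on Windows Server; the patch action itself is started by the
# Patch Policy after this script; a scheduled restart is acceptable in place of an
# immediate one so the script returns quickly.
param(
    [int]$MaxUptimeDays = 30,    # reboot if the last boot is older than this (the thread's "30 days")
    [int]$StaggerMinutes = 180,  # spread restarts over this window (the thread's "3 hours")
    [switch]$WhatIf              # report the decision only; schedule no restart
)

function Test-PendingReboot {
    # Well-known registry markers Windows sets while a restart is still outstanding.
    $keys = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing\RebootPending',
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\RebootRequired'
    )
    foreach ($k in $keys) {
        if (Test-Path $k) { return $true }
    }
    # PendingFileRenameOperations is also set by ordinary software installs, so treat it
    # as a weaker signal; here it still counts as "pending".
    $sm = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager' -ErrorAction SilentlyContinue
    if ($sm -and $sm.PendingFileRenameOperations) { return $true }
    return $false
}

function Get-UptimeDays {
    # LastBootUpTime comes back as a DateTime from Get-CimInstance.
    $os = Get-CimInstance -ClassName Win32_OperatingSystem
    return ((Get-Date) - $os.LastBootUpTime).TotalDays
}

$uptime  = Get-UptimeDays
$pending = Test-PendingReboot
$reason  = $null

if ($pending) {
    $reason = 'a reboot is already pending'
} elseif ($uptime -gt $MaxUptimeDays) {
    $reason = ('uptime of {0:N1} days exceeds {1} days' -f $uptime, $MaxUptimeDays)
}

if (-not $reason) {
    # Nothing to do: the policy continues straight to patching on this server.
    Write-Output ('No reboot needed (uptime {0:N1} days, no pending flag); continuing to patch.' -f $uptime)
    exit 0
}

# Pick a random slot inside the window so servers targeted by the same action do not
# all restart in the same minute. shutdown.exe schedules the restart and returns, so the
# script does not have to sleep for up to three hours inside the pre-patch step.
$delaySeconds = Get-Random -Minimum 0 -Maximum ($StaggerMinutes * 60)
Write-Output ('Reboot required ({0}); restart scheduled in {1:N1} minutes.' -f $reason, ($delaySeconds / 60))

if ($WhatIf) {
    exit 0
}

shutdown.exe /r /t $delaySeconds /c "Pre-patch restart: $reason" /d p:2:17
exit 0
```

Running it once with -WhatIf across the target group lists which servers would restart and where in the window each one lands, which is a useful check before letting the catch-all action schedule real restarts; the window and the uptime threshold are the two knobs to tune against the "no more than 2-3 at once" constraint.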