Need a way to set policy for specific patches to always be installed?

(imported topic written by SystemAdmin)

Is there a way to set a policy for all ‘approved’ patches to always be installed and/or required? Microsoft’s WSUS has a way of enforcing an installation of approved patches. Basically I want to set it and forget it. The only way I know how to do this is to set an on-going action that never expires. Is that the only way to do this? It’s a rather difficult way of managing it when new patches come out etc… This seems like it should be a fairly simple basic need for a patch management system, am I missing an easier way of doing this?

(imported comment written by BenKus)

Hey Brian,

I am not sure I understand. Like you said, you can select the Fixlets (one at a time or in a group) and then choose to deploy them as a policy (you can preset all your options in the “Action Presets”). The whole thing should just be a few clicks… I suppose we could try to come out with a patch-specific deployment system where you check some boxes or something like that to try to reduce the number of clicks, but we always strive to keep the process to deploy patch actions the same as deploying new AV updates, new configuration changes, new software packages, etc.

But… I think if you have some ideas on how we might do things better, we would enjoy hearing them…


(imported comment written by SystemAdmin)

You mentioned you can select the fixlets and then choose to deploy them as a policy. How would I do that? Create a baseline, add what I want as a ‘policy’ to that baseline, and then deploy that as an action that does not expire? When new patches come out all I need to do is add them to the baseline? Will the action be automatically updated with those patches?

I don’t care about the number of clicks per se; however, the way I am doing this now is a rather manual process. I create a group of computers that have a specific dark window. Under computer groups I select a group for patching and then select all the missing patches and take the default action to deploy those, then go back and select the ones that did not have default actions and manually deploy each one of those. If the above works as a policy, that would be better than what I’m doing now. But that would end up being one huge baseline if I had all MS patches in there as well as any additional AV stuff, etc. Is that a problem? Can a baseline be too big?

I will say one feature that is missing (I think) is on the deployment screen Post-Action tab: why can’t I set a specific time to reboot? I.e., I’d like to deploy patches, then prompt the user that a reboot is needed. If they do not reboot by 1am Sunday morning, then force a reboot at that specific time.

I’m still somewhat new to BigFix and learning…

Thanks for your time.