Windows Patch Deployment

All the approved patches will be automatically deployed to the affected system based on the configuration. Patches can also be deployed on demand. The steps are detailed below.

On the SapphireIMS menu, point to ‘IT Automation' and click ‘Patch Management’. Select the 'Windows Patches' option.
Click 'Missing Patches' tab.
Select 'Patch Type' as 'OS Patches'.

In the 'Approval Type' drop down box, select 'Approved Patches'.
In the ‘System Type’ drop down box select ‘Normal Systems’ or ‘Critical Systems’ as required.
You can filter the listing based on the 'Organizational Unit Tree'.
Use the search filter to select a search criteria like ‘KB Article’, ‘Host Name’, 'Status' or ‘Bulletin ID’ and then enter the information in the search text and click on 'Search'.
Refer Advanced Search for using the Advanced Search options.
Select the approved patches and click the 'Deploy’ button. This process deploys the patch in the affected systems where the patch is missing. You can also click on 'Disapprove' button to move an approved patch to the disapproved list.

You can deploy multiple patch across all the affected systems or choose to apply a path to selected systems only. For deployment of patches across all systems, refer to Patching all systems. For deployment of patches selectively refer to Patching selective systems only.
Deployment of patches might require a restart of the target system. Once the deployment is done and that patch requires a restart, the Reboot Reminder Settings dialog box is displayed to on the target system.

Patching selective systems only

This section is applicable when there are multiple affected systems which are missing the patch and you want to apply a patch to selected systems only.

Click the 'Affected Systems' count to view the host details like host name and system status as shown below. Select the systems where the patch needs to be deployed.

Click 'Next' to configure the reboot reminder settings. The following screen is displayed.

If no Reboot Reminder is required, click 'Next'.
If 'Reboot Reminder Configuration' is selected as 'Reboot Immediately', the following screen is displayed.

Select the 'Maximum Time To Wait for User Response' which is the time for which the system will wait to reboot after the reboot reminder message pops up.
Edit the 'Reboot Reminder Message' if required. Click on 'Next'.
If the 'Reboot Reminder Configuration' is selected as 'Reboot or Snooze' then the following screen is displayed.

Enter the 'Reboot Reminder Snooze Count' which is the number of times the user can delay system restart.
Enter the 'Reboot Reminder Snooze Interval' which is the interval for which the system will wait after the system restart is delayed each time before another reminder message is displayed.
Enter the 'Last Reboot Reminder Snooze Interval' which is the interval for which the system will wait after the system restart is delayed after the last Reboot reminder.
Select the 'Default Action if User Doesn't Respond' which is the action to take if the user does not respond to the reminder pop-up.
Enter the 'Time Interval to Perform Default Action'.
Edit the 'Reboot Reminder Message' if required. Click on 'Next'.
The Deploy Schedule Settings screen is displayed.

Select 'Deploy Now' as 'Now' for immediate deployment or as 'Later' to schedule the deployment. If 'Later' is selected then select a date.
Click on 'Deploy'.

Patching all systems

This section is applicable when you want to patch all affected systems with a patch.

Select one or more of the missing patches. Click on 'Deploy'. The following screen is displayed.

If no Reboot Reminder is required, proceed to 'Deploy Schedule Settings'.
Select the Reboot Reminder Settings. If selected as, 'Reboot Immediately' the following screen appears.

Select the 'Maximum Time To Wait for User Response' which is the time for which the system will wait to reboot after the reboot reminder message pops up.
Edit the 'Reboot Reminder Message' if required. Proceed to 'Deployment Schedule Settings'.
If the 'Reboot Reminder Configuration' is selected as 'Reboot or Snooze' then the following screen is displayed.

Enter the 'Reboot Reminder Snooze Count' which is the number of times the user can delay system restart.
Enter the 'Reboot Reminder Snooze Interval' which is the interval for which the system will wait after the system restart is delayed each time before another reminder message is displayed.
Enter the 'Last Reboot Reminder Snooze Interval' which is the interval for which the system will wait after the system restart is delayed after the last Reboot reminder.
Select the 'Default Action if User Doesn't Respond' which is the action to take if the user does not respond to the reminder pop-up.
Enter the 'Time Interval to Perform Default Action'.
Edit the 'Reboot Reminder Message' if required.
Edit the 'Deploy Schedule Settings'.
Select 'Deploy Now' as 'Now' for immediate deployment or as 'Later' to schedule the deployment. If 'Later' is selected then select a date.
Click on 'Save'.

Note: For Service Pack Updates, Roll-up and Cumulative Security Updates deployment, it is mandatory to restart the system.

Notes:

1. Completed Patch management jobs are purged after 180 days irrespective of the job status of patch management jobs. To change the default setting of 180 days, change the global settings variable 'Purging interval for patch management jobs'

2. Purged jobs can be viewed as archived reports in 'Automation Summary Reports', 'Automation Analytical Reports', 'Patch Summary Reports' and 'Patch Analytical Reports'. For more information, refer Reports > IT Automation Reports

3. Retry Count and Retry Interval will assume default values of 3 and 3 minutes respectively when 'On-Demand' patch deployment is selected.

Patch Download Retry Count

You can set the maximum download retry count for missing patches by defining a value for Global Settings variable 'Patch Download Retries Max count'. Once the maximum retry count is exceeded click on the red 'Reset Download Count' icon and reset the count to 0.

Patch Deployment Status and Patch Redeploy

On the SapphireIMS menu, point to ‘IT Automation' and click ‘Patch Management’. Select the 'Windows Patches' option.
Click 'Patch Deploy' tab.
The status of the patch deployment is displayed. Click on the icon to customize the status view.
Refer to Advanced Search to create profiles for filtering and viewing the list.

System status shows whether the system is up or down. If there is a failure in patch deployment, then the check box is enabled.
Select the patch which has to be redeployed in the target machine and click on the 'Redeploy' button.
Patch deploy status can be any of the following:

Sr. No	Deploy Status	Description
1	Patch deployment job is posted	Patch download job posted to download a particular patch from internet to SapphireIMS server
2	Patch download in progress	Patch download from internet to SapphireIMS server is in progress
3	Patch download is completed	Patch is downloaded from internet to SapphireIMS server
4	Master Agent started download	Master/Standalone agent started downloading patch from SapphireIMS server
5	Master Agent download success	Master/Standalone agent successfully downloaded the patch from SapphireIMS sever
6	Patch deploy job is posted	Deployment job is posted
7	Another deploy is in progress. Please wait	For that machine, another deployment job in progress.
8	Copying the Patch to the Target Machine	File copy from SapphireIMS server to agent-less target machine in progress. It includes 1. Wsusscn2.cab 2. Patch file(s) to be deployed 3. SappWUADeploy.exe
9	Patch deploy started	Agent started processing the deployment of particular patch
10	Patch deploy completed successfully	Patch deployment completed without error
11	Patch deploy completed. System needs restart	Deployment success. Target machine needs to be restarted so that the installed patch comes into effect. After target machine restart, if inventory is collected, the status is updated automatically to " Patch deploy completed successfully." and Reboot column is changed to "Machine rebooted".
12	Patch deploy failed	Failure during Patch Deployment
13	Unknown error	Once deployment is completed, patch scan is performed. Sometimes, during this process the patch which is installed is shown as missing.
14	Patch is not applicable due to previous service pack installation or update roll-up installation or corresponding software is removed from the machine	This happens when patch deployment is posted for several patches, but due to service pack/update roll-up installation the patch is neither missing nor installed. This may also happen when the corresponding software is uninstalled after posting a deployment job and before completion of deployment

The status will be checked and updated after 15 minutes from the time the patch is sent for deployment to the target system. Status of Service Packs and product related updates will be updated during the next scan cycle and so the status will be shown as ‘In Progress’ until then.

Notes: 1. When posting Redeploy for failed patches, reboot reminder option will not work.