The Windows Patch Management module scans the Windows systems in the network and assesses which patches are deployed or missing. This helps ensure that all Windows systems on the network are up to date with the critical or recent patches released by Microsoft and that there are no security vulnerabilities in the network. The following sections describe how to configure the settings for scanning the network for missing patches and deploying them.
Click the 'Settings' tab. In the 'Software Management' section, click 'Patch Management Wizard'. This will list the current patch configurations that are defined.

Click on the link to turn the feature on and off. The indicator shows if the feature is active.
Include Systems: To add a new patch configuration, click the 'Add' button in the 'Windows Patch Management Wizard' tab. The first step is to select the hosts to include in the patch configuration. You can select an existing inclusion profile or create a new one using the 'Add New Profile' button. Make sure you select the correct profile.

Click 'Next'.
Exclude Systems: The next step is to select the exclusion profile. Devices that are part of this profile are excluded from the patch scanning activity. To add a new exclusion profile, click the 'Add New Profile' button.

Click 'Next'.
Mark Critical Systems: Select the profile in which the critical systems are defined. For systems that are set as critical, patches are always deployed only on approval. To add a new Critical System profile, click the 'Add New Profile' button.

Click 'Next'.
Reboot Reminder Settings: This section configures the reboot actions and reminders. Depending on the 'Reboot Reminder Configuration' selected, certain other parameters need to be entered.
If the Reboot Reminder is set as "Off", there will be no warning to end users and the system will not reboot.

If the Reboot Configuration is selected as 'Reboot Immediately', then after the patch deployment, if a system restart is required, a pop-up with an option to restart the system is displayed to the end user.

A value has to be entered for 'Maximum Time To Wait For User Response'. This is the time the system waits for a response from the end user; if no response to the pop-up is received within this time, the system proceeds to restart.
The following pop-up is displayed in the end user system.

Click 'Restart Now' to restart immediately. Otherwise, the system is automatically restarted after the 'Maximum Time To Wait For User Response' interval specified in the patch management settings screen above.
If the Reboot Configuration is selected as 'Reboot or Snooze', then after the patch deployment, if system restart is required, a popup with an option to either restart the system immediately or delay system restart further by a snooze interval is displayed to the end user.
'Reboot Reminder Snooze Count' is the number of times the end user can delay the system restart by choosing "Remind me in N minutes" when the pop-up reminder is displayed.
'Reboot Reminder Snooze Interval' is the interval by which the user can delay system restart action by choosing "Remind me in N minutes" option when the pop-up reminder is displayed. This interval is applicable for first (n-1) reboot reminders.
'Last Reboot Reminder Snooze Interval' is the interval by which the user can delay system restart action by choosing "Remind me in N minutes" option. This interval is applicable only for the last reboot reminder.
'Default Action If User Doesn't Respond' is the action to be performed if the end user doesn't respond to the restart reminder popup within the configured time interval. The default action can be either 'Snooze' or 'Reboot'.
'Time Interval To Perform Default Action' is the time interval to wait before performing the default action.

The following pop-up is displayed in the end user system if the default action is 'Snooze'.

The end user can choose to 'Restart' or click on 'Remind me'. If no action is taken, the pop-up is minimized to the system tray and pops up again after the snooze interval.
The following pop-up is displayed in the end user system if the default action is 'Restart'.

The end user can choose to 'Restart' or click on 'Remind me'. If no action is taken, then the system automatically restarts at the specified time.
Irrespective of the default action selected (Reboot or Snooze), the following popup window is displayed after the last snooze interval.

Click 'Next' once the Reboot Reminder Settings are done.
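The 'Reboot or Snooze' settings together determine how long a patched system can keep running without its required restart. The following added example (not the product's own code) models the reminder sequence to make that window visible. It assumes all intervals are in minutes, that an unanswered reminder which defaults to 'Snooze' uses up one snooze, and that the final pop-up allows no further delay; `RebootPolicy`, `timeline` and `max_deferral` are hypothetical names.

```python
from typing import NamedTuple, Optional, Sequence

class RebootPolicy(NamedTuple):
    # Hypothetical container; one field per wizard setting, all in minutes (assumed).
    snooze_count: int          # 'Reboot Reminder Snooze Count'
    snooze_interval: int       # 'Reboot Reminder Snooze Interval'
    last_snooze_interval: int  # 'Last Reboot Reminder Snooze Interval'
    default_action: str        # 'Snooze' or 'Reboot'
    default_wait: int          # 'Time Interval To Perform Default Action'

def snooze_delay(p: RebootPolicy, used: int) -> int:
    """Delay granted by the next snooze; only the last one uses the last interval."""
    return p.last_snooze_interval if used == p.snooze_count - 1 else p.snooze_interval

def timeline(p: RebootPolicy, responses: Sequence[Optional[str]] = ()):
    """Return [(minute, event)] for one pending restart.

    responses[i] is the user's answer to reminder i: 'restart', 'snooze' or
    None (no answer). Reminders past the end of the list count as unanswered.
    """
    events, now, used = [], 0, 0
    while used < p.snooze_count:
        events.append((now, "reminder"))
        choice = responses[used] if used < len(responses) else None
        if choice is None:  # nobody answered: wait, then apply the default action
            now += p.default_wait
            choice = "restart" if p.default_action == "Reboot" else "snooze"
        if choice == "restart":
            events.append((now, "restart"))
            return events
        now += snooze_delay(p, used)  # assumption: a default snooze uses up one snooze
        used += 1
    events.append((now, "final reminder"))  # shown whatever the default action is
    return events

def max_deferral(p: RebootPolicy) -> int:
    """Upper bound, in minutes, on how long the restart can be put off:
    every reminder sits for the full default wait and is then snoozed."""
    return sum(p.default_wait + snooze_delay(p, k) for k in range(p.snooze_count))

if __name__ == "__main__":
    # Constructed sample values, not taken from the product.
    policy = RebootPolicy(3, 30, 10, "Snooze", 5)
    print(timeline(policy))                  # unattended machine
    print(timeline(policy, ["snooze"] * 3))  # user snoozes at once each time
    print(max_deferral(policy), "minutes")
```

Comparing `max_deferral` against the patching deadline you are held to shows whether a given snooze count and interval leave systems unrestarted for longer than intended.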
Scanning Schedule: Specify the parameters for the scan schedule.

The fields are described below.
Enter the fields and click on 'Next'.
Note: Once scheduled, a patch scan is performed only if 'Scanning and Deployment' is enabled in the 'Enable Patch Scanning, Deployment and Automatic Approval' section.
Deployment Schedule: Specify the parameters for the deployment schedule.

The fields are described below.
Enter the fields. Enter a name in 'Save Configuration As' field. Click on 'Save'.
Notes:
a. Patch deployment will be performed only when the 'Deploy Scheduler' is enabled. Patch deployment will not be performed automatically or on demand.
b. Even if an automatic patch deployment is enabled, for devices listed in the critical system profile, the deployment will only happen for manually approved patches.
c. Windows service packs and update roll-ups are given priority in the execution of patch management jobs, since service packs and update roll-ups are cumulative sets of hot-fixes, security updates and critical updates.