Creating a Patch Policy

Satyam

Last Update 9 months ago

A Patch Policy in SecOps Solution lets you automate operating system and third-party application updates across your devices. It ensures patches are deployed on schedule, reboots are handled properly, and even devices that were offline get updated when they reconnect.

Follow these steps to set one up:

Step 1: Create a New Policy

  • Go to Products -> Patch Management -> Policies.

  • Click Create Policy.

  • Choose Patch Policy.

Step 2: Fill in Policy Details

  • Policy Name: This is the label that will identify the policy in your list. Use a simple, recognizable name (for example: Windows-Critical-Patches-Weekly).

  • Description: A free-text field where you can add comments about what the policy does. For example: “This policy deploys all critical Windows security patches every Friday night with a scheduled reboot.”

  • Status: Policies can be set to Active (they will run according to their schedule) or Inactive (saved but won’t run until activated). This is useful if you want to create a policy in advance but hold off on running it right away.

Step 3: Select Target Devices

In the Device Targeting section, you define which systems the policy will apply to.

  • Servers, Endpoints: Choose the individual servers and endpoints that this policy should patch.

  • Asset Groups: Choose which category of devices should be covered by this policy (for example, “HR-Laptops” or “Production-Servers”).

  • OS Filter: Narrow the scope to specific operating systems.

  • ASR Score: Include or exclude devices based on their Asset Severity Rating score.

  • Match Any / Match All: Match Any includes a device if it matches at least one selected option, while Match All requires the device to meet every selected option.

  • Exclude Assets: Select devices that should be excluded by this policy, even if they meet the other filters.

You can review the final scope of the target devices by clicking Preview Impacted Assets before saving the policy.
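The targeting rules above combine in a specific way: Match Any / Match All governs how the selected filters are evaluated, and Exclude Assets overrides the result. The following model of that evaluation is an added example, not SecOps Solution code; the field names, the inventory, the ASR values and the assumption that the ASR Score filter is a minimum threshold are all constructed for illustration.

```python
"""Model of the Device Targeting rules in Step 3.

Added example, not SecOps Solution code; the field names, the inventory
and the ASR values are constructed for illustration.
"""
from dataclasses import dataclass, field
from typing import FrozenSet, List, Optional, Set


@dataclass(frozen=True)
class Device:
    name: str
    os: str
    groups: FrozenSet[str]
    asr_score: int   # Asset Severity Rating on a constructed 0-100 scale


@dataclass
class TargetingRule:
    devices: Set[str] = field(default_factory=set)        # Servers / Endpoints picked by name
    asset_groups: Set[str] = field(default_factory=set)   # Asset Groups
    os_filter: Set[str] = field(default_factory=set)      # OS Filter
    min_asr: Optional[int] = None                         # ASR Score threshold (assumed "at least")
    match_all: bool = False                               # False = Match Any, True = Match All
    exclude: Set[str] = field(default_factory=set)        # Exclude Assets

    def _criteria(self, d: Device) -> List[bool]:
        """One boolean per criterion the administrator actually configured."""
        checks = []
        if self.devices:
            checks.append(d.name in self.devices)
        if self.asset_groups:
            checks.append(bool(d.groups & self.asset_groups))
        if self.os_filter:
            checks.append(d.os in self.os_filter)
        if self.min_asr is not None:
            checks.append(d.asr_score >= self.min_asr)
        return checks

    def applies_to(self, d: Device) -> bool:
        # Exclude Assets wins regardless of how the other filters evaluate
        if d.name in self.exclude:
            return False
        checks = self._criteria(d)
        if not checks:          # nothing selected means nothing is targeted
            return False
        return all(checks) if self.match_all else any(checks)


def preview_impacted_assets(rule: TargetingRule, inventory: List[Device]) -> List[str]:
    """Equivalent of the Preview Impacted Assets button: sorted device names in scope."""
    return sorted(d.name for d in inventory if rule.applies_to(d))


# Constructed inventory
INVENTORY = [
    Device("hr-lap-01", "Windows 11", frozenset({"HR-Laptops"}), 40),
    Device("hr-lap-02", "Windows 11", frozenset({"HR-Laptops"}), 85),
    Device("prod-srv-01", "Windows Server 2022", frozenset({"Production-Servers"}), 90),
    Device("prod-srv-02", "Ubuntu 22.04", frozenset({"Production-Servers"}), 70),
    Device("dev-srv-01", "Ubuntu 22.04", frozenset({"Dev-Servers"}), 30),
]

if __name__ == "__main__":
    rule = TargetingRule(asset_groups={"HR-Laptops"}, min_asr=80)
    print("Match Any:", preview_impacted_assets(rule, INVENTORY))
    rule.match_all = True
    print("Match All:", preview_impacted_assets(rule, INVENTORY))
```

With the same two filters (HR-Laptops group, ASR at least 80), Match Any pulls in a high-ASR production server that is not in the group, while Match All keeps only the one laptop that satisfies both; this is why previewing the impacted assets before saving matters.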

Step 4: Choose What to Patch

In the Package Targeting section, you define which patches the policy will deploy.

  • Patch All: Installs all missing patches on the selected devices, including operating system updates and third-party applications.

  • Patch Except: Installs all missing patches except the ones you specifically exclude (useful if a certain update is known to cause issues).

  • Advanced Patch Policy: Gives fine-grained control. You can filter patches based on:

    • Severity (for example, Critical, High, Medium).

    • Update Type (Security Updates, Definition Updates, Update rollups, etc.).

    • Patch Type (operating system or third-party applications).

    • Patch Age (only deploy patches that have been available for a set number of days).

    • Specific Packages (target or exclude by patch title or application name).

You can use Preview Filtered Packages to review the list of patches that match your criteria before saving the policy.

Step 5: Configure Reboot Settings

In the Patch Configuration section, you define how devices will restart after patches are installed:

  • No Reboot: Installs patches and skips the reboot operation. You can use this if you want to leave the reboot operation up to the end user.

  • Graceful Reboot: Displays a message to the signed-in user and allows a set number of deferrals before the restart is enforced.

  • Force Reboot: Restarts the device immediately after patches are installed, without user input.

  • Scheduled Reboot: Restarts the device at a specific date and time that you configure.

You can also set a Retry Window (for example, 3 days). If a device is offline during the scheduled deployment, it will still receive and apply the patches when it reconnects within this window.
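The three package-targeting modes from Step 4 and the Retry Window from Step 5 are easiest to reason about as a filter over the packages a device reports missing, plus a time check for devices that were offline at the scheduled run. The model below is an added example, not SecOps Solution code; the field names, the sample patch catalogue (with placeholder KB numbers), the dates and the reading of Patch Age as "released at least N days ago" are constructed for illustration.

```python
"""Model of the Package Targeting modes in Step 4 and the Retry Window in Step 5.

Added example, not SecOps Solution code; field names, the sample patch
catalogue and the dates are all constructed for illustration.
"""
from dataclasses import dataclass, field
from datetime import date, datetime, timedelta
from typing import List, Optional, Set


@dataclass(frozen=True)
class Package:
    title: str
    app: str           # "Windows" for OS updates, otherwise the application name
    severity: str      # Critical / High / Medium / Low
    update_type: str   # Security Updates, Definition Updates, Update rollups, ...
    patch_type: str    # "os" or "third-party"
    released: date


@dataclass
class PackageFilter:
    mode: str = "all"                                        # "all", "except" or "advanced"
    excluded_titles: Set[str] = field(default_factory=set)   # used by "except" mode
    # Advanced Patch Policy criteria; an empty set means "no restriction"
    severities: Set[str] = field(default_factory=set)
    update_types: Set[str] = field(default_factory=set)
    patch_types: Set[str] = field(default_factory=set)
    min_age_days: Optional[int] = None                       # Patch Age
    include_names: Set[str] = field(default_factory=set)     # Specific Packages: title or app name
    exclude_names: Set[str] = field(default_factory=set)

    def _advanced_match(self, pkg: Package, today: date) -> bool:
        names = {pkg.title, pkg.app}
        if names & self.exclude_names:
            return False
        if self.include_names and not names & self.include_names:
            return False
        if self.severities and pkg.severity not in self.severities:
            return False
        if self.update_types and pkg.update_type not in self.update_types:
            return False
        if self.patch_types and pkg.patch_type not in self.patch_types:
            return False
        if self.min_age_days is not None and (today - pkg.released).days < self.min_age_days:
            return False
        return True

    def select(self, pkg: Package, today: date) -> bool:
        if self.mode == "all":
            return True
        if self.mode == "except":
            return pkg.title not in self.excluded_titles
        if self.mode == "advanced":
            return self._advanced_match(pkg, today)
        raise ValueError(f"unknown mode {self.mode!r}")


def preview_filtered_packages(f: PackageFilter, missing: List[Package], today_iso: str) -> List[str]:
    """Equivalent of the Preview Filtered Packages button: titles the policy would deploy."""
    today = date.fromisoformat(today_iso)
    return [p.title for p in missing if f.select(p, today)]


def applies_within_retry_window(scheduled_iso: str, reconnected_iso: str, retry_window_days: int) -> bool:
    """True if a device that missed the scheduled run reconnects inside the Retry Window."""
    scheduled = datetime.fromisoformat(scheduled_iso)
    reconnected = datetime.fromisoformat(reconnected_iso)
    return scheduled <= reconnected <= scheduled + timedelta(days=retry_window_days)


# Constructed sample of patches reported missing on a device (KB numbers are placeholders)
MISSING_PACKAGES = [
    Package("KB-EXAMPLE-1 2024-08 Cumulative Update", "Windows", "Critical", "Security Updates", "os", date(2024, 8, 6)),
    Package("Defender definition 1.2.3", "Windows", "Medium", "Definition Updates", "os", date(2024, 8, 9)),
    Package("Chrome 127.0", "Google Chrome", "High", "Security Updates", "third-party", date(2024, 7, 30)),
    Package("7-Zip 24.07", "7-Zip", "Medium", "Application Updates", "third-party", date(2024, 6, 1)),
    Package("KB-EXAMPLE-2 Preview Rollup", "Windows", "Low", "Update rollups", "os", date(2024, 8, 1)),
]

if __name__ == "__main__":
    held_back = PackageFilter(mode="advanced", severities={"Critical", "High"}, min_age_days=7)
    print(preview_filtered_packages(held_back, MISSING_PACKAGES, "2024-08-09"))
    print(applies_within_retry_window("2024-08-09T22:00", "2024-08-11T09:00", 3))
```

The Patch Age check is what gives a policy a built-in soak period: in the sample run, the three-day-old Critical cumulative update is held back by a seven-day age requirement while the ten-day-old Chrome security update goes out. The retry check treats the window as inclusive of its last moment; a device reconnecting after the window closes simply waits for the next scheduled run.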

Step 6: Set the Schedule

In the Schedule section, you define when and how often the policy will run:

  • Select the Start Date and Time for the first run.

  • Choose a Recurrence Pattern:

    • One-time (Does not repeat)

    • Daily

    • Weekly (on one or more days of the week)

    • Monthly (for example, first Friday of every month)

    • Annually (for example, run on 1st Aug every year)

    • Custom recurrence (for example, every 2 weeks on Wednesday)

  • Set End Date and Time to stop the policy after a certain period.

You can use Preview Schedule to review the upcoming run times before creating the policy.

Step 7: Save and Run

  • Click Create Policy to create and save the policy configuration. If the Status is Active, the policy runs according to its schedule from the configured start date; if Inactive, it is saved but does not run until you activate it.

Best Practice: Roll Out in Stages

To reduce risk and ensure smooth deployment, apply a staged rollout pattern for new patch policies:

  • Test Group: Apply the policy first to a small IT or QA group. Use No Reboot so you can validate patch selection and deployment without disrupting workflows.

  • Pilot Group: Expand to around 10% of endpoints. Use Graceful Reboot with limited deferrals to confirm that reboots and user prompts behave as expected.

  • Production Group: Apply the policy to all remaining devices. Adjust reboot rules if necessary (for example, stricter reboot enforcement during server maintenance windows).

This approach helps confirm patch stability before affecting the wider environment.
