5 Replies Latest reply on Sep 28, 2015 11:00 AM by cwinning

    Patch Tuesday - Delay Patch Deployment

    Rookie

      Hi Everyone,

       

      I am sure I am not the only person/company that wants to test their patches before they are deployed into their live environment.

       

      We are using Shavlik Protect to patch our desktops and servers, however there is a need to delay patches to our servers. Here is what I am trying to achieve:

       

      Microsoft release updates on patch Tuesday (Week 1)

      I deploy my updates to our testing environment and start testing applications (Week 1-4)

      Microsoft release updates on patch Tuesday (This is now Week 5 in my schedule but back to Week 1 for the 4 weekly)

      Week 5 is my Patching week. Any patches Microsoft have released before their next patch Tuesday have been included. I now want to patch my servers but I do not want to include any patches that would have downloaded from the 2nd patch Tuesday as I haven't yet tested any of these updates.

       

      I need to know if there is a way I can make this happen. I have been looking at smart filters and the possibility of using a filter which says "Patch Release Date" "Is Greater than" "x" where X would be the days in question.

       

      Has anyone else got a similar setup or another way in which they delay patches for servers but not for desktops?

       

      Everyone's help is greatly appreciated.

       

      Regards,

       

      Scott

        • 1. Re: Patch Tuesday - Delay Patch Deployment
          cwinning CommunityTeam

          Hello,

           

          You could create a Patch Group to include the patches you want to work with, then scan your machines using a Scan Template using the Patch Group. Continue to use this Patch Group to scan and deploy your patches without worrying about newly released patches being included in the scan/deployment. Simply update the Patch Group when you are ready to include new patches in your process.

           

          Thanks,

          Charles

          • 2. Re: Patch Tuesday - Delay Patch Deployment
            Rookie

            Hi Charles,

             

            Thank you for your response.

             

            This isn't really what I was looking for as I would have to manually intervene every month. I wanted to try and do something that was automated like a smart filter.

             

            Regards,

             

            Scott

            • 3. Re: Patch Tuesday - Delay Patch Deployment
              cwinning CommunityTeam

              Hello,

               

              Unfortunately, a smart filter for what is included in a scan isn't a feature currently in Protect. The Patch Group is the only out-of-box method to filter patches, products, etc. at this time.

               

              Although, you can link a Patch Group to a text file, but I can't come up with a good method to automatically populate it with the patches you want included. Not yet anyways. Perhaps a SQL query that runs against the database to obtain a list of patches based on release date and then another method (script?) to populate the Patch Group text file with a list of KBnumbers. 

               

              I'll perform some research on this today, can't promise anything though. 

               

              Thanks,

              Charles

              • 4. Re: Patch Tuesday - Delay Patch Deployment
                cwinning CommunityTeam

                Hello,

                 

                Sorry about the delay, I should know more tomorrow.

                 

                Thanks,

                Charles

                • 5. Re: Patch Tuesday - Delay Patch Deployment
                  cwinning CommunityTeam

                  Hello,

                   

                  This is way out of the normal scope of what we support, but we were able to come up with an SQL query. The query will output patches that were released between the last Patch Tuesday up until, but not including, the current Patch Tuesday. You could use this query to build a text file that can be used as a Patch Group in your scan templates. You will have to determine the best method to automate the SQL query and the building of the text file.

                   

                  The basic flow would look like this:

                   

                  1. Set up a Scan Template that utilizes a text file in the Patch Filter Setting area, set it to Scan Selected.
                  2. Create a process that runs the query against the Protect database to build the list of patches.
                  3. Determine the best method to build the text file being used in the Patch Filter Settings.  The text file should contain one Qnumber (KBnumber) per line.
                  4. The scan would run and filter using the list of Qnumbers in the text files.

                   

                  That is about all the time I can spend on this, let me know if you have questions,

                   

                  Charles
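
The flow outlined in reply 5, sketched as an added example (not code from this thread or from Shavlik): it computes the window from the previous Patch Tuesday up to, but not including, the current one, and builds the one-Qnumber-per-line text for the Patch Group file. The thread does not show the SQL query or the database schema, so the `(qnumber, release_date)` rows stand in for the query output; the Qnumbers, function names and output path are constructed for illustration.

```python
from datetime import date, timedelta

def patch_tuesday(year, month):
    """Second Tuesday of the month (Microsoft's Patch Tuesday)."""
    first = date(year, month, 1)
    offset = (1 - first.weekday()) % 7      # weekday(): Mon=0, Tue=1
    return first + timedelta(days=offset + 7)

def _prev_month(year, month):
    return (year - 1, 12) if month == 1 else (year, month - 1)

def approved_window(today):
    """(start, end): previous Patch Tuesday and the most recent one.

    Patches released on or after `end` belong to the cycle still under
    test and must stay out of the server Patch Group.
    """
    current = patch_tuesday(today.year, today.month)
    if today < current:                     # this month's release not out yet
        current = patch_tuesday(*_prev_month(today.year, today.month))
    start = patch_tuesday(*_prev_month(current.year, current.month))
    return start, current

def build_patch_group(rows, today):
    """Qnumbers released in [start, end), de-duplicated and sorted."""
    start, end = approved_window(today)
    return sorted({q for q, released in rows if start <= released < end})

def render_patch_group(qnumbers):
    """Text file body: one Qnumber per line, as the scan template expects."""
    return "".join(q + "\n" for q in qnumbers)

# Constructed sample rows standing in for the query output.
SAMPLE_ROWS = [
    ("Q9000001", date(2015, 8, 11)),   # released on the previous Patch Tuesday
    ("Q9000002", date(2015, 8, 20)),   # released mid-cycle
    ("Q9000003", date(2015, 9, 8)),    # current Patch Tuesday: still untested
    ("Q9000004", date(2015, 7, 14)),   # older cycle, outside the window
    ("Q9000002", date(2015, 8, 20)),   # duplicate row
]

if __name__ == "__main__":
    body = render_patch_group(build_patch_group(SAMPLE_ROWS, date(2015, 9, 10)))
    with open("server_patch_group.txt", "w") as fh:   # hypothetical path
        fh.write(body)
    print(body, end="")
```
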