Create a Patch Policy

This page describes in detail how to create a patch policy, select the patches it includes, set deployment options, and designate targets.

To open the application, select Patch Policy from the WebUI App menu. For a summary of Patch Policy tasks, see Patch Policy Operations.

  1. On the Policies page, click Add Policy.
    Note: A non-master operator needs the Create/Edit Policy and Delete Policy permissions to add, edit, or delete a policy. For more information on permissions, see The WebUI Permissions Service. Non-master operators cannot edit the definition of a policy stored in the Master Action Site even when they hold the Create/Edit Policy permission: currently, non-master operators cannot access the Master Action Site and can access only their own custom site.
  2. On the Add Policy page, enter a name and description for the new policy.

  3. Select the Master Action Site or a custom site from the drop-down to store the policy and its schedules.
  4. Select patch inclusion criteria, one or more items from each column.
    • Severity: Critical, Important, Moderate, Low, Unspecified.
    • Category: Bug Fix, Enhancement, Security, Service Pack.
    • Operating System (choose one): CentOS, Oracle Linux, Red Hat Enterprise Linux (RHEL), SUSE, or Windows.
    • Update Type: OS Updates, OS Application Updates, 3rd Party Updates.
    Refine your operating system selections as required.
    • RHEL versions:
      Image of OS versions for RHEL.

    • CentOS versions:
      Image of OS versions for CentOS.

    • Oracle Linux versions:
      Image of OS versions for CentOS.

    • SUSE versions:
      Image of OS versions for SUSE.

    • Windows versions:
      Image of OS versions for Windows.

  5. Specify any patch exclusions. Type a keyword or phrase from the patch title in the Exclude field, and press Enter to add more. The Exclude field is not case-sensitive, so capitalization can be ignored.

    Use an exclusion to prevent patches that would otherwise meet the policy criteria from being included. For example, use a dynamic exclusion to exclude all Microsoft Office patches from a policy that updates Windows, or use a manual exclusion to exclude a single patch that causes problems in a custom application. Dynamic exclusions are set here or on the Edit Policy page. Set manual exclusions on the Patches list once the policy has been created.

    Exclusions remain in place until canceled. To remove an exclusion, clear its keywords on the Edit Policy screen or clear the Exclude box on the Patches list. Non-master operators can view exclusions, but cannot add to or modify them.

  6. Specify Auto-refresh behavior. Use the optional Auto-refresh feature to automatically include new patch content in your policy. To control update timing and frequency, set a refresh interval. Auto-refresh is disabled by default.

    • Frequency (daily, weekly, monthly), on a specific day (of week/month) at (hour).
    • Day After: use the optional Day After controls to schedule Auto-refresh updates relative to a monthly event, such as Patch Tuesday. The second Tuesday of the month often falls in the second week, but not always. (For example, in August of 2018, Patch Tuesday fell on the 14th.) Use the Day After options to coordinate refreshes with events whose dates change from month to month.
    • Time Zone: defaults to the time zone of the logged-in operator.
  7. Click Add to save policy settings and display the policy document.

    The Schedules and Patches tabs appear at the upper left, beneath the policy name. A policy summary appears on the right. Once established, policy schedules will display on the left. The Edit Policy and Delete Policy controls appear at the lower right.
  8. Click the Add Schedule button to set policy deployment timing, behavior, and targets. A policy can have multiple schedules, each with its own deployment options and targets. A policy without a schedule does not deploy.
    Scheduling adds predictability to patching and can help minimize errors. It also ensures that your environment meets company security policies in time for compliance audits. Some vendors follow a regular patch release schedule, which you can tailor your policy schedule to meet. You may want to roll out a policy in a test environment before deploying to production. Consider defining separate patch rollouts for Test, QA, and production stages, each with its own timing and duration.
    Note: Non-master operators need the Create/Edit Schedule and Delete Schedule permissions to add, edit, or delete a schedule. For more information on permissions, see The WebUI Permissions Service. Non-master operators also need write access to the site where the policy is stored to add, edit, or delete a schedule.
  9. Enter a name for the schedule and set the deployment interval.
    Image of the Add Schedule page.
    1. This event repeats (daily, weekly, monthly), on (day of week/month).
    2. Day after - Use the optional Day after controls to schedule patching relative to a monthly event, such as Patch Tuesday. The second Tuesday of the month often falls in the second week, but not always. (For example, in August of 2018, Patch Tuesday fell on the 14th.) Use the Day after options to coordinate patching with events whose dates change from month to month.
    3. At (Start time).
    4. Time Zone. Use Client time to initiate a process relative to its time zone, for example, to initiate patching in the overnight maintenance window where each endpoint resides. Use UTC time when you want all endpoints to act simultaneously across all time zones.
      • Client Time - the local time on each endpoint; the time on the device where the BigFix Agent is installed.
      • Universal Time - Coordinated Universal Time (UTC) is the global standard used to regulate clocks and time worldwide.
    5. Patching Duration (minutes, hours, or days, up to 30 days). The length of time the policy keeps trying to install patches on a target device that is not responding.
    6. Maintenance Window - The Maintenance Window dashboard lets you schedule maintenance activities run by BigFix and run patch policies within them. For detailed information, click the Maintenance Window icon to open the Maintenance Window dashboard.
  10. Set deployment and post-deployment behavior.
    • Pre-caching: To download required files before patching starts, set the pre-caching lead time in minutes, hours, or days, up to 5 days.
    • Stagger patching start time, for example, to reduce network load. Set an unlimited number of minutes or hours.
    • Bypass patch errors and continue patching. Patch policies are Multiple Action Groups (MAGs). MAGs run sequentially and stop on the first action that fails. Use the Bypass patch errors option to ignore failures and proceed to the next action. Use this option when the actions in a MAG do not depend on the actions that precede them. For more information about policies and Multiple Action Group (MAG) processing, see Monitoring Deployed Policies.
    • Retry up to n times (unlimited). If a patch fails to install on a device, for example, due to lack of space on the hard drive, set a retry value and the wait period between attempts.
      • Wait n (minutes, hours, up to 30 days) between attempts to install.
      • Wait until device has rebooted to install.
    • Force a Restart - Force a restart on completion. Notify device owners when a restart is required and give them the option to restart at a convenient time (within 1, 7, or 15 days). Use the default message or type in your own.
  11. Click OK to save the schedule and return to the policy document.
  12. The new schedule appears at the top of the list. Click Add Targets.
    Image of Target By Device list.
    Note: Non-master operators need the Add/Remove Your Own Targets permission to add or remove targets they created themselves, and the Remove Other Operator's Targets permission to delete targets created by other operators. Non-master operators can target only the permitted number of devices and cannot exceed that limit; if the limit is exceeded, the WebUI app displays an error message and the non-master operator cannot proceed. For more information on permissions, see The WebUI Permissions Service. Non-master operators need read access to the site where the policy is stored to add or remove targets.
  13. Select devices or computer groups from the Target By Device or Target By Group tabs. Note that you cannot target both devices and groups in a single schedule. A schedule without targets does not deploy. Use the Sort, Search, View, and filter controls to find targets quickly. Click anywhere in a card to select or deselect it. Click a device or group name to open its document. Use your browser’s Back button to return to the Patch Policy app.
  14. Click OK to save targets and return to the Policy document.
  15. To set a manual exclusion, click the Patches tab.
    1. Check the Exclude box next to patches you want to exclude. The Exclude button tallies your selections.
    2. Click the Exclude button.
  16. When you are ready, click Activate to activate the policy and commence patching. Activating a policy activates each of its schedules. Suspend an active policy at any time to halt patch deployment.
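As an added example (not BigFix's own code), the following Python models two rules from the steps above on constructed data: the inclusion-then-exclusion patch selection with case-insensitive keywords (steps 4 and 5), and the Patch Tuesday date arithmetic behind the Day After controls (steps 6 and 9). The Patch class, its field names and the sample titles are assumptions made for illustration.

```python
"""Added example (not BigFix code): models the patch-selection rules and the
Patch Tuesday 'Day after' arithmetic described on this page, on constructed data."""
from dataclasses import dataclass
from datetime import date, timedelta

@dataclass(frozen=True)
class Patch:  # constructed stand-in for a patch Fixlet; field names are assumptions
    title: str
    severity: str
    category: str
    os: str
    update_type: str

def select_patches(patches, severities, categories, os_name, update_types, exclusions):
    """Apply inclusion criteria (one or more values per column, exactly one OS),
    then dynamic exclusions (case-insensitive keyword match on the patch title)."""
    keywords = [k.lower() for k in exclusions]
    selected = []
    for p in patches:
        if p.os != os_name or p.severity not in severities:
            continue
        if p.category not in categories or p.update_type not in update_types:
            continue
        if any(k in p.title.lower() for k in keywords):
            continue  # excluded: keyword present regardless of capitalization
        selected.append(p)
    return selected

def patch_tuesday(year, month):
    """Second Tuesday of the month; it does not always fall in the second calendar week."""
    first = date(year, month, 1)
    days_to_tuesday = (1 - first.weekday()) % 7  # Monday is 0, Tuesday is 1
    return first + timedelta(days=days_to_tuesday + 7)

def day_after_patch_tuesday(year, month, days):
    """Date on which a 'Day after' schedule fires: `days` after that month's Patch Tuesday."""
    return patch_tuesday(year, month) + timedelta(days=days)

SAMPLE_PATCHES = [  # constructed sample; titles are illustrative, not real Fixlet names
    Patch("Cumulative Security Update for Windows 10", "Critical", "Security", "Windows", "OS Updates"),
    Patch("Security Update for Microsoft Office 2016", "Important", "Security", "Windows", "OS Application Updates"),
    Patch("Google Chrome Security Update", "Moderate", "Security", "Windows", "3rd Party Updates"),
    Patch("Kernel security update", "Critical", "Security", "Red Hat Enterprise Linux (RHEL)", "OS Updates"),
]
if __name__ == "__main__":
    picked = select_patches(SAMPLE_PATCHES, {"Critical", "Important", "Moderate"}, {"Security"}, "Windows",
                            {"OS Updates", "OS Application Updates", "3rd Party Updates"}, ["microsoft office"])
    print([p.title for p in picked])   # Office patch excluded, RHEL patch not matched by OS
    print(patch_tuesday(2018, 8), day_after_patch_tuesday(2018, 8, 3))  # 2018-08-14 2018-08-17
```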

To monitor policy-based patching activity, use the WebUI's Deployment views.