Patch Management How To's

How does Automated Patch Deployment work?

This article explains how automated patch deployment works and the levels of automation that you can achieve using Endpoint Central MSP.

Automated Patch Deployment Process

Endpoint Central MSP supports four levels of automation for patch deployment:

  • Scan the computers periodically to identify the missing patches.
  • Identify the missing patches and download the required patches from the vendor's website.
  • Download the required patches and draft a Patch Configuration.
  • Automatically download the required patches and install them onto the computers.

Each of the above can be specified for a specific set of computers. This means you can choose a different level of automation for each set of computers, as you need.

Depending on the level of automation, the following processes happen sequentially:

  • Scan the computers to identify the missing patches.
  • Download the required patches from the vendor's website.
  • Define a patch configuration.
  • Deploy the patches to the computers that are missing them.

Of the above, the patch scanning process takes an estimated (fixed) time of two hours from the time of commencement. During this two-hour period, you will see the deployment status as "Not Started". The two hours account for the agent contact interval of 90 minutes plus an additional scanning buffer of 30 minutes.

To understand the sequence of processes, assume that you have enabled complete automation (Automatically Download and Deploy the Missing Patches) for some 50 computers and have scheduled this task to run at 12.00 hrs every Monday. The sequence of operations for this case is given below:

  • 12.00 hrs - Scanning commences. The next operation starts only at 14.00 hrs, irrespective of the scan status.
  • 14.00 hrs - The local patch store is looked up against the details of the missing patches, and the patches that are not available in the local store are downloaded.
  • As soon as the patch download is completed, a patch configuration is drafted and the patches are deployed to the computers that are missing them. Patches are deployed only to the computers that require them, not to all 50 computers. However, the status of every patch is updated for all 50 computers.

Now, what happens when a task is still running but the schedule for the next task has arrived? The previous task is suspended and a new task is created. For example, assume that you have chosen to automatically download and deploy the patches and have scheduled the operation to run every day at 12.00 hrs.

On day 1, assume that some 10 patches are being deployed to some 50 computers. As per the schedule, scanning commences at 12 hrs and deployment to all 50 computers begins at 14 hrs. Assuming that 5 computers remained shut down on that day, the patch deployment status remains "In Progress", because the deployment has not completed on all 50 computers. On day 2 at 12 hrs, if the remaining computers are still shut down, the previous task is moved to the "Suspended" state and a new task is created, which deploys all the patches that are missing at the time of task creation. A task is moved to the "Executed" state only when deployment is complete on all of its target computers.
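The task lifecycle described above (fixed two-hour scan window, deployment only to computers that need patches, suspension when the next schedule arrives, "Executed" only once every target is done), modelled as a small Python simulation. This is an added illustration, not Endpoint Central MSP code; the computer names, patch ids and the `run_schedule` helper are constructed for the example.

```python
from dataclasses import dataclass, field

# Timing constants as stated in the article (minutes).
AGENT_CONTACT_MIN = 90                                  # agent contact interval
SCAN_BUFFER_MIN = 30                                    # additional scanning buffer
SCAN_WINDOW_MIN = AGENT_CONTACT_MIN + SCAN_BUFFER_MIN   # fixed two-hour scan window
DAY_MIN = 24 * 60

@dataclass
class Task:
    created_at: int                      # minutes since day 0, 00:00
    targets: dict                        # computer -> patches missing at scan time
    done: set = field(default_factory=set)
    state: str = "In Progress"

    def status_at(self, minute):
        """Console status as it reads at a given minute: 'Not Started' during the scan window."""
        if minute < self.created_at + SCAN_WINDOW_MIN:
            return "Not Started"
        return self.state

def run_schedule(schedule_min, days, missing, online):
    """Simulate a daily 'download and deploy' schedule (hypothetical helper).
    missing: computer -> set of patch ids still missing (mutated as patches install)
    online:  per-day sets of computers reachable once deployment begins"""
    tasks = []
    for day in range(days):
        now = day * DAY_MIN + schedule_min
        # The next schedule arriving while a task is still running suspends it.
        if tasks and tasks[-1].state == "In Progress":
            tasks[-1].state = "Suspended"
        # The new task targets only computers that currently require patches.
        task = Task(now, {c: set(p) for c, p in missing.items() if p})
        tasks.append(task)
        # Deployment begins at now + SCAN_WINDOW_MIN regardless of scan outcome;
        # only reachable targets actually receive their patches.
        for comp in task.targets:
            if comp in online[day]:
                missing[comp].clear()
                task.done.add(comp)
        if task.done == set(task.targets):
            task.state = "Executed"      # every target finished

    return tasks

def example():
    """The article's scenario: 10 patches, 50 computers, 5 shut down on days 1 and 2 (constructed)."""
    patches = {f"KB-{i}" for i in range(10)}
    missing = {f"pc{n:02d}": set(patches) for n in range(50)}
    offline = {f"pc{n:02d}" for n in range(45, 50)}
    online = [set(missing) - offline, set(missing) - offline, set(missing)]
    return run_schedule(12 * 60, 3, missing, online)
```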
