Security Controls

Details on the Product Level and Patch Deployment Process

You have the ability to use agents to deploy both product levels and patches. On an agent machine that is missing both product levels and patches, product levels are deployed first.

Product Level Deployment Process

If an agent machine is missing multiple product levels, only one product level will be installed at a time. The agent patch task will begin by initiating the download of the first product level. Operating system product levels are downloaded at a higher priority than product levels for other (non-operating-system) products. After the product level is successfully installed, the machine is restarted, rescanned, and the process is repeated until all product levels are deployed or until the daily limit is reached [see the Limit deployments (per day) option].

Limiting the Number of Product Levels That Can be Deployed in One Day

You can use the Limit deployments (per day) option to specify the maximum number of product levels that can be deployed to a machine in one day. Product levels can take a long time to deploy and almost always require a reboot of the machine, so you typically want to keep this number rather small. If you do not limit the number of product level deployments in a day, you run the risk of overwhelming a machine that is missing a large number of product levels. If a machine is missing more product levels than the specified limit, the additional product levels will be deployed the next time the patch task is run.

Note that a "day" in this case is considered to be a calendar date and not a 24-hour period. This means the day is reset at midnight. If you were to schedule the patch task to run on an hourly basis (not recommended), it would allow you to maximize an overnight maintenance window by deploying the maximum number of product levels before midnight and then again immediately after midnight.

Patch Deployment Process

Once the list of approved patches is determined, the patches are downloaded and installed according to their priority. Security patches are downloaded first, followed by all other patch types.

Product Level and Patch Download Process

Each agent patch task is allocated a two hour total maintenance window for downloading missing product levels and patches.

Product levels are allotted a 60 minute window to complete the download > install > restart > rescan process.

Patches are allotted a separate 60 minute window to download the missing patches.

Only those product levels and patches that are successfully downloaded during their respective 60 minute window will be installed by the active patch task. If the patch task cannot finish downloading all missing product levels during the first 60 minute window, the remaining product levels will be identified, downloaded, and installed the next time the patch task is run. Likewise, if the patch task cannot finish downloading all missing patches during its 60 minute window, the remaining patches will be identified, downloaded, and installed the next time the patch task is run.
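The following model of the product level selection described in the Product Level Deployment Process and Product Level and Patch Download Process sections above is an added example, not code from the product. It assumes a constructed list of missing product levels with made-up names and download times, treats the 60 minute window as a simple time budget, and shows how the calendar-date reset lets hourly runs on either side of midnight each deploy up to the daily limit.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta

# Constructed model of one agent patch task's product level handling as this page
# describes it: OS product levels first, one at a time, capped per calendar date,
# and only levels that fit in the 60 minute window are installed on this run.
@dataclass
class ProductLevel:
    name: str
    is_os: bool
    minutes: int   # assumed time for download > install > restart > rescan

@dataclass
class Agent:
    limit_per_day: int
    missing: list
    deployed: dict = field(default_factory=dict)  # calendar date -> names deployed

def run_patch_task(agent, now):
    """Run one agent patch task at `now`; return the product levels it deployed."""
    window = timedelta(minutes=60)
    today = now.date()                     # limit is keyed by calendar date, not 24h
    done_today = agent.deployed.setdefault(today, [])
    elapsed = timedelta(0)
    installed = []
    # OS product levels are taken ahead of product levels for other products
    for pl in sorted(agent.missing, key=lambda p: not p.is_os):
        if len(done_today) >= agent.limit_per_day:
            break                          # remainder waits for the next run
        elapsed += timedelta(minutes=pl.minutes)
        if elapsed > window:
            break                          # did not finish in the window: next run
        installed.append(pl.name)
        done_today.append(pl.name)
    agent.missing = [p for p in agent.missing if p.name not in installed]
    return installed

def overnight_demo():
    """Hourly runs straddling midnight with a limit of 2: four levels by 01:00."""
    agent = Agent(limit_per_day=2, missing=[          # constructed sample data
        ProductLevel("OS level A", True, 20),
        ProductLevel("App level C", False, 15),
        ProductLevel("OS level B", True, 25),
        ProductLevel("App level D", False, 10),
    ])
    log = {}
    for t in (datetime(2024, 1, 1, 23, 0), datetime(2024, 1, 2, 0, 0),
              datetime(2024, 1, 2, 1, 0)):
        log[t.isoformat()] = run_patch_task(agent, t)
    return log
```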

Background Downloads and Checkpoint/Restart

The downloads occur in the background using idle bandwidth not being used by other applications. Foreground tasks such as Web browsing are not affected by the product level and patch download process.

If an agent machine becomes disconnected from the network during a file download, the process will be suspended and will automatically resume where it left off when the network is available again. This technique is called checkpoint/restart and is extremely useful for machines that are frequently disconnected.
