Scheduling Software Updates to Run on Patch Tuesday

The software updates feature in Configuration Manager provides a set of tools and resources that help manage the complex task of tracking and applying software updates to computers in the enterprise. An effective software update management process is necessary to maintain operational efficiency, overcome security issues, and maintain the stability of the network infrastructure. Effective software update management requires constant attention.

Configuration Manager supports the configuration of automatic deployment rules (ADRs). When a rule runs, the software updates that meet its criteria (for example, all security software updates released in the last week) are added to a software update group, the content files for those updates are downloaded and copied to distribution points, and the updates are deployed to client computers in the target collection. If necessary, an ADR can be configured with the appropriate criteria but left to be run on demand rather than on a schedule. Figure 1 shows the high-level flow of an automatic deployment rule.

Figure 1: Automated Deployment Rule

ADR Configuration

Automated deployment rules can be configured to:

  • Not execute automatically;
  • Execute after Software Update Point synchronisation, or;
  • Execute on a schedule.

If configured to run on a schedule, the recurrence options are:

  • None;
  • Every 1 or more months on a specific day;
  • Every 1 or more months on the last day of the month;
  • Every 1 or more months on the first, second, third, fourth or last specific weekday of a month.

The Problem

A number of organisations like to schedule their patching cycle to align with Microsoft Patch Tuesday so that updates are deployed as quickly as possible after release and on a predictable cycle. In addition, some organisations like to schedule updates in advance to provide the business with predictable maintenance windows and schedules.

“Patch Tuesday” is the industry term for the second Tuesday of every month (US time), when Microsoft releases its monthly patches. Patches are usually released at 10am Los Angeles time, which is PST (UTC-8) in winter and PDT (UTC-7) in summer.

For organisations in a time zone whose weekday closely aligns with the USA, this is as simple as setting the recurrence pattern of the ADR to the second Tuesday of each month and creating deployments with deadlines based on the number of days since the rule was executed. For organisations in a time zone where the release lands on Wednesday local time, this presents a challenge. On the face of it, setting the recurrence pattern to the second Wednesday of each month would seem to solve the problem, but the second Wednesday of a month does not always follow the second Tuesday: when a month begins on a Wednesday, the second Wednesday is the 8th and the second Tuesday is the 14th, so the rule would run six days before the updates are released.

Given the release time, a time zone at UTC+7 sees the 10am PDT release at exactly midnight local time, so the release sits on the day boundary and it is impossible to tie the recurrence pattern to Patch Tuesday at all; other time zones ahead of the USA must still work out the most appropriate time of day to schedule the rule.

Table 1 shows, for each Patch Tuesday in 2016, when the 10am Los Angeles release lands in Brisbane (AEST, UTC+10, no daylight saving) and in Sydney (AEST in winter, AEDT, UTC+11, in summer). In every case the release arrives on the following Wednesday, local time. In 2016 US daylight saving ran from 13 March to 6 November and New South Wales daylight saving ended on 3 April and resumed on 2 October, so no 2016 Patch Tuesday (8 March, 12 April, 11 October, 8 November) fell on the far side of a changeover; in other years the March, April, October and November rows need to be re-checked against the actual dates.

Month   Los Angeles   Release (UTC)   Brisbane (AEST)   Sydney (AEST/AEDT)
Jan     PST           18:00 Tue       4am Wed           5am Wed (AEDT)
Feb     PST           18:00 Tue       4am Wed           5am Wed (AEDT)
Mar     PST           18:00 Tue       4am Wed           5am Wed (AEDT)
Apr     PDT           17:00 Tue       3am Wed           3am Wed (AEST)
May     PDT           17:00 Tue       3am Wed           3am Wed (AEST)
Jun     PDT           17:00 Tue       3am Wed           3am Wed (AEST)
Jul     PDT           17:00 Tue       3am Wed           3am Wed (AEST)
Aug     PDT           17:00 Tue       3am Wed           3am Wed (AEST)
Sep     PDT           17:00 Tue       3am Wed           3am Wed (AEST)
Oct     PDT           17:00 Tue       3am Wed           4am Wed (AEDT)
Nov     PST           18:00 Tue       4am Wed           5am Wed (AEDT)
Dec     PST           18:00 Tue       4am Wed           5am Wed (AEDT)

Table 1: Patch Tuesday release time by time zone in 2016
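The rows above can be generated rather than worked out by hand, and the same calculation shows for which months the "second Wednesday" recurrence would have fired on the wrong day. The following is an added example written for this page, not the author's TechNet Gallery script; it assumes a Windows host (the Windows time zone IDs 'Pacific Standard Time', 'E. Australia Standard Time' and 'AUS Eastern Standard Time' are used, so TimeZoneInfo resolves PST/PDT and AEST/AEDT for each date):

```powershell
# Added example (not the article's script): where 10am Pacific on the second Tuesday lands in
# other time zones, and whether scheduling on the "second Wednesday" would have matched.
# Assumption: Windows time zone IDs, so this needs Windows or .NET with the Windows zone data.
$script:Pacific = [System.TimeZoneInfo]::FindSystemTimeZoneById('Pacific Standard Time')

function Get-NthWeekdayOfMonth {
    # Date of the Nth given weekday in a month, e.g. second Tuesday (N = 2).
    param([int]$Year, [int]$Month, [System.DayOfWeek]$DayOfWeek, [int]$N)
    $first  = (Get-Date -Year $Year -Month $Month -Day 1).Date
    $offset = ((7 + [int]$DayOfWeek - [int]$first.DayOfWeek) % 7) + 7 * ($N - 1)
    $first.AddDays($offset)
}

function Get-PatchTuesdayReleaseUtc {
    # 10:00 on the second Tuesday, interpreted in Los Angeles time; TimeZoneInfo picks PST or
    # PDT for that specific date, so the UTC instant is right either side of the US changeover.
    param([int]$Year, [int]$Month)
    $day   = Get-NthWeekdayOfMonth -Year $Year -Month $Month -DayOfWeek Tuesday -N 2
    $ten   = [datetime]::SpecifyKind($day.AddHours(10), [System.DateTimeKind]::Unspecified)
    [System.TimeZoneInfo]::ConvertTimeToUtc($ten, $script:Pacific)
}

function Get-PatchTuesdayTable {
    param(
        [int]$Year,
        $Zones = [ordered]@{ Brisbane = 'E. Australia Standard Time'; Sydney = 'AUS Eastern Standard Time' }
    )
    $months = [System.Globalization.CultureInfo]::InvariantCulture.DateTimeFormat
    foreach ($m in 1..12) {
        $utc = Get-PatchTuesdayReleaseUtc -Year $Year -Month $m
        $laAbbrev = if ($script:Pacific.IsDaylightSavingTime($utc)) { 'PDT' } else { 'PST' }
        $row = [ordered]@{
            Month      = $months.GetAbbreviatedMonthName($m)
            LosAngeles = $laAbbrev
            ReleaseUtc = $utc.ToString('yyyy-MM-dd HH:mm')
        }
        $secondWed = Get-NthWeekdayOfMonth -Year $Year -Month $m -DayOfWeek Wednesday -N 2
        foreach ($entry in $Zones.GetEnumerator()) {
            $tz    = [System.TimeZoneInfo]::FindSystemTimeZoneById($entry.Value)
            $local = [System.TimeZoneInfo]::ConvertTimeFromUtc($utc, $tz)
            $row[$entry.Key] = $local.ToString('ddd HH:mm')
            # True only when the local release date really is the month's second Wednesday.
            $row["$($entry.Key) on 2nd Wed"] = ($local.Date -eq $secondWed)
        }
        [pscustomobject]$row
    }
}

Get-PatchTuesdayTable -Year 2016 | Format-Table -AutoSize
```

For 2016 the Brisbane and Sydney columns reproduce Table 1, and the "on 2nd Wed" columns are false for June only, the one month of 2016 that began on a Wednesday (second Wednesday 8 June, second Tuesday 14 June). Run it for another year, or add a zone such as 'SE Asia Standard Time' (UTC+7, where the PDT release lands at exactly midnight), to see how the pattern shifts.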

The Solution

The potential solutions for this are:

  • Manually execute the ADR each month on the appropriate day;
  • Run the ADR on an arbitrary date that is always after the second Tuesday of each month based on USA time and use manually updated maintenance windows to control update installation over the year;
  • Schedule a script to detect patch Tuesday and execute the ADR.

Using a script is the only method that allows complete automation with a consistent deployment cadence tied to the patch cycle and to particular days of the week. An added benefit of using a script is the ability to bolt on extra automation, such as sending a summary email.

I've written a sample script that provides this functionality. The script is designed to run daily; it converts the local time on the server to Pacific time (PST or PDT as applicable) and, if that day is Patch Tuesday, it executes the following steps:

  • Check whether a WSUS sync has completed since the Patch Tuesday release;
    • If not, execute and monitor a WSUS sync;
  • Execute the defined automatic deployment rule and monitor its execution;
  • Modify the name of the ADR;
  • Modify and generate new deployments for each deployment group (based on the CSV);
  • Send an email with the schedule and update details.
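The shape of such a daily task, as an added example written for this page rather than the author's TechNet Gallery script: it acts only inside the 24 hours after the 10am Pacific release of the current month's Patch Tuesday (so the server's own time zone and daylight saving do not matter), checks and if necessary triggers a software update point sync, runs the ADR, and mails a summary. The site code, site server, ADR name and mail settings are placeholder assumptions; sync progress is read from the SMS_SUPSyncStatus WMI class and ADR progress from the LastRunTime and LastErrorCode properties returned by Get-CMSoftwareUpdateAutoDeploymentRule. Renaming the ADR and generating the per-collection deployments from the CSV are specific to the author's script and are not reproduced here.

```powershell
# Added example (not the article's TechNet Gallery script). Schedule it to run once a day at
# any convenient local time; it does work only in the 24 hours after the Pacific-time release.
# Placeholders: site code, site server, ADR name and mail settings are assumptions.
param(
    [string]$SiteCode   = 'PS1',
    [string]$SiteServer = 'cm01.corp.example',
    [string]$AdrName    = 'Security Updates - Monthly',
    [string]$MailTo     = 'sccm-admins@corp.example',
    [string]$SmtpServer = 'smtp.corp.example'
)

$Pacific = [System.TimeZoneInfo]::FindSystemTimeZoneById('Pacific Standard Time')

function Get-PatchTuesdayReleaseUtc {
    # 10:00 Los Angeles time on the second Tuesday of whatever month it currently is in
    # Los Angeles (an Australian Wednesday the 1st is still the previous month there).
    param([datetime]$NowUtc)
    $p     = [System.TimeZoneInfo]::ConvertTimeFromUtc($NowUtc, $Pacific)
    $first = (Get-Date -Year $p.Year -Month $p.Month -Day 1).Date
    $tue2  = $first.AddDays(((7 + [int][System.DayOfWeek]::Tuesday - [int]$first.DayOfWeek) % 7) + 7)
    $ten   = [datetime]::SpecifyKind($tue2.AddHours(10), [System.DateTimeKind]::Unspecified)
    [System.TimeZoneInfo]::ConvertTimeToUtc($ten, $Pacific)   # PST or PDT resolved for that date
}

function Test-PatchTuesdayWindow {
    # One 24-hour window starting at the release, so a task that runs daily hits it exactly once.
    param([datetime]$NowUtc)
    $release = Get-PatchTuesdayReleaseUtc -NowUtc $NowUtc
    ($NowUtc -ge $release) -and ($NowUtc -lt $release.AddHours(24))
}

function Get-LastSuccessfulSyncUtc {
    # SMS_SUPSyncStatus has one row per software update point; take the most recent success.
    $rows = Get-CimInstance -ComputerName $SiteServer -Namespace "root\SMS\site_$SiteCode" -ClassName SMS_SUPSyncStatus
    $last = ($rows | Where-Object LastSuccessfulSyncTime |
             Sort-Object LastSuccessfulSyncTime -Descending | Select-Object -First 1).LastSuccessfulSyncTime
    if ($last) { $last.ToUniversalTime() }
}

$nowUtc = (Get-Date).ToUniversalTime()
if (-not (Test-PatchTuesdayWindow -NowUtc $nowUtc)) {
    Write-Verbose 'Outside the Patch Tuesday window (Pacific time); nothing to do.'
    return
}
$releaseUtc = Get-PatchTuesdayReleaseUtc -NowUtc $nowUtc

Import-Module (Join-Path (Split-Path $env:SMS_ADMIN_UI_PATH -Parent) 'ConfigurationManager.psd1')
Set-Location "$($SiteCode):"

# Step 1: has the software update point synchronised since the release? If not, start a delta
# sync and poll until the last successful sync time moves past the release (2 hour limit).
$lastSyncUtc = Get-LastSuccessfulSyncUtc
if (-not $lastSyncUtc -or $lastSyncUtc -lt $releaseUtc) {
    Sync-CMSoftwareUpdate -FullSync $false
    $giveUp = (Get-Date).AddHours(2)
    do {
        Start-Sleep -Seconds 60
        $lastSyncUtc = Get-LastSuccessfulSyncUtc
    } until (($lastSyncUtc -and $lastSyncUtc -ge $releaseUtc) -or (Get-Date) -gt $giveUp)
    if (-not $lastSyncUtc -or $lastSyncUtc -lt $releaseUtc) { throw 'Software update point sync did not complete' }
}

# Step 2: run the ADR and wait for its LastRunTime to move past the moment it was triggered.
$triggered = Get-Date
Invoke-CMSoftwareUpdateAutoDeploymentRule -Name $AdrName
do {
    Start-Sleep -Seconds 30
    $adr = Get-CMSoftwareUpdateAutoDeploymentRule -Name $AdrName
} until ($adr.LastRunTime -ge $triggered -or (Get-Date) -gt $triggered.AddHours(1))
if ($adr.LastRunTime -lt $triggered) { throw "ADR '$AdrName' did not finish within an hour" }
if ($adr.LastErrorCode -ne 0) { throw "ADR '$AdrName' reported error $($adr.LastErrorCode)" }

# Step 3: summary mail (the article's script also renames the ADR and builds deployments
# from a CSV; that part is not reproduced here).
Send-MailMessage -To $MailTo -From "configmgr@$SiteServer" -SmtpServer $SmtpServer `
    -Subject "Patch Tuesday $($releaseUtc.ToString('yyyy-MM-dd')): ADR '$AdrName' completed" `
    -Body ("Release (UTC): {0}`nLast SUP sync (UTC): {1}`nADR last run: {2}" -f $releaseUtc, $lastSyncUtc, $adr.LastRunTime)
```

Because the window is anchored to the UTC instant of the release rather than to a local weekday, the same task works unchanged in Brisbane, Sydney or a UTC+7 zone where the release falls exactly at midnight. The one-hour ADR wait and two-hour sync wait are arbitrary limits; size them to your own environment.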

An example of the generated email message is displayed in Figure 2. The schedule section links to the “Software Updates Deployment – Deployment States” report for the collection listed and the relevant software update deployment.

Figure 2: Software Updates Email

Download

For more information about the script and how to set it up, head over to TechNet Gallery.