Patching Strategies are the central management objects in OneSite Patch because they group the details that define how, when, and where to patch third-party products. OneSite Patch includes prepopulated templates that address most patching scenarios. You can save these templates using your own titles and descriptions, and then customize them to your environment.
Each Patching Strategy uses building blocks that can include Schedules, Notifications (Chains), Deployment Channels, and Bots to define a given patching scenario. At minimum, a Patching Strategy must include a Patching Process and a Deployment Bot.
Functionally, a Patching Strategy performs the following:
Automated handling of new patches
Automatically discovers new patches and uses the Deployment Bot to match new patches to the Patching Strategy. The Patching Process queues patches for processing and, according to the set schedule, activates patch deployment in groups to minimize the impact on endpoints and end users.
Customized targeting of patches
Administrators can target specific products and high-profile patches that trigger a Deployment Bot based on individual products. Targeting is particularly useful when you first install OneSite Patch, have a considerable number of products that require patching, and you prefer to review the progress of patching before fully automating the process.
Reuse Intent Schema Objects
All objects in OneSite Patch are interoperable and designed for use in any Patching Strategy. Create a patching process, schedule, notification or approval chain, or deployment process once, and then use them in various Patching Strategies depending on your needs.
OneSite Patch Patching Strategy templates cater to four specific use cases: Approval Types, Rollout Scheduling, User Interaction Settings, and Rollout Phasing. When deciding which Patching Strategy to choose, consider the following example to understand naming:
By offering various combinations of these parameters, the templates are a versatile framework that can accommodate a wide range of patching scenarios.
Minimal customization includes adding the products to patch and a schedule. This flexibility allows for efficient patch management without the need for extensive customization or the creation of new strategies.
- Approval Type: Level of approval needed prior to deployment:
  - No Approval: Deploys at once.
  - Initial Approval: Requires approval prior to deploying.
  - Phased Approval: Requires approval between each wave in the Deployment Waves object.
- Rollout Scheduling: Defines the schedule and impact of a deployment.
  - Immediate: All product patches deploy at once.
  - RiskBased: Targeted and controlled deployment based on specific risk levels (low, medium, high, critical). Schedule and run patch deployments based on risk levels. Uses Deployment Channels.
- User Interaction: Defines permitted user actions related to the patch installation.
  - Mandatory: Alerts the end user, who can postpone depending on User Interaction Settings but cannot decline. All product patches deploy at once.
  - Options: Alerts the end user. Otherwise, functionality not available in this release.
- Rollout Phasing: Deploys in separate phases to allow a review before continuing.
Effective management and deployment of software patches is crucial for maintaining the security and stability of an IT infrastructure. The included Patching Strategies address various deployment scenarios and considerations.
Recommended Use
You can choose a Patching Strategy template, save it under a descriptive local naming convention, and then customize it as needed. OneSite Patching Strategy templates reference objects that include the minimum requirements for a successful patching strategy: Deployment Wave, Deployment Bot, and Patching Process.
Adaptiva recommends creating a folder to hold all new or customized strategies. This separates them from the strategies provided by Adaptiva (see Create a New Folder for Objects).
These built-in strategies are often enough to get an organization started with a patch deployment scenario. To build a Patching Strategy using an Adaptiva template, see Creating a Patching Strategy.
Each of these strategies requires an approval step before deploying updates. Except for Risk Based Mandatory Deployment, the Patching Process within these strategies manages the deployment process exclusively and does not use Deployment Channels.
Similarly, the Deployment Bot does not apply any filtering mechanism, so the Patching Process manages all updates related to the products included in the non-risk strategies.
-
Initial Approval - Immediate Mandatory Deployment
Approval required prior to deployment, then deploys at once with no user interaction.
-
Initial Approval - Immediate Mandatory Phased Deployment
Approval required prior to deployment, then deploys at once in a phased manner, rolling out to each wave of business units sequentially with no user interaction control.
-
Initial Approval - Immediate Optional Deployment
Approval required prior to deployment, then deploys at once in a phased manner, rolling out to each wave of business units sequentially. User interaction allowed.
-
Initial Approval - Risk-Based Mandatory Deployment
Approval required prior to deployment, and then deploys at once to all devices in the targeted business units based on the patch risk levels.
Uses both Deployment Waves and Deployment Channels. Higher-risk updates have priority in high-frequency Deployment Channels. Lower-risk updates belong to lower-frequency Channels.
Also uses Deployment Bot to filter patches based on risk level, and then sends the final wave to the proper Deployment Channels.
Ensures processing and deployment of the final wave through the most suitable Deployment Channel and adds a layer of control and customization to the deployment process.
Each of these strategies requires no approval before deploying updates. Except for Risk Based Mandatory Deployment, the Patching Process within these strategies manages the deployment process exclusively and does not use Deployment Channels.
Additionally, the Deployment Bot does not apply any filtering mechanism, so the Patching Process manages all updates related to the products included in the non-risk strategies.
-
No Approval - Immediate Mandatory Deployment
No approval needed prior to deployment. Deploys at once with no user interaction.
-
No Approval - Immediate Mandatory Phased Deployment
No approval needed prior to deployment. Deploys at once in a phased manner, rolling out to each wave of Business Units sequentially. No user interaction.
-
No Approval - Immediate Optional Deployment
No approval needed prior to deployment. Deploys at once to all devices in the targeted business unit. User interaction allowed.
-
No Approval - Risk-Based Mandatory Deployment
No approval needed prior to deployment. Deploys at once to all devices in the targeted business units based on the patch risk levels. No user interaction.
Uses both Deployment Waves and Deployment Channels. Higher-risk updates have priority in high-frequency Deployment Channels. Lower-risk updates belong to lower-frequency Channels.
Also uses Deployment Bot to filter patches based on risk level, and then sends the final wave to the proper Deployment Channels.
Ensures processing and deployment of the final wave through the most suitable Deployment Channel and adds a layer of control and customization to the deployment process.
Each of these strategies requires phased approvals before deploying updates. Except for Risk Based Mandatory Deployment, the Patching Process within these strategies manages the deployment process exclusively without using Deployment Channels.
Similarly, the Deployment Bot does not apply any filtering mechanism, so the Patching Process manages all updates related to the products included in the non-risk strategies.
-
Phase Approval - Immediate Mandatory Phased Deployment
Approval required between each wave of the deployment, and then deploys the updates in a phased manner, rolling out to each wave of business units sequentially. No user interaction.
-
Phase Approval - Risk-Based Mandatory Deployment
Approval step required between each wave of the deployment, and then deploys the updates at once to all devices in the targeted business units based on risk levels. No user interaction.
A Patching Strategy template contains specific fields that you can configure to make a unique Patching Strategy for your environment. Adaptiva recommends opening an existing strategy that contains most of the configuration items you want, and then saving it with a new name and description. The configuration options are the same whether you create a new strategy or modify an existing strategy.
-
Follow the instructions in Create a New Folder for Objects.
-
Hover over or click Strategy in the left navigation menu of the Adaptiva OneSite Patch Dashboard, and then select Patching Strategies.
-
Select Show All to see all available Patching Strategies. This populates the Patching Strategies table with the available templates.
For descriptions of each template type, see Patching Strategy Templates.
-
Enter the Name of an existing strategy on the Search bar, and then click Search.
-
Select the Name of the strategy to open it.
-
Select More in the upper left corner of the template, and then select Save Patching Strategy As:
-
Enter a unique name that reflects what the strategy does conceptually. For example, ITS Immediate Daily Product Patching.
-
Select OK. This opens your strategy template with all the default entries for the built-in strategy, including a detailed description.
-
Enter a detailed Description of your new template or keep the existing detail, and then click Save on the upper-left corner of the dialog.
-
Tip
Remember to click Save on the upper left corner to save your progress. After completing the Patching Strategy configuration, you must save and enable the completed strategy to make it available for use.
-
Scroll to the Products workspace in an open Patching Strategy template:
-
To include all products (not recommended), click the Include All Products toggle to enable it.
Caution
Adaptiva recommends including only the specific products used in your environment. Including all products means using the entire OneSite library of products.
-
To include specific products (recommended), click Add Software Products.
-
-
Select + Add Software Products.
-
Select the Down Arrow next to Search Columns and select the search information type that identifies the product you want to include.
-
Enter the product information on the search line, and then click Search.
-
Select the box next to the product you want to add. You may search for and include as many products as you need for this strategy, and then click Add Software Products at the bottom left of the dialog.
-
Select Add Software Products on the bottom left of the dialog to save your additions.
Deployment settings in a Patching Strategy include selecting a Deployment Wave, creating Deployment Bot Runtime configurations, and choosing whether to present each patch to the first matching Deployment Bot only (defaults to enabled). When customizing an existing Patching Strategy (recommended), settings may include tables with configuration selections other than the default.
Begin by adding a Deployment Wave.
-
Select Browse next to Add Deployment Wave in the Deployment Settings workspace of an open Patching Strategy template.
This opens the Add Deployment Wave dialog.
-
Select a Deployment Wave from the list. Adaptiva provides a Single Wave-All Clients Deployment Wave, which includes a Business Unit called All Clients Business Unit.
-
Select Add Deployment Wave on the bottom left of the dialog. This returns you to the Patching Strategy template.
In Patching Strategy templates, the Create Deployment Bot Runtime dialog provides a single location to add processes to your Patching Strategy. Use these settings for more advanced operations. For example, when you have multiple Business Units that require the same Patch Deployment Bot but use a different Patching Process and schedule, you can create multiple Deployment Bot Runtime combinations to patch according to different requirements.
See also:
Bots – Patch Deployment and Notification Bots
Deployment Channels and Deployment Channel Processes
Business Units and Rollout Processes
After adding a Deployment Wave to the Patching Strategy Deployment Settings, you can configure Deployment Bot Runtime scenarios. These configuration options allow you to create scenarios that use the same Deployment Bot with different Patching Processes (schedules) for the same or different Business Units. Follow these procedures for each Deployment Bot Runtime you need to create. If you need to create a Deployment Bot, see Creating Deployment Bots.
-
Select + Create Deployment Bot Runtime from the Deployment Settings workspace of an open Patching Strategy template.
This opens the Create Deployment Bot Runtime dialog:
-
Begin by adding a Patch Deployment Bot.
-
Add a Deployment Wave in the Deployment Settings workspace of an open Patching Strategy template. This enables .
-
Select +Create Deployment Bot Runtime to open the configuration dialog.
-
Select Show All to see the available templates or click Filtered by: in the Bots list to see only the templates associated with that filter.
Important
A Patching Strategy presents each applicable patch sequentially to each Deployment Bot in the Runtime, from top to bottom. Be sure to organize the Deployment Bots in the Runtime from most important to least. You can enable or disable whether the Patching Strategy stops presenting patches to later Deployment Bots after discovering a match.
-
Select the template you want to use. For example, in Filtered by: Known Exploit, select Mandatory Install (Known Exploit Exists).
-
Select Add Patch Deployment Bot on the bottom left of the dialog.
-
Select Browse next to Add Patching Process in the Create Deployment Runtime dialog.
-
Select Show All to see the available processes.
-
Select the process you want to use. For example, select Immediate Phased Deployment – Initial Patch Manager Approval.
-
Select Add Patching Process on the bottom left of the dialog.
Important
The Business Units you add here must be the same Business Units included in the Patching Strategy Deployment Wave. If you select other Business Units here or select All Business Units, the Patching Strategy will take no action on those that do not match the Deployment Wave settings.
-
Decide whether to include all Business Units in this Deployment Bot Runtime, or to add specific Business Units:
To include all Business Units, click the Include All Business Units toggle to enable running this configuration on all Business Units, and then skip to step 3.
-
To choose specific Business Units to use this Runtime, click + Add Business Units, and then continue with the next step.
-
-
Select one or more Business Units to add to this Runtime. For example, to use this Runtime on all Windows 11 systems using a Wi-Fi connection, select Operating System – Windows 11 and Office Type – WiFi.
-
Select Add Business Units on the bottom left of the dialog to view the completed Runtime Bot.
-
Select Create Deployment Bot Runtime on the bottom-left corner of the dialog to return to the Patching Strategy.
-
Return to Create one or more Deployment Bot Runtime Scenarios to add more Deployment Bot/Patching Process pairs to this Patching Strategy.
After creating a Deployment Bot Runtime, set the runtime schedule for each Patching Process.
-
Select the ellipsis (…) under Actions in the Patching Process Settings table of an open Patching Strategy template, and then select Edit Process Setting.
-
Select + Add Schedules.
-
Select the Schedules you want to use for the Process Setting. All Deployment Bot Runtime pairs that use the same Patching Process in this Patching Strategy will run on the schedules you choose.
-
Select Add Schedules, and then click OK to return to the Patching Strategy workspace.
This toggle switch enables or disables whether the Patching Strategy stops presenting patches to Deployment Bots as soon as it discovers the first matching Deployment Bot. If you choose to enable this behavior, be sure to order the Bots in your Deployment Bot Runtime from most important to least.
-
Scroll down to the bottom of the Deployment Settings workspace of an open Patching Strategy.
-
Select the Present each Patch only... toggle to enable or disable (default) whether the Patching Strategy stops presenting patches to later Bots after discovery of a matching Bot.
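The top-to-bottom presentation order, the first-match toggle, and the rule that Business Units outside the Deployment Wave get no action can be checked on paper before enabling a strategy. The following Python model is an added example, not Adaptiva code and not a OneSite Patch API. The `Patch`, `Runtime`, `plan` and `audit` names, the catch-all Bot, the process names and the sample patches are constructed for illustration, and the model assumes a Bot still counts as matched when none of its Business Units are in the Deployment Wave.

```python
"""Illustrative model of Deployment Bot Runtime ordering (not Adaptiva code)."""
from dataclasses import dataclass
from typing import Callable, FrozenSet, List, Tuple


@dataclass(frozen=True)
class Patch:
    name: str
    known_exploit: bool


@dataclass(frozen=True)
class Runtime:
    bot: str                          # Deployment Bot name
    matches: Callable[[Patch], bool]  # the Bot's filter, modelled as a predicate
    process: str                      # Patching Process paired with the Bot
    units: FrozenSet[str]             # Business Units selected in this Runtime


def plan(patch: Patch, runtimes: List[Runtime], wave_units: FrozenSet[str],
         first_match_only: bool) -> List[Tuple[str, str, List[str]]]:
    """Present the patch to each Runtime top to bottom; return the hits."""
    hits = []
    for rt in runtimes:
        if not rt.matches(patch):
            continue
        # Business Units that are not in the Deployment Wave get no action.
        hits.append((rt.bot, rt.process, sorted(rt.units & wave_units)))
        if first_match_only:  # assumption: a match ends the walk
            break
    return hits


def audit(patches: List[Patch], runtimes: List[Runtime],
          wave_units: FrozenSet[str], first_match_only: bool) -> List[str]:
    """List ignored Business Units and Bots hidden behind an earlier match."""
    findings = []
    for rt in runtimes:
        ignored = sorted(rt.units - wave_units)
        if ignored:
            findings.append(
                f"{rt.bot}: no action on {ignored} (not in Deployment Wave)")
    if first_match_only:
        for p in patches:
            matching = [rt.bot for rt in runtimes if rt.matches(p)]
            for shadowed in matching[1:]:
                findings.append(
                    f"{p.name}: '{shadowed}' is never reached; "
                    f"'{matching[0]}' matched first")
    return findings


# Constructed sample data. The Business Unit names and the Known Exploit Bot
# name appear on this page; everything else is hypothetical.
WIN11 = "Operating System – Windows 11"
WIFI = "Office Type – WiFi"
WAVE = frozenset({WIN11})

CATCH_ALL = Runtime("All Patches (constructed)", lambda p: True,
                    "Weekly Process (constructed)", frozenset({WIN11, WIFI}))
EXPLOIT = Runtime("Mandatory Install (Known Exploit Exists)",
                  lambda p: p.known_exploit,
                  "Immediate Process (constructed)", frozenset({WIN11}))
PATCHES = [Patch("browser-update (constructed)", True),
           Patch("editor-update (constructed)", False)]


if __name__ == "__main__":
    for label, order in (("catch-all first", [CATCH_ALL, EXPLOIT]),
                         ("exploit bot first", [EXPLOIT, CATCH_ALL])):
        print(label, "->", plan(PATCHES[0], order, WAVE, first_match_only=True))
    for line in audit(PATCHES, [CATCH_ALL, EXPLOIT], WAVE, first_match_only=True):
        print("finding:", line)
```

With the catch-all Bot listed first and first-match enabled, the known-exploit patch is handled by the weekly process and never reaches the mandatory-install Bot; reversing the order sends it to the immediate process.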
-
Select Approval Chains to open the Approval Chains workspace in an open Patching Strategy template.
-
Select Browse next to the type of Approval chain you want to add (Product Owner, Patch Management, Security, and so on).
-
Select an Approval Chain from the Approval Chains table. This example uses an All Admins Approval Chain.
-
Select Add Approval Chain to return to the Patching Strategy template.
-
Repeat Steps 2 through 5 for each of the groups listed in the Approval Chains workspace:
-
Skip any groups that do not apply to your situation.
-
When each group from which you need an approval contains an approval chain, continue with the next step.
-
-
Select Save at the upper left to save your progress:
Patching Strategy, Deployment Channel, and Business Unit objects include a Notifications dialog where you can configure notification details. The configuration choices differ slightly for each object.
Important
This configuration requires selecting a specific type of Notification Cycle template. Contact Adaptiva Customer Support for assistance with this configuration and for information about choosing the correct template.
Notification Chain settings exist in the object templates for Patching Strategies, Deployment Channels, and Business Units.
-
Expand the Notifications box in an open object template to show the available configuration options.
-
Select Browse next to Notification Chain. This opens the Notifications Chain dialog.
-
Select Show All to see the available templates.
-
Select a Notification Chain from the table. To edit or create Notification Chains, see .
-
Continue editing the Notification settings or click to return to the template.
Both Patching Strategies and Deployment Channel templates have an option to Add Patch Notification Bots.
-
Select + Add Patch Notification Bots from the Notifications box in the object template.
This opens the Add Patch Notification Bots dialog.
-
Select Show All to list all available Patch Notification Bots or click any Filtered by: folder to see the Bots associated with that filter.
-
Choose one or more Notification Bots to set requirements for this template. To create more Notification Bots, see Creating Notification Bots.
-
Select Add Patch Notification Bots on the bottom left of the dialog to return to the starting template settings for Notifications.
These values must match the corresponding values defined in the Notification Bots. Otherwise, the Notification Cycle does not send a notification.
Execution Schedules control when and how often a Notification Cycle sends notifications. Choose schedules based on when and how often receiving parties require notification.
-
Select + Create Notification Setting from the Notifications workspace of an object template.
-
Select +Add Schedules to display the Create Notification Setting dialog.
-
Select one or more Schedule Names from the Add Schedules table, and then click Add Schedules on the lower-left corner of the dialog.
-
Continue editing the notification settings or click
to return to the template.
When enabled, sends notifications to the Roles shown in the Notification Chain associated with the Patching Strategy or Deployment Channel template. Defaults to disabled.
-
In the + Create Notification Setting dialog in the Patching Strategy or Deployment Channel template, decide whether to enable notifications:
-
Select the Notify Patching Strategy Chains toggle to enable or disable (default) whether the notification cycle sends notifications to the chains included in the strategy.
-
Select the Notify Business Unit Chains toggle to enable or disable (default) whether the notification cycle sends notifications to Business Unit chains included in the strategy.
-
-
Continue editing the Notifications settings or click to return to the template.
This setting names the Notification Cycle that processes the Notifications for the Patching Strategy or Deployment Channel. Notification Cycle workflows are customized for specific uses. Adaptiva does not provide sample Notification Cycle templates. These templates exist only if you create them for your environment.
Important
Contact Adaptiva Customer Support for assistance with Notification Cycle templates.
-
Select + Create Notification Setting from the Notifications box in the object template.
This opens the Create Notification Setting dialog.
-
Select Browse on the Add Workflow line. This opens the list of available workflows in OneSite.
-
Select your custom workflow from the list, and then click Add Workflow on the lower-left corner of the dialog.
-
Continue editing the Notification settings or click to return to the template.
Specifies the maximum length of time that the Notification Cycle Workflow runs before timing out. If set to all zeros (default) the workflow may run indefinitely. Choose this setting with care. If the notification times out before sending all notifications, the next cycle triggers the notifications again.
-
Select + Create Notification Setting from the Notifications box of the object template.
-
Next to Time Limit, set the Hours, Minutes, or Seconds that the Notification Cycle will run, or leave the setting default at 0 for each item to allow the workflow to run indefinitely.
-
Continue editing the Notification settings or click to return to the template.
Customer Extension Data is an advanced feature of OneSite Patch. The Customer Extension Data fields allow advanced users to specify different key/value pairs for use in customized Patching Strategies, Deployment Chains, or Business Units when necessary to achieve different results.
Customer Extension Data fields relate directly to fields in a customized template. If you do not have customized templates with key/value pairs you can modify, you do not need to configure or use this feature.
If you want to create customized templates that use key/value pairs for some settings, contact Adaptiva Customer Support.
The Content Prestaging feature enables OneSite Patch to provide deployment content to devices ahead of the scheduled deployment, either pushing content to a location or allowing a client to pull content. Prestaging content makes the content available on the device locally when the deployment time arrives. This reduces the deployment time and minimizes the chances of missing service windows or having devices going offline before a content download finishes.
You can create Content Prestaging Settings within the Patching Strategy, Business Unit, or Deployment Channel templates.
The templates for Patching Strategies, Deployment Channels, and Business Units include the choice to set Content Prestaging settings. Settings default to Not Enabled.
Content Prestaging settings include two options:
-
Server Content Push (Recommended) – The Adaptiva Server pushes the content to the best-suited sources in all locations that require the content. Adaptiva recommends this type of prestaging when the Deployment Strategy targets only a subset of devices. High-availability machines receive the content and function as local sources during discovery and deployment.
-
Client Content Pull – This option enables any client that requires the content to download and cache it before deployment. Suitable when a Deployment Strategy targets all clients that need the updated content.
Push Content
-
Not Enabled -- Disables any prestaging as part of the Patching Process workflow or Patching Strategy.
-
Handled by System – The OneSite Patch system handles the prestaging automatically and pushes content to three automatically chosen devices within the office that require the content.
This push occurs at once when the metadata updates include the latest content that meets patching requirements.
-
Handled by Workflow – When enabled as part of a Patching Process, Deployment Channel, or Business Unit template, pushes the content upon deployment of the Patching Process.
Pull Content
-
Not Enabled -- Disables any prestaging as part of the Patching Process workflow or Patching Strategy.
-
Handled by System – The OneSite Patch system handles the prestaging automatically. The Client pulls content from the Server and instructs all Clients that require the content to download and cache it ahead of any deployment.
-
Handled by Workflow – When enabled as part of a Patching Process, Deployment Channel, or Business Unit template, the Client pulls the content upon deployment.
Use this procedure to add or change Content Prestaging Settings in Patching Strategy, Business Unit, or Deployment Channel templates.
-
Expand the Notifications box in an open object template, and then scroll down to the Content Prestaging Settings.
-
Expand the Content Prestaging Settings box to view the available settings.
Client Content Pull defaults to Not Enabled. To enable pull settings, complete the following steps in the Content Prestaging Settings of a Patching Strategy, Business Unit, or Deployment Channel template:
-
Select the arrow to the right of Client Content Pull to expand the menu of available options.
-
Select the option you need for the object template you are using. For definitions of push options, see Defining Content Prestaging Settings.
-
Select Save on the upper left to save your changes:
Server Content Push defaults to Not Enabled. To enable push settings, complete the following steps in the Content Prestaging Settings of a Patching Strategy, Business Unit, or Deployment Channel template:
-
Select the arrow to the right of Server Content Push to expand the menu of available options.
-
Select the option you need for the object template you are using. For definitions of push options, see Defining Content Prestaging Settings.
-
Select Save on the upper left to save your changes:
Business Unit Addition Settings do not have a separate menu item. Configure these settings from the Business Unit Addition Settings dialog in a Patching Strategies template.
When you have added a new Business Unit to an enabled Patching Strategy, which has already completed a current patching cycle, you must use the Business Unit Addition Settings to add the Business Unit. This ensures that the new Business Unit receives the current updates the next time the strategy runs. Adding new Business Units using these dialogs ensures that the Business Units inherit the Patches and Patch Approval Settings set up in the original template.
Adding Business Units and associated Patching Processes separately means the new Business Units inherit Patches and Patch Approval Settings from the overall schema, but the associated Patching Process manages the customized deployment process for the new Business Units.
The Business Unit you specify here includes the patch approvals the Patching Strategy will use for any Business Units you add to the Strategy after the Strategy has run.
The Patching Process you select here is the same process you identified in the Deployment Bot Runtime configuration of the Patching Strategy.
-
Select Strategy > Patching Strategies from the left navigation menu of the OneSite Patch Dashboard.
-
Scroll down to Business Unit Addition Settings and then click the right arrow to expand the box.
Specify the parent Business Unit of this strategy so that when new Business Units become part of the strategy after its initial creation, those Business Units inherit settings from the same parent.
-
Select Browse next to Template Business Unit in the Business Unit Addition Settings dialog of an open Patching Strategy template.
-
-
Select Save on the upper left to save your changes:
Identify the Patching Process that controls the approval and deployment logic for the existing Business Units in this strategy. This is the same Patching Process identified in the Deployment Bot Runtime, which is the only Patching Process you can choose here. This ensures that any Business Units added after initial creation of this strategy use the same Patching Process as the existing Business Units.
-
Verify that the Deployment Bot Runtime details are accurate. The Patching Process settings needed for the Business Unit Addition Settings are the same as those used in the Deployment Bot Runtime.
-
Select Browse next to Patching Process in the Business Unit Additions dialog of an open Patching Strategy. If Browse is disabled, check the Deployment Bot Runtime Settings.
-
Select the available Patching Process, and then click Add Patching Process.
-
Select Save on the upper left to save your changes:
After completing the Patching Strategy configuration, including Add Software Products, you must enable the Patching Strategy. When enabled, the strategy runs according to the configured schedules.
After you Enable the Patching Strategy, you can view the pending approval request.
-
Select Approval Requests in the left navigation menu of the OneSite Patch Dashboard.
-
The view defaults to All requests, which includes pending and completed.
-
The Patching Strategy you just enabled appears in the Approval Summary table with a Request Status of In Progress and Awaiting Response.
-
-
Select Flex Controls > Patching Cycles from the left navigation menu of the OneSite Patch Dashboard.
-
Check the Running Patch Processes table, which lists the status of the Patching Strategy as Waiting.
-
Select Approval Requests in the left navigation menu, and then click the Patching Strategy in the table.
-
Select Approve, and then click Back to Approval Requests. You can wait until the patch time passes, or you can start the deployment manually.
After the Patching Strategy approval process status shows Completed, you can wait until the time setting for patch deployment, or you can start the deployment immediately.
-
Select Flex Controls > Patching Cycles, and then click the name of the Patching Strategy to open the Cycle Information.
-
Select Play under Cycle Information, and then click Close. This returns you to the Patching Cycles workspace where you can view Running Patch Processes.
-
Select the Patching Strategy name to view details about the patching process.