ALERT: Some images may not load properly within the Knowledge Base Article. If you see a broken image, please right-click and select 'Open image in a new tab'. We apologize for this inconvenience.

Why Patches Should be Scheduled With Default Software Update Plug-in (DSUP) Policies

book

Article ID: 161675

calendar_today

Updated On:

Products

Patch Management Solution for Windows

Issue/Introduction

Specifying different schedules and targets within Software Update policies requires creating redundant Software Update policies. This is time consuming for an administrator and slows down Import Patch Data (PMImport) tasks when options under Revise Software Update policies are enabled.

Resolution

Unlike Software Delivery policies, it is best practice to not specify schedules and targets within individual Software Update policies. Instead patch schedules should be controlled with Default Software Update Plug-in (DSUP) Policies. DSUP policies are located under Settings>Agents/Plug-ins>Software>Patch Management>Windows and Linux and should be thought of as patching schedules for different groups of computers. Each group of computers (for example servers, workstations, and test group) should have a clone of the original DSUP policy targeted to them that is configured with an appropriate patching schedule and reboot settings (for example servers might need to have reboots disabled). Of course, only the original DSUP policy is needed if all computers will share the same schedule. In theory, there should be only one Software Update policy per set of software updates that applies to all computers with the Software Update Plug-in (the default target), while scheduling for different groups of computers is broken up and controlled by the DSUP policies. Only when DSUP policies and/or Maintenance Windows need to be overridden should targets and schedules be specified within Software Update policies.
Please read section 5 of HOWTO56242 for best practice configuration of the DSUP policies.