How can we stop new updates from installing until they are X days old?

This question comes up when patching is scheduled around Microsoft's Patch Tuesday. It's generally a good idea not to install the latest patches on the day of Patch Tuesday, or even two or three days after it. It's better to let others install and test them first, which also gives Microsoft time to fix problems and release revisions. This can be difficult to schedule because sometimes Patch Tuesday is in the second week of the month, and other times it's in the third week.

Answer

You can create an Advanced Patch Policy and use the Patch Age filter to get around this dilemma.

  1. In the console, go to Manage > Policies, and select Create Policy.
  2. Select Advanced Policy.
  3. Give the policy a name that is unique and reminds you what this policy is for at a glance.
  4. Set the Policy to Active and then assign a group or groups of devices.
  5. The next section is Device Targeting, which can be used or skipped for now.
  6. Go to Package Targeting and add the filters used to capture patch age:
    • The first filter is recommended unless you are using WSUS, in which case you can skip it. In this example we filter for Patch Source > Is > Microsoft Windows Update.
    • The second filter is for patch age. We select Patch Age > Is Greater Than or Equal To > 9.
      You can set the days to anything from 1 day to 180 days. After you set this, click the Preview Packages button to show the packages that would be installed based on the filter.
  7. Next, set a schedule for the policy according to the needs of your business.
  8. Finally, set the Install and Restart Notifications based on your needs. Then you are ready to save and test this policy.
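
To help pick the schedule in step 7, the following added example (not part of the original article or the product) models how a Patch Age filter of 9 days interacts with a policy run date. It assumes patch age is counted in whole days from the Patch Tuesday release date and that a patch held back by the filter is picked up at a later run; the function names, the run on the 20th and the Saturday schedule are hypothetical.

```python
import calendar
from datetime import date, timedelta

MIN_PATCH_AGE = 9  # days, the Patch Age value used in the filter above


def patch_tuesday(year, month):
    """Return the second Tuesday of the month."""
    first = date(year, month, 1)
    to_first_tuesday = (calendar.TUESDAY - first.weekday()) % 7
    return first + timedelta(days=to_first_tuesday + 7)


def passes_age_filter(released, run_date, min_age=MIN_PATCH_AGE):
    """Assumption: age is the whole days between release and the policy run."""
    return (run_date - released).days >= min_age


def monthly_plan(year, run_day, min_age=MIN_PATCH_AGE):
    """For a policy that runs on a fixed day of each month, list the release
    date, the run date, the patch age at that run and the filter result."""
    rows = []
    for month in range(1, 13):
        released = patch_tuesday(year, month)
        run_date = date(year, month, run_day)
        age = (run_date - released).days
        rows.append((released, run_date, age,
                     passes_age_filter(released, run_date, min_age)))
    return rows


def first_weekly_run(released, weekday, min_age=MIN_PATCH_AGE):
    """First run of a weekly schedule (Monday == 0) at which the patch is
    old enough to pass the filter."""
    eligible = released + timedelta(days=min_age)
    return eligible + timedelta(days=(weekday - eligible.weekday()) % 7)


if __name__ == "__main__":
    # Constructed scenario: policy runs on the 20th of every month in 2024.
    for released, run_date, age, ok in monthly_plan(2024, run_day=20):
        verdict = "install" if ok else "held until a later run"
        print(f"released {released}  run {run_date}  age {age:>2}d  {verdict}")
    print("weekly Saturday schedule first installs January's release on",
          first_weekly_run(patch_tuesday(2024, 1), calendar.SATURDAY))
```

With a fixed run on the 20th, the age of that month's release swings between 6 and 12 days, so the filter holds it back in some months. A weekly run combined with the filter installs it a constant number of days after release.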

 
