The possibility to "pin" a patch set for X number of days
The possibility to "pin" a patch set for X number of days, giving you the possibility of deploying and verifying the same set of patches across individual envs. In other words: same patchset on DEV servers on Monday, Test servers on Tuesday, etc. and Production on Sunday.
We’re currently reviewing enhancements around approved and time-delayed patching.
In the interim – there are two ways to achieve your scenario “exactly same updates” in Dev & then Prod, by either manipulating the OS behavior or tweaking the AUM config:
- Host the updates locally using Microsoft WSUS [https://docs.microsoft.com/azure/automation/automation-configure-windows-update#make-wsus-configuration-settings], the Reposync utility from RedHat [https://access.redhat.com/solutions/23016] or Ubuntu Landscape [https://docs.ubuntu.com/landscape/], etc. And then configure the update service or package manager of all your machines to use the local update source. In this way the updates installed when using Update Management will only be what is available in your local patch server which is running (say) WSUS or RH Reposync. And if the patch server remains unchanged in 2-3 weeks when you start the update schedule for Prod, they will also fetch updates from the same local patch server and have exactly the same updates as your non-prod.
- Use the MS CXP created Create-azUpdatePatchDeploymentList PowerShell script [https://www.powershellgallery.com/packages/Create-azUpdatePatchDeploymentList/]. It will query for the existing needed updates applied and create a new schedule as needed which only includes the updates retrieved from the query of the result of an earlier UM schedule run.
Customers can choose either (1) or (2) – based on the environment & control requirements.
I want to help me change the phone number so that I can enter my account
Jo Di Piazza commented
We really need the ability to sanction a specific set of patches, and migrate them through our environments (Linux and Windows). Applying a 'moving target' of patches can be operational suicide. It would be a really helpful feature, and mean we wouldn't need to look at alternative solutions. Thank you.
ivan borghetti commented
The selection of patches that we want to include is a good option, however I think the request is different. I will put an example in Linux since I am not very experienced with Windows. Let's say I patch my dev environment today and we have 50 patches in the repo that I apply to my servers. In 2 weeks I will need to patch my prod servers, however in the repo there are now 60 patches and in some cases there are also new versions for patches that I applied in dev. A good example would be a kernel version. In this case it would be really difficult to be able to manage all those variables, which today on-prem or with different tools are managed with local repos (SCCM, Red Hat Satellite, Tanium) or with the package release dates, for instance, apply the packages released from x to y only.
Guy Gibson commented
We are looking for something similar. Ties to Patch Tuesday. So for example starting on the 3rd Monday of the month we want to apply 7 update sets across 1 Monday night, 2 Tues, 2 Wed and 3 Thurs night, in that order.
Recurring 3rd (MTWTFSS) every month doesn't work. If the month starts on a Wed, then the actual order above will end up being 2 Wed, 2 Thur, 1 Mon, 2 Tues.
We'd like to say: 'update the system with all packages that were available on the 1st of March, at 00:01'. In this way, we could run the update on the 5th of March for DEV, 12th of March on ACC, etcetera, but the result would be the same.
The same functionality is for example available if you use Red Hat Satellite (or Spacewalk), but it would be much more preferable to integrate this within Azure Patch Management.
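The "apply only what was available on the 1st of March at 00:01" idea above, and the "packages released from x to y only" / drifting kernel version example in the earlier comment, both reduce to the same operation: freeze a view of the repository at a cutoff and compute updates against that frozen view rather than against whatever is current at run time. The following is an added illustration of that logic (not code from Azure Update Management, from the Create-azUpdatePatchDeploymentList script, or from any commenter). The repository contents, package names, versions, dates and the simplified version comparator are all constructed for the demo; real dpkg/rpm version ordering rules are more involved than the `version_key` helper shown here.

```python
import re
from dataclasses import dataclass
from datetime import datetime
from typing import Dict, Iterable, List, Optional, Tuple


@dataclass(frozen=True)
class Package:
    """One package build as published in a repository (constructed model)."""
    name: str
    version: str
    released: datetime  # moment the build appeared in the repo (naive UTC)


def version_key(version: str) -> List[Tuple[int, object]]:
    """Simplified comparator: split on '.' and '-', numeric parts compare as
    integers, everything else as strings. Hypothetical helper; NOT full
    dpkg/rpm version semantics, just enough for the demo data below."""
    return [(0, int(p)) if p.isdigit() else (1, p) for p in re.split(r"[.\-]", version)]


def snapshot(repo: Iterable[Package], cutoff: datetime) -> Dict[str, Package]:
    """The repository as it looked at `cutoff`: newest build of each package
    released at or before that moment. Builds published later are invisible,
    which is exactly what a frozen WSUS/reposync mirror gives you."""
    chosen: Dict[str, Package] = {}
    for pkg in repo:
        if pkg.released > cutoff:
            continue
        current = chosen.get(pkg.name)
        if current is None or version_key(pkg.version) > version_key(current.version):
            chosen[pkg.name] = pkg
    return chosen


def pinned_updates(repo: Iterable[Package], installed: Dict[str, str],
                   cutoff: datetime) -> Dict[str, str]:
    """Updates a host would apply against the pinned snapshot: only packages
    already installed whose snapshot version is newer. The result depends on
    `cutoff`, not on when the run happens, so DEV and PROD get identical sets."""
    snap = snapshot(repo, cutoff)
    return {
        name: snap[name].version
        for name, ver in installed.items()
        if name in snap and version_key(snap[name].version) > version_key(ver)
    }


def drift(repo: Iterable[Package], installed: Dict[str, str],
          pinned_cutoff: datetime, run_time: datetime
          ) -> Dict[str, Tuple[Optional[str], Optional[str]]]:
    """Packages where an unpinned run at `run_time` would select a different
    version than the pinned run: name -> (pinned_version, unpinned_version).
    An empty dict means the two environments would end up identical."""
    pinned = pinned_updates(repo, installed, pinned_cutoff)
    live = pinned_updates(repo, installed, run_time)
    return {
        name: (pinned.get(name), live.get(name))
        for name in set(pinned) | set(live)
        if pinned.get(name) != live.get(name)
    }


# Constructed repository history: a kernel rebuild lands on 10 March, after the
# pin date, and a brand-new package (curl) appears that no host has installed.
REPO = [
    Package("kernel", "5.4.0-100", datetime(2021, 2, 20, 9, 0)),
    Package("kernel", "5.4.0-104", datetime(2021, 3, 10, 9, 0)),
    Package("openssl", "1.1.1i", datetime(2021, 2, 15, 9, 0)),
    Package("openssl", "1.1.1j", datetime(2021, 2, 28, 23, 59)),
    Package("bash", "5.0-6", datetime(2021, 1, 10, 9, 0)),
    Package("curl", "7.74.0", datetime(2021, 3, 5, 9, 0)),
]

# Constructed inventory of what is installed on the PROD hosts before patching.
PROD_INSTALLED = {"kernel": "5.4.0-98", "openssl": "1.1.1i", "bash": "5.0-6"}

PIN = datetime(2021, 3, 1, 0, 1)         # "everything available on 1 March, 00:01"
DEV_RUN = datetime(2021, 3, 5, 20, 0)    # DEV patched on the 5th
PROD_RUN = datetime(2021, 3, 12, 20, 0)  # PROD patched a week later

if __name__ == "__main__":
    print("pinned set:", pinned_updates(REPO, PROD_INSTALLED, PIN))
    print("unpinned PROD run:", pinned_updates(REPO, PROD_INSTALLED, PROD_RUN))
    print("drift:", drift(REPO, PROD_INSTALLED, PIN, PROD_RUN))
```

With this data the pinned set is kernel 5.4.0-100 plus openssl 1.1.1j whether the run happens on the 5th or the 12th, while an unpinned run on the 12th silently picks up kernel 5.4.0-104, which is the "new kernel version in prod that was never tested in dev" situation described above. The `drift` report is the check worth running before a production window: it should be empty, and anything it lists is a package that was not validated in the earlier environment.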
Javier Negro Dieste commented
It's a bit cumbersome to get an update warning and then see that it is just the antivirus definition lists from the same day.
It would be great if we could set how many days/hours pass until the solution warns us of missing updates of the 'definition' classification.