Script to install just critical updates on demand

We have our patch management set to run every Sunday early AM. However, for times when Microsoft releases some super critical updates mid-week, it would be nice to be able to trigger an install of just critical updates on demand without having to go into each asset and click on install. Has anyone done this already? Is there a script somewhere that I have missed?

You should be able to do this now with our new Windows Patch Management implementation. You can basically set up two Windows Patching sub-policies. One for all your normal stuff on Sunday AM (and in this one put the Critical stuff to Manual), and then make a second one with everything set to manual and Critical stuff set to approved. That one you can schedule daily or on whatever cadence you want. Then apply both of those to your asset policy.

I thought of that option as well, but kind of wanted something I could run just when needed. Even better, it would be nice to be able to push out on demand just a specific update to all assets.

You should be able to do a specific patch to multiple assets from the Windows Patching reports, but this is somewhat problematic if machines aren’t on and whatnot. Having it policy-based is definitely going to be the safest and most consistent model.

Hi Andy, coincidentally I was just giving my Patch Management settings a review this morning. I’m sure it’s just me, but setting the columns to “Manual” made me wonder: will another Patch Approval be able to pick this up and approve it, or not? Perhaps “ignore” or even just a tooltip there would be helpful.

At any rate, your comment here helped me out so if I am the only confused guy… it’s solved! 🙂

Super glad to hear that!!

So the short answer is yes. The long answer is that each “sub-policy” for Windows Patching is a separate entity, only evaluated within the confines of its own schedule. So if you have two sub-policies running on different schedules, and one, say, has “Critical” set to Manual, it will be treated as Manual for that run. If the next one says “Approved” for “Critical,” it would be approved for that run. It’s designed so you can do exactly what was being discussed above.