Patch management process definitions work with resources and other patch configuration settings already defined in Patch Management to automate some patch management processes.

This tutorial walks you through creating a simple patch management process definition for patching agents. You can then use this process in the Patch Management > Patch Configuration workflow.

The following image shows the simple patch management process definition you will create in this tutorial:

Process Definition Patch Management Example

A patch management process allows you to perform the following types of patch service tasks:

TaskDescription
Run Missing PatchesChecks for missing patches.
Approve patchesApproves patches based on filters.
Run Patch InstallInstalls the approved patches on the machine.
Patch MaintenancePuts the machine being patched into maintenance mode. When the machine is in maintenance mode, the alerts are sent to the maintenance queue instead of the active alert queue.
Run Patch ComplianceRuns a selected patch compliance configuration on the machine to measure patch compliance. The compliance configuration must already exist in the compliance configuration list, Automation > Patch Management > Patch Compliance Configuration.

While this tutorial does not include script tasks or platform service tasks, you can add these more advanced tasks to your patch management process definitions.

In the following tutorial, refer to the Process Definition Reference for detailed information about each component type and the properties available for customization.

Step 1: Create a new patch management process definition

In this step, you create a new process definition. Ensure the Remediation and Automation package is enabled for the client.

  1. In the main client menu, click Automation > Process Definitions to display the list of defined process definitions.
  2. To add a new process definition, click + NEW to display the canvas and tools for rendering a new visualization.
  3. In the Name. field, enter Simple Patch Workflow. The name is the process name you will select when you use this patch management process definition in the patch management workflow.
  4. In the Description field, enter Simple Patch Workflow Tutorial or some other description.
  5. Select Patch Management in the Category list.
  6. Enable the process definition with the Enable Process Definition toggle.

Step 2: Define the start event

The first step of any process is to define the start condition.

  1. Click the Create StartEvent symbol from the component tools menu, and place it on the canvas with a click.

  2. Click the Start Event symbol to display the start event properties.

  3. In the Properties Name. field, enter Start. The ID property is automatically populated.

  4. For the Input Type select Resource.

    You do not need any other start properties because this process is started by the patch management schedule.

    When the process definition is used in the patch management workflow, a new process instance is created for each resource, and the process instance receives the resource ID as input.

Step 3: Define the patch scan task

After adding the start event, add tasks to complete the process. The first task is to scan for missing patches.

  1. Click the Start Event, and click Append Task.

    Process Definition Append Task
  2. Select the task, click the Change type (wrench) icon and select Service Task.

  3. Click the task on the canvas to display the task properties.

  4. Enter Patch Scan for the Name. The name is displayed in the task symbol as you enter it. The task ID is automatically populated.

  5. Select Patch Service for the Service.

  6. Select Run Missing Patches for the Task.

  7. The resource field is context sensitive to the objects in the process definition. Enter a value in the Resource ID field in parts, using the following steps:

    • Enter a $, and the name of the start event, displays below the field, select or enter Start.
    • Enter a period . after $Start and select or enter resource.
    • Enter a period . after $Start.resource, and a list of possible values displays below the field, select or enter uuid.

    The value in the Resource ID field should be $Start.resource.uuid.

Step 4: Define the patch approval task

After you scan for missing patches, you will decide which patches are approved by filtering the patches on different patch properties.

  1. Click the Patch Scan task, and click Append Task.

  2. Select the task, click the Change type (wrench) icon and select Service Task.

  3. Click the task on the canvas to display the task properties.

  4. Enter Patch Approval for the Name. The task ID is automatically populated.

  5. Select Patch Service for the Service.

  6. Select Approve Patches for the Task.

  7. Enter a value in the Resource ID field in parts, using the following steps:

    • Enter a $, and a list of possible values displays below the field, select or enter Patch_Scan, the previous task. Since this is a simple sequential process definition using the resource ID, we can use the resource ID from either the Start or the Patch Scan task since they are the same.
    • Enter a period . after $Patch_Scan and select or enter resource.
    • Enter a period . after $Patch_Scan.resource, and a list of possible values displays below the field, select or enter uuid.

    The value in the Resource ID field should be $Patch_Scan.resource.uuid.

  8. In the Filter Criteria field enter patch.name = "update-notifier-common" to include all patches named update-notifier-common.

    You can add more filters, but for this simple tutorial, one filter will do.

    The following table shows patch properties and queries for different filters.

    FilterProperty and Query
    Patches based on patch namepatch.name = "update-notifier-common"
    Patches if patch name contains "ABCD"patch.name LIKE "%ABCD%"
    Patches based on external Id'spatch.externalId LIKE '%release-upgrade%'
    Patches based on severitypatch.severity = optional
    Patches based on categorypatch.category LIKE "%update%"
    Patches with rebootRequired flagpatch.rebootRequried = false
    Only windows patchespatch.patchType = WINDOWS
    Only Linux patchespatch.patchType = LINUX
    Whitelisted patchespatch.patchRating.rating = WhiteListed
    Blacklisted patchespatch.patchRating.rating = BlackListed
    Not Rated patchespatch.patchRating.rating = Not Rated
    All missing patchespatchStatus = "MISSING"
    Patches that showed up as missing in the scan in the last 2 hoursscanTime < -2h
    Whitelisted Linux patchespatch.patchRating.rating = WhiteListed AND patch.patchType = LINUX
    Whitelisted windows patchespatch.patchRating.rating = WhiteListed AND patch.patchType = windows
    Standard update categories patchespatch.serverity = 'standard' AND patch.category LIKE '%update%'
    Important update categories patchespatch.serverity = 'important' AND patch.category LIKE '%update%'

Step 5: Define the patch installation task

Once you define which patches will be installed, add a task to install the patches.

  1. Click the Patch Approval task, and click Append Task.

  2. Select the task, click the Change type (wrench) icon and select Service Task.

  3. Click the task on the canvas to display the task properties.

  4. Enter Patch Installation for the Name. The task ID is automatically populated.

  5. Select Patch Service for the Service.

  6. Select Run Patch Install for the Task.

  7. Enter a value in the Resource ID field in parts, using the following steps:

    • Enter a $, and a list of possible values displays below the field, select or enter Patch_Approval, the previous task.
    • Enter a period . after $Patch_Approval and select or enter resource.
    • Enter a period . after $Patch_Approval.resource, and a list of possible values displays below the field, select or enter uuid.

    The value in the Resource ID field should be $Patch_Approval.resource.uuid.

Step 6: Append the end event, save, and deploy

When you are finished defining the patch management process, add an end event and save and deploy the process definition for use in your patch management schedules.

  1. Click the Patch Installation task, and click Append EndEvent.
  2. Click the task on the canvas to display the task properties.
  3. Enter End for the Name.
  4. Click Save & Deploy. The Simple Patch Workflow displays in the Process Definitions list.

Next steps

Once you have created and deployed the Simple Patch Workflow patch management process, you can select the process in patch schedules as shown in the following figure.

Process Available in Patch Schedule

See Configure Patch Schedules for information on using a patch management process in a patch management schedule.