*WARNING* for admins using Automatic Patch Deployment

*WARNING* for admins using Automatic Patch Deployment

We just had a mini-crisis with desktop central patch deployment the other day as we had a mess of unapproved updates deploy through our automatic patch deployment policy. After sending our logs to support and long remote assistance session we learned exactly what caused us such a panic. 

I am sharing with the community to hopefully to spare anyone from a similar scenario. We got lucky in the end, the patches did not negatively affect our PCs. We will not make the same mistake twice.

Chat transcript:

support+user
Only known possible way for an unapproved patch to be deployed through APD is, the patch was taken by the task when in was in approved state. Then the patch has been unapproved. But since the patch has been in APD before Nov14th, we are not able to find if the above case has happened
-----------------------------------------------------------------------------------------
Guest
So if a patch was approved then unapproved 4 days ago... 
-----------------------------------------------------------------------------------------
support+user
If the patch was approved, it will be taken by the APD for deployment. If it is later unapproved, it will not be removed from APD
-----------------------------------------------------------------------------------------
Guest
why not?
-----------------------------------------------------------------------------------------
Guest
thats seems to be a pretty big design flaw
-----------------------------------------------------------------------------------------
Guest
because that may be exactly the case
-----------------------------------------------------------------------------------------
support+user
We expect the Approve/Unapprove feature to be used once. But, we will update your concern with the team. For your use case, you can use decline patches feature. This will make sure the patches are never deployed unless through a manual configuration (i.e) will not even be taken by Test Group.
-----------------------------------------------------------------------------------------
Guest
So.... if we approved patches, decide against it, we have to fully decline them to stop the ADPs from deploying them anyway
-----------------------------------------------------------------------------------------
support+user
Yes. You are correct
-----------------------------------------------------------------------------------------
Guest
Is this detail in any of your documentation? I don't recall being warned about it
-----------------------------------------------------------------------------------------
support+user
Sorry that we have not captured it in the documentation, since this was not an expected direct use case.
-----------------------------------------------------------------------------------------
Guest
I see.. we are just unlucky it would seem
-----------------------------------------------------------------------------------------
Guest
Well we are lucky enough that the unapproved updates did not cause any issues with our users
-----------------------------------------------------------------------------------------

:end:


      New to M365 Manager Plus?
      New to M365 Manager Plus?
        New to RecoveryManager Plus?
        New to RecoveryManager Plus?
          New to Exchange Reporter Plus?
          New to Exchange Reporter Plus?
            New to SharePoint Manager Plus?
            New to SharePoint Manager Plus?
              See all integrations
              New to ADManager Plus?
              See all integrations
              New to ADManager Plus?

                New to ADSelfService Plus?

                Start your free trial
                Start your free trial



                          Related Products