Advanced Patching

If you have a Puppet Enterprise Advanced license you can enable Advanced Patching from the PE console. From the PE console navigation bar, select Overview and click Get started with Advanced Patching now.

Before you begin
  • By default, the service requires an extra 1 GB of RAM to operate. CPU usage varies based on how many systems are being patched and how often, but the increase is incremental.
  • To enable Advanced Patching, you must acquire a Puppet Enterprise Advanced license. Contact your Puppet Enterprise administrator or contact our sales team to acquire a license and enable this feature.
  • Ensure there are no classification issues on the primary server and that a Puppet run can complete successfully before you enable Advanced Patching.
  • The Advanced Patching feature is not enabled by default, and requires a user with permissions to run all plans in order to enable the feature. Once enabled, the feature cannot currently be disabled.
  • The Advanced Patching feature assumes ownership of the PE Patch Management node group tree. Any patch groups declared under that group are modified or deleted by the Advanced Patching service. Apart from the pe_patch class, do not apply any additional classification to the PE Patch Management group or to any groups underneath it; otherwise, Advanced Patching will not enable successfully.
  • Once enabled, the PE Advanced Patching feature enforces the state of the PE Patch Management node group tree, so any manual changes made to it are replaced.
  • RBAC: A default role is available for patching in PE, and it can be assigned to a user who performs patching. The Administrator role has all permissions by default. A user doing the onboarding must have permission to run a plan on the primary server. For more information about Advanced Patching user permissions and roles, see User permissions and user roles.
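
A pre-enablement check for the classification rule above, as an added example that is not Puppet's own code: it walks the PE Patch Management group tree and reports any class other than pe_patch. It assumes the input is a list of node group objects with id, name, parent, classes and config_data fields, as exported from the node classifier's group listing; the sample groups are constructed.

```python
import json

ROOT_NAME = "PE Patch Management"  # group tree named on this page
ALLOWED_CLASS = "pe_patch"         # the only class the page permits in that tree

def find_extra_classification(groups, root_name=ROOT_NAME):
    """Return sorted (group name, class name) pairs that break the rule."""
    roots = [g for g in groups if g["name"] == root_name]
    if not roots:
        raise LookupError(f"node group {root_name!r} not found")
    children = {}
    for g in groups:
        # Assumption: the top-level group lists itself as parent; skip that loop.
        if g.get("parent") and g["parent"] != g["id"]:
            children.setdefault(g["parent"], []).append(g)
    findings, stack, seen = [], [roots[0]], set()
    while stack:
        g = stack.pop()
        if g["id"] in seen:
            continue
        seen.add(g["id"])
        # Classes can be declared directly or carry data through config_data.
        declared = set(g.get("classes") or {}) | set(g.get("config_data") or {})
        findings.extend((g["name"], cls) for cls in declared - {ALLOWED_CLASS})
        stack.extend(children.get(g["id"], []))
    return sorted(findings)

# Constructed sample export: two violations inside the tree, one group outside it.
SAMPLE_GROUPS = json.loads("""[
 {"id": "a0", "name": "All Nodes", "parent": "a0", "classes": {}},
 {"id": "p0", "name": "PE Patch Management", "parent": "a0",
  "classes": {"pe_patch": {}}},
 {"id": "p1", "name": "Weekly Linux", "parent": "p0",
  "classes": {"pe_patch": {"patch_group": "Weekly Linux"}, "ntp": {}}},
 {"id": "p2", "name": "Monthly Windows", "parent": "p1",
  "classes": {"pe_patch": {}}, "config_data": {"motd": {"content": "x"}}},
 {"id": "w0", "name": "Web Servers", "parent": "a0",
  "classes": {"nginx": {}}}
]""")

if __name__ == "__main__":
    for group, cls in find_extra_classification(SAMPLE_GROUPS):
        print(f"{group}: unexpected class {cls!r}; remove it before enabling")
```

Because the service later enforces this tree and replaces manual changes, run the check against a fresh export immediately before enabling.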

Create a blackout window

To add a blackout window:

  1. In the PE console navigation bar, select Blackout Windows.
  2. Click Add blackout window.
  3. In the Information section, add a name for your blackout window.
  4. From the drop-down menu in the Availability section, select how often you would like the blackout window to run.
  5. In the Schedule section, designate a valid period of time for your blackout window.
  6. Click Add blackout window.

Create a maintenance window

To add a maintenance window:

  1. In the PE console navigation bar, select Maintenance Windows.
  2. Click Add maintenance window.
  3. In the Information section, add a name for your maintenance window.
  4. From the drop-down menu in the Availability section, select how often you would like the maintenance window to run.
    Note: You can select Custom from the drop-down menu to specify a more complex schedule, using a cron string to define your maintenance window. For more information, see cron strings.
  5. In the Schedule section, designate a valid period of time for your maintenance window.
  6. Click Add maintenance window.

Create a patch group

To create a patch group:

  1. From the PE console navigation bar, select Patch Groups.
  2. Click Add patch group.
  3. In the Information section, add a name and description (optional) for your patch group.
  4. Select Next: Select nodes.
  5. From the drop-down menu, select one of the four available methods to pin nodes to a patch group:
    • Classification node group
    • Fact match
    • Node list
    • PQL query
  6. Select Next: Assign maintenance window.
  7. Filter maintenance windows by name and select Apply.
  8. Check the maintenance window(s) and click Add selected windows.
  9. Select Next: Assign blackout window.
  10. Filter blackout windows by name and select Apply.
  11. Check the blackout window(s) and click Add selected windows.
  12. Select Add patch group.
  13. From the PE console navigation bar, select Overview to:
    • View which patch groups need patching.
    • Apply patches for nodes that have been configured for patching.
      Note: When you select a group that needs patching from the Overview page, you can apply a patch job for that group by clicking Apply patch job in the upper-right corner.