Advanced Patching

If you have a Puppet Enterprise (PE) Advanced license you can enable Advanced Patching with vulnerability remediation capabilities. From the PE console navigation bar, select System updates and click Get started with Advanced Patching now.

You can use Advanced Patching to:

  • Create patch groups

  • Define maintenance and blackout windows

  • Run or schedule patch jobs to apply all available package/software updates

  • Integrate data from a third party security scanner to detect vulnerabilities

  • Run or schedule patch jobs to apply the specific updates necessary to remediate detected vulnerabilities on affected nodes

Before you begin:
  • The service requires an extra 1GB of RAM to operate by default. CPU usage varies with how many systems are patched and how often, but is incremental. The service also requires additional disk storage for the vulnerabilities database, with usage varying based on the number of nodes being managed.
  • To enable Advanced Patching, you must acquire a Puppet Enterprise (PE) Advanced license. Contact your PE administrator or our sales team to acquire a license and enable this feature.
  • Ensure there are no classification issues on the primary server and that a Puppet run can complete successfully before you enable Advanced Patching.
  • The Advanced Patching feature is not enabled by default, and requires a user with permissions to run all plans in order to enable the feature. Once enabled, the feature cannot currently be disabled.
  • The Advanced Patching feature assumes ownership of the PE Patch Management node group tree. Any patch groups declared under that group are modified or deleted by the Advanced Patching service. No classification other than the pe_patch class may be applied to the PE Patch Management group or any group underneath it; otherwise Advanced Patching will not enable successfully.
  • Once enabled, the PE Advanced Patching feature enforces the state of the PE Patch Management node group tree, so any manual changes made to it are replaced.
  • RBAC: A default role is available for patching in PE, and it can be assigned to a user who needs to perform patching. The Administrator has all permissions by default. The user who enables (onboards) the feature must have permission to run a plan on the primary server. For more information about Advanced Patching user permissions and roles, see User permissions and user roles.
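As an added example (not Puppet's own code), a preflight check for the classification requirement above: it walks the node group tree in the shape returned by the classifier API (`GET /classifier-api/v1/groups`) and reports any group in the PE Patch Management subtree that declares a class other than pe_patch. The sample groups are constructed; the fetch helper assumes a console host, a CA file and an RBAC token with classifier read access.

```python
import json
import ssl
import urllib.request

PATCH_ROOT = "PE Patch Management"
ALLOWED_CLASSES = {"pe_patch"}  # the only class permitted in the patch group tree

def fetch_groups(console_host, token, ca_file):
    """Read all node groups from the classifier API (assumes an RBAC token)."""
    ctx = ssl.create_default_context(cafile=ca_file)
    req = urllib.request.Request(
        f"https://{console_host}:4433/classifier-api/v1/groups",
        headers={"X-Authentication": token},
    )
    with urllib.request.urlopen(req, context=ctx) as resp:
        return json.load(resp)

def patch_subtree(groups):
    """Return the PE Patch Management group plus every descendant group."""
    roots = [g for g in groups if g["name"] == PATCH_ROOT]
    if len(roots) != 1:
        raise ValueError(f"expected one {PATCH_ROOT!r} group, found {len(roots)}")
    children = {}
    for g in groups:
        children.setdefault(g.get("parent"), []).append(g)
    found, stack = [], [roots[0]]
    while stack:
        g = stack.pop()
        found.append(g)
        # The root "All Nodes" group lists itself as parent; skip self-references.
        stack.extend(c for c in children.get(g["id"], []) if c["id"] != g["id"])
    return found

def extra_classification(groups):
    """List (group name, offending classes) for groups in the patch subtree that
    declare anything other than pe_patch. An empty list means safe to enable."""
    offenders = []
    for g in patch_subtree(groups):
        extra = sorted(set(g.get("classes", {})) - ALLOWED_CLASSES)
        if extra:
            offenders.append((g["name"], extra))
    return offenders

# Constructed sample in the shape the classifier API returns (ids shortened).
SAMPLE_GROUPS = [
    {"id": "root", "parent": "root", "name": "All Nodes", "classes": {}},
    {"id": "pm", "parent": "root", "name": "PE Patch Management", "classes": {"pe_patch": {}}},
    {"id": "g1", "parent": "pm", "name": "web-servers", "classes": {"pe_patch": {"patch_group": "web"}}},
    {"id": "g2", "parent": "pm", "name": "db-servers", "classes": {"pe_patch": {}, "ntp": {}}},
]
```

Against a live console, `extra_classification(fetch_groups(host, token, ca_file))` returns the groups to clean up before enabling the feature; on the sample it flags db-servers for its extra ntp class.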