Operations | Updated July 3, 2026

OHEMR Epic Patching

Naming Convention

The name matters because it encodes the schedule. The convention is as follows:

| CSP | Recurrence | Week | Day | Hour |
|---|---|---|---|---|
| Z: Azure | M: Monthly | W0 | D[0-6] | H[00-23] |
| | W: Weekly | W[1-4] | D[0-6] | H[00-23] |

Examples

  • ZWW0D0H02 - Weekly, Week 0, Day 0 (Sunday), 02AM
  • ZWW0D2H06 - Weekly, Week 0, Day 2 (Tuesday), 06AM
  • ZMW3D4H20 - Monthly, Week 3, Day 4 (Thursday), 8PM

Notes

  • The 5th week of the month is never used, because a patch scheduled on a day that does not occur in a given month would be skipped.
  • 0:Sunday, 1:Monday, 2:Tuesday, 3:Wednesday, 4:Thursday, 5:Friday, 6:Saturday
  • All Maintenance Configurations are set to reboot after patching, even if no patches were applied.
  • All weekly schedules use Week 0 (W0).

Azure Configuration

  • Servers patch based on the PatchSchedule tag
  • Maintenance Configurations must be duplicated in each subscription for them to work in that subscription
  • Dynamic Scopes are attached to each Maintenance Configuration that point to the PatchSchedule Tag.
  • There is a tagging policy that must be modified if you are creating new Schedules. That is stored in the policy repo, not in the repo that you're adding to.
  • If you need to temporarily disable patching on a server, apply ALL_DO_NOT_PATCH.
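A check of PatchSchedule tag values against the naming convention, as an added example (not code from the original page or its repos). It assumes, following the Notes and Examples, that weekly names use W0 and monthly names use W1 to W4, and that ALL_DO_NOT_PATCH is applied as the PatchSchedule tag value; the server names and inventory are constructed.

```python
import re
from typing import NamedTuple

DAYS = ["Sunday", "Monday", "Tuesday", "Wednesday", "Thursday", "Friday", "Saturday"]
# CSP (Z), recurrence (M or W), then W<week> D<day> H<hour>, e.g. ZMW3D4H20
NAME_RE = re.compile(r"Z(?P<rec>[MW])W(?P<week>[0-4])D(?P<day>[0-6])H(?P<hour>[0-9]{2})")
DO_NOT_PATCH = "ALL_DO_NOT_PATCH"  # assumption: applied as the PatchSchedule tag value

class Schedule(NamedTuple):
    recurrence: str
    week: int
    day: str
    hour: int

def parse_schedule(name: str) -> Schedule:
    """Decode a schedule name; raise ValueError if it breaks the convention."""
    m = NAME_RE.fullmatch(name)
    if m is None:
        raise ValueError("does not match Z[M|W]W#D#H## layout")
    week, hour = int(m["week"]), int(m["hour"])
    if hour > 23:
        raise ValueError("hour must be 00-23")
    if m["rec"] == "W" and week != 0:
        raise ValueError("weekly schedules must use W0")
    if m["rec"] == "M" and week == 0:
        raise ValueError("monthly schedules must use W1-W4")
    recurrence = "Weekly" if m["rec"] == "W" else "Monthly"
    return Schedule(recurrence, week, DAYS[int(m["day"])], hour)

def audit_tags(tags: dict) -> dict:
    """Classify each server's PatchSchedule tag value (None means the tag is missing)."""
    report = {}
    for server, value in tags.items():
        if value is None:
            report[server] = "untagged"
        elif value == DO_NOT_PATCH:
            report[server] = "patching disabled"
        else:
            try:
                s = parse_schedule(value)
                report[server] = f"ok: {s.recurrence} W{s.week} {s.day} {s.hour:02d}:00"
            except ValueError as exc:
                report[server] = f"invalid: {exc}"
    return report

# Constructed inventory: server names and tag values are made up for this example.
SAMPLE = {"epic-app-01": "ZWW0D0H02", "epic-db-01": "ZMW3D4H20", "epic-web-01": "ZWW2D1H03",
          "epic-web-02": "ZMW5D1H03", "epic-rpt-01": "ALL_DO_NOT_PATCH", "epic-tst-01": None}

if __name__ == "__main__":
    for server, status in audit_tags(SAMPLE).items():
        print(f"{server:12} {status}")
```

Servers reported as untagged, invalid, or patching disabled are the ones to review, since patching is driven by the PatchSchedule tag.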

RACI Document

This document establishes the roles for Patching.

| Abb | Role |
|---|---|
| R | Responsible (does the work) |
| A | Accountable (owns the result / makes the final decision) |
| C | Consulted (provides input) |
| I | Informed (kept in the loop) |
Category | Task/Activity | Server Operations | Patching Team | Network Operations | Infrastructure Operations Management | Application Operations | Epic Support | Cyber Defense | Citrix Team
(Benny Butler's Team) (Charles Smith's Team) (John Mouser's Team) (Randy Olinger's Team) (Rafal Kamieniecki's Team)
Patching | Approve New Patching Maintenance Window | CIR/A
Patching | Create New Patching Maintenance Window | R/A
Patching | Configuring Resource for Patching (Patch Orchestration & Tagging) | ACII
Patching | Verifying Resources Configured Correctly for Patching (Patch Orchestration & Patch Tag) | R/AC
Patching | Verifying Scheduled Patches Performed Successfully | IR/A
Patching | Ad-hoc Performing Patching (including creating the Change Request) | RR/AICI
Patching | Triage and Recovery Actions from Patch-Related Incidents | R/ARICI
Patching | Report Patching Compliance | CRA
Patching | Monitor Post-Patching Health | CR/A
Patching | VDA Patching, monthly based on updated golden image | R/A
Vulnerability | Monitor Security Platform Portal (Day to Day) | RA
Vulnerability | Operating System vulnerability remediation for Critical, High, and Known Exploitables (VMs, OS, Golden Image) | R/A
Vulnerability | Cloud Configuration vulnerability remediation for Critical, High, and Known Exploitables (Azure Storage, Key Vault, etc.) | R/A
Vulnerability | Application-level vulnerability remediation for Critical, High, and Known Exploitables (Epic, SQL, Web Apps) | IIR/A
Vulnerability | Firewall vulnerability remediation for Critical, High, and Known Exploitables | R/A
Vulnerability | Report Vulnerability Status | R/A
Security | Remediating issues with Agents on all VMs and Servers | R/A
Security | Monitor OHEMR Policy Compliance | R/A
Security | Remediating VM and Servers when Non-Compliant with any OHEMR Policy | A
Security | Monitoring Core Infrastructure from Cyber Attacks | R/A
Security | Monitoring Core Infrastructure Performance and Availability | R/A
Security | Monitoring Application Performance and Availability | R/A