Kaseya Community

Patch Policy Management Best Practice

  • Out of the box Kaseya provided us with two policies.

    Daily Wkst Schedule for 10+ Patches (Auto Update M-F 6am-6pm/Power Mgmt) - Applies Daily Auto Update schedules to Workstation Patching Policy members that are missing 10 or more approved patches.  Auto Updates are scheduled M-F each week from 6am-6pm.  This policy is generally used when customers have machines that are missing quite a few patches and they want to get those systems up to date over the course of days rather than weeks or months.  Once the machines are patched, then they will not need to be patched on a daily basis anymore.  Auto Updates are performed in the daytime to handle customers where machines are generally powered off at night, but the power management option is enabled on these schedules so that any machines powered off during the day can be woken up prior to performing these operations.

    Weekly Wkst Schedule (Scan Tu 6am-6pm/Auto Update W 6am-6pm/Power Mgmt) - Applies Weekly Patch Scan and Auto Update schedules to Workstation Patching Policy members.  Patch Scans are scheduled on Tue of each week from 6am-6pm and Auto Updates are scheduled on Wed of each week from 6am-6pm.  This policy is generally used when customers want to take a more aggressive approach to patching to help minimize risk due to machines not being patched and thus want new patches deployed relatively quickly to machines.  Auto Updates are performed in the daytime to handle customers where machines are generally powered off at night, but the power management option is enabled on these schedules so that any machines powered off during the day can be woken up prior to performing these operations.

I'm looking for suggestions/recommendations on best practices; I would like to go with one policy that will scan computers on a daily basis and perhaps install updates once or twice a week.  I'm a bit confused by the two policies above and hoping someone could clear this up a bit for me.  Thanks.

  • The built-in policies are just an example or a suggestion - you're free to create your own as you see fit, there is no right or wrong, only what you want to achieve.

We patch workstations daily and try to apply every missing patch; for some clients this happens at night, whereby we wake-on-LAN any machine that needs patching; those that fail we skip and try again the next day. For other clients, they patch as soon as the machine next comes online, regardless of time of day or user disruption.

For servers, we patch terminal servers and other noncritical boxes once a month, on the Sunday after 'Patch Tuesday' at 4am. For other servers, we patch manually as a general rule; we have agreed maintenance windows with clients that can and do get rescheduled, so we just program the patch schedule accordingly each month.

The key thing here is not to get hung up trying to understand the logic behind the sample patch process; just throw it away if you don't like it and do your own thing, which you determine by discussion with your clients and reference to whatever other standards and processes you need to reference, e.g. ITIL, change management framework, SLAs, required uptimes, etc.

Perhaps the first thing to do is to understand that a maintenance window IS necessary, and thus open a dialog with your client about WHEN that can be, and let the discussion travel from there to our patch approval policy, what happens if patches fail, what happens if the patch window is missed (e.g. machine off and won't wake), what's the tolerance level for out-of-compliance machines and how do you report that internally and to the client, that sort of thing.

  • Thanks for the feedback Craig; it's insightful and appreciated.

  • I'm confused between scanning and updating. Should the policy include a scan followed by an update? Or could I just set the policy to install updates? Do scan and update go hand-in-hand?  Thanks!

You must scan in order to have something to patch. I would suggest scanning on a regular basis, either daily or every few days. The updating can be done as you wish.

We patch workstations every day. Remember that 29 days out of the month there should be nothing for it to do, but just in case there is an out-of-band patch, we want to have it pushed out. We try to get our clients to leave their machines on at night, and for laptops we patch in the late afternoon.

Servers are "to each his own". We apply server updates every Sunday in the wee hours, and reboot immediately. You know your clients, and the urgency and dependency of machines, so there is not one policy that is good for everyone. When I talk to new partners, I always suggest to let automation have a chance.

We do have a patch training session on our ClubMSP site (clubmsp.com/.../kaseya-patch-management-full-course); there is no registration or membership required to view this one.

The purpose of scanning is to determine what updates are required. We scan daily. This is a nonintrusive process for the user and can be run any time.

Updating is the process of installing the patches that the scan identified as required (and that you have approved for installation via patch policy).

    Generally:

    1. Build a patch policy for your machines (patch policy - create)

    1a. make machines a member of that patch policy (patch policy - membership)

1b. disable automatic Windows updates so only your rules apply (configure - Windows auto update)

    2. scan machines to determine required patches

    2a. approve or deny those patches as required (patch policy - approve by policy or by patch)

3. apply patches as you see fit - in most cases by scheduling an automatic update
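The two pieces of the procedure above that can be checked on the endpoint itself are step 1b (the local Windows Update client must be disabled so the patch policy is the only thing installing updates) and step 2 (what a scan will actually find). The PowerShell below is an added example, not code from the thread or from Kaseya: it reads the Windows Update policy registry value, enumerates missing updates through the Windows Update Agent COM API, and applies the same 10-missing-patch threshold the built-in "Daily Wkst Schedule for 10+ Patches" policy uses to decide whether a machine belongs on a daily or a weekly schedule. The registry path and the COM search string are real Windows interfaces; the approval filter lives in the patch policy, so this counts every missing update, not only approved ones. Run it elevated on a workstation that can reach its update source.

```powershell
# Added example (not from the forum thread or Kaseya). Run as Administrator.
# Step 1b check: the policy value that disables the built-in Automatic Updates client.
$auPolicyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU'

function Test-WindowsAutoUpdateDisabled {
    # NoAutoUpdate = 1 (DWORD) under the policy key turns off Automatic Updates,
    # which is what "configure - Windows auto update" sets on the agent's behalf.
    $props = Get-ItemProperty -Path $auPolicyKey -ErrorAction SilentlyContinue
    return ($null -ne $props -and $props.NoAutoUpdate -eq 1)
}

function Disable-WindowsAutoUpdate {
    # Creates the policy key if it does not exist and writes NoAutoUpdate = 1.
    # Only call this when the machine really is governed by your patch policy.
    New-Item -Path $auPolicyKey -Force | Out-Null
    Set-ItemProperty -Path $auPolicyKey -Name NoAutoUpdate -Value 1 -Type DWord
}

function Get-MissingUpdates {
    # Step 2: the same query a patch scan performs against the configured update
    # source (Microsoft Update or WSUS): software updates not installed and not hidden.
    $session  = New-Object -ComObject Microsoft.Update.Session
    $searcher = $session.CreateUpdateSearcher()
    $result   = $searcher.Search("IsInstalled=0 and IsHidden=0 and Type='Software'")
    foreach ($u in $result.Updates) {
        [pscustomobject]@{
            Title    = $u.Title
            KB       = (@($u.KBArticleIDs) | ForEach-Object { "KB$_" }) -join ','
            Severity = $u.MsrcSeverity   # empty for non-security updates
        }
    }
}

if (-not (Test-WindowsAutoUpdateDisabled)) {
    Write-Warning "Automatic Updates are not disabled by policy; the OS may install patches outside your schedule. Set $auPolicyKey\NoAutoUpdate = 1 (Disable-WindowsAutoUpdate) once this machine is a patch policy member."
}

$missing = @(Get-MissingUpdates)
$missing | Sort-Object Severity, Title | Format-Table -AutoSize

# Same threshold as the built-in daily policy described earlier in the thread:
# 10 or more missing -> daily Auto Update schedule until caught up, else weekly.
if ($missing.Count -ge 10) {
    "$($missing.Count) updates missing: candidate for the daily Auto Update schedule"
} else {
    "$($missing.Count) updates missing: the weekly scan/update schedule is sufficient"
}
```

Because the patch policy holds the approve/deny decisions (step 2a), the list this prints will be a superset of what the scheduled Auto Update actually installs; a machine that reports many missing updates here but stays out of compliance after its window is usually one whose updates are denied or still pending approval, which is the gap Craig suggests agreeing a reporting tolerance for with the client.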