Kaseya Community

Patch Management Process

  • How are people managing this process?

    I know that everyone says that they review the patches before deploying, but does anyone really review every patch?

    We can certainly figure out our own ad-hoc process (which is what we have already done), but there must be some well thought out procedures that people are using.

    How do you decide what patches to deploy and when to deploy?
    How do you test patches and what patches (if any) do you actually test?
    How do you handle office patching?

    Legacy Forum Name: Patch Management Process,
    Legacy Posted By Username: rvines@axcelltech.com
  • For desktops I scan twice a day for patch status (3am and 3pm), and deploy once daily between 3:30-5:30am. I auto-approve the critical and high security patches, and leave everything else to Pending.

    For servers I have everything set to Pending and I review the available patches once a week for approval. We then have the servers do their patch status scan around 7pm on Saturday night, start installing patches around 11pm, and then do auto-reboots for most clients between 3-5am, making sure that if there are multiple servers at a site we stagger the reboots by 30 minutes so we don't have all the DCs down at once or something like that.

    I don't know if this is the best way to do it, but it's been working for us and we manage a total of about 1500 agents right now. If I ran my own network I would set up a test environment and test patches, but with all the different LOB apps we support for our clients there isn't enough time in a month to test all the patches with all the configs. I just try to keep an eye on the net to see if any patches are causing any major headaches.

    Legacy Forum Name: Patch Management,
    Legacy Posted By Username: kcears
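    The reboot staggering kcears describes (one slot per server inside the 3-5am window, 30 minutes apart within a site, DCs not down together, a few boxes handed to the NOC instead) as an added example. This is illustrative Python written for this thread, not Kaseya's scheduler or anyone's production script; the server inventory, the 15-minute assumed reboot duration and all function names are constructed for the example.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample inventory for one patch weekend (not from the post).
# A server with "manual_reboot" set is left for the NOC to reboot by hand.
SERVERS = [
    {"name": "SITEA-DC1", "site": "A", "role": "DC"},
    {"name": "SITEA-DC2", "site": "A", "role": "DC"},
    {"name": "SITEA-FS1", "site": "A", "role": "file"},
    {"name": "SITEA-APP1", "site": "A", "role": "app"},
    {"name": "SITEA-APP2", "site": "A", "role": "app"},
    {"name": "SITEB-DC1", "site": "B", "role": "DC"},
    {"name": "SITEB-SQL1", "site": "B", "role": "sql", "manual_reboot": True},
]

# Sunday 03:00 to 05:00, the reboot window from the post (date is arbitrary).
WINDOW_START = datetime(2009, 6, 7, 3, 0)
WINDOW_END = datetime(2009, 6, 7, 5, 0)


def plan_reboots(servers, window_start=WINDOW_START, window_end=WINDOW_END,
                 spacing_minutes=30):
    """Assign each auto-reboot server a slot inside [window_start, window_end).

    Servers are grouped per site and spaced spacing_minutes apart within the
    site, so no two machines at one site reboot together; sites run in
    parallel.  Returns:
      schedule -- {name: reboot datetime}
      manual   -- names handed to the NOC instead of rebooted automatically
      overflow -- names whose slot would fall outside the window; these are
                  NOT scheduled and need a second window or a manual reboot
    """
    spacing = timedelta(minutes=spacing_minutes)
    by_site = defaultdict(list)
    manual = []
    for s in servers:
        if s.get("manual_reboot"):
            manual.append(s["name"])
        else:
            by_site[s["site"]].append(s)

    schedule, overflow = {}, []
    for site, members in by_site.items():
        # Domain controllers take the earliest slots, so they end up spaced
        # furthest apart from each other.
        ordered = sorted(members, key=lambda m: (m["role"] != "DC", m["name"]))
        for i, s in enumerate(ordered):
            slot = window_start + i * spacing
            if slot >= window_end:
                overflow.append(s["name"])
            else:
                schedule[s["name"]] = slot
    return schedule, manual, overflow


def concurrent_dc_outages(schedule, servers, reboot_minutes=15):
    """Sites where two DCs' reboot intervals overlap, assuming each reboot
    keeps a box down for reboot_minutes.  An empty list means the plan is safe."""
    down_for = timedelta(minutes=reboot_minutes)
    dcs = defaultdict(list)
    for s in servers:
        if s["role"] == "DC" and s["name"] in schedule:
            dcs[s["site"]].append(schedule[s["name"]])
    bad = []
    for site, times in dcs.items():
        times.sort()
        if any(b < a + down_for for a, b in zip(times, times[1:])):
            bad.append(site)
    return bad


if __name__ == "__main__":
    sched, manual, overflow = plan_reboots(SERVERS)
    for name, t in sorted(sched.items(), key=lambda kv: (kv[1], kv[0])):
        print(f"{t:%H:%M}  {name}")
    print("manual (e-mail NOC):", manual)
    print("no slot in window:", overflow)
    print("sites with overlapping DC reboots:", concurrent_dc_outages(sched, SERVERS))
```

    With the sample inventory, site A's fifth server lands on 05:00 and is reported as overflow rather than silently rebooted outside the window; the DC overlap check is the thing to re-run if someone tightens the spacing.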
  • I can't imagine anyone testing the enormous number of patches. In theory it sounds good, but in practice - no way...

    I'm just starting to use PM and decided to auto-approve Security Updates (Critical, Important and Moderate). I'll review other patches manually. But I sure don't have time to test all these patches... Besides, each machine is so unique, that I doubt testing would be of much value other than catching a seriously flawed patch (which I presume Microsoft would catch).

    Legacy Forum Name: Patch Management,
    Legacy Posted By Username: ReedMikel
  • kcears
    For desktops I scan twice a day for patch status (3am and 3pm), and deploy once daily between 3:30-5:30am. I auto-approve the critical and high security patches, and leave everything else to Pending.

    For servers I have everything set to Pending and I review the available patches once a week for approval. We then have the servers do their patch status scan around 7pm on Saturday night, start installing patches around 11pm, and then do auto-reboots for most clients between 3-5am, making sure that if there are multiple servers at a site we stagger the reboots by 30 minutes so we don't have all the DCs down at once or something like that.

    I don't know if this is the best way to do it, but it's been working for us and we manage a total of about 1500 agents right now. If I ran my own network I would setup a test environment and test patches, but with all the different LOB apps we support for our clients there isn't enough time in a month to test all the patches with all the configs. I just try to keep an eye on the net to see if any patches are causing any major headaches.



    Are you using Kaseya's Auto-Update for installing the missing patches? What reboot options are you using? Do you download the patches then schedule a reboot later or reboot if no response from user?

    Thanks!

    Legacy Forum Name: Patch Management,
    Legacy Posted By Username: billmccl
  • billmccl
    Are you using Kaseya's Auto-Update for installing the missing patches? What reboot options are you using? Do you download the patches then schedule a reboot later or reboot if no response from user?

    Thanks!


    Yes we use Kaseya to handle the patching. For most of our servers we auto-reboot them, however for about 10% of them we just have it e-mail our NOC and then we do those reboots manually due to application issues or client requests. For workstations we have it prompt the user to reboot and then just auto-reboot if there's no response in 15 minutes.

    Legacy Forum Name: Patch Management,
    Legacy Posted By Username: kcears
  • If we are not reviewing the patches prior to install, why not just turn windows autoupdate on?

    Legacy Forum Name: Patch Management,
    Legacy Posted By Username: rvines@axcelltech.com
    I do not use Windows AU because I do not want to blindly approve everything. But I do want certain categories (e.g. Security) auto-approved. But certainly not things like IE7, or Service Packs etc.

    Are you serious - that you check every Security patch on every operating system? Yikes

    Legacy Forum Name: Patch Management,
    Legacy Posted By Username: ReedMikel
  • kcears
    For desktops I scan twice a day for patch status (3am and 3pm), and deploy once daily between 3:30-5:30am. I auto-approve the critical and high security patches, and leave everything else to Pending.


    Hi kcears,

    How do you schedule two patch scans? In the Patch Mgmt > Scan Machine section I can schedule it for 3:00am recurring every 1 days, but then how do you also have it run at 3:00pm?

    Also what is your reasoning with running it twice a day?

    Thanks,

    Legacy Forum Name: Patch Management,
    Legacy Posted By Username: djmundy
    We create patch groups; thin clients, servers, workstations, and test. The test group gets every patch approved for install ~7 days after it comes out. Test machines are usually not mission critical machines but they have a good snapshot of the software the client is running. If we don't have any issues with the Test computers we approve the patches for the workstations group. This usually takes another ~7 days. Servers only get approved patches ~30 days after the patch is released. I figure everyone else should have had problems with the patches and fixes have been published by then. Thin clients only get critical patches because the hard drive space is minimal and patching will eat up the drive space pretty quickly.

    We run one patch cycle per week and we split the patch nights across the client base so if something goes wrong we can catch it before it affects every client. Depending on the number of PCs we start patching at 3AM and stagger every five. The patches are stored on the server nearest the PCs. Patching should be done by opening that morning and just waiting for the client to reboot the computer if PM didn't do it already.

    If we get zero day notices from firewall vendors or MS then we will move the patch process along faster. Patching is kind of a science, most of the clients we work with are 100 patches behind on any given machine when we take over and by the time the first month is out we are around 50% fully patched, I haven't touched a single machine and have spent zero minutes supporting patch management to that point. It was never that way with WSUS. And that makes me happy.

    Legacy Forum Name: Patch Management,
    Legacy Posted By Username: reynoldsb5
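    The ring policy reynoldsb5 lays out (test at ~7 days, workstations ~7 days after a clean test, servers at ~30 days, thin clients critical-only, zero-day notices jumping the queue), combined with the earlier posts' rule of auto-approving Security Updates by severity while holding service packs and browser upgrades for a human, as an added example. This is illustrative Python written for this thread, not Kaseya's approval engine; the patch catalogue, the test-ring results and every name below are constructed for the example.

```python
from datetime import date

# Constructed sample of what a weekly review might see (not from the post).
PATCHES = [
    {"id": "KB-A", "category": "Security Update", "severity": "Critical",
     "released": date(2009, 6, 9)},
    {"id": "KB-B", "category": "Security Update", "severity": "Moderate",
     "released": date(2009, 6, 9)},
    {"id": "KB-C", "category": "Service Pack", "severity": None,
     "released": date(2009, 6, 9)},
    {"id": "KB-D", "category": "Security Update", "severity": "Important",
     "released": date(2009, 6, 16), "zero_day": True},
]
TODAY = date(2009, 6, 25)                      # day of the weekly review
TEST_RESULTS = {"KB-A": "ok", "KB-B": "failed"}  # what the test ring reported

# Days after release before a ring may receive a patch (the post's numbers:
# test ~7, workstations another ~7, servers ~30).
RING_DELAY_DAYS = {"test": 7, "workstations": 14, "servers": 30}
# Categories that are approved automatically once the ring's delay has
# elapsed; everything else (service packs, new IE versions, ...) stays
# Pending until a person approves it.
AUTO_APPROVE_CATEGORIES = {"Security Update"}
# Thin clients have little disk, so they only ever get Critical patches.
THIN_CLIENT_SEVERITIES = {"Critical"}


def decide(patch, ring, today, test_results):
    """Return (action, reason) for one patch in one ring.

    action is "approve", "pending" (held for review or until the ring's delay
    elapses) or "skip" (never deployed to this ring).
    test_results maps patch id -> "ok" | "failed" as reported by the test ring.
    """
    age = (today - patch["released"]).days
    if ring == "thin_clients":
        if patch["severity"] in THIN_CLIENT_SEVERITIES:
            return "approve", "critical-only ring"
        return "skip", "not Critical; thin-client disk too small"

    # Zero-day notice from MS or a firewall vendor: push through every ring now.
    if patch.get("zero_day"):
        return "approve", "zero-day: accelerated past ring delay"

    if patch["category"] not in AUTO_APPROVE_CATEGORIES:
        return "pending", f"{patch['category']} needs manual approval"

    delay = RING_DELAY_DAYS[ring]
    if age < delay:
        return "pending", f"only {age}d old; {ring} waits {delay}d"

    # Later rings are gated on the test ring not having reported breakage.
    if ring != "test" and test_results.get(patch["id"]) != "ok":
        status = test_results.get(patch["id"], "no result yet")
        return "pending", f"test ring status: {status}"
    return "approve", f"{age}d old, past {delay}d delay"


def approval_sheet(patches, today, test_results,
                   rings=("test", "workstations", "servers", "thin_clients")):
    """{ring: {patch_id: action}}: what to set per group in the console this week."""
    return {r: {p["id"]: decide(p, r, today, test_results)[0] for p in patches}
            for r in rings}


if __name__ == "__main__":
    for ring, actions in approval_sheet(PATCHES, TODAY, TEST_RESULTS).items():
        print(ring)
        for p in PATCHES:
            action, why = decide(p, ring, TODAY, TEST_RESULTS)
            print(f"  {p['id']:<5} {action:<8} {why}")
```

    The order of the checks is the policy: the thin-client rule runs before the zero-day rule, so an accelerated Important patch still does not land on a thin client, and the age gate runs before the test-result gate, so a patch the test ring broke on is reported as "too young" for servers rather than as "failed" until it is old enough to matter.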
  • djmundy
    Hi kcears,

    How do you schedule two patch scans? In the Patch Mgmt > Scan Machine section I can schedule it for 3:00am recurring every 1 days, but then how do you also have it run at 3:00pm?

    Also what is your reasoning with running it twice a day?

    Thanks,


    I just set it to scan every 12 hours, once at 3am and again at 3pm. The reason I do it twice is mainly for more accurate reporting in case users are leaving machines off at night. If the machine is off at 3am and never runs the scan, we won't know that it's missing patches. This way we have a better chance of catching it online at least one of those two times during the day.

    Legacy Forum Name: Patch Management,
    Legacy Posted By Username: kcears
  • rvines@axcelltech.com
    If we are not reviewing the patches prior to install, why not just turn windows autoupdate on?



    As Reed said, it's not that we just set all patch categories to Approved and let it fly, but I just don't have the manpower to test every little patch Microsoft puts out either. Everything that gets pushed to the servers is reviewed and approved manually, however any high-priority security patches are auto-approved for desktops. We manually approve the other groups that would include things like IE8 or SP3 for XP.

    Legacy Forum Name: Patch Management,
    Legacy Posted By Username: kcears