Kaseya Community

Patch Management Best Practices

  • We're looking to see if anyone out there has some best practices they can share with patch management. Here are some of the gotchas we are running into:

    1. We'd like to automate the process as best we can, but are uneasy about being too "hands off" with patching. Currently, we have patch approval policies in place and we use the Patch Update function once per month to update our customers. We find that this needs quite a bit of babysitting, as patches fail constantly for whatever reason and we have to re-deploy them until they all eventually get patched. We've gone through the initial pains of tracking down firewall issues, setting clients that have a large number of desktops to use an installation source on the LAN, etc., so we think we've got most of our infrastructure items in place, but we are just a little disappointed in how much effort goes into making sure desktops are fully patched.

    2. Is there a better way to do the above?

    3. What about prompting for reboots? We currently prompt the users to reboot during the day and they get reminded every 2 minutes. Would it be best to schedule at night? Perhaps Wake On LAN may be something we take advantage of?

    I know there have got to be others who have been there, done that, and perhaps you can lead us in the right direction.

    Thanks in advance for your time

    -Don Jones, Ashton Technology Solutions, Inc.

    Legacy Forum Name: Patch Management Best Practices,
    Legacy Posted By Username: donjjones
  • While patch management needs some improvements (i.e. broader product support), it's not that bad.

    1. Use the patch approval process. Several others on the forum complained about Kaseya including the update to IE7 as a patch. If you don't use the approval process, you're at Kaseya's mercy as to what will happen. They typically make good decisions, but all their decisions may not meet your approval.

    2. Use a test group for initial deployment of patches. This way you'll find most patch-related problems before a complete deployment. I personally use my internal systems and a few others at some key clients.

    3. Use templates for scheduling patch scan and automatic patching processes. Templates simplify agent setup and make keeping things consistent easier.

    4. Set the file source and office source, as these will typically be location or site dependent.

    5. I recommend patching during off hours; this way you don't annoy the users. I personally use the reboot option "If user logged in ask permission. Do nothing if no response in XX (we use 15) minutes. Reboot if user not logged in." for the workstations. This way the system will patch, reboot, and be ready for use the next morning. I use the send an e-mail option for servers. I then reboot them as needed. You can use WOL if needed to turn the systems on for patching.

    6. Beware: some patches will stop services. This is quite common with ISA and Exchange updates. This can mean users come in to a non-working Exchange server. You can avoid this by making sure you reboot soon after the patches finish, or possibly by monitoring and restarting the related services.

    7. Office 2000 patches do not install without users logged on answering the patching prompts. I only have a small number of these systems left, so I remote control and answer the prompts myself. However, if you have lots of Office 2000, I recommend documenting this for those users. Upgrading them to a later version of Office is even better!

    8. Check the patch command lines before you approve the patch. Sometimes Kaseya will not have switches to silently install. I typically change and test them. Note, this has been better lately. But it never hurts to check them to be sure.

    Basically, after setting patch management up, you should only have to approve patches per your approval groups and troubleshoot any failed patches.

    Good luck.

    Legacy Forum Name: Patch Management,
    Legacy Posted By Username: connectex
  • Thanks for the info! We went ahead and started using Automatic Update based on policies. Found that a few servers looked like they went ahead and started installing during the day even though I scheduled them later in the evening. I think it may be due to the fact that we UNchecked the "Skip if machine offline" feature, but we're not 100% sure yet.

    Legacy Forum Name: Patch Management,
    Legacy Posted By Username: donjjones