/build/static/layout/Breadcrumb_cap_w.png
09/20/2019 223 views

Currently in the process of resetting up our patch schedules for Windows updates and I thought I'd ask what everyone does to see if it gives me any ideas.

Currently we have:

weekly pilot patching on Wednesday

weekly production patching on Thursday

critical updates that are 60 days old pushed out on the first monday on every month

3rd party patching ? - still working on this one.

Answer Summary:
Patching Schedules: G_Detect_All: runs every monday on all machines with a full detect on all systems, so the system can download the needed patches in the nightly schedule G_Deploy_Pilot: runs a Deploy on all Pilot machines on Wednesday G_Deploy_Prod: runs a Deploy on all Production machines on Thursday A good idea would be: Check if the systems are mobile devices or fixed devices. With fixed devices you can run in the night a Wake On Lan - Run the Deploy - Shutdown - task chain. This would be an ideal split of the production devices. (2 groups) Laptops are hard to WOL if they are not in the network but fixed workstations have this option. This would bring down the annoyance of the users with patching popups.
0 Comments   [ + ] Show comments

Comments


Answer Chosen by the Author

1

Ask 2 people and you will get 12 answers.

At first: You should update to 10.0 since the 10.0 has a new patching engine, so some labels and schedules, which are linked to the "old" tables needs to be redone after the update)

I by myself patch all patchable on a machine group at the same time (so OS and application patches in one task)
It is always more effective to touch a machine only once instead of multiple patching schedules on the same machine.

Also you should run a detect job at least 48hr before the patching.
So from what I read you need (I use the naming convention I use in my env) the following:

Note: I still use M for Machines, which was the name for this group before it was renamed Devices a few years ago)
Label: M_SL_Pilot (device smart label with the pilot devices)
Label: M_SL_Prod (device smart label with the prod devices)

Patching Labels (I don't use them, I use all types except "Full Software")
9k=

This setup has a pro and a con:
Pro: you don't need any patching label
Con: you will not be able to use direct updates (from Acrobat Reader X to XI or similar) I have MI for that which updates to new major versions regulary.

Patching Schedules:

G_Detect_All:  runs every monday on all machines with a full detect on all systems, so the system can download the needed patches in the nightly schedule
G_Deploy_Pilot: runs a Deploy on all Pilot machines on Wednesday
G_Deploy_Prod: runs a Deploy on all Production machines on Thursday

A good idea would be:
Check if the systems are mobile devices or fixed devices. With fixed devices you can run in the night a Wake On Lan - Run the Deploy - Shutdown - task chain.
This would be an ideal split of the production devices. (2 groups) Laptops are hard to WOL if they are not in the network but fixed workstations have this option.
This would bring down the annoyance of the users with patching popups.

Answered 09/23/2019 by: Nico_K
Red Belt

  • Great information to use as a starting point. I didn't even think to let third party apps update at the same time as the windows updates