    Patch Management Practice Question...


      This is probably a silly/simple question.  But here is the situation.  I use global autofix (except servers) and I am behind on patch management.  Should I enable patches from March that were replaced in June, if I am also enabling the June patch?  (The patches in question have been tested and approved for distribution)


      Thinking it out, from a technical point of view, I am quite certain it is not necessary to enable the patch from March, however, as I catch up and patches are released and replaced in the future, is it going to be high maintenance to check to see which patches have been replaced, find that patch and remove it from autofix?


      Does anyone else have a process such as:

      1) Download latest patches

      2) Test new patches

      3) Apply new patches

      4) Retire patches that have been replaced



      I could use confirmation that I am on the right track or an alternate technique/process if I am not on the right track.


      Thanks for the insight,
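Not part of the thread: an added Python illustration of step 4 above (retiring patches that have been replaced). It assumes a simple constructed catalogue model, a `replaced_by` pointer and an `approved` flag per patch, not the patch management product's own data format, and resolves each replacement chain to the newest approved patch, so the March patch is retired when an approved June patch replaces it, but stays enabled if the June patch has not yet passed testing.

```python
from __future__ import annotations
from dataclasses import dataclass
from typing import Optional

# Constructed catalogue model: one record per patch in the download folder.
@dataclass(frozen=True)
class Patch:
    pid: str                          # catalogue identifier (constructed)
    released: str                     # YYYY-MM, for readability only
    approved: bool                    # passed the custom test group
    replaced_by: Optional[str] = None # id of the newer patch that supersedes it

def newest_approved(pid: str, catalogue: dict[str, Patch]) -> Optional[str]:
    """Follow the replacement chain from pid and return the id of the newest
    approved patch in it, or None if nothing in the chain is approved yet."""
    seen: set[str] = set()            # guards against cyclic metadata
    best = None
    cur = catalogue.get(pid)
    while cur is not None and cur.pid not in seen:
        seen.add(cur.pid)
        if cur.approved:
            best = cur.pid
        cur = catalogue.get(cur.replaced_by) if cur.replaced_by else None
    return best

def plan_autofix(catalogue: dict[str, Patch]) -> tuple[list[str], list[str]]:
    """Return (enable, retire): enable holds the newest approved member of
    each replacement chain, retire holds patches superseded by an approved one.
    Patches whose chain has no approved member are left untouched."""
    enable, retire = set(), set()
    for p in catalogue.values():
        target = newest_approved(p.pid, catalogue)
        if target is None:
            continue                  # nothing approved yet; leave as-is
        if target == p.pid:
            enable.add(p.pid)
        else:
            retire.add(p.pid)         # an approved newer patch replaces it
    return sorted(enable), sorted(retire)

# Constructed sample data: a Jan -> Mar -> Jun chain (all approved), a
# standalone patch, and an old patch whose replacement is still in testing.
CATALOGUE = {p.pid: p for p in [
    Patch("P-JAN", "2024-01", True, replaced_by="P-MAR"),
    Patch("P-MAR", "2024-03", True, replaced_by="P-JUN"),
    Patch("P-JUN", "2024-06", True),
    Patch("P-SRV", "2024-05", True),
    Patch("P-OLD", "2024-02", True, replaced_by="P-NEW"),
    Patch("P-NEW", "2024-07", False),
]}

if __name__ == "__main__":
    print(plan_autofix(CATALOGUE))    # (['P-JUN', 'P-OLD', 'P-SRV'], ['P-JAN', 'P-MAR'])
```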


          Frank Wils ITSMMVPGroup



          In the Download Updates you can set patches to be downloaded to Unassigned unless they apply to certain rules. In those rules you can have newly downloaded patches automatically placed in a custom test group, and you can disable any replaced patch content automatically! This will make maintenance a bit easier.



            I have 2 custom groups set up - one to capture all my automatically downloaded patches & a second for Production.


            I have a test-bed of PCs set up to use the Auto download folder as their primary patch source - it is a mixture of different models & I have tried to use PCs that belong to more tech-savvy end users, who would know when something is definitely wrong, when their PC may simply need a restart or clearing of the temp internet cache, & if something is going on, will be able to report a good amount of detail when submitting the request for support.


            I wait about a month or so before moving patches into production so I can keep an eye on the tickets coming in & identify if one of those patches may be the cause of that PC's issue.


            Our IT Technical team is also in that list of Auto group scans so they can test & closely monitor the changes to identify any issues that may arise.

              Thank you for the response; however, before I start automating the process I am focusing a little more on the manual side, so if the automation breaks I will know what to look for.  That said, you did indeed answer the question I really needed answered, which is: do you toss out patches that have been replaced?  Again, thank you for your insight.