3 Replies Latest reply on May 16, 2017 3:24 PM by klevitan

    Scheduled patch and compliance

    sapperino Apprentice

      We are a schools district with about 8,000 windows devices on the network. We currently have patching setup to install critical/important updates once a month. The patches install to about 1,000 devices per day until all devices have had the patches pushed to them.

       

      Is this a good method for patching? What is the best practice for patching those devices? I'm curious if I can push to more devices at once and is there a standard for how often patches should be pushed out.

        • 1. Re: Scheduled patch and compliance
          klevitan Specialist

          The best method is the one that works for your environment.  I also manage about 8000 windows devices in an education environment.  We use a 5 phase deployment process for OS patches.

          On the Wednesday immediately after Patch Tuesday we deploy to my team and our test systems.  The next day we deploy to our field techs and a bunch of friendly users.

          On the following Thursday we deploy to 10% of our user population.  Tuesday 40% and then on Thursday the remaining 50%.

           

          This gives us time to keep an eye on what other people are discovering with the patches and to see how it behaves in our environment.

           

          We have 2 primary patch cycles each month.  One for OS patches and the other for 3rd party applications  The cycles are offset by about 2 weeks but follow a similar phased approach.

           

          We also have off-cycle deployments if needed.

           

          - Kurt

          • 2. Re: Scheduled patch and compliance
            sapperino Apprentice

            Thank you very much for your response. I think something similar will work for us.

            • 3. Re: Scheduled patch and compliance
              klevitan Specialist

              FYI:  Here is how I break my users in to groups automatically so I can do the % phased approach.

              I have a Data Translation Services rule to calculate a new field called GroupNum.  I use this command:  RetValue=Right("!Computer.ID!",1)

              to get the a number from 0-9.  This breaks my users in to 10 random groups.  So just add that field to my query.