Client Management Suite

  • 1.  Patch Management - best practices question

    Posted Oct 21, 2010 06:21 AM

    Hi,

    I was wondering how you guys deploy your MS hotfixes through patch management. Do you create a policy for each OS each month, or do you just have the 1 policy that rolls out to all OS each month? Trying to figure out the best way - if I have a policy for WinXP and a policy for Ser2003 that both contain the same update, will this have any performance impact? Suggestions welcome.

    Ta.

    Joe.

    Running latest version of CMS



  • 2.  RE: Patch Management - best practices question

    Posted Oct 21, 2010 07:14 AM

    In the testing phase of a patch rollout, I have one policy per bulletin.

    E.g. MS10-40 will be applied to a "CORP Patch Test Group" filter.

    After we validate that the updates do not affect the productivity of the test group, we edit the policy and apply it to the "All Windows Computers with Software Update Agent Installed" filter.

    There is a downside to creating a single policy which includes all the bulletins for a month. If a single bulletin/update is revised, the entire policy will be disabled. Thus, instead of having one disabled bulletin, you now have a whole month's bulletins.



  • 3.  RE: Patch Management - best practices question

    Posted Oct 21, 2010 08:41 AM

    We use one policy for all the bulletins for a month, so for example this month, it’s 11 bulletins out of the 16 that are relevant, with 69 actual software updates. 

    The “Automatically revise software update policies after Patch Management Import” and “Enable distribution of newly added software updates” settings are enabled, to hopefully cover revised updates without much intervention, though that might not be to everyone’s liking.

    I pilot the patches in advance to all the PCs in the IT department before a wider rollout.



  • 4.  RE: Patch Management - best practices question

    Posted Oct 21, 2010 12:39 PM

    Hi

    We have each individual patch (e.g. MS10-21), then group them in a folder for each month (e.g. "September 2010"). This is applied to a test group of selected users, then after 10 days rolled out to a custom collection of "all computers except servers".

    Servers are patched separately as they often require reboots after certain patches are applied. We have system leads that patch their own servers with Altiris patches when it suits them, obviously keeping them up to date.

    I just do all of the PCs, although we do have a few exceptions that we patch separately because of critical systems that suppliers do not want certain patches applied to.

     HTH  C