How do you make sure that your patches are tested before being widely deployed?
According to the documentation that comes with the KBox: "For a thorough test, devices should function normally for at least a week after being patched. If no problems are reported after a week, the patch can be deployed to the remaining devices on the network."
(Found here on the Kbox: /locale/en_US.UTF-8/doc/wwhelp/wwhimpl/common/html/frameset.htm?context=Admin&file=c_BestPracticesForPatching.html&single=true )
Has anyone figured out how to automate this? Is there a way to only deploy patches that you are sure have been deployed to a set of pilot systems for at least seven days?
I know how to label patches automatically by how old they are, but I can't figure out how to label them based on the earliest date they were installed.
Any and all suggestions are appreciated.
Thanks,
djz
Answers (2)
Posted by:
kelleyplumos
7 years ago
I have a pilot group ( manual label ) of around 40 computers from various departments. They are aware of the fact they are my patching guinea pigs.
I deploy patches to them twice a month, starting with the Thursday after Patch Tuesday.
They run for a week, and any problems get sent directly to me.
If, after a week, we've not seen anything in our testing or on the various sources I follow for patching issues, I then deploy to the entire company.
Posted by:
rockhead44
7 years ago
I have labels for the updates I am interested in once they have been released for between 20 and 35 days. I target that label to several labs of computers I have. I then have labels for the same updates once they are aged 35 days+. If we have no issues with the first set that was deployed, I organically allow the patches to join the 35+ days label and deploy to other machines.
Comments:
- How do you confirm that the test / lab machines actually successfully installed the patches before they end up on production machines? Do you manually review all the patches periodically? - zookdj 7 years ago
- I verify the patches installed. The folks who run those labs are aware that they are "early adopters" of patches and notify me of any trouble. Fortunately, waiting until the patches are 20-35 days old before deploying keeps problems to a minimum, as Microsoft has usually identified and replaced patches by that point. - rockhead44 7 years ago
- Hi Rock, are you using smart labels or manual labels? For example, if I create a smart label with Microsoft patches released in the last 30 days and apply it to test machines, and later apply that to end-user machines after a week, that will leave out a few patches and may apply new patches, right? How can I make sure the patches applied to test machines a week ago are the same as the patches that are going to be deployed a week later? - rahimpal 7 years ago
- Smart Labels. The date range takes care of that for you. If a patch has been on your Kbox for 28 days and deploys, it will almost assuredly be there 7 days later. It can get tricky with application patches, which can easily be superseded by a new release. I handle all application patching via Managed Installs/scripts and only patch Operating System updates. Here's my SQL code for MS critical patches, aged 20-35 days:
    SELECT UNIX_TIMESTAMP(RELEASEDATE) AS DATEPOSTED_SECONDS,
           KBSYS.PATCHLINK_PATCH.IS_APP,
           KBSYS.PATCHLINK_PATCH.IMPACTID AS DESCRIPTION,
           KBSYS.PATCHLINK_PATCH.RELEASEDATE AS DATEPOSTED,
           KBSYS.PATCHLINK_PATCH.IS_SUPERCEDED,
           KBSYS.PATCHLINK_PATCH.DESCR,
           KBSYS.PATCHLINK_PATCH.ID AS BID,
           KBSYS.PATCHLINK_PATCH.UID AS UID,
           KBSYS.PATCHLINK_PATCH.IDENTIFIER AS BULLETINID,
           KBSYS.PATCHLINK_PATCH.STATUSID AS STATUS,
           KBSYS.PATCHLINK_PATCH.TYPE,
           KBSYS.PATCHLINK_PATCH.VENDOR,
           UNPATCHED,
           YEAR(KBSYS.PATCHLINK_PATCH.RELEASEDATE) AS DATEPOSTED_YEAR,
           PATCHED,
           KBSYS.PATCHLINK_PATCH.TITLE,
           KBSYS.PATCHLINK_IMPACT.IMPACT_SEQ,
           PATCHLINK_PATCH_STATUS.STATUS AS PATCH_STATUS,
           CACHE_SIZE AS CACHE_SIZE,
           KBSYS.PATCHLINK_PATCH.ID AS TOPIC_ID
    FROM KBSYS.PATCHLINK_PATCH
    LEFT JOIN PATCHLINK_PATCH_COUNT ON PATCHLINK_PATCH_COUNT.PATCHUID = KBSYS.PATCHLINK_PATCH.UID
    JOIN KBSYS.PATCHLINK_IMPACT ON KBSYS.PATCHLINK_IMPACT.IMPACT = KBSYS.PATCHLINK_PATCH.IMPACTID
    LEFT JOIN PATCHLINK_PATCH_STATUS ON PATCHLINK_PATCH_STATUS.PATCHUID = KBSYS.PATCHLINK_PATCH.UID
    -- Microsoft critical patches whose release date falls in the window
    -- (now - 35 days, now - 20 days], i.e. aged 20-35 days
    WHERE ((KBSYS.PATCHLINK_PATCH.VENDOR = 'Microsoft Corp.')
      AND (KBSYS.PATCHLINK_PATCH.IMPACTID = 'Critical')
      AND ((TIMESTAMP(KBSYS.PATCHLINK_PATCH.RELEASEDATE) > NOW()
            OR TIMESTAMP(KBSYS.PATCHLINK_PATCH.RELEASEDATE) <= DATE_SUB(NOW(), INTERVAL 20 DAY)))
      AND ((TIMESTAMP(KBSYS.PATCHLINK_PATCH.RELEASEDATE) <= NOW()
            AND TIMESTAMP(KBSYS.PATCHLINK_PATCH.RELEASEDATE) > DATE_SUB(NOW(), INTERVAL 35 DAY))))
And my code for MS critical patches, aged more than 35 days:
    SELECT UNIX_TIMESTAMP(RELEASEDATE) AS DATEPOSTED_SECONDS,
           KBSYS.PATCHLINK_PATCH.IS_APP,
           KBSYS.PATCHLINK_PATCH.IMPACTID AS DESCRIPTION,
           KBSYS.PATCHLINK_PATCH.RELEASEDATE AS DATEPOSTED,
           KBSYS.PATCHLINK_PATCH.IS_SUPERCEDED,
           KBSYS.PATCHLINK_PATCH.DESCR,
           KBSYS.PATCHLINK_PATCH.ID AS BID,
           KBSYS.PATCHLINK_PATCH.UID AS UID,
           KBSYS.PATCHLINK_PATCH.IDENTIFIER AS BULLETINID,
           KBSYS.PATCHLINK_PATCH.STATUSID AS STATUS,
           KBSYS.PATCHLINK_PATCH.TYPE,
           KBSYS.PATCHLINK_PATCH.VENDOR,
           UNPATCHED,
           YEAR(KBSYS.PATCHLINK_PATCH.RELEASEDATE) AS DATEPOSTED_YEAR,
           PATCHED,
           KBSYS.PATCHLINK_PATCH.TITLE,
           KBSYS.PATCHLINK_IMPACT.IMPACT_SEQ,
           PATCHLINK_PATCH_STATUS.STATUS AS PATCH_STATUS,
           CACHE_SIZE AS CACHE_SIZE,
           KBSYS.PATCHLINK_PATCH.ID AS TOPIC_ID
    FROM KBSYS.PATCHLINK_PATCH
    LEFT JOIN PATCHLINK_PATCH_COUNT ON PATCHLINK_PATCH_COUNT.PATCHUID = KBSYS.PATCHLINK_PATCH.UID
    JOIN KBSYS.PATCHLINK_IMPACT ON KBSYS.PATCHLINK_IMPACT.IMPACT = KBSYS.PATCHLINK_PATCH.IMPACTID
    LEFT JOIN PATCHLINK_PATCH_STATUS ON PATCHLINK_PATCH_STATUS.PATCHUID = KBSYS.PATCHLINK_PATCH.UID
    -- active (STATUS = '0') Microsoft critical patches released 35 or more days ago
    WHERE ((PATCHLINK_PATCH_STATUS.STATUS = '0')
      AND (KBSYS.PATCHLINK_PATCH.VENDOR = 'Microsoft Corp.')
      AND (KBSYS.PATCHLINK_PATCH.IMPACTID = 'Critical')
      AND ((TIMESTAMP(KBSYS.PATCHLINK_PATCH.RELEASEDATE) > NOW()
            OR TIMESTAMP(KBSYS.PATCHLINK_PATCH.RELEASEDATE) <= DATE_SUB(NOW(), INTERVAL 35 DAY))))
  - rockhead44 7 years ago
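The thread describes two different staging rules: rockhead44's date-only smart labels (pilot at 20-35 days since release, production at 35+ days) and the gate djz originally asked for (deploy widely only once the patch has been installed on pilot systems for at least seven days, with zookdj's follow-up that pilot installs must actually have succeeded). The following Python is an added example, not code from the thread or from KACE/KBox; it models both rules over constructed patch and pilot-install records so the difference is visible. The `Patch`/`PilotInstall` records, the KB identifiers, device names and dates are all made up, and the policy constants are the values quoted in the thread.

```python
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional, Tuple

# Policy values taken from the thread: rockhead44's 20-35 day pilot window and
# 35+ day production window, and the KBox documentation's one-week soak period.
PILOT_MIN_AGE_DAYS = 20
PILOT_MAX_AGE_DAYS = 35
SOAK_DAYS = 7


@dataclass(frozen=True)
class Patch:
    uid: str            # hypothetical identifier, not a real KACE patch UID
    title: str
    release_date: date
    superseded: bool = False


@dataclass(frozen=True)
class PilotInstall:
    patch_uid: str
    device: str
    installed_on: date
    succeeded: bool     # False means the install failed or a problem was reported


def age_label(patch: Patch, today: date) -> Optional[str]:
    """Date-only staging, equivalent to rockhead44's two smart-label queries.

    Pilot:      RELEASEDATE in (now - 35 days, now - 20 days]  ->  20 <= age < 35
    Production: RELEASEDATE <= now - 35 days                   ->  age >= 35
    Future-dated or very fresh patches get no label at all.
    """
    age = (today - patch.release_date).days
    if age < 0:
        return None
    if PILOT_MIN_AGE_DAYS <= age < PILOT_MAX_AGE_DAYS:
        return "pilot"
    if age >= PILOT_MAX_AGE_DAYS:
        return "production"
    return None


def production_gate(patches: List[Patch], installs: List[PilotInstall],
                    today: date) -> Tuple[List[str], Dict[str, str]]:
    """Install-evidence staging: the automation the original question asks for.

    A patch is cleared for wide deployment only when it is not superseded, every
    recorded pilot install succeeded, and the earliest pilot install is at least
    SOAK_DAYS old. Returns (ready_uids, holds) where holds maps uid -> reason.
    """
    by_patch: Dict[str, List[PilotInstall]] = {}
    for rec in installs:
        by_patch.setdefault(rec.patch_uid, []).append(rec)

    ready: List[str] = []
    holds: Dict[str, str] = {}
    for p in patches:
        recs = by_patch.get(p.uid, [])
        if p.superseded:
            holds[p.uid] = "superseded by a newer release; re-pilot the replacement"
            continue
        if not recs:
            holds[p.uid] = "no pilot installs recorded"
            continue
        failed = sorted(r.device for r in recs if not r.succeeded)
        if failed:
            holds[p.uid] = "failed on pilot device(s): " + ", ".join(failed)
            continue
        soaked = (today - min(r.installed_on for r in recs)).days
        if soaked < SOAK_DAYS:
            holds[p.uid] = f"only {soaked} day(s) in pilot, need {SOAK_DAYS}"
            continue
        ready.append(p.uid)
    return sorted(ready), holds


# Constructed sample data (not from any real KBox).
TODAY = date(2024, 3, 20)
PATCHES = [
    Patch("KB-A", "Cumulative update A", date(2024, 2, 20)),                 # 29 days old
    Patch("KB-B", "Cumulative update B", date(2024, 2, 1)),                  # 48 days old
    Patch("KB-C", "Servicing stack C", date(2024, 2, 5)),                    # 44 days old
    Patch("KB-D", "Driver update D", date(2024, 1, 25), superseded=True),    # 55 days old
    Patch("KB-E", "Update E", date(2024, 3, 18)),                            # 2 days old
]
INSTALLS = [
    PilotInstall("KB-A", "pilot-01", date(2024, 3, 11), True),   # first install 9 days ago
    PilotInstall("KB-A", "pilot-02", date(2024, 3, 12), True),
    PilotInstall("KB-B", "pilot-01", date(2024, 3, 16), True),   # only 4 days in pilot
    PilotInstall("KB-C", "pilot-01", date(2024, 3, 8), True),
    PilotInstall("KB-C", "pilot-03", date(2024, 3, 8), False),   # failed on one lab machine
]


def main() -> None:
    for p in PATCHES:
        print(f"{p.uid}: date-only label = {age_label(p, TODAY)}")
    ready, holds = production_gate(PATCHES, INSTALLS, TODAY)
    print("cleared for production:", ready)
    for uid, reason in holds.items():
        print(f"held {uid}: {reason}")


if __name__ == "__main__":
    main()
```

With the sample data, the date-only rule puts KB-B, KB-C and KB-D in the production label purely on age, while the install-evidence gate holds KB-C (a pilot failure) and KB-D (superseded) and only clears KB-A, which is still inside the 20-35 day pilot window. Running both rules and deploying only patches that pass the evidence gate addresses zookdj's question about confirming that lab installs actually succeeded; the date window alone cannot see that.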