Ideas on grouping computers for patching
I have a ton of computers at a bunch of sites and remote home offices. Just looking for ideas on ways to automatically group computers for patching other than grouping them by site or something that changes often. I would probably like to split them into 5 or more groups.
I was originally thinking I would make 5 Smart Labels, but then I was thinking it might not be great because the IPs move around a lot when they travel:
- Patch Group 1 - IP ends in 0 or 1 -->> Scheduled for Monday
- Patch Group 2 - IP ends in 2 or 3 -->> Scheduled for Tuesday
- Patch Group 3 - IP ends in 4 or 5 -->> Scheduled for Wednesday
- Patch Group 1 - IP ends in 6 or 7 -->> Scheduled for Thursday
- Patch Group 1 - IP ends in 8 or 9 -->> Scheduled for Friday
What are some of the ideas you use to space out the patching schedules that do not involve any manual intervention?
Answers (1)
You should set up Replication shares on your sites and base your patching groups on those repositories. Group them so they use the Replication share that has the least impact on the network.
Comments:
- We have the local replications set up and tagged with labels to enable users to pull from those servers when onsite. Some sites have 50-100 users, so we are just looking for ways to space out the patch schedules so they do not crush the servers. - JordanNolan 5 years ago
- I have 2-3 hundred on some replication sites. We did not try to split the machines apart; we split the types of patches apart. We patch all machines at the same time for each type of patch.
1. Critical Microsoft patches
2. Not Critical Microsoft patches
3. Critical Not Microsoft patches
4. Not Critical Not Microsoft patches
Now with the SMA having WOL, we have started waking the machines up a couple of hours prior to the start of the work day and run the patching then. - SMal.tmcc 5 years ago
- Have you used a KACE script to configure WOL with Dell Command Config? I think that is going to be my next project. I just think it is easier to tell everyone to shut down the computer instead of logging out and leaving it on. - JordanNolan 5 years ago
- Yes, I have a couple of different scripts for WOL settings. I created a portable version of the Dell C|C so I do not worry what version or if it is even installed.
I zip the C:\Program Files (x86)\Dell\Command Configure\X86_64 and C:\Program Files (x86)\Dell\Command Configure\X86_64\HAPI up as one file and add that as a dependency to the scripts.
This is one I run (the last line, a wake-up on Friday, is for WSUS patching that runs at 1am Saturday):
Launch “$(KACE_DEPENDENCY_DIR)\hapiinstall.bat” with params “”.
Launch “$(KACE_DEPENDENCY_DIR)\cctk.exe” with params “--wakeonlan=enable --embnic1=on --deepsleepctrl=disable”.
Launch “$(KACE_DEPENDENCY_DIR)\cctk.exe” with params “--autoon=fri --autoonhr=20 --autoonmn=00”. - SMal.tmcc 5 years ago
I would probably separate computers based on something you might already be tracking. For instance, we make extensive use of LDAP labels that match our OU layout, which is done by department. If you have something similar you could optimize your departments into five groups of equal size. Add those labels to the appropriate patching schedules and you should be good to go. - chucksteel 5 years ago
I also want to prevent the computers from crushing the K1000 or their local distribution share so I do not want to go by site, IP, anything that needs maintaining.
I did some reading up on REGEX syntax last night and I think I might be onto something. My standard naming convention is:
Site Prefix + Hyphen + First Initial + Last Name (nyc-bsmith). I was thinking I might be able to use the REGEX option to use the LAST character of the computer name to put them in a group.
I gave this a try last night:
System Name Matches Regex a$|b$|c$|d$|e$|1$|2$
Operating System Name Does Not Contain Server
I figure I could separate A-Z and 0-9 into 4 groups that distribute the computers pretty evenly. I would imagine this would always be pretty balanced if I get the mix right, and it would be something that would not need any maintenance other than an occasional shift of a letter or number into another group if they become very unbalanced.
My only question is using the REGEX. I do not see it mentioned very often so I am wondering if this could cause issues. - JordanNolan 5 years ago
I ended up creating a manual label called "Patch Group 1" where I would manually maintain the computers getting the first run of patches for testing. These computers would get all new patches. Then I created 4 other smart labels and configured them as:
System Name Matches Regex a$|b$|c$|d$|e$|1$|2$
Operating System Name Does Not Contain Server
Label Name != Patch Group 1
I just had to balance out the REGEX parameters for [0-9] and [A-Z] and I now have 5 patching groups that do not require any manual intervention going forward unless I end up with a bunch of employees that all happen to have the same last character in their name. - JordanNolan 5 years ago
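The last-character grouping described in the comments above, worked through as an added example (not part of the original thread and not KACE's own code): it balances the endings `[a-z0-9]` across four smart-label regexes from an inventory export and checks that every machine outside the pilot label matches exactly one group, so no host is left without a patch schedule. The function names and the sample inventory are constructed for illustration; hostnames are lower-cased before matching, and the "Does Not Contain Server" criterion is assumed to be applied separately in the label.

```python
import re
import string
from collections import Counter

ALNUM = string.ascii_lowercase + string.digits  # every ending we must cover

def build_patch_groups(hostnames, n_groups=4, pilot=()):
    """Return [(regex, members)]: hosts split by last character, balanced by count."""
    if not 1 <= n_groups <= len(ALNUM):
        raise ValueError("n_groups must be between 1 and 36")
    pilot_set = {p.lower() for p in pilot}
    names = sorted({h.lower() for h in hostnames if h} - pilot_set)
    # Start every possible ending at 0 so endings not seen yet still get a group.
    counts = Counter({c: 0 for c in ALNUM})
    counts.update(n[-1] for n in names if n[-1] in ALNUM)
    buckets = [[0, []] for _ in range(n_groups)]  # [machine count, endings]
    # Greedy: most common ending first, into the currently smallest group.
    for ch, cnt in sorted(counts.items(), key=lambda kv: (-kv[1], kv[0])):
        smallest = min(buckets, key=lambda b: (b[0], len(b[1])))
        smallest[0] += cnt
        smallest[1].append(ch)
    groups = []
    for _, chars in buckets:
        pattern = "[" + "".join(sorted(chars)) + "]$"
        groups.append((pattern, [n for n in names if re.search(pattern, n)]))
    return groups

def uncovered(hostnames, groups, pilot=()):
    """Hosts outside the pilot label that do not match exactly one group regex."""
    pilot_set = {p.lower() for p in pilot}
    todo = {h.lower() for h in hostnames if h} - pilot_set
    return sorted(h for h in todo
                  if sum(bool(re.search(p, h)) for p, _ in groups) != 1)

# Constructed sample inventory in the "site-flastname" naming convention.
SAMPLE = [
    "nyc-bsmith", "nyc-jjones", "bos-mgarcia", "bos-tnguyen", "chi-kpatel",
    "chi-lbrown", "rem-awilson", "rem-dmiller", "nyc-kiosk1", "bos-lab2",
    "chi-rdavis", "rem-cevans", "nyc-pmartin", "bos-hclark",
]
PILOT = ["nyc-bsmith"]  # the manually maintained "Patch Group 1"

if __name__ == "__main__":
    groups = build_patch_groups(SAMPLE, n_groups=4, pilot=PILOT)
    for i, (pattern, members) in enumerate(groups, start=2):
        print(f"Patch Group {i}: {pattern}  ({len(members)} machines)")
    print("uncovered:", uncovered(SAMPLE, groups, PILOT))
```

Re-running it against a fresh inventory export shows when one ending has grown enough that a letter or digit should move to another group.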