Running Windows Updates in "test" then "production" environments
I have been asked to do updates in a "test" server environment, then two weeks later perform those same updates - assuming no problems in test - to the production environment.
Labeling the machine test vs production is no issue, nor is setting up the two schedules; however, the clarity of being able to install the same updates to different machines two weeks later is an issue.
Is this possible with Kace1000?
Thanks,
Dave
Answers (2)
I've been experimenting with this. We do the same thing. After patch Tuesday we deploy to our test lab. At the end of the month we deploy to production. I created some test labels that still need to be refined some, but this will give you an idea.
This will get all Microsoft critical security patches that are less than 15 days old. This deploys to our test lab label. The INTERVAL 15 day line can be changed to match what you need, or just added to your existing labels.
select UID
from KBSYS.PATCHLINK_PATCH
where ((((KBSYS.PATCHLINK_PATCH.IS_SECURITY = '1')
  AND KBSYS.PATCHLINK_PATCH.IMPACTID = 'Critical')
  AND KBSYS.PATCHLINK_PATCH.VENDOR like '%microsoft%'
  AND KBSYS.PATCHLINK_PATCH.TITLE not rlike 'SERVER'
  AND KBSYS.PATCHLINK_PATCH.IS_SUPERCEDED = '0'
  AND KBSYS.PATCHLINK_PATCH.RELEASEDATE > DATE_SUB(NOW(), INTERVAL 15 DAY))
  AND (1 in (select 1 from PATCHLINK_PATCH_STATUS
             where PATCHLINK_PATCH.UID = PATCHLINK_PATCH_STATUS.PATCHUID
               and PATCHLINK_PATCH_STATUS.STATUS = '0')))
This will be after testing for patches older than 15 days.
select UID
from KBSYS.PATCHLINK_PATCH
where ((((KBSYS.PATCHLINK_PATCH.IS_SECURITY = '1')
  AND KBSYS.PATCHLINK_PATCH.IMPACTID = 'Critical')
  AND KBSYS.PATCHLINK_PATCH.VENDOR like '%microsoft%'
  AND KBSYS.PATCHLINK_PATCH.TITLE not rlike 'SERVER'
  AND KBSYS.PATCHLINK_PATCH.IS_SUPERCEDED = '0'
  AND KBSYS.PATCHLINK_PATCH.RELEASEDATE < DATE_SUB(NOW(), INTERVAL 15 DAY))
  AND (1 in (select 1 from PATCHLINK_PATCH_STATUS
             where PATCHLINK_PATCH.UID = PATCHLINK_PATCH_STATUS.PATCHUID
               and PATCHLINK_PATCH_STATUS.STATUS = '0')))
Comments:
- Wow, this is a great approach. - chucksteel 11 years ago
- Thanks. I'm still testing it, but it seems to be working. I've been looking at Microsoft's TechNet to match the bulletin every month. This month's matched. I figured if a patch does break my testing machines I just go into the patch detail and set it to inactive.
http://technet.microsoft.com/en-us/security/bulletin/ms13-mar - dugullett 11 years ago
It can be done but it depends on when you are doing them and what patches. You can create your labels for patches as needed and test them against your test server lab. Once you validate those you can:
1. Note the number of patches and see if it increases in two weeks
2. Or manually add them to a label called "approved patches" and then push them out to the production server. Since they were assigned manually they won't change, unlike the smart label, which could add new patches if they met the SQL requirements.
You would then push out the patches with the "approved patches" label.