What is included in patch management? Best practices
Start creating patch management policies by drawing up a set of rules. These rules give the patch management system its operating parameters, such as when each system is available for a patch run.
Your patch management policies need to be coordinated with business practices and system priorities. They will be implemented in the patch management system as a series of profiles. Here are a few tips:
1. Create separate profiles per device type and operating system
The patches you receive won’t apply to all of your devices, because each software package is closely tied to the operating system that runs it. You therefore don’t need to patch all systems simultaneously, and separate profiles give you that flexibility.
2. Separate out systems that are critical
Examples are the operating system itself or a service that writes an entry to the registry; patches to these programs require a system reboot. Other software packages don’t, and they should go in a separate patch rollout group.
3. Create a system preparation policy
Set up a profile that creates a system restore point, so that if something goes wrong during patch application everything can be rolled back to its state before the rollout began. Attach other admin policy actions to this profile, and schedule it to run before any patch rollout.
4. Create a regular window for patches
Identify a day of the week and an hour of the day each week when there is almost no user activity.
You don’t have to attend the rollout, but you need to be able to check system availability after it has completed and before the user community clocks in for work.
5. Leave gaps in the rollout schedule
If you are likely to apply patches to several policy groups in the same time frame, leave a gap of about an hour between their launch times. This gives each policy group time to complete its updates before the next begins. Run the lower-priority patch group that doesn’t require a reboot first, unless the patch release notes say otherwise.
6. Ensure that all devices are on
In the run-up to your weekly patch rollout slot, check the patch management system for patches waiting to be applied. Make sure all of the devices that the policy group activation will touch are powered on and connected to the network before you leave the office for the evening.
7. Be the first in the office after the rollout
Don’t set a patch rollout window for a day when you can’t be sure that you will be the first to access the system the next day. If an appointment means you probably won’t be able to check the system before the users log on after an update, suspend the rollout.
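The scheduling rules in tips 3 to 5 and 7 can be encoded so a rollout plan is checked mechanically rather than by hand. The following is an added example, not code from the original article or from any patch management product: the group names, the `PolicyGroup` fields and the `notes_require_first` override are assumptions constructed for illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import List, Tuple

# Constructed example: models the article's rules for one maintenance window.
#  - a preparation profile (restore point) runs first,
#  - policy groups launch about an hour apart,
#  - groups that need no reboot run before groups that do,
#    unless release notes demand otherwise (notes_require_first),
#  - the whole run must finish before users clock in.

GAP = timedelta(hours=1)  # recommended gap between launch times


@dataclass(frozen=True)
class PolicyGroup:
    name: str                          # hypothetical profile name
    requires_reboot: bool
    notes_require_first: bool = False  # vendor release notes override ordering


def build_schedule(window_start: datetime, groups: List[PolicyGroup],
                   prep_profile: str = "system-restore-point") -> List[Tuple[datetime, str]]:
    """Return (launch_time, profile_name) pairs, preparation profile first."""
    # sorted() is stable: overrides first, then non-reboot groups, then reboot groups
    ordered = sorted(groups, key=lambda g: (not g.notes_require_first, g.requires_reboot))
    schedule = [(window_start, prep_profile)]
    launch = window_start
    for group in ordered:
        launch += GAP
        schedule.append((launch, group.name))
    return schedule


def window_fits(schedule: List[Tuple[datetime, str]], users_login_at: datetime) -> bool:
    """True if the last group has a full gap to finish before users log on."""
    last_launch = schedule[-1][0]
    return last_launch + GAP <= users_login_at


if __name__ == "__main__":
    groups = [PolicyGroup("servers-critical", requires_reboot=True),
              PolicyGroup("workstation-apps", requires_reboot=False),
              PolicyGroup("os-updates", requires_reboot=True)]
    plan = build_schedule(datetime(2024, 5, 5, 2, 0), groups)
    for when, name in plan:
        print(when.strftime("%H:%M"), name)
    print("fits before 08:00 login:", window_fits(plan, datetime(2024, 5, 5, 8, 0)))
```

If `window_fits` returns False, the article's advice is to suspend the rollout rather than let it run into the working day.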
For more detailed information about patch management best practices, please visit our support page on the subject.