best practices for Patching Windows Servers on a schedule using the new APD features
So i am trying to figure out what changes have been made to APD since .192 and how that effects my managed devices.
My struggle here is we do not patch in mass. Instead we have a specific schedule for each device which has been arranged and agreed upon by Operations and the applicaiton owner.
Schedule looks like this.
Seee how start and stop days set on Patch tuesday make it a definitive time?
There are notations that all APD jobs are going to be migtrated to the new set up after 90 days but with out these needs addressed this is fixing to cause us some pain.
My struggle here is we do not patch in mass. Instead we have a specific schedule for each device which has been arranged and agreed upon by Operations and the applicaiton owner.
Schedule looks like this.
Custom group A patches from midnight to 6 Am on Patch Tue +7 Days.
Custom Group B patches at Midnight to 6AM on Patch Tue +12 Days
Custom Group B patches at Midnight to 6AM on Patch Tue +12 Days
typicly what i have done is on the monday before Patch Tue (today) i will go into each job and schedule them all out to start a few days before the deployment.. This looks like this below.
So from the screen shots aboce you can see that this deployment is set to start Wed afternoon around 5PM. All patches should be approved prior to this 5 PM deadline.
The next screen shot dictates my deployment policy which is to push out on thursdays between 12:33 and 5:30.
this job will run then on friday or some day next week priot to Thur I will suspend the job. My concern being that if i dont suspend if for some reason a patch did not apply that it will attempt to re-push.
Now i have other jobs just like this scheduled throughout the entire month.
The next screen shot dictates my deployment policy which is to push out on thursdays between 12:33 and 5:30.
this job will run then on friday or some day next week priot to Thur I will suspend the job. My concern being that if i dont suspend if for some reason a patch did not apply that it will attempt to re-push.
Now i have other jobs just like this scheduled throughout the entire month.
My concern with the new patching policies is the deployment schedule still lacks the ability to specify deployment peramiters in such a way that this will only deploy on the days we specify.
Example:
this setting seems like it helps in this endevor by attempting to sync up patches approval date to when they are deployed.
Example:
this setting seems like it helps in this endevor by attempting to sync up patches approval date to when they are deployed.
There is also a stop date but the deployment frequency is still goverened by weeks and not days keyed off of Patch Tue.
So if i did next month what i did today which was to schedule all of my jobs out then they could possibly deploy this Thur or next Thur depending on what patch was missing. If a box misses patching last month for a 100 different reasons then its sitting on patches that were approved greater than X amount of days so the scheme listed above would allow patching on either week..
The work around to this is to change our Deployment polices every single month to adjust for a shifting Patch Tue and Manage Engine has been unable to clearly articulate what counts as Weeek 1 vs Week 2. What designates the beginning of a week?
Which week is week 1? Seems pretty simple that its week 13.
So if i did next month what i did today which was to schedule all of my jobs out then they could possibly deploy this Thur or next Thur depending on what patch was missing. If a box misses patching last month for a 100 different reasons then its sitting on patches that were approved greater than X amount of days so the scheme listed above would allow patching on either week..
The work around to this is to change our Deployment polices every single month to adjust for a shifting Patch Tue and Manage Engine has been unable to clearly articulate what counts as Weeek 1 vs Week 2. What designates the beginning of a week?
Which week is week 1? Seems pretty simple that its week 13.
But What about here? Is it week 21 or is it going to be 22 since week 21 only has 2 days in it?
Seee how start and stop days set on Patch tuesday make it a definitive time?
There are notations that all APD jobs are going to be migtrated to the new set up after 90 days but with out these needs addressed this is fixing to cause us some pain.