Enhanced APD. We have tried it, and we hate it. How is this working for others?
Formerly I had "one" patch deployment schedule working for weekends. Machines which were not reachable, due to being shut down, or mobile workstations, would patch as soon as they were turned on, or connected via VPN, as soon as they connected to our DTC server. That worked well for us for a matter of years. I kept the old deployments until they would have been automatically deleted, before recreating them with the new "enhanced APD. Now what I have found, is we have no way to achieve patching to the mobile workforce, unless I expand our deployment window to include all days of the week. That is extremely unsatisfactory, as we would end up deploying multiple times per week, to workstations which are in the office. As soon as a patch moved into the approved status in fact. I didn't have to separate my mobile workforce from our stationery workstations, nor even know which they are, formerly, as the previous deploy method just stayed actively working against all machines that had not checked in yet, up until the next time it was triggered to start all over again on the weekend. (note: I have placed emphasis on "mobile", but these could be stationery machines which just happen to be shut down, during regular deploy).
Every possibility I can think of for defining a solution that would not impact machines multiple times per week, or at random hours of the day, involves so much more work, than the former single auto deployment configuration. In our organization any user has the option to take their laptop off-site, if they need. Sometimes they remain in the office. But no matter what, a laptop being brought into a meeting to demonstrate who knows what, would not welcome a Desktop Central pop-up announcing that their computer was about to be patched. Likewise I have a test patch group which runs at 6PM, but it certainly doesn't have every software that needs tested in it. Several apps I have such a limited number, I have to just manually approve (between 8a - 5p).
Our management was sold on the idea of the once-a-week patching scheme, and its easy to explain to users, that you will not be disrupted on a Monday morning with the patching process, if you leave your computer on and in the office over the weekend. If I expand the deploy window to achieve deployment to all workstations, I will impact all the computers, just to reach those machines which were not reachable during the desired deploy time. That is such a disruptive possibility, I am under a mandate to not change the deploy window. I am creating so many manual deploys for missing updates now, its consuming my days.
How are most Desktop Central Users faring with the new "enhanced" APD? I think to get back to our once-a-week deploy, I would have to prevent approval of updates from happening on any given day, and instead only allow approvals to happen, one-day a week, in order to expand our APD window, without causing more update disruption? The new enhanced APD seems chaotic in contrast to the former method.
Every possibility I can think of for defining a solution that would not impact machines multiple times per week, or at random hours of the day, involves so much more work, than the former single auto deployment configuration. In our organization any user has the option to take their laptop off-site, if they need. Sometimes they remain in the office. But no matter what, a laptop being brought into a meeting to demonstrate who knows what, would not welcome a Desktop Central pop-up announcing that their computer was about to be patched. Likewise I have a test patch group which runs at 6PM, but it certainly doesn't have every software that needs tested in it. Several apps I have such a limited number, I have to just manually approve (between 8a - 5p).
Our management was sold on the idea of the once-a-week patching scheme, and its easy to explain to users, that you will not be disrupted on a Monday morning with the patching process, if you leave your computer on and in the office over the weekend. If I expand the deploy window to achieve deployment to all workstations, I will impact all the computers, just to reach those machines which were not reachable during the desired deploy time. That is such a disruptive possibility, I am under a mandate to not change the deploy window. I am creating so many manual deploys for missing updates now, its consuming my days.
How are most Desktop Central Users faring with the new "enhanced" APD? I think to get back to our once-a-week deploy, I would have to prevent approval of updates from happening on any given day, and instead only allow approvals to happen, one-day a week, in order to expand our APD window, without causing more update disruption? The new enhanced APD seems chaotic in contrast to the former method.
Gah... this should have been posted under "Patch Management", I can't see a way to change that now ;( sorry