According to the documentation that comes with the KBox: "For a thorough test, devices should function normally for at least a week after being patched. If no problems are reported after a week, the patch can be deployed to the remaining devices on the network."

(Found here on the Kbox: /locale/en_US.UTF-8/doc/wwhelp/wwhimpl/common/html/frameset.htm?context=Admin&file=c_BestPracticesForPatching.html&single=true )

Has anyone figured out how to automate this? Is there a way to only deploy patches that you are sure have been deployed to a set of pilot systems for at least seven days?

I know how to label patches automatically by how old they are, but I can't figure out how to label them based on the earliest date they were installed.

Any and all suggestions are appreciated.

Thanks,

djz

Answers

1
I have a pilot group (manual label) of around 40 computers from various departments. They are aware of the fact they are my patching guinea pigs.

I deploy patches to them twice a month, starting with the Thursday after Patch Tuesday.

They run for a week, and any problems get sent directly to me.

If, after a week, we've not seen anything in our testing or on the various sources I follow for patching issues, I then deploy to the entire company.
Answered 05/18/2017 by: kelleyplumos
Senior White Belt

1
I have labels for the updates I am interested in when they were released 20-35 days ago. I target that label to several labs of computers I have. I then have labels for the same updates, once they are aged 35 days+. If we have no issues with the first set that was deployed, I organically allow the patches to join the 35+ days label and deploy to other machines.
Answered 05/15/2017 by: rockhead44
Red Belt

  • How do you confirm that the test / lab machines actually successfully installed the patches before they end up on production machines? Do you manually review all the patches periodically?
    • I verify the patches installed. The folks who run those labs are aware that they are "early adopters" of patches and notify me of any trouble. Fortunately, waiting until patches are aged 20-35 days before deploying keeps problems to a minimum, as Microsoft has usually identified and replaced patches by that point.
  • Hi Rock,

    Are you using smart labels or manual labels? For example, if I create a smart label with Microsoft patches released in the last 30 days and apply it to test machines, and later apply it to end-user machines after a week, that will leave out a few patches and may apply new patches, right? How can I make sure the patches applied to test machines a week ago are the same as the patches that are going to be deployed a week later?
    • Smart Labels. The date range takes care of that for you. If a patch has been on your Kbox for 28 days and deploys, it will almost assuredly be there 7 days later. It can get tricky with application patches, which can easily be superseded by a new release. I handle all application patching via Managed Installs/scripts and only patch Operating System updates. Here's my SQL code for MS critical patches, aged 20-35 days:

      SELECT UNIX_TIMESTAMP(RELEASEDATE) as DATEPOSTED_SECONDS,
             KBSYS.PATCHLINK_PATCH.IS_APP,
             KBSYS.PATCHLINK_PATCH.IMPACTID AS DESCRIPTION,
             KBSYS.PATCHLINK_PATCH.RELEASEDATE AS DATEPOSTED,
             KBSYS.PATCHLINK_PATCH.IS_SUPERCEDED,
             KBSYS.PATCHLINK_PATCH.DESCR,
             KBSYS.PATCHLINK_PATCH.ID AS BID,
             KBSYS.PATCHLINK_PATCH.UID AS UID,
             KBSYS.PATCHLINK_PATCH.IDENTIFIER AS BULLETINID,
             KBSYS.PATCHLINK_PATCH.STATUSID AS STATUS,
             KBSYS.PATCHLINK_PATCH.TYPE,
             KBSYS.PATCHLINK_PATCH.VENDOR,
             UNPATCHED,
             YEAR(KBSYS.PATCHLINK_PATCH.RELEASEDATE) as DATEPOSTED_YEAR,
             PATCHED,
             KBSYS.PATCHLINK_PATCH.TITLE,
             KBSYS.PATCHLINK_IMPACT.IMPACT_SEQ,
             PATCHLINK_PATCH_STATUS.STATUS AS PATCH_STATUS,
             CACHE_SIZE AS CACHE_SIZE,
             KBSYS.PATCHLINK_PATCH.ID as TOPIC_ID
      FROM KBSYS.PATCHLINK_PATCH
      left join PATCHLINK_PATCH_COUNT on PATCHLINK_PATCH_COUNT.PATCHUID = KBSYS.PATCHLINK_PATCH.UID
      join KBSYS.PATCHLINK_IMPACT ON KBSYS.PATCHLINK_IMPACT.IMPACT=KBSYS.PATCHLINK_PATCH.IMPACTID
      left join PATCHLINK_PATCH_STATUS on PATCHLINK_PATCH_STATUS.PATCHUID = KBSYS.PATCHLINK_PATCH.UID
      WHERE ((KBSYS.PATCHLINK_PATCH.VENDOR = 'Microsoft Corp.')
        AND (KBSYS.PATCHLINK_PATCH.IMPACTID = 'Critical')
        AND ((TIMESTAMP(KBSYS.PATCHLINK_PATCH.RELEASEDATE) > NOW() OR TIMESTAMP(KBSYS.PATCHLINK_PATCH.RELEASEDATE) <= DATE_SUB(NOW(),INTERVAL 20 DAY)))
        AND ((TIMESTAMP(KBSYS.PATCHLINK_PATCH.RELEASEDATE) <= NOW() AND TIMESTAMP(KBSYS.PATCHLINK_PATCH.RELEASEDATE) > DATE_SUB(NOW(),INTERVAL 35 DAY))))

      And my code for MS critical patches, aged more than 35 days.

      SELECT UNIX_TIMESTAMP(RELEASEDATE) as DATEPOSTED_SECONDS,
             KBSYS.PATCHLINK_PATCH.IS_APP,
             KBSYS.PATCHLINK_PATCH.IMPACTID AS DESCRIPTION,
             KBSYS.PATCHLINK_PATCH.RELEASEDATE AS DATEPOSTED,
             KBSYS.PATCHLINK_PATCH.IS_SUPERCEDED,
             KBSYS.PATCHLINK_PATCH.DESCR,
             KBSYS.PATCHLINK_PATCH.ID AS BID,
             KBSYS.PATCHLINK_PATCH.UID AS UID,
             KBSYS.PATCHLINK_PATCH.IDENTIFIER AS BULLETINID,
             KBSYS.PATCHLINK_PATCH.STATUSID AS STATUS,
             KBSYS.PATCHLINK_PATCH.TYPE,
             KBSYS.PATCHLINK_PATCH.VENDOR,
             UNPATCHED,
             YEAR(KBSYS.PATCHLINK_PATCH.RELEASEDATE) as DATEPOSTED_YEAR,
             PATCHED,
             KBSYS.PATCHLINK_PATCH.TITLE,
             KBSYS.PATCHLINK_IMPACT.IMPACT_SEQ,
             PATCHLINK_PATCH_STATUS.STATUS AS PATCH_STATUS,
             CACHE_SIZE AS CACHE_SIZE,
             KBSYS.PATCHLINK_PATCH.ID as TOPIC_ID
      FROM KBSYS.PATCHLINK_PATCH
      left join PATCHLINK_PATCH_COUNT on PATCHLINK_PATCH_COUNT.PATCHUID = KBSYS.PATCHLINK_PATCH.UID
      join KBSYS.PATCHLINK_IMPACT ON KBSYS.PATCHLINK_IMPACT.IMPACT=KBSYS.PATCHLINK_PATCH.IMPACTID
      left join PATCHLINK_PATCH_STATUS on PATCHLINK_PATCH_STATUS.PATCHUID = KBSYS.PATCHLINK_PATCH.UID
      WHERE ((PATCHLINK_PATCH_STATUS.STATUS = '0')
        AND (KBSYS.PATCHLINK_PATCH.VENDOR = 'Microsoft Corp.')
        AND (KBSYS.PATCHLINK_PATCH.IMPACTID = 'Critical')
        AND ((TIMESTAMP(KBSYS.PATCHLINK_PATCH.RELEASEDATE) > NOW() OR TIMESTAMP(KBSYS.PATCHLINK_PATCH.RELEASEDATE) <= DATE_SUB(NOW(),INTERVAL 35 DAY))))
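
The release-age labels above gate on how long a patch has existed, while the original question asks for a gate on how long it has actually run on pilot machines. The following is an added example, not part of the thread and not KACE code: a soak gate computed from per-machine install records. The record layout, machine names and patch ids are constructed, and starting the soak clock when the coverage threshold is reached (rather than at the first install) is an assumption.

```python
import math
from datetime import datetime, timedelta

# Constructed sample: (machine, patch id, status, status time).
# Layout and ids are hypothetical, not a KACE export format.
PILOT = {"lab-01", "lab-02", "lab-03"}
RECORDS = [
    ("lab-01", "PATCH-A", "installed", "2017-05-01 09:00"),
    ("lab-02", "PATCH-A", "installed", "2017-05-02 10:30"),
    ("lab-03", "PATCH-A", "installed", "2017-05-03 08:15"),
    ("lab-01", "PATCH-B", "installed", "2017-05-01 09:00"),
    ("lab-02", "PATCH-B", "failed", "2017-05-02 10:30"),
    ("lab-03", "PATCH-B", "installed", "2017-05-03 08:15"),
    ("lab-01", "PATCH-C", "installed", "2017-05-08 09:00"),
    ("lab-02", "PATCH-C", "installed", "2017-05-08 09:05"),
    ("lab-03", "PATCH-C", "installed", "2017-05-08 09:10"),
    ("lab-01", "PATCH-D", "installed", "2017-05-01 09:00"),
    ("desk-77", "PATCH-D", "installed", "2017-05-01 09:00"),
]


def soaked_patches(records, pilot, now, soak_days=7, min_coverage=0.8):
    """Patch ids with no pilot failure, installed on at least min_coverage
    of the pilot group, whose coverage was reached soak_days or more ago."""
    latest = {}  # patch -> machine -> (status, time) of the newest record
    for machine, patch, status, when in records:
        if machine not in pilot:
            continue  # installs outside the pilot group prove nothing here
        ts = datetime.strptime(when, "%Y-%m-%d %H:%M")
        per_machine = latest.setdefault(patch, {})
        if machine not in per_machine or ts > per_machine[machine][1]:
            per_machine[machine] = (status, ts)
    needed = math.ceil(len(pilot) * min_coverage)
    eligible = []
    for patch, per_machine in sorted(latest.items()):
        if any(status != "installed" for status, _ in per_machine.values()):
            continue  # a failed pilot install blocks promotion
        times = sorted(ts for _, ts in per_machine.values())
        if len(times) < needed:
            continue  # not enough of the pilot group has the patch yet
        # The soak clock starts when the coverage threshold was reached.
        if now - times[needed - 1] >= timedelta(days=soak_days):
            eligible.append(patch)
    return eligible


if __name__ == "__main__":
    print(soaked_patches(RECORDS, PILOT, datetime(2017, 5, 12)))
```

The resulting list is what a manual label for the wider deployment would be populated from; a patch with a failed pilot install stays out until the failure is resolved.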