According to the documentation that comes with the KBox: "For a thorough test, devices should function normally for at least a week after being patched. If no problems are reported after a week, the patch can be deployed to the remaining devices on the network."

(Found here on the Kbox: /locale/en_US.UTF-8/doc/wwhelp/wwhimpl/common/html/frameset.htm?context=Admin&file=c_BestPracticesForPatching.html&single=true )

Has anyone figured out how to automate this?  Is there a way to only deploy patches that you are sure have been deployed to a set of pilot systems for at least seven days?

I know how to label patches automatically by how old they are, but I can't figure out how to label them based on the earliest date they were installed.

Any and all suggestions are appreciated.

Thanks,

djz

Answers

1
I have a pilot group ( manual label ) of around 40 computers from various departments. They are aware of the fact they are my patching guinea pigs.

I deploy patches to them twice a month, starting with the Thursday after Patch Tuesday.

They run for a week, and any problems get sent directly to me.

If, after a week, we've not seen anything in our testing or on the various sources I follow for patching issues, I then deploy to the entire company.
Answered 05/18/2017 by: kelleyplumos
Senior White Belt

1
I have labels for the updates I am interested in when they have been released between 20-35 days. I target that label to several labs of computers I have. I then have labels for the same updates, once they are aged 35 days+. If we have no issues with the first set that was deployed I organically allow the patches to join the 35+ days label and deploy to other machines. 
Answered 05/15/2017 by: rockhead44
Red Belt

  • How do you confirm that the test / lab machines actually successfully installed the patches before they end up on production machines? Do you manually review all the patches periodically?
    • I verify the patches installed. The folks who run those labs are aware that they are "early adopters" of patches and notify me of any trouble. Fortunately, waiting until the patches are aged 20-35 days before deploying keeps problems to a minimum, as Microsoft has usually identified and replaced patches by that point.
  • Hi Rock,

    Are you using smart labels or manual labels? For example, if I create a smart label with Microsoft patches released in the last 30 days and apply it to test machines, and later apply it to end-user machines after a week, that will leave out a few patches and may apply new patches, right? How can I make sure the patches applied to test machines a week ago are the same as the patches that are going to be deployed a week later?
    • Smart Labels. The date range takes care of that for you. If a patch has been on your Kbox for 28 days and deploys, it will almost assuredly be there 7 days later. It can get tricky with application patches, which can easily be superseded by a new release. I handle all application patching via Managed Installs/scripts and only patch Operating System updates. Here's my SQL code for MS critical patches, aged 20-35 days:

      SELECT UNIX_TIMESTAMP(RELEASEDATE) AS DATEPOSTED_SECONDS,
             KBSYS.PATCHLINK_PATCH.IS_APP,
             KBSYS.PATCHLINK_PATCH.IMPACTID AS DESCRIPTION,
             KBSYS.PATCHLINK_PATCH.RELEASEDATE AS DATEPOSTED,
             KBSYS.PATCHLINK_PATCH.IS_SUPERCEDED,
             KBSYS.PATCHLINK_PATCH.DESCR,
             KBSYS.PATCHLINK_PATCH.ID AS BID,
             KBSYS.PATCHLINK_PATCH.UID AS UID,
             KBSYS.PATCHLINK_PATCH.IDENTIFIER AS BULLETINID,
             KBSYS.PATCHLINK_PATCH.STATUSID AS STATUS,
             KBSYS.PATCHLINK_PATCH.TYPE,
             KBSYS.PATCHLINK_PATCH.VENDOR,
             UNPATCHED,
             YEAR(KBSYS.PATCHLINK_PATCH.RELEASEDATE) AS DATEPOSTED_YEAR,
             PATCHED,
             KBSYS.PATCHLINK_PATCH.TITLE,
             KBSYS.PATCHLINK_IMPACT.IMPACT_SEQ,
             PATCHLINK_PATCH_STATUS.STATUS AS PATCH_STATUS,
             CACHE_SIZE AS CACHE_SIZE,
             KBSYS.PATCHLINK_PATCH.ID AS TOPIC_ID
      FROM KBSYS.PATCHLINK_PATCH
      LEFT JOIN PATCHLINK_PATCH_COUNT
             ON PATCHLINK_PATCH_COUNT.PATCHUID = KBSYS.PATCHLINK_PATCH.UID
      JOIN KBSYS.PATCHLINK_IMPACT
             ON KBSYS.PATCHLINK_IMPACT.IMPACT = KBSYS.PATCHLINK_PATCH.IMPACTID
      LEFT JOIN PATCHLINK_PATCH_STATUS
             ON PATCHLINK_PATCH_STATUS.PATCHUID = KBSYS.PATCHLINK_PATCH.UID
      WHERE ((KBSYS.PATCHLINK_PATCH.VENDOR = 'Microsoft Corp.')
        AND (KBSYS.PATCHLINK_PATCH.IMPACTID = 'Critical')
        -- lower bound of the window: released at least 20 days ago
        AND ((TIMESTAMP(KBSYS.PATCHLINK_PATCH.RELEASEDATE) > NOW()
              OR TIMESTAMP(KBSYS.PATCHLINK_PATCH.RELEASEDATE) <= DATE_SUB(NOW(), INTERVAL 20 DAY)))
        -- upper bound of the window: released less than 35 days ago
        AND ((TIMESTAMP(KBSYS.PATCHLINK_PATCH.RELEASEDATE) <= NOW()
              AND TIMESTAMP(KBSYS.PATCHLINK_PATCH.RELEASEDATE) > DATE_SUB(NOW(), INTERVAL 35 DAY))))

      And my code for MS critical patches, aged more than 35 days.

      SELECT UNIX_TIMESTAMP(RELEASEDATE) AS DATEPOSTED_SECONDS,
             KBSYS.PATCHLINK_PATCH.IS_APP,
             KBSYS.PATCHLINK_PATCH.IMPACTID AS DESCRIPTION,
             KBSYS.PATCHLINK_PATCH.RELEASEDATE AS DATEPOSTED,
             KBSYS.PATCHLINK_PATCH.IS_SUPERCEDED,
             KBSYS.PATCHLINK_PATCH.DESCR,
             KBSYS.PATCHLINK_PATCH.ID AS BID,
             KBSYS.PATCHLINK_PATCH.UID AS UID,
             KBSYS.PATCHLINK_PATCH.IDENTIFIER AS BULLETINID,
             KBSYS.PATCHLINK_PATCH.STATUSID AS STATUS,
             KBSYS.PATCHLINK_PATCH.TYPE,
             KBSYS.PATCHLINK_PATCH.VENDOR,
             UNPATCHED,
             YEAR(KBSYS.PATCHLINK_PATCH.RELEASEDATE) AS DATEPOSTED_YEAR,
             PATCHED,
             KBSYS.PATCHLINK_PATCH.TITLE,
             KBSYS.PATCHLINK_IMPACT.IMPACT_SEQ,
             PATCHLINK_PATCH_STATUS.STATUS AS PATCH_STATUS,
             CACHE_SIZE AS CACHE_SIZE,
             KBSYS.PATCHLINK_PATCH.ID AS TOPIC_ID
      FROM KBSYS.PATCHLINK_PATCH
      LEFT JOIN PATCHLINK_PATCH_COUNT
             ON PATCHLINK_PATCH_COUNT.PATCHUID = KBSYS.PATCHLINK_PATCH.UID
      JOIN KBSYS.PATCHLINK_IMPACT
             ON KBSYS.PATCHLINK_IMPACT.IMPACT = KBSYS.PATCHLINK_PATCH.IMPACTID
      LEFT JOIN PATCHLINK_PATCH_STATUS
             ON PATCHLINK_PATCH_STATUS.PATCHUID = KBSYS.PATCHLINK_PATCH.UID
      WHERE ((PATCHLINK_PATCH_STATUS.STATUS = '0')
        AND (KBSYS.PATCHLINK_PATCH.VENDOR = 'Microsoft Corp.')
        AND (KBSYS.PATCHLINK_PATCH.IMPACTID = 'Critical')
        -- released 35 or more days ago
        AND ((TIMESTAMP(KBSYS.PATCHLINK_PATCH.RELEASEDATE) > NOW()
              OR TIMESTAMP(KBSYS.PATCHLINK_PATCH.RELEASEDATE) <= DATE_SUB(NOW(), INTERVAL 35 DAY))))
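The gate the original question asks for, keyed on when a patch was first actually installed on the pilot group instead of on its release date, shown as an added example that is not from any poster in this thread or from the KBox itself. The `pilot_install` table, its columns and the sample rows are constructed for illustration and are not the KBox schema; the pilot-coverage threshold is an added assumption.

```python
import sqlite3
from datetime import datetime, timedelta

# Hypothetical table for this example (not the KBox schema): one row per
# successful install of a patch on a pilot machine.
SCHEMA = """CREATE TABLE pilot_install (
    patch_uid TEXT, machine TEXT, installed_at TEXT,  -- ISO 8601 timestamp
    PRIMARY KEY (patch_uid, machine))"""

GATE_SQL = """
SELECT patch_uid
FROM pilot_install
GROUP BY patch_uid
HAVING MIN(installed_at) <= :cutoff              -- first install is old enough
   AND COUNT(DISTINCT machine) >= :min_machines  -- and most of the pilot has it
ORDER BY patch_uid
"""

def soaked_patches(conn, now, pilot_size, soak_days=7, min_coverage_pct=80):
    """Patch UIDs whose earliest pilot install is at least soak_days old and
    that are installed on at least min_coverage_pct percent of the pilot."""
    cutoff = (now - timedelta(days=soak_days)).isoformat(timespec="seconds")
    min_machines = (pilot_size * min_coverage_pct + 99) // 100  # integer ceiling
    rows = conn.execute(GATE_SQL, {"cutoff": cutoff, "min_machines": min_machines})
    return [row[0] for row in rows]

def build_sample_db():
    """Constructed sample data: a 5-machine pilot group and three patches."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    installs = {
        # old enough and on 4 of 5 pilot machines: passes the gate
        "PATCH-A": ("2017-05-11T09:00:00", ["m1", "m2", "m3", "m4"]),
        # on every pilot machine but only 3 days old: still soaking
        "PATCH-B": ("2017-05-15T08:00:00", ["m1", "m2", "m3", "m4", "m5"]),
        # old enough but only 2 of 5 machines installed it: not really tested
        "PATCH-C": ("2017-05-09T10:00:00", ["m1", "m2"]),
    }
    for uid, (ts, machines) in installs.items():
        conn.executemany("INSERT INTO pilot_install VALUES (?, ?, ?)",
                         [(uid, m, ts) for m in machines])
    return conn

if __name__ == "__main__":
    now = datetime(2017, 5, 18, 12, 0, 0)
    print(soaked_patches(build_sample_db(), now, pilot_size=5))
```

The coverage condition addresses the follow-up raised in the comments: a patch that was offered to the pilot group but installed on only a few machines has not been tested, however old it is.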