Patching Strategy
Hi Guys,
I'm wondering what other Kace administrators are doing for patches in the Kace Appliance. We have about 3000 machines connected and have just started patching. I understand the technical end of the patching system, I'm wondering more about the policy and strategy used.
I'd like to know how you schedule the computers (ie all in 1 night or spread out),
# of machines you patch in a night,
how many patches do you push in a task,
how you identify patches that need to be detected/deployed?
I'm wondering what other Kace administrators are doing for patches in the Kace Appliance. We have about 3000 machines connected and have just started patching. I understand the technical end of the patching system, I'm wondering more about the policy and strategy used.
I'd like to know how you schedule the computers (ie all in 1 night or spread out),
# of machines you patch in a night,
how many patches do you push in a task,
how you identify patches that need to be detected/deployed?
0 Comments
[ + ] Show comments
Answers (5)
Please log in to answer
Posted by:
mlathrop
12 years ago
Fact #1) if there is any awareness by a user that something is touching their machine in any way they will complain of slowness.
We run our patching for 90 minutes each day for several years now and it does stop after 90 minutes.
The fact is; once your patching is mostly up to date (~90%+) after a few days of running there is little patching that occurs during normal cycles. The biggest slowdowns are during MS "Patch Tuesday" cycles once per month
We run our patching for 90 minutes each day for several years now and it does stop after 90 minutes.
The fact is; once your patching is mostly up to date (~90%+) after a few days of running there is little patching that occurs during normal cycles. The biggest slowdowns are during MS "Patch Tuesday" cycles once per month
Posted by:
mlathrop
12 years ago
We have around 300 machines - Win 7, Win Xp & Mac. I only subscribe to patches that are critical for OS & applications and deploy on a daily schedule during a 90 minute window. Since most of our users are laptops and offline at night, patching off hours would not be effective. Reboots are suppressed since we have sensitive users so we rely on users to reboot daily and remind them to do this.. There might be some risk in that, but so far no problems have arisen. We have 5 offices so there is a separate schedule for Mac and Windows at each office. We have Replication points at each office which update at night. This avoids bandwidth congestion across the WAN during replication and patching. We consistently achieve about 95% patch compliance with this strategy.
Posted by:
ms01ak
12 years ago
Thanks for the reply, I've got a lot of machines, and I know the kbox can't handle distributing all the patches to all machines at once. I'm wondering what the admins with large amount of machines do. Ie 500 machines a night every night get the patches?
Posted by:
nbs
12 years ago
Interesting question for us, especially for us as majority of our 3500 devices connect via an ADSL based WAN. Also, when trialing the patch functionality (it wasnt a requirement of the system but as we have it ... ) the test user complained (whilst munching on his granola) that his PC slowed down to a treacle like crawl.
I notice that the patch task has the ability to stop after a set amount of minutes, with 3500 machines, how reliable is this functionality? IE if I tell them to detect and deploy at 3 AM can I be be confident that 180 minutes later (3 hours) it will stop any detect / deploy job running?
I notice that the patch task has the ability to stop after a set amount of minutes, with 3500 machines, how reliable is this functionality? IE if I tell them to detect and deploy at 3 AM can I be be confident that 180 minutes later (3 hours) it will stop any detect / deploy job running?
Posted by:
mlathrop
12 years ago
Create staggered patch schedules for groups of machines.
I have mine labeled by subnet, and create a separate schedule for each subnet. Our remote offices have a replication share so machines on the remote network get patches from the rep share, reduces network traffic.
I have mine labeled by subnet, and create a separate schedule for each subnet. Our remote offices have a replication share so machines on the remote network get patches from the rep share, reduces network traffic.
ORIGINAL: ms01ak
Thanks for the reply, I've got a lot of machines, and I know the kbox can't handle distributing all the patches to all machines at once. I'm wondering what the admins with large amount of machines do. Ie 500 machines a night every night get the patches?
Rating comments in this legacy AppDeploy message board thread won't reorder them,so that the conversation will remain readable.