I am looking for your opinions on a good patch management policy.

With Kace, we are able to notify the user when we start patching, and if a reboot is required, we can also notify the user about the requirement of a reboot.  For us, our only standard is that we do not want to automatically reboot a machine, but we will always want to notify the user of a reboot.  Other than that requirement, we do not need to notify.

My question is how you are doing the patching.

* Do you usually have the notification pop up to the user to tell them that patches are pending to be installed and that they should accept it?  Do you have any message pop up to say that patches are being installed?  Or do you just silently install the patches without having any messages pop up to the user?

* Do you prompt the user for reboot?  How do you manage the reboot notification?  We are currently planning on setting the prompts to 0, which means no limit; however, what if a user kept disregarding the reboot requirement? How do you manage this?  However, if it's better to give some limit, what limit are you using and why?  In our Kace training, the trainer suggested that we could make a label of Reboot Pending machines, send an alert to them to have them reboot, and call the user to bug them to reboot.  How have you dealt with these cases?  I'm thinking in the end, if we need to, we would probably send a reboot script to those users after having tried all methods to ask them to reboot -- how many times or how long after giving them such warnings would you start the drastic action of forcing the reboot on the client machine?

In our Kace training session, the trainer showed a method of creating a smart label of all new OS patches released within the last 30 days, and another smart label for all OS patches released more than 30 days ago.  Then he said we could have a set of machines be used for beta patch testing, and we would have this set of machines always get the new patches installed on them, and all other machines for production would get all OS patches released more than 30 days ago.  If we have a schedule on this, we would have a 30-day window of having patches get updated on the set of beta tester machines to see if any issues arise, and after the 30 days are over, the patches would automatically go into the other label for production and the production machines would start to get the patch.  This seems like a good method of scheduling the patching of the machines, and I was wondering if anyone else is doing it this way, or some way like this?  Or are you doing it in a different method, and how?

Thank you.  Looking forward to seeing what your best practices are for this.



I have the luxury of being able to patch on nights/weekends, which helps. I wake machines after hours for patching. 

As for the patching jobs, I prompt the OK/Snooze/Cancel option for one minute (OK is the default after 1 minute), with a 5 minute Snooze timeout. I have some message stating what is about to be patched, in generic terms. 

As for reboot, the user is prompted for one minute. "Automatically reboot if no one is logged in" is checked. I have up to 5 prompts, at 10 minute intervals. 

I have a few machines that get patched once the patches are aged 7 days but no more than 21 days. I use that with smart labels. All my other machines patch once the patches are aged more than 21 days and assuming no issues arose with the aforementioned machines. 
Answered 05/10/2016 by: rockhead44

  • Thanks for the response.

    I like the idea of creating the smart label for the patch age as well. How often do you schedule the patch process on your machines? It sounds like every week, starting on the Friday or Saturday night? We have more than 7000 Windows clients and I was thinking of having it deployed once a week to all the machines (maybe on a Thursday or Friday morning would make the most sense, since it may require a reboot and they could reboot before the weekend).
    • I patch my adobe products early in the week (Monday/Tue/Wed nights) and Windows Updates in the Friday night-Sunday night window. That way I know if an issue arises whether to look at my Adobe or Windows Updates.
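The age-based rings discussed in the question (new patches to a beta set, patches older than 30 days to production) and in the answer (7 to 21 days for the test machines, over 21 days for everyone else, provided the test machines reported no issues) boil down to one rule, shown here as an added example that is not from the thread or from Kace itself. The patch ids, dates and the `beta_issues` bookkeeping are constructed for the example; the "no issues arose" hold is something a smart label alone cannot express, so it is modelled explicitly.

```python
"""Age-based patch rings with a hold for patches the beta ring flagged (added example)."""
from dataclasses import dataclass, field
from datetime import date


@dataclass
class Patch:
    patch_id: str                      # constructed placeholder id
    released: date                     # vendor release date
    beta_issues: set = field(default_factory=set)  # beta machines that reported a problem (assumed bookkeeping)


def assign_rings(patches, today, beta_min=7, beta_max=21):
    """Sort patches into rings by age on `today`.

    wait:       younger than beta_min days, nobody installs yet
    beta:       beta_min..beta_max days old, beta/test machines install
    production: older than beta_max and no issue reported during the beta window
    held:       aged out of the beta window but a beta machine flagged it
    Defaults are the answer's 7/21-day scheme; beta_min=0, beta_max=30 gives the question's.
    """
    rings = {"wait": [], "beta": [], "production": [], "held": []}
    for p in sorted(patches, key=lambda p: p.released):
        age = (today - p.released).days
        if age < beta_min:
            rings["wait"].append(p.patch_id)
        elif age <= beta_max:
            rings["beta"].append(p.patch_id)
        elif p.beta_issues:
            rings["held"].append(p.patch_id)
        else:
            rings["production"].append(p.patch_id)
    return rings


def patches_for(machine_ring, patches, today, **window):
    """Patches one machine should install. Beta machines also take the production
    ring so they never fall behind (an assumption, not stated in the thread)."""
    rings = assign_rings(patches, today, **window)
    if machine_ring == "beta":
        return rings["beta"] + rings["production"]
    return rings["production"]


# Constructed sample, evaluated on the answer's date.
TODAY = date(2016, 5, 10)
SAMPLE = [
    Patch("P-new", date(2016, 5, 6)),                          # 4 days old
    Patch("P-beta", date(2016, 4, 25)),                        # 15 days old
    Patch("P-prod", date(2016, 4, 1)),                         # 39 days old
    Patch("P-bad", date(2016, 4, 10), beta_issues={"beta-03"}),  # 30 days old, flagged
]
```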