Standard of Patch Management Policy
I am looking for your opinions on a good patch management policy.
With Kace, we are able to notify the user when we start patching, and if a reboot is required, we can also notify the user about the requirement of a reboot. For us, our only standard is that we do not want to automatically reboot a machine, but we will always want to notify the user of a reboot. Other than that requirement, we do not need to notify.
My question is how you are doing the patching.
* Do you usually have the notification pop up to the user to tell them that patches are pending to be installed and that they should accept it? Do you have any message pop up to say that patches are being installed? Or do you just silently install the patches without having any messages pop up to the user?
* Do you prompt the user for a reboot? How do you manage the reboot notification? We are currently planning on setting the prompts to 0, which means no limit. However, what if a user keeps disregarding the reboot requirement? How do you manage this? If it's better to set a limit, what limit are you using and why? In our Kace training, the trainer suggested that we could make a label of Reboot Pending machines, send an alert to them to have them reboot, and call the user to bug them to reboot. How have you dealt with these cases? I'm thinking that in the end, if we need to, we would probably send a reboot script to those users after having tried all methods to ask them to reboot -- how many times, or how long after giving them such warnings, would you start the drastic action of forcing the reboot on the client machine?
In our Kace training session, the trainer showed a method of creating a smart label of all new OS patches released within the last 30 days, and another smart label for all OS patches released more than 30 days ago. He then said we could have a set of machines used for beta patch testing that always gets the new patches installed, while all other machines (production) get only the OS patches released more than 30 days ago. With a schedule on this, we would have a 30-day window in which patches are installed on the set of beta tester machines to see if any issues arise; after the 30 days are over, the patches would automatically move into the other label for production and the production machines would start to receive them. This seems like a good method of scheduling the patching of the machines, and I was wondering if anyone else is doing it this way, or some way like this? Or are you doing it in a different way, and how?
Thank you. Looking forward to seeing what your best practices are for this.
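The two policy decisions the post asks about (the 30-day pilot/production split on patch release date, and when a user who keeps dismissing the reboot prompt should finally be forced) are easy to state loosely and easy to get wrong at the boundaries. The model below is an added example, not code from the original post and not a KACE feature; it only makes the decision rules explicit so they can be argued about. `PILOT_WINDOW_DAYS`, `RebootState`, `decide_reboot_action` and the constructed patch list are assumptions made for this example and do not map to any KACE setting or label. The reboot policy mirrors the post's "0 means no limit" convention and adds a separate grace period, so you can see what happens when neither limit is set.

```python
"""Staged patch rings and reboot-deferral escalation (illustrative model).

Added example, not from the original post or from KACE. It models two
decisions so the edge cases are explicit:

  1. Which ring a patch belongs to, given its release date and a pilot
     window (the "last 30 days" / "older than 30 days" smart-label split).
  2. When a machine whose user keeps dismissing the reboot prompt should be
     escalated from "prompt" to "forced reboot".

PILOT_WINDOW_DAYS, RebootState and decide_reboot_action are names invented
for this example; they are not KACE settings.
"""
from __future__ import annotations

from dataclasses import dataclass
from datetime import date, datetime, timedelta

PILOT_WINDOW_DAYS = 30  # assumption: the 30-day split described in the post


def ring_for_patch(released: date, today: date, window_days: int = PILOT_WINDOW_DAYS) -> str:
    """Return 'pilot' while the patch is at most window_days old, else 'production'.

    The two labels must partition the patch set with no gap and no overlap.
    Here a patch released exactly window_days ago is still 'pilot'
    (age <= window_days), so "greater than 30 days" means age > 30.
    A release date in the future (bad feed metadata, clock skew) is rejected
    instead of silently landing in a ring.
    """
    age = (today - released).days
    if age < 0:
        raise ValueError(f"release date {released} is after today {today}")
    return "pilot" if age <= window_days else "production"


def patches_for_machine(machine_ring: str, patches: dict[str, date], today: date) -> list[str]:
    """Pilot machines get every patch; production machines only get aged ones."""
    return sorted(
        name for name, released in patches.items()
        if machine_ring == "pilot" or ring_for_patch(released, today) == "production"
    )


@dataclass
class RebootState:
    """Per-machine record of a pending reboot and how the user has responded."""
    pending_since: datetime
    deferrals: int = 0               # times the user dismissed the prompt
    last_prompt: datetime | None = None


def decide_reboot_action(state: RebootState, now: datetime, max_deferrals: int = 5,
                         grace: timedelta | None = timedelta(days=7),
                         prompt_interval: timedelta = timedelta(hours=4)) -> str:
    """Return 'force', 'escalate', 'prompt' or 'none'.

    max_deferrals == 0 means "no limit" (the convention the post describes);
    grace=None means the reboot is never forced on elapsed time alone.
    'escalate' fires when one deferral is left: flag the machine for a human
    follow-up (the "call the user" step) rather than just re-prompting.
    """
    unlimited = max_deferrals == 0
    if grace is not None and now - state.pending_since >= grace:
        return "force"
    if not unlimited and state.deferrals >= max_deferrals:
        return "force"
    if not unlimited and state.deferrals == max_deferrals - 1:
        return "escalate"
    if state.last_prompt is None or now - state.last_prompt >= prompt_interval:
        return "prompt"
    return "none"


def record_deferral(state: RebootState, now: datetime) -> None:
    """The user dismissed a prompt (or ignored the escalation call)."""
    state.deferrals += 1
    state.last_prompt = now


def simulate_ignoring_user(start: datetime, steps: int = 12,
                           step: timedelta = timedelta(hours=4), **policy) -> list[str]:
    """Run `steps` policy checks for a user who dismisses every prompt.

    Returns the sequence of actions, stopping at the first 'force'.
    """
    state = RebootState(pending_since=start)
    actions: list[str] = []
    now = start
    for _ in range(steps):
        action = decide_reboot_action(state, now, **policy)
        actions.append(action)
        if action == "force":
            break
        if action in ("prompt", "escalate"):
            record_deferral(state, now)
        now += step
    return actions


if __name__ == "__main__":
    today = date(2024, 6, 30)
    # Constructed sample patch feed; names are placeholders, not real KB numbers.
    feed = {"patch-new": date(2024, 6, 25), "patch-aged": date(2024, 5, 1)}
    print("pilot      ->", patches_for_machine("pilot", feed, today))
    print("production ->", patches_for_machine("production", feed, today))
    t0 = datetime(2024, 7, 1, 9, 0)
    print("bounded policy   :", simulate_ignoring_user(t0))
    print("no limit, no grace:", simulate_ignoring_user(t0, max_deferrals=0, grace=None))
```

The bounded run shows the shape of a defensible policy: a few plain prompts, one escalation for a human touch, then a forced reboot. The "no limit, no grace" run is the post's current plan (prompts set to 0) taken literally: a user who keeps dismissing is never forced, so the pending-reboot label would grow without bound unless a grace period or deferral cap is added.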