Before you begin deploying patches using MSP N-central, it is a good idea to have a patch deployment strategy. Having a plan in place ensures you have a sense for the environment in terms of how many users there are, if you can use automation, and any other potential issues you may encounter.
When performing an audit consider:
- Understand your customer's environment and their current patch strategy,
- Choose a level of automation - how much can you automate, and how much will require your attention,
- Map your requirements and plan a schedule to minimize or eliminate downtime and scheduling conflicts for your customers.
Understand your customer environment
Consider what devices your customer is using and what their business requirements are.
Ask the following questions:
- Can you treat all customers the same level of service, or do some require more granular configuration, and therefore more resources.
- Do any customers have sensitive devices such as Point of Sale, medical, financial, security that required special treatment when patching.
- What are each environment’s sensitivity to reboots. Does it differ between servers and workstations.
- Will your strategy force the customer to reboot each updated device within a certain time limit, or will you allow for a delay that is more convenient for them.
- Will your strategy force a patch on boot if they miss their patch schedule. For example, if the user turns off their computer prior to an overnight patching window.
- Should Windows Update be available to users and applications?
- If it is available for all user accounts and applications, users could circumvent your patch management.
- If it is available for only administrators, can they choose which patches to download from Microsoft.
- If it is available for only MSP N-central activity, Windows Update will be almost completely unavailable except when MSP N-central requires access.
- Do you want to use local probe caches for customers or do you want devices to download patches from Windows Update and third-party vendors? Using a probe cache provides more efficient use of bandwidth, especially when there are a large number of devices requiring a patch update.
Choose a level of patching automation
For each customer you need to determine which patches you can install automatically. While it is easier for you, there may be security issues and other considerations. Consider these questions to help you decide how much automation you employ:
- Which patches can you automatically approve for this customer?
- What can you automate for Windows workstations and laptops?
- What can you automate for Windows servers?
- Can you automate third party patches from vendors such as Java, Adobe, Google and others?
Map your requirements and schedule
The most convenient time for patch management is when your customers' devices are not in use, such as after business hours. Since there may be other maintenance activities such as AV scans, backups and maintenance scripts scheduled during this time, you need to ensure that patch management does not interfere. This is especially important if a forced reboot is involved.
SolarWinds MSP recommends that you create a spreadsheet of all scheduled activities for each customer device to ensure there is no overlap, and that each activity has plenty of time to complete before the next activity begins.