This document contains official content from the BMC Software Knowledge Base. It is automatically updated when the knowledge article is modified.
BMC Client Management
BCM >= 12.5
What are the best practices for patching?
It is best to:
- create several patch groups/jobs and not only one containing all of the required patches
- reboot your devices regularly
The most important thing is to avoid adding too many patches to one patch group/job. It is best to create one patch group/job per Windows OS type or, even better, separate patch groups/jobs that manage patching by OS and by severity; other applications should be patched from other patch groups/jobs.
The reason for splitting efficiently is that if one patch in a patch group/job is not working or not downloading, the patch group/job will never start until it has been fixed, because patch groups/jobs don't start until all the patches they contain for the target have been downloaded by the target.
Still, there is a balance to find, as a patch group/job will suspend the patch module until the next reboot if one of the patches it contains requires a reboot of the device. This means that no other patch group/job will run on the target until the next reboot.
In the end, it all depends on the patch window settings, the type of patches that are deployed, and the number of patches to install per device. If the patch window occurs only once a month, it is most likely best to have one heavy patch group/job that patches the device in one go, with the risk that it fails or doesn't start because of a single patch. This most likely implies running a first wave of patch deployment on typical devices before going live for the largest number of targets.
Also, it is best to make sure the devices are rebooted regularly; otherwise the module could be suspended "forever" and the patches from other patch groups/jobs would "never" be installed. The following KA provides more information on this subject: Patch Jobs/groups are stuck on the status "Execution pending" or "Installation Planned" because patch installations are blocked or suspended
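The two rules described above (a patch group/job does not start until all of its patches are downloaded, and a patch requiring a reboot suspends the patch module until the next reboot) can be compared across layouts with a simplified model. This is an added example, not BMC code: the names Patch and simulate_cycle, the sample patches, and the assumption that groups are processed in the listed order are all hypothetical.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Patch:
    name: str
    downloaded: bool = True      # False models a patch that fails to download
    needs_reboot: bool = False   # True models a patch that requires a reboot

def simulate_cycle(groups):
    """Model one period between two reboots of a single target.

    groups: dict of group name -> list of Patch, processed in the order
    given (assumption of this model, not documented BCM behaviour).
    Returns (installed patch names, dict of group name -> status).
    """
    installed, status, suspended = [], {}, False
    for name, patches in groups.items():
        if suspended:
            # An earlier group required a reboot: nothing else runs.
            status[name] = "blocked: reboot pending"
        elif not all(p.downloaded for p in patches):
            # The group does not start until every patch is downloaded.
            status[name] = "waiting: download incomplete"
        else:
            installed += [p.name for p in patches]
            status[name] = "installed"
            suspended = any(p.needs_reboot for p in patches)
    return installed, status

# Constructed sample data: one patch cannot download, one needs a reboot.
OS_CRIT = [Patch("os-critical-1", needs_reboot=True), Patch("os-critical-2")]
OS_LOW = [Patch("os-low-1"), Patch("os-low-2", downloaded=False)]
APPS = [Patch("app-1"), Patch("app-2")]

ONE_GROUP = {"all": OS_CRIT + OS_LOW + APPS}
SPLIT = {"apps": APPS, "os-low": OS_LOW, "os-critical": OS_CRIT}
SPLIT_REBOOT_FIRST = {"os-critical": OS_CRIT, "os-low": OS_LOW, "apps": APPS}

if __name__ == "__main__":
    layouts = {"one group": ONE_GROUP, "split": SPLIT,
               "split, reboot group first": SPLIT_REBOOT_FIRST}
    for label, layout in layouts.items():
        done, state = simulate_cycle(layout)
        print(f"{label}: installed {len(done)} patches, {state}")
```

In this model the single group installs nothing because of one undownloaded patch, while the split layout still delivers the critical OS patches; running the reboot-requiring group first blocks the remaining groups until the device reboots.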