Whenever I work with customers on Patch Management, the "Patch Tuesday" idea may or may not come up. After a short discussion about it, customers normally ignore it and use their own patch cycle. BCM is able to patch >200 products, and only MS has a Patch Tuesday.
All patches which are released into the Patch Knowledgebase are pre-tested. This means that if the Outlook patch breaks Outlook, it won't get into the Patch KB. It won't be tested whether the Outlook patch breaks your CTI plugin / Zoom plugin and so on.
As you already mentioned, it could be that the 2nd Wednesday is one week before the second Tuesday. This would happen if Wednesday is the first day of the month, like this month (July 2020). This will happen again in September 2021. In my opinion this isn't an issue when your goal is to get a highly automated patch process.
Personally, I would never recommend patching only once a month, at least whenever you want to use what BCM offers (>200 products). Also, nearly all customers with which I worked may have started with a patch group, but after some time they removed the test patching completely, since it is too much work and, if a device breaks, it's normally because the device had other issues and the installed patch was the last bit.
2 - Yes, for your planned configuration you should consider two patch jobs. You may want to test setting the start time to 6pm and the end time to e.g. 11am. I did not test this special planning scenario, but it could work.
I would recommend getting in touch with your BMC partner and booking an online consulting session for 4 or 8 hours to get a deep dive into patch management (do's & don'ts, Win10 build upgrade, troubleshooting). If you don't have a partner who is able to help you in this specific case, you may want to reach out to Steve Gibbs and book him. He is also active here in the communities. This engagement would really save you time in the long run.
Things to consider:
- Patch twice a week (Tuesday and Thursday)
- Patch whatever standard software is installed on your devices and what is supported with BCM (Firefox, Adobe Reader, Chrome and so on).
- Activate Wake-On-Lan and set up your network for WoL. This is a great help to deploy Windows 10 build upgrades (which you should do at least once a year).
- How to bring all your devices to a good patch level (if not already), so that not a lot of patches are missing from week to week
- Critical devices and not critical devices?
Please let me know if you have any additional questions.
I work with all types of customers, from small manufacturers to large federal government customers. Every customer has their own unique set of policies and the methods used to comply with those policies. Some customers are very aggressive where security is paramount, and they set up Patch Jobs to run every day, where others have devices assigned to jobs that only run once a quarter (typically medical facilities, where devices staying online is paramount to a patient's survival).
If you wish to have the patch job run on the Wednesday following the second Tuesday of every month, then you may have limited options to guarantee this schedule. Below is one scenario you could use; I feel this is too restrictive, but some customers use it, especially if they are restricted to a once-a-month maintenance window:
Configure the Patch Manager to only run once a month to download the KB from Ivanti.
Then set your patch job to run EVERY Wednesday. This way, in those months where Wednesday is the first day of the month (so that the Wednesday following the second Tuesday is the third Wednesday of the month), you will still patch on the first day following the Microsoft Tuesday.
Here are the downsides:
- Microsoft will release additional patches later in the month to "FIX" the patches that were released on Patch Tuesday. You will need to wait until the next patch cycle, and you will not be able to deploy the patch because you have set the schedule to only download the patch KB once monthly.
- Critical and Important patches are released regularly throughout the month and you will be unable to deploy until your maintenance window.
The Benefits are:
- What you test using patch jobs will not change until after your cycle completes. Because you only download the Patch KB once a month, you can be assured that no new patches creep in and get deployed to production that were not tested.
- Reports will be more concise due to having a static number of patches required beginning on the time you download the KB until the next time you download the KB. This way, management will see the progress more clearly without cluttering the inventory with newer patches that were released after your initial testing.
Just food for thought! Also, most customers start off with great ideas, but after some time they will just use Patch Jobs and "set it and forget it". As Dominik mentioned, there is a lot of testing done BEFORE patches are added to the KB, thus saving you, the customer, the grief.
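The calendar edge case both replies describe (a "second Wednesday" schedule firing a week before Patch Tuesday whenever the month starts on a Wednesday, and the "run every Wednesday" workaround landing on the second or third Wednesday) is easy to check rather than reason about by hand. The following is an added example, not part of this thread and not BCM or BMC code; it uses only the Python standard library and assumes the usual definition of Patch Tuesday as the second Tuesday of the month. Function names are the example's own.

```python
import calendar
from datetime import date, timedelta


def nth_weekday(year: int, month: int, weekday: int, n: int) -> date:
    """Date of the n-th occurrence of `weekday` (calendar.MONDAY..calendar.SUNDAY) in a month."""
    first = date(year, month, 1)
    offset = (weekday - first.weekday()) % 7          # days from the 1st to the first such weekday
    return first + timedelta(days=offset + 7 * (n - 1))


def patch_tuesday(year: int, month: int) -> date:
    """Microsoft Patch Tuesday: the second Tuesday of the month (assumed definition)."""
    return nth_weekday(year, month, calendar.TUESDAY, 2)


def second_wednesday(year: int, month: int) -> date:
    """What a naive 'second Wednesday of the month' schedule actually fires on."""
    return nth_weekday(year, month, calendar.WEDNESDAY, 2)


def wednesday_after_patch_tuesday(year: int, month: int) -> date:
    """The intended deployment day: the Wednesday right after Patch Tuesday."""
    return patch_tuesday(year, month) + timedelta(days=1)


def second_wednesday_is_too_early(year: int, month: int) -> bool:
    """True when the second Wednesday precedes Patch Tuesday, i.e. the month starts on a Wednesday."""
    return second_wednesday(year, month) < patch_tuesday(year, month)


def problem_months(start_year: int, end_year: int) -> list:
    """All (year, month) pairs in the inclusive year range where the naive schedule fires too early."""
    return [
        (y, m)
        for y in range(start_year, end_year + 1)
        for m in range(1, 13)
        if second_wednesday_is_too_early(y, m)
    ]


def weekly_wednesday_ordinal(year: int, month: int) -> int:
    """For a job that runs EVERY Wednesday: which Wednesday of the month (2 or 3) is the
    one immediately after Patch Tuesday. This is the case the second reply describes."""
    target = wednesday_after_patch_tuesday(year, month)
    return (target.day - 1) // 7 + 1


if __name__ == "__main__":
    # Constructed sample months: the two named in the thread plus an ordinary month.
    for y, m in [(2020, 7), (2021, 9), (2020, 8)]:
        print(
            f"{y}-{m:02d}: Patch Tuesday {patch_tuesday(y, m)}, "
            f"2nd Wednesday {second_wednesday(y, m)}, "
            f"too early: {second_wednesday_is_too_early(y, m)}, "
            f"weekly job hits Wednesday #{weekly_wednesday_ordinal(y, m)}"
        )
    print("problem months 2020-2021:", problem_months(2020, 2021))
```

Running it confirms the two months named above (July 2020 and September 2021) and shows that with a weekly Wednesday job the post-Patch-Tuesday run is the third Wednesday in exactly those months and the second Wednesday otherwise; `problem_months` is the function to consult when planning a once-a-month window several years ahead.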
Thank you for the detailed responses, I greatly appreciate it. I am still going through them and learning about this process.
I could only mark one post as the answer when both are great.