3 Replies Latest reply on Jul 13, 2020 4:18 PM by Jared Schwartz

    Patch Tuesday

    Jared Schwartz
      Hello All,

      I am new to patch management and wanted to know how you handle patch scheduling and setup. It seems easy on the surface, but the more I dig in the more it drives me crazy.

      We don't have a huge number of machines and are a smaller shop, so less is more in our case. Internally we have discussed 4 patch groups (3 for testing).

      I was considering using a patch job to automate the first patch group, and then using a patch deployment for the remainder of the groups.

      Here is where I am getting stuck:

      1. Patch Tuesday. Management wants us to patch job 1 the day after Patch Tuesday to have them test the latest patches. This is more complicated than it seems, as I cannot for the life of me find a way to set the schedule for "the day after the 2nd Tuesday". As such, if I set the 3rd Wednesday, it can actually occur prior to the 2nd Tuesday due to what day the month starts on.

      2. Automation. We want to patch the machines at 6pm, and run it again the next day to catch the machines that were turned off the night before (hit the machine until it is patched). From what I can tell this is not possible with one patch job. To get around this limitation I had to split the first patch job into two patch jobs (the day after Patch Tuesday and two days after Patch Tuesday), and it looks like I have to manually adjust the dates of each every month, which will clear the history? (Two total patch jobs)

      I have not yet tested the Patch Deployment for groups 2-4, but it looks like a similar problem. Patch groups 2-4 need to be staggered in time behind patch job 1 (or behind Patch Tuesday) to avoid a problem if Microsoft drops a bad patch. It looks like each patch group will require two patch groups to cover the day after if the machine is off (6 total patch groups).

      How are you guys simplifying this or handling this?

      Thanks,

      J

        • 1. Re: Patch Tuesday
          Dominik Kress

          Hi Jared,

          Whenever I work with customers on Patch Management, the "Patch Tuesday" idea may come up or not. After a short discussion about it, customers normally ignore it and use their own patch cycle. BCM is able to patch >200 products and only MS has a Patch Tuesday.

          All patches which are released into the Patch Knowledgebase are pre-tested. This means that if the Outlook patch breaks Outlook it won't get into the Patch KB. It won't be tested whether the Outlook patch breaks your CTI plugin / Zoom plugin and so on.

          The day after the second Tuesday is the second Wednesday.

          As you already mentioned, it could be that the 2nd Wednesday is one week before the second Tuesday. This would happen if the Wednesday is the first day of the month, like this month (July 2020). This will happen again in September 2021. In my opinion this isn't an issue when your goal is to get a highly automated patch process.

          Personally I would never recommend patching only once a month, at least whenever you want to use what BCM offers (>200 products). Also, nearly all customers I worked with started with a test patch group, but after some time they removed the test patching completely, since it is too much work, and if a device breaks it's normally because the device had other issues and the installed patch was the last bit.

          2 - Yes, for your planned configuration you should consider two patch jobs. You may want to test setting the start time to 6pm and the end time to e.g. 11am. I did not test this special planning scenario, but it could work.

          I would recommend getting in touch with your BMC partner and booking an online consulting session for 4 or 8 hours to get a deep dive into patch management (do's & don'ts, Win10 build upgrade, troubleshooting). If you don't have a partner which is able to help you in this specific case, you may want to reach out to Steve Gibbs and book him. He is also active here in the communities. This engagement would really save you time in the long run.

          Things to consider:

          - Patch twice a week (Tuesday and Thursday)

          - Patch whatever standard software is installed on your devices and is supported with BCM (Firefox, Adobe Reader, Chrome and so on).

          - Activate Wake-On-LAN and set up your network for WoL. This is a great help to deploy Windows 10 build upgrades (which you should do at least once a year).

          - How to bring all your devices to a good patch level (if not already) so that there aren't a lot of missing patches from week to week

          - Critical devices and non-critical devices?

          Please let me know if you have any additional questions.
          • 2. Re: Patch Tuesday
            Steve Gibbs

            I work with all types of customers, from small manufacturers to large federal government customers. Every customer has their own unique set of policies and the methods used to comply with those policies. Some customers are very aggressive where security is paramount and they set up Patch Jobs to run every day, where others have devices assigned to jobs that only run once a quarter (typically medical facilities, where devices staying online is paramount to a patient's survival).

            If you wish to have the patch job run on the Wednesday following the second Tuesday of every month, then you may have limited options to guarantee this schedule. Below is one scenario you could use. I feel it is too restrictive, but some customers use it, especially if they are restricted to a once a month maintenance window:

            Configure the Patch Manager to only run once a month to download the KB from Ivanti.

            Then set your patch job to run EVERY Wednesday. This way, for those months where Wednesday is the first day of the month and it is therefore the third Wednesday of the month that follows the second Tuesday of the month, you will still patch on the first day following the Microsoft Tuesday.

            Here are the downsides:

            • Microsoft will release additional patches later in the month to "FIX" the patches that were released on Patch Tuesday. You will need to wait until the next patch cycle and you will not be able to deploy the patch, because you have set the schedule to only download the patch KB once monthly.
            • Critical and Important patches are released regularly throughout the month and you will be unable to deploy them until your maintenance window.

            The benefits are:

            • What you test using patch jobs will not change until after your cycle completes. Because you only download the Patch KB once a month, you can be assured that no new patches creep in and get deployed to production that were not tested.
            • Reports will be more concise due to having a static number of patches required, beginning at the time you download the KB until the next time you download the KB. This way, management will see the progress more clearly without cluttering the inventory with newer patches that were released after your initial testing.

            Just food for thought! Also, most customers start off with great ideas, but after some time they will just use Patch Jobs and "set it and forget it". As Dominik mentioned, there is a lot of testing done BEFORE patches are added to the KB, thus saving you, the customer, the grief.

            Steve
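Added example, not code from the thread or from BCM: a small Python calendar helper for the two scheduling points raised above, Dominik's observation that a fixed "2nd Wednesday" rule misses the day after Patch Tuesday in months that start on a Wednesday (July 2020, September 2021), and Jared's plan of staggered patch groups each with a next-day retry run. The one-week stagger between groups and the one-day retry are assumptions for illustration.

```python
from datetime import date, timedelta

TUESDAY, WEDNESDAY = 1, 2  # date.weekday(): Monday == 0


def nth_weekday(year: int, month: int, weekday: int, n: int) -> date:
    """Return the n-th occurrence of `weekday` in the given month (n starts at 1)."""
    first = date(year, month, 1)
    d = first + timedelta(days=(weekday - first.weekday()) % 7 + 7 * (n - 1))
    if d.month != month:
        raise ValueError(f"no occurrence {n} of weekday {weekday} in {year}-{month:02d}")
    return d


def patch_tuesday(year: int, month: int) -> date:
    """Microsoft's Patch Tuesday: the second Tuesday of the month."""
    return nth_weekday(year, month, TUESDAY, 2)


def day_after_patch_tuesday(year: int, month: int) -> date:
    """Target for patch job 1: the Wednesday directly after Patch Tuesday."""
    return patch_tuesday(year, month) + timedelta(days=1)


def fixed_wednesday_rule_drifts(year: int, month: int, n: int) -> bool:
    """True when a fixed 'n-th Wednesday' schedule is NOT the day after Patch Tuesday."""
    return nth_weekday(year, month, WEDNESDAY, n) != day_after_patch_tuesday(year, month)


def drifting_months(year: int, n: int = 2) -> list:
    """Months of `year` in which the fixed n-th-Wednesday rule misses the target."""
    return [m for m in range(1, 13) if fixed_wednesday_rule_drifts(year, m, n)]


def group_schedule(year: int, month: int, stagger_weeks=(0, 1, 2, 3), retry_days: int = 1) -> dict:
    """Run dates for patch groups 1..N, each with a retry run for machines that were off.

    Assumed plan: group k runs stagger_weeks[k-1] weeks after the day following Patch
    Tuesday, and again retry_days later (the 'hit it until it's patched' second job).
    """
    base = day_after_patch_tuesday(year, month)
    return {
        f"group{k}": [base + timedelta(weeks=w), base + timedelta(weeks=w, days=retry_days)]
        for k, w in enumerate(stagger_weeks, start=1)
    }


if __name__ == "__main__":
    for y, m in ((2020, 7), (2021, 9)):  # both months start on a Wednesday
        print(y, m, "Patch Tuesday:", patch_tuesday(y, m), "2nd Wednesday:",
              nth_weekday(y, m, WEDNESDAY, 2), "target:", day_after_patch_tuesday(y, m))
    print("2020 months where '2nd Wednesday' drifts:", drifting_months(2020))
```

Running the block prints July 2020 and September 2021 side by side, showing the 2nd Wednesday landing a week before Patch Tuesday in both, which is exactly the case a weekly Wednesday job (Steve's option) absorbs.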
            • 3. Re: Patch Tuesday
              Jared Schwartz

              Thank you for the detailed responses, I greatly appreciate it. I am still going through them and learning about this process.

              I could only mark one post as the answer when both are great.

              Thanks,

              J