Wanted to get some additional thoughts and feedback from others around current methods of facilitating MS patches to end clients in a semi-automated fashion. In our specific case, we have multiple different clients that we provide recurring patching for. We used to manually create baselines each month on MS Patch Tuesday to incorporate that month's patching. Patch Policies alleviate us from having to do that now.
Our approach today is pretty hands-on, and we are looking for approaches to potentially streamline these efforts. Here is our high-level setup/approach today:
1. End clients each have an automatic group that contains their end servers. Some clients have multiple due to request (ex: Patch Group 1 first, Patch Group 2 once Group 1 is complete, etc.).
2. Utilize BF WebUI Patch Policies for setting the recurrence schedule for deployment of patches.
   - All patches are filtered so only critical, important, moderate, and low Microsoft OS Security Patches are deployed.
3. Create a scheduled task in 3rd-party software to run an API call to the BES Server to take action with the BES Unlock task against the respective computer group to unlock. This aligns with the maintenance window in #2. This same 3rd-party software also issues a POST to the BES Server to run the BES Lock task after the end of the maintenance window.
While the above works today, it's still labor-intensive to set up and manage, and as you can see there is definitely room for failure if any one component doesn't work successfully. In the end, we would like to identify an approach to set up a schedule for a computer group, unlock the endpoints at the start of the window, run MS patches based on our mentioned patch criteria in #2, and lock the endpoints when complete. We have explored the built-in maintenance windows that will unlock/lock endpoints, but that doesn't work when you have more than one maintenance window for endpoints. I look forward to hearing others' approaches to a streamlined patching effort.
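An added example of the unlock/lock half of the workflow described in the post (this is not the poster's tooling or HCL/IBM code). The point it makes is about the failure mode the post worries about: instead of one job that unlocks at the start of the window and a second, independent job that locks at the end, both actions are submitted together at the start, with the relock carrying a relative start offset equal to the window length, and the relock is submitted first so a failed API call leaves the endpoints locked rather than open. Assumptions, to be checked against your own root server's BES.xsd and REST API documentation: `POST https://<server>:52311/api/actions` accepts a `<BES><SingleAction>` document with Basic auth; `Settings/StartDateTimeLocalOffset` is an xs:duration relative to submission time; the response is `<BESAPI><Action><ID>`; and the ActionScript commands `action unlock` and `action lock indefinite` drive the client lock. Targeting by a client setting named `PatchGroup` is a convention invented for this example, not something the post describes; a `SourcedFixletAction` against the BES Support lock/unlock tasks would be the closer equivalent of what the poster runs today.

```python
"""One maintenance window, two BES actions, submitted together (example code,
not the original post's tooling). See the lead-in for the assumptions made
about the BES REST API, the BES.xsd element order, and the ActionScript lock
commands; verify them against your own server before relying on this."""
import base64
import ssl
import urllib.request
import xml.etree.ElementTree as ET

BES_PORT = 52311
BES_ROOT_ATTRS = {
    "xmlns:xsi": "http://www.w3.org/2001/XMLSchema-instance",
    "xsi:noNamespaceSchemaLocation": "BES.xsd",
}


def build_single_action(title, action_script, target_relevance, start_offset=None):
    """Serialize a SingleAction; child element order follows the schema (assumed)."""
    bes = ET.Element("BES", BES_ROOT_ATTRS)
    act = ET.SubElement(bes, "SingleAction")
    ET.SubElement(act, "Title").text = title
    ET.SubElement(act, "Relevance").text = "true"
    ET.SubElement(act, "ActionScript",
                  MIMEType="application/x-Fixlet-Windows-Shell").text = action_script
    ET.SubElement(act, "SuccessCriteria", Option="RunToCompletion")
    settings = ET.SubElement(act, "Settings")
    ET.SubElement(settings, "HasStartTime").text = "true" if start_offset else "false"
    if start_offset:
        # Relative start (e.g. PT6H): the relock time is fixed at submit time.
        ET.SubElement(settings, "StartDateTimeLocalOffset").text = start_offset
    target = ET.SubElement(act, "Target")
    # ElementTree escapes markup characters in the relevance text for us.
    ET.SubElement(target, "CustomRelevance").text = target_relevance
    return '<?xml version="1.0" encoding="UTF-8"?>\n' + ET.tostring(bes, encoding="unicode")


def group_relevance(patch_group):
    """Target by a client setting (example convention) rather than a group ID, so a
    mistyped name matches zero machines instead of another customer's servers.
    Relevance is a query language: refuse names that could break out of the literal."""
    if '"' in patch_group or "%" in patch_group:
        raise ValueError("patch group name must not contain quotes or percent signs")
    return f'value of setting "PatchGroup" of client = "{patch_group}"'


def build_window_actions(patch_group, window_hours):
    rel = group_relevance(patch_group)
    unlock = build_single_action(f"{patch_group}: unlock for patch window",
                                 "action unlock", rel)
    relock = build_single_action(f"{patch_group}: relock after patch window",
                                 "action lock indefinite", rel,
                                 start_offset=f"PT{int(window_hours)}H")
    return unlock, relock


def parse_action_id(response_xml):
    """Pull the new action's ID out of the POST response (assumed shape), or raise."""
    node = ET.fromstring(response_xml).find("./Action/ID")
    if node is None or not node.text:
        raise RuntimeError("server did not return an action ID")
    return int(node.text)


def run_window(post, patch_group, window_hours):
    """Fail closed: submit the delayed relock first. If that POST fails, the unlock
    is never sent, so an API or scheduler failure leaves the endpoints locked."""
    unlock, relock = build_window_actions(patch_group, window_hours)
    relock_id = parse_action_id(post(relock))
    unlock_id = parse_action_id(post(unlock))
    return {"relock": relock_id, "unlock": unlock_id}


def bes_poster(server, user, password, ca_bundle=None):
    """Return a post(xml) closure for the real root server over verified TLS.
    Use a least-privilege operator account scoped to the target group."""
    url = f"https://{server}:{BES_PORT}/api/actions"
    ctx = ssl.create_default_context(cafile=ca_bundle)  # keep certificate checks on
    token = base64.b64encode(f"{user}:{password}".encode()).decode()

    def post(xml_body):
        req = urllib.request.Request(
            url, data=xml_body.encode("utf-8"), method="POST",
            headers={"Authorization": f"Basic {token}",
                     "Content-Type": "application/xml"})
        with urllib.request.urlopen(req, context=ctx, timeout=30) as resp:
            return resp.read().decode("utf-8")
    return post


def demo():
    """Offline dry run with a fake transport; records the submission order."""
    sent = []

    def fake_post(xml_body):
        sent.append(ET.fromstring(xml_body).find("./SingleAction/Title").text)
        # Constructed response in the shape the REST API is assumed to return.
        return f'<BESAPI><Action Resource="x"><ID>{100 + len(sent)}</ID></Action></BESAPI>'

    ids = run_window(fake_post, "Client1-Group1", 6)
    return sent, ids


if __name__ == "__main__":
    print(demo())
```

For a client with two patch groups, run `run_window` once per group with its own offset; because each relock is scheduled on the server at submission time, the scheduler that fires at the start of the window is the only external moving part, and if it never fires nothing is unlocked. Swap `demo`'s fake transport for `bes_poster(...)` to talk to a real root server, and keep the operator credential in a secret store rather than in the scheduler's job definition.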