Would love some feedback on my patching policy

Hello everyone,
I’m new to BigFix and would like to consult with you about the logic of my patching policy. Before I start, please take into consideration that a work week in my country is Sunday-Thursday :slight_smile:

So I have 2 policies:

  1. Monthly policy that refreshes every 2nd Thursday - So the logic here is that I give BigFix a couple of days to implement patches because they’re probably not available as soon as Microsoft releases new patches on the 2nd Tuesday. 2 days after Patch Tuesday should be enough I hope.
    1.1. The first schedule I put in this policy is “validation group” which consists of test hosts. The schedule is set for the 2nd Thursday (just like the refresh). So the logic here again is that after the refresh, those patches will be deployed on the same day. If it matters, the refresh is at 5AM and the deployment is at 5PM.
    1.2. The second schedule is the “production group”. It’s set to the 3rd Monday which should give me enough time to notice if anything breaks in the test group.

  2. The other policy I have is the “Validation policy”. It refreshes daily.
    2.1. The first schedule is deployed to a test group every Monday.
    2.2. The other schedule is deployed to a test group every Wednesday.
    The logic behind this policy is that some updates are becoming available outside of the “patch Tuesday” and I would like to test those “surprise updates” almost on a daily basis.

With all that being said, I have a few questions:

  1. What about “patch duration”? How long should I give it and what does it depend on?
  2. How do I handle reboots? I set the schedules to not reboot.
  3. Anything else I missed? I’ll be glad to receive tips and tricks on this subject. Please assume I know practically nothing about BigFix although I did go through the entire patching docs.

Thank you :slight_smile:

Welcome to BigFix!
Most of that looks well thought-out. I may have a couple of comments on it later but looks like a great start.

This is how long the Action will stay Open. How long to set the duration depends a lot on what you’re doing.
A group of Servers that need to patch between 10pm and 2am? Set that as the duration.
A group of Laptops that might be turned off when the patching starts but need to catch-up when they come back online? Maybe 30 days (at which point we expect next month’s patches to be ready).

Again, It Depends™. For the server groups, some customers let the Patch Policy reboot after (with a shorter schedule for their servers) or set up a separate Policy Action - like reboot once a week on Friday at 2am when the server is “Pending Restart”.
For laptops we usually just let Patch Policy do the reboots or sometimes a Policy Action to give a message asking them to reboot, once a day while “Pending Restart”.

I’d need to look at the PP interface, I don’t have it handy now, but…there’s an edge case where “Third Monday of the Month” might not be the one right after patch Tuesday. If the month begins on a Tuesday, then the first Monday comes after the first Tuesday, and after the second Tuesday comes the second (not third) Monday.
I think PP allows a schedule like “Six days after the second Tuesday” which would guarantee the Monday following Patch Tuesday.

One other thing to be aware of, Patch Policy only includes those fixlets that have a Default Action - otherwise we deem it might not be safe to auto-deploy.
Things like SQL service packs often don’t have a Default Action so you still need to check the console once in a while to see if anything’s getting missed.

2 Likes
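The “third Monday” edge case in the reply is easy to check for a whole year with a few lines of calendar arithmetic. The script below is an added example, not code from the thread or from BigFix; it uses only the Python standard library. It compares the fixed “Nth weekday” rules in the original post against dates computed relative to Patch Tuesday (second Tuesday plus an offset, the style of schedule the reply suggests). It also goes one step beyond the reply and applies the same comparison to the “second Thursday” refresh/validation rule: in any month that starts on a Wednesday or a Thursday, the second Thursday falls before the second Tuesday, so a refresh scheduled that way runs a week before the new patches exist. The year 2024 in the usage block is a constructed sample; any year works.

```python
from datetime import date, timedelta
import calendar


def nth_weekday(year: int, month: int, weekday: int, n: int) -> date:
    """Date of the n-th occurrence of `weekday` (calendar.MONDAY..SUNDAY) in a month.

    Safe for n <= 4: the latest possible result is day 28, so no overflow handling is needed.
    """
    first = date(year, month, 1)
    offset = (weekday - first.weekday()) % 7  # days from the 1st to the first such weekday
    return first + timedelta(days=offset + 7 * (n - 1))


def patch_tuesday(year: int, month: int) -> date:
    """Microsoft's Patch Tuesday: the second Tuesday of the month."""
    return nth_weekday(year, month, calendar.TUESDAY, 2)


def month_report(year: int, month: int) -> dict:
    """Compare the fixed 'Nth weekday' rules from the post with Patch-Tuesday-relative dates."""
    pt = patch_tuesday(year, month)
    return {
        "patch_tuesday": pt,
        # policy refresh and validation-group deployment in the post
        "second_thursday": nth_weekday(year, month, calendar.THURSDAY, 2),
        "thursday_after_pt": pt + timedelta(days=2),
        # production-group deployment in the post
        "third_monday": nth_weekday(year, month, calendar.MONDAY, 3),
        # "six days after the second Tuesday": always the Monday right after Patch Tuesday
        "monday_after_pt": pt + timedelta(days=6),
    }


def months_with_gaps(year: int) -> list:
    """(month, description) for every month where a fixed 'Nth weekday' drifts from Patch Tuesday."""
    gaps = []
    for month in range(1, 13):
        r = month_report(year, month)
        if r["third_monday"] != r["monday_after_pt"]:
            # happens only when the month begins on a Tuesday
            gaps.append((month, "third Monday is a week later than the Monday after Patch Tuesday"))
        if r["second_thursday"] < r["patch_tuesday"]:
            # happens when the month begins on a Wednesday or Thursday
            gaps.append((month, "second Thursday refresh/validation runs before Patch Tuesday"))
    return gaps


if __name__ == "__main__":
    year = 2024  # constructed sample year
    for month, why in months_with_gaps(year):
        r = month_report(year, month)
        print(f"{calendar.month_name[month]} {year}: PT={r['patch_tuesday']} "
              f"2nd Thu={r['second_thursday']} 3rd Mon={r['third_monday']} "
              f"PT+6={r['monday_after_pt']} -> {why}")
```

For 2024 the script flags October (starts on a Tuesday, so the third Monday is the 21st while the Monday after Patch Tuesday is the 14th) and February, May and August (second Thursday before Patch Tuesday). Expressing every schedule as an offset from the second Tuesday removes both kinds of drift.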