Patch Scanning & Deployment Best Practices - Considerations

Version 1

    Additional Considerations for Patch Scanning & Deployment

     

    Testing Patches

     

    It is best practice to test patch installation in a staging/test environment before patching your production systems. This is especially important when updating servers and when custom software runs in your environment. By testing the installation of patches first you can avoid a lot of headaches in case an update breaks the compatibility of some component or application that software in your environment depends on.

     

    Factor testing time into your estimate of how long it will take to push new updates out.

     

    Bandwidth and Timing Considerations

     

    Scanning does not use much bandwidth. However, if the connection is very slow or has high latency, agent-less scans will take a very long time to finish. You can read more about this and possible workarounds here: Troubleshooting Slow Patch Scans In Shavlik Protect

     

    Deploying patches is where bandwidth considerations come into play.

    As an example, let's say you're deploying an average of 20 new patches each month to 100 systems. The average patch size is around 30 MB, with some much smaller and some much larger. If you use regular agent-less deployment, all 20 patches will be pushed to each of the 100 systems, so the total traffic is the product of the three figures:

    20 x 100 x 30 MB = 60,000 MB (60 GB) of traffic that will go over your network each month.

     

    Deploying these patches in your environment is going to have a big impact on bandwidth. Take these things into account:

    • Consider the limitations of your network.
    • Will deploying during peak (operational) hours cause slowness of other more important traffic?
    • Where are all the systems located? Those reached over a WAN link will have a much slower connection, and patches may fail to copy or take longer than the maintenance window to copy.

     

    Timing is another thing to consider.

    You might have a maintenance window of only a few hours in the middle of the night. The scheduling options in Protect are very helpful here. However, also consider how long it will take to copy the patch files to all of your target machines: will that time, plus the time it takes for installation to complete, fit into your maintenance window?

     

    Options to Minimize Impact:

    There are a couple of things you can do to minimize the impact of agent-less patch deployment with Protect:

    1. Copy patch files ahead of time - There is an option to only copy the patch files rather than copy and run the installation. This allows you to copy the files at a different time than when you plan to actually deploy the patches, so only the installation has to fit inside the maintenance window.
    2. Use a distribution server - This is especially helpful if you are using agent-less deployment to machines in remote locations. You can have a 'Distribution Server', essentially a Windows share hosting the patch files, located at each remote site so that the files cross the WAN once and are then fetched over the local network by the systems at that site.
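    The following is an added planning example, not code from Shavlik Protect or from the original article. It carries the traffic estimate above (patches x systems x average size) through to the timing question: for each site it computes how many bytes cross the WAN and whether copy time plus install time fits the maintenance window, then shows the effect of the two options just listed (copying files ahead of time, and staging them on a distribution server). The site names, link speeds, install time and window length are constructed figures; the copy-time model (all targets at a site share one link, copies run back to back) is an assumption chosen to be conservative.

```python
"""Planning helper for agent-less patch deployments.

Added example, not part of Shavlik Protect or the original article. It
models the article's traffic estimate (patches x systems x average size)
and checks whether copy time plus install time fits a maintenance window,
with and without the two mitigations the article describes: copying patch
files ahead of time and staging them on a distribution server at the
remote site. Site names, link speeds and install times below are made up.
"""
from dataclasses import dataclass

MB = 1_000_000  # bytes per MB, decimal, matching the article's "30 MB" figure


@dataclass
class Site:
    name: str
    systems: int
    link_mbps: float                   # usable throughput console -> site (Mbit/s)
    distribution_server: bool = False  # patch files served from a local share?
    copied_ahead: bool = False         # files already on the targets before the window?
    lan_mbps: float = 1000.0           # share -> target throughput when staged locally


def deployment_bytes(patch_count: int, avg_patch_mb: float, systems: int) -> int:
    """Total bytes pushed if every patch is copied to every system.

    This is the article's 20 patches x 100 systems x 30 MB case.
    """
    return int(patch_count * avg_patch_mb * MB * systems)


def minutes_to_copy(total_bytes: int, mbps: float) -> float:
    """Time to move total_bytes over a shared link of mbps, assuming the
    targets share that link and copies run back to back (conservative)."""
    return total_bytes * 8 / (mbps * 1_000_000) / 60


def site_plan(site: Site, patch_count: int, avg_patch_mb: float,
              install_minutes: float, window_minutes: float) -> dict:
    """Estimate WAN traffic and in-window time for one site."""
    per_system = int(patch_count * avg_patch_mb * MB)
    if site.distribution_server:
        # One copy crosses the WAN to stage the share; targets pull over the LAN.
        wan_bytes = per_system
        copy_minutes = minutes_to_copy(per_system * site.systems, site.lan_mbps)
    else:
        wan_bytes = per_system * site.systems
        copy_minutes = minutes_to_copy(wan_bytes, site.link_mbps)
    if site.copied_ahead:
        # Files were pushed outside the window; only installation remains.
        copy_minutes = 0.0
    total = copy_minutes + install_minutes
    return {
        "site": site.name,
        "wan_gb": wan_bytes / 1e9,
        "copy_minutes": round(copy_minutes, 1),
        "total_minutes": round(total, 1),
        "fits_window": total <= window_minutes,
    }


if __name__ == "__main__":
    PATCHES, AVG_MB, INSTALL, WINDOW = 20, 30, 45, 180  # constructed figures
    print(f"Whole estate: {deployment_bytes(PATCHES, AVG_MB, 100) / 1e9:.0f} GB")
    for s in (
        Site("HQ", 100, link_mbps=1000),
        Site("Branch", 20, link_mbps=10),
        Site("Branch (dist server)", 20, link_mbps=10, distribution_server=True),
        Site("Branch (copied ahead)", 20, link_mbps=10, copied_ahead=True),
    ):
        print(site_plan(s, PATCHES, AVG_MB, INSTALL, WINDOW))
```

    With these constructed inputs the 20-system branch on a 10 Mbit/s link needs about 160 minutes just to copy 12 GB, so a 3-hour window is blown once a 45-minute install is added; staging the files on a distribution server cuts the WAN traffic to one 600 MB copy and the in-window copy to under two minutes, and copying ahead of time removes the copy from the window altogether. Replace the link speeds with measured throughput, not nominal circuit speed, before trusting the result.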

     

    Back to Patch Scanning And Deployment Best Practices Guide (Agentless)