As I know this is very critical task all the IT admin and
IT managers. And this must be in place as per the security compliance.
If you’re not in up to date patch level, definitely your
environment in high vulnerable situation.
This article will explain to you how you can do more than
95% Windows client patch compliance in the security reports.
Solution – Implement System Center Configuration Manager
(SCCM)
KEY FACTS
Correctly Design your SCCM Architecture - Consideration
for the correct Architecture
Numbers of Connecting
Devises,
Numbers of Remote Site,
Remote Site Bandwidth,
Numbers of Application and
Image and capacity of them,
Integrate Intune – If you want
to manage devices which are non-join domain and non-Windows Operating System,
Integrate WSUS,
Correctly Assign Job Role what your
expecting with SLAs
Patch
Admin – Manage and Distribute all the patches
Image
Admin – Test and Deploy correct image to required devises
App
Admin – Test and deploy correct Apps to correct user or devise groups
KEY BENEFITS
Patch
Management and Reporting
Application
Management and Reporting
Assets
Reporting and Inventory – Asset Intelligent
Operating
System Deployment (OSD)
Settings
Management (DCM)
End
Point Protection
In this Article we are considering only How to do the More
than 95% Windows Client Patch Compliance
Guidelines for How to do the More
than 95% Windows Client Patch Compliance
Purpose –
Ensure timely delivery of
Security updates, help make environment secure and provide consistent user experience.
Target Compliance –
Deploy active exploit update to 95% of computers with three
business days.
Deploy
critical update to 95% of computers within seven business days.
Compliance period – Comply
within 3 or 7 business days, as appropriate.
Recommended Patching Process –
Pre-Update Deployment –
Silent, Interactive or on-demand patching you
can choose for this.
Create
Patch testing Groups with covering all the Operating Systems & application,
Provide
better awareness session about patch testing collection devices users,
Prior
notice them, before start deployment,
Deploy,
Monitor, Create Risk Mitigation plan, Request Feedback.
Patching
testing period define as 7 days with starting patch Tuesday.
Update Deployment –
Production
deployment with Silent Patching.
Enforce
Restart if it required,
User
Receives Initial restart notification at the 120th minute, and
Final
restart notification at the 60th minute.
The user
continues to receive a restart notification until the system has been
restarted.
Post-update Deployment
Confirm
deployment using reports statics
Cleanup
process
Document
Publish
Final report to all stakeholders
Best Practices
People – Make sure that
security of the environment is the TOP PRIORITY
Process –
Communicate
to users every month about patch Tuesday
Deploy
update consistently after the validation phase is complete
Preform
quality control on the test deployment before release to production
Monitor
and remediation any issues if you face quickly
Remove
expired update periodically
Technology –
Maintain
98% client heath all the time
Defined
correct boundaries and boundary group with including correct site servers
Deploy
Automatic Patch Deployment rules for each device collections
Use
WSUS to install the configuration manager client
Verify
SCCM Client settings
Weekly
or at least Monthly Client PC restart schedule
