Whether you are working with an EDF based selection method or adding machines to groups manually it’s always easier to avoid mistakes when the patching groups your’re working with have names that clearly define what they do to the machines added to them. Our first advice is to never create groups that cater directly to an individual client ex: “Acme Corps Workstations” should be avoided. Instead, work down a list of what your clients are in need of and build an appropriate naming scheme that can easily be expanded on as new clients have additional needs. For example, if the first subset of my clients are town halls that need workstations online from 7am to 4pm m-f, then patching can (and should) occur anywhere outside those hours to ensure systems are staying up to date on the most recent 0 day security patches.
Breaking it Down
Rather than making a client specific patch group and naming it
“Town Hall 1”
we should instead name it:
“Workstations – Everyday 1a-5a – R+30 +D”
This tells us the group is for workstations, patching happens every day of the week from 1am to 5am with a reboot window that is from 1am to 5:30am (R+30). The +D indicates that this group also has daytime patching enabled. By creating this group and naming it after what it does, we reduce confusion and allow more clients to be grouped into the same patch window making them easier to manage.
Expanding on this idea we can easily make a 6 basic patching groups:
Selling it to Clients
This requires a fundamental shift in how MSPs interact with clients on patching and can be difficult to present at first. Its best to shift the conversation from “When would you like to patch?” to advising clients on best patching practices ex: “We have X standard patching windows, with the majority of clients on an everyday patching schedule where we see the best . Which option works best for you?”. Facilitating this conversation and helping clients understand the importance of more frequent patching than they might have been used to only gets easier when you can present the percent of fully patched machines on more frequent groups against their own machines.