Keeping your organization’s systems and software up-to-date is a critical part of maintaining security and stability in the ever-evolving landscape of IT. ConnectWise Automate Patch Manager is a powerful tool that helps you automate the patching process and ensure that your systems are protected from vulnerabilities. To make the most of this tool, let’s explore some best practices for configuring the Patch Manager in ConnectWise Automate.
Before we go into the technical best practices, I would like to outline a few things that need to be considered prior to setting up your new patching schedule.
- Understand Your Environment
  - Before enabling patch management across the board, it is important to fully understand how patching is going to affect your clients' environments. For example, if certain servers do not come up properly after a reboot, patching will need to be handled differently on those machines and may require tickets to be generated so they can be rebooted manually.
- Define your Default Patch Policies
  - It is important to discuss internally how you would like to see patching happen. The simpler it is, the easier it will be on everyone. Select a default time to patch servers as well as workstations (these are generally different times). If you are patching 3rd party apps, that must also be considered.
- Implement Patch Rollback Procedures
  - It is important to be prepared for any unexpected behavior caused by a patch being installed. Sometimes patches can cause issues, and having a plan in place to revert systems to their previous state can help minimize downtime and disruptions.
Patch Manager – Important Notes
There are two parts to the Patch Manager configuration that you need to be aware of. It is important that you understand how the patch manager works before going into too much detail:
- The first thing that needs to be understood is the priority levels on the Groups tab within Patch Manager. Contrary to general logic, ConnectWise has configured the plugin so that a group's priority increases the lower it sits in the list: the bottom group has the highest priority.

- The next thing that I would like to point out is that if you look at the screenshot above, you will notice that there are two types of groups, one for approvals and one for patch installs. This is best practice, and they should be kept separate for best results. Additionally, one Approval Policy assigned per group is recommended.
- Another thing to note is that there can only be one Update and Reboot policy per machine, but approval policies get combined based on priority level.
  - For example, if Patch A is approved under the 'Approvals – Default' policy but denied in the 'Approvals – Workstations' group, any machine that exists in that group will get the higher-priority setting (which in this case would be the denial of Patch A).
Best Practices – Technical Deep Dive
- Update and Reboot Policy – Best Practices:
  - Workstations:
    - Update Policy: Everyday 3-5 am
    - Daytime Patching: Enabled
    - Do not patch if uptime is less than 30 minutes.
    - Create Windows Restore Point: Checked
    - Service Branch: Do Nothing
    - Defer feature and quality updates: Set to 0
    - Windows Update Agent Mode: 'Managed Mode' or 'Managed Mode – UI Disabled'
    - Prompt Interval: 120 minutes
    - Deadline: 48 – 72 hours
    - Reboot if no user logged on: Enabled
    - Wake on LAN: Disabled
  - Servers:
    - Update Policy: <Day of Week> 3-5 am (choose what day you would like to perform updates for servers)
    - Daytime Patching: Enabled
    - Create Windows Restore Point: Checked
    - Service Branch: Do Nothing
    - Defer feature and quality updates: Set to 0
    - Windows Update Agent Mode: 'Managed Mode' or 'Managed Mode – UI Disabled'
    - Reboot Behavior: During Windows Update
    - Extend Reboot Window: 30 minutes
    - Patch Reboot Mode: 'Now' or 'Ask then Allow'
    - Set a Maintenance Window for the reboot that ignores alerts and scripts, with a 15-30 minute duration.
  - Servers – Domain Controllers:
    - It is recommended to set up Domain Controllers to patch at a different time than other servers, to prevent issues if a domain controller is not online when other servers reboot.
- Approval Policy – Best Practices (these should be on the Approvals – Default policy):
  - Auto-Approve: All Categories EXCEPT Bing Bar, Bing Service, Drivers, and Upgrades
  - Auto-Ignore: Drivers
  - By title: Language and Preview
  - Test Group: 3 days
  - Pilot Group: 4 days
  - On the server approvals group, set the Server Overrides approval policy. This is to be used only when you would like to manually deny a patch for all servers.
- Approvals – Workstations
  - Set the Workstation Override policy on this group.
  - This is to be used when you would like to manually deny a patch for all workstations.
  - Auto-Approve: All Categories EXCEPT Bing Bar, Bing Service, Drivers, and Upgrades
  - Auto-Ignore: Drivers
- Custom Groups/Client-Level Exclusions
  - All custom configurations that do not fall under the above configurations need to be positioned below the default groups to ensure they have the higher priority.
  - Simply make a group populated with all of the agents you would like this different configuration applied to, and set up the custom Update and Reboot policies on it.
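The precedence rules above (approval policies combine by group priority, with the lowest listed group winning, and custom groups needing to sit below the defaults) are easy to get wrong when reading the Groups tab. The following is an added illustration, not ConnectWise code: it models a Groups tab as an ordered list, resolves the effective decision for one agent and one patch, and flags custom groups listed above a default group. Group names, agent names and the patch titles are constructed.

```python
"""Model of how Patch Manager combines approval policies by group priority.

Added illustration, not ConnectWise code. Assumptions: the list order mirrors
the Groups tab, where a group lower in the list has HIGHER priority; an
approval policy is a mapping of patch title -> "approve" / "deny", and a patch
missing from a policy means that policy does not mention it.
"""
from dataclasses import dataclass, field


@dataclass
class ApprovalGroup:
    name: str
    members: set                                  # agents in this group
    policy: dict = field(default_factory=dict)    # patch -> "approve"|"deny"


def effective_decision(agent, patch, groups_top_to_bottom):
    """Return (decision, winning group) for one agent and one patch.

    Walks the Groups tab top to bottom; every matching group that mentions
    the patch overrides the earlier result, so the lowest listed group wins.
    """
    decision, source = "unset", None
    for group in groups_top_to_bottom:
        if agent in group.members and patch in group.policy:
            decision, source = group.policy[patch], group.name
    return decision, source


def misordered_groups(groups_top_to_bottom, defaults=("Approvals - Default",)):
    """Names of non-default groups listed ABOVE the last default group.

    Such groups have a lower priority than the default and so cannot override
    it, which is the mistake the 'Custom Groups' advice warns about.
    """
    names = [g.name for g in groups_top_to_bottom]
    positions = [names.index(d) for d in defaults if d in names]
    if not positions:
        return []
    last_default = max(positions)
    return [n for i, n in enumerate(names) if i < last_default and n not in defaults]


# Constructed sample mirroring the post's 'Patch A' example (hyphens used
# in place of the en dashes in the post's group names).
GROUPS = [
    ApprovalGroup("Approvals - Default", {"WS01", "WS02", "SRV01"},
                  {"Patch A": "approve", "Patch B": "approve"}),
    ApprovalGroup("Approvals - Workstations", {"WS01", "WS02"},
                  {"Patch A": "deny"}),
    ApprovalGroup("Custom - Finance", {"WS02"}, {"Patch B": "deny"}),
]
```

Running `effective_decision("WS01", "Patch A", GROUPS)` yields the denial from 'Approvals - Workstations', while `SRV01` keeps the default approval; moving 'Custom - Finance' above the default group would make `misordered_groups` report it.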
All in all, ConnectWise Automate Patch Manager is a powerful tool to help businesses streamline and enhance their patching processes. By adhering to the best practices outlined above, organizations can ensure their systems remain secure, resilient, and compliant. Embracing these best practices not only safeguards sensitive data and systems but also promotes a proactive approach to cybersecurity that is essential in today’s interconnected world.