Best practices for advanced patching with site tags and UDF values

BEFORE YOU BEGIN  Refer to Best practices for site tagging and Best practices for combining site tags and UDF values.

It is not standard for an MSP or internal IT department to patch all servers at the same time. Typically, patching is performed over the course of a month to reduce the risk of a bad patch being installed.

If you split a month into four weekly blocks, you can tag servers into a weekly block using a UDF value and then use filters to apply the correct patch policy.

PowerShell can be used to generate a random number between 1 and 4 using the following command (the -Maximum value of Get-Random is exclusive, so 5 yields the values 1 through 4):

$number = Get-Random -Minimum 1 -Maximum 5

You can use PowerShell to populate a UDF value by manipulating the corresponding registry value on the endpoint, meaning you can create an initial audit job that will assign your servers into a random patch group when the agent is installed.

New-ItemProperty -Path HKLM:\SOFTWARE\CentraStage\ -Name "Custom1" -PropertyType String -Value "$number"

NOTE  Replace Custom1 with the applicable UDF field as required (Custom1-30).

Using PowerShell, you can also identify the type of operating system you are currently executing against.

Run the following PowerShell command:

$osInfo = Get-WmiObject -Class Win32_OperatingSystem
$osInfo.ProductType

That command will return one of the following values:

  • Workstation (1)
  • Domain Controller (2)
  • Server (3)

You can wrap the random number generator inside this logic to ensure you are tagging only servers into a weekly patch group. You can create a component to run as part of the initial audit job.

Check if the return result is not equal to 1 (a workstation OS) and then generate a random patch week number and add the value to a UDF.

# ProductType: 1 = Workstation, 2 = Domain Controller, 3 = Server
$osInfo = Get-WmiObject -Class Win32_OperatingSystem

if ($osInfo.ProductType -ne 1) {
    Write-Host "Server OS Detected"

    # Random patch week 1-4 (-Maximum is exclusive)
    $number = Get-Random -Minimum 1 -Maximum 5

    # Write the week into the UDF via the agent's registry key
    New-ItemProperty -Path HKLM:\SOFTWARE\CentraStage\ -Name "Custom1" -PropertyType String -Value "$number"
}
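The component above assigns a new group every time it runs, and New-ItemProperty fails when the value already exists. The following is an added example, not Datto's own component code, that wraps the same OS check and random assignment in an idempotent form: it keeps a server in the week it was already given, only assigns a week when the UDF is empty or holds an invalid value, and overwrites with -Force so a re-run of the audit job does not error. The registry path HKLM:\SOFTWARE\CentraStage and the Custom1 value name come from this page; the $PatchWeeks variable and the keep-existing-value behaviour are assumptions of this example.

```powershell
# Added example, not part of the original page. Assumes the agent registry
# path and UDF value name shown earlier; $PatchWeeks is this example's own.
$UdfPath    = 'HKLM:\SOFTWARE\CentraStage'
$UdfName    = 'Custom1'   # replace with the UDF field you reserved (Custom1-30)
$PatchWeeks = 4           # number of weekly patch blocks in the month

# ProductType: 1 = Workstation, 2 = Domain Controller, 3 = Server
$osInfo = Get-WmiObject -Class Win32_OperatingSystem

if ($osInfo.ProductType -eq 1) {
    Write-Host "Workstation OS detected - no patch group assigned"
    exit 0
}

# Re-running the audit job must not shuffle a server into a different week,
# so a valid existing value is kept. -ErrorAction SilentlyContinue makes a
# missing property return $null instead of an error.
$existing = (Get-ItemProperty -Path $UdfPath -Name $UdfName -ErrorAction SilentlyContinue).$UdfName
$week = $existing -as [int]

if ($week -and $week -ge 1 -and $week -le $PatchWeeks) {
    Write-Host "Server already assigned to patch week $week - leaving unchanged"
    exit 0
}

# No valid assignment yet: pick a week at random (-Maximum is exclusive).
$number = Get-Random -Minimum 1 -Maximum ($PatchWeeks + 1)

# -Force overwrites an empty or invalid value instead of failing because the
# property already exists. Out-Null suppresses the returned property object
# so the component output stays readable in the job log.
New-ItemProperty -Path $UdfPath -Name $UdfName -PropertyType String -Value "$number" -Force | Out-Null
Write-Host "Server OS detected - assigned to patch week $number"
```

Because the check is -eq 1, domain controllers (ProductType 2) are assigned a week alongside member servers; if domain controllers should follow a separate patch policy, test for ProductType 2 before the random assignment and handle them there.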

Now that you have assigned servers to a patch group, you can create four filters, one for each week, each matching the corresponding value in the UDF.

You can now build your four new patch policies and assign the correct week filter to each one. Refer to Patch Management policy.

You now have a way of automatically enrolling a server using an initial audit job into a random weekly patch group and using filters to assign the correct patch policy.