7.0 Best Practices
Depending on the state of patch updates, the number and type of devices, and other variables in your management zone, you might initially have a significant number of patches being cached on the servers for distribution when you first apply patch policies. Patch policy implementation will incrementally reduce the patch workload over time. The information in this section will help you make good decisions both in the initial deployment of patch policies and in managing them over the long term.
Below are a few general recommendations for managing patches using ZENworks Patch Management:
- Inventory the organization’s IT resources to determine which hardware equipment, operating systems, and software applications are used within the organization.
- Monitor security sources for vulnerability announcements, patch and non-patch remediations, and emerging threats that correspond to the software within the organization’s inventory.
- Prioritize the order in which the organization addresses remediating vulnerabilities.
- Create patch policies in ZENworks Patch Management that are built on organizational priorities.
- Conduct testing of patches and non-patch remediations on IT devices that use standardized configurations.
- Oversee patch policy implementation.
- Distribute vulnerability and remediation information to local administrators.
- Perform automated deployment of patches to IT devices using patch policies.
- Reconfigure automatic update of applications whenever possible and appropriate.
- Verify vulnerability remediation through network and host vulnerability scanning.
- Train administrators on how to apply vulnerability remediations using patch policies.
- Verify that you have enough free disk space:
  - To initiate the patch scan, it is recommended that at least 500 MB of free disk space is available.
  - To deploy a Windows patch, the recommended minimum free disk space is at least 5x the size of the largest available patch. If you are deploying multiple patches, the recommended minimum is at least 5x the total size of the patches.
- The ZENworks Server schedules a Vulnerability Detection task for all ZENworks managed devices (servers and workstations) and compiles information on the operating system, hardware, and software.
The results of the scan are sent to the ZENworks Server and can be viewed anytime in the Patches section in the
page or in the page, even if a workstation is disconnected from your network.
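The free disk space recommendations above can be checked on a device before a scan or deployment is scheduled. The following is an added example, not part of ZENworks or its documentation; the function names, the `largest_available` parameter, and the use of binary megabytes are assumptions made for illustration.

```python
import shutil
from dataclasses import dataclass

MB = 1024 * 1024          # assumption: binary megabytes
SCAN_MIN_FREE = 500 * MB  # recommended free space before initiating a patch scan
DEPLOY_FACTOR = 5         # recommended multiple of patch size for Windows patches

@dataclass
class Check:
    required: int   # recommended free bytes
    free: int       # free bytes on the volume
    ok: bool
    shortfall: int  # bytes still missing, 0 when ok

def deploy_requirement(patch_sizes, largest_available=None):
    """Recommended free bytes for deploying patches of the given sizes (bytes)."""
    sizes = list(patch_sizes)
    if any(s < 0 for s in sizes):
        raise ValueError("patch sizes must be non-negative")
    if not sizes:
        return 0
    if len(sizes) == 1:
        # Single patch: 5x the largest available patch. Assumption: when the
        # caller does not say what else is available, the patch itself is used.
        return DEPLOY_FACTOR * max(sizes[0], largest_available or 0)
    # Multiple patches: 5x the total size of the patches.
    return DEPLOY_FACTOR * sum(sizes)

def _check(required, free):
    return Check(required, free, free >= required, max(0, required - free))

def preflight(path, patch_sizes, largest_available=None, free=None):
    """Compare free space on the volume holding `path` with both recommendations."""
    if free is None:
        free = shutil.disk_usage(path).free  # real measurement of the volume
    return {
        "scan": _check(SCAN_MIN_FREE, free),
        "deploy": _check(deploy_requirement(patch_sizes, largest_available), free),
    }

if __name__ == "__main__":
    # Constructed sample: three patches of 120, 40 and 15 MB on the current volume.
    for name, result in preflight(".", [120 * MB, 40 * MB, 15 * MB]).items():
        print(name, "OK" if result.ok else f"short by {result.shortfall // MB} MB")
```

Passing `free` explicitly lets the same check be applied to free-space figures collected from device inventory rather than measured locally.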