6.0 Best Practices

Depending on the state of patch updates, the number and type of devices, and other variables in your management zone, a significant number of patches might be cached on the servers for distribution when you first apply patch policies. Patch policy implementation will incrementally reduce the patch workload over time. The information in this section will help you make good decisions both when initially deploying patch policies and when managing them in the long term.

Below are a few general recommendations for managing patches using ZENworks Patch Management:

  1. Inventory the organization’s IT resources to determine which hardware equipment, operating systems, and software applications are used within the organization.

  2. Monitor security sources for vulnerability announcements, patch and non-patch remediations, and emerging threats that correspond to the software within the organization’s inventory.

  3. Prioritize the order in which the organization addresses remediating vulnerabilities.

  4. Create patch policies in ZENworks Patch Management that are built on organizational priorities.

  5. Conduct testing of patches and non-patch remediations on IT devices that use standardized configurations.

  6. Oversee patch policy implementation.

  7. Distribute vulnerability and remediation information to local administrators.

  8. Perform automated deployment of patches to IT devices using patch policies.

  9. Reconfigure automatic updates of applications whenever possible and appropriate.

  10. Verify vulnerability remediation through network and host vulnerability scanning.

  11. Train administrators on how to apply vulnerability remediations using patch policies.

The ZENworks Server schedules a Vulnerability Detection task for all ZENworks managed devices (servers and workstations) and compiles information on the operating system, hardware, and software.

The results of the scan are sent to the ZENworks Server and can be viewed at any time in the Patches section of the Patch Management page or on the Devices page, even if a workstation is disconnected from your network.