Third-party update approval best practices

If all you manage are Microsoft updates in your patch management environment, your update approval procedure is pretty straightforward: identify the updates you want to approve, and then approve them for the appropriate target groups. However, if you manage third-party applications with an automated patch management tool, you're probably faced with a lot more choices. Why? Because Microsoft only releases updates for their software, while third-party vendors like Adobe, Mozilla, and Oracle release full installers. Furthermore, with an automated patch management solution, you probably have two options for each third-party update: full-install and update-only. This gives you the flexibility to approve updates for only the computers that already have the software, or approve the full installer for all computers in a group so you can install it if they don't. So, which do you approve: the full installer, just the update, or both?

Best Practices for Approving Full and Update-only Installer Packages

In most cases, when you're updating third-party software with an automated patch management solution, you'll run into at least two scenarios:

Scenario #1

You want to update only systems that already have the product installed. In this case, publish and approve the update-only package. You don't even have to publish the full-install package.

Scenario #2

You want to ensure ALL systems have the current version of the program installed. In this case, publish and approve the full-install package. You don't have to publish the update-only package, since the full-install package also updates systems that already have the software.

Depending on the solution you use, you might also run into a third scenario. This is where SolarWinds Patch Manager can add some flexibility to the standard scenarios:

Scenario #3

You want to update only systems that already have the product installed, but you also want to make the program available to other systems on demand. In this case:

  • Publish and approve the update-only package.
  • Publish, but do not approve the full-install package.

SolarWinds Patch Manager allows you to deploy published updates/installers to managed clients on demand. In this scenario, you would have the full installer available on your WSUS server, and then use Patch Manager to deploy the software to specific computers when they need it. When you deploy the software, you can tell the Update Management Wizard to ignore the approval state on the target computer(s). That way, the Windows Update Agent installs the software even though it's not approved for the target computers in WSUS.
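Scenario #3 only holds while the full installer stays unapproved, so it is worth checking the approval state periodically. The script below is an added example, not part of the original article or of Patch Manager: it runs on the WSUS server with the UpdateServices module and flags drift from Scenario #3. The product filter and the assumption that package titles contain "Full" or "Upgrade" are hypothetical; adjust both to match your catalog.

```powershell
# Added example: audit WSUS approvals against Scenario #3
# (update-only package approved, full installer published but NOT approved).
param(
    [string]$Product        = 'Firefox',      # hypothetical product filter
    [string]$FullPattern    = '\bFull\b',     # assumed title naming, adjust as needed
    [string]$UpgradePattern = '\bUpgrade\b'   # assumed title naming, adjust as needed
)

$wsus = Get-WsusServer   # local WSUS server, requires the UpdateServices module

$updates = $wsus.GetUpdates() | Where-Object {
    $_.Title -match [regex]::Escape($Product) -and -not $_.IsDeclined
}

foreach ($u in $updates) {
    # Classify the package by title; skip anything that matches neither pattern.
    if     ($u.Title -match $FullPattern)    { $kind = 'Full' }
    elseif ($u.Title -match $UpgradePattern) { $kind = 'Upgrade' }
    else   { continue }

    # Target groups where this package is approved for installation.
    $groups = @($u.GetUpdateApprovals() |
        Where-Object { $_.Action -eq 'Install' } |
        ForEach-Object { $_.GetComputerTargetGroup().Name })

    if ($kind -eq 'Full' -and $groups.Count -gt 0) {
        # Approved full installer = software lands on machines that never had it.
        $status = 'DRIFT: full installer is approved'
    }
    elseif ($kind -eq 'Upgrade' -and $groups.Count -eq 0 -and -not $u.IsSuperseded) {
        # Current update-only package with no approval = installed copies stay unpatched.
        $status = 'GAP: update-only package is not approved'
    }
    else {
        $status = 'OK'
    }

    [pscustomobject]@{
        Title          = $u.Title
        Package        = $kind
        ApprovedGroups = $groups -join ', '
        Status         = $status
    }
}
```

Pipe the output to `Where-Object Status -ne 'OK'` to list only the packages that need attention.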

For additional information about update-only and full-install packages, check out this Q & A article on the SolarWinds Knowledge Base: What's the difference between FULL and UPGRADE packages?

To learn more about Patch Manager, the ideal patch management software, check out this video: Patch Manager Guided Tour - YouTube
