28 Replies Latest reply on Oct 3, 2013 2:57 PM by scott.williams

    King for a Day - What would you change?

    Carlo Costanzo

      For the past few weeks I've had some really good discussions around patch management.  The reasons why some people don't patch, the reasoning behind why people do patch, where it fits into an organization and who's role it typically falls under.  All of the conversations have been great and it is clear to me that patching is not just clicking update and walking away.  Patch management should be part of a robust, important and thought out procedure in almost every organization.  Big and small alike, the processes and challenges are pretty similar for all of us.


       

      As a last brainstorming event on the topic, I thought it would be interesting to play King (or Queen) for a Day.  Looking back at the Patch Management process, if you had supreme powers, what would you change?  How different would/could the processes look?  No need to even ground it in reality if you feel strongly enough about it!

       

       

      Let's start with reboots becoming a thing of the past.  Patch an application or OS and NOT have to restart or incur downtime penalties?!?  Revolutionary!

       

       

      Expulsion from my computerized Kingdom for any vendor requiring manual patching.  If you've packaged it up in a way that requires me to manually copy files or change registry entries, you haven't put enough time into your patch.  This would be considered a capital offense in my fiefdom.

       

       

      What would you do if you could just summon your subjects, wave your hand and make it so?

       

      *Reply to this post to earn 50 points and 1 entry to win an iPod Nano

        • Re: King for a Day - What would you change?
          jsimon16

          Obviously the hardest thing to deal with is downtime for the business.  The more applications that can run like Exchange with DAG's and SQL 2012 with AOAG, the easier it is to patch nodes invisibly to the user community.  So I guess my super power would be to load balance it all and make them all run like vmware with snapshots pre patch that are automanaged.

          • Re: King for a Day - What would you change?
            RandyBrown

            Doesn't have to be grounded in reality?  Alright!!


            No reboots, easy rollback (without reboot), method for testing the update ON THE SERVER THAT WILL BE PATCHED prior to actually installing it. Some sort of guarantee by the vendor that releases the patch that it will not break the server or the app that runs on the server being patched (perhaps dollars for downtime?)

            • Re: King for a Day - What would you change?
              byrona

              I would like it to be standard for patching solutions to manage VM Snapshots both the creation of and scheduled deletion a week later.  This would provide an easy fallback point for when patches cause problems.

              • Re: King for a Day - What would you change?
                xbod

                First, I would declare that Microsoft must put in the update window what the update/patch does for each patch.  Not just some of them (although sometimes I think they are trying to do this more often). 

                My next decree is that no vendor should issue a patch that re-installs the entire program!  Fix only what's broken.

                I know you said it, but it's worth repeating.  No reboots!

                 

                During the patching process, it would be required to preserve a copy of all old files and all old registry entries.  It's been said, but here it becomes law...easy painless rollback!

                • Re: King for a Day - What would you change?
                  jeremymayfield

                  For sure no restarts, and compatibility screening so it never broke application.  Version checking to ensure you have all the prerequisite items covered.  I would have it update all software and BIOS, and Hardware firmware.   I would have something that can handle devices like WAP, and Printer boards.  one tool that could effectively Update anything with a PC chip and attached to the network, and have it work.  yep i said it work, not be a crippled piece of plastic, copper and silicone, no work, as in be faster, better and not use a ton of HDD space, maybe a archival process to remove out old components that obviously wont ever be needed again.

                  • Re: King for a Day - What would you change?
                    bspencer63

                    My King for a Day change would be to have every server load balanced and clustered as well as have them all HA with DRS and vMotion capabilities so that there would be no such thing as down time!!!  All devices have redundant hardware so there are no "single points of failure" throughout the Network.  I'd also have a patch management solution that would handle all updates for all software packages.... Oh yeah, and have users fix all of their problems without ever calling for assistance!

                    Well you asked!

                    • Re: King for a Day - What would you change?
                      th3cap3


                      I would like patches developed with "Zero Downtime" in mind. To many things require reboots of an entire server just to patch an application, why can't we just restart the services affected for a few seconds? You could build redundancy into an application, it runs a snapshot of the application while patching is going on, then it slowly phases itself over to the new patched version without any interruption in service. I would also like ample test environments for proper patch testing and management, if you don't have the hardware to test patches on, your run a higher risk of not having the software available to run your business.

                      • Re: King for a Day - What would you change?
                        Richard Nicholson

                        If I were King for a Day..

                         

                        Windows wouldn't have everything tie to the kernel to operate so that every freaking patch no matter the size requires a reboot.. It would be like a happy marriage of Linux/Windows, and we could laugh at the Apple guys all day long!!

                         

                        And, when someone calls into support and states the "Internet" is down.  I would have the 1 touch button that brings in a robot and takes their PC from them and leaves them with a pen and paper to use from now on until the "Internet" in it's entirety comes back online since the WHOLE thing goes down when that happens.. HAHAHA

                        • Re: King for a Day - What would you change?
                          rulob

                          I dont know if this has been thrown (been too busy lately, damn u real life, i miss college) but my platonic patch system would be as follows.

                           

                          The VENDOR uploads the patch without interfering with your production environment(no security risks at all!). The patch goes on parallel, not stopping your environment or making it slower. The patch totally improves the performance of the app/system.

                           

                          And you get a palm on the back from the CEO, since you keep the business running with an update Patch

                           

                          --Raul

                          • Re: King for a Day - What would you change?
                            jspanitz

                            All vendors supply reboot free patches would be an excellent start.  And I'll second the easy, seamless rollback option.  How about a using the built in installer engine like MS has given us so there's no guesswork on how to install.  And how about files stamped with versions so we can tell the difference?  And delta patches instead of monster reinstalls - I mean the larger vendors support this today from THEIR website, how about from OUR patch servers?  Automated snapshots and scheduled deletion of those snapshots would be fantastic!  Let's continue that on to restore points on non virtualized systems.

                             

                            Oh and the latest trend of apps and their updates only being available on said OS vendors app store is CR@P!  We need access to all software and patches for enterprise deployments, not your monotone, zombie lemming user delivery system.

                            • Re: King for a Day - What would you change?
                              zzz

                              I declare my regal status to be for life!

                               

                              Huh? What do you mean it goes against the infinite wish clause? Blah. Fine.

                               

                              I declare that VM developers and vendors made patching offline VMs a option/reality, or better yet snapshots and images! And also for depreciated functions to send some alert/event or such rather than just not work/break things.

                              • Re: King for a Day - What would you change?
                                bsciencefiction.tv

                                Accountability for those in the lab that are supposed to be testing patches before they go in.  No Applications would be purchased that require Manually Patching.

                                • Re: King for a Day - What would you change?
                                  matt.matheus

                                  Comprehensive change reports.  I want to know EXACTLY what is being added / taken away / changed on every single patch, no exceptions.  One of my biggest pet peeves is applying an upgrade / update and finding out that a feature I used all the time is significantly different or removed.  A single line saying "user interface improvements" is not acceptable. 

                                   

                                  No reboots is a given.

                                   

                                  Appropriate escalation with vendor support for patching related problems.  If a vendor deploys a patch, and starts to receive a flood of calls, PULL the patch.  Don't pretend like nothing is wrong and act like I'm the only one having the problem when I call in.  IT people know each other, and my first call was to my friend to see if he's having the same issue and knows of a work around.

                                   

                                  Dollars for downtime.  Percentage based return on my maintenance contract for every hour of downtime caused by a faulty patch. 

                                  • Re: King for a Day - What would you change?
                                    dave@entwistle.cc

                                    Number ONE.  Force companies to agree on one type of configurable deployable package.  MSI/MSTs are so close so if Microsoft created and gave away a universal configurable package creator then they probably would take over with the exception of UNIX/LINUX systems and MAC OS.

                                    • Re: King for a Day - What would you change?
                                      mdriskell

                                      If I could patch/upgrade/Install MIBS in SolarWinds without having to restart services I'd be happy....Let's fix what's directly in the realm of this forum before taking on the world

                                      • Re: King for a Day - What would you change?
                                        zackm

                                        It would be nice to have a 3rd party repository of patches. Somewhere where I would go, click on all of the software I have installed on X computer (maybe even have an account where I can import an inventory with machine names). Then I could go through and deselect patches I do not need/want and then click submit and an msi would be generated that has all of the most up to date patches. One single file to push out that covers an entire machine.

                                        • Re: King for a Day - What would you change?
                                          storn

                                          I would only use VDI - boy would that make patching easier...

                                          • Re: King for a Day - What would you change?
                                            scott.williams

                                            auto-patching like iOS 7...  of course, the patches have to be good at the start