Enterprise Patch Management

15 October 2020

Problem faced by enterprise team members across varying networks 

Centrally Managed were invited to review patch deployment for a multi-site company with on-premise and remote workers that needed a way to ensure every endpoint is patched.

Their existing WSUS solution only patches Microsoft products, and only on devices connected to the LAN or VPN. People working remotely without their VPN connected miss out on vital updates.

Challenges set by patch management

• Securely connecting to the corporate network when not connected to the VPN.

o As the client works in the energy sector on ‘Top Tier COMAH’ high hazard sites, it is crucial that any external connectivity is robust and secure.

• Ensuring that applications other than Microsoft's are updated too.

o Vulnerabilities are exploited in many popular applications that are used globally. If these apps aren’t patched, the corporate network could be compromised. It’s important that updates can be deployed as soon as the developers make them available.

• Ensuring ‘bad patches’ can’t take down hundreds of computers at once.

o Although developers test patches before release, there have been numerous occasions where a bad patch has taken down a large percentage of the corporate network, leaving the support teams stretched to get people back online.


Approach our Ivanti Specialists took

• Look at the current WSUS environment and put together a migration plan 

• Confirm plan with internal stakeholders 

• Configure new Ivanti servers 

o Configure CSA server

o Configure rollout groups

o Ensure the agent is deployed to all endpoints

o Ensure each endpoint has the correct settings depending on which tier it is in

o Ensure the correct product definitions are downloaded

A successfully rolled out patch management

The best way to tackle these challenges is to create a 3 tier rollout for all new patches. The 1st tier is a set of test devices. This captures ‘bad patches’ so that only the test devices are taken down if one is released.

Once a defined percentage of devices report the patch as successful, it moves to the 2nd stage, the pilot group. This contains approx. 20% of devices, chosen so that all of the different business apps are covered. This group ensures that each application is tested against the new patch.

After a further percentage of successful reports the patch moves to the 3rd stage, the main rollout. There is an 8 day window between the 2nd and 3rd stages to allow any problems to be reported, so they can be resolved or the patch withdrawn until further testing has taken place.
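The gating logic of that 3 tier rollout as a small Python state machine. This is an added illustration, not the client's or Ivanti's configuration: the 8 day pilot window comes from the text above, while the 95% success threshold and the sample device counts are assumed values, since the page gives no figures.

```python
from dataclasses import dataclass
from datetime import date, timedelta

# Tier sequence from the case study: test devices -> pilot (~20%) -> main rollout.
TIERS = ("test", "pilot", "main")
# The page only says "a % of successful devices" must report in; 95% is an assumed figure.
SUCCESS_THRESHOLD = 0.95
# The page states an 8 day window between the pilot and main stages.
PILOT_WINDOW_DAYS = 8

@dataclass
class PatchRollout:
    patch_id: str
    entered_on: date          # day the patch entered its current tier
    tier: str = "test"
    withdrawn: bool = False
    ok: int = 0               # endpoints in the current tier reporting success
    failed: int = 0           # endpoints in the current tier reporting failure

    def report(self, ok: int, failed: int) -> None:
        # Record agent check-in results for the current tier.
        self.ok += ok
        self.failed += failed

    def evaluate(self, today: date) -> str:
        """Daily gate decision: 'hold', 'promote', 'withdraw', 'withdrawn' or 'complete'."""
        if self.withdrawn:
            return "withdrawn"
        if self.tier == "main":
            return "complete"
        total = self.ok + self.failed
        if total == 0:
            return "hold"  # nothing has reported yet
        if self.ok / total < SUCCESS_THRESHOLD:
            self.withdrawn = True  # bad patch: only this tier was exposed
            return "withdraw"
        if self.tier == "pilot" and today < self.entered_on + timedelta(days=PILOT_WINDOW_DAYS):
            return "hold"  # still inside the 8 day window for problems to be reported
        self.tier = TIERS[TIERS.index(self.tier) + 1]
        self.entered_on, self.ok, self.failed = today, 0, 0
        return "promote"

def demo() -> list:
    # Walk one constructed patch through all three tiers and return the daily decisions.
    p = PatchRollout("PATCH-EXAMPLE", entered_on=date(2020, 10, 15))
    p.report(19, 1)                              # 95% success on the test devices
    out = [p.evaluate(date(2020, 10, 16))]       # promote to pilot
    p.report(198, 2)                             # 99% success in the pilot group
    out.append(p.evaluate(date(2020, 10, 20)))   # hold: inside the 8 day window
    out.append(p.evaluate(date(2020, 10, 24)))   # promote to main
    out.append(p.evaluate(date(2020, 10, 25)))   # complete
    return out
```

A patch whose success rate in any tier falls below the threshold is withdrawn at that tier and never reaches the next one.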

To allow communication with devices off the LAN/VPN, we will configure an Ivanti CSA server. This sits in the DMZ of the corporate network, and devices running the agent communicate with the internal Ivanti servers through the CSA using certificate-based authentication. This protects the integrity of the data and ensures that only approved devices can connect.

Once implemented, the service is maintained through an annual support agreement. This provides a fully managed service so that your support staff can do their day-to-day job without worrying about this important role.
