How are you handling computers that aren’t getting timely patches?

Asked By TechyNerd42 On

Hey everyone,
I'm reaching out to gather some ideas for a frustrating issue we're facing. We're using ManageEngine for patch management, but a ton of our systems aren't getting patched properly. This includes important updates for Windows 10/11, Microsoft Office, .NET Framework, Zoom, and Adobe Acrobat Reader DC.

We're dealing with several potential reasons for these missing patches. For instance, applications may still be running when patches are supposed to be applied (I've noticed ManageEngine notifications not closing the apps as they should). There are also systems that go offline during normal patching windows, pending reboots blocking other patches, and some patches just fail to download with no good reason.

Additionally, some sites in my agency still have users working on two computers, which is a leftover from the scramble during Covid. Management is okay with this setup, but it often leads to one computer being neglected and offline for long stretches, making it vulnerable when it finally reconnects.

I'm wondering if any of you have implemented policies like maximum session time or uptime to combat this? How about enforcing a forced reboot schedule? Or even preventing a computer from accessing internal networks if it hasn't been patched recently? I'd love to hear about your experiences and any solutions you've found effective.

Thanks!
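An added example, not part of the original question or any answer: before choosing between forced reboots and network quarantine you need to know which machines are actually behind. This script audits a list of PCs for the three symptoms named above (long uptime, a pending reboot blocking further installs, and no Windows update in weeks) and reports offline machines instead of silently skipping them. It assumes PowerShell Remoting is enabled on the targets and that it runs as a local admin on them; the computer names and the 14-day / 30-day thresholds are made-up values.

```powershell
# Added example, not from the original thread: find the stragglers across a list of PCs.
# Assumptions: PowerShell Remoting (WinRM) is enabled on the targets and this runs as an
# account with local admin rights on them. Computer names and thresholds are made up.
param(
    [string[]]$ComputerName = @('PC-SITE1-01', 'PC-SITE1-02', 'PC-SITE2-07'),  # constructed
    [int]$MaxUptimeDays     = 14,   # policy: up longer than this = overdue for a reboot
    [int]$MaxPatchAgeDays   = 30    # policy: no Windows hotfix in this window = neglected
)

# Runs on each target. The three registry locations are the standard pending-reboot flags
# (component servicing, Windows Update, and file renames queued for the next boot).
$probe = {
    $now = Get-Date
    $os  = Get-CimInstance Win32_OperatingSystem
    $pendingReboot =
        (Test-Path 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing\RebootPending') -or
        (Test-Path 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\RebootRequired') -or
        ($null -ne (Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager' `
                        -Name PendingFileRenameOperations -ErrorAction SilentlyContinue))
    # Get-HotFix covers Windows servicing packages only, not Office/Zoom/Acrobat, but it is
    # enough to spot a box that has not taken a Windows update in weeks.
    $last = Get-HotFix | Where-Object InstalledOn | Sort-Object InstalledOn -Descending | Select-Object -First 1
    [pscustomobject]@{
        UptimeDays    = [math]::Round(($now - $os.LastBootUpTime).TotalDays, 1)
        PendingReboot = $pendingReboot
        LastHotfix    = $last.HotFixID
        HotfixAgeDays = if ($last) { [int]($now - $last.InstalledOn).TotalDays } else { $null }
    }
}

function New-Row($pc, $status, $r, $issues) {
    [pscustomobject]@{
        Computer = $pc; Status = $status
        UptimeDays = $r.UptimeDays; PendingReboot = $r.PendingReboot
        LastHotfix = $r.LastHotfix; HotfixAgeDays = $r.HotfixAgeDays
        Issues = ($issues -join '; ')
    }
}

$report = foreach ($pc in $ComputerName) {
    # Offline machines are the ones that come back vulnerable: report them, do not skip them.
    if (-not (Test-Connection -ComputerName $pc -Count 1 -Quiet)) { New-Row $pc 'Offline' $null @('unreachable'); continue }
    try   { $r = Invoke-Command -ComputerName $pc -ScriptBlock $probe -ErrorAction Stop }
    catch { New-Row $pc 'Error' $null @($_.Exception.Message); continue }

    $issues = @()
    if ($r.PendingReboot)                 { $issues += 'reboot pending' }
    if ($r.UptimeDays -gt $MaxUptimeDays) { $issues += "uptime $($r.UptimeDays)d > $MaxUptimeDays" }
    if ($null -eq $r.HotfixAgeDays -or $r.HotfixAgeDays -gt $MaxPatchAgeDays) { $issues += "last hotfix $($r.HotfixAgeDays)d ago" }
    New-Row $pc $(if ($issues) { 'NonCompliant' } else { 'Compliant' }) $r $issues
}

$report | Sort-Object Status | Format-Table -AutoSize
# Feed the non-compliant list to whatever does the nudging or the ticketing.
$report | Where-Object Status -ne 'Compliant' | Export-Csv -NoTypeInformation -Path "$env:TEMP\patch-stragglers.csv"
```

The pending-reboot flag is worth checking first: a machine that has been waiting on a reboot for days will fail every subsequent install, and that looks exactly like "patches fail for no good reason" in the patch console.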

4 Answers

Answered By ScriptSavant On

We run a weekly reboot script during off-hours, so the machines are rarely behind. Although we sometimes get a few stragglers, I find that a simple manual Windows Update usually does the trick. We primarily use Kace to manage patches regularly.

RebootRanger -

That’s smart to schedule reboots! I think automated scripts for patching are a great idea, but every product I’ve tried for third-party apps has ended up failing silently.
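An added example, not from the answer or comment above: one way to implement the weekly off-hours reboot they describe, combined with the maximum-uptime policy the question asks about. The reboot only fires when the machine has exceeded the uptime cap or has a servicing reboot pending, users get a warning first, and the task is set to run late if the PC was powered off during the window, which is the neglected second-computer case from the question. It assumes it is run once as an administrator on each machine (or pushed by your management tool); the Sunday 03:00 window, 7-day cap and 10-minute warning are made-up policy values.

```powershell
# Added example, not from the original thread: a weekly off-hours reboot that only fires when the
# machine actually needs it, and that catches up on its own if the PC was off during the window.
# Assumptions: run once as an administrator on each machine (or pushed by your management tool);
# the Sunday 03:00 window, 7-day uptime cap and 10-minute warning are made-up policy values.
$dir        = "$env:ProgramData\PatchPolicy"
$scriptPath = Join-Path $dir 'Enforce-Reboot.ps1'
New-Item -ItemType Directory -Path $dir -Force | Out-Null

# The script the task runs locally as SYSTEM.
@'
param([int]$MaxUptimeDays = 7, [int]$WarnSeconds = 600)
$log    = "$PSScriptRoot\reboot.log"
$uptime = (Get-Date) - (Get-CimInstance Win32_OperatingSystem).LastBootUpTime
$cbsPending = Test-Path 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing\RebootPending'
if ($uptime.TotalDays -lt $MaxUptimeDays -and -not $cbsPending) {
    "$(Get-Date -Format s) uptime $([int]$uptime.TotalDays)d, no reboot pending, skipping" | Add-Content $log
    exit 0
}
$reason = "Maintenance reboot: uptime $([int]$uptime.TotalDays) days, reboot pending: $cbsPending. Save your work."
# Warn every logged-on session, then restart. A non-zero /t implies /f, so open apps are closed
# rather than silently blocking the reboot (the failure mode in the question).
msg.exe * "/TIME:$WarnSeconds" "$reason"
"$(Get-Date -Format s) rebooting: $reason" | Add-Content $log
shutdown.exe /r /t $WarnSeconds /c "$reason"
'@ | Set-Content -Path $scriptPath -Encoding UTF8

$action    = New-ScheduledTaskAction -Execute 'powershell.exe' `
               -Argument "-NoProfile -ExecutionPolicy Bypass -File `"$scriptPath`" -MaxUptimeDays 7"
$trigger   = New-ScheduledTaskTrigger -Weekly -DaysOfWeek Sunday -At 3am
$principal = New-ScheduledTaskPrincipal -UserId 'NT AUTHORITY\SYSTEM' -LogonType ServiceAccount -RunLevel Highest
# StartWhenAvailable runs a missed Sunday trigger as soon as the machine is next on, which is
# exactly the "second PC that sat powered off for weeks" case from the question.
$settings  = New-ScheduledTaskSettingsSet -StartWhenAvailable -AllowStartIfOnBatteries `
               -DontStopIfGoingOnBatteries -ExecutionTimeLimit (New-TimeSpan -Hours 1)
Register-ScheduledTask -TaskName 'Enforce-Reboot' -TaskPath '\PatchPolicy\' -Action $action `
    -Trigger $trigger -Principal $principal -Settings $settings -Force | Out-Null
```

The trade-off of -StartWhenAvailable is that a machine which was off on Sunday gets its warning and reboot whenever it next powers on, possibly mid-morning; the 10-minute notice is what makes that acceptable. msg.exe is absent on Home editions, so on those the shutdown comment is the only warning the user sees.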

Answered By ManualUpdater2023 On

If I discover a machine isn’t patching, I usually go for remote PowerShell to nudge it. If that fails, I’ve even reinstalled Windows or, in serious cases, wiped and restored the machine. The users can’t keep track, so we have to manually ensure everything’s up-to-date.

SysAdminNinja -

That's quite a hands-on approach! I generally prefer preventive measures by having enforced policies that automatically install any missing patches by a certain deadline. It saves time in the long run.
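An added example, not from either poster: a remote PowerShell "nudge" for a single machine the patch tool has missed. The caveat that shapes it is that the Windows Update Agent refuses to install updates when its COM API is called from a remote session, so the remote half only drops a script and a run-once scheduled task, and the task runs the update API locally as SYSTEM. It also defers, rather than kills, when Office, Acrobat or Zoom are open, since that is the case the question says breaks installs. It assumes WinRM is enabled and the caller is a local admin on the target; the computer name is made up.

```powershell
# Added example, not from the original thread: nudge one machine that the patch tool has missed.
# Caveat that shapes the design: the Windows Update Agent will not install updates when its COM
# API is called from a remote session, so the remote half only drops a script plus a run-once
# scheduled task, and the task runs the WUA API locally as SYSTEM.
# Assumptions: WinRM enabled and local admin on the target; the computer name is made up.
param(
    [string]$ComputerName = 'PC-SITE2-07',   # constructed
    [switch]$Force                           # install even if Office/Acrobat/Zoom are open
)

# Runs locally on the target. Exit codes: 0 nothing to do, 100 deferred, otherwise the WUA
# OperationResultCode (2 succeeded, 3 succeeded with errors, 4 failed, 5 aborted).
$localScript = @'
param([switch]$Force)
$log = "$env:ProgramData\PatchPolicy\nudge.log"
function Log($m) { "$(Get-Date -Format s) $m" | Add-Content $log }

# Installs fail or stall while these are open; default to deferring instead of killing unsaved work.
$busy = Get-Process -Name WINWORD, EXCEL, POWERPNT, OUTLOOK, Acrobat, AcroRd32, Zoom -ErrorAction SilentlyContinue
if ($busy -and -not $Force) { Log "deferred: $(($busy.Name | Sort-Object -Unique) -join ',') running"; exit 100 }

$session = New-Object -ComObject Microsoft.Update.Session
$found   = $session.CreateUpdateSearcher().Search("IsInstalled=0 and IsHidden=0 and Type='Software'")
if ($found.Updates.Count -eq 0) { Log 'nothing to install'; exit 0 }

$coll = New-Object -ComObject Microsoft.Update.UpdateColl
foreach ($u in $found.Updates) {
    if (-not $u.EulaAccepted) { $u.AcceptEula() }
    $null = $coll.Add($u)
    Log "queued: $($u.Title)"
}
$downloader = $session.CreateUpdateDownloader(); $downloader.Updates = $coll
Log "download result code $($downloader.Download().ResultCode)"

$installer = $session.CreateUpdateInstaller(); $installer.Updates = $coll
$inst = $installer.Install()
# Per-update HRESULTs are what you want in the ticket when "it just fails to download/install".
for ($i = 0; $i -lt $coll.Count; $i++) {
    $r = $inst.GetUpdateResult($i)
    Log ("{0}: result {1} hresult 0x{2:X8}" -f $coll.Item($i).Title, $r.ResultCode, $r.HResult)
}
Log "install result code $($inst.ResultCode), reboot required: $($inst.RebootRequired)"
exit [int]$inst.ResultCode
'@

$remote = {
    param($ScriptText, $ForceInstall)
    $dir  = "$env:ProgramData\PatchPolicy"
    New-Item -ItemType Directory -Path $dir -Force | Out-Null
    $path = Join-Path $dir 'Nudge-Update.ps1'
    Set-Content -Path $path -Value $ScriptText -Encoding UTF8
    $taskArgs  = "-NoProfile -ExecutionPolicy Bypass -File `"$path`"" + $(if ($ForceInstall) { ' -Force' } else { '' })
    $action    = New-ScheduledTaskAction -Execute 'powershell.exe' -Argument $taskArgs
    $principal = New-ScheduledTaskPrincipal -UserId 'NT AUTHORITY\SYSTEM' -LogonType ServiceAccount -RunLevel Highest
    Register-ScheduledTask -TaskName 'Nudge-Update' -TaskPath '\PatchPolicy\' -Action $action -Principal $principal -Force | Out-Null
    Start-ScheduledTask -TaskName 'Nudge-Update' -TaskPath '\PatchPolicy\'
    do {
        Start-Sleep -Seconds 15
        $state = (Get-ScheduledTask -TaskName 'Nudge-Update' -TaskPath '\PatchPolicy\').State
    } while ($state -eq 'Running')
    [pscustomobject]@{
        ExitCode = (Get-ScheduledTaskInfo -TaskName 'Nudge-Update' -TaskPath '\PatchPolicy\').LastTaskResult
        Log      = Get-Content "$dir\nudge.log" -Tail 25
    }
}

$out = Invoke-Command -ComputerName $ComputerName -ScriptBlock $remote -ArgumentList $localScript, $Force.IsPresent
$out.Log
"$ComputerName exit code $($out.ExitCode)"
```

Exit code 100 means the user still had one of the listed apps open; rerun with -Force only after warning them, because the install will proceed with those processes running. The per-update HRESULT lines in the log are the thing to paste into the ticket when an install fails, since the patch console usually shows only a generic failure.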

Answered By NetworkGuardian On

There are some awesome network access control products that automatically block network access until all updates are installed, which works well for us. It's a tough balance but it really keeps things secure!

Answered By PatchMaster99 On

In our setup, we enforce that any work computer can't connect to our network without the latest security updates. There’s a security scan that runs first, and if the computer’s out-of-date, it connects to a sandbox network just to get the updates. For bigger updates, we push them out automatically outside of working hours, but if that fails, the system forces it as soon as the device is on again. This keeps around 50,000 users globally up to date!

UpdateGuru88 -

That sounds like a solid system! We used to push updates every month, but now we have mandatory updates that users can delay only very briefly. It really helps in maintaining security.
