Hey everyone! I've been navigating the complexities of patch management as our team works through Cyber Essentials Plus (CE+). It's been a challenge, especially since we need to coordinate updates from various platforms. Right now, we use Heimdal for OS patching, but it's not consistently reliable. We also have Intune in the mix and I'm looking to optimize its usage. The issue is there are tons of update sources to track, like Windows Update, HP Support Assistant, Dell Command, and different 3rd party apps like Adobe and Zoom. Each one releases updates that don't always appear in Heimdal or Intune, and some require manual checks. I have a few questions:
- How do you keep track of patching with so many sources?
- Is there a centralized tool that truly works?
- If you're using Intune for 3rd party updates, how's that going?
- What's your approach—scripts, vendor tools, or something else?
- And how do you handle compliance reporting for CE+?
Would love to hear your experiences, especially the good and the bad!
5 Answers
Automate as much as you can! Aim to handle critical patches at least quarterly or sooner if there's high-profile vulnerability announcement. Use your vulnerability management tools to prioritize what's critical instead of patching blindly. This way, you're spending less time on unnecessary patches and focusing on what truly matters.
One key tip is to reduce the number of software applications you're managing. For example, if you don't need multiple browsers, stick with just one like Edge. This way, you're not juggling so many updates. Keep your apps updated to the latest versions to minimize complexity. The less software you have, the easier it is to manage those patches.
That's actually solid advice! I’d love to remove some of the unnecessary apps, but users are so attached to Chrome.
Totally agree! Keeping it simple reduces a lot of headaches.
After my experience with CE+, I recommend you collaborate with your auditing team to understand the tools they use for assessments. Integrate those tools into your own system! Tools like PDQ for on-prem updates and PatchMyPC for Intune can be very effective. We’ve seen big benefits when aligning our tools with the auditor's standards.
Great advice! I will definitely check with our auditors to see what they’re using.
That makes a lot of sense to sync everything up.
If you're managing a lot of devices, consider using tools like Action1 or PDQ Connect alongside PowerShell. They can streamline your patching process significantly. We just completed CE+, and utilizing these tools really helped. For hardware, I set up automatic updates wherever possible to keep things running smoothly.
What makes Action1 better than PDQ Connect?
Nice! Just checked those out and they look like exactly what I need.
In our setup, we use Qualys for vulnerability scanning along with Intune and PatchMyPC for patching OS and apps. I find it helpful to have a central point of truth for all vulnerabilities so the critical ones are addressed first. Plus, we have automated updates for common software but still follow strict change management protocols to minimize disruptions.
Thanks for the heads up on Qualys. We're looking into it!
Solid approach! Striking a balance between automation and oversight is crucial.
Thanks for the tip, I’ll definitely look into that!