General deployment methodology with PDQ
Greg Mills
Hi all, I'm trialing PDQ and have it up and running, but as I only have a few days I need to get some basic questions answered.
How do you ensure your WIndows patches are applied and active using PDQ? I gather that PDQ suppresses the restart request, but does that mean the system is not fully patched unless a restart is invoked? How do you interact with users during this process? Do you give them the ability to defer the restart?
What I'd like is for patches to be applied as per a schedule, or as soon as the client machine comes back online. If a users is in the middle of something though, I'd like them to get the ability to defer any restart.
Thanks
0
Comments
Hi Greg,
Our Windows update packages do defer a restart, and the OS is not patched until a reboot. There are a couple of ways to make sure that those systems get rebooted. One way would be to create a "reboot" package that has a condition to only run if no user is logged in. In that scenario before the reboot command is sent PDQ Deploy verifies that no user is logged in, if there is a user logged in the deployment will fail with the status "No steps able to run due to conditions."
You can put this reboot package on a schedule to run at a time when most users will be logged out.
PDQ Inventory can also show you what patches are applied to a particular machine so you know if every machine in your network is patched. The collection library has these built for you already so you have have a heads-up display of the machines in your environment that are, or are not patched.
Hi Josh, thanks for the post.
In my experience, users will avoid rebooting for as long as possible if left to their own devices. Your idea to wait until the user is logged out would work for our 50 or so virtual machines and servers, but not for the 30 or so laptops as they are taken home every evening.
So ideally, I'd like PDQ to be able to push a reboot on the user during the day but give them the option to defer this for a convenient period of time. Also, the user would get a set number of chances to defer until they are forced to restart.
I appreciate PDQ doesn't work this way, so it probably won't be our choice this time. If I'm honest, neither of the other two patching solutions do this either, so it seems we're after a feature that many others don't need.
Cheers
First:
You should take a look at WSUS, WUinstall or ABC Update
Second:
Change the power managment option "closing laptop=sleep" into "closing laptop=shutdown"
If you deploy the update at morning and the laptops are taken home in the evening the updates are getting installed in the moment the user close the laptop.
Third:
For local workstations and the "i'm-to-lazy-to-shut-down-my-pc-after-work" users, set up a shutdown script with PDQ Deploy, for example at 9 PM. Be sure your "Shutdown" collection only contains the right devices ;-)