How to patch remote devices

Brock Bingham|June 28, 2023

Patching devices is one of the fundamental roles of a sysadmin, right behind asking users to restart their computers and reset passwords. And just when we thought we had patch management all figured out, everyone started working remotely. But worry not, my fellow sysadmins. In this guide, I'll show you how to patch your remote endpoints quickly and with minimal effort, which are always my two highest priorities.

What is patch management?

Patch management is the process of distributing and managing updates. Installing updates should be familiar to anyone with a smart device since they seem to require updates eight days a week. However, patch management involves much more than just installing updates. Here are some of the primary functions of the patch management process.

  • Vetting updates before distribution.

  • Scheduling updates to minimize user impact.

  • Establishing update groups to meet the needs of an organization.

  • Remediating broken updates.

  • Preserving critical systems.

For a more in-depth guide on patch management, check out our guide to Patch management 101.

Remote vs. local patch management

Managing updates for remote devices adds a layer of complexity to the patch management process, but the core objectives listed above remain unchanged. The key difference is the inability to administer remote devices physically. Think of it this way: How much easier would it be to fix your parents' computer in person versus over the phone? From personal experience, I can assure you it's much easier to fix their PC in person.

The key to managing patches on remote devices is having the right tool for the job. While many solutions on the market manage remote updates, a lot require extensive training, large budgets, or dedicated team members. If you've got those kinds of resources lying around, then you have many options. However, if you're like me and looking for a solution that gets the job done quickly and with minimal effort, PDQ Connect is a tool for you. Let's look at how simple it is to patch remote devices using PDQ Connect.

If you don't have PDQ Connect and want to follow along, sign up for a 14-day free trial and find out if Connect is the right tool to manage your remote devices.

Grouping devices in PDQ Connect

Once you've installed the PDQ Connect agent, your devices are scanned and imported into your Connect instance. At this point, Connect starts collecting all sorts of valuable data, such as hardware configurations, installed software, group memberships, enabled features, installed updates, disk drive data, and much more. You can use this information to create groups of devices your patch deployments can target.

Let's create a couple of groups to ensure we target the correct devices with our patch deployments. This first group targets devices with old versions of Google Chrome installed.

Creating a Google Chrome old group in PDQ Connect

Here's how to create a PDQ Connect group containing devices with old versions of Google Chrome installed.

  1. In the Devices tab in PDQ Connect, click Create Group.

  2. Add the following filters:

    1. Where | Software | Name | contains | $(AppNameGoogleChrome)

    2. AND | Software | Version | is less than | $(AppVerGoogleChromeEnterprise)

  3. Click Save as group.

  4. Enter a name for the group, then click Save.

As you can see, I'm super creative and named my group Chrome (Old). But you can also see that I've got one device with an old version of Google Chrome installed, so while my creativity is lacking, my methods are solid.

Creating a group of devices missing the latest Windows update

This time, we'll create a group of devices missing the latest cumulative update for a specific version of Windows. For this example, I'll be targeting devices running Windows 11 22H2. Many of these steps are the same as in the previous section, but the filters differ.

  1. In the Devices tab in PDQ Connect, click Create Group.

  2. Add the following filters to the group:

    1. Where | Device | OS | contains | Windows 11

    2. AND | Device | SP/ Release | equals | $(OSVerWin11LatestName)

    3. AND | Device | OS version | is less than | $(OSVerWin1122H2Latest)

  3. Click Save as group.

  4. Enter a name for the group, then click Save.

We're using built-in variables for our groups because PDQ automatically updates them, which means less work for us. When the next update comes out, we won't have to modify the group filters. They'll remain current, and our groups will stay accurate.

After saving my group, it looks like I've got one Windows 11 22H2 workstation missing the latest cumulative update, and it's the same device with an old version of Chrome installed. No worries; we'll set up some automations to ensure everything gets patched and updated.
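To confirm on the endpoint itself that a device really belongs in these two groups, the following PowerShell spot check applies the same "is less than" logic locally. It is an added example, not part of PDQ Connect or the original article; the two target versions are constructed sample values standing in for whatever the built-in variables currently resolve to, and the function names are hypothetical.

```powershell
# Added example: run locally on a Windows endpoint (per-user Chrome installs
# registered under HKCU are not covered).
param(
    [version]$ChromeTarget  = '114.0.5735.199',   # constructed sample value
    [version]$WindowsTarget = '10.0.22621.1848'   # constructed sample value
)

function Get-InstalledChromeVersion {
    # Machine-wide uninstall entries, 64-bit and 32-bit registry views.
    $paths = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
             'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
    Get-ItemProperty -Path $paths -ErrorAction SilentlyContinue |
        Where-Object { $_.DisplayName -like '*Google Chrome*' } |
        ForEach-Object { $_.DisplayVersion -as [version] } |
        Where-Object { $_ } |
        Sort-Object |
        Select-Object -First 1      # the oldest copy found decides the result
}

function Get-WindowsBuildVersion {
    $cv = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion'
    # CurrentBuild is the OS build (22621 on 22H2); UBR is the update revision
    # that each cumulative update raises.
    [pscustomobject]@{
        Release = $cv.DisplayVersion
        Version = [version]('10.0.{0}.{1}' -f $cv.CurrentBuild, $cv.UBR)
    }
}

$chrome  = Get-InstalledChromeVersion
$windows = Get-WindowsBuildVersion
$caption = (Get-CimInstance Win32_OperatingSystem).Caption

# [version] compares each component numerically. As plain strings,
# '114.0.5735.90' would sort after '114.0.5735.199' and hide an outdated device.
[pscustomobject]@{
    Computer       = $env:COMPUTERNAME
    ChromeVersion  = $chrome
    ChromeIsOld    = ($null -ne $chrome) -and ($chrome -lt $ChromeTarget)
    WindowsVersion = $windows.Version
    WindowsIsOld   = ($caption -like '*Windows 11*') -and
                     ($windows.Release -eq '22H2') -and
                     ($windows.Version -lt $WindowsTarget)
}
```

A device that reports `ChromeIsOld` or `WindowsIsOld` as `True` here but is missing from the matching group is worth investigating, since it suggests the agent's inventory for that device is stale.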

Configuring automated deployments in PDQ Connect

The good news is that PDQ Connect automatically comes with packages for both Google Chrome and Windows cumulative updates. All we need to do is build the automations to push out updates to any devices in the groups we just created.

Automations in PDQ Connect are deployments configured on a schedule. You set the days of the week, the time, and the frequency, and PDQ Connect does the rest, deploying all the packages connected to that automation.

Creating a Google Chrome automation

First, let's make an automation to push out our Google Chrome updates regularly.

  1. In PDQ Connect, click the Automation tab.

  2. Click Create Automation.

  3. Enter a name.

  4. Search for and select the Google Chrome Enterprise package in the Packages field.

  5. Ensure Latest is selected next to the package version.

  6. Select Recurring if it's not already selected.

  7. Enter a start date for the automation.

  8. Configure the frequency of the automation.

  9. Select the Chrome (Old) group as the Deploy to target, then click Save to save the automation.

With the automation in place, it'll kick off on the start date you configure and continue to deploy according to your schedule. When the next version of Chrome is released, computers still running the old version will fall back into the group we created and then be patched by the automation.

Creating a Windows cumulative update automation

Now let's create the automation for our Windows cumulative update. Again, this process is similar to the previous section, but we'll use a different package, target a different group, and use a slightly different schedule.

  1. In PDQ Connect, click the Automations tab, then click Create automation.

  2. Name the automation.

  3. Search for and select the Windows 11 (22H2) - Cumulative Update (64-bit) package in the Packages field.

  4. Configure your trigger, start date, and schedule.

  5. Select the Windows 11 22H2 Old Cumulative Update group we created earlier, then click Save.

Each month when Microsoft releases a new cumulative update, devices that haven't been updated will automatically populate into the Windows 11 22H2 Cumulative Update Old group we created. Then the automation distributes the newest update according to your configured schedule. It's pretty magical.

A remote workforce ain't all bad

Yes, managing remote devices adds a layer of complexity to administration and patch management. But I can't complain. More people working remotely means less social interaction for me, bolstering my reclusive nature. And with solutions like PDQ Connect, managing remote devices is basically as easy as managing local devices. The only requirement is an internet connection. Overall, I'd say it's a net win!

Brock Bingham

Born in the '80s and raised by his NES, Brock quickly fell in love with everything tech. With over 15 years of IT experience, Brock now enjoys the life of luxury as a renowned tech blogger and receiver of many Dundie Awards. In his free time, Brock enjoys adventuring with his wife, kids, and dogs, while dreaming of retirement.