Patching devices is one of the fundamental roles of a sysadmin, right behind asking users to restart their computers and reset passwords. And just when we thought we had automated patch management figured out, everyone started working remotely. But worry not, my fellow sysadmins. In this guide, I'll show you how to patch your remote endpoints quickly and with minimal effort, which are always my two highest priorities.
What is patch management?
Patch management is the process of distributing and managing updates. Installing updates should be familiar to anyone with a smart device since they seem to require updates eight days a week. However, patch management involves much more than just installing updates. Here are some of the primary functions of the patch management process.
Vetting updates before distribution.
Scheduling updates to minimize user impact.
Establishing update groups to meet the needs of an organization.
Remediating broken updates.
Preserving critical systems.
For a more in-depth guide on patch management, check out our guide to patch management 101.
Remote vs. local patch management
Managing updates for remote devices adds a layer of complexity to the patch management process, but the core objectives listed above remain unchanged. The key difference is the inability to administer remote devices physically. Think of it this way: How much easier would it be to fix your parent's computer in person versus over the phone? From personal experience, I can assure you it's much easier to fix their PC in person.
Remote patch management best practices
Following remote patch management best practices can streamline your security patch deployment. As an added bonus, it can reduce the risk that missing patches and unpatched vulnerabilities will give threat actors a convenient entry point.
Here are a few tips to improve your remote endpoint management through effective patching.
Know your environment
We've waxed poetic about IT asset management more times than we can count, but it really is that important. Knowing the devices and software in your fleet makes it easier to recognize which available patches you need to apply.
Document your patch management policy
A patch management policy or plan may not be your magnum opus, but it can definitely make your processes run more smoothly. Documented guidelines improve consistency, enhance efficiency, and support compliance.
Test patches
No need to jeopardize your production environment with untested patches. Deploying the latest updates to a smaller test group (ideally in a lab environment) can help you spot potential issues before you start receiving angry calls from your remote workers.
Automate what you can
Automated patch management is one of the best things to ever happen to sysadmins (right up there with White Monster). With automations in place, remote patch installation is quick and painless, simplifying this critical aspect of vulnerability management.
Monitor updates
Unfortunately, you can't just push out patches and trust that everything will work out. Remote patch management also calls for ongoing remote monitoring to maintain visibility into patch status and patch compliance.
While you need to monitor your fleet closely, you also need to keep an eye on the latest software updates. Major Windows patch releases typically come out on Patch Tuesday, so keep checking back to the PDQ blog for information on the latest essentials, like Microsoft Office and operating system updates.
Choose a high-quality patch manager
The key to managing patches on remote devices is having the right tool for the job. While many Windows patch management software solutions on the market manage remote updates, a lot require extensive training, large budgets, or dedicated team members. If you've got those kinds of resources lying around, then you have many options. However, if you're like me and need a remote patch management tool that gets the job done quickly and with minimal effort, then PDQ Connect is a tool for you.
Remote patch management with PDQ Connect
Let's look at how simple it is to patch remote devices using PDQ Connect. If you don't have PDQ Connect and want to follow along, sign up for a 14-day free trial and find out if Connect is the right tool for your remote device management.
If the remote devices in your fleet regularly connect to VPN, you can also use PDQ Deploy for remote patch management. Give it a go by following our guide to automate patch management with PDQ Deploy & Inventory.
Grouping devices in PDQ Connect
Once you've installed the PDQ Connect agent, your devices are scanned and imported into your Connect instance. At this point, Connect starts collecting all sorts of valuable data, such as hardware configurations, installed software, group memberships, enabled features, installed updates, disk drive data, and much more. You can use this information to create groups of devices for your patch deployments to target.
Let's create a couple of groups to ensure we target the correct devices with our patch deployments. This first group targets devices with old versions of Google Chrome installed.
Creating a Google Chrome old group in PDQ Connect
Here's how to create a PDQ Connect group containing devices with old versions of Google Chrome installed.
Select the Devices tab in PDQ Connect, then click Create Group.
Enter a group name, then select Dynamic for the Type.
Add the following filters:
Where | Software | Name | contains | $(AppNameGoogleChrome)
AND | Software | Version | is less than | $(AppVerGoogleChromeEnterprise)
Click Create.
As you can see, I'm super creative and named my group Chrome (Old). But you can also see that I've got one device with an old version of Google Chrome installed, so while my creativity is lacking, my methods are solid.
Creating a group of devices missing the latest Windows update
This time, we'll create a group of devices missing the latest cumulative update for a specific version of Windows. For this example, I'll be targeting devices running Windows 11 22H2. Many of these steps are the same as in the previous section, but the filters differ.
Click the Devices tab in PDQ Connect, then click Create Group.
Enter a group name, then select Dynamic for the Type.
Add the following filters to the group:
Where | Device | OS | contains | Windows 11
AND | Device | SP/ Release | equals | 22H2
AND | Device | OS version | is less than | $(OSVerWin1122H2Latest)
AND | Windows updates | Update title | does not contain | $(HFName1122H2MonthlyLatest)
Click Create.
We're using built-in variables for our groups because PDQ automatically updates them, which means less work for us. When the next software update comes out, we won't have to modify the group filters: the variables stay current, so our groups stay accurate.
After saving my group, it looks like I've got one Windows 11 22H2 workstation missing the latest cumulative update, and it's the same device with an old version of Chrome installed. No worries; we'll set up some automations to ensure everything gets patched and updated.
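As an added example (my own script, not PDQ's code), here is a PowerShell check that evaluates the same two conditions the Chrome (Old) and Windows 11 22H2 groups use, but locally on a single device, which is handy for confirming from the endpoint side why a machine did or did not land in a group. The Chrome version, OS build and KB number are constructed placeholders standing in for the built-in PDQ variables, whose current values aren't on this page.

```powershell
# Added example: evaluate the two dynamic-group conditions on one Windows device.
# The three target values are constructed placeholders for PDQ's
# $(AppVerGoogleChromeEnterprise), $(OSVerWin1122H2Latest) and
# $(HFName1122H2MonthlyLatest) variables; substitute the current values.
$TargetChromeVersion = [version]'120.0.0.0'        # placeholder
$TargetOsVersion     = [version]'10.0.22621.9999'  # placeholder 22H2 build.UBR
$LatestUpdateKb      = 'KB0000000'                 # placeholder KB number

# Chrome: read DisplayVersion from the uninstall keys, as an inventory scan would.
$uninstallKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
)
$chrome = Get-ItemProperty -Path $uninstallKeys -ErrorAction SilentlyContinue |
    Where-Object { $_.DisplayName -like 'Google Chrome*' } |
    Select-Object -First 1

$chromeOld = $false
if ($chrome -and $chrome.DisplayVersion) {
    # Same test as the "Version is less than" filter: [version] compares each
    # numeric field, so 9.0.0.0 is correctly older than 120.0.0.0.
    $chromeOld = [version]$chrome.DisplayVersion -lt $TargetChromeVersion
}

# OS: combine CurrentBuild with UBR (the revision that cumulative updates bump),
# then apply the same "OS version is less than" comparison as the group filter.
$cv = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion'
$osVersion = [version]"10.0.$($cv.CurrentBuild).$($cv.UBR)"
# ProductName still reads "Windows 10" on Windows 11, so key off the build
# number (Windows 11 builds start at 22000) and the DisplayVersion (22H2).
$isWin11 = [int]$cv.CurrentBuild -ge 22000
$is22H2  = $cv.DisplayVersion -eq '22H2'
# Approximation of the "Update title does not contain" filter: check for the
# KB number instead of the full update title.
$kbInstalled = [bool](Get-HotFix -Id $LatestUpdateKb -ErrorAction SilentlyContinue)
$osOld = $isWin11 -and $is22H2 -and ($osVersion -lt $TargetOsVersion) -and (-not $kbInstalled)

[pscustomobject]@{
    ComputerName        = $env:COMPUTERNAME
    ChromeVersion       = $chrome.DisplayVersion
    InChromeOldGroup    = $chromeOld
    OsVersion           = $osVersion.ToString()
    InWin1122H2OldGroup = $osOld
}
```

A device reporting True in either group column should appear in the matching Connect group after its next scan; a mismatch usually means the variable values or the scan data are stale.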
Configuring automated deployments in PDQ Connect
The good news is that PDQ Connect automatically comes with packages for both Google Chrome and Windows cumulative updates. All we need to do is build the automations to push out updates to any devices in the groups we just created.
Automations in PDQ Connect are deployments configured on a schedule. You set the days of the week, the time, and the frequency, and PDQ Connect does the rest, deploying all the packages connected to that automation.
Creating a Google Chrome automation
First, let's make an automation to push out our Google Chrome updates regularly.
In PDQ Connect, click the Automation tab.
Click Create Automation.
Enter a name.
Search for and select the Google Chrome Enterprise package in the Packages field.
Ensure Latest is selected next to the package version.
Select Recurring if it's not already selected.
Enter a start date for the automation.
Configure the frequency of the automation.
Select the Chrome (Old) group as the Deploy to target, then click Save to save the automation.
With the automation in place, it kicks off on the start date you configure and continues to deploy according to your schedule. When the next version of Chrome is released, computers still running the old version fall back into the group we created and are then patched by the automation.
Creating a Windows cumulative update automation
Now let's create the automation for our Windows cumulative update. Again, this process is similar to the previous section, but we'll use a different package, target a different group, and use a slightly different schedule.
In PDQ Connect, click the Automations tab, then click Create automation.
Name the automation.
Search for and select the Windows 11 (22H2) - Cumulative Update (64-bit) package in the Packages field.
Configure your trigger, start date, and schedule.
Select the Windows 11 22H2 Old Cumulative Update group we created earlier, then click Save.
Each month when Microsoft releases a new cumulative update, devices that haven't been updated automatically populate into the Windows 11 22H2 Cumulative Update Old group we created. Then the automation distributes the newest update according to your configured schedule. It's pretty magical.
Patching remote devices keeps getting easier and easier with PDQ Connect as we continue to release new features.
The automatic deployment trigger lets you automatically deploy a package when that package updates or a new device joins a group. You don't need to lift a finger. And bandwidth management helps you get users the latest updates without interrupting their work.
A remote workforce ain't all bad
Yes, managing remote devices adds a layer of complexity to administration and patch management. But I can't complain. More remote work means less social interaction for me, bolstering my reclusive nature. And with a patch management solution like PDQ Connect, patching remote endpoints is basically as easy as patching local devices. The only requirement is an internet connection. Overall, I'd say it's a net win!