The hairline shows how long I've been in IT
We all have computers whose users say "You can't patch my machine automatically. It has to be done manually." Or maybe they say "My machine can't be patched. The software is too liable to be affected." How do you handle these?
A real solution requires serious support from IT senior management and from the corporate security team. If they won't back you up, you don't have a workable solution. That means your solution has to be presented to them first. Ideally it should be developed together with the security team.
The system I inherited had a large number of such computers on the Exception List. These were patched manually by the local Desktop staff. That required lots of man-hours, and tended to be somewhat disruptive to the users because of the scheduling challenges. After we went to SMS 2003 and implemented interactive patching, which let users pick a time to run the updates up until the deadline, we went after the Exception List.
I developed a plan that allowed these machines additional days before the patching deadline, using the common interactive patching described in my earlier blog post on the DSUW settings. This Extended Schedule process was needed to accommodate actuaries, who commonly have calculations that run for several days. Corporate Security believed strongly in the value of automated patching, so they agreed that any exceptions would require a formally approved Security Exception. That exception would have to state why automated patching was a problem and how the risks resulting from manual patching would be resolved. They stated that they did not expect to ever approve such a request, though it was possible. Our management readily approved the plan.
Then I selected a handful of pilot testers. This included two local Actuaries and a few operations consoles used during the night. I explained the concept to the managers and selected users, and all agreed that the limitations and general design seemed reasonable. After the first month's patch cycle I asked what they thought of it. Both departments asked to have all of their exception machines put in the new system for the following month. They loved being able to schedule the updates at their convenience, and not be dependent on anyone else.
For the next month I selected around 20% of the Exception List machines in each department to be pilot testers. I sent an email to the designated contacts and their managers that explained the system and listed which machines I had arbitrarily selected. They were asked to tell me if they wanted to change the pilot test selections or if their work required a longer deadline. There were a few changes in machines. One user said that his calculations often ran for two weeks. I replied that if this was the case he needed a much faster computer or to run these on a fast server. I copied his manager and asked the manager whether they really did need such a long period. He never did reply, and again the users loved the new system. The following month we had virtually all of the old Exception List machines on the new Extended Schedule.
Of course it wasn't quite that fast and simple. At first I tried to get volunteers, but failed. At the end there were a couple of departments that needed more than one month to test the process because the actual patches during the test month didn't affect the pilot test computers. It still was very fast and simple overall, and nearly every user and manager loved the result.
Eventually we changed the schedule for all machines to include the added days we had allowed for the Extended Schedule. This was because of problems maintaining the list of machines accurately. We still maintain that list, but now it only matters when we have a 48-hour emergency patch. In those cases the Extended Schedule machines still get as much added time as we can afford to give them.
myITforum Daily Newsletter, June 4, 2007
Nice article Steve! This has always been a hot button issue with SMS and I am sure others will find your advice helpful!
Regards,
Anthony