
Effective patch management practices

The key to keeping Windows systems up to date and secure is proper patch management, which should involve a number of carefully managed IT activities, outlined in this tip.

According to Gartner, patches are defined as "a software fix made or distributed in a quick and expedient way -- typically via a separate piece of software that users can download and run to modify an application already installed on their computers."

Do not, however, let the words "a quick and expedient way..." lead you to think that patches are insignificant.

They are the first line of defense against many types of exposure -- primarily security vulnerabilities -- in vendor-supplied applications and operating system software.

Gartner's definition does not imply that patches can be distributed with the blow of a whistle or the press of a button on a management console. The IT environment of most organizations today is a complex and delicate mix of components and dependencies. Unfortunately, many IT organizations are ill prepared to keep pace, and still manage patches in a rudimentary and inconsistent way. In order to arrive at the desired outcome -- the successful and timely deployment of the right patches on the right computers -- an organization must know in detail the current state of its infrastructure and the process it must follow in order to change that state.

What's there? What state is it in?

To implement effective patch management, IT organizations need an accurate and immediate assessment of their IT infrastructure. Typical questions include:

  • Do we have a list of all servers running an operating system below a certain revision level?
  • Is there an increase in incidents reported to the help desk about specific symptoms or outages?
  • Does our hardware or software configuration match exposures identified by our technology vendors?

For most organizations, these questions are only the tip of the iceberg. There are many more, because change is a constant for IT. But how can anyone keep up with the dynamic pace of change?

IT professionals must maintain a database that is detailed and current enough to provide accurate and up-to-the-minute reports on the state of the IT infrastructure, and they must rely on a high degree of automation to keep that data complete and correct.

Discovery tools provide that level of automation. These tools detect and collect a wide range of detailed information about the network and computing resources in an organization's IT infrastructure. Loaded into the appropriate repository, that information can support a wide range of service management activities, of which patch management is a critical subset.

Very few organizations maintain an IT environment consisting of only one type of hardware. An effective discovery tool must be platform-neutral -- able to collect data across a wide range of different platforms.
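The following is an added example, not code from the article or from Peregrine Systems, of how the inventory questions above can be answered from a discovery repository once the data is in one place. The inventory, the revision baseline and the vendor exposure list are constructed sample data: the build and UBR (update build revision) numbers are arbitrary, the field names are an assumed schema rather than any real tool's, and the exposure identifiers are placeholders, not real advisory numbers.

```powershell
# Constructed sample inventory, as a discovery tool or CMDB export might supply it.
# Build = OS build number, UBR = update build revision (the patch level within a build).
$Inventory = @(
    [pscustomobject]@{ Host = 'srv-01'; OS = 'Windows Server 2019'; Build = 17763; UBR = 4000 }
    [pscustomobject]@{ Host = 'srv-02'; OS = 'Windows Server 2019'; Build = 17763; UBR = 5329 }
    [pscustomobject]@{ Host = 'srv-03'; OS = 'Windows Server 2022'; Build = 20348; UBR = 1607 }
    [pscustomobject]@{ Host = 'ws-01';  OS = 'Windows 10';          Build = 19045; UBR = 2965 }
    [pscustomobject]@{ Host = 'srv-04'; OS = 'Windows Server 2016'; Build = 14393; UBR = 5800 }
)

# Minimum acceptable revision per build, as set by the organization (sample values).
$Baseline = @{
    17763 = 5329
    20348 = 1850
    19045 = 3086
}

# Vendor-published exposures, expressed as "fixed from this revision on".
# The Id values are placeholders for illustration only.
$Exposures = @(
    [pscustomobject]@{ Id = 'EXPOSURE-A'; Build = 17763; FixedInUBR = 5329 }
    [pscustomobject]@{ Id = 'EXPOSURE-B'; Build = 20348; FixedInUBR = 1850 }
)

# "Do we have a list of all servers running an OS below a certain revision level?"
function Get-HostsBelowBaseline {
    param([object[]]$Inventory, [hashtable]$Baseline)
    foreach ($h in $Inventory) {
        if (-not $Baseline.ContainsKey($h.Build)) {
            # A build with no baseline is a gap in the data; flag it rather than passing it.
            [pscustomobject]@{ Host = $h.Host; Build = $h.Build; UBR = $h.UBR; Required = $null; Status = 'NoBaseline' }
        } elseif ($h.UBR -lt $Baseline[$h.Build]) {
            [pscustomobject]@{ Host = $h.Host; Build = $h.Build; UBR = $h.UBR; Required = $Baseline[$h.Build]; Status = 'BelowBaseline' }
        }
    }
}

# "Does our configuration match exposures identified by our technology vendors?"
function Get-ExposedHosts {
    param([object[]]$Inventory, [object[]]$Exposures)
    foreach ($e in $Exposures) {
        foreach ($h in $Inventory) {
            if ($h.Build -eq $e.Build -and $h.UBR -lt $e.FixedInUBR) {
                [pscustomobject]@{ Exposure = $e.Id; Host = $h.Host; UBR = $h.UBR; FixedInUBR = $e.FixedInUBR }
            }
        }
    }
}

Get-HostsBelowBaseline -Inventory $Inventory -Baseline $Baseline | Format-Table -AutoSize
Get-ExposedHosts -Inventory $Inventory -Exposures $Exposures | Format-Table -AutoSize
```

With the sample data, srv-01, srv-03 and ws-01 are reported below baseline, srv-04 is reported as having no baseline at all, and srv-01 and srv-03 are matched against the two exposures. On a live Windows 10 or Server 2016-or-later host the Build and UBR values can be read from the CurrentBuild and UBR values under HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion; the point of the discovery repository is that you do not have to visit each host to ask.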

How can I ensure that rollout will be successful?

Implementing the right processes is another critical component of an effective patch management practice. Although automated discovery of the IT environment and automated distribution of patches are essential, an organization that relies solely on tools to do the job puts a successful deployment at risk. To work effectively, the tools must be an integral part of a mature service management capability.

A number of activities must be carefully managed. As with discovery, appropriate automation brings significant benefits. Some examples are:

  • Assess risk and cost for both the business and the IT environment.
  • Prioritize activities based upon those assessments.
  • Collect, validate and maintain configuration data.
  • Identify the parts of the infrastructure that are at risk, and isolate them until they are patched.
  • Obtain the patches from a trusted source, and verify their integrity (vendor-published hash, digital signature) before they enter the deployment pipeline.
  • Test the patches on representative systems and sign off on the changes.
  • Physically deploy the patches.
  • Identify and repair or roll back any damage.
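As an added example of the "trusted source" step (not code from the article or from Peregrine Systems), the following PowerShell function gates a downloaded update file on two checks before it is allowed into the deployment pipeline: its SHA-256 hash must equal the value the vendor published, and its Authenticode signature must be valid and chain to the expected signer. The expected hash is assumed to be obtained out of band from the vendor's catalogue; the file used in the demonstration is constructed on the spot and unsigned, so the function shows the reject path. The Authenticode cmdlets are Windows-only.

```powershell
function Test-PatchIntegrity {
    param(
        [Parameter(Mandatory)][string]$Path,
        [Parameter(Mandatory)][string]$ExpectedSha256,   # from the vendor's published catalogue
        [string]$RequiredSigner = 'Microsoft'            # substring expected in the signer subject
    )
    $result = [ordered]@{ Path = $Path; Approved = $false; Reasons = @() }

    if (-not (Test-Path -LiteralPath $Path)) {
        $result.Reasons += 'file not found'
        return [pscustomobject]$result
    }

    # Check 1: the file must hash to what the vendor published.
    $actual = (Get-FileHash -LiteralPath $Path -Algorithm SHA256).Hash
    if ($actual -ne $ExpectedSha256.ToUpperInvariant()) {
        $result.Reasons += "hash mismatch (got $actual)"
    }

    # Check 2: the Authenticode signature must be valid (chain to a trusted root,
    # file unmodified since signing) and be issued to the expected signer.
    $sig = Get-AuthenticodeSignature -LiteralPath $Path
    if ($sig.Status -ne 'Valid') {
        $result.Reasons += "signature status: $($sig.Status)"
    } elseif ($sig.SignerCertificate.Subject -notlike "*$RequiredSigner*") {
        $result.Reasons += "unexpected signer: $($sig.SignerCertificate.Subject)"
    }

    # Only a file that passes every check is approved; every failure is recorded.
    $result.Approved = ($result.Reasons.Count -eq 0)
    [pscustomobject]$result
}

# Constructed demonstration: an unsigned 64-byte file whose hash we compute here.
# Because it is unsigned, the function rejects it even though the hash matches,
# which is the behaviour you want for a package of unknown provenance.
$tmp = Join-Path ([IO.Path]::GetTempPath()) 'sample-patch.msu'
[IO.File]::WriteAllBytes($tmp, [byte[]](1..64))
$expected = (Get-FileHash -LiteralPath $tmp -Algorithm SHA256).Hash
Test-PatchIntegrity -Path $tmp -ExpectedSha256 $expected | Format-List
Remove-Item -LiteralPath $tmp
```

In real use the expected hash never comes from the file itself, as it does in the demonstration; it comes from the vendor catalogue or advisory, over a channel independent of the download. Both checks matter: the hash proves you have the exact bytes the vendor listed, and the signature proves who produced them, so a mirror or proxy that substitutes a different (even validly signed) file is caught by the first check and a tampered file by the second.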

Patch management cannot be treated as an exercise in isolation. It is important to identify and integrate a number of activities. Some might be:

  • Integration with configuration management/IT asset management. It is highly desirable to feed from an existing configuration repository and important to ensure that it is maintained during a patch deployment. Failure to do so will lead to fragmented and poorly managed knowledge of the IT infrastructure.
  • Correlation with the service desk. Identifying and responding appropriately to reported incidents can significantly reduce the scope and impact of any exposure.
  • Release management. A best practice discipline (part of the ITIL library) that deals with the bigger picture of managing the deployment of software across the environment. Any patch management activities should feed back into the DSL (Definitive Software Library, the subset of ITIL configuration data that applies to software assets; later ITIL versions call it the Definitive Media Library).
  • Work order/change activity. Deploying software patches to an organization's operational infrastructure constitutes a significant change. It is very important to ensure that it adheres to the defined standards for changes or emergency changes. Additionally, there may be specific instances where deploying a patch cannot be fully automated, and any manual activity needs to be coordinated properly.
  • Service level agreement (SLA) impact. Inadequate patch management can have a serious impact on the levels of service promised to users. This issue is particularly significant for outsourcers and service providers, where such failures can lead to significant penalties.
  • Potential software licensing implications -- for example, it may be necessary to have a current maintenance agreement with a software vendor in order to apply patches legally.

Working this way permits a more proactive and consistent patch management practice.

The adoption of comprehensive discovery tools and mature best practice processes significantly improves the effectiveness of an organization's patch management efforts, which in turn improves its service management capabilities. To be successful, the technology and processes adopted should support a number of objectives and be as automated as possible. Patch management efforts need to be platform-neutral -- that is, they should work equally on all hardware and software platforms in that organization's operational environment. In a dynamic and constantly evolving IT environment, patch management efforts must be adaptive. And finally they must provide the highest level of analytical data, both for technicians and management, to ensure patches can be deployed quickly and accurately with minimal impact to the business.

Gartner, based in Stamford, Conn., is the leading provider of research and analysis on the global IT industry.

About the author:
David D'Agostino Product Marketing Manager, EMEA Peregrine Systems. David has worked in the IT industry for 27 years. He has been at Peregrine Systems for 12 years in a variety of senior roles from consulting to European sales and marketing.
