Best Practice Guide: Software Update Deployment (16.0+)

What

With FileWave Version 16+, the system for patching devices with operating system updates has been overhauled, and your current workflows likely should be as well.  This article will review how you can best clean up, reorganize, and overall simplify your patch management processes.

Note that you want to avoid assigning Windows OS updates to pre-16.0.0 clients because they will not function correctly. You can simply add a criterion to your SmartGroup to check if the "FileWave Client Version" begins with "16." and that would protect you until you can work to upgrade all of your devices.

Also note that Windows OS updates from before FileWave 16 should be purged from your server, both to free up disk space and because they will not function correctly. This transition from the old format to the new format should be a one-time exercise to remove the old style of Windows OS updates and ensure your clients are upgraded to FileWave 16.0 or higher.

When/Why

Patch management of devices in your environment is the most important thing an IT manager does in almost every single organization.  FileWave 16+ does operating system patching differently than before, but we feel confident that if you follow this guide and tailor it to your environment, you'll find the new solution much more elegant and relatively carefree.

For the purposes of this document, we'll use an example of a common deployment scenario: Alpha, Beta, then Production patching.  That is, a system where you first test new patches against a small set of devices (your Alpha group) to ensure patches work without issue.  Later, you would deploy to the larger Beta group to ensure distribution is good.  Only when both Alpha and Beta are good would you deploy to Production.

In some environments, folks go straight from test to production directly for OS patching.  This will work fine as well, and you can tailor the below accordingly.

How

As stated above, in our example organization, we patch as follows:

  1. Each Monday we evaluate newly offered patches, and if we want to deploy them to test, we assign them to our Alpha group.
  2. On Wednesday of each week, if Alpha testing was good, we'll assign these same patches to the Beta group.
  3. And on the following Monday, if all is still well, we assign the same patches to our Production group (all devices).

But if we are starting from scratch, how best do we do this?  We need three sets of objects to make all of the above happen.  Device groups, fileset groups, and deployments.

Note: We are using Deployments here instead of associations on purpose.  Deployments maintain their settings regardless of "new" content, and make it much easier to add device exceptions (e.g. in this test, exclude Device A).

Device Groups

The device groups will be built like this:

[Screenshot: device group structure]

The top level group is only for organizational purposes, and includes three groups.  There is a manual group for Alpha Devices and for Beta Devices (we'll put select devices in each group manually).  The Production group is a smart group based on ALL operating systems we manage.  In our case, Apple devices and Windows.  (Changes in Version 16+ make it possible to do this without any odd reporting...we'll show you below).

Note that once these groups are established, we will likely not need to edit them regularly.  The "Production" smart group definition is shown below:

[Screenshot: "Production" smart group definition]

Fileset Groups

FileWave Version 16+ makes bulk-creating and storing patches MUCH easier.  For our example patching workflow we are going to create three fileset groups to match our three device groups.  Note again that we've added a top level group for organizational purposes.

[Screenshot: fileset group structure]

Deployments

Deployments are the way we'll relate the other two building blocks above.  That is, we'll use deployments to relate Patches to Devices using the fileset groups and device groups we built above.  Alpha patches to Alpha devices, etc.  Notice that the "Beta" assignment contains both Alpha and Beta Groups...we do that because they are manual groups and we want to make sure those devices all receive the assignments.  The Production deployment doesn't need that, because it is by platform and covers all devices no matter what groups they are in.

[Screenshot: deployments]

Note that the assignments above are critical to the workflow, and you'll see that in the How to Use section below.

Now that we have our building blocks in place, we can start patching.  Let's pretend that it is Monday morning of a new week.  Let's go into the Software Updates view to see what new patches are available to us:

Apple Patches

Windows Patches

And in our environment it is a lot of patches indeed, since it is the first time we are setting up the mechanism.  But don't worry, it is now easy to create everything at once, and there are several filters to help you.  Examples:

  • Requested Only filter is used to only show patches requested by devices in your environment...you'll likely always have this turned on
  • Platform filter can be used to toggle between Apple and Windows patch views
  • Fileset Status Filter: "No Fileset"...we can use this filter to ONLY show us patches we haven't "created" yet...we'll likely use this one all the time in our workflow
  • Categories can be used to narrow down to Critical, Security or other patch categories

Let's assume for now though that "we want to patch everything".

Patch Creation (Alpha)

Because we always start with our Alpha group, that is the Fileset group location we'll use every Monday (and any other time we create new patch Filesets).  Creating the filesets couldn't be simpler...we'll just select them all, right-click, choose create, and then choose the destination (our Alpha Fileset group).

Note that we put ALL patches for all platforms in the same fileset group...that is on purpose.  FileWave 16+ allows you to do this, and simply "ignore" any patches that aren't for the devices you have assigned them to.

As soon as we update the model, all "Alpha" patches for all "Alpha" devices will be assigned, and start to deploy...it's as easy as that.

Patch Assignment (Beta and Production) 

Because we always start with our Alpha group, we never have to "create" patches for the Beta testers or Production users.  On our "Wednesday" Beta testing the ONLY thing we have to do is MOVE the filesets from our Alpha Fileset Group to our Beta Fileset Group.  And the following Monday we'll move patches from Beta to Production.  Job well done.
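The ring layout above, modelled in plain Python as an added example (this is not FileWave code and calls no FileWave API). The device names, client versions and dates are constructed, and the model assumes the Production smart group carries the "begins with 16." client-version criterion from the note at the top of this guide.

```python
from dataclasses import dataclass
from datetime import date, timedelta

@dataclass(frozen=True)
class Device:
    name: str
    platform: str        # "apple" or "windows"
    client_version: str  # the "FileWave Client Version" inventory value
    manual_group: str    # "alpha", "beta" or "" (manual membership)

# Deployment for each fileset group -> manual device groups it targets.
# None = the Production smart group (assumed to carry the "begins with 16." criterion).
TARGETS = {"alpha": {"alpha"}, "beta": {"alpha", "beta"}, "production": None}

def targeted(device, fileset_group):
    groups = TARGETS[fileset_group]
    if groups is None:
        return device.client_version.startswith("16.")
    return device.manual_group in groups

def recipients(patch_platform, fileset_group, devices):
    """Devices that install a patch sitting in the given fileset group.
    Patches for another platform are ignored, as the guide describes."""
    return sorted(d.name for d in devices
                  if targeted(d, fileset_group) and d.platform == patch_platform)

def schedule(alpha_monday):
    """Alpha on Monday, Beta that Wednesday, Production the following Monday."""
    if alpha_monday.weekday() != 0:
        raise ValueError("patch evaluation starts on a Monday")
    return {"alpha": alpha_monday,
            "beta": alpha_monday + timedelta(days=2),
            "production": alpha_monday + timedelta(days=7)}

# Constructed sample fleet.
FLEET = [
    Device("win-alpha-01", "windows", "16.0.2", "alpha"),
    Device("mac-alpha-01", "apple", "16.0.2", "alpha"),
    Device("win-beta-01", "windows", "16.1.0", "beta"),
    Device("win-office-07", "windows", "16.0.2", ""),
    Device("win-legacy-03", "windows", "15.5.1", ""),
]

if __name__ == "__main__":
    for ring in ("alpha", "beta", "production"):
        print(ring, recipients("windows", ring, FLEET))
    print(schedule(date(2025, 1, 6)))
```

Moving a Windows patch from Alpha to Beta keeps it on the Alpha devices because the Beta deployment targets both manual groups. In this model the manual groups have no version criterion, so only the Production smart group filters out the pre-16 client.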

Further Notes

Above, we mentioned that it didn't matter that we put all patches for all OSes in the same fileset group, and here is why:

[Screenshot: Client Info view]

In version 16+ of FileWave, the system knows the non-applicable patches don't apply, and they are automatically also filtered out of the UI in the Client Info view shown above.  This means we don't have to create tons of groups for this, we can just keep it streamlined and simple.  In the example provided you can see we don't see any of the Apple patches in the view, and we don't see anything Microsoft that doesn't apply either...the only thing we see is success (or failure) of the patches needed for this device.

And, when evaluating how your patching is going, remember there is a new view for any individual software update where you can see assignment (and results) from all devices.

[Screenshot: software update assignment and results view]

Windows BIOS/UEFI Firmware and Driver Updates

The latest Windows Software Update filesets now include BIOS/UEFI firmware updates from certain OEM vendors (e.g., Dell, HP, Lenovo). While these updates may appear alongside OS patches, please be careful when deploying. 

The latest Windows Software Update filesets now also include third-party driver updates, such as those for monitors, audio devices, and peripheral hardware. While these updates can improve compatibility and stability, they often have the following impact:

  • Many of these drivers require a reboot to complete installation.
  • Automatic deployment may result in unexpected restarts, potentially disrupting end-user workflows.

To maintain a smooth user experience and prevent unplanned reboots, you may want to deploy driver updates via Self-Service Kiosk instead of automatic enforcement.