Common patch configurations

The following patching strategies are the most commonly used in any environment, large or small. These strategies ensure patching is handled not only as a response to high-priority security risks, but also as routine maintenance that helps preserve system reliability, performance, and compliance.

Oftentimes, these are used in conjunction with more complex and custom patching strategies. However, they also provide a recommended starting point and can be used exclusively depending on the size of your environment and specific organizational needs.

Best overall practices

| Practice Area | Recommendation | Details |
|---|---|---|
| Pilot Deployments | Always implement a pilot phase, regardless of environment size. | Without pilot testing, you risk troubleshooting issues simultaneously across all devices. Recommended pilot size: 12-25 devices, preferably lab machines. |
| Ring-Based Deployment | Mature from small-scale lab pilots to a ring-based deployment model. | Use P-rings to expand testing beyond lab environments. Create separate business units with divergent maintenance windows. Progressively expand deployment scope across rings. |
| Pilot Device Selection | Select devices representing the full production environment. | Operating Systems: Windows 10, Windows 11, macOS, Linux. Device Types: workstations and servers. Use Cases: high-performance machines (development, analysis) and lightweight devices (kiosks). The built-in Business Units are not always ideal because they contain randomly chosen devices (1% of All Workstations, etc.), so it's best to strategically create custom business units. |
| Pilot User Selection | Choose users who provide actionable feedback. | IT staff and IT-friendly users who provide detailed feedback, non-IT staff for real-world validation, and users who reliably communicate issues. Avoid choosing mission-critical devices (revenue generators, the CEO's device, etc.). |
| Approval Timing | Schedule during business hours for timely response. | Configure approval requests to generate mid-morning (~10:00 AM), when an admin is most likely to view them during work hours. |

Daily critical patching

This patching strategy deploys daily patching based on criticality scores provided by a vulnerability management integration partner. Each patch that is marked Critical is deployed to all clients daily at a desired time.

Please see our list of Integration Partners that support criticality scores.

Create strategy

Navigation

  1. Select Strategies from the side navigation.

  2. Click New Strategy.

Overview

  1. Enter a Name and Description.

  2. Toggle ON Strategy Enabled.

  3. Click Next.

What to Patch

  1. Toggle ON Include All Products.

  2. Select the ellipses (...) next to Patch Filter.

  3. Select Add Operating Condition.

  4. Select one of the following from the Data Column dropdown:

    • For Adaptiva - Risk.SecurityExposureLevel.

    • For Microsoft Defender - Defender.SeverityLevel.

    • For CrowdStrike - Falcon.ExPRT.

    • For SentinelOne - SentinelOne.RiskSeverity.

  5. Set the Operating Condition to Equals.

  6. Set the Value to Critical.

  7. Click OK.

  8. Click Next.

When to Patch

  1. Click + Browse next to Schedule.

  2. Click the Schedules folder and select a desired schedule that will run in the AM.

  3. Click OK.

  4. Click Next.

How to Patch

  1. Click + Add Deployment Ring.

  2. Click + Browse and select your pilot devices business unit.

  3. Click + Add Transition > Delay Transition and enter 8-12 hours.

    • This delay sets the time of your PM production deployment. It is counted from the schedule you chose in the When to Patch pane.

  4. Click OK.

  5. Click + Add Deployment Ring and select your production devices.

  6. Click Save.

Accelerated browser patching

Browsers are highly susceptible to vulnerabilities, and it is good practice to prioritize patching for these products. This patch strategy runs on browser products twice a week, on Tuesdays and Thursdays: once in the morning for a pilot group and once in the evening for the remainder of devices.

Create strategy

Navigation

  1. Select Strategies from the side navigation.

  2. Click New Strategy.

Overview

  1. Enter a Name and Description.

  2. Toggle ON Strategy Enabled.

  3. Click Next.

What to Patch

  1. Toggle OFF Include All Products.

  2. Select Browse next to Included Products.

  3. Select all of your browser products from the table.

  4. Click Next.

When to Patch

  1. Click Browse next to Schedule.

  2. Select the Schedules folder and select Weekly (Tuesday, 10hrs) and Weekly (Thursday, 10hrs).

  3. Click OK.

  4. Click Next.

How to Patch

  1. Click + Add Deployment Ring.

  2. Click Browse and select your preferred pilot Business Unit.

  3. Click OK.

  4. Click + Add Transition > Delay Transition and enter 12 hours.

  5. Add an additional Deployment ring for the remaining production devices.

  6. Click Save.

Weekly Pilot / Production patching (Pilot Monday / Patch Friday)

This patch strategy covers weekly patching for all products for pilot business unit devices on every Monday and the remaining production business unit devices every Friday. Weekly patching ensures general upkeep of all products.

Create strategy

Navigation

  1. Select Strategies from the side navigation.

  2. Click New Strategy.

Overview

  1. Enter a Name and Description.

  2. Toggle ON Strategy Enabled.

  3. Click Next.

What to Patch

  1. Toggle ON Include All Products.

  2. Click Next.

When to Patch

  1. Click Browse next to Schedule.

  2. Select the Schedules folder and select Weekly (Monday, 10hrs).

  3. Click Next.

How to Patch

  1. Click + Add Deployment Ring.

  2. Click Browse and select your preferred pilot (P0) Business Unit.

  3. Click OK.

  4. Click + Add Transition > Delay Transition and enter 2 days.

  5. Create an additional pilot (P1) deployment ring and another delay of 2 days.

  6. Click + Add Transition > Approval Transition.

  7. Select Browse and click Create new Role and add your desired admins to be notified for approval requests.

  8. Click OK and add a Reminder Interval of 2 hours.

  9. Add another deployment ring for your production devices.

  10. Add a delay transition of 8 hours.

    • By default, once an approval request is approved, the patch strategy runs ASAP. Adding a delay here ensures that, after approval, production devices install patches outside of business hours.

  11. Click Save.
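
The timing of the ring plan above, worked through as an added example (not product code and not part of the original page): it walks the rings, delays and approval step to show when production actually starts and how approval latency moves that time. The plan layout, the Monday-Friday 08:00-18:00 business hours, the rule that each delay counts from the start of the previous step, and the sample date are assumptions of this example.

```python
from datetime import datetime, timedelta

# Constructed model of the weekly plan above. The (kind, value) tuple layout
# is this example's own, not a product format.
WEEKLY_PLAN = [
    ("ring", "P0 pilot"),
    ("delay", timedelta(days=2)),
    ("ring", "P1 pilot"),
    ("delay", timedelta(days=2)),
    ("approval", None),
    ("delay", timedelta(hours=8)),
    ("ring", "Production"),
]

def in_business_hours(t, start_hour=8, end_hour=18):
    """Assumed business hours: Monday-Friday, 08:00-18:00 local time."""
    return t.weekday() < 5 and start_hour <= t.hour < end_hour

def ring_timeline(schedule_start, plan, approval_latency):
    """Return ([(ring, start_time), ...], approval_requested). Assumes approval
    arrives approval_latency after the request is generated."""
    clock, rings, requested = schedule_start, [], None
    for kind, value in plan:
        if kind == "ring":
            rings.append((value, clock))
        elif kind == "delay":
            clock += value
        elif kind == "approval":
            requested = clock
            clock += approval_latency
    return rings, requested

def report(schedule_start, plan, approval_latency):
    """Summarise when production starts and how long it waited for patches."""
    rings, requested = ring_timeline(schedule_start, plan, approval_latency)
    prod_start = rings[-1][1]
    return {
        "rings": rings,
        "approval_requested": requested,
        "production_start": prod_start,
        "production_in_business_hours": in_business_hours(prod_start),
        "days_to_production": (prod_start - schedule_start) / timedelta(days=1),
    }

if __name__ == "__main__":
    monday = datetime(2025, 1, 6, 10, 0)  # constructed date: a Monday at 10:00
    for latency in (timedelta(minutes=30), timedelta(days=2, hours=22, minutes=30)):
        r = report(monday, WEEKLY_PLAN, latency)
        print(latency, r["production_start"], r["production_in_business_hours"])
```

With approval 30 minutes after the Friday 10:00 request, production starts Friday at 18:30. An approval given the following Monday at 08:30 puts the end of the 8-hour delay at 16:30, inside the assumed business hours, so approval latency is worth monitoring alongside the reminder interval.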

Monthly multi-phase patching

The goal of monthly multi-phase patching is to introduce predictability so users can always anticipate when patches happen on a monthly basis. Additionally, the pilot/production structure ensures that multiple device groups are tested prior to a full deployment.

Create strategy

Navigation

  1. Select Strategies from the side navigation.

  2. Click New Strategy.

Overview

  1. Enter a Name and Description.

  2. Toggle ON Strategy Enabled.

  3. Click Next.

What to Patch

  1. Toggle ON Include All Products.

  2. Click Next.

When to Patch

  1. Click Browse next to Schedule and select 2nd Tuesday of the Month (10hrs).

  2. Click OK.

  3. Click Next.

How to Patch

  1. Click + Add Deployment Ring.

  2. Click Browse and select your preferred pilot (P0) Business Unit.

  3. Click OK.

  4. Click + Add Transition > Delay Transition and enter 7 days.

  5. Repeat for P1, P2.

  6. After the delay transition for week three, click + Add Transition > Approval Transition.

  7. Select Browse and click Create new Role and add your desired admins to be notified for approval requests.

  8. Click OK and add a Reminder Interval of 2 hours.

  9. Create a final deployment ring for your production devices.

  10. Your plan outline should look like the following:
