# Common patch configurations

The following patching strategies are the most commonly used in any environment, large or small. These strategies ensure patching is handled not only as a response to high-priority security risks, but also as routine maintenance that helps preserve system reliability, performance, and compliance.

Oftentimes, these are used in conjunction with more complex and custom patching strategies. However, they also provide a recommended starting point and can be used exclusively depending on the size of your environment and specific organizational needs.

## Best overall practices

| Practice Area              | Recommendation                                                    | Details                                                                                                                                                                                                                                                                                                                                                                                                                                                      |
| -------------------------- | ----------------------------------------------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------ |
| **Pilot Deployments**      | Always implement a pilot phase, regardless of environment size.   | <p>Without pilot testing, you risk troubleshooting issues simultaneously across all devices.<br><br>Recommended pilot size: 12-25 devices, preferably lab machines.</p>                                                                                                                                                                                                                                                                                      |
| **Ring-Based Deployment**  | Mature from small-scale lab pilots to a ring-based deployment model | <p>Use P-rings to expand testing beyond lab environments.<br><br>Create separate business units with divergent maintenance windows.<br><br>Progressively expand deployment scope across rings.</p> |
| **Pilot Device Selection** | Select devices representing full production environment           | <p><strong>Operating Systems:</strong> Windows 10, Windows 11, macOS, Linux<br><br><strong>Device Types:</strong> Workstations and servers<br><br><strong>Use Cases:</strong> High-performance machines (development, analysis) and lightweight devices (kiosks)<br><br>The built-in Business Units are not always ideal as these are randomly chosen devices (1% of All Workstations etc.), so it's best to strategically create custom business units.</p> |
| **Pilot User Selection**   | Choose users who provide actionable feedback                      | <p>IT staff and IT-friendly users who provide detailed feedback, non-IT staff for real-world validation, and users who reliably communicate issues.<br><br>Avoid choosing mission-critical devices (revenue generators, CEOs, etc.).</p> |
| **Approval Timing**        | Schedule during business hours for timely response                | Configure approval requests to generate mid-morning (\~10:00 AM) when an admin is most likely to view it during work hours.                                                                                                                                                                                                                                                                                                                                  |

## Daily critical patching

This patching strategy deploys daily patching based on criticality scores provided by a vulnerability management integration partner. Each patch that is marked *Critical* is deployed to all clients daily at a desired time.

Please see our list of [Integration Partners](/patch/integrations/integration-partners.md) that support criticality scores.

<details>

<summary>Create strategy</summary>

**Navigation**

1. Select **Strategies** from the side navigation.

   ![](/files/64JfaeMvRqeIzK77AECO)
2. Click **New Strategy**.

**Overview**

1. Enter a **Name** and **Description**.
2. Toggle **ON** **Strategy Enabled**.
3. Click **Next**.

**What to Patch**

1. Either toggle **ON** **Include All Products** or select desired individual products/patches.
2. Select the ellipses (**...**) next to **Patch Filter**.
3. Select **Add Operating Condition**.

   ![](/files/6UZQZ9A4eJadTl0mryQz)
4. Select one of the following from the **Data Column** dropdown:
   * For Adaptiva - **Risk.SecurityExposureLevel**.
   * For Microsoft Defender - **Defender.SeverityLevel**.
   * For CrowdStrike - **Falcon.ExPRT**.
   * For SentinelOne - **SentinelOne.RiskSeverity**.
5. Set the **Operating Condition** to **Equals**.
6. Set the **Value** to **Critical**.

   ![](/files/IxdXVnECgM8t4ma2p2I9)
7. Click **OK**.
8. Click **Next**.

**When to Patch**

1. Click **+ Browse** next to **Schedule**.
2. Click the **Schedules** folder and select a desired schedule that will run in the AM.

   ![](/files/890ujoSFXYJSyL8mwk6i)
3. Click **OK**.
4. Click **Next**.

**How to Patch**

1. Click **+ Add Deployment Ring**.
2. Click **+ Browse** and select your pilot devices business unit.

   ![](/files/qXe6AlOZKLM3L7JNLC7h)
3. Click **+ Add Transition > Delay Transition** and enter 8-12 hours.

   * This delay determines when your PM production deployment starts. It is measured from the schedule you chose in the **When to Patch** pane.

   ![](/files/wKCYpoaDZy0uZMYVy4Cv)
4. Click **OK**.
5. Click **+ Add Deployment Ring** and select your production devices.
6. Click **Save**.

</details>

## Accelerated browser patching

Browsers are highly susceptible to vulnerabilities and it is good practice to prioritize patching for these products. This patch strategy is run on browser products twice a week -- once in the morning for a pilot group and once in the evening for the remainder of devices on Tuesdays and Thursdays.

<details>

<summary>Create strategy</summary>

**Navigation**

1. Select **Strategies** from the side navigation.

   ![](/files/64JfaeMvRqeIzK77AECO)
2. Click **New Strategy**.

**Overview**

1. Enter a **Name** and **Description**.
2. Toggle **ON** **Strategy Enabled**.
3. Click **Next**.

**What to Patch**

1. Either toggle **ON** **Include All Products** or select individual products/patches.
2. Select **Browse** next to **Included Products**.
3. Select all of your browser products from the table.

   ![](/files/nmTjlroIyi8Ffr27RHOT)
4. Click **Next**.

**When to Patch**

1. Click **Browse** next to schedule.
2. Select the **Schedules** folder and select **Weekly (Tuesday, 10hrs)** and **Weekly (Thursday, 10hrs)**.

   ![](/files/AV7jQH9YXISgrOkICKbA)
3. Click **OK**.
4. Click **Next**.

**How to Patch**

1. Click **+ Add Deployment Ring**.
2. Click **Browse** and select your preferred pilot **Business Unit**.
3. Click **OK**.
4. Click **+ Add Transition > Delay Transition** and enter *12 hours*.

   ![](/files/HcfNDpim4a8NG42WngPQ)
5. Add an additional Deployment ring for the remaining production devices.

   ![](/files/Y1jc5eSIEzWhsoYIvEUv)
6. Click **Save**.

</details>

## Weekly Pilot / Production patching (Pilot Monday / Patch Friday)

This patch strategy covers weekly patching for all products for pilot business unit devices on every Monday and the remaining production business unit devices every Friday. Weekly patching ensures general upkeep of all products.

<details>

<summary>Create strategy</summary>

**Navigation**

1. Select **Strategies** from the side navigation.

   ![](/files/64JfaeMvRqeIzK77AECO)
2. Click **New Strategy**.

**Overview**

1. Enter a **Name** and **Description**.
2. Toggle **ON** **Strategy Enabled**.
3. Click **Next**.

**What to Patch**

1. Either toggle **ON** **Include All Products** or select individual products/patches.
2. Click **Next**.

**When to Patch**

1. Click **Browse** next to schedule.
2. Select the **Schedules** folder and select **Weekly (Monday, 10hrs)**.
3. Click **Next**.

**How to Patch**

1. Click **+ Add Deployment Ring**.
2. Click **Browse** and select your preferred pilot (P0) **Business Unit**.

   ![](/files/C5dnJsHnXoVUk7PQY3o9)
3. Click **OK**.
4. Click **+ Add Transition > Delay Transition** and enter 2 days.

   ![](/files/3nsOuWglYkKhXIy4hJUM)
5. Create an additional pilot (P1) deployment ring and another delay of 2 days.
6. Click **+ Add Transition > Approval Transition**.
7. Select **Browse** and click **Create new Role** and add your desired admins to be notified for approval requests.
8. Click **OK** and add a **Reminder Interval** of 2 hours.

   ![](/files/bKEU4Dyvw0NocKSAi79e)
9. Add another deployment ring for your production devices.
10. Add a delay transition of 8hrs.
    * By default after an approval request is approved, it will run the patch strategy ASAP. Adding a delay here will ensure that after the approval, production devices will install patches outside of business hours.
11. Click **Save**.

</details>

## Monthly multi-phase patching

The goal of monthly multi-phase patching is to introduce predictability so users can always anticipate when patches happen on a monthly basis. Additionally, the pilot/production structure ensures that multiple device groups are tested prior to a full deployment.

<details>

<summary>Create strategy</summary>

**Navigation**

1. Select **Strategies** from the side navigation.

   ![](/files/64JfaeMvRqeIzK77AECO)
2. Click **New Strategy**.

**Overview**

1. Enter a **Name** and **Description**.
2. Toggle **ON** **Strategy Enabled**.
3. Click **Next**.

**What to Patch**

1. Either toggle **ON** **Include All Products** or select individual products/patches.
2. Click **Next**.

**When to Patch**

1. Click **Browse** next to **Schedule** and select **2nd Tuesday of the Month (10hrs)**.
2. Click **OK**.
3. Click **Next**.

**How to Patch**

1. Click **+ Add Deployment Ring**.
2. Click **Browse** and select your preferred pilot (P0) **Business Unit**.

   ![](/files/C5dnJsHnXoVUk7PQY3o9)
3. Click **OK**.
4. Click **+ Add Transition > Delay Transition** and enter 7 days.

   ![](/files/cvKugIpYBCKKGIpBSEcW)
5. Repeat for P1, P2.
6. After the delay transition for week three, click **+ Add Transition > Approval Transition**.
7. Select **Browse** and click **Create new Role** and add your desired admins to be notified for approval requests.
8. Click **OK** and add a **Reminder Interval** of 2 hours.

   ![](/files/VONhJm7lS38wyIMlcaOZ)
9. Create a final deployment ring for your production devices.
10. Your plan outline should look like the following:

    ![](/files/RvQnKJOJV1ftTAhxaGb8)

</details>
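
The ring timing that the weekly and monthly strategies above produce can be checked before building them in the console. The following is an added example, not Adaptiva code: it assumes each ring starts when the schedule or the preceding transition fires, ignores install duration, and uses constructed dates and a constructed one-hour approval lag.

```python
from datetime import datetime, timedelta

def nth_weekday(year, month, weekday, n, hour=10):
    """n-th given weekday (Mon=0 .. Sun=6) of a month, at hour:00."""
    first = datetime(year, month, 1, hour)
    offset = (weekday - first.weekday()) % 7
    return first + timedelta(days=offset + 7 * (n - 1))

def ring_timeline(start, plan, approval_lag):
    """Return [(label, datetime)] for each ring and approval request.

    Assumed model: a ring starts when the schedule or the preceding
    transition fires; install duration is ignored; approval_lag is how
    long an admin takes to approve (a constructed value).
    """
    clock, out = start, []
    for kind, value in plan:
        if kind == "ring":
            out.append((value, clock))
        elif kind == "delay":
            clock += value
        elif kind == "approval":
            out.append(("approval requested", clock))
            clock += approval_lag
        else:
            raise ValueError(f"unknown step: {kind}")
    return out

DAY, HOUR = timedelta(days=1), timedelta(hours=1)

# Weekly strategy: P0, 2 days, P1, 2 days, approval, 8 h, production.
WEEKLY = [("ring", "P0"), ("delay", 2 * DAY), ("ring", "P1"),
          ("delay", 2 * DAY), ("approval", None),
          ("delay", 8 * HOUR), ("ring", "Production")]

# Monthly strategy: P0, P1, P2 each followed by 7 days, approval, production.
MONTHLY = [("ring", "P0"), ("delay", 7 * DAY), ("ring", "P1"),
           ("delay", 7 * DAY), ("ring", "P2"), ("delay", 7 * DAY),
           ("approval", None), ("ring", "Production")]

def weekly_example():
    # Constructed start: Monday 2025-01-06 10:00, approved after 1 hour.
    return ring_timeline(datetime(2025, 1, 6, 10), WEEKLY, 1 * HOUR)

def monthly_example():
    # Constructed start: 2nd Tuesday of January 2025, approved after 1 hour.
    return ring_timeline(nth_weekday(2025, 1, 1, 2), MONTHLY, 1 * HOUR)

if __name__ == "__main__":
    for name, rows in (("weekly", weekly_example()), ("monthly", monthly_example())):
        for label, when in rows:
            print(f"{name:8}{label:20}{when:%a %Y-%m-%d %H:%M}")
```

Under this model the weekly approval request lands on Friday at 10:00 and the 8-hour delay moves production to the evening. The monthly plan as written has no delay after approval, so production starts as soon as the request is approved.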

## Clustered services patching

The goal of clustered services patching is to maintain service availability by patching nodes in a controlled sequence. This includes patching passive nodes first, validating their success, and sending an approval request before advancing to active nodes, to ensure zero-downtime deployments.

<details>

<summary>Create strategy</summary>

**Navigation**

1. Select **Strategies** from the side navigation.

   ![](/files/64JfaeMvRqeIzK77AECO)
2. Click **New Strategy**.

**Overview**

1. Enter a **Name** and **Description**.
2. Toggle **ON** **Strategy Enabled**.
3. Click **Next**.

**What to Patch**

1. Either toggle **ON** **Include All Products** or select individual products/patches.
2. Click **Next**.

**When to Patch**

1. Click **+ Browse** next to **Schedule**.
2. Click the **Schedules** folder and select a desired schedule that will run in the AM.

   ![](/files/890ujoSFXYJSyL8mwk6i)
3. Click **OK**.
4. Click **Next**.

**How to Patch**

1. Click **+ Add Deployment Ring**.
2. Click **+ Browse** and select your secondary servers business unit.

   ![](/files/sP2vOqBdXlT1BrgKY3ot)
3. Click **+ Add Transition > Success Gate Transition**.
4. Set the **Minimum Success Threshold** to 100. This will ensure that 100% of all of your devices must be patched successfully before continuing.
5. Set the Failure Action to **Abort**.
6. (Optional) Toggle **ON** **Send Failure Notification**, select the roles to notify, communication provider, and enter a notification message.

   * Hover over the **Notification Message** tooltip to view the available dynamic variables. For more information regarding dynamic variables, please see our [Success Gates - Notification Message](/patch/get-started/strategies-v2.md#success-gates) section.

   ![](/files/woiJCjDqqo6hkfgX5F3P)
7. Click **+ Add Approval Transition**, select the roles you'd like to be notified and designated approvers, and then configure the desired approval settings.

   ![](/files/Di3RSaSzCV3YJoP13ECT)
8. Click **+ Add Deployment Ring** and select your primary server business unit.

   ![](/files/F0xmTueX0jaLFMVZardQ)
9. Click **Save**.

</details>


