Channel: Ivanti User Community : All Content - Patch Manager

How to establish a Patch and Compliance Baseline Patch Group


This document assumes that you are getting started with patching, or that you are redesigning your patch processes at a high level.  Before applying any patches you should familiarize yourself with the LANDesk patching process and capabilities.  Here are several related documents to help you get started:

  • LANDESK Management Suite 9.5 patch & compliance documentation
  • LANDESK Management Suite 9.6 patch & compliance documentation
  • Patch Manager - Strategic and Tactical Implementation Guide


Because requirements and computing environments vary, your patching process needs to be tailored to your own environment. This document provides a general guideline for setting up baseline patching. Your individual needs may vary.


A baseline patch group includes the minimal set of patch definitions that apply to computers and applications in your environment. By design, it applies to newly imaged computers containing your baseline production applications and brings them up to a minimal standard of compliance before they are released to your production environment. Patches in this group are tested against baseline computers in your environment and are known to be safe to apply without unintended consequences.

Here are the steps to get started:

  • Build baseline computers with your standard OS image and all production applications installed. You should have baseline computers for all your major OS versions. These can be virtual machines, or physical.
  • Download all applicable patch content and move all definitions to the Scan folder. Ensure the Autofix, Do Not Scan, and Unassigned folders are empty. Create a custom group for Baseline Patch Definitions.
  • Run a security scan on your baseline computers. This will detect what patches are required for these computers and applications but will not install any patches.
  • Once the scan has completed, view the Security and Patch Information for your baseline computers. Select every definition in "All Detected" and drag it to your Baseline Patch Definitions custom group.
  • Look through this group and remove definitions (if any) which you know will break things in your environment. You can search by vendor, or any other column that is useful. Move any bad definitions to Do Not Scan and delete them from your custom group.
  • Determine whether to apply patches for vendor products such as Adobe, Firefox, Chrome, etc. Move definitions which you will not apply to Do Not Scan and delete them from your custom group.
  • Look at all patches marked "Manual" and determine if they are needed in your environment. If so, manually download the patches from the vendor. If not, move the definition to Do Not Scan and delete it from your custom group.
  • Right-click the Baseline Patch Definitions group and select Repair. Create a repair task for this custom group, ensuring you have downloaded all patch files as needed, including manual patches that you want to apply.
  • Run this task on your baseline computers using Agent Settings that allow reboot.  This will take some time and possibly several reboots as several hundred patches will likely be installed.
  • Investigate and remediate any failed patches, and ensure that no patches have caused unintended consequences for your baseline machines. Ensure none of your production applications have broken due to patches.  Move on only after you have validated that all patches are safe for your baseline computers.
  • Move all definitions in your Scan folder back into the Unassigned folder. Then click on your Baseline Patch Definitions group, select all definitions, and move them back to the Scan folder. This ensures you are only scanning against definitions that you have tested and which are needed to establish your baseline (so far).
  • In the Download Updates window, check the box to "Put new definitions in 'unassigned' group" so that newly downloaded patches are not automatically set to scan.  You may change this later as you design and implement your continuing patch processes.


Your Baseline Patch Definition group is now complete and you are prepared to start baseline patching for newly imaged computers, or to catch up unpatched computers in your environment.  You can run baseline patches during OS provisioning by adding a Patch System action to your template.  This video provides more information on this action:


How to use the LANDESK OS Provisioning "Patch System" action


You will want to design your production patching process according to your needs.  You will need to investigate the remaining definitions in the "unassigned" folder and determine whether to scan and repair them or move them to Do Not Scan.  As you design your continuing patch process, make effective use of additional custom groups and Definition group settings to reduce your management workload.


Before applying baseline patches to your production environment, you should apply them to a larger patch pilot group for further testing, and to eliminate any potential patch issues that would affect your users or break applications. It is vital to be aware of your environmental needs and to make educated determinations regarding which patches you apply and the potential consequences of each.




