I am currently doing an LDMS implementation at my company for a little under 3k endpoints. I have years of experience with the product, but have never had or implemented Patch Manager. We currently use WSUS and will be replacing it entirely with LDMS. We are not up to the patch phase of the project yet, but I spent a lot of time evaluating different areas of patch when I did the proof of concept. I have a number of questions that I'm hoping some of you can point me in the right direction on.
1.) Moving from WSUS to Patch Manager what is usually the practice here? Do people usually start from where WSUS left off when it comes to approving patches for autofix? Do you try to match up all WSUS approvals with Patch Manager?
2.) How are people using download definition settings? They are very limited where you only have vendor/product and contains/equals. Initially I was hoping to use this for automation in getting patches into a roll-out project for a more hands-off approach, but that doesn't seem possible with the limited options.
3.) For workstations we will probably be implementing a three-phase patch cycle where pilot 1 would get approved patches the weekend following patch Thursday, pilot 2 the following weekend, and then the rest of the environment. I'm wary of using the 'Disable any rules this definition replace' setting in the download definition settings for this reason... If a patch is still in play for the general population and a newer version of the patch comes out that will go to pilot, this setting would stop the previous version from getting fully deployed to the general population. How are people using this setting given this issue? If you are not using it, how are you retiring old patches?
4.) How are people using groups and tags to maintain phases/rollouts/etc?
5.) With autofix, one of my fears is that a patch will fail a number of times and stop installing, whereas WSUS would just keep trying on the regular schedule. How are people protecting themselves against this issue?
6.) For autofix to work, I assume you'd have to configure the reboot agent settings assigned to the agents to allow reboots during a time that overlaps with the patch/distribution agent settings maintenance window?
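As an added example (not part of the original post, and not anything from the LDMS side), the following PowerShell script pulls the current WSUS approval state into a CSV so it can be compared against what Patch Manager is set to autofix: one row per approved update with its KB numbers, products, whether WSUS already marks it superseded, and the target groups it was approved for (which is where any existing pilot/general-population split lives). It uses the WSUS administration API and assumes it runs on the WSUS server, or on a machine with the WSUS console installed, as a WSUS administrator; the output path is an assumption.

```powershell
# Added example: export WSUS "Install" approvals with KB, supersedence and target-group info
# for comparison with Patch Manager autofix selections. Not from the original post.
# Assumptions: runs where the WSUS admin assembly is installed, as a WSUS administrator;
# the output path below is made up for the example.
$OutFile = 'C:\Temp\wsus-approvals.csv'   # assumed location

Add-Type -AssemblyName 'Microsoft.UpdateServices.Administration'
$wsus = [Microsoft.UpdateServices.Administration.AdminProxy]::GetUpdateServer()

# Only updates whose latest revision is approved for at least one group.
$scope = New-Object Microsoft.UpdateServices.Administration.UpdateScope
$scope.ApprovedStates = [Microsoft.UpdateServices.Administration.ApprovedStates]::LatestRevisionApproved

# Resolve target-group ids to names once; these map onto pilot/general phases.
$groupNames = @{}
foreach ($g in $wsus.GetComputerTargetGroups()) { $groupNames[$g.Id] = $g.Name }

$rows = foreach ($u in $wsus.GetUpdates($scope)) {
    # Keep only Install approvals; Uninstall / NotApproved entries are not autofix candidates.
    $installGroups = $u.GetUpdateApprovals() |
        Where-Object { $_.Action -eq [Microsoft.UpdateServices.Administration.UpdateApprovalAction]::Install } |
        ForEach-Object { $groupNames[$_.ComputerTargetGroupId] }

    if (-not $installGroups) { continue }

    [pscustomobject]@{
        UpdateId       = $u.Id.UpdateId
        KB             = ($u.KnowledgebaseArticles -join ';')
        Title          = $u.Title
        Classification = $u.UpdateClassificationTitle
        Products       = ($u.ProductTitles -join ';')
        Superseded     = $u.IsSuperseded      # WSUS already has a newer update replacing this one
        ApprovedGroups = ($installGroups -join ';')
    }
}

$rows | Sort-Object Superseded, Title |
    Export-Csv -Path $OutFile -NoTypeInformation -Encoding UTF8

# Short summary; superseded-but-still-approved rows are the ones to decide on
# before enabling any "disable replaced rules" behaviour on the Patch Manager side.
'{0} approved updates exported, {1} already superseded in WSUS' -f `
    $rows.Count, @($rows | Where-Object { $_.Superseded }).Count
```

The Superseded column is the useful one for question 3: anything WSUS still has approved but already marks superseded is exactly the case where an older patch is still mid-rollout while a replacement exists, so that set tells you how often the situation actually arises in your environment before you pick a Patch Manager setting for it.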