Quest SMA Patch Deployment Rings for Controlled Rollouts
Quest SMA Patch – Build a ring-based patch deployment strategy in Quest SMA with pilot groups, production rings, scheduling, monitoring and safer patch rollout practices.
Useful external reference: Quest KACE resources.
Introduction
Quest SMA Patch – This article presents an example of a ring-based patch deployment strategy using the software 7-Zip as a reference. The approach involves a 7-day delay between each ring, allowing patches to be tested and validated progressively before full deployment.
Useful external reference: Quest KACE resources.
Quest SMA Patch – While this example focuses on 7-Zip, the same methodology can be applied to Microsoft patches or any other software updates. You can also extend the logic by introducing additional filters, such as severity level or classification (e.g., critical, security updates, feature updates), to fine-tune the rollout process according to your organization’s risk tolerance and validation needs.
Useful external reference: Quest KACE resources.
Quest SMA Patch – This strategy helps reduce the impact of potential issues and ensures a stable deployment across your environment.
Useful external reference: Quest KACE resources.
Create Ring
Ring 1 – Immediate Deployment to Test Devices
Quest SMA Patch – This ring targets a small group of tester devices. The goal is to validate that newly released patches do not cause any regressions or compatibility issues.
Useful external reference: Quest KACE resources.
- Criteria: Patch is newly released.
- Filter: No release date restriction applied.
- Use case: Initial testing by IT or selected pilot users.
Quest SMA Patch – Example: Patch “7-Zip 25.00” is published on 07/07/2025 and assigned to Ring 1 for immediate deployment.
Useful external reference: Quest KACE resources.
Ring 2 – Pilot Deployment After 7 Days
Quest SMA Patch – After one week of successful testing in Ring 1, the patch is then deployed to a larger pilot group.
Useful external reference: Quest KACE resources.
- Criteria: Patch has been released at least 7 days ago.
- Filter:
Namecontains “7-zip”Releasedis not within the last 7 days
- Use case: Early deployment to a controlled group of power users or critical business units.
Quest SMA Patch – This step helps detect broader compatibility issues before full deployment.
Useful external reference: Quest KACE resources.
Ring 3 – Global Deployment After 14 Days
Quest SMA Patch – Finally, after two weeks of validation, the patch is deployed to all remaining systems.
Useful external reference: Quest KACE resources.
- Criteria: Patch has been released for at least 14 days.
- Filter:
Releasedis not within the last 15 days (to include patches older than 14 days)Namecontains “7-zip”
- Use case: Organization-wide patch deployment once validation is complete.
Quest SMA Patch – This staged rollout reduces the likelihood of widespread issues caused by newly released patches.
Useful external reference: Quest KACE resources.
Create Computer label
Patch_Ring1 – Technical Validation
Quest SMA Patch – This group is used to ensure that the patch does not break system functionality. It’s strictly for technical validation and does not take into account application compatibility.
Useful external reference: Quest KACE resources.
- Example rule: Devices with system names ending in
1 - Best practice: Use dedicated machines identified through a specific attribute such as OU, tag, or naming convention.
Quest SMA Patch – These machines serve as the first level of patch validation.
Useful external reference: Quest KACE resources.
Patch_Ring2 – Application Validation (Pilot)
Quest SMA Patch – This group is used to confirm that patches do not impact business applications.
Useful external reference: Quest KACE resources.
- Example rule: Devices with system names ending in
2,3, or4 - Best practice: Prefer using devices that represent key departments or critical application use cases, identified via OU, tag, or smart label.
Quest SMA Patch – This ring serves as the application pilot group before full deployment.
Useful external reference: Quest KACE resources.
Patch_Ring3 – Global Deployment
Quest SMA Patch – This group includes all remaining devices that will receive the patch after successful validation in the previous rings.
Useful external reference: Quest KACE resources.
- Rule: No specific filter—includes all production devices not already part of Ring 1 or Ring 2
- Best practice: Exclude testing and lab devices to ensure only business-critical systems are covered.
Quest SMA Patch – This is the final ring where full-scale patch deployment occurs.
Useful external reference: Quest KACE resources.
Schedule Task
Ring 1
Quest SMA Patch – In the Action tab of the Patch Schedule:
Useful external reference: Quest KACE resources.
- Action type:
Detect and Deploy - Patch Label:
WSUS_Zip_Ring1.
Quest SMA Patch – Ensure that “All Patches” is not selected—you want to deploy only the filtered ones.
Useful external reference: Quest KACE resources.
- In the Devices tab:
Quest SMA Patch – Operating Systems: Leave default (All) unless you want to target a specific OS.
Useful external reference: Quest KACE resources.
Quest SMA Patch – Device Label: Patch_Ring1
Useful external reference: Quest KACE resources.
- Under the Schedule tab:
Quest SMA Patch – Best practice: Run the task daily during non-business hours for Ring 1 devices.
Configure a recurring schedule (e.g., daily, or specific days of the week)
Useful external reference: Quest KACE resources.
Ring 2
Quest SMA Patch – You will need to do the same for Ring 2 patches on Ring 2 computers,
Useful external reference: Quest KACE resources.
Ring 3
Quest SMA Patch – and for Ring 3 patches on Ring 3 computers.
Useful external reference: Quest KACE resources.
Quest SMA Patch –
Useful external reference: Quest KACE resources.