Barney's Blog


Doug's Mailbag: Patching Procedure

Readers share how they go about installing Microsoft's monthly updates:

We support small business clients so massive and expensive that testing isn't justified. I almost always wait for at least 24 hours before installing the updates on even my personal PC. After using myself as a 'crash test dummy,' I then install them on our office systems. If things are still looking good after that I'll allow WSUS to install them at my clients' systems.

I figure letting somebody else do the initial "beta" testing is a good plan!

Servers: The day after updates are released. (Except for some major updates to Exchange/SQL Server/etc. that require more planning.)

Test Group: The day updates are released.

All others: Six to seven days after the test group have been updated.

We do look at each update in depth prior to deployment but look at ALL of them as mandatory as they almost always fix a specific vulnerability. We have approximately 700 computers/servers to update.

Do we test every patch? No. With hundreds of Windows Servers and thousands of Windows workstations, it would be impractical (if not impossible) to test every patch in every configuration.

We use a 'layered' approach:

  1. We deploy patches monthly, giving a few days for Microsoft and others to see if any patches cause problems.
  2. Then we deploy on a handful of servers/workstations deemed 'not critical' and monitor irregularities.
  3. A day or so later we deploy to the general population of servers/workstations, but not to any server/workstation deemed 'critical.'
  4. A day or so after that we deploy on critical servers and workstations.

For us, this is usually a three-day process and we haven't had any major issues in the many years we've employed this method.

We use WSUS and divide our computers into three categories (non-critical, general and critical) and set each category to deploy patches at the different times so we can stop and/or rollback if we see any issues. We typically do this over a weekend to avoid production hours.

Of course if there is a really critical patch that needs to go out immediately, we circumvent this process and test before we deploy.

We have 5,000 PCs and 250 servers to patch. If the online community is not filled with horror stories by the Thursday following Patch Tuesday we release them all to our environment via WSUS.
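The three-group WSUS rollout one reader describes above could be scripted along these lines. This is an added example, not code from any of the letter writers; the group names, the three-day soak default and the `-Commit` switch are assumptions, and it expects the UpdateServices module on the WSUS server.

```powershell
# Added example: staged WSUS approvals, one ring per run.
# Assumed: target groups with these three names exist; run on the WSUS server.
param(
    [Parameter(Mandatory)]
    [ValidateSet('Non-Critical', 'General', 'Critical')]
    [string]$Ring,
    [int]$SoakDays = 3,   # assumed wait after release before the first ring
    [switch]$Commit       # without this switch the run only reports (-WhatIf)
)

Import-Module UpdateServices
$rings = 'Non-Critical', 'General', 'Critical'
$index = [array]::IndexOf($rings, $Ring)
$wsus  = Get-WsusServer

# Gate: stop the rollout while any earlier ring still reports failed installs.
if ($index -gt 0) {
    foreach ($earlier in $rings[0..($index - 1)]) {
        # Get-WsusComputer emits a message string when nothing matches; drop it.
        $failed = @(Get-WsusComputer -UpdateServer $wsus -ComputerTargetGroups $earlier `
                -ComputerUpdateStatus Failed | Where-Object { $_ -isnot [string] })
        if ($failed.Count -gt 0) {
            $names = ($failed | ForEach-Object FullDomainName) -join ', '
            throw "Halting before '$Ring': failed installs in '$earlier' on $names"
        }
    }
}

# First ring takes unapproved updates that have aged past the soak period;
# later rings only promote updates that already hold an approval.
if ($index -eq 0) {
    $cutoff  = (Get-Date).ToUniversalTime().AddDays(-$SoakDays)
    $updates = Get-WsusUpdate -UpdateServer $wsus -Classification All `
            -Approval Unapproved -Status FailedOrNeeded |
        Where-Object { $_.Update.CreationDate -le $cutoff }
} else {
    $updates = Get-WsusUpdate -UpdateServer $wsus -Classification All `
            -Approval Approved -Status FailedOrNeeded
}

$updates | Approve-WsusUpdate -Action Install -TargetGroupName $Ring -WhatIf:(-not $Commit)
"{0} update(s) selected for '{1}'" -f @($updates).Count, $Ring
```

Run it once per ring, a day or so apart; an out-of-band critical patch would be approved by hand outside this gate.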

Share your thoughts with the editors of this newsletter! Write to Letters printed in this newsletter may be edited for length and clarity, and will be credited by first name only (we do NOT print last names or e-mail addresses).

Posted by Doug Barney on 08/19/2011 at 1:18 PM

