Barney's Blog


Doug's Mailbag: Patching Procedure

Readers share how they go about installing Microsoft's monthly updates:

We support small business clients so massive and expensive that testing isn't justified. I almost always wait for at least 24 hours before installing the updates on even my personal PC. After using myself as a 'crash test dummy,' I then install them on our office systems. If things are still looking good after that I'll allow WSUS to install them at my clients' systems.

I figure letting somebody else do the initial "beta" testing is a good plan!

Servers: The day after updates are released. (Except for some major updates to Exchange/SQL Server/etc. that require more planning.)

Test Group: The day updates are released.

All others: Six to seven days after the test group have been updated.

We do look at each update in depth prior to deployment but look at ALL of them as mandatory as they almost always fix a specific vulnerability. We have approximately 700 computers/servers to update.

Do we test every patch? No. With hundreds of Windows Servers and thousands of Windows workstations, it would be impractical (if not impossible) to test every patch in every configuration.

We use a 'layered' approach:

  1. We deploy patches monthly, giving a few days for Microsoft and others to see if any patches cause problems.
  2. Then we deploy on a handful of servers/workstations deemed 'not critical' and monitor irregularities.
  3. A day or so later we deploy to the general population of servers/workstations, but not to any server/workstation deemed 'critical.'
  4. A day or so after that we deploy on critical servers and workstations.

For us, this is usually a three-day process and we haven't had any major issues in the many years we've employed this method.

We use WSUS and divide our computers into three categories (non-critical, general and critical) and set each category to deploy patches at the different times so we can stop and/or rollback if we see any issues. We typically do this over a weekend to avoid production hours.

Of course if there is a really critical patch that needs to go out immediately, we circumvent this process and test before we deploy.
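The three-group WSUS rollout described in the letter above, sketched as an added PowerShell example (not the letter writer's own script). It assumes the UpdateServices module on the WSUS server and computer groups named Non-Critical, General and Critical; the function name is hypothetical.

```powershell
# Added example: promote updates through three WSUS computer groups, one ring at a time.
# Assumption: the group names below already exist in WSUS; change them to match yours.
Import-Module UpdateServices   # installed with the WSUS role on Windows Server 2012 and later

$Rings = @('Non-Critical', 'General', 'Critical')   # deployment order

function Approve-PatchRing {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)]
        [ValidateSet('Non-Critical', 'General', 'Critical')]
        [string]$Ring
    )
    $wsus   = Get-WsusServer
    $groups = $wsus.GetComputerTargetGroups()
    $target = $groups | Where-Object { $_.Name -eq $Ring }
    if (-not $target) { throw "WSUS computer group '$Ring' does not exist." }

    $index = [array]::IndexOf($Rings, $Ring)
    if ($index -eq 0) {
        # First ring: security and critical updates that clients need and nobody has approved yet.
        $candidates = foreach ($class in 'Security', 'Critical') {
            Get-WsusUpdate -UpdateServer $wsus -Classification $class `
                -Approval Unapproved -Status FailedOrNeeded
        }
    } else {
        # Later rings: only updates already approved for install in the previous ring.
        $previous = $groups | Where-Object { $_.Name -eq $Rings[$index - 1] }
        if (-not $previous) { throw "Previous ring '$($Rings[$index - 1])' does not exist." }
        $candidates = Get-WsusUpdate -UpdateServer $wsus -Approval Approved -Status Any |
            Where-Object {
                @($_.Update.GetUpdateApprovals($previous) |
                    Where-Object { $_.Action -eq 'Install' }).Count -gt 0
            }
    }

    # Skip anything this ring already has an install approval for, then approve the rest.
    $candidates |
        Where-Object {
            @($_.Update.GetUpdateApprovals($target) |
                Where-Object { $_.Action -eq 'Install' }).Count -eq 0
        } |
        Approve-WsusUpdate -Action Install -TargetGroupName $Ring -WhatIf:$WhatIfPreference
}

# Preview first, then run for real; repeat a day later for the next ring:
#   Approve-PatchRing -Ring 'Non-Critical' -WhatIf
#   Approve-PatchRing -Ring 'Non-Critical'
```

Stopping a bad rollout is then a matter of not running the next ring; updates never reach General or Critical unless the ring before them was approved.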

We have 5,000 PCs and 250 servers to patch. If the online community is not filled with horror stories by the Thursday following Patch Tuesday we release them all to our environment via WSUS.

Share your thoughts with the editors of this newsletter! Write to Letters printed in this newsletter may be edited for length and clarity, and will be credited by first name only (we do NOT print last names or e-mail addresses).

Posted by Doug Barney on 08/19/2011 at 1:18 PM

