Barney's Blog

Doug's Mailbag: Patching Procedure

Readers share how they go about installing Microsoft's monthly updates:

We support small business clients so massive and expensive that testing isn't justified. I almost always wait for at least 24 hours before installing the updates on even my personal PC. After using myself as a 'crash test dummy,' I then install them on our office systems. If things are still looking good after that I'll allow WSUS to install them at my clients' systems.

I figure letting somebody else do the initial "beta" testing is a good plan!

Servers: The day after updates are released. (Except for some major updates to Exchange/SQL Server/etc. that require more planning.)

Test Group: The day updates are released.

All others: Six to seven days after the test group have been updated.

We do look at each update in depth prior to deployment but look at ALL of them as mandatory as they almost always fix a specific vulnerability. We have approximately 700 computers/servers to update.

Do we test every patch? No. With hundreds of Windows Servers and thousands of Windows workstations, it would be impractical (if not impossible) to test every patch in every configuration.

We use a 'layered' approach:

  1. We deploy patches monthly, giving a few days for Microsoft and others to see if any patches cause problems.
  2. Then we deploy on a handful of servers/workstations deemed 'not critical' and monitor irregularities.
  3. A day or so later we deploy to the general population of servers/workstations, but not to any server/workstation deemed 'critical.'
  4. A day or so after that we deploy on critical servers and workstations.

For us, this is usually a three-day process and we haven't had any major issues in the many years we've employed this method.

We use WSUS and divide our computers into three categories (non-critical, general and critical) and set each category to deploy patches at the different times so we can stop and/or rollback if we see any issues. We typically do this over a weekend to avoid production hours.

Of course if there is a really critical patch that needs to go out immediately, we circumvent this process and test before we deploy.
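The layered WSUS rollout described in the letter above, sketched as an added example (not the reader's script and not part of the original post). The group names, the three-day hold, the one-day ring offsets and the `-Halt` switch are assumptions; it uses the `UpdateServices` cmdlets that ship with the WSUS role on Windows Server 2012 and later.

```powershell
#Requires -Modules UpdateServices
# Added example: approve needed updates ring by ring (non-critical, general, critical).
[CmdletBinding(SupportsShouldProcess)]
param(
    [datetime]$ReleaseDate = (Get-Date).Date,  # day the monthly patches were released
    [int]$HoldDays = 3,                        # assumed wait before the first ring
    [switch]$Halt                              # set when an earlier ring showed problems
)

# Ring order follows the letter. The names are assumed and must match
# computer groups that already exist on the WSUS server.
$rings = @(
    @{ Group = 'Non-Critical'; Offset = 0 },
    @{ Group = 'General';      Offset = 1 },
    @{ Group = 'Critical';     Offset = 2 }
)

if ($Halt) {
    Write-Warning 'Rollout halted: no further rings will be approved.'
    return
}

# A ring is due once the hold period plus its own offset has elapsed.
$today = (Get-Date).Date
$start = $ReleaseDate.Date.AddDays($HoldDays)
$due   = @($rings | Where-Object { $today -ge $start.AddDays($_.Offset) })
if ($due.Count -eq 0) {
    Write-Output "No ring is due before $($start.ToShortDateString())."
    return
}

# AnyExceptDeclined rather than Unapproved: once ring 1 is approved, an update
# no longer counts as unapproved, but later rings still need it.
$wsus    = Get-WsusServer
$updates = Get-WsusUpdate -UpdateServer $wsus -Classification All `
               -Approval AnyExceptDeclined -Status FailedOrNeeded

foreach ($ring in $due) {
    Write-Output "Approving $(@($updates).Count) update(s) for '$($ring.Group)'"
    # -WhatIf / -Confirm passed to this script flow through to the approval.
    $updates | Approve-WsusUpdate -Action Install -TargetGroupName $ring.Group
}
```

Running it with `-WhatIf` lists the approvals each due ring would receive without changing anything on the server.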

We have 5,000 PCs and 250 servers to patch. If the online community is not filled with horror stories by the Thursday following Patch Tuesday we release them all to our environment via WSUS.

Share your thoughts with the editors of this newsletter! Write to Letters printed in this newsletter may be edited for length and clarity, and will be credited by first name only (we do NOT print last names or e-mail addresses).

Posted by Doug Barney on 08/19/2011 at 1:18 PM

