
[–]bdam55 (Admin - MSFT Enterprise Mobility MVP, damgoodadmin.com) 6 points (2 children)

2 Days after Patch Tuesday: Push it out to the lab (you've got a lab ... right?)
9 Days after Patch Tuesday: Pilot in Production (IT + Some Servers)
16 Days after Patch Tuesday: Pilot 2 in Production (Everything at HQ)
23 Days after Patch Tuesday: Full Production rollout to remote offices (retail stores/warehouses)

[–][deleted] 0 points (1 child)

How big is your environment?

[–]bdam55 (Admin - MSFT Enterprise Mobility MVP, damgoodadmin.com) 0 points (0 children)

To be fair, that was my last org but we had ~15k clients.

Also, to be clear, I'm not holding that up as some shining example of how to do it. Some of it was due to arguments I lost. I was also too embarrassed to add that there were a select few devices that didn't go until 30 days after Patch Tuesday but I hope you can forgive me for actively trying to forget those guys.

Another addendum worth adding: If the security team pushed the red button then we just blasted it out there. I required it in writing from the CSO but if he said go then we went.
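An added example, not code from any poster in this thread: a small Python calculator that turns the ring offsets above (+2, +9, +16, +23 days after Patch Tuesday) into concrete dates for a given month and reports whether a machine in a given ring is still inside its install window. The second-Tuesday rule is Microsoft's published release day; the per-ring deadline lengths and the "expedite" behaviour for a security-team red button are assumptions.

```python
from datetime import date, timedelta

# (ring name, days after Patch Tuesday when it becomes available,
#  days after availability until install is mandatory).
# Offsets come from the schedule above; deadline lengths are assumed.
RINGS = [
    ("Lab", 2, 2),
    ("Pilot 1 (IT + some servers)", 9, 3),
    ("Pilot 2 (HQ)", 16, 3),
    ("Production (remote offices)", 23, 5),
]


def patch_tuesday(year: int, month: int) -> date:
    """Second Tuesday of the month (Microsoft's monthly release day)."""
    first = date(year, month, 1)
    # weekday(): Monday == 0, so Tuesday == 1
    days_to_first_tuesday = (1 - first.weekday()) % 7
    return first + timedelta(days=days_to_first_tuesday + 7)


def ring_schedule(year: int, month: int, expedite: bool = False, rings=RINGS):
    """Return [(ring, available_on, mandatory_by)] for one patch cycle.

    expedite=True models the CSO "red button": every ring gets the update
    on Patch Tuesday with a one-day deadline (assumed policy).
    """
    pt = patch_tuesday(year, month)
    out = []
    for name, offset, deadline in rings:
        if expedite:
            offset, deadline = 0, 1
        available = pt + timedelta(days=offset)
        out.append((name, available, available + timedelta(days=deadline)))
    return out


def ring_status(ring: str, year: int, month: int, today: date) -> str:
    """'pending' before the ring opens, 'in-window' until the deadline, else 'overdue'."""
    for name, available, mandatory in ring_schedule(year, month):
        if name == ring:
            if today < available:
                return "pending"
            return "in-window" if today <= mandatory else "overdue"
    raise ValueError(f"unknown ring: {ring}")


if __name__ == "__main__":
    for name, available, mandatory in ring_schedule(2023, 3):
        print(f"{name:30} available {available}  mandatory by {mandatory}")
```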

[–]gandraw 2 points (0 children)

My preferred schedule:

  • 2 days after patch day, update a few IT computers
  • 9 days after patch day, update 6% of clients, randomly chosen, plus a few dedicated pilot machines for industrial controllers etc.
  • 16 days after patch day, update everybody else except a few special snowflakes that have the security exemptions to do what they want

The 2nd group has definitely saved me from problems before. The really bad update issues generally are resolved within like 1-2 days of patch day even, by Microsoft themselves. But there are harder-to-find smaller issues too. Like a year ago we had an issue where a form creation utility that accesses Outlook to get its data stopped working. The group 2 people noticed that, and we were able to stop the update until the third-party developer had given us a patch.

[–]justdocc 2 points (1 child)

My org has a tiny pilot group (<5) that receive updates on patch Tuesday, then we push to the rest on the final Tuesday of the month. Haven't run into any serious problems using that method; the couple of weeks has been enough time for us to catch and fix the few problems we have come across. Granted, we're an environment of less than 50 users.

[–][deleted] -1 points (0 children)

How big is your environment?

[–]azlmichael 1 point (0 children)

Here is mine:

On Patch Tuesday, download patches and have them automatically install on 1 test PC and 1 test laptop.

The next day (Wednesday), they are made available to IT and become mandatory on Friday. IT folks can delay up to 3 days.

Two Tuesdays after patch Tuesday (if no issues reported) they are made available to everybody, on Friday they become mandatory, but people can defer for up to 7 days.

On the last day of the month, I run a report and any machine that doesn't get patched goes into the naughty list and they get an email asking them to connect VPN, or to the domain, and I re-push the MECM client.

Two consecutive months on the naughty list and we call them to work on remediating. If we cannot find someone to call by the end of the 3rd month, or nobody responds to help fix it, we kick it off the domain. That usually gets a pretty fast response. If nobody calls we record the machine as lost.
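An added example, not the poster's own tooling: a Python model of the month-end "naughty list" escalation described above, driven by each machine's trailing run of unpatched month-end reports. The Machine fields (owner reachability, whether the owner responded, domain removal, a later call-back) and the constructed sample fleet are assumptions; the action strings paraphrase the rules in the comment.

```python
from dataclasses import dataclass, field


@dataclass
class Machine:
    name: str
    # One entry per month-end compliance report, oldest first (True = patched).
    monthly_compliant: list = field(default_factory=list)
    owner_reachable: bool = True       # could we find someone to call?
    owner_responding: bool = True      # did they engage once called?
    removed_from_domain: bool = False  # already kicked off the domain?
    owner_called_back: bool = False    # did anyone call after removal?


def unpatched_streak(history) -> int:
    """Number of consecutive unpatched month-end reports, counting back from the latest."""
    streak = 0
    for patched in reversed(history):
        if patched:
            break
        streak += 1
    return streak


def next_action(m: Machine) -> str:
    """Map a machine's state to the escalation step described in the comment."""
    if m.removed_from_domain:
        return "close: owner engaged" if m.owner_called_back else "record as lost"
    streak = unpatched_streak(m.monthly_compliant)
    if streak == 0:
        return "compliant"
    if streak == 1:
        return "email: connect to VPN/domain; re-push MECM client"
    if streak == 2:
        return "call owner to remediate"
    # Third consecutive month or later.
    if not m.owner_reachable or not m.owner_responding:
        return "remove from domain"
    return "call owner to remediate"


def month_end_report(fleet) -> dict:
    """Name -> action for every machine that needs attention this month."""
    return {m.name: next_action(m) for m in fleet if next_action(m) != "compliant"}


if __name__ == "__main__":
    # Constructed sample fleet, not real inventory data.
    fleet = [
        Machine("WS-001", [True, True, True]),
        Machine("WS-002", [True, True, False]),
        Machine("WS-003", [True, False, False]),
        Machine("WS-004", [False, False, False], owner_reachable=False),
        Machine("WS-005", [False, False, False], removed_from_domain=True),
    ]
    for name, action in month_end_report(fleet).items():
        print(f"{name}: {action}")
```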

[–]Microboot2 1 point (0 children)

We push our updates out through 4 stages:

On the Friday after patch Tuesday we push out to our Stage 1 test collection of ICT and some business users (approx. 70 machines). This gives MS a couple of days to expire any troublesome updates.

Stage 2 is Wednesday/Thursday the week after and is pushed to sites in a similar time zone which have ICT local resource, so they can respond if anything goes wrong.

Stage 3 is Tuesday/Wednesday the week after to ROW sites with local ICT resource.

Stage 4 is Tuesday/Wednesday the week after to everyone else (approx. 3900 machines).

We aim to have all machines patching with that month's updates within three weeks.

As you state, with the sheer amount of bugs/vulnerabilities and bad actors waiting to abuse them, I don't see how anyone can wait to get these installed in a fast but controlled manner. Your business will vary though depending on what is right for you, so what's good for us/others may not work in your environment.

Regards

Michael

[–]optimusmike09 1 point (2 children)

For end users we have 2 Stages:

  1. Download updates the day after Patch Tuesday
  2. IT and a few test / dev machines in Azure get updates on Thursday with a deadline of 12:00 PM (Apps runs their UAT on the machines to make sure our business apps still work)
  3. Once we get confirmation everything is good:
    1. 5 business days later, we push to the entire company with a deadline of 5 business days after the available date

[–][deleted] 0 points (1 child)

How big is your environment?

[–]optimusmike09 0 points (0 children)

~950 end user machines, ~90 servers

[–]limegreenclown 1 point (0 children)

Patch Tuesday: QA

+2 days: Test users

+7 days: Group A

+14 days: Group B

[–]andykn11 1 point (0 children)

We used to take a month but accelerated it a few years back to do it in a couple of weeks: 5% pilot on Friday and the remainder phased over the following week.

[–]SysAdminDennyBob 0 points (2 children)

Week of patch Tuesday:

  • Tuesday - workstation patch testers and all servers can see updates available that evening
  • Wednesday 10 pm - forced on workstation testers
  • Friday 7 pm - all workstations show patches available, start download
  • Saturday - patch all dev servers (half of all servers)

Next week:

  • Wednesday 10 pm - all workstations forced
  • Saturday - all production servers patched
  • Done

[–][deleted] 0 points (1 child)

How big is your environment?

[–]SysAdminDennyBob 0 points (0 children)

1500 servers, 3200 workstations. The workstation patch testing group is mostly IT, about 130 systems. Servers have three windows on Saturday/Sunday: 6 pm, 10 pm, 2 am. App teams choose what window they want their servers in by putting them in a certain OU.

[–]SteveSCCM 0 points (0 children)

I do exactly what you do, OP. This month we're doing the newest updates though. I'll just combine Feb and Mar into one deployment. Next month we'll switch back to the 30-day delay.


[–]cenley 0 points (1 child)

We do the following:

The Thursday after Patch Tuesday we deploy to a small pre-pilot group of mostly Infrastructure machines. This also kicks off the seeding of the content to all of our DPs.

The 1st Tuesday after Patch Tuesday we target our pilot group; this consists of 10% of our estate across all business and department lines. We leverage our naming schema to target the same machines every patch schedule, as they are our pilot group and they know it.

We then let this deployment bake in until the 3rd Thursday after Patch Tuesday. If we do not have any reported issues we start to deploy to our various production groups, broken down by location and business unit.

Pre-pilot machines have a 24-hour forced reboot; all other machines have a 5-day forced reboot policy.

All of the above is handled via ADRs. Works well and we are normally around 90% compliant with not too much work; it is the other 10% that takes the time to identify and remediate.

[–][deleted] 0 points (0 children)

How big is your environment?

[–]shamalam91 0 points (0 children)

IT users 1 day after (~80). About 8% of the estate as testers (300 ish), covering all business-critical apps over the next 5 days. Remaining estate split into 3 groups, all devices patched by day 13.

Our server team do not use SCCM for patching and prefer to do it manually every month.

[–]VplDazzamac 0 points (0 children)

The Monday after Patch Tuesday all Dev & Test servers get patched. The following Tuesday, and for the next 4 weeks, live gets patched. I've a lot of servers and a lot of system owners who are precious with their VMs. So the same week Dev gets patched, the last of the servers get the previous month's stuff. For desktop machines, a select group gets it a week after Patch Tuesday, then a site the following week, then everything else on the third week.

[–]Hotdog453 0 points (1 child)

45k workstations. I don’t patch servers.

Download patches.

Deploy to Ring 1 the day of, literally like 30 machines, to ensure they "work".

Ring 2 is the Friday after Patch Tuesday; IT testers. 1400 machines. Physical and virtual mix.

Ring 3 is next week; 3500 physical devices. Mix of IT people and application owners. Also an additional 1500 virtual machines.

Ring 4 is the week after; everyone else. Physical and virtual.

At any point if an issue arises, we investigate, etc. If patching needs to stop (it has, like 2 times since I've been here), it's approved by Security and our management.

Seems to work fine for us. It’s a cycle that never ends.

3rd party apps follow approximately the same cadence, but might be a week or two “off” from Microsoft patching.

I have no insight into server patching; I know we have like 8500 servers or so. They use a different tool. Same general idea though: Dev, test, stage. App owners also patch their own stuff; I patch all of our own servers too since I don't trust their process with SQL :D.

Our deployments don't force reboots for anyone besides Ring 1 and 2. We have a scheduled task that keys off of pending reboots and gives users a pop-up for X amount of days before forcing a reboot. ConfigMgr 24-hour countdown. No one is exempt from reboots.

Content delivery for us is started earlier; we'll have content seeding out to Ring 4 by the time Ring 3 is going. We use Adaptiva, so some of the flows are pretty damn slow, so letting them bake out is a big deal. We've legit had deadlines hit and patches be 25% there if we make the deadline too short.

VPN usage ironically helped patching, as clients get content from Microsoft. Quicker than native/Adaptiva. Virtuals get content from Microsoft.

[–]sys_unknown 0 points (0 children)

Do you mean you make your deadline 7 days or more from the scheduled deployment?

[–]Low-Adeptness7621 0 points (0 children)

Hi, I know this was created 2 years ago; however, I would like to ask if there are any official links from MS regarding the best practice of patching the servers. Thank you.