Patch Management cycle:
1) Research - Define the scope. Get in contact with system owners. Get SLA requirements. Confirm the update schedule. Sync the inventory from SCCM/LANDesk/IPAM. Define QA/DEV and PROD systems. Build a vulnerabilities-by-server report.
2) Assess - 1st week. Define the baseline. Build a list of missing updates with details, rating and exploitability index. Review and approve the list of patches during the Patch meeting.
3) Remediate
   - 2nd week: Deploy patches to the testing environment. Evaluate system functionality. Check the Event log for errors. Confirm system operability.
   - 3rd week: Notify DEV/QA system owners about patching and provide the list of approved patches. Deploy to DEV/QA systems. Let system owners evaluate and confirm operability during the following week.
   - 4th week: Notify Prod system owners about patching and provide the list of patches. Deploy to Prod systems. Let system owners evaluate and confirm operability.
5) Confirm - Run the vulnerabilities-by-server report. Confirm the vulnerabilities are patched and the environment is compliant with the current baseline.
6) Report - Build a report for management and system owners on the applied patches.
7) Patch Tuesday - New patches are released by Microsoft. Notify system owners about the patching schedule, so they can schedule maintenance and give advance notice to customers. Repeat the cycle starting from step 2.
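The Assess and Confirm steps both boil down to comparing each server's installed hotfixes against the approved baseline. The PowerShell below is an added example, not part of the original post: the KB numbers, server names, severities and exploitability values are constructed sample data, and the Get-InstalledKB helper is a hypothetical name wrapping the real Get-HotFix cmdlet for live collection.

```powershell
# Added example, not part of the original post: compare each server's installed
# hotfixes against the approved patch baseline and build a missing-updates report.
# Every KB number and server name below is a constructed sample value.
# Baseline approved in the patch meeting, with severity and Microsoft's
# Exploitability Index (1 = exploitation more likely ... 3 = exploitation unlikely).
$Baseline = @(
    [pscustomobject]@{ KB = 'KB0000001'; Severity = 'Critical';  ExploitIndex = 1 }
    [pscustomobject]@{ KB = 'KB0000002'; Severity = 'Important'; ExploitIndex = 2 }
    [pscustomobject]@{ KB = 'KB0000003'; Severity = 'Moderate';  ExploitIndex = 3 }
)

# Constructed inventory: server -> KBs reported as installed. For a live run,
# build this hashtable from Get-InstalledKB (below) instead of sample data.
$Installed = @{
    'PROD-WEB01' = @('KB0000001', 'KB0000002', 'KB0000003')
    'PROD-DB01'  = @('KB0000002')
    'QA-APP01'   = @('KB0000001', 'KB0000003')
}

function Get-InstalledKB {
    # Live collection via Get-HotFix (needs remote WMI/DCOM access to the server).
    param([Parameter(Mandatory)][string]$ComputerName)
    (Get-HotFix -ComputerName $ComputerName -ErrorAction Stop).HotFixID
}

function Get-MissingUpdateReport {
    # One row per (server, missing KB); a server with no rows meets the baseline.
    param([array]$Baseline, [hashtable]$Installed)
    foreach ($server in ($Installed.Keys | Sort-Object)) {
        $have = [System.Collections.Generic.HashSet[string]]::new([string[]]$Installed[$server])
        foreach ($patch in $Baseline) {
            if (-not $have.Contains($patch.KB)) {
                [pscustomobject]@{
                    Server       = $server
                    MissingKB    = $patch.KB
                    Severity     = $patch.Severity
                    ExploitIndex = $patch.ExploitIndex
                }
            }
        }
    }
}

$report = @(Get-MissingUpdateReport -Baseline $Baseline -Installed $Installed)
# Most exploitable gaps first: this is the list to review and approve in the patch meeting.
$report | Sort-Object ExploitIndex, Server | Format-Table -AutoSize
# Compliance summary against the current baseline (the Confirm step).
$nonCompliant = @($report.Server | Select-Object -Unique)
"Non-compliant: $($nonCompliant -join ', ')"
"Compliant: $(@($Installed.Keys | Where-Object { $_ -notin $nonCompliant }) -join ', ')"
```

With the sample data, PROD-DB01 and QA-APP01 appear in the report and PROD-WEB01 is listed as compliant; swapping the sample hashtable for Get-InstalledKB output turns the same script into the vulnerabilities-by-server check used in the Confirm step.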
Patch Test Environment:
The test environment will consist of several VMs with different OS versions for 1st-stage patch testing and system operability checks:
- Windows Server 2003 (32-bit and 64-bit)
- Windows Server 2008 (32-bit and 64-bit)
- Windows Server 2008 R2
- Windows Server 2012
- Windows Server 2012 R2
- Windows Server 2016
- Windows 7
- Windows 8
- Windows 8.1
- Windows 10
Small VMs (2 vCPUs, 2 GB RAM) with no need for HA, so they can be stored on local datastores. Allow enough datastore space for snapshots.
Back-out plan:
We need to define back-out procedures at least for Production-critical systems. Identify these systems and choose an appropriate roll-back method for each (backup, snapshot or patch uninstall).
If a snapshot is taken, check datastore space availability beforehand and schedule the snapshot's removal.
Microsoft does not prescribe a single best practice here, as every organization's environment differs. The process described can vary from organization to organization.