Patch Scanning & Deployment Best Practices - Patch Tuesday Survival Guide and Best Practices

Version 2

     

    Patch Tuesday Survival Guide and Best Practices

     

    In the world of Windows systems, Patch Tuesday (generally the second Tuesday of each month) is the day that patching is planned around, since Microsoft releases new updates on that day. Below is a list of things to consider when preparing for Patch Tuesday so that you can keep getting your updates applied in a timely fashion using Shavlik Protect.

     

    Stay Up-To-Date on When Updates Are Released in Shavlik Patch Definitions

     

    Microsoft has been pretty good about getting most main bulletins and security fixes released on Patch Tuesday each month. Keep in mind that it will take some time for the Shavlik Content Team to properly build detection and deployment logic, as well as test the updates, before releasing new patch definitions. Generally, Shavlik will have the new updates added to Protect's patch definitions within 24 hours of release from Microsoft on Patch Tuesday.

     

    You can get notifications and follow when the new patch definitions are released by Shavlik using the resources cited in this document:

    How To: Know When Xml Updates (Patch Definitions) Are Released and How to Receive Notifications

     

    Patch Tuesday is not the only time you may be wondering when an update will be added to Protect. The Shavlik Content Team generally releases new patch definitions every Tuesday and Thursday evening. Generally, on Patch Tuesday, the Shavlik Content Team will release an XML for Protect later that day containing the main bulletins from Microsoft as well as any other pertinent security bulletins released by other vendors. A second XML release will then come the following Thursday containing any less critical patches. If vendors release any out-of-band critical updates, the Shavlik Content Team will generally release new content as soon as possible.

     

    If there is an update you consider critical and do not see added to Shavlik's patch definitions, please contact support to verify when the update will be added.

     

    Most importantly - make sure you actually have the latest patch definitions in Protect once they're released.

    Patch Scanning & Deployment Best Practices - Verifying and Updating Patch Definitions

     

    Make Sure to Test Patches

     

    Read more in Patch Scanning & Deployment Best Practices - Considerations

     

    The one thing Microsoft's Patch Tuesday is negatively known for is the effect that some patches can have in your environment if you don't test them first! Microsoft often releases a revised version of an update because of problems initially seen when the bulletin is deployed at customer sites. Avoid these problems by testing patches first.

     

    Consider Best Practices in Applying Updates

     

    Microsoft has some official documentation on what they recommend as best practices.

    Best Practices for Applying Service Packs, Hotfixes and Security Patches

     

    Other vendors may have additional best practices and things to consider when deploying those updates. Consider researching this prior to deploying updates.

     

    Here are some additional guides on best practices from Shavlik:

     

    Prioritize Updates to Deploy

     

    Often your maintenance window will limit how many updates you have time to deploy. If this happens, you will need to prioritize which updates to deploy.

    • First consider: of the updates that are not applied in your environment, which ones are the most critical (both based on vendor and based on what you believe to be critical in your environment)?
    • Are your systems at the latest service pack? Unless you have applications running that require an older service pack and will not work on the latest, you should consider it a priority to get the latest service packs applied, especially for the operating system.
    • Are there updates that you know will break something in your environment? Or updates you know are not necessary in your environment? Make sure to exclude those updates.
    • When will you be able to deploy the non-critical updates? Even though you obviously want to get critical updates out first and foremost, you should still plan a time to get the current non-critical updates deployed before the next Patch Tuesday. Otherwise you will start to fall behind on getting all updates applied to your systems.
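The prioritization questions above can be turned into a simple planning routine. The following is an added example, not part of Shavlik Protect or its documentation: the patch ids, install times, and the rule that service packs and locally critical updates join the top tier are assumptions made for illustration.

```python
from datetime import date, timedelta

# Microsoft severity ratings, most urgent first.
SEVERITY_TIER = {"Critical": 0, "Important": 1, "Moderate": 2, "Low": 3}

def patch_tuesday(year, month):
    """Second Tuesday of the given month."""
    first = date(year, month, 1)
    first_tuesday = first + timedelta(days=(1 - first.weekday()) % 7)  # Tuesday == 1
    return first_tuesday + timedelta(days=7)

def next_patch_tuesday(today):
    """First Patch Tuesday strictly after `today`: the deadline for deferred updates."""
    this_month = patch_tuesday(today.year, today.month)
    if this_month > today:
        return this_month
    year, month = (today.year + 1, 1) if today.month == 12 else (today.year, today.month + 1)
    return patch_tuesday(year, month)

def plan_window(missing, window_minutes, excluded=(), local_critical=()):
    """Split missing updates into (deploy_now, deferred, skipped) lists of ids."""
    def tier(p):
        # Assumption: service packs and locally critical updates join the top tier.
        if p["service_pack"] or p["id"] in local_critical:
            return 0
        return SEVERITY_TIER[p["severity"]]

    skipped = [p["id"] for p in missing if p["id"] in excluded]
    candidates = [p for p in missing if p["id"] not in excluded]
    deploy_now, deferred, used = [], [], 0
    for p in sorted(candidates, key=lambda p: (tier(p), p["id"])):
        if used + p["minutes"] <= window_minutes:  # fits in the remaining window
            deploy_now.append(p["id"])
            used += p["minutes"]
        else:  # schedule before the next Patch Tuesday
            deferred.append(p["id"])
    return deploy_now, deferred, skipped

# Constructed sample scan result; ids and install times are made up.
SAMPLE_MISSING = [
    {"id": "PATCH-A", "severity": "Moderate", "service_pack": False, "minutes": 20},
    {"id": "PATCH-B", "severity": "Critical", "service_pack": False, "minutes": 30},
    {"id": "PATCH-C", "severity": "Important", "service_pack": False, "minutes": 25},
    {"id": "PATCH-D", "severity": "Low", "service_pack": True, "minutes": 60},
    {"id": "PATCH-E", "severity": "Critical", "service_pack": False, "minutes": 15},
    {"id": "PATCH-F", "severity": "Low", "service_pack": False, "minutes": 10},
]
```

Smaller low-tier updates may fill leftover window time after a larger one is deferred; anything in the deferred list should be scheduled before the date returned by `next_patch_tuesday`.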

     

     
