Over the years, I have seen plenty of organizations with multiple variations of patching schedules. During this period, I have found a schedule that adheres to security requirements while simultaneously incorporating a testing scope which most organizations miss out on for validating their environment. Keep in mind, the timing and schedule can always be adjusted based on each organizations schedule and cadence.
- 2nd Tuesday of the Month – Patches are available to the packaging team by Microsoft.
- 2nd Wednesday of the Month – Testing groups notified of Patch availability.
- 3rd Tuesday of the Month – Notification sent to users regarding Patch availability.
- 3rd Thursday of the Month – Patches are made available to Client Machines globally. At this point Users have the option to voluntarily install the patches.
- 4th Tuesday of the Month – Notification sent to users regarding Patch enforcement.
- 4th Thursday of the Month – Patches are enforced to Client Machines globally.
Post patch install and reboot experience:
On completion of installation of patches, users are provided with a notification as in Fig. 1 that they have 330 minutes which is 5 hours and 30 minutes to voluntarily reboot their client devices.
Users have the option to immediately reboot or snooze the reboot popup at their convenience, prior to the enforcement time, as in Fig. 2. Users can snooze the notification for 1, 2 or 4 hours based on their schedule. Due to this users will see additional popups based on the snooze schedules selected.
5 hours and 30 minutes has been specifically chosen, so that users do not forget about the machine reboot and are notified and rebooted during the working hours. Patching is considered successful only when the installation of patches completes followed by a reboot.