The Patch
Management Process: 1.0
Created by:
Submitted to:
All
Organizations
Applies to: Windows Server 2003, Windows
Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2,
Windows Server 2008, Windows Server 2008 R2, Windows Server 2012, Windows
Server Update Services
This
is Microsoft recommended approach to the update management process consists of
an ongoing set of four phases, as illustrated in the following figure. It is
essential to repeat the update management process on an ongoing basis, as new
updates become available that can enhance and protect the production
environment.
Following
the figure are the goals of each phase and examples of how administrators can
use WSUS features to ensure success during each of the four phases of the
process. It is important to note that many of the features can be employed in
more than one phase.
1.
Access Phase
The
administrator’s goals for the Assess phase are:
1.
To set up a production environment that will support update management for both
routine and emergency scenarios.
Although
it is the first step, the Assess phase is essentially an ongoing process. For
example, administrators should assess how many servers and client computers
they need to update, what their storage and network bandwidth requirements are,
and what time frame is acceptable to deploy an average update. Administrators
also have to determine what platforms, products, and languages they want to
update. Based on these factors, administrators can determine the most efficient
topology for scaling out their WSUS components.
WSUS
provides numerous options for setting up WSUS components, including the ability
to store update content locally on WSUS servers or download content on demand
from Microsoft Update. Administrators can also configure Automatic Updates to
download and install missing updates on a computer automatically. WSUS provides
options for managing client computers in both Active Directory and non–Active
Directory environments.
WSUS
provides standardized aggregate reports that administrators can run on an
ongoing basis. These reports provide comprehensive information about all
activity in the WSUS implementation, including information about updates that
have been synchronized to a WSUS server, and which updates are installed or are
missing from each computer.
2.
Identify Phase
The
administrator’s goals for the Identify phase are:
1.
To discover new updates in a convenient manner.
2.
To determine whether updates are relevant to the production environment.
WSUS
enables administrators to determine which types of updates to synchronize from
Microsoft Update and when to synchronize them. Because WSUS automatically
gathers data about all the computers known to the WSUS server in order to
determine whether an update is relevant, administrators can see immediately how
many computers need the update and how the deployment of the update would
impact the network before installing the update in the production environment.
3.
Evaluate and Plan
The
administrator’s goals for the Evaluate and Plan phase are:
1.
To test updates in an environment that is separate from but resembles the
production environment.
2.
To determine the tasks necessary to deploy updates into production, plan the
update releases, build the releases, and then conduct acceptance testing of the
releases.
When
evaluating updates in a test environment, administrators can run many of the
WSUS features they would be using in the actual deployment. They can set the
criteria and schedule for automatically synchronizing their WSUS servers,
create computer groups, and then target updates for those groups by approving
updates for install. During and after testing, administrators can use the
standardized reports that WSUS provides to monitor the success of their test
update installations.
WSUS
enables administrators to evaluate the result of installing updates before
deploying them to a production environment. By creating a group of test
computers and auto approving different sets of updates by product, language,
and other classifications, administrators can test various types of updates
using automation. During and after testing, administrators can correlate WSUS
update reports with their test results to validate installed updates and decide
how and when to schedule download and installation approvals for the production
environment.
4.
Deploy Phase
The
administrator’s goals for the Deploy phase are:
1.
To approve and schedule update installations.
2.
To review the process after the deployment is complete.
WSUS
allows administrators to specify target groups of computers and approve the
deployment of updates to those groups. To establish the order in which updates
are deployed, administrators can use WSUS to create the most efficient upstream
and downstream WSUS server configuration for their network and staffing
resources. In addition, administrators can configure how client computers
communicate with WSUS servers or Microsoft Update by using Group Policy or by
scripting with the WSUS API. The administrator can then use reporting to
determine the success of the update deployment by computer or target group.
For
reference and more detail about WSUS- https://technet.microsoft.com/en-us/library/