Microsoft releases a batch of updates for Windows at least once a month on what has been termed “Patch Tuesday” (the second Tuesday of each month). These are important updates to protect your servers and may even provide additional functionality. Patching your servers can be very nerve-wracking. I have provided several tips that can be used to ensure your patching goes smoothly.
- Plan ahead. Know when Patch Tuesday will occur. Schedule downtime for your servers/farms and communicate it to end users. Be sure to include extra time just in case an issue arises.
- Research patches. You should check all available patches for known and potential issues prior to installation. This can include issues with the Operating System, any applications on the servers, or background processes and services required to run your applications. You can check the appropriate Microsoft KB article released with the patch for information and known issues. Also, use your favorite search engine to see if anyone has reported an issue with the patch. You can normally determine within the first couple of search result pages if it will be safe or not.
- Verify disk space. It is imperative that you have appropriate disk space on your Windows installation drive (oftentimes the C: drive) prior to installing updates. If not, you may have an incomplete installation or the update could fail.
- Have a failback plan. Should an issue arise, know how to revert in case you cannot fix it. Know how long it takes to fail back, so that you know how long you can spend trying to correct the issue. For example, say you scheduled a three-hour window for installing patches. Say it takes 30 minutes to download, install, and restart your server. Afterwards you encounter an issue. You know that it takes roughly 30 minutes to fail back (via Windows System Restore, a 3rd party tool, or just simply uninstalling the patch and restarting). Therefore, you know you can spend up to 2 hours attempting to fix the issue before beginning your failback.
- Be aware of non-OS updates. Windows Update can offer updates for other applications, including Microsoft products (Office, SharePoint, Exchange, SQL, etc.), non-Microsoft applications, and hardware drivers. You should be aware of this, as sometimes these updates may not be necessary to install, may need to be researched and tested, or may need to be installed at another time.
- Do not automatically install updates. This includes automatic installation via Windows Update and via Windows Server Update Services (WSUS) or an equivalent patching service. This is extremely critical because you will want to choose which patches to install and when. Also, oftentimes, your WSUS administrators are not as knowledgeable about what may affect the applications on your servers. This gives an opportunity for another person to weigh in on whether or not a patch should be installed. As mentioned in Tip 5, updates to other applications (both Windows and non-Windows) may be pushed out with the set of updates, and your patching process may require you to hold these application-specific patches for a later time.
- Install updates on a test or development server/farm first. This will give you time to test the patches and ensure you don’t experience any issues; and if you do, you’ll know how to fix them. After all, these servers were made for testing. If possible, get your users to test the patches as well. They might use your system in ways you might not expect.
- Install security updates ASAP. It is important to install these as soon as you can because your servers are at risk of attack. Each Microsoft KB article and Security Bulletin explains what the risk is, so the details are public knowledge. Attackers could therefore breach your systems by exploiting these security holes. There is a reason why some people refer to the day after Patch Tuesday as “Exploit Wednesday.”
- Check for additional updates. Before patching a server, click the check for additional updates link. This can help ensure that you install all available patches the first time. After installing the updates, go back and check again for any additional updates. Sometimes, an update will not be available until after another update has been installed.
- Validate applications after patching. After you have finished patching your system, test your OS and applications. Have a list of validations to check; that way you know immediately whether your system is functioning properly. For example, in SharePoint, you can check several different sites to ensure that they load and any features (particularly anything custom) are still working.
- Actually patch your system! You may not feel like patching the system at all. After all, if it’s working, why change anything? In addition, it can be risky and time consuming. However, not patching actually increases risk and makes any future patching take even longer! At some point, you will need to patch your system. Overall, it is easier to apply fewer updates more frequently than more updates less frequently.
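
A scripted version of the disk-space check, the failback baseline and the post-patch validation list from the tips above, as an added PowerShell example that is not part of the original article. The function names, the 10 GB threshold, the baseline file path, the service name and the URL are assumptions to replace with your own.

```powershell
# Added example. Function names, the 10 GB threshold, the baseline path,
# service names and URLs are assumptions; substitute your own values.

function Test-PrePatch {
    param(
        [int]$MinFreeGB = 10,                                          # assumed threshold
        [string]$BaselinePath = "$env:ProgramData\hotfix-baseline.txt" # assumed location
    )
    # Free space on the Windows installation drive (usually C:)
    $disk   = Get-CimInstance Win32_LogicalDisk -Filter "DeviceID='$env:SystemDrive'"
    $freeGB = [math]::Round($disk.FreeSpace / 1GB, 1)

    # Record installed KBs so the failback plan knows exactly what was added
    (Get-HotFix).HotFixID | Sort-Object | Set-Content -Path $BaselinePath

    [pscustomobject]@{
        Computer    = $env:COMPUTERNAME
        FreeGB      = $freeGB
        EnoughSpace = $freeGB -ge $MinFreeGB
        Baseline    = $BaselinePath
    }
}

function Test-PostPatch {
    param(
        [string[]]$Services = @(),
        [string[]]$Urls = @(),
        [string]$BaselinePath = "$env:ProgramData\hotfix-baseline.txt"
    )
    # KBs present now but not in the baseline: what to uninstall if you fail back
    $before = Get-Content -Path $BaselinePath
    $newKBs = (Get-HotFix).HotFixID | Where-Object { $_ -notin $before }

    # Validation list: required services are running, key sites answer HTTP 200
    $checks = foreach ($name in $Services) {
        $svc = Get-Service -Name $name -ErrorAction SilentlyContinue
        [pscustomobject]@{ Check = "Service $name"; Passed = ($null -ne $svc -and $svc.Status -eq 'Running') }
    }
    $checks = @($checks) + @(foreach ($url in $Urls) {
        try   { $ok = (Invoke-WebRequest -Uri $url -UseBasicParsing -UseDefaultCredentials -TimeoutSec 30).StatusCode -eq 200 }
        catch { $ok = $false }
        [pscustomobject]@{ Check = "Site $url"; Passed = $ok }
    })
    [pscustomobject]@{ NewHotFixes = $newKBs; Checks = $checks; AllPassed = -not ($checks.Passed -contains $false) }
}

# Constructed sample inputs: W3SVC is the IIS service; the URL is a placeholder.
Test-PrePatch -MinFreeGB 10
# ... install updates and restart, then:
Test-PostPatch -Services 'W3SVC' -Urls 'https://sharepoint.example.internal/sites/home'
```

`Get-HotFix` only reports updates recorded in `Win32_QuickFixEngineering`, so application updates delivered through Windows Update (Office, SQL, drivers) may not appear in the baseline and need to be tracked separately.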
Hopefully these tips prove valuable to you and your company. If you are not doing so already, begin using them to ease your patching process. If you have any additional tips, be sure to comment and let us know!