Patch Management Procedure
1. Purpose
The patch management procedure provides details on the patch management process to enhance security by promptly and efficiently applying software patches.
2. Acronyms
Change Advisory Board (CAB)
Windows Server Update Services (WSUS)
Microsoft Endpoint Configuration Manager (MECM)
Software Update Point (SUP)
End User Management (EUM)
Advanced Managed Services (AMS)
3. Roles and Responsibilities
3.1. The outsourced service provider's patch management support team is responsible for testing and deploying patches.
3.2. CAB approval is required for patch implementation to begin.
4. Deployment Group Phases
4.1. Phase 1 – Pilot Deployment
Newly released security patches are tested on designated low-risk servers and workstations before they are applied to the rest of the servers and workstations in production.
Groups:
- WSUS - Windows Server – Pilot
- WSUS - Workstations Windows 11 – Pilot
- WSUS - Workstations Windows 10 - Pilot
4.2. Phase 2 – Production Deployment
After Phase 1 testing is successful, the remainder of the servers and workstations will receive the newly released security patches.
Groups:
- WSUS - Windows Server - Auto Restart
  - MECM may allow the Windows Update service to restart the servers.
- WSUS - Windows Server - No Auto Restart
  - MECM suppresses the restart to allow a manual restart. These servers require a controlled restart.
- WSUS - Workstations Windows 11 – All
- WSUS - Workstations Windows 10 - All
4.3. Deployment groups will be periodically reviewed with the support team:
- Workstations - EUM
- Servers - AMS
5. Deployment Schedule

6. Rules and Products
6.1. Workstation products and deployment rules:
- Windows 10 Updates
  - Critical Updates
  - Security Updates (Critical and Important)
- Windows 11 Updates
  - Critical Updates
  - Security Updates (Critical and Important)
6.2. Endpoint Protection
- Definition updates - Daily
- Endpoint Protection
- Defender Antivirus
6.3. Server products and deployment rules:
- Server 2012 Updates (End of Life)
  - Critical Updates
  - Security Updates (Critical and Important)
- Server 2016 Updates
  - Critical Updates
  - Security Updates (Critical and Important)
- Server 2019 Updates
  - Critical Updates
  - Security Updates (Critical and Important)
- Server 2022 Updates
  - Critical Updates
  - Security Updates (Critical and Important)
7. Process Details
On the 2nd Tuesday of each month Microsoft releases new patches and updates. Microsoft Endpoint Configuration Manager (MECM), using a configured Software Update Point (SUP), will start a scheduled synchronization at 04h00. During the synchronization WSUS will be instructed to download the updates from Microsoft and import them into MECM.
The newly released updates will then be imported into custom configured packages containing the patches and distributed to all Site System Servers. Workstations and servers will receive the updates from the site system server within their own IP range (local LAN).
If CAB approves the implementation of patches, the deployment will start as:
- Pilot Group – Servers - Friday
- Pilot Group – Workstations - Immediately after CAB approval
If no issues were found, production patching will start:
- Production Group – Servers - Saturday
- Production Group – Workstations - One week after Pilot
Success is measured by whether the patches install on the target platforms without any issues. Operations that functioned on the target platform before the patch must continue to operate after it is installed. If problems arise from the patch process, the patches can be removed.
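As an added illustration (not part of this procedure or the organisation's tooling), the following Python script turns the rules in this section into a concrete calendar for a given month: it locates the second Tuesday, places the SUP synchronization at 04h00 on that day, and derives the pilot and production dates from the CAB approval date. The procedure leaves some timing implicit, so the script makes the following labelled assumptions: the synchronization runs on release day itself; the server pilot is the first Friday strictly after CAB approval; production servers patch on the first Saturday after a configurable soak period (default seven days) following the server pilot; and the CAB approval date used in the example is constructed.

```python
"""Patch deployment calendar derived from the procedure's Process Details.

Added example; the organisation's own schedule is not published on this page.
Every timing rule not stated explicitly in the procedure is marked ASSUMPTION.
"""
from datetime import date, datetime, time, timedelta
import calendar


def second_tuesday(year: int, month: int) -> date:
    """Microsoft's monthly release day (the 2nd Tuesday of the month)."""
    first = date(year, month, 1)
    days_to_first_tuesday = (calendar.TUESDAY - first.weekday()) % 7
    return first + timedelta(days=days_to_first_tuesday + 7)


def next_weekday(start: date, weekday: int) -> date:
    """First date strictly after `start` that falls on `weekday`."""
    offset = (weekday - start.weekday()) % 7 or 7
    return start + timedelta(days=offset)


def on_or_after_weekday(start: date, weekday: int) -> date:
    """First date on or after `start` that falls on `weekday`."""
    return start + timedelta(days=(weekday - start.weekday()) % 7)


def deployment_schedule(year: int, month: int, cab_approval: date,
                        server_soak_days: int = 7) -> dict:
    """Map the procedure's rules onto calendar dates for one patch cycle."""
    patch_tuesday = second_tuesday(year, month)
    if cab_approval < patch_tuesday:
        raise ValueError("CAB approval cannot precede the Microsoft release date")

    # Procedure: SUP synchronization at 04h00.
    # ASSUMPTION: it runs on release day (the procedure does not say which day).
    sup_sync = datetime.combine(patch_tuesday, time(4, 0))

    # Procedure: pilot workstations immediately after CAB approval.
    pilot_workstations = cab_approval

    # Procedure: pilot servers on Friday.
    # ASSUMPTION: the first Friday strictly after CAB approval.
    pilot_servers = next_weekday(cab_approval, calendar.FRIDAY)

    # Procedure: production servers on Saturday, only if the pilot found no issues.
    # ASSUMPTION: first Saturday after a soak period following the server pilot,
    # so the pilot has time to surface regressions before production.
    prod_servers = on_or_after_weekday(
        pilot_servers + timedelta(days=server_soak_days), calendar.SATURDAY)

    # Procedure: production workstations one week after the workstation pilot.
    prod_workstations = pilot_workstations + timedelta(days=7)

    return {
        "patch_tuesday": patch_tuesday,
        "sup_sync": sup_sync,
        "cab_approval": cab_approval,
        "pilot_workstations": pilot_workstations,
        "pilot_servers": pilot_servers,
        "prod_servers": prod_servers,
        "prod_workstations": prod_workstations,
    }


if __name__ == "__main__":
    # Constructed sample: March 2024 cycle with CAB approval the day after release.
    plan = deployment_schedule(2024, 3, date(2024, 3, 13))
    for step, when in plan.items():
        print(f"{step:20s} {when:%a %Y-%m-%d %H:%M}" if isinstance(when, datetime)
              else f"{step:20s} {when:%a %Y-%m-%d}")
```

Changing `server_soak_days` to 0 models the reading in which production servers follow the pilot on the very next day; the default of seven keeps a full week between the two server phases, matching the one-week gap the procedure states for workstations.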
8. Communication Plan
The RFG representative will clearly communicate patch deployment schedules to the relevant teams.
9. Continuous Improvement
The RFG representative will regularly review and update the patch management procedure.