Change Request for Windows hotfixes

Lanz · 13 Jun 2011 at 15:01

As sysadmins, if you dont automatically install and reboot via gpo, do you do complete change request procedures when applying standard patch tuesday hotfixes to your Windows servers?

Or do you just have a open ended change policy that ties in with WUS and a patch schedual that is known by everyone so you dont have to inform users/managers when a server is patched and restarted?

Im trying to finally get to grips with a decent patching procedure, and managers seems to want to sign off every bit of work nowdays, even the simplest tasks require a page of explaination and sign off - So I need to cover all bases in regards to change requests.

Thanks

Teledude · 13 Jun 2011 at 15:13

All patches are tested on UAT systems and signed off by the test manager - application owners then get given a weekly schedule of patching and they must sign it off

tbh depends on the size of your org

Lanz · 13 Jun 2011 at 15:52

170 Servers, team of 3 people who manage them.

We have no test domain or the like, generally we have installed patches on the less important servers first to test, then over time the important ones finally get done

Rinse and repeat....

sidethink · 13 Jun 2011 at 16:40

Yes to change requests. At the very least do some specific paperwork for each batch of requests to get endorsement from the business versus the level of risk.

The level of risk depends on lots of things but most can be mitigated with a good testing and QA procedure in a distinct environment and, at least for desktops, deployment to a pilot user group.

chaosophy · 15 Jun 2011 at 21:54

As much as I dislike the whole admin/paper work side of the job, I'd say yes to CRs. You have to work on the assumption that something will go wrong one day and people will always start that conversation with 'why wasn't I informed?'. It is the app teams/server owners equivalent of a Z list celebrity saying 'don't you know who I am?'

Things can and will go wrong from time to time and you're better off making sure you are covered when they do.

Knubje · 16 Jun 2011 at 11:27

Here's how we work it:

Development Domain - All patches applied automatically via WSUS and reboot GPO on the day.

PreProduction - Request for Standard Change raised including list of required/released patches, approved and completed same week of patch releases.

Production - Request for Standard Change raised including list of required/released patches, approved and completed the week after preproduction patch installation.

This process means that it gets service and business approval and also approval from our change management team before allowing to go ahead.

Django x2 · 16 Jun 2011 at 11:51

Depends on the org size. I look after an estate agents with 5 servers (2 phys, 3 virt), 6 clients (5 phys, 1 virt). We have WSUS and I just let it carry on as required.