I wonder if anyone can comment on the schedule and procedures for MS patching. I am drafting procedures for the server farm and want to see other advice/experiences.
1 - Place "test" servers in their own group within the WSUS environment.
2 - Synchronize the WSUS server 8 days before the scheduled outage date (can be automated).
3 - Approve Critical patches for the test group 1 week before the outage window, and alert users when the patches have been approved.
4 - Install the patches on test servers, reboot if necessary, and test servers for functionality during the week before the scheduled outage.
5 - Alert IT if the patches are causing a degradation of service or unexpected detriment to the servers. If so, the patches would be set for uninstall, and would not be installed during the scheduled outage. If the patches do not cause any issues, users will inform IT that they can approve the same patches for the remaining servers.
6 - Starting on the first scheduled outage day, IT will take snapshots of VMs, install patches on the remaining servers, and reboot if necessary. IT will inform users once all servers are available.
7 - If patches are found to negatively affect other servers in the environment, the patches can be set to be uninstalled within the WSUS console.
8 - If patches are found to work as expected, IT will remove the snapshot of the VM.
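
Steps 2, 3 and 5-6 above can be scripted with the UpdateServices PowerShell module on the WSUS server. This is an added example, not part of the original post; the group names and the `-Stage` and `-Commit` parameters are assumptions made for illustration.

```powershell
#Requires -Modules UpdateServices
# Added example. Group names and the Stage/Commit parameters are hypothetical.
param(
    [ValidateSet('Sync', 'ApproveTest', 'PromoteToProd')]
    [string]$Stage = 'Sync',
    [string]$TestGroup = 'Test Servers',        # assumed WSUS group name
    [string]$ProdGroup = 'Production Servers',  # assumed WSUS group name
    [switch]$Commit   # without -Commit, approvals are only reported (-WhatIf)
)

$wsus = Get-WsusServer   # WSUS role on the local machine

switch ($Stage) {
    'Sync' {
        # Step 2: schedule this 8 days before the outage window.
        $sub = $wsus.GetSubscription()
        $sub.StartSynchronization()
        while ($sub.GetSynchronizationStatus() -ne 'NotProcessing') {
            Start-Sleep -Seconds 30
        }
        # Record the outcome so a failed sync is noticed before approval day.
        $sub.GetLastSynchronizationInfo() | Select-Object StartTime, EndTime, Result
    }
    'ApproveTest' {
        # Step 3: approve needed, still-unapproved Critical updates for the test group only.
        Get-WsusUpdate -UpdateServer $wsus -Classification Critical `
                       -Approval Unapproved -Status FailedOrNeeded |
            Approve-WsusUpdate -Action Install -TargetGroupName $TestGroup `
                               -WhatIf:(-not $Commit)
    }
    'PromoteToProd' {
        # Steps 5-6: after sign-off, approve for production exactly the updates
        # that carry an Install approval on the test group, so nothing untested
        # reaches the remaining servers.
        $test = $wsus.GetComputerTargetGroups() | Where-Object Name -eq $TestGroup
        if (-not $test) { throw "WSUS group '$TestGroup' not found" }
        Get-WsusUpdate -UpdateServer $wsus -Classification Critical -Approval Approved |
            Where-Object {
                $_.Update.GetUpdateApprovals($test) | Where-Object Action -eq 'Install'
            } |
            Approve-WsusUpdate -Action Install -TargetGroupName $ProdGroup `
                               -WhatIf:(-not $Commit)
    }
}
```

Run each stage once without `-Commit` and keep the `-WhatIf` output as the change record for that patch cycle.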