Patch Management on SBS and Windows XP machines - advice and best practices

I was asked this in the forums, but I felt it was important enough to write about it both here and in the forum.

Patch Management should be a key part of what you do.  Patching is like car servicing - it can sometimes be put off a little, but if you don't keep the oil and water topped up and skip the regular service, things go horribly wrong.  You MUST tell your customers this so they can choose how to pay you for the service (they can always just call you in when things go wrong, but it will take longer and cost them more).  Obviously patching is just one tool in your kitbag for keeping systems secure - local and perimeter firewalls, anti-spyware and anti-virus software are also needed, as is a good password and administrator-account policy.

The best person to talk about patching is the now famous Susan Bradley, an SBS MVP known as the SBS Diva. Before I point you off to some of her blog posts on it, I thought I would answer some questions often asked in this area:

1) How do you decide whether to patch or hold off?

You always have to weigh the risk of deploying a patch against the risk of leaving the hole open.  How much time would you have spent testing the fix for Blaster (the MS03-026 RPC/DCOM patch) versus deploying it as soon as possible?  Likewise, how often do patches actually break machines?  When one does, find out why that system needs extra care and test future patches only against that piece of software or hardware, but deploy to the rest without holding everything back.

2) What happens if things go wrong?

Remember, support to fix problems caused by a patch (or service pack) is free from Microsoft, so you can always pick up the bat phone and call.  Microsoft do test all patches, but the amount of testing depends on the urgency of the patch and how it was obtained.  If you go for a hotfix suggested by a KB article, where you have to call Microsoft to get it, it will have had less testing than a public security update, but we will still work with you to fix any issues with it.

The UK no-charge support number (0870 60 10 100) is for virus and other security-related support. It is available Mon - Fri, 8am - 6pm.

3) How do you patch, David?

Personally, I deploy all application patches from Microsoft to desktops immediately via WSUS or Windows Update - ensuring I am using Microsoft Update so all MS products get patched.  I evaluate drivers, but rarely deploy them, 'cos if they ain't broke, don't fix them; I would normally only be looking for drivers when I am setting up a system or when one is causing problems.

On my server, I auto-deploy critical patches and then hand-manage the rest.  However, I also read the security bulletins to see if there is something coming that I need to worry about.
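The split described above (application and critical patches straight out to desktops, critical patches only on the server, drivers held back for manual evaluation) can be turned into a WSUS approval rule. The script below is an added example and is not from the original post or from Microsoft; it uses the public WSUS administration API (Microsoft.UpdateServices.Administration) and assumes a WSUS server named "sbs-server" on HTTP port 8530 and two computer target groups named "Workstations" and "Servers" - change those to match your site. Which classifications count as "critical" for the server group is an assumption too: here it is Critical Updates, Security Updates and Definition Updates.

```powershell
# Added example: approve WSUS updates by classification, per target group.
# Assumptions (not from the post): WSUS on 'sbs-server', HTTP port 8530,
# computer target groups named 'Workstations' and 'Servers'.
[void][System.Reflection.Assembly]::LoadWithPartialName("Microsoft.UpdateServices.Administration")
$wsus = [Microsoft.UpdateServices.Administration.AdminProxy]::GetUpdateServer("sbs-server", $false, 8530)

# Policy: classifications that go out without manual review, per group.
# Desktops get everything Microsoft Update offers; the server only gets the
# critical/security set, everything else is left pending for hand management.
$policy = @{
    "Workstations" = @("Critical Updates", "Security Updates", "Definition Updates", "Updates", "Update Rollups")
    "Servers"      = @("Critical Updates", "Security Updates", "Definition Updates")
}
# Never auto-approved anywhere: drivers are only chased when something is broken.
$neverAuto = @("Drivers")

$groups = @{}
foreach ($g in $wsus.GetComputerTargetGroups()) { $groups[$g.Name] = $g }

# Only consider updates that nobody has approved or declined yet.
$scope = New-Object Microsoft.UpdateServices.Administration.UpdateScope
$scope.ApprovedStates = [Microsoft.UpdateServices.Administration.ApprovedStates]::NotApproved
$install = [Microsoft.UpdateServices.Administration.UpdateApprovalAction]::Install

$manual = @()
foreach ($u in $wsus.GetUpdates($scope)) {
    $class = $u.UpdateClassificationTitle
    if ($neverAuto -contains $class) {
        $manual += "$class : $($u.Title)"
        continue
    }
    foreach ($name in $policy.Keys) {
        if (-not $groups.ContainsKey($name)) {
            Write-Warning "No WSUS target group named '$name'; skipping"
            continue
        }
        if ($policy[$name] -contains $class) {
            # Approve() fails if a EULA is outstanding, so accept it first.
            if ($u.RequiresLicenseAgreementAcceptance) { $u.AcceptLicenseAgreement() }
            $u.Approve($install, $groups[$name]) | Out-Null
            Write-Host "Approved [$class] $($u.Title) for $name"
        } else {
            $manual += "$class : $($u.Title) (still pending for $name)"
        }
    }
}

Write-Host "`nLeft for manual review:"
$manual | Sort-Object -Unique
```

Run it on the WSUS server itself as a member of the WSUS Administrators group, after a synchronisation, and keep an eye on the "left for manual review" list: that is the queue the server-side hand management in the post refers to. Reading the security bulletins still matters, because a bulletin can tell you an update is coming for a product that this policy would hold back.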

For places of info, there is no better than Susan Bradley's blog - http://msmvps.com/blogs/bradley - and you can always ask her a question.  She also covered this in a webcast on the SBS Show - http://www.vladville.com/sbsshow/2005/12/sbs-show-8-patch-management-with-susan.html

For information on patch management from Microsoft, look at the bottom of the http://support.microsoft.com/gp/securityitpro page.

ttfn

David


Posted Mon, May 15 2006 7:08 AM by David Overton


(c)David Overton 2006-23