Standard Patching Policy

This document outlines Worksighted’s structure and requirements regarding the patching of Windows servers and endpoints. The primary objective is to keep all production operating systems on current versions and updated with all approved patches. 

Endpoint Patch Schedule & Requirements 

 Endpoints running Windows Desktop operating systems will be patched on a fixed schedule. This simple standard has been arranged to help provide clear expectations to end users. 

 

Patch Window: Wednesday Morning 

  • General maintenance and third-party patching: 12:00 AM – 2:00 AM 
  • Pre-patch reboot: 2:30 AM 
  • Patch application: 3:00 AM – 6:00 AM 
    • Additional reboots may occur during patch application.

 

Expectations 

  • Windows desktops and laptops should be left on through Tuesday night / Wednesday morning. 
    • Laptops should be connected to AC power. 
    • Laptop lids should be left open. (Closing the lid will put the computer to sleep.) 
  • Users' work should be saved, and user accounts should be logged out. 
  • Endpoints should have active and fully operational internet connections. 

 

Missed Patch Windows

  • Endpoints will be automatically enrolled in daytime patching. 
  • Updates will be pushed in the background when the machine is online. 
  • To ensure that patches are applied, any machine with an uptime greater than 7 days or that is pending a reboot will be prompted to restart every 2 hours. 
  • If reboots are repeatedly declined, a reboot will be forced once upon reaching 10 days of consecutive uptime. 

 

Miscellaneous 

  • Worksighted will implement a policy that disables sleep on all endpoints when connected to AC power. 

 

Note: Exceptions to these standards may be made on a case-by-case basis. This requires a valid business case and must be reviewed and approved by Worksighted. Any existing exceptions will require review and approval to ensure consistency is maintained across all systems Worksighted is responsible for. 

 

 

Server Patch Schedule 

 Servers are patched via pre-arranged windows based on business requirements. 

 

Targets 

This section contains Worksighted’s objectives as they relate to Windows patching.  

  • Windows Desktop and Server operating systems fully patched within the last 30 days. 
    • Standard: >95% of systems patched within the last 30 days. 
    • Standard: 100% of systems patched within the last 60 days. 
  • Windows feature updates maintained at supported versions. 

Hardware & Software Requirements 

The following details cover the basic requirements to ensure that servers and endpoints may be kept up to date. 

 

Supported Operating Systems 

  • All production systems should be kept on operating systems/versions that fall under Mainstream Support per Microsoft’s Fixed Lifecycle Policy. 
  • Any systems currently out of Mainstream Support should have a formal plan for upgrade or replacement. 

 

Hardware 

  • To ensure they are properly supported, all production hardware should be among the business offerings of the core OEMs (Dell, HP, Lenovo). 
  • Server hardware in production > 5 years should have a formal plan in place for replacement. 
  • Endpoint hardware in production > 4 years should have a formal plan in place for replacement. 

 

System Status 

  • Free space on C:\ should be kept at a minimum of 20 GB to support general patching and feature updates. 
  • Backup jobs should be configured to prevent overlaps with scheduled patch windows. 

 

Infrastructure 

  • Sufficient WAN and internal network capacity to support patching throughput.