XSTRA Windows Maintenance & Security Plan


With this structured approach, XSTRA ensures that all systems are secure, updated, and optimized while minimizing disruptions. The daily security updates, automated patch deployments, and scheduled reboots keep systems running smoothly. By conducting post-maintenance log checks, XSTRA ensures that all maintenance actions are verified for success, allowing for immediate remediation when required.


At XSTRA, we ensure that all systems remain secure, updated, and optimized while minimizing disruptions. Our structured maintenance plan is designed to prevent downtime, ensure security compliance, and keep all machines performing at their best.


Windows Monthly Maintenance & Security Schedule


| Day of Month | Time | Task | Target Group | Value Provided |
|---|---|---|---|---|
| Daily | 9 AM | Update Defender Definition Files & Apply Critical Updates. Update XSTRA’s core XDEVICE custom apps including XAGENT, XPOSE, XMESSAGE, and XDESKTOP (optional) | Pilot (X0) Group | Ensures protection from latest malware threats & applies urgent security patches without waiting for Patch Tuesday |
| Daily | 3 PM | Update Defender Definition Files & Apply Critical Updates. Update XSTRA’s core XDEVICE custom apps including XAGENT, XPOSE, XMESSAGE, and XDESKTOP (optional) | Full Deployment Group | Ensures protection from latest malware threats & applies urgent security patches without waiting for Patch Tuesday |
| 2nd Thursday | 1 PM, 3 PM, 5 PM | Notification Reminder to Users of Upcoming Maintenance | Pilot (X0) Group | A notice is displayed on users’ screens reminding them to leave their computers on overnight |
| 2nd Thursday | 10 PM | Create System Restore Point | Pilot (X0) Group | Provides rollback option in case of issues |
| 2nd Thursday | 11 PM | OS Patch Management (Critical Updates, Security Updates, Definition Updates, Update Rollups, Service Packs, Feature Packs, Updates) | Pilot (X0) Group | Keeps OS secure and stable |
| 2nd Thursday | 11 PM | Software Updates – (WinGet Only – not Chocolatey) | Pilot (X0) Group | Ensures latest software versions for security & performance |
| 2nd Thursday | 11 PM | Drivers and Tools Updates (Hardware Updates, Office Updates, Tool Updates) | Pilot (X0) Group | Improves system compatibility & performance |
| 2nd Thursday | 11 PM | Delete Temp Files & Internet History | Pilot (X0) Group | Frees up disk space & enhances privacy |
| 2nd Thursday | 11 PM | Reboot if Needed | Pilot (X0) Group | Ensures updates apply correctly |
| 2nd Friday | 4 AM | Final Reboot | Full Deployment Group | Ensures systems are fully refreshed and stable |
| 2nd Friday | 10 AM | Log File Checks | Full Deployment Group | XSTRA checks the log files for all activities to identify which attempted tasks succeeded or failed and to decide on any additional actions required |
| 3rd Thursday | 1 PM, 3 PM, 5 PM | Notification Reminder to Users of Upcoming Maintenance | Full Deployment Group | A notice is displayed on users’ screens reminding them to leave their computers on overnight |
| 3rd Thursday | 10 PM | Create System Restore Point | Full Deployment Group | Provides rollback option in case of issues |
| 3rd Thursday | 11 PM | OS Patch Management (Critical Updates, Security Updates, Definition Updates, Update Rollups, Service Packs, Feature Packs, Updates) | Full Deployment Group | Keeps OS secure and stable |
| 3rd Friday | 4 AM | Final Reboot | Full Deployment Group | Ensures systems are fully refreshed and stable |
| 3rd Friday | 10 AM | Log File Checks | Full Deployment Group | XSTRA checks the log files for all activities to identify which attempted tasks succeeded or failed and to decide on any additional actions required |

Additional Notes


Purpose of Key Maintenance Tasks


  • Daily Critical Updates at 2 PM: Microsoft occasionally releases emergency out-of-band security patches to address urgent vulnerabilities. Applying critical updates daily at 2 PM prevents zero-day exploits, ensuring all machines are secure before the next scheduled monthly update, while keeping the primary cycle unchanged.
  • OS Patch Management: Covers all types of Windows updates (critical updates, security updates, definition updates, update rollups, service packs, feature packs, and general updates), ensuring system security and stability. This also includes upgrading Windows 10 and Windows 11 to the latest builds for the latest security patches, performance improvements, and feature updates.
  • Software Updates via WinGet and Chocolatey: WinGet, the official Windows package manager, and Chocolatey ensure that applications are updated to the latest versions, preventing security vulnerabilities and maintaining application performance.
  • Driver and Tools Updates: Updates to hardware drivers, Office applications, and other tools improve system compatibility and performance while addressing potential vulnerabilities.
  • System Restore Points: Created before updates to provide a rollback option in case of issues, ensuring system recovery if an update fails.
  • Disk Cleanup (Temp Files and Internet History): Deleting temporary files and internet history frees up disk space, enhances privacy, and improves system performance post-updates.
  • Reboots: Some updates require a reboot to take effect. Scheduled reboots (e.g., at 11 PM for the Pilot Group, 4 AM for all systems) ensure proper installation of patches and maintain system stability.
  • User Notifications at 1 PM, 3 PM, and 5 PM on Maintenance Days: Many users turn off their computers at the end of the workday, interrupting scheduled updates. Notifications at these intervals alert users of upcoming maintenance, encourage them to leave machines powered on overnight, and reduce missed updates and manual troubleshooting.
  • Log File Checks: Verifies that all maintenance tasks executed correctly, identifies failed updates, software patching errors, or reboot issues, allows XSTRA to apply corrective actions proactively, and ensures transparency and documentation for compliance.

Patch Tuesday Overview


  • Patch Tuesday occurs on the second Tuesday of each month at approximately 10 AM Pacific Time (PT).
  • It includes security updates, bug fixes, and performance improvements for Windows, Microsoft Office, and other Microsoft products.
  • Why Tuesday? A consistent schedule allows IT administrators to plan patch deployment and test updates before rolling them out to production systems.
  • If critical vulnerabilities are discovered, Microsoft may release out-of-band updates outside of Patch Tuesday.

Best Practices for Managing Patch Tuesday Updates


Microsoft releases updates every second Tuesday of the month, so a structured approach to deploying these patches is crucial to minimize risks and downtime.


Pre-Patch Tuesday Preparation


  • Inventory Your Devices:
    • Ensure all Windows 10/11 machines and servers are properly inventoried.
    • Identify critical machines and test environments.
  • Review Microsoft’s Patch Notes:
    • Microsoft publishes Patch Tuesday release notes on their Security Update Guide before updates go live.
    • Check for known issues or compatibility concerns.
  • Set Maintenance Windows:
    • Schedule updates for off-peak hours (e.g., 11 PM) to minimize disruptions.
    • Use Windows Update for Business (WUfB) or Group Policy for controlled deployment.


Staggered Rollout Strategy (Testing Before Full Deployment)


  • Phase 1: Pilot Group (3-5 Days):
    • If no major issues occur, push updates to non-critical user machines (e.g., Pilot Group X0 on the 2nd Thursday).
    • Continue monitoring performance.
  • Phase 2: Full Deployment (7-10 Days):
    • Deploy updates across all endpoints and critical infrastructure (e.g., Full Deployment Group on the 3rd Thursday).
    • Ensure proper documentation of any issues encountered.
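
The calendar behind this rollout, as an added example that is not XSTRA's own tooling: it computes Patch Tuesday and the 2nd and 3rd Thursday for each month and flags the months where the 2nd Thursday falls before Patch Tuesday, which happens whenever the 1st of the month is a Wednesday or Thursday. The function names and the 2025 sample year are assumptions.

```powershell
# Added example, not XSTRA tooling: compute one month's maintenance dates.
function Get-NthWeekday {
    param([int]$Year, [int]$Month, [System.DayOfWeek]$DayOfWeek, [int]$Nth)
    $first  = [datetime]::new($Year, $Month, 1)
    # Days from the 1st to the first occurrence of the requested weekday (0..6).
    $offset = (([int]$DayOfWeek - [int]$first.DayOfWeek) + 7) % 7
    $first.AddDays($offset + 7 * ($Nth - 1))
}

function Get-MaintenancePlan {
    param([int]$Year, [int]$Month)
    $patchTuesday = Get-NthWeekday -Year $Year -Month $Month -DayOfWeek Tuesday  -Nth 2
    $pilot        = Get-NthWeekday -Year $Year -Month $Month -DayOfWeek Thursday -Nth 2
    $full         = Get-NthWeekday -Year $Year -Month $Month -DayOfWeek Thursday -Nth 3
    [pscustomobject]@{
        Month         = $patchTuesday.ToString('yyyy-MM')
        PatchTuesday  = $patchTuesday.ToString('ddd dd')
        # Patching starts at 11 PM on both Thursdays, as in the schedule table.
        PilotPatching = $pilot.AddHours(23).ToString('ddd dd h tt')
        FullPatching  = $full.AddHours(23).ToString('ddd dd h tt')
        # A negative lag means the window opens before this month's release.
        PilotLagDays  = ($pilot - $patchTuesday).Days
        FullLagDays   = ($full - $patchTuesday).Days
        PilotBeforePatchTuesday = $pilot -lt $patchTuesday
    }
}

# Constructed sample run: every month of one year.
1..12 | ForEach-Object { Get-MaintenancePlan -Year 2025 -Month $_ } | Format-Table -AutoSize
```

In a flagged month the Pilot Group window offers no soak time for that month's patches, and the 3rd Thursday window is the first to see them.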


Automating Patch Deployment


  • Use Windows Update for Business (WUfB):
    • For Windows 10/11 endpoints, configure deferred updates to allow time for testing.
    • Set quality updates to delay by 7-10 days and feature updates by 30+ days.
  • Leverage a Patch Management Solution:
    • If using TacticalRMM, Intune, or WSUS, schedule staggered deployments.
    • Automate reboots for updates requiring restarts.
  • Enable Windows Defender Updates:
    • Keep security intelligence up to date.
    • Enable cloud protection and tamper protection for added security.


Post-Patch Tuesday Actions


  • Monitor System Performance:
    • Use Event Viewer and Performance Monitor to check for update-related errors.
    • Gather feedback from users.
  • Rollback if Necessary:
    • If an update causes major issues, use one of the following:
      • Windows Update Rollback (within 10 days of installation).
      • System Restore (if a restore point was created).
      • Uninstall KB patches via wusa /uninstall /kb:xxxxxx.
  • Verify Security Compliance:
    • Ensure all systems are updated and protected against known vulnerabilities.
    • Check for out-of-band updates if Microsoft releases emergency patches.
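
One way to run the post-maintenance log check on a single endpoint, as an added example that is not XSTRA's own tooling. It assumes an elevated PowerShell session, Microsoft Defender as the active antivirus, and a window that opened at 10 PM the previous evening; the function name and the one-day definition-age threshold are assumptions.

```powershell
# Added example, not XSTRA tooling: post-maintenance check for the local endpoint.
param(
    # Assumption: the window opened at 10 PM the previous evening, as in the schedule.
    [datetime]$WindowStart = (Get-Date).Date.AddHours(-2)
)

function Get-MaintenanceResult {
    param([datetime]$Since)

    # Windows Update client events in the System log:
    # 19 = installation succeeded, 20 = installation failed.
    $events = @(Get-WinEvent -FilterHashtable @{
        LogName      = 'System'
        ProviderName = 'Microsoft-Windows-WindowsUpdateClient'
        Id           = 19, 20
        StartTime    = $Since
    } -ErrorAction SilentlyContinue)   # no matching events is not an error here
    $failed = @($events | Where-Object Id -eq 20)

    # Either key existing means installed updates are still waiting for a restart.
    $rebootKeys = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\RebootRequired'
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing\RebootPending'
    )
    $pendingReboot = [bool]($rebootKeys | Where-Object { Test-Path $_ })

    $lastBoot = (Get-CimInstance -ClassName Win32_OperatingSystem).LastBootUpTime
    $sigAge   = (Get-MpComputerStatus).AntivirusSignatureAge   # days since last definition update

    [pscustomobject]@{
        Computer            = $env:COMPUTERNAME
        Installed           = @($events | Where-Object Id -eq 19).Count
        Failed              = $failed.Count
        FailedUpdates       = ($failed | ForEach-Object Message) -join "`n"
        RebootedSinceWindow = $lastBoot -gt $Since
        PendingReboot       = $pendingReboot
        DefenderSigAgeDays  = $sigAge
        # Assumed follow-up rule: failed install, missed reboot, or definitions older than a day.
        NeedsAttention      = ($failed.Count -gt 0) -or $pendingReboot -or
                              ($lastBoot -le $Since) -or ($sigAge -gt 1)
    }
}

Get-MaintenanceResult -Since $WindowStart | Format-List
```

The failure event text includes the update's KB number and error code, which is the value to pass to the wusa uninstall command if a rollback is needed.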


Summary of Key Practices


  • Defragmentation or disk checks are not required for SSDs and are not part of this schedule.
  • System restore points are created before monthly updates to ensure a rollback option if needed.
  • Daily Windows Defender updates ensure security is up-to-date without waiting for Patch Tuesday.
  • The Pilot Group (X0) receives updates first on the 2nd Thursday to reduce risks for production systems.
  • Full deployment occurs one week later on the 3rd Thursday to ensure stability before applying updates to all systems.
  • All updates are scheduled outside business hours (e.g., 11 PM) to minimize disruptions.
