XDEVICE – Windows OS – Maintenance Plan
At XSTRA, we maintain a structured and proactive approach to system updates and maintenance. Our XDEVICE maintenance schedule is aligned with Microsoft’s Patch Tuesday, which occurs at 10:00 AM (PT) on the second Tuesday of each month, equating to 3:00 AM Wednesday (AEST). This alignment allows us to time deployments carefully, balancing prompt security patching with system stability.
We implement daily security updates, automated patch deployments, and scheduled reboots to keep systems secure and running smoothly. Post-maintenance, we conduct log and integrity checks to confirm that all updates were applied successfully and remediate any issues immediately if needed.
This disciplined process ensures that all systems under XSTRA’s care remain secure, compliant, and optimized in line with Microsoft’s own update release schedule – with minimal disruption to end users.
Windows Monthly Maintenance & Security Schedule
Day of Month | Time & Target Group | Task | Value Provided
---|---|---|---
Daily | 9 AM Pilot (X0) Group<br>3 PM Full XDEVICE Deployment Group | A script is run to update XSTRA’s proprietary software applications, including:<br>In addition, the latest Windows Defender definitions from Microsoft are installed, along with any urgent security patches, ensuring your systems are protected without waiting for Patch Tuesday.<br>Scripts: XDEVICE_Daily.ps1 | These updates enhance system security, improve software reliability, and ensure faster response to emerging threats. By staying ahead of scheduled patch cycles, your environment benefits from reduced risk of vulnerabilities, greater stability, and optimal performance of critical tools essential to daily operations.
2nd/3rd Thursday | 2nd Thursday 1 PM, 3 PM, 5 PM, 7 PM, 9 PM, 9:55 PM Pilot (X0) Group<br>3rd Thursday 1 PM, 3 PM, 5 PM, 7 PM, 9 PM, 9:55 PM Full Deployment Group | A script is run to call XMESSAGE to display a Notification Reminder on PCs managed by XDEVICE, reminding the users of the PC to leave it powered on overnight to support maintenance activities.<br>Scripts: XDEVICE_Pre_Message.ps1 | This message alerts users to the need to leave the PC on overnight and does so repeatedly, 6 times between 5pm and 10pm. Users therefore have multiple opportunities to plan ahead and ensure all work is saved prior to 10pm.
2nd/3rd Thursday | 2nd Thursday 10 PM Pilot (X0) Group<br>3rd Thursday 10 PM Full Deployment Group | A script is run to create a System Restore Point and clean up.<br>Scripts: XDEVICE_Restore_Point.ps1 | Creates a rollback point for XSTRA engineers in case issues arise during the upcoming 11 PM maintenance. Also frees up disk space to ensure smooth downloading and installation of the updates expected during that task.
2nd/3rd Thursday | 2nd Thursday 11 PM Pilot (X0) Group<br>3rd Thursday 11 PM Full Deployment Group | OS Patch Management:<br>Software Patch Management:<br>Other: | By applying OS and software updates, users benefit from improved system security, stability, and performance. Critical and security patches protect against known vulnerabilities, while feature and driver updates enhance compatibility with the latest hardware and applications.
2nd/3rd Friday | 2nd Thursday 4 AM Pilot (X0) Group<br>3rd Thursday 4 AM Full Deployment Group | Final Reboot | Ensures systems are fully refreshed and stable.
2nd/3rd Friday | 2nd Thursday 10 AM Pilot (X0) Group<br>3rd Thursday 10 AM Full Deployment Group | Log File Checks | XSTRA checks the log files of all activities to identify the success or failure of the tasks attempted; decisions are then made on any additional actions required.
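The 10 PM restore-point-and-cleanup task above is the step that makes the 11 PM patching recoverable. The following script is an added illustration of that task, not XSTRA’s XDEVICE_Restore_Point.ps1; it assumes Windows PowerShell 5.1 (Checkpoint-Computer is not available in PowerShell 7), the log path is hypothetical, and user profiles are assumed to live under the default Users folder. The point it makes that the table does not is that Windows silently refuses to create a second restore point within 24 hours of the previous one, so a script that does not account for that can report success while leaving no rollback point at all.

```powershell
#Requires -RunAsAdministrator
# Added example (not XSTRA's own script): create a *verified* restore point
# before maintenance, then reclaim temp-file space and log what was freed.
param(
    [string]$Description = "XDEVICE pre-maintenance",
    [string]$LogPath = "C:\ProgramData\XDEVICE\restore_point.log"   # assumed path
)

function Write-Log([string]$Message) {
    $line = "{0:yyyy-MM-dd HH:mm:ss} {1}" -f (Get-Date), $Message
    New-Item -ItemType Directory -Path (Split-Path $LogPath) -Force | Out-Null
    Add-Content -Path $LogPath -Value $line
    Write-Host $line
}

function New-VerifiedRestorePoint([string]$Desc) {
    # System Restore must be enabled on the system drive, otherwise
    # Checkpoint-Computer returns without creating anything.
    Enable-ComputerRestore -Drive "$env:SystemDrive\"

    # Windows skips restore points requested within 24 hours of the previous one
    # (SystemRestorePointCreationFrequency, default 1440 minutes) and only warns.
    # Setting it to 0 for this run guarantees a fresh point before patching.
    $srKey = "HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore"
    $previous = (Get-ItemProperty -Path $srKey -ErrorAction SilentlyContinue).SystemRestorePointCreationFrequency
    Set-ItemProperty -Path $srKey -Name SystemRestorePointCreationFrequency -Value 0 -Type DWord
    try {
        $before = @(Get-ComputerRestorePoint).Count
        Checkpoint-Computer -Description $Desc -RestorePointType MODIFY_SETTINGS
        $latest = Get-ComputerRestorePoint | Sort-Object SequenceNumber -Descending | Select-Object -First 1
        $after  = @(Get-ComputerRestorePoint).Count
        # Verify rather than trust: count must grow and the newest point must be ours.
        if ($after -le $before -or $latest.Description -ne $Desc) {
            throw "Restore point '$Desc' was not created; do not proceed with patching."
        }
        return $latest
    }
    finally {
        # Put the original throttle back so normal system behaviour is unchanged.
        if ($null -ne $previous) {
            Set-ItemProperty -Path $srKey -Name SystemRestorePointCreationFrequency -Value $previous -Type DWord
        } else {
            Remove-ItemProperty -Path $srKey -Name SystemRestorePointCreationFrequency -ErrorAction SilentlyContinue
        }
    }
}

function Clear-MaintenanceTemp {
    # Temp locations cleared ahead of the 11 PM download/install task. Only files
    # older than one day are removed so any installer staging in progress survives.
    $targets = @("$env:SystemRoot\Temp", $env:TEMP)
    $targets += Get-ChildItem "$env:SystemDrive\Users" -Directory -ErrorAction SilentlyContinue |
                ForEach-Object { Join-Path $_.FullName "AppData\Local\Temp" }
    $freed = 0L
    foreach ($dir in ($targets | Where-Object { Test-Path $_ })) {
        Get-ChildItem -Path $dir -Recurse -Force -File -ErrorAction SilentlyContinue |
            Where-Object { $_.LastWriteTime -lt (Get-Date).AddDays(-1) } |
            ForEach-Object {
                try { Remove-Item $_.FullName -Force -ErrorAction Stop; $freed += $_.Length } catch { }
            }
    }
    return [math]::Round($freed / 1MB, 1)
}

$drive = Get-PSDrive -Name $env:SystemDrive.TrimEnd(':')
Write-Log ("Free space before cleanup: {0:N1} GB" -f ($drive.Free / 1GB))
$rp = New-VerifiedRestorePoint -Desc $Description
Write-Log "Restore point #$($rp.SequenceNumber) '$($rp.Description)' created."
$mb = Clear-MaintenanceTemp
Write-Log "Temp cleanup reclaimed $mb MB."
```

Because the restore point is verified before the script returns, a scheduler or RMM that runs it can treat a thrown error as a reason to skip the 11 PM patch task for that device rather than patching without a rollback path.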
Additional Notes
Purpose of Key Maintenance Tasks
- Daily Critical Updates at 3 PM: Microsoft occasionally releases emergency out-of-band security patches to address urgent vulnerabilities. Applying critical updates daily at 3 PM shortens the window in which a newly disclosed (zero-day) vulnerability can be exploited, ensuring all machines are secure before the next scheduled monthly update, while keeping the primary cycle unchanged.
- OS Patch Management: Covers all types of Windows updates (critical updates, security updates, definition updates, update rollups, service packs, feature packs, and general updates), ensuring system security and stability. This also includes upgrading Windows 10 and Windows 11 to the latest builds for the latest security patches, performance improvements, and feature updates.
- Software Updates via WinGet: WinGet, the official Windows package manager, ensures that applications are updated to the latest versions, preventing security vulnerabilities and maintaining application performance.
- Driver and Tools Updates: Updates to hardware drivers, Office applications, and other tools improve system compatibility and performance while addressing potential vulnerabilities.
- System Restore Points: Created before updates to provide a rollback option in case of issues, ensuring system recovery if an update fails.
- Disk Cleanup (Temp Files and Internet History): Deleting temporary files and internet history frees up disk space, enhances privacy, and improves system performance post-updates.
- Reboots: Some updates require a reboot to take effect. Scheduled reboots (e.g., at 11 PM for the Pilot Group, 4 AM for all systems) ensure proper installation of patches and maintain system stability.
- User Notifications at 1 PM, 3 PM, and 5 PM on Maintenance Days: Many users turn off their computers at the end of the workday, interrupting scheduled updates. Notifications at these intervals alert users of upcoming maintenance, encourage them to leave machines powered on overnight, and reduce missed updates and manual troubleshooting.
- Log File Checks: Verifies that all maintenance tasks executed correctly, identifies failed updates, software patching errors, or reboot issues, allows XSTRA to apply corrective actions proactively, and ensures transparency and documentation for compliance.
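The daily task (Defender definitions plus urgent security patches) and the monthly 11 PM task (all Windows Update categories, drivers, and WinGet application upgrades) differ mainly in scope. The script below is an added example that covers both with a -Mode switch; it is not XDEVICE_Daily.ps1 or XSTRA’s monthly script. It assumes the PSWindowsUpdate module from the PowerShell Gallery is installed, and the log path is hypothetical. The caveat worth knowing when this runs from a scheduler or RMM agent is that under the SYSTEM account winget.exe is not on PATH, so the script resolves it from the App Installer package folder.

```powershell
#Requires -RunAsAdministrator
# Added example (not XSTRA's scripts). -Mode Daily: Defender definitions plus
# security/critical/definition updates only. -Mode Monthly: all update categories
# (including drivers) followed by WinGet application upgrades.
param(
    [ValidateSet("Daily", "Monthly")][string]$Mode = "Daily",
    [string]$LogPath = "C:\ProgramData\XDEVICE\patch_$Mode.log"   # assumed path
)
$ErrorActionPreference = "Stop"
New-Item -ItemType Directory -Path (Split-Path $LogPath) -Force | Out-Null
Start-Transcript -Path $LogPath -Append

# 1. Defender security intelligence, independent of the Patch Tuesday cycle.
Update-MpSignature
$mp = Get-MpComputerStatus
"Defender signatures {0} (updated {1})" -f $mp.AntivirusSignatureVersion, $mp.AntivirusSignatureLastUpdated

# 2. Windows updates via PSWindowsUpdate. -IgnoreReboot leaves the restart to the
#    separate 4 AM reboot task so nobody is interrupted mid-install; -MicrosoftUpdate
#    also pulls Office and driver updates, not just Windows ones.
Import-Module PSWindowsUpdate
$wuArgs = @{ MicrosoftUpdate = $true; AcceptAll = $true; Install = $true; IgnoreReboot = $true }
if ($Mode -eq "Daily") {
    # Restrict the daily run to what it exists for: urgent and out-of-band fixes.
    $wuArgs.Category = @("Security Updates", "Critical Updates", "Definition Updates")
}
$results = @(Get-WindowsUpdate @wuArgs)
$results | Select-Object KB, Title, Result | Format-Table -AutoSize
$failed = @($results | Where-Object { $_.Result -eq "Failed" })

# 3. WinGet application upgrades (monthly only).
function Get-WingetPath {
    $cmd = Get-Command winget.exe -ErrorAction SilentlyContinue
    if ($cmd) { return $cmd.Source }
    # Under SYSTEM the App Execution Alias is unavailable; fall back to the package
    # folder (lexicographically newest version wins).
    $pkg = Get-ChildItem "$env:ProgramFiles\WindowsApps\Microsoft.DesktopAppInstaller_*_x64__8wekyb3d8bbwe\winget.exe" -ErrorAction SilentlyContinue |
           Sort-Object FullName -Descending | Select-Object -First 1
    if ($pkg) { return $pkg.FullName }
    throw "winget.exe not found; App Installer may be missing on this device."
}
if ($Mode -eq "Monthly") {
    $winget = Get-WingetPath
    # --include-unknown also upgrades packages whose installed version winget cannot read.
    & $winget upgrade --all --silent --include-unknown --accept-package-agreements --accept-source-agreements
    if ($LASTEXITCODE -ne 0) { Write-Warning "winget exited with code $LASTEXITCODE; review the transcript." }
}

Stop-Transcript
# A non-zero exit lets the scheduler/RMM flag the device for the 10 AM log review.
if ($failed.Count -gt 0) { exit 1 }
```

Running the Daily mode at 9 AM for the pilot group and 3 PM for the full group, and the Monthly mode at 11 PM on the respective Thursdays, reproduces the cadence in the table; the transcript file is what the later log-file check reads.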
Patch Tuesday Overview
Patch Tuesday occurs on the second Tuesday of each month at approximately 10 AM Pacific Time (PT). It includes security updates, bug fixes, and performance improvements for Windows, Microsoft Office, and other Microsoft products.
Why Tuesday? A consistent schedule allows IT administrators to plan patch deployment and test updates before rolling them out to production systems.
If critical vulnerabilities are discovered, Microsoft may release out-of-band updates outside of Patch Tuesday.
Best Practices for Managing Patch Tuesday Updates
Microsoft releases updates on the second Tuesday of each month, making a structured patch deployment process essential to reduce risk and avoid downtime. These updates have previously caused issues on client computers, so XSTRA takes a proactive approach by staggering and pre-testing patches. This strategy aims to strike a careful balance between protecting systems and ensuring timely updates and should be acknowledged as a considered trade-off between risk and reward.
Pre-Patch Tuesday Preparation
- Inventory Your Devices: Ensure all Windows 10/11 machines and servers are properly inventoried. Identify critical machines and test environments.
- Review Microsoft’s Patch Notes: Microsoft publishes Patch Tuesday release notes on their Security Update Guide before updates go live. Check for known issues or compatibility concerns.
- Set Maintenance Windows: Schedule updates for off-peak hours (e.g., 11 PM) to minimize disruptions. Use Windows Update for Business (WUfB) or Group Policy for controlled deployment.
Staggered Rollout Strategy (Testing Before Full Deployment)
- Phase 1: XSTRA Pilot Group (3-5 Days): If no major issues occur, push updates to non-critical user machines (e.g., Pilot Group X0 on the 2nd Thursday). Continue monitoring performance.
- Phase 2: Client Full Deployment (7-10 Days): Deploy updates across all endpoints and critical infrastructure (e.g., Full Deployment Group on the 3rd Thursday). Ensure proper documentation of any issues encountered.
Automating Patch Deployment
- Use Windows Update for Business (WUfB): For Windows 10/11 endpoints, configure deferred updates to allow time for testing. Set quality updates to delay by 7-10 days and feature updates by 30+ days.
- Leverage a Patch Management Solution: If using TacticalRMM, Intune, or WSUS, schedule staggered deployments. Automate reboots for updates requiring restarts.
- Enable Windows Defender Updates: Keep security intelligence up to date. Enable cloud protection and tamper protection for added security.
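The deferral and Defender settings listed above can be applied locally through the same policy registry values that Windows Update for Business and Group Policy write. The script below is an added example, not XSTRA’s configuration; it shows the weak default (no deferral, so updates land on release day with no pilot window) next to the corrected values, and it assumes 7-day quality and 30-day feature deferrals with active hours of 7 to 21. Tamper protection is deliberately only checked, not set: Set-MpPreference has no switch for it, and it is turned on from Windows Security or Intune/RMM.

```powershell
#Requires -RunAsAdministrator
# Added example (not XSTRA's configuration): WUfB deferral policy plus Defender
# cloud protection, with the weak state shown for comparison.
$wu = "HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate"
New-Item -Path $wu -Force | Out-Null

# Weak (default) state: quality and feature updates install as soon as released.
$weak = @{
    DeferQualityUpdates = 0; DeferQualityUpdatesPeriodInDays = 0
    DeferFeatureUpdates = 0; DeferFeatureUpdatesPeriodInDays = 0
}

# Corrected state for the Full Deployment Group: assumed values, within the
# documented ranges (quality 0-30 days, feature 0-365 days).
$hardened = @{
    DeferQualityUpdates = 1; DeferQualityUpdatesPeriodInDays = 7
    DeferFeatureUpdates = 1; DeferFeatureUpdatesPeriodInDays = 30
    # Active hours keep automatic restarts outside 07:00-21:00.
    SetActiveHours = 1; ActiveHoursStart = 7; ActiveHoursEnd = 21
}

function Set-UpdatePolicy([hashtable]$Values) {
    foreach ($name in $Values.Keys) {
        Set-ItemProperty -Path $wu -Name $name -Value $Values[$name] -Type DWord
    }
}

function Test-UpdatePolicy {
    # Returns $true only when both deferrals meet the plan's minimums.
    $p = Get-ItemProperty -Path $wu
    return ($p.DeferQualityUpdates -eq 1 -and $p.DeferQualityUpdatesPeriodInDays -ge 7 -and
            $p.DeferFeatureUpdates -eq 1 -and $p.DeferFeatureUpdatesPeriodInDays -ge 30)
}

Set-UpdatePolicy $weak
"Deferral compliant after weak settings: {0}" -f (Test-UpdatePolicy)       # False
Set-UpdatePolicy $hardened
"Deferral compliant after hardened settings: {0}" -f (Test-UpdatePolicy)   # True

# Defender: cloud-delivered protection (MAPS) and safe-sample submission on,
# real-time protection on. If tamper protection is already active these calls
# are rejected by design and the values must be managed centrally instead.
Set-MpPreference -MAPSReporting Advanced -SubmitSamplesConsent SendSafeSamples -DisableRealtimeMonitoring $false
$mp = Get-MpComputerStatus
[pscustomobject]@{
    RealTimeProtection = $mp.RealTimeProtectionEnabled
    TamperProtected    = $mp.IsTamperProtected
    SignatureAgeDays   = $mp.AntivirusSignatureAge
}
if (-not $mp.IsTamperProtected) {
    Write-Warning "Tamper protection is off; enable it in Windows Security or via Intune/RMM."
}
```

Test-UpdatePolicy is the kind of check an RMM can run fleet-wide after the policy is pushed: a device that reports False is one where a Patch Tuesday update can bypass the pilot window entirely.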
Post-Patch Tuesday Actions
- Monitor System Performance: Use Event Viewer and Performance Monitor to check for update-related errors. Gather feedback from users.
- Rollback if Necessary: If an update causes major issues, use one of the following: Windows Update Rollback (within 10 days of installation), System Restore (if a restore point was created), or uninstall KB patches via `wusa /uninstall /kb:xxxxxx`.
- Verify Security Compliance: Ensure all systems are updated and protected against known vulnerabilities. Check for out-of-band updates if Microsoft releases emergency patches.
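The post-patch actions above and the Friday 10 AM log-file check in the schedule amount to the same questions: did every update install, did the 4 AM reboot happen cleanly, and is anything still waiting on a restart. The script below is an added example of answering them from the Windows event logs and the pending-reboot registry markers, with the rollback command from the list wrapped as a helper; it is not XSTRA’s tooling. It assumes the Since window defaults to 9 PM the previous evening, just before the 10 PM restore-point task.

```powershell
#Requires -RunAsAdministrator
# Added example (not XSTRA's log-check script): summarise the overnight
# maintenance from event logs and registry markers, exit non-zero on problems.
param([datetime]$Since = (Get-Date).Date.AddHours(-3))   # 9 PM yesterday for a 10 AM run

function Get-UpdateOutcome([datetime]$From) {
    # WindowsUpdateClient logs ID 19 (install succeeded) and 20 (install failed) in System.
    $events = Get-WinEvent -FilterHashtable @{
        LogName = "System"; ProviderName = "Microsoft-Windows-WindowsUpdateClient"
        Id = 19, 20; StartTime = $From } -ErrorAction SilentlyContinue
    foreach ($e in $events) {
        [pscustomobject]@{
            Time   = $e.TimeCreated
            Result = if ($e.Id -eq 19) { "Installed" } else { "Failed" }
            Detail = $e.Message
        }
    }
}

function Get-RebootOutcome([datetime]$From) {
    # 1074 = planned shutdown/restart requested; Kernel-Power 41 = the machine
    # came back without a clean shutdown, i.e. the reboot did not go as planned.
    $planned = Get-WinEvent -FilterHashtable @{ LogName = "System"; Id = 1074; StartTime = $From } -ErrorAction SilentlyContinue
    $dirty   = Get-WinEvent -FilterHashtable @{ LogName = "System"; ProviderName = "Microsoft-Windows-Kernel-Power"; Id = 41; StartTime = $From } -ErrorAction SilentlyContinue
    [pscustomobject]@{
        PlannedRestarts = @($planned).Count
        UncleanRestarts = @($dirty).Count
        LastBoot        = (Get-CimInstance Win32_OperatingSystem).LastBootUpTime
    }
}

function Test-PendingReboot {
    # Markers Windows sets while an installed update still needs a restart.
    $cbs = Test-Path "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing\RebootPending"
    $wua = Test-Path "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\RebootRequired"
    $pfr = $null -ne (Get-ItemProperty "HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager" -Name PendingFileRenameOperations -ErrorAction SilentlyContinue)
    return ($cbs -or $wua -or $pfr)
}

function Undo-KbUpdate([Parameter(Mandatory)][string]$Kb) {
    # Wraps the rollback command from the text. /norestart leaves the restart to the
    # scheduled reboot task; wusa returns 0 on success and 3010 when a reboot is pending.
    $kbNumber = $Kb -replace "^KB", ""
    $p = Start-Process -FilePath wusa.exe -ArgumentList "/uninstall", "/kb:$kbNumber", "/quiet", "/norestart" -Wait -PassThru
    return $p.ExitCode
}

$updates = @(Get-UpdateOutcome -From $Since)
$reboot  = Get-RebootOutcome -From $Since
$summary = [pscustomobject]@{
    Installed     = @($updates | Where-Object Result -eq "Installed").Count
    Failed        = @($updates | Where-Object Result -eq "Failed").Count
    RebootedSince = $reboot.LastBoot -gt $Since
    UncleanBoot   = $reboot.UncleanRestarts -gt 0
    RebootPending = Test-PendingReboot
    RecentHotfix  = @(Get-HotFix | Where-Object InstalledOn -ge $Since.Date).Count
}
$summary | Format-List
$updates | Where-Object Result -eq "Failed" | Format-Table Time, Detail -Wrap

# Follow-up is needed when anything failed, the reboot did not occur, the boot was
# unclean, or a restart is still pending; the RMM can key off this exit code.
if ($summary.Failed -gt 0 -or -not $summary.RebootedSince -or $summary.UncleanBoot -or $summary.RebootPending) { exit 1 }
```

Undo-KbUpdate is intentionally not called automatically: the decision to roll back belongs to the engineer reviewing the failed-update details, and a 3010 return from it means the device still needs the scheduled reboot before the removal is complete.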
Summary of Key Practices
- Defragmentation or disk checks are not required for SSDs and are not part of this schedule.
- System restore points are created before monthly updates to ensure a rollback option if needed.
- Daily Windows Defender updates ensure security is up-to-date without waiting for Patch Tuesday.
- The Pilot Group (X0 – XSTRA) receives updates first on the 2nd Thursday to reduce risks for production systems.
- Full deployment occurs one week later on the 3rd Thursday to ensure stability before applying updates to all systems.
- All updates are scheduled outside business hours (e.g., 11 PM) to minimize disruptions.