Quote:

Having a policy that all machines must be fully patched is an invitation for trouble. How can there be any testing of patches and staged deployment? Deploying patches without first testing how they might impact a production system is not a best practice.
We do that. We don't just deploy patches the day (or sometimes even week) they come out. We have an initial test group, and then a pilot test group. After a period of testing they are released.

When we say "fully patched" we don't necessarily mean each and every latest patch that MS has released. Our "fully patched" refers to the patches we have tested and deemed safe/compatible for our environment. We also take into account the severity of the updates and the applicability within our environment.

But we do want to know, for the patches we are deploying, that they actually get deployed, and that there is a verifiable way to ensure that.
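As an added example (not from the original post or its author), one way to get that verification on Windows hosts is a PowerShell check that compares the hotfixes each machine reports against the list of KBs the pilot group signed off on. The KB IDs and host names below are constructed placeholders.

```powershell
# Added example: verify that approved patches are actually installed on each host.
# The KB IDs and host names are constructed placeholders, not real identifiers.
$ApprovedKBs = @('KB0000001', 'KB0000002', 'KB0000003')   # result of the pilot-group sign-off
$Hosts       = @('srv-example-01', 'srv-example-02')        # machines in the current release ring

function Test-ApprovedPatches {
    param(
        [string[]]$ComputerName,
        [string[]]$Approved
    )
    foreach ($c in $ComputerName) {
        try {
            # Get-HotFix reads the host's Win32_QuickFixEngineering record of installed updates.
            $installed = (Get-HotFix -ComputerName $c -ErrorAction Stop).HotFixID
        } catch {
            # A host that cannot be queried is reported, never silently counted as compliant.
            [pscustomobject]@{
                ComputerName = $c
                Missing      = ''
                Status       = "Unreachable: $($_.Exception.Message)"
            }
            continue
        }
        # Every approved KB that the host does not report is a deployment gap.
        $missing = @($Approved | Where-Object { $_ -notin $installed })
        $status  = if ($missing.Count -gt 0) { 'Non-compliant' } else { 'Compliant' }
        [pscustomobject]@{
            ComputerName = $c
            Missing      = ($missing -join ', ')
            Status       = $status
        }
    }
}

Test-ApprovedPatches -ComputerName $Hosts -Approved $ApprovedKBs | Format-Table -AutoSize
```

Get-HotFix only lists updates recorded in Win32_QuickFixEngineering, so a "Compliant" row is evidence for the KBs you asked about, not a statement that every update type on the host is current.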