Patch Management Checklist
Patch Identification and Triage
Cover Microsoft Patch Tuesday KBs, Cisco PSIRT, Fortinet PSIRT, VMware VMSAs, Adobe APSB bulletins, and any third-party stack you run (Citrix, Veeam, browser vendors). Subscribe to the vendor RSS feeds rather than waiting for a news article — embargoed advisories drop on the bulletin schedule before press coverage.
Pull the current inventory from the RMM (NinjaOne, Datto, Automate) or CMDB. Map each advisory to affected hosts by OS build and installed software version. Hosts missing from the RMM are the gotcha — unmanaged devices don't show up on the patch report and stay vulnerable for months.
CVSS base score alone is not enough — cross-reference CISA KEV (Known Exploited Vulnerabilities) and EPSS for real-world exploitation likelihood. A CVSS 7.2 with active exploitation outranks a CVSS 9.8 with no public POC. Document the rationale per CVE.
Assign each KB/patch to test, pilot, and production rings. Domain controllers and finance servers go last. Out-of-band emergency patches (actively exploited zero-days) may bypass pilot with explicit CAB approval.
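The four triage steps above (advisory feeds, inventory mapping, KEV/EPSS-over-CVSS ranking, ring assignment) as one worked script. This is an added example with constructed data, not Manifestly's code or any vendor's tooling: the inventory and CMDB rows, the advisory records, the placeholder CVE/KB identifiers, and the `RING_ORDER` mapping are all assumptions standing in for an RMM export, a CMDB query and a parsed bulletin feed.

```python
"""Advisory triage for a patch cycle: map each advisory to affected hosts,
flag hosts the RMM cannot see, rank by exploitation evidence, assign rings.
Added example with constructed data; not Manifestly's or any vendor's code."""

# Constructed RMM inventory export. "software" maps product name -> installed version.
RMM_INVENTORY = [
    {"host": "WS-101", "role": "workstation",       "os_build": "10.0.19045", "software": {"Citrix Workspace": "23.11"}},
    {"host": "FS-01",  "role": "file_server",       "os_build": "10.0.20348", "software": {}},
    {"host": "APP-02", "role": "app_server",        "os_build": "10.0.20348", "software": {"Veeam Backup": "12.1"}},
    {"host": "DC-01",  "role": "domain_controller", "os_build": "10.0.20348", "software": {}},
    {"host": "FIN-01", "role": "finance_server",    "os_build": "10.0.17763", "software": {}},
]
# Constructed CMDB / AD computer list. Anything here but absent from the RMM is unmanaged.
CMDB_HOSTS = {"WS-101", "FS-01", "APP-02", "DC-01", "FIN-01", "WS-237"}

# Constructed advisories with placeholder identifiers (not real CVEs or KBs).
# "affected" pairs a product with a vulnerable version prefix; product "os" matches the OS build.
ADVISORIES = [
    {"id": "CVE-EXAMPLE-0001", "patch": "KB-EXAMPLE-1", "cvss": 9.8, "kev": False, "epss": 0.04,
     "affected": [("os", "10.0.20348")]},
    {"id": "CVE-EXAMPLE-0002", "patch": "KB-EXAMPLE-2", "cvss": 7.2, "kev": True, "epss": 0.91,
     "affected": [("os", "10.0.19045"), ("os", "10.0.17763")]},
    {"id": "CVE-EXAMPLE-0003", "patch": "VENDOR-BULLETIN-PLACEHOLDER", "cvss": 8.1, "kev": False, "epss": 0.35,
     "affected": [("Veeam Backup", "12.1")]},
]

# Ring index per role: workstations first, domain controllers and finance servers last.
RING_ORDER = {"workstation": 0, "file_server": 1, "app_server": 2,
              "domain_controller": 3, "finance_server": 3}


def unmanaged_hosts(rmm_inventory, cmdb_hosts):
    """Hosts the CMDB knows but the RMM does not; they never appear on the patch report."""
    return sorted(cmdb_hosts - {h["host"] for h in rmm_inventory})


def host_is_affected(host, advisory):
    """True when the host's OS build or an installed product matches a vulnerable version prefix."""
    for product, version_prefix in advisory["affected"]:
        installed = host["os_build"] if product == "os" else host["software"].get(product, "")
        if installed.startswith(version_prefix):
            return True
    return False


def priority_key(advisory):
    """Sort key: KEV listing first, then EPSS, then CVSS. A KEV'd 7.2 outranks a 9.8 with no exploitation."""
    return (advisory["kev"], advisory["epss"], advisory["cvss"])


def rationale(advisory):
    """Per-CVE justification text for the patch register."""
    kev = "on CISA KEV (actively exploited)" if advisory["kev"] else "not on KEV"
    return f"{kev}; EPSS {advisory['epss']:.2f}; CVSS {advisory['cvss']}"


def triage(advisories, inventory):
    """Return advisories in deployment order, each with its affected hosts grouped by ring."""
    plan = []
    for adv in sorted(advisories, key=priority_key, reverse=True):
        by_ring = {}
        for host in inventory:
            if host_is_affected(host, adv):
                by_ring.setdefault(RING_ORDER[host["role"]], []).append(host["host"])
        plan.append({
            "id": adv["id"],
            "patch": adv["patch"],
            "rationale": rationale(adv),
            # KEV entries are out-of-band candidates; bypassing pilot still needs explicit CAB approval.
            "emergency": adv["kev"],
            "rings": [sorted(by_ring[r]) for r in sorted(by_ring)],
        })
    return plan


if __name__ == "__main__":
    print("unmanaged:", unmanaged_hosts(RMM_INVENTORY, CMDB_HOSTS))
    for entry in triage(ADVISORIES, RMM_INVENTORY):
        print(entry["id"], entry["patch"], entry["rings"], "|", entry["rationale"])
```

The ordering that falls out of `priority_key` is the point of the KEV/EPSS step: the KEV-listed CVSS 7.2 advisory lands first, the CVSS 9.8 with no exploitation evidence last, and the unmanaged `WS-237` surfaces before anyone assumes the patch report covers the whole estate. Ring lists come out already sorted from least to most critical, so they can be pasted straight into the SCCM/Intune collections.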
Test Ring Validation
Push to the lab Intune ring or SCCM test collection that mirrors a production gold image. Snapshot VMs before applying so a single command reverts the lab if the patch bricks boot.
Walk through the line-of-business apps the business cares about — ERP login, accounting close routine, RDP into the file server, Outlook profile load, VPN connect. .NET-related KBs and TLS/SChannel updates are the historical breakage points.
Confirm CrowdStrike / SentinelOne / Defender for Endpoint sensor still reports in after the patch. Kernel-level patches occasionally break EDR drivers — the July 2024 CrowdStrike incident is the canonical example of why this verification is non-optional.
Pass = ship to pilot. Pass with notes = ship with documented workaround. Fail = hold the patch and open a vendor case. Record the specific KBs that failed so the deployment package can be split.
File a Microsoft / Cisco / vendor support ticket with reproduction steps, the lab build, and event log excerpts. Note the case number on the patch register and split the failing KB out of this cycle's deployment package.
Change Approval and Communication
Attach the test-ring evidence, ring assignments, maintenance window, blast radius, and rollback plan. Standard monthly patch RFCs are pre-approved at most CABs; emergency out-of-band patches need explicit sign-off and a documented exception.
Avoid month-end finance close, payroll runs, and any client-facing event. Confirm there is no overlap with backup windows — patches that force a reboot during a Veeam job leave inconsistent restore points.
Email department leads, post in the IT announcements channel, and update the status page if you run one. For MSP clients, send through the PSA so the notification is logged on the ticket.
Verify Veeam / Datto backups completed last night, hypervisor snapshots are taken on critical VMs, and BitLocker recovery keys are escrowed. Snapshots should be timestamped within the last 24 hours, not last week.
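A pre-flight gate covering the window and backup checks in this section: last night's backup results, snapshot age under 24 hours, no backup job scheduled inside the maintenance window, BitLocker keys escrowed, and no collision with finance-close or payroll blackout dates. This is an added example, not Manifestly's code; the job export, snapshot timestamps, escrow table, dates and window times are constructed stand-ins for what a Veeam/Datto report, hypervisor API and key-escrow query would return.

```python
"""Pre-deployment readiness gate: backup success, snapshot freshness, backup-window
overlap, BitLocker key escrow, and blackout dates. Added example; all data is constructed."""
from datetime import datetime, timedelta

NOW = datetime(2024, 3, 12, 17, 0)                                              # constructed "current time"
MAINTENANCE_WINDOW = (datetime(2024, 3, 12, 22, 0), datetime(2024, 3, 13, 2, 0))
MONTH_END_WINDOW = (datetime(2024, 3, 29, 22, 0), datetime(2024, 3, 30, 2, 0))  # collides with close
BLACKOUT_DATES = {datetime(2024, 3, 29).date(), datetime(2024, 3, 31).date()}   # finance close, payroll

# Constructed backup job export: last result plus the next scheduled run.
BACKUP_JOBS = [
    {"name": "Veeam-FileServers", "last_status": "Success",
     "next_start": datetime(2024, 3, 12, 23, 0), "next_end": datetime(2024, 3, 13, 1, 30)},
    {"name": "Veeam-SQL", "last_status": "Success",
     "next_start": datetime(2024, 3, 13, 3, 0), "next_end": datetime(2024, 3, 13, 4, 0)},
    {"name": "Datto-DC", "last_status": "Failed",
     "next_start": datetime(2024, 3, 13, 4, 0), "next_end": datetime(2024, 3, 13, 5, 0)},
]
# Constructed hypervisor snapshot timestamps for critical VMs.
SNAPSHOTS = {
    "DC-01": datetime(2024, 3, 12, 6, 0),
    "FIN-01": datetime(2024, 3, 5, 6, 0),    # a week old: not good enough
    "FS-01": datetime(2024, 3, 12, 6, 30),
}
# Constructed BitLocker escrow status per host in scope.
BITLOCKER_ESCROWED = {"WS-101": True, "WS-102": False, "FIN-01": True}


def failed_backups(jobs):
    return sorted(j["name"] for j in jobs if j["last_status"] != "Success")


def stale_snapshots(snapshots, now, max_age=timedelta(hours=24)):
    return sorted(vm for vm, taken in snapshots.items() if now - taken > max_age)


def overlapping_backups(window, jobs):
    """Jobs whose next run intersects the window; a forced reboot mid-job leaves an inconsistent restore point."""
    start, end = window
    return sorted(j["name"] for j in jobs if j["next_start"] < end and j["next_end"] > start)


def unescrowed_keys(escrow):
    return sorted(host for host, ok in escrow.items() if not ok)


def window_in_blackout(window, blackouts):
    """Calendar days covered by the window that fall on a blackout date, as ISO strings."""
    start, end = window
    day, days = start.date(), set()
    while day <= end.date():
        days.add(day)
        day += timedelta(days=1)
    return sorted(d.isoformat() for d in days & blackouts)


def readiness_findings(now, window, jobs, snapshots, escrow, blackouts):
    """Every item is a blocker; an empty list means the deployment may proceed."""
    findings = []
    findings += [f"backup job failed: {n}" for n in failed_backups(jobs)]
    findings += [f"snapshot older than 24h: {vm}" for vm in stale_snapshots(snapshots, now)]
    findings += [f"backup job overlaps window: {n}" for n in overlapping_backups(window, jobs)]
    findings += [f"BitLocker key not escrowed: {h}" for h in unescrowed_keys(escrow)]
    findings += [f"window falls on blackout date: {d}" for d in window_in_blackout(window, blackouts)]
    return findings


if __name__ == "__main__":
    for f in readiness_findings(NOW, MAINTENANCE_WINDOW, BACKUP_JOBS, SNAPSHOTS,
                                BITLOCKER_ESCROWED, BLACKOUT_DATES):
        print("BLOCKER:", f)
```

Run against the constructed data the gate returns four blockers (a failed Datto job, the week-old FIN-01 snapshot, the Veeam file-server job that runs inside the window, and the unescrowed WS-102 key); the same function against `MONTH_END_WINDOW` additionally rejects the date itself. The overlap test uses the standard half-open interval comparison, so a job ending exactly when the window starts does not count as a collision.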
Staged Production Deployment
Push to the pilot collection — typically IT staff laptops and a small set of volunteer power users. Hold 48 hours before promoting to broad production so kernel-level regressions surface on a small population first.
Stage rings from least to most critical: workstations → file servers → application servers → domain controllers. Throttle the deployment cadence so a regression caught at workstation rollout halts before it reaches DCs.
Check the RMM compliance dashboard, Defender / EDR sensor health, and the helpdesk queue for a spike in tickets. Watch for boot loops, BSODs, VPN disconnects, and authentication failures; these are the typical patch-induced regression patterns.
Halt the deployment in SCCM/Intune, uninstall the offending KB via the documented procedure, and restore from snapshot or backup if uninstall doesn't recover. Page the on-call engineer and open a SEV2 incident; CAB needs an out-of-cycle review.
Verification and Reporting
Pull the post-deployment report from NinjaOne / Automate / Intune. If compliance is below 95%, every non-compliant host needs a named owner for follow-up; laptops that roam off the corp network, dormant VMs, and BYOD endpoints are the usual long tail.
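The two post-push checks, the ring-promotion gate from the staged deployment section (48-hour pilot hold, EDR sensor health, boot failures, helpdesk ticket spike) and the compliance long tail described here, share the same RMM/EDR host export, so both are shown in one added example. This is not Manifestly's code; the host rows, ticket list, baseline ticket rate, the 3x-baseline spike threshold, and the `PILOT_STARTED` timestamp are constructed assumptions in place of a real RMM report and PSA export.

```python
"""Post-deployment checks: a ring-promotion gate on regression signals, plus the
compliance long tail that needs named follow-up. Added example; all data is constructed."""
from datetime import datetime, timedelta

NOW = datetime(2024, 3, 14, 9, 0)
PILOT_STARTED = datetime(2024, 3, 12, 22, 0)      # 35h ago, still inside the 48h pilot hold
PILOT_HOLD = timedelta(hours=48)
BASELINE_TICKETS_PER_HOUR = 0.3                    # constructed helpdesk baseline
REGRESSION_CATEGORIES = {"BSOD", "BootLoop", "VPN", "Auth"}

# Constructed RMM/EDR export: patch status, agent check-in, sensor health, last boot result.
HOSTS = [
    {"host": "WS-101", "ring": "pilot",       "type": "laptop", "status": "installed", "last_seen": NOW - timedelta(hours=1), "edr_ok": True,  "boot": "ok"},
    {"host": "WS-102", "ring": "pilot",       "type": "laptop", "status": "installed", "last_seen": NOW - timedelta(hours=2), "edr_ok": True,  "boot": "ok"},
    {"host": "WS-103", "ring": "pilot",       "type": "laptop", "status": "failed",    "last_seen": NOW - timedelta(hours=1), "edr_ok": False, "boot": "bsod"},
    {"host": "WS-201", "ring": "workstation", "type": "laptop", "status": "pending",   "last_seen": NOW - timedelta(days=9),  "edr_ok": True,  "boot": "ok"},
    {"host": "WS-202", "ring": "workstation", "type": "byod",   "status": "pending",   "last_seen": NOW - timedelta(days=1),  "edr_ok": True,  "boot": "ok"},
    {"host": "VM-300", "ring": "app_server",  "type": "vm",     "status": "pending",   "last_seen": NOW - timedelta(days=40), "edr_ok": True,  "boot": "ok"},
    {"host": "FS-01",  "ring": "file_server", "type": "vm",     "status": "installed", "last_seen": NOW - timedelta(hours=1), "edr_ok": True,  "boot": "ok"},
]
# Constructed helpdesk tickets opened since the pilot push.
TICKETS = [{"opened": NOW - timedelta(hours=h), "category": c}
           for h, c in [(1, "BSOD"), (1, "VPN"), (2, "BSOD"), (2, "Auth"), (3, "Printer"), (3, "BSOD"), (5, "Email")]]


def ticket_rate(tickets, now, window=timedelta(hours=6)):
    """Tickets per hour over the trailing window."""
    recent = [t for t in tickets if t["opened"] >= now - window]
    return len(recent) / (window.total_seconds() / 3600)


def regression_tickets(tickets, now, window=timedelta(hours=6)):
    """Categories in the window that match the known patch-regression patterns."""
    return sorted(t["category"] for t in tickets
                  if t["opened"] >= now - window and t["category"] in REGRESSION_CATEGORIES)


def can_promote(hosts, ring, tickets, now, started, baseline, hold=PILOT_HOLD):
    """Gate for promoting past `ring`. Returns (ok, reasons); any reason halts the deployment."""
    reasons = []
    elapsed = now - started
    if elapsed < hold:
        reasons.append(f"hold not elapsed: {elapsed.total_seconds() / 3600:.0f}h of {hold.total_seconds() / 3600:.0f}h")
    in_ring = [h for h in hosts if h["ring"] == ring]
    edr_down = sorted(h["host"] for h in in_ring if not h["edr_ok"])
    if edr_down:
        reasons.append(f"EDR sensor not reporting: {', '.join(edr_down)}")
    boot_fail = sorted(h["host"] for h in in_ring if h["boot"] != "ok")
    if boot_fail:
        reasons.append(f"boot failure: {', '.join(boot_fail)}")
    rate = ticket_rate(tickets, now)
    if rate > 3 * baseline:
        reasons.append(f"ticket spike: {rate:.2f}/h vs baseline {baseline}/h; "
                       f"regression categories seen: {regression_tickets(tickets, now)}")
    return (not reasons, reasons)


def compliance_by_ring(hosts):
    """{ring: (installed, total)} for the post-deployment report."""
    out = {}
    for h in hosts:
        done, total = out.get(h["ring"], (0, 0))
        out[h["ring"]] = (done + (h["status"] == "installed"), total + 1)
    return out


def overall_compliance_pct(hosts):
    return 100.0 * sum(h["status"] == "installed" for h in hosts) / len(hosts)


def long_tail(hosts, now):
    """Classify each non-compliant host so follow-up can be assigned by name."""
    tail = {}
    for h in hosts:
        if h["status"] == "installed":
            continue
        age = now - h["last_seen"]
        if h["status"] == "failed":
            tail[h["host"]] = "install failed: open a ticket and follow the documented uninstall/retry path"
        elif h["type"] == "byod":
            tail[h["host"]] = "BYOD endpoint: outside the RMM push, needs a user-driven update"
        elif h["type"] == "vm" and age > timedelta(days=30):
            tail[h["host"]] = "dormant VM: power on to patch or decommission"
        elif h["type"] == "laptop" and age > timedelta(days=7):
            tail[h["host"]] = "roaming laptop: off the corp network, chase the user"
        else:
            tail[h["host"]] = "pending: still within the deployment window"
    return tail


if __name__ == "__main__":
    ok, why = can_promote(HOSTS, "pilot", TICKETS, NOW, PILOT_STARTED, BASELINE_TICKETS_PER_HOUR)
    print("promote pilot -> workstations:", ok, why)
    print("compliance:", compliance_by_ring(HOSTS), f"{overall_compliance_pct(HOSTS):.1f}%")
    for host, reason in long_tail(HOSTS, NOW).items():
        print(host, "->", reason)
```

Against the constructed data the gate refuses to promote past pilot for four independent reasons (hold not elapsed, WS-103's sensor down, WS-103's BSOD, and a ticket rate almost four times baseline with BSOD/VPN/Auth tickets in the mix), which is the halt-before-it-reaches-DCs behaviour the staging section asks for. The long-tail classifier names the follow-up for each non-compliant host rather than leaving a bare percentage for the auditor's report.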
Document KBs deployed, exceptions granted, vendor cases opened, and rollbacks executed in IT Glue / Hudu / Confluence. This is the artifact that auditors ask for during SOC 2, PCI, and CMMC assessments.
30-minute retro with the patch team. What KBs caused issues, what test-ring gaps let them through, and what gets added to the smoke-test script for next month. Update the runbook before memory fades.
Use this template in Manifestly