Patch Management Checklist
Monthly patch cycle a sysadmin or MSP technician runs from vendor advisory triage through test-ring validation, CAB approval, staged deployment via WSUS/Intune/SCCM, and post-patch compliance reconciliation.
Patch Identification and Triage
-
Pull this month's vendor advisories
Cover Microsoft Patch Tuesday KBs, Cisco PSIRT, Fortinet PSIRT, VMware VMSAs, Adobe APSB bulletins, and any third-party stack you run (Citrix, Veeam, browser vendors). Subscribe to the vendor RSS feeds rather than waiting for a news article — embargoed advisories drop on the bulletin schedule before press coverage.
-
Reconcile advisories against the asset inventory
Pull the current inventory from the RMM (NinjaOne, Datto, Automate) or CMDB. Map each advisory to affected hosts by OS build and installed software version. Hosts missing from the RMM are the gotcha — unmanaged devices don't show up on the patch report and stay vulnerable for months.
-
Score CVEs by CVSS and known exploitation
CVSS base score alone is not enough — cross-reference CISA KEV (Known Exploited Vulnerabilities) and EPSS for real-world exploitation likelihood. A CVSS 7.2 with active exploitation outranks a CVSS 9.8 with no public POC. Document the rationale per CVE.
-
Assign patches to deployment rings
Assign each KB/patch to test, pilot, and production rings. Domain controllers and finance servers go last. Out-of-band emergency patches (actively exploited zero-days) may bypass pilot with explicit CAB approval.
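Worked example for the scoring and ring-assignment steps above. This is added PowerShell, not part of the original checklist; the advisories, KEV entries and EPSS scores are constructed placeholders (the CVE-2099-* and KB99* identifiers cannot be real), and the 0.10 EPSS threshold is an assumption to tune to your own risk appetite. The two feed URLs in the comments are the live sources you would substitute.

```powershell
# Added example (not from the original checklist): rank this month's CVEs by KEV listing
# and EPSS first, CVSS only as the tie-breaker, then record a per-CVE rationale and ring path.
# All data below is CONSTRUCTED. In production, pull the live feeds:
#   KEV  : https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json
#   EPSS : https://api.first.org/data/v1/epss?cve=<comma-separated CVE list>

# Constructed: this month's advisories, already mapped to the KB that fixes each CVE.
$Advisories = @(
    [pscustomobject]@{ Cve = 'CVE-2099-0001'; Kb = 'KB9900001'; Product = 'Windows Server'; Cvss = 9.8 }
    [pscustomobject]@{ Cve = 'CVE-2099-0002'; Kb = 'KB9900002'; Product = 'Windows 11';     Cvss = 7.2 }
    [pscustomobject]@{ Cve = 'CVE-2099-0003'; Kb = 'KB9900003'; Product = 'Office';         Cvss = 8.8 }
    [pscustomobject]@{ Cve = 'CVE-2099-0004'; Kb = 'KB9900004'; Product = 'Windows Server'; Cvss = 5.5 }
)

# Constructed: the CVE IDs from the KEV catalog that intersect this month's list.
$Kev = [System.Collections.Generic.HashSet[string]]::new([string[]]@('CVE-2099-0002'))

# Constructed: EPSS probabilities (the "epss" field of the FIRST API response, 0..1).
$Epss = @{
    'CVE-2099-0001' = 0.04
    'CVE-2099-0002' = 0.91
    'CVE-2099-0003' = 0.35
    'CVE-2099-0004' = 0.01
}

function Get-PatchPriority {
    param(
        [Parameter(Mandatory)] [object[]]  $Advisories,
        [Parameter(Mandatory)] [System.Collections.Generic.HashSet[string]] $Kev,
        [Parameter(Mandatory)] [hashtable] $Epss,
        [double] $EpssThreshold = 0.10    # assumption: tune to your own risk appetite
    )
    foreach ($a in $Advisories) {
        $inKev = $Kev.Contains($a.Cve)
        $epss  = if ($Epss.ContainsKey($a.Cve)) { [double]$Epss[$a.Cve] } else { 0.0 }

        # Tier decides the ring path; CVSS only orders patches inside a tier.
        if ($inKev) {
            $tier = 1
            $ring = 'Emergency: test -> production; pilot bypass only with explicit CAB sign-off'
            $why  = 'Listed in CISA KEV: exploitation confirmed in the wild'
        }
        elseif ($epss -ge $EpssThreshold -or $a.Cvss -ge 9.0) {
            $tier = 2
            $ring = 'Standard: test -> pilot -> production, first wave'
            $why  = "EPSS $epss / CVSS $($a.Cvss): likely exploitation or critical impact, no KEV entry"
        }
        else {
            $tier = 3
            $ring = 'Standard: test -> pilot -> production, after tier 2'
            $why  = "EPSS $epss / CVSS $($a.Cvss): low exploitation likelihood"
        }

        [pscustomobject]@{
            Cve = $a.Cve; Kb = $a.Kb; Product = $a.Product; Cvss = $a.Cvss
            Epss = $epss; Kev = $inKev; Tier = $tier; Ring = $ring; Rationale = $why
        }
    }
}

# The sorted table is the per-CVE rationale the register should capture. With the data above,
# CVE-2099-0002 (CVSS 7.2, in KEV) sorts ahead of CVE-2099-0001 (CVSS 9.8, EPSS 0.04).
Get-PatchPriority -Advisories $Advisories -Kev $Kev -Epss $Epss |
    Sort-Object Tier, @{ Expression = 'Epss'; Descending = $true }, @{ Expression = 'Cvss'; Descending = $true } |
    Format-Table Cve, Kb, Cvss, Epss, Kev, Tier, Ring, Rationale -AutoSize -Wrap
```

The point of keeping CVSS as a tie-breaker only is the one the checklist makes: an exploited 7.2 reaches the emergency path while an unexploited 9.8 rides the standard rings. Paste the Rationale column into the patch register as-is.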
Test Ring Validation
-
Deploy patches to the lab test collection
Push to the lab Intune ring or SCCM test collection that mirrors a production gold image. Snapshot VMs before applying so a single command reverts the lab if the patch bricks boot.
-
Run application smoke tests in the lab
Walk through the line-of-business apps the business cares about — ERP login, accounting close routine, RDP into the file server, Outlook profile load, VPN connect. .NET-related KBs and TLS/SChannel updates are the historical breakage points.
-
Verify EDR and security agent health
Confirm the CrowdStrike / SentinelOne / Defender for Endpoint sensor still checks in and reports healthy after the patch and reboot. Kernel-level OS updates occasionally break kernel-mode EDR drivers, and the sensor's own updates can take hosts down just as hard: the July 2024 CrowdStrike outage, a faulty sensor content update that boot-looped Windows hosts worldwide, is the canonical example of why this verification is non-optional.
-
Record the test-ring outcome
Pass = ship to pilot. Pass with notes = ship with documented workaround. Fail = hold the patch and open a vendor case. Record the specific KBs that failed so the deployment package can be split.
-
Open a vendor case for failed patches
File a Microsoft / Cisco / vendor support ticket with reproduction steps, the lab build, and event log excerpts. Note the case number on the patch register and split the failing KB out of this cycle's deployment package.
Change Approval and Communication
-
Submit the RFC to the CAB
Attach the test-ring evidence, ring assignments, maintenance window, blast radius, and rollback plan. Standard monthly patch RFCs are pre-approved at most CABs; emergency out-of-band patches need explicit sign-off and a documented exception.
-
Schedule the maintenance window
Avoid month-end finance close, payroll runs, and any client-facing event. Confirm there is no overlap with backup windows — patches that force a reboot during a Veeam job leave inconsistent restore points.
-
Notify stakeholders of the patch window
Email department leads, post in the IT announcements channel, and update the status page if you run one. For MSP clients, send through the PSA so the notification is logged on the ticket.
-
Confirm rollback artifacts are in place
Verify Veeam / Datto backups completed last night, hypervisor snapshots are taken on critical VMs, and BitLocker recovery keys are escrowed. Snapshots should be timestamped within the last 24 hours, not last week.
Staged Production Deployment
-
Deploy patches to the pilot ring
Push to the pilot collection — typically IT staff laptops and a small set of volunteer power users. Hold 48 hours before promoting to broad production so kernel-level regressions surface on a small population first.
-
Roll out to production rings via SCCM/Intune
Stage rings from least to most critical: workstations → file servers → application servers → domain controllers. Throttle the deployment cadence so a regression caught at workstation rollout halts before it reaches DCs.
-
Verify post-patch state across managed endpoints
Check the RMM compliance dashboard, Defender / EDR sensor health, and the helpdesk queue for a spike in tickets. Watch for boot loops, BSODs, VPN disconnects, and authentication failures — the typical patch-induced regression patterns.
-
Execute the rollback procedure
Halt the deployment in SCCM/Intune, uninstall the offending KB via the documented procedure, and restore from snapshot or backup if uninstall doesn't recover. Page the on-call engineer and open a SEV2 incident; CAB needs an out-of-cycle review.
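Worked example covering both the test-ring EDR health check and the post-patch verification step above: a PowerShell health check you can push through the RMM to a pilot or production host after the reboot. It is added here and is not code from the original checklist. Assumptions: the expected KB list (constructed KB99* placeholders) comes from this cycle's patch register; the EDR service names CSFalconService (CrowdStrike), SentinelAgent (SentinelOne) and Sense (Defender for Endpoint) should be confirmed against your own tenant; the 24-hour lookback and the failed-logon burst threshold are tunable assumptions.

```powershell
# Added example (not from the original checklist): post-patch host health check.
# Verifies the expected KBs landed, an EDR sensor service is running, and the event log
# shows none of the regression signals the checklist names (boot loops, BSODs, auth failures).
# Exits non-zero so an RMM script job shows the host as failed.

$ExpectedKbs   = @('KB9900001', 'KB9900002')              # constructed: from the patch register
$EdrServices   = @('CSFalconService', 'SentinelAgent', 'Sense')   # assumption: confirm for your tenant
$LookbackHours = 24                                       # assumption: cover the maintenance window

function Test-PostPatchState {
    param([string[]] $ExpectedKbs, [string[]] $EdrServices, [int] $LookbackHours)

    $result = [ordered]@{ Host = $env:COMPUTERNAME; Healthy = $true; Findings = @() }

    # 1. Did the KBs actually install? Get-HotFix reads the same data the RMM report uses.
    $installed = @(Get-HotFix -ErrorAction SilentlyContinue | ForEach-Object HotFixID)
    foreach ($kb in $ExpectedKbs) {
        if ($installed -notcontains $kb) {
            $result.Healthy = $false
            $result.Findings += "Missing $kb"
        }
    }

    # 2. Is at least one EDR sensor service present and running?
    $running = @(Get-Service -Name $EdrServices -ErrorAction SilentlyContinue |
                 Where-Object Status -eq 'Running')
    if ($running.Count -eq 0) {
        $result.Healthy = $false
        $result.Findings += "No EDR sensor running (checked: $($EdrServices -join ', '))"
    }
    else {
        $result.Findings += "EDR running: $($running.Name -join ', ')"
    }

    # 3. Regression signals since the reboot window.
    $since   = (Get-Date).AddHours(-$LookbackHours)
    $signals = @(
        @{ Log = 'System';   Id = 41;   Label = 'Kernel-Power 41 (unexpected shutdown / boot loop)' }
        @{ Log = 'System';   Id = 1001; Label = 'BugCheck 1001 (BSOD recorded)' }
        @{ Log = 'System';   Id = 6008; Label = 'EventLog 6008 (unexpected shutdown)' }
        @{ Log = 'Security'; Id = 4625; Label = 'Security 4625 (failed logon)' }
    )
    foreach ($s in $signals) {
        $events = @(Get-WinEvent -FilterHashtable @{ LogName = $s.Log; Id = $s.Id; StartTime = $since } `
                                 -ErrorAction SilentlyContinue)
        if ($events.Count -eq 0) { continue }
        # A few 4625s are normal noise; only a burst suggests broken auth. Threshold is an assumption.
        if ($s.Id -eq 4625 -and $events.Count -lt 20) { continue }
        $result.Healthy = $false
        $result.Findings += "$($events.Count) x $($s.Label)"
    }

    [pscustomobject]$result
}

$state = Test-PostPatchState -ExpectedKbs $ExpectedKbs -EdrServices $EdrServices -LookbackHours $LookbackHours
$state | Format-List
if (-not $state.Healthy) { exit 1 }
```

Run it under the same RMM script job on the pilot ring during the 48-hour hold, then again on each production ring before promoting the next one; a non-zero exit on any host is the signal to halt the deployment rather than wait for the helpdesk queue to tell you.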
Verification and Reporting
-
Reconcile compliance percentage in the RMM
Pull the post-deployment report from NinjaOne / Automate / Intune. Any ring or client site below 95% compliant needs per-host, named follow-up — laptops that roam off the corp network, dormant VMs, and BYOD endpoints are the usual long tail.
-
Update the patch register and ticket records
Document KBs deployed, exceptions granted, vendor cases opened, and rollbacks executed in IT Glue / Hudu / Confluence. This is the artifact that auditors ask for during SOC 2, PCI, and CMMC assessments.
-
Hold the post-patch review
30-minute retro with the patch team. What KBs caused issues, what test-ring gaps let them through, and what gets added to the smoke-test script for next month. Update the runbook before memory fades.
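Worked example for the compliance reconciliation step above, which also closes the loop on the inventory gotcha from the triage section (hosts the RMM has never seen). This is added PowerShell, not part of the original checklist. The RMM export and the directory host list are constructed inline, the 95% target is the checklist's own figure, and the 14-day staleness cutoff (a host the RMM has not heard from is counted as non-compliant, not dropped from the denominator) is an assumption.

```powershell
# Added example (not from the original checklist): reconcile the RMM's post-deployment
# export into per-ring compliance, a named follow-up list, and the set of directory hosts
# that are absent from the RMM entirely.

# Constructed: shape of a NinjaOne / Automate / Intune CSV export after the cycle.
$RmmCsv = @'
Host,Ring,LastSeenDaysAgo,MissingKbs
WS-001,Workstations,0,
WS-002,Workstations,1,
WS-003,Workstations,21,KB9900001;KB9900002
FS-001,FileServers,0,
APP-001,AppServers,0,KB9900002
DC-001,DomainControllers,0,
DC-002,DomainControllers,0,
'@

# Constructed: computer objects from AD / Entra. WS-004 exists here but never enrolled in the RMM.
$DirectoryHosts = @('WS-001', 'WS-002', 'WS-003', 'WS-004', 'FS-001', 'APP-001', 'DC-001', 'DC-002')

function Get-PatchCompliance {
    param(
        [Parameter(Mandatory)] [string]   $RmmCsv,
        [Parameter(Mandatory)] [string[]] $DirectoryHosts,
        [double] $Target    = 0.95,   # the checklist's 95% line
        [int]    $StaleDays = 14      # assumption: silent this long = non-compliant, still counted
    )
    $rows = @($RmmCsv | ConvertFrom-Csv)

    $rings = foreach ($g in ($rows | Group-Object Ring)) {
        $hosts = @($g.Group)
        # Missing a KB or not checking in both count against the ring.
        $nonCompliant = @($hosts | Where-Object {
            $_.MissingKbs -ne '' -or [int]$_.LastSeenDaysAgo -gt $StaleDays
        })
        $pct = [math]::Round(($hosts.Count - $nonCompliant.Count) / $hosts.Count, 3)

        [pscustomobject]@{
            Ring        = $g.Name
            Hosts       = $hosts.Count
            Compliance  = $pct
            MeetsTarget = ($pct -ge $Target)
            FollowUp    = @($nonCompliant | ForEach-Object {
                if ($_.MissingKbs) { "$($_.Host): missing $($_.MissingKbs)" }
                else               { "$($_.Host): not seen in $($_.LastSeenDaysAgo) days" }
            })
        }
    }

    # The long tail the RMM report cannot show: directory hosts with no RMM record at all.
    $unmanaged = @($DirectoryHosts | Where-Object { $_ -notin $rows.Host })

    [pscustomobject]@{ Rings = @($rings); Unmanaged = $unmanaged }
}

$r = Get-PatchCompliance -RmmCsv $RmmCsv -DirectoryHosts $DirectoryHosts
$r.Rings | Format-Table Ring, Hosts, Compliance, MeetsTarget -AutoSize
$r.Rings | Where-Object { -not $_.MeetsTarget } | ForEach-Object { $_.FollowUp }
"Unmanaged (in directory, absent from RMM): $($r.Unmanaged -join ', ')"
```

With the constructed data, Workstations (0.667) and AppServers (0.0) miss the target and produce named follow-ups for WS-003 and APP-001, while WS-004 surfaces as unmanaged. Both lists go into the patch register alongside the exceptions and vendor cases, since the unmanaged hosts are exactly what an auditor will ask about.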